From anders.andersson at LTKALMAR.SE Mon Sep 1 00:10:03 2003
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:40 2006
Subject: SV: Quote
Message-ID:

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 31 August 2003 12:22
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Quote
>
>
> At 19:11 30/08/2003, you wrote:
> >He be the author of Postfix
>
> And I don't think he likes me very much ;)

Hmm, sounds like you should put your brains together and figure out
something both accept, or maybe that's been tried already.

I found this on the list and am just curious what they mean... Maybe you
could make a Reader's Digest for a stupid Swede, just for education :)

#########
http://archives.neohapsis.com/archives/postfix/2003-08/0595.html

We use mailscanner w/ the hold queue. We have a header check:

/^Received:/ HOLD

And then setup mailscanner to pick messages up from hold and move|link
them to incoming.

Before this setup, we had postfix delivering messages to mailscanner
from a pipe transport and then reinjecting w/ sendmail.

I can share how we did either if anyone is interested. We have shared
both of these setups w/ the mailscanner developer a couple of times but
he has not yet shown much interest.

lindsay
##########

>
>
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> >Behalf Of Michele Neylon:: Blacknight Solutions
> >Sent: Saturday, August 30, 2003 12:40 PM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: Quote
> >
> >
> >Excuse my ignorance, but who is Wietse Venema? And more importantly,
> >why does this person's opinion matter?
> >
> >Mr. Michele Neylon
> >Blacknight Solutions
> >http://www.blacknightsolutions.ie/
> >Possibly the cheapest ie's in Ireland
> >Tel. +353 (0)59 9139897
> >Fax. +353 (0)59 9139897
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]
> > > On Behalf Of Forrest Aldrich
> > > Sent: 30 August 2003 18:32
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Quote
> > >
> > > This is what Wietse Venema says about MailScanner:
> > >
> > > >>>>
> > > MailScanner is unsafe. It bypasses the correct interfaces to access
> > > queue files. I would not trust it with Postfix or with any other
> > > MTA. <<<<
> > >
> > > Forrest
> > >
> >#########################################################
> >This message (and any attachment) is intended only for the recipient
> >and may contain confidential and/or privileged material. If you have
> >received this in error, please contact the sender and delete this
> >message immediately. Disclosure, copying or other action taken in
> >respect of this email or in reliance to it is prohibited.
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>

From dbird at SGHMS.AC.UK Mon Sep 1 01:18:00 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:19:40 2006
Subject: Trend Autoupdate broken in 4.23-10
Message-ID: <3F529038.90001@sghms.ac.uk>

Dear all,
The trend autoupdate in 4.23-10 is broken. Attached is a fixed version.

Dan

--
____________________________________

Daniel Bird
Network & Systems Manager
St. George's Hospital Medical School
Tooting
London SW17 0RE

P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan@sghms.ac.uk
____________________________________

Hex dump: Where witches put used curses...
"#define QUESTION ((bb) || !(bb)) - Shakespeare."

-------------- next part --------------
#!/bin/sh
# Trend Autoupdate Script.
# V0.1 Dan Bird. dbird@sghms.ac.uk
# 12/08/2003

OPRINI=opr.ini.$$
export OPRINI

# source of IScan dat files
FTPSERV="ftp://ftp.antivirus.com/products/pattern/"

# Get the info on new version...
echo "Checking for latest DAT version..."
wget -q -O /tmp/$OPRINI $FTPSERV/opr.ini
NEWVER=`grep PatternVersion /tmp/opr.ini.$$ | sed s/^PatternVersion=//g | cut -c 1-3`

# Stop if the version could not be read (e.g. the download failed),
# otherwise the numeric comparison below breaks on an empty value
if [ "$NEWVER" = "" ]
then
    echo "Could not determine latest DAT version"
    rm -f /tmp/$OPRINI
    exit 1
fi

# What's our current version?
CURRENTVER=`ls /etc/iscan/* | grep lpt | tail -1 | cut -d. -f 2`
if [ "$CURRENTVER" = "" ]
then
    CURRENTVER=0
fi

echo "Current version is : $CURRENTVER"

fail () {
    trap EXIT
    echo "Test run failed -- removing bad Trend data files"
    echo "$OUT"
    rm -rf /etc/iscan/lpt*$NEWVER*
    exit 1
}

# If our current one is older, download the new one!!!
if [ "$CURRENTVER" -lt "$NEWVER" ]
then
    echo "Getting new DAT version : $NEWVER"
    wget -q -P /tmp $FTPSERV/lpt$NEWVER.zip
    printf "Testing file for corruption...."
    DATCHECK=`unzip -o -t /tmp/lpt$NEWVER.zip | grep "No errors"`
    if [ "$DATCHECK" != "" ]
    then
        echo "OK"
        mv /tmp/lpt$NEWVER.zip /etc/iscan
        printf "installing...."
        cd /etc/iscan
        unzip -q -o lpt$NEWVER.zip
        echo "DONE"
    else
        echo "BAD ARCHIVE"
    fi

    trap fail EXIT
    # The redirection must be on the command line itself: kept inside $CMD
    # it would be passed to vscan as a literal "2>&1" argument
    CMD="/opt/trend/ISBASE/IScan.BASE/vscan -v"
    OUT=`$CMD 2>&1`
    case "$OUT" in
        *"read pattern failed"* | \
        *"invalid pattern file"* | \
        *"pattern file not found"* | \
        *"incorrect pattern format"* | \
        *"read error"* | \
        *"out of memory"* )
            fail
            ;;
    esac
    trap EXIT
else
    echo "DAT files are upto date"
fi

rm -f /tmp/*.zip /tmp/$OPRINI /etc/iscan/*.zip

From raymond at PROLOCATION.NET Mon Sep 1 01:47:46 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:40 2006
Subject: ANNOUNCE: Stable 4.23-10 released
In-Reply-To: <5.2.1.1.2.20030831114301.03769108@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> I have just released a new "stable" version of MailScanner. There are many
> improvements and some fixes this time, rather more than I can easily list
> for you here, so please see the ChangeLog which is at the bottom of this
> message.

Seems to run just fine! Just upgraded. I noticed in the spam.lists.conf
that the two BAD ones are still listed:

osirusoft / SPEWS

Could you take those out in an upcoming package? =) I don't think it's wise
to put them inside the standard configs anymore. And perhaps put in also
NJABL, I am getting very good results with that one also...

NJABL dnsbl.njabl.org

Bye,
Raymond.

From gerry at DORFAM.CA Mon Sep 1 02:36:24 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:19:40 2006
Subject: ClamAV missing Sobig.F
Message-ID:

I've noticed that ClamAV seems to be missing Sobig.F (or a variant).
F-Prot and Trend are picking them up but ClamAV is letting them right
through.

I've even tried scanning the quarantine directory with each of the three
scanners. ClamAV can't find the virus but the other two do.

And before you ask...yes, I have the latest ClamAV data files. I even did
a freshclam to be sure.

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From oliver at LINUX-KERNEL.AT Mon Sep 1 03:25:55 2003
From: oliver at LINUX-KERNEL.AT (Oliver Pitzeier)
Date: Thu Jan 12 21:19:40 2006
Subject: ANNOUNCE: Stable 4.23-10 released
Message-ID: <200309010222.h812Mtxg025149@indianer.linux-kernel.at>

Hi Julian! Hi folks!

> I have just released a new "stable" version of MailScanner.
> There are many improvements and some fixes this time, rather
> more than I can easily list for you here, so please see the
> ChangeLog which is at the bottom of this message.

Works fine for me... Even with my SQL-black-/whitelists everything is still
fine - as expected!!!

Thanks!

Best regards,
Oliver

From ashley at IMS.TELSTRA.COM.AU Mon Sep 1 04:54:36 2003
From: ashley at IMS.TELSTRA.COM.AU (ash)
Date: Thu Jan 12 21:19:40 2006
Subject: Tagging the subject line of e-mail
Message-ID:

Did this ever get resolved?

I just upgraded from 4.21-9 to 4.23-10 and no longer get any of the
subject line modification notices that use the curly brackets, other than
if I set "Scanned Modify Subject". For example, any violation, be it a
virus or a bad file name/type, receives the subject line "Warning: E-mail
viruses detected". I haven't had a spam message yet to see if that
notification has also stopped working.

from my conf file

Virus Modify Subject = yes
Virus Subject Text = {Virus?}
Filename Modify Subject = yes
Filename Subject Text = {Filename?}
Content Modify Subject = yes
Content Subject Text = {Dangerous Content?}
Spam Modify Subject = yes
Spam Subject Text = {Spam?}
High Scoring Spam Modify Subject = yes
High Scoring Spam Subject Text = {Spam?}

running perl 5.6.0

regards
ash

On Wed, 20 Aug 2003 07:41:27 -0400, Collins, Kevin wrote:

>Mike,
>
>Thanks for responding.
>
>I'm planning on adding SpamAssassin later in the project. Is it required to
>make the system function as I want? I didn't get that from the
>documentation. The way I read the docs, SpamAssassin just improves
>MailScanner's abilities.
>
>Kevin
>
>> -----Original Message-----
>> From: Mike Kercher [mailto:mike@CAMAROSS.NET]
>> Sent: Tuesday, August 19, 2003 1:59 PM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: Tagging the subject line of e-mail
>>
>>
>> Are you using SpamAssassin? If not, I'd HIGHLY recommend it! You can
>> also set Log Spam = yes and watch your maillog after restarting
>> MailScanner.
>>
>> Mike
>>
>>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>> Behalf Of Collins, Kevin
>> Sent: Tuesday, August 19, 2003 12:31 PM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Tagging the subject line of e-mail
>>
>>
>> Hi!
>>
>> I've just completed installing MS v4.22-5 onto a Red Hat 8 machine to
>> act as my company's "SPAM Filter". First, I want to say THANKS for
>> creating such a project and for making it available to the masses for
>> free.
>>
>> A little background:
>>
>> MailScanner machine:
>> Red Hat 8.0 (fully up2dated)
>> Sendmail 8.12.8
>> Perl 5.8.0
>> ClamAV 0.60 (compiled from source)
>> Sendmail set to relay everything to internal Exchange Server
>>
>> Everything seems to be working fine - I've even let a few e-mails pass
>> through the machine for testing. Which is why I'm writing; I now have a
>> question.
>>
>> First, of the 20 some odd messages that have passed through
>> MailScanner, it has tagged 3 as SPAM and one of them as having a Virus
>> (actually it was an HTML Form in the message). The "Virus" message
>> behaved as expected - the e-mail was deleted and not passed on and I
>> got a notification of the deletion. But the remaining messages aren't
>> working as I expected them to (I think).
>>
>> I've configured MailScanner to modify the subject line of every e-mail
>> it touches to include {Scanned} at the beginning. (This is to let me -
>> and everyone else - know that MS is working) In addition I want all
>> SPAM messages flagged with {Spam} as the beginning of the subject line
>> and {Virus} for those that were found to have Viruses.
>>
>> To this point, all of the e-mail coming in (save the "Virus" message
>> mentioned above) have only had the word {Scanned} pre-pended to the
>> Subject Line. I've not seen the {Spam} label anywhere. Here are the
>> (I think) appropriate sections of the MailScanner.conf:
>>
>> ----
>> Scanned Modify Subject = start
>> Scanned Subject Text = {Scanned}
>> Virus Modify Subject = yes
>> Virus Subject Text = {Virus}
>> Filename Modify Subject = yes
>> Filename Subject Text = {Filename}
>> Spam Modify Subject = yes
>> Spam Subject Text = {Spam}
>> High Scoring Spam Modify Subject = yes
>> High Scoring Spam Subject Text = {Spam}
>> ----
>> Spam Checks = yes
>> Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)
>> Spam Domain List =
>> Spam Lists To Reach High Score = 5
>> Spam List Timeout = 10
>> Max Spam List Timeouts = 7
>> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
>> Is Definitely Spam = no
>> ----
>>
>> From this, is my description of how MailScanner should work valid?
>> Have I forgot to do something? What do I need to change/add/delete to
>> make it work as I describe?
>>
>> Thanks in advance.
>>
>> --
>> Kevin L. Collins, MCSE
>> Systems Manager
>> Nesbitt Engineering, Inc.
>>

From dh at UPTIME.AT Mon Sep 1 08:05:06 2003
From: dh at UPTIME.AT (David)
Date: Thu Jan 12 21:19:40 2006
Subject: Umlaut in languages.conf for German.
Message-ID: <9DC71316-DC4A-11D7-AA50-00039379E28A@uptime.at>

Hello all.
As I am not a total expert for Mail, I was wondering whether the Mail
Header is encoded in a special Charset as well?
When I send Mail through our gateway and do not correct languages.conf to
not contain Umlauts, the Message Header shows up mangled in my MUA (it's
Mail.app set to utf-8). Umlauts in the Body are displayed just fine.
When I alter the Umlauts to their alternative spelling (as in ä=ae, ö=oe,
ü=ue) everything shows up fine

-d

--
nee amata wo mitsukete soshite midoto wasrezu domma mi mumega itakutemo
soba mi iru mo zutto...zutto...zutto

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030901/c99f2634/attachment.bin

From pndiku at DSMAGIC.COM Mon Sep 1 08:37:06 2003
From: pndiku at DSMAGIC.COM (Peter C. Ndikuwera)
Date: Thu Jan 12 21:19:40 2006
Subject: Mailwatch 0.2 sql prob
In-Reply-To:
References:
Message-ID: <1062401826.16023.43.camel@mufasa.ds.co.ug>

Hi Chris.

Try this CustomConfig.pm. I got it by combining Mailwatch's version with
the default Mailscanner one. It's more efficient than my last hack in that
it only connects to the dB once per batch of messages rather than once per
message. It uses a temporary file, so doesn't have the default mailwatch
problem of losing the dB connection.

If you (and anyone else using mailwatch) like it I'll send a diff to the
mailwatch maintainer.

Peter

On Fri, 2003-08-29 at 15:22, Chris Campbell wrote:
> Hey Peter....
> Would you mind dumping your table schema for me? I think I messed stuff
> up... Your "hack" seems to work a little..... but
>
> Aug 29 08:21:32 nycexmx1 MailScanner[6895]: Cannot insert row: called with 20 bind variables when 2 are needed
>
>
> .....................................
> Christopher S. Campbell
> UNIX Admin
> First Albany Corp
> 518.447.8544
> chris.campbell@fac.com
>
>
> "Peter C. Ndikuwera"
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mailwatch 0.2 sql prob
> Sent by: MailScanner mailing list
> 08/29/03 03:16 AM
> Please respond to MailScanner mailing list
>
>
> Hi Daniel,
>
> I have a fix which is really a hack. I'm sure it's the wrong way to do
> it but it works for me. I've attached the relevant part of my
> CustomConfig.pm.
>
> Peter
> On Wed, 2003-08-27 at 17:14, Daniel Bird wrote:
> > Hi,
> > I noticed in the archives the same problem I'm having, but no solution:
> > I keep seeing this in the maillog:
> >
> > Cannot insert row: MySQL server has gone away
> >
> > I was wondering if anyone has had this problem and managed to find a fix?
> >
> > Regards
> > --
> > ____________________________________
> >
> > Daniel Bird
> > Network & Systems Manager
> > St. George's Hospital Medical School
> > Tooting
> > London SW17 0RE
> >
> > P: +44 20 8725 2897
> > F: +44 20 8725 3583
> > E: dan@sghms.ac.uk
> > ____________________________________
> >
> > Hex dump: Where witches put used curses...
> > "#define QUESTION ((bb) || !(bb)) - Shakespeare."
> (See attached file: SQLLogging.pm)
>
-------------- next part --------------
#
#   MailScanner - SMTP E-Mail Virus Scanner
#   Copyright (C) 2002 Julian Field
#
#   $Id: CustomConfig.pm,v 1.3.2.10 2003/08/11 20:35:40 jkf Exp $
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
#   The author, Julian Field, can be contacted by email at
#      Jules@JulianField.net
#   or by paper mail at
#      Julian Field
#      Dept of Electronics & Computer Science
#      University of Southampton
#      Southampton
#      SO17 1BJ
#      United Kingdom
#

package MailScanner::CustomConfig;

use strict 'vars';
use strict 'refs';
no strict 'subs'; # Allow bare words for parameter %'s

use vars qw($VERSION);

### The package version, both in 1.23 style *and* usable by MakeMaker:
$VERSION = substr q$Revision: 1.3.2.10 $, 10;

#
# These are the custom functions that you can write to produce a value
# for any configuration keyword that you want to do clever things such
# as retrieve values from a database.
#
# Your function may be passed a "message" object, and must return
# a legal value for the configuration parameter. No checking will be
# done on the result, for extra speed. If you want to find out what
# there is in a "message" object, look at Message.pm as they are all
# listed there.
#
# You must handle the case when no "message" object is passed to your
# function. In this case it should return a sensible default value.
#
# Return value: You must return the internal form of the result values.
#               For example, if you are producing a yes or no value,
#               you return 1 or 0. To find all the internal values
#               look in ConfigDefs.pl.
#
# For each function "FooValue" that you write, there needs to be a
# function "InitFooValue" which will be called when the configuration
# file is read. In the InitFooValue function, you will need to set up
# any global state such as create database connections, read more
# configuration files and so on.
#

##
## This is a trivial example function to get you started.
## You could use it in the main MailScanner configuration file like
## this:
##      VirusScanning = &ScanningValue
##
#sub InitScanningValue {
#  # No initialisation needs doing here at all.
#  MailScanner::Log::InfoLog("Initialising ScanningValue");
#}
#
#sub EndScanningValue {
#  # No shutdown code needed here at all.
#  # This function could log total stats, close databases, etc.
#  MailScanner::Log::InfoLog("Ending ScanningValue");
#}
#
## This will return 1 for all messages except those generated by this
## computer.
#sub ScanningValue {
#  my($message) = @_;
#
#  return 1 unless $message; # Default if no message passed in
#
#  return 0 if $message->{subject} =~ /jules/i;
#  return 1;
#
#  #my($IPAddress);
#  #$IPAddress = $message->{clientip};
#  #return 0 if $IPAddress eq '127.0.0.1';
#  #return 1;
#}

#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************

#
# This set of functions provides per-domain simple spam whitelists and
# blacklists. Each of the 2 directories set below contains 1 file for
# each domain, with the domain name being the filename. The file contains
# a list of entries, 1 per line, each one either being a full address:
#   user@domain.com
# or an entire domain:
#   domain.com
# The addresses contained in the file for a domain make up the entire
# spam whitelist or blacklist for that domain.
#
# For example, say you had /etc/MailScanner/spam.bydomain/whitelist/jules.fm
# which included the lines
#   soton.ac.uk
#   ecs.soton.ac.uk
#   jules@julianfield.net
#   123.234.45.56
# Then all mail from anything@soton.ac.uk, anything@ecs.soton.ac.uk or
# jules@julianfield.net would be whitelisted if it was heading to any
# address @jules.fm. Also all mail from IP address 123.234.45.56 would be
# whitelisted if it was heading to any address @jules.fm.
# The same thing works for the blacklist directory.
#
# Overall white and blacklists should be put in a file in each directory
# called 'default'.
#
# To enable these functions, set the following in your MailScanner.conf file:
#   Is Definitely Not Spam = &ByDomainSpamWhitelist
#   Is Definitely Spam     = &ByDomainSpamBlacklist
#

# Set these to be the location of your whitelist files and blacklist files
my $WhitelistDir = '/etc/MailScanner/spam.bydomain/whitelist';
my $BlacklistDir = '/etc/MailScanner/spam.bydomain/blacklist';

use DirHandle;
use FileHandle;
my(%Whitelist, %Blacklist);

#
# Initialise by-domain spam whitelist and blacklist
#
sub InitByDomainSpamWhitelist {
  MailScanner::Log::InfoLog("Starting up by-domain spam whitelist, " .
                            "reading from %s", $WhitelistDir);
  my $domains = CreateByDomainList($WhitelistDir, \%Whitelist);
  MailScanner::Log::InfoLog("Read whitelist for %d domains", $domains);
}

sub InitByDomainSpamBlacklist {
  MailScanner::Log::InfoLog("Starting up by-domain spam blacklist, " .
                            "reading from %s", $BlacklistDir);
  my $domains = CreateByDomainList($BlacklistDir, \%Blacklist);
  MailScanner::Log::InfoLog("Read blacklist for %d domains", $domains);
}

#
# Lookup a message in the by-domain whitelist and blacklist
#
sub ByDomainSpamWhitelist {
  my($message) = @_;
  return LookupByDomainList($message, \%Whitelist);
}

sub ByDomainSpamBlacklist {
  my($message) = @_;
  return LookupByDomainList($message, \%Blacklist);
}

#
# Close down the by-domain whitelist and blacklist
#
sub EndByDomainSpamWhitelist {
  MailScanner::Log::InfoLog("Closing down by-domain spam whitelist");
}

sub EndByDomainSpamBlacklist {
  MailScanner::Log::InfoLog("Closing down by-domain spam blacklist");
}

#
# Setup the per-domain spam white or black list.
# Note this doesn't do anything much in the way of syntax-checking the
# files, so they better be right! If there are duff lines in the files,
# they just won't produce any matches, they can't actually cause any harm.
#
sub CreateByDomainList {
  my($dirname, $BlackWhite) = @_;

  my($dir, $filename, $fh, $domains);

  $dir = new DirHandle;
  $dir->open($dirname) or return 0;
  $domains = 0; # Count the number of domains we have read
  while ($filename = $dir->read()) {
    next if $filename =~ /^\./;
    next unless -f "$dirname/$filename";

    $fh = new FileHandle;
    $fh->open("$dirname/$filename") or next;
    $filename = lc($filename); # Going to store the name in lower case

    while(<$fh>) {
      chomp;
      #print STDERR "Line is \"$_\"\n";
      s/#.*$//;          # Strip comments
      s/\S*:\S*//g;      # Strip any words with ":" in them
      s/^\s+//g;         # Strip leading whitespace
      s/^(\S+)\s.*$/$1/; # Use only the 1st word
      s/^\*\@//;         # Strip any leading "*@" they might have put in
      #print STDERR "Line is \"$_\"\n";
      next if /^$/;      # Strip blank lines

      $BlackWhite->{$filename}{lc($_)} = 1; # Store the whitelist entry
    }
    $fh->close();
    $domains++;
  }
  $dir->close();

  return $domains;
}

#
# Based on the address it is going to, choose the right spam white/blacklist.
# Return 1 if the "from" address is white/blacklisted, 0 if not.
#
sub LookupByDomainList {
  my($message, $BlackWhite) = @_;

  return 0 unless $message; # Sanity check the input

  # Find the "from" address and the first "to" address
  my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip);
  $from       = $message->{from};
  $fromdomain = $message->{fromdomain};
  @todomain   = @{$message->{todomain}};
  $todomain   = $todomain[0];
  @to         = @{$message->{to}};
  $to         = $to[0];
  $ip         = $message->{clientip};

  # It is in the list if either the exact address is listed,
  # or the domain is listed
  return 1 if $BlackWhite->{$to}{$from};
  return 1 if $BlackWhite->{$to}{$fromdomain};
  return 1 if $BlackWhite->{$to}{$ip};
  return 1 if $BlackWhite->{$todomain}{$from};
  return 1 if $BlackWhite->{$todomain}{$fromdomain};
  return 1 if $BlackWhite->{'default'}{$from};
  return 1 if $BlackWhite->{'default'}{$fromdomain};
  return 1 if $BlackWhite->{'default'}{$ip};

  # It is not in the list
  return 0;
}

#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************

###########################################################################
#
# Handy little feature to let you use the same MailScanner.conf file on
# lots of different hosts, where the only difference is the hostname.
# Just uncomment the "use Sys::Hostname" line and then set
#   Hostname = &Hostname
# in your MailScanner.conf to use this.
#
# Many thanks to Tony Finch for this.
#
###########################################################################

use Sys::Hostname;

my $hostname;

sub InitHostname {
  $hostname = hostname;
}

sub Hostname {
  return $hostname;
}

sub EndHostname {
  # nothing to do
}

#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************

###########################################################################
#
# This is a setup to do logging to an SQL database.
# For speed, the per-message logs are written to a tab-separated file
# during execution.
# When the child process dies of old age (or is politely killed), the
# log file is read and inserted into a database table.
#
# If you want to use this code, you must:
# 1. uncomment the "use DBI;" line just below this comment.
# 2. Read the README.sql-logging file in the docs directory
#    of the distribution.
#
###########################################################################

use IO::File;
use DBI;

my($logfile1);
my($hostname) = hostname; # Don't forget to uncomment Use Sys::Hostname above

# Modify this as necessary for your configuration
my($db_name) = "mailscanner";
my($db_host) = "localhost";
my($db_user) = "mailscanner";
my($db_pass) = "mailscanner";

# Initialise. All we need to do is create the temporary log files. These
# are created using tmpfile() to avoid security problems caused by any
# other process on the system being able to read (or even write!) to
# the log files. The files created are not accessible to any other processes
# at all, as they don't have an entry in a directory.
sub InitSQLLogging {
  MailScanner::Log::InfoLog("Initialising SQL Logging temp file");
  $logfile1 = IO::File->new_tmpfile or die "IO::File->new_tmpfile: $!";
  #$logfile->autoflush(1);
}

# Shutdown. Write all the log entries to the SQL database, then close
# the temporary log files. Closing them will also delete them as they were
# created with tmpfile().
sub EndSQLLogging {
  my(@fields);

  MailScanner::Log::InfoLog("Ending SQL Logging temp output " .
                            "and flushing to database");

  # Create database connection
  my($dbh) = DBI->connect("DBI:mysql:database=$db_name;host=$db_host",
                          $db_user, $db_pass, {PrintError => 0})
    or MailScanner::Log::DieLog("Cannot connect to the database: %s",
                                $DBI::errstr);

  # Rewind to start of logfile
  $logfile1->flush();
  seek($logfile1, 0, 0)
    or MailScanner::Log::DieLog("EndSQLLogging seek: %s", $!);

  while(<$logfile1>) {
    chomp;
    @fields = split(/\t/);
    print join(",", @fields);
    # Work through each field protecting any special characters such as single quote
    # The line below replaces ' with \'
    # @fields = map { s/\'/\\'/g } @fields;
    # ADD: Peter C. Ndikuwera. The above line doesn't seem to work...
    # Set any empty strings to NULL so the SQL insert works correctly
    @fields = map { ($_ eq '')?'NULL':"$_" } @fields;

    # Insert @fields into a database table
    my($sth) = $dbh->prepare("INSERT INTO maillog VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)");
    $sth->execute($fields[0],$fields[1],$fields[2],$fields[3],$fields[4],
                  $fields[5],$fields[6],$fields[7],$fields[8],$fields[9],
                  $fields[10],$fields[11],$fields[12],$fields[13],$fields[14],
                  $fields[15],$fields[16],$fields[17],$fields[18],$fields[19])
      or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
  }

  # Close database connection
  $dbh->disconnect();

  # Close and delete the temporary files (deletion is done automatically)
  $logfile1->close();
  MailScanner::Log::InfoLog("Database flush completed");
}

# Write all the log information for 1 message to the temporary file.
sub SQLLogging {
  my($message) = @_;

  # Get rid of control chars and tidy-up SpamAssassin report
  my $spamreport = $message->{spamreport};
  $spamreport =~ s/\n/ /g;
  $spamreport =~ s/\t//g;

  # Get timestamp, and format it so it is suitable to use with MySQL
  my($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
  my($timestamp) = sprintf("%d-%02d-%02d %02d:%02d:%02d",
                           $year+1900,$mon+1,$mday,$hour,$min,$sec);

  # Also print 1 line for each report about this message. These lines
  # contain all the info above, + the attachment filename and text of
  # each report.
  my($file, $text, @report_array);
  while(($file, $text) = each %{$message->{allreports}}) {
    $file = "the entire message" if $file eq "";
    # Use the sanitised filename to avoid problems caused by people forcing
    # logging of attachment filenames which contain nasty SQL instructions.
    # "||" rather than "or": "or" binds more loosely than "=", so the
    # fallback to the original name was never applied.
    $file = $message->{file2safefile}{$file} || $file;
    # /g so that every newline and tab is replaced; a stray one would
    # split or shift the fields of the tab-separated log line
    $text =~ s/\n/ /g; # Make sure text report only contains 1 line
    $text =~ s/\t/ /g; # and no tab characters
    push (@report_array, $text);
  }

  # Sanitize reports
  my $reports = join(",",@report_array);

  # Print 1 line for each message.
  print $logfile1 join("\t",
                       $timestamp,
                       $message->{id},
                       $message->{size},
                       $message->{from},
                       join(',', @{$message->{to}}),
                       $message->{subject},
                       $message->{clientip},
                       join(',', @{$message->{archiveplaces}}),
                       $message->{isspam},
                       $message->{ishigh},
                       $message->{issaspam},
                       $message->{isrblspam},
                       $message->{spamwhitelisted},
                       $message->{sascore},
                       $spamreport,
                       $message->{virusinfected},
                       $message->{nameinfected},
                       $message->{otherinfected},
                       $reports,
                       $hostname) .
                       "\n";
}

#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************

#
# This Custom Function provides a facility whereby some internal-only
# accounts can only send mail to other "internal" domain names, and cannot
# send mail to any other addresses apart from those domains.
#
# To use it, specify
#   Non Spam Actions = &InternalActions
#   Spam Actions = &InternalActions
#   High Scoring Spam Actions = &InternalActions
# in your MailScanner.conf file, having added this code to
# /usr/lib/MailScanner/MailScanner/CustomConfig.pm
#
# It uses a configuration file whose path is
my($InternalAccountList) = '/etc/MailScanner/internal.accounts.conf';
# to read lines that look like one of these
#   domain yourdomain.com
#   account local-only1
# These 2 lines in the file would define that a local email account
# "local-only1" could not send mail to any address except addresses
# @yourdomain.com.
# There can be many domains and many accounts specified, one per line.
#
# Mail from the internal-only accounts to external domains will have the
my($InternalFailAction) = 'delete';
# action applied to it. This can be any of the legal "spam actions" as
# defined in the MailScanner.conf file.
#

use FileHandle;

my(%InternalDomains, %InternalAccounts);

sub InitInternalActions {
  MailScanner::Log::InfoLog("Initialising Internal account list");

  my $listfile = new FileHandle;
  unless($listfile->open("<$InternalAccountList")) {
    MailScanner::Log::WarnLog("Could not read list of internal accounts " .
                              "from %s", $InternalAccountList);
    return;
  }

  my($keyword, $value);
  my $line = 0;
  my $domains = 0;
  my $accounts = 0;
  while(<$listfile>) {
    $line++;
    chomp;
    s/^#.*$//;
    s/^\s*//g;
    s/\s*$//g;
    next if /^$/;
    $keyword = undef;
    $value = undef;
    /^([^\s]+)\s*([^\s]+)$/;
    ($keyword, $value) = (lc($1), lc($2));
    $value =~ s/\@.*$//; # Delete the @ and everything after it
    if ($keyword =~ /domain/i) {
      #print STDERR "Storing domain $value\n";
      $InternalDomains{$value} = 1;
      $domains++;
    } elsif ($keyword =~ /account|user/i) {
      #print STDERR "Storing account $value\n";
      $InternalAccounts{$value} = 1;
      $accounts++;
    } else {
      MailScanner::Log::WarnLog("Syntax error in %s at line %d",
                                $InternalAccountList, $line);
    }
  }
  $listfile->close();
  MailScanner::Log::InfoLog("Internal Account List read %d domains and %d " .
                            "accounts", $domains, $accounts);
}

sub EndInternalActions {
  # No shutdown code needed here at all.
  MailScanner::Log::InfoLog("Shutting down internal accounts list");
}

# This will return 1 for all messages except those generated by this
# computer.
# This will return "deliver" for all internal mail as requested,
# and $InternalFailAction for everything else.
sub InternalActions {
  my($message) = @_;

  return 'deliver' unless $message; # Default if no message passed in
  return 'deliver' unless $message->{from}; # Default if duff message

  my($fromac, $fromdomain, $todomain);
  $fromac = lc($message->{from});
  $fromdomain = $fromac;
  $fromac =~ s/\@.*$//;     # Leave everything before @
  $fromdomain =~ s/^.*\@//; # Leave everything after @

  # Is it coming from inside?
  #print STDERR "Testing $fromdomain\n";
  #print STDERR "Answer is " . $InternalDomains{$fromdomain} . "\n";
  return 'deliver' unless $InternalDomains{$fromdomain};
  #print STDERR "$fromdomain passed internaldomains test\n";

  # and is it coming from an internal-only address?
return 'deliver' unless $InternalAccounts{$fromac}; #print STDERR "$fromac passed internalaccounts test\n"; # Fail if it is being delivered to *any* external addresses foreach $todomain (@{$message->{todomain}}) { $todomain = lc($todomain); #print STDERR "Testing $todomain\n"; unless ($InternalDomains{$todomain}) { MailScanner::Log::WarnLog("Internal-only account %s attempted to " . "send mail to external address \@%s", $fromac, $todomain); return $InternalFailAction; } } # Passed that, so it must be only going to internal addresses return 'deliver'; } 1; From David.While at UCE.AC.UK Mon Sep 1 08:54:20 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:19:40 2006 Subject: ClamAV missing Sobig.F Message-ID: <107DE25EC0216C45AEF670016024245F64417B@exchangea.staff.uce.ac.uk> I use ClamAV and it picks up Sobig.F just fine - so far 453 and rising! David While -----Original Message----- From: Gerry Doris [mailto:gerry@DORFAM.CA] Sent: Mon 01/09/2003 02:36 To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: ClamAV missing Sobig.F I've noticed that ClamAV seems to be missing Sobig.F (or a variant). F-Prot and Trend are picking them up but ClamAV is letting them right through. I've even tried scanning the quarantine directory with each of the three scanners. ClamAV can't find the virus but the other two do. And before you ask...yes, I have the latest ClamAV data files. I even did a freshclam to be sure. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From eja at URBAKKEN.DK Mon Sep 1 08:53:15 2003 
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:19:40 2006
Subject: Mails
Message-ID: <3F52FAEB.2010708@urbakken.dk>

Hi.

I can see, that my MailScanner does work, but it seems, that it puts
incoming mails in /var/spool/postfix/incoming:

/var/spool/postfix/incoming/0/3 # ls -l
total 12
drwxr-xr-x 2 postfix postfix 112 Sep 1 09:37 .
drwxr-xr-x 5 postfix postfix 120 Sep 1 09:37 ..
-rwx------ 1 postfix postfix 5541 Sep 1 08:54 03CBE2EB61
-rwx------ 1 postfix postfix 2798 Sep 1 09:37 03CBE37A08

I think it should have been /var/spool/postfix.in/incoming ?.

Am I right, and if, what should be changed in my setup ?.

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From Antony at SOFT-SOLUTIONS.CO.UK Mon Sep 1 09:35:24 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:40 2006
Subject: ClamAV missing Sobig.F
In-Reply-To:
References:
Message-ID: <200309010835.h818ZS501908@onyx.rockstone.co.uk>

On Monday 01 September 2003 2:36 am, Gerry Doris wrote:

> I've noticed that ClamAV seems to be missing Sobig.F (or a variant).
> F-Prot and Trend are picking them up but ClamAV is letting them right
> through.

Please email one of these files to my address.

Regards,

Antony.

--
All matter in the Universe can be placed into one of two categories:

1. things which need to be fixed
2. things which will need to be fixed once you've had a few minutes to play
   with them

From michele at BLACKNIGHTSOLUTIONS.COM Mon Sep 1 09:39:44 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions)
Date: Thu Jan 12 21:19:40 2006
Subject: Upgrade: werid problem
Message-ID: <200309010839.h818ddt27127@camelot.blacknightsolutions.com>

Hi

I just tried to upgrade MailScanner from the previous version to the latest
on a client's server, but the MailScanner.conf.rpmnew is not to be found
anywhere.
Any ideas?

I ran the upgrade successfully on another server yesterday running the same
version of RH, so I am a little confused

M

#########################################################
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance to it is prohibited.

From dh at UPTIME.AT Mon Sep 1 10:00:59 2003
From: dh at UPTIME.AT (David)
Date: Thu Jan 12 21:19:40 2006
Subject: Never Notify Senders Of Precedence --> not working?
Message-ID:

Hello. Once again it is me. Using the latest Stable release I set:

Never Notify Senders Of Precedence = list bulk

I just received a Mail (even from this list) which has:

Precedence: list

But was marked as:

spam, SpamAssassin (Wertung=4.1, benoetigt 4.1, FORGED_MUA_OUTLOOK 3.48,
MISSING_OUTLOOK_NAME 0.58)

Is there anything I setup wrongly?

Thanks

-d

-- nee amata wo mitsukete soshite midoto wasrezu
   domma mi mumega itakutemo soba mi iru mo
   zutto...zutto...zutto

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030901/24134954/attachment.bin

From m.sapsed at BANGOR.AC.UK Mon Sep 1 10:08:56 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:19:40 2006
Subject: What's Going on here?
References: <005601c36e70$f4d5f140$9c01a8c0@home.middlefinger.net>
Message-ID: <3F530CA8.9030803@bangor.ac.uk>

Mike Kercher wrote:
> I've seen several emails come through that look like they got past Sophos,
> but the filename alone caught it. For the most part, Sophos says the
> attachment is infected with Sobig. Thoughts?

If I understand you correctly, you're seeing attachments which you would
expect to be Sobig-F. The filename rules pick them up but Sophos doesn't?

I've seen a few instances like this and having quarantined them, I sent
them to Sophos. They were all broken copies. I've also sometimes seen
Sobig-like attachments which were in fact empty. There were quite a lot
like this with Bugbear which caused them to issue the Bugbear-Dam ide.

Cheers,

Martin

--
Martin Sapsed Information Services
"Who do you say I am?" University of Wales, Bangor
Jesus of Nazareth

From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:30:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:41 2006
Subject: Trend Autoupdate broken in 4.23-10
In-Reply-To: <3F529038.90001@sghms.ac.uk>
Message-ID: <5.2.0.9.2.20030901103028.066c2b40@imap.ecs.soton.ac.uk>

Thanks for that. I'll put out a -11 soon with this in it.

At 01:18 01/09/2003, you wrote:
>Dear all,
>The trend autoupdate in 4.23-10 is broken. Attached is a fixed version.
>
>Dan
>
>--
>____________________________________
>
>Daniel Bird
>Network & Systems Manager
>St. George's Hospital Medical School
>Tooting
>London SW17 0RE
>
>P: +44 20 8725 2897
>F: +44 20 8725 3583
>E: dan@sghms.ac.uk
>____________________________________
>
>Hex dump: Where witches put used curses...
>"#define QUESTION ((bb) || !(bb)) - Shakespeare."
>
>
>#!/bin/sh
>
># Trend Autoupdate Script.
># V0.1 Dan Bird. dbird@sghms.ac.uk
># 12/08/2003
>
>
>OPRINI=opr.ini.$$
>export OPRINI
>
># source of IScan dat files
>FTPSERV="ftp://ftp.antivirus.com/products/pattern/"
>
># Get the info on new version...
>echo "Checking for latest DAT version..."
>wget -q -O /tmp/$OPRINI $FTPSERV/opr.ini
>NEWVER=`grep PatternVersion /tmp/opr.ini.$$ | sed s/^PatternVersion=//g |
>cut -c 1-3`
>
># What's out current version?
>CURRENTVER=`ls /etc/iscan/* | grep lpt | tail -1 | cut -d. -f 2`
>
>if [ "$CURRENTVER" = "" ]
>then
>    CURRENTVER=0
>fi
>echo "Current version is : $CURRENTVER"
>
>fail () {
>    trap EXIT
>    echo "Test run failed -- removing bad Trend data files"
>    echo "$OUT"
>    rm -rf /etc/iscan/lpt*$NEWVER*
>    exit 1
>}
>
># If our current one is older, download the new one!!!
>if [ $CURRENTVER -lt $NEWVER ]
>then
>    echo "Getting new DAT version : $NEWVER"
>    wget -q -P /tmp $FTPSERV/lpt$NEWVER.zip
>    printf "Testing file for corruption...."
>
>    DATCHECK=`unzip -o -t /tmp/lpt$NEWVER.zip | grep "No errors"`
>
>    if [ "$DATCHECK" != "" ]
>    then
>        echo "OK"
>        mv /tmp/lpt$NEWVER.zip /etc/iscan
>        printf "installing...."
>        cd /etc/iscan
>        unzip -q -o lpt$NEWVER.zip
>        echo "DONE"
>    else
>        echo "BAD ARCHIVE"
>    fi
>
>    trap fail EXIT
>    CMD="/opt/trend/ISBASE/IScan.BASE/vscan -v 2>&1"
>    OUT=`$CMD`
>    case "$OUT" in
>    *"read pattern failed"* | \
>    *"invalid pattern file"* | \
>    *"pattern file not found"* | \
>    *"incorrect pattern format"* | \
>    *"read error"* | \
>    *"out of memory"* )
>        fail
>        ;;
>    esac
>    trap EXIT
>
>else
>    echo "DAT files are upto date"
>fi
>rm -f /tmp/*.zip /tmp/$OPRINI /etc/iscan/*.zip

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:34:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:41 2006
Subject: Never Notify Senders Of Precedence --> not working?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030901103337.04da4c90@imap.ecs.soton.ac.uk>

The contents of the spam report has nothing to do with stopping sender
notifications.

At 10:00 01/09/2003, you wrote:
>Hello. Once again it is me. Using the latest Stable release I set:
>
>Never Notify Senders Of Precedence = list bulk
>
>I just received a Mail (even from this list) which has:
>
>Precedence: list
>
>But was marked as:
>
>spam, SpamAssassin (Wertung=4.1, benoetigt 4.1, FORGED_MUA_OUTLOOK 3.48,
>MISSING_OUTLOOK_NAME 0.58)
>
>
>Is there anything I setup wrongly?
>
>Thanks
>
>-d
>
>-- nee amata wo mitsukete soshite midoto wasrezu
>   domma mi mumega itakutemo soba mi iru mo
>   zutto...zutto...zutto
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:04:57 2003
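Added example, not part of Dan Bird's script or of MailScanner: the autoupdate script quoted above under "Trend Autoupdate broken in 4.23-10" takes NEWVER from a downloaded opr.ini, then uses it unquoted in a numeric test and in an rm -rf glob, and it writes to fixed names under /tmp. The code below shows one way to validate that value and to stage files privately; the function names, the staging-directory template and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: defensive handling of the remote-supplied pattern version.
# Only the "PatternVersion=" key and the lpt*VERSION* glob come from the
# quoted script; everything else here is constructed.

# Succeed only for a non-empty string made of decimal digits.
is_number() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Print the PatternVersion found in the opr.ini-style file $1 (first match,
# CR stripped, same 3-character cut as the quoted script). Returns 1 and
# prints nothing if the value is missing or not numeric.
parse_pattern_version() {
    ppv_raw=$(sed -n 's/^PatternVersion=//p' "$1" 2>/dev/null |
              head -n 1 | tr -d '\r' | cut -c 1-3)
    is_number "$ppv_raw" || return 1
    printf '%s\n' "$ppv_raw"
}

# Return 0 if new ($2) is greater than current ($1), 1 if it is not, and 2
# if either value is not a number, so a bad download never looks "newer".
needs_update() {
    is_number "$1" && is_number "$2" || return 2
    [ "$2" -gt "$1" ]
}

# Create a private, unpredictably named staging directory instead of using
# fixed paths such as /tmp/opr.ini.$$ from a job that runs as root.
make_staging_dir() {
    mktemp -d "${TMPDIR:-/tmp}/trend-update.XXXXXX"
}

# Roll back the pattern files of one version in directory $1. A non-numeric
# version is refused: with an empty value the glob lpt*$ver* becomes lpt**
# and would match every pattern file in the directory.
remove_pattern_version() {
    rpv_dir=$1
    rpv_ver=$2
    is_number "$rpv_ver" || return 1
    for rpv_f in "$rpv_dir"/lpt*"$rpv_ver"*; do
        [ -f "$rpv_f" ] && rm -f -- "$rpv_f"
    done
    return 0
}

# Walk through the checks on constructed data inside a throwaway directory.
demo() {
    d=$(make_staging_dir) || return 1
    printf 'PatternVersion=618\r\n' > "$d/good.ini"    # constructed sample
    printf 'PatternVersion=\n' > "$d/empty.ini"        # constructed: truncated download
    : > "$d/lpt_sample.617"                            # constructed file names
    : > "$d/lpt_sample.618"

    new=$(parse_pattern_version "$d/good.ini") && echo "parsed version: $new"
    parse_pattern_version "$d/empty.ini" >/dev/null || echo "empty version rejected"
    needs_update 617 "$new" && echo "update needed"
    remove_pattern_version "$d" "" || echo "refused rollback with empty version"
    remove_pattern_version "$d" "$new" && echo "remaining: $(ls "$d" | tr '\n' ' ')"
    rm -rf -- "$d"
}

demo
```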
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:41 2006
Subject: ANNOUNCE: Stable 4.23-10 released
In-Reply-To: <3F51F743.437479E8@whidbey.com>
References: <5.2.1.1.2.20030831114301.03769108@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030901100432.05c97680@imap.ecs.soton.ac.uk>

At 14:25 31/08/2003, you wrote:
>I just ran the installer and was about to update_MailScanner_conf when I
>noticed
>there was no MailScanner.conf.rpmnew this time. Is that a fluke, or is
>there no
>change between the 4.23-9 and 4.23-10 configuration files?

Correct. I don't think I added any new options to -10 that weren't in -9.

>Van
>
>Julian Field wrote:
>
> > Folks,
> >
> > I have just released a new "stable" version of MailScanner. There are many
> > improvements and some fixes this time, rather more than I can easily list
> > for you here, so please see the ChangeLog which is at the bottom of this
> > message.
> >
>
>--
>----------------------------------------------------------
>Sign up now for Quotes of the Day, a handful of quotations
>on a theme delivered every morning.
>Enlightenment! Daily, for free!
>mailto:twisted@whidbey.com?subject=Subscribe_QOTD
>
>For web hosting and maintenance,
>visit Van's home page: http://www.domainvanhorn.com/van/
>----------------------------------------------------------

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:32:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:41 2006
Subject: ANNOUNCE: Stable 4.23-10 released
In-Reply-To:
References: <5.2.1.1.2.20030831114301.03769108@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030901103242.04d53c90@imap.ecs.soton.ac.uk>

This will be in -11 as well.

At 01:47 01/09/2003, you wrote:
>Hi!
>
> > I have just released a new "stable" version of MailScanner. There are many
> > improvements and some fixes this time, rather more than I can easily list
> > for you here, so please see the ChangeLog which is at the bottom of this
> > message.
>
>Seems to run just fine! Just upgraded.
>
>I noticed in the spam.lists.conf that the two BAD ones are still listed:
>
>osirusoft / SPEWS
>
>Could you take those out in an upcoming package ? =)
>
>I don't think it's wise to put them inside the standard configs anymore.
>
>And perhaps put in also NJABL, I am getting very good results with that
>one also...
>
>NJABL dnsbl.njabl.org
>
>Bye,
>Raymond.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:17:30 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:41 2006
Subject: Syntax for subject checking
In-Reply-To: <3F52046A.30205@platformhosting.com>
References: <200308311401.h7VE1O531429@onyx.rockstone.co.uk>
 <5C0296D26910694BB9A9BBFC577E7AB0015A7822@pascal.priv.bmrb.co.uk>
 <1062331718.21910.92.camel@bach.kevinspicer.co.uk>
 <3F51FB8D.1356EFB1@whidbey.com>
 <200308311401.h7VE1O531429@onyx.rockstone.co.uk>
Message-ID: <5.2.0.9.2.20030901101658.06696e70@imap.ecs.soton.ac.uk>

The reason you can't find it is that it's not there. Sorry.
I have been trying to come up with a decent answer to this problem myself,
too.

At 15:21 31/08/2003, you wrote:
>Hi All,
>
>I'm trying to implement the Is Definitely Spam feature based on a tag
>[Possible Spam] in the subject ideally if this exists, MS should realise
>this is definitely spam, log it as such and then look for the action it
>should take based on the users domain name etc..
>
>How would I do this in the Is Definitely Spam ruleset file? I've tried
>a few combinations and looked in the examples file, but it only seems to
>cover To and or From fields..
>--
>Regards,
>
>David Hooton
>Senior Partner
>Platform Hosting
>1300 85 HOST
>www.platformhosting.com
>
>
>========================================================================
> This message has been scanned for viruses and unsafe content by
> Platform MailScanner
>
> To report SPAM forward the message to: spam@platformhosting.com
> To report incorrectly tagged messages: notspam@platformhosting.com
>
> Platform MailScanner - http://mailscanner.platformhosting.com/
> Platform Hosting - http://www.platformhosting.com/
>
>========================================================================

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From david at PLATFORMHOSTING.COM Mon Sep 1 10:42:40 2003
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:19:41 2006
Subject: Syntax for subject checking
In-Reply-To: <5.2.0.9.2.20030901101658.06696e70@imap.ecs.soton.ac.uk>
References: <200308311401.h7VE1O531429@onyx.rockstone.co.uk>
 <5C0296D26910694BB9A9BBFC577E7AB0015A7822@pascal.priv.bmrb.co.uk>
 <1062331718.21910.92.camel@bach.kevinspicer.co.uk>
 <3F51FB8D.1356EFB1@whidbey.com>
 <200308311401.h7VE1O531429@onyx.rockstone.co.uk>
 <5.2.0.9.2.20030901101658.06696e70@imap.ecs.soton.ac.uk>
Message-ID: <3F531490.4020009@platformhosting.com>

I've managed to implement a SpamAssassin rule to do this, but it would
still be great to make this something that didn't require SA.

I look forward to seeing the result of your head scratching :)

--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

Julian Field wrote:

> The reason you can't find it is that it's not there. Sorry.
> I have been trying to come up with a decent answer to this problem
> myself, too.
>
> At 15:21 31/08/2003, you wrote:
>
>> Hi All,
>>
>> I'm trying to implement the Is Definitely Spam feature based on a tag
>> [Possible Spam] in the subject ideally if this exists, MS should realise
>> this is definitely spam, log it as such and then look for the action it
>> should take based on the users domain name etc..
>>
>> How would I do this in the Is Definitely Spam ruleset file? I've tried
>> a few combinations and looked in the examples file, but it only seems to
>> cover To and or From fields..
>> --
>> Regards,
>>
>> David Hooton
>> Senior Partner
>> Platform Hosting
>> 1300 85 HOST
>> www.platformhosting.com
>>
>>
>> ========================================================================
>> This message has been scanned for viruses and unsafe content by
>> Platform MailScanner
>>
>> To report SPAM forward the message to: spam@platformhosting.com
>> To report incorrectly tagged messages: notspam@platformhosting.com
>>
>> Platform MailScanner - http://mailscanner.platformhosting.com/
>> Platform Hosting - http://www.platformhosting.com/
>>
>> ========================================================================
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> ========================================================================
> This message has been scanned for viruses and unsafe content by
> Platform MailScanner
>
> To report SPAM forward the message to: spam@platformhosting.com
> To report incorrectly tagged messages: notspam@platformhosting.com
>
> Platform MailScanner - http://mailscanner.platformhosting.com/
> Platform Hosting - http://www.platformhosting.com/
>
> ========================================================================
>
>
>

========================================================================
This message has been scanned for viruses and unsafe content by
Platform MailScanner

To report SPAM forward the message to: spam@platformhosting.com
To report incorrectly tagged messages: notspam@platformhosting.com

Platform MailScanner - http://mailscanner.platformhosting.com/
Platform Hosting - http://www.platformhosting.com/

========================================================================

From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:58:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:41 2006
Subject: Mails
In-Reply-To: <3F52FAEB.2010708@urbakken.dk>
Message-ID: <5.2.0.9.2.20030901105806.05c1cf60@imap.ecs.soton.ac.uk>

It's putting the mail in the right place. Postfix should get kicked to
request a delivery of it. Please check your mail log for any clues.

At 08:53 01/09/2003, you wrote:
>Hi.
>
>I can see, that my MailScanner does work, but it seems, that it puts
>incoming mails in /var/spool/postfix/incoming:
>
>/var/spool/postfix/incoming/0/3 # ls -l
>total 12
>drwxr-xr-x 2 postfix postfix 112 Sep 1 09:37 .
>drwxr-xr-x 5 postfix postfix 120 Sep 1 09:37 ..
>-rwx------ 1 postfix postfix 5541 Sep 1 08:54 03CBE2EB61
>-rwx------ 1 postfix postfix 2798 Sep 1 09:37 03CBE37A08
>
>I think it should have been /var/spool/postfix.in/incoming ?.
>
>Am I right, and if, what should be changed in my setup ?.
>
>--
>Med venlig hilsen - Best regards.
>Erik Jakobsen - eja@urbakken.dk.
>Licensed radioamateur with the callsign OZ4KK.
>SuSE Linux 8.2 Proff.
>Registered as user #319488 with the Linux Counter, http://counter.li.org.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:57:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:41 2006
Subject: Tagging the subject line of e-mail
In-Reply-To:
Message-ID: <5.2.0.9.2.20030901105651.05c09ba0@imap.ecs.soton.ac.uk>

Can you give us an example of what you mean?

At 04:54 01/09/2003, you wrote:
>Did this ever get resolved?
>
>I just upgraded from 4.21-9 to 4.23-10 and no longer get any of the subject
>line modifications notices that use the curly brackets, other than if I set
>"Scanned Modify Subject" , for example any violation be it a virus ,bad file
>name/type receives the subject line "Warning: E-mail viruses detected", I
>haven't had a spam message yet to see if that notification has also stopped
>working
>
>from my conf file
>Virus Modify Subject = yes
>Virus Subject Text = {Virus?}
>Filename Modify Subject = yes
>Filename Subject Text = {Filename?}
>Content Modify Subject = yes
>Content Subject Text = {Dangerous Content?}
>Spam Modify Subject = yes
>Spam Subject Text = {Spam?}
>High Scoring Spam Modify Subject = yes
>High Scoring Spam Subject Text = {Spam?}
>
>running perl 5.6.0
>
>regards
>
>ash
>
>On Wed, 20 Aug 2003 07:41:27 -0400, Collins, Kevin
> wrote:
>
> >Mike,
> >
> >Thanks for responding.
> >
> >I'm planning on adding SpamAssassin later in the project. Is it required to
> >make the system function as I want? I didn't get that from the
> >documentation. The way I read the docs, SpamAssassin just improves
> >MailScanner's abilities.
> >
> >Kevin
> >
> >> -----Original Message-----
> >> From: Mike Kercher [mailto:mike@CAMAROSS.NET]
> >> Sent: Tuesday, August 19, 2003 1:59 PM
> >> To: MAILSCANNER@JISCMAIL.AC.UK
> >> Subject: Re: Tagging the subject line of e-mail
> >>
> >>
> >> Are you using SpamAssassin? If not, I'd HIGHLY recommend it!
> >> You can also
> >> set Log Spam = yes and watch your maillog after restarting
> >> MailScanner.
> >>
> >> Mike
> >>
> >>
> >> -----Original Message-----
> >> From: MailScanner mailing list
> >> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> >> Of Collins, Kevin
> >> Sent: Tuesday, August 19, 2003 12:31 PM
> >> To: MAILSCANNER@JISCMAIL.AC.UK
> >> Subject: Tagging the subject line of e-mail
> >>
> >>
> >> Hi!
> >>
> >> I've just completed installing MS v4.22-5 onto a Red Hat 8
> >> machine to act as
> >> my company's "SPAM Filter". First, I want to say THANKS for
> >> creating such a
> >> project and for making it available to the masses for free.
> >>
> >> A little background:
> >>
> >> MailScanner machine:
> >> Red Hat 8.0 (fully up2dated)
> >> Sendmail 8.12.8
> >> Perl 5.8.0
> >> ClamAV 0.60 (compiled from source)
> >> Sendmail set to relay everything to internal Exchange Server
> >>
> >> Everything seems to be working fine - I've even let a few e-mails pass
> >> through the machine for testing. Which is why I'm writing; I
> >> now have a
> >> question.
> >>
> >> First, of the 20 some odd messages that have passed through
> >> MailScanner, it
> >> has tagged 3 as SPAM and one of them as having a Virus
> >> (actually it was an
> >> HTML Form in the message). The "Virus" message behaved as
> >> expected - the
> >> e-mail was deleted and not passed on and I got a notification of the
> >> deletion. But the remaining messages aren't working as I
> >> expected them to
> >> (I think).
> >>
> >> I've configured MailScanner to modify the subject line of
> >> every e-mail it
> >> touches to include {Scanned} at the beginning. (This is to
> >> let me - and
> >> everyone else - know that MS is working) In addition I want all SPAM
> >> messages flagged with {Spam} as the beginning of the subject line and
> >> {Virus} for those that were found to have Viruses.
> >>
> >> To this point, all of the e-mail coming in (save the "Virus" message
> >> mentioned above) have only had the word {Scanned} pre-pended
> >> to the Subject
> >> Line. I've not seen the {Spam} label anywhere. Here are the
> >> (I think)
> >> appropriate sections of the MailScanner.conf:
> >>
> >> ----
> >> Scanned Modify Subject = start
> >> Scanned Subject Text = {Scanned}
> >> Virus Modify Subject = yes
> >> Virus Subject Text = {Virus}
> >> Filename Modify Subject = yes
> >> Filename Subject Text = {Filename}
> >> Spam Modify Subject = yes
> >> Spam Subject Text = {Spam}
> >> High Scoring Spam Modify Subject = yes
> >> High Scoring Spam Subject Text = {Spam}
> >> ----
> >> Spam Checks = yes
> >> Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except
> >> .ac.uk)
> >> Spam Domain List =
> >> Spam Lists To Reach High Score = 5
> >> Spam List Timeout = 10
> >> Max Spam List Timeouts = 7
> >> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
> >> Is Definitely Spam = no
> >> ----
> >>
> >> >From this, is my description of how MailScanner should work valid?
> >> >Have I
> >> forgot to do something? What do I need to change/add/delete
> >> to make it work
> >> as I describe?
> >>
> >> Thanks in advance.
> >>
> >> --
> >> Kevin L. Collins, MCSE
> >> Systems Manager
> >> Nesbitt Engineering, Inc.
> >>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From slwatts at WINCKWORTHS.CO.UK Mon Sep 1 11:27:38 2003
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:19:41 2006
Subject: Syntax for subject checking
Message-ID:

Hmm... It's a shame a generic subject checking mechanism couldn't be
implemented. For instance:

Create MS new config item:

CheckSubject Rules = /path/to/subject.ruleset

Subject.ruleset:
#subject text to match    action      option
"[definitely spam]"       -           /path/to/spamaction.by.domain
"..JK.."                  sign        /path/to/JK.sign.rules
"..personal.."            attachsig   /path/to/personal.sign.rules
Default                   sign        /path/to/default.sign.rules

Where spam.by.domain contains the actual action to take:

TO: *@mydomain.com Delete
TO: *@testdomain.com Attach, deliver

And if you could have an action in the subject.ruleset like: consume
whereby the search text is also removed from the subject then it would be
great! So you may have:

"..JK.."                  sign, consume   /path/to/JK.sign.rules

Not too sure how much sense this makes - but it would appear to kill two
birds with one stone (for my requirement anyway!). But I guess it would
take a fair bit of re-writing to do :-(

Sam

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 01 September 2003 10:18
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Syntax for subject checking

The reason you can't find it is that it's not there. Sorry.
I have been trying to come up with a decent answer to this problem myself,
too.

At 15:21 31/08/2003, you wrote:
>Hi All,
>
>I'm trying to implement the Is Definitely Spam feature based on a tag
>[Possible Spam] in the subject ideally if this exists, MS should realise
>this is definitely spam, log it as such and then look for the action it
>should take based on the users domain name etc..
>
>How would I do this in the Is Definitely Spam ruleset file? I've tried
>a few combinations and looked in the examples file, but it only seems
>to cover To and or From fields..
>--
>Regards,
>
>David Hooton
>Senior Partner
>Platform Hosting
>1300 85 HOST
>www.platformhosting.com
>
>
>=======================================================================
>=
> This message has been scanned for viruses and unsafe content by
> Platform MailScanner
>
> To report SPAM forward the message to: spam@platformhosting.com To
> report incorrectly tagged messages: notspam@platformhosting.com
>
> Platform MailScanner - http://mailscanner.platformhosting.com/
> Platform Hosting - http://www.platformhosting.com/
>
>=======================================================================
>=

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

--------------
Winckworth Sherwood
Solicitors and Parliamentary Agents
DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR
Telephone 020 7593 5000 Fax 020 7593 5099

Do something amazing! The firm is supporting a charitable bike ride through
Vietnam and needs your help. For further information please visit
http://www.vietnambikeride.org

-Confidentiality-
This email message and any attachments are confidential; they may be
subject to legal professional privilege and are intended for the named
recipient only. If you are not the named recipient, please return the
message and enclosures immediately and delete them from your system.

-Caution-
Before advice received only by email (whether by attachment or otherwise)
may be relied on, the authenticity of the communication must be verified by
means independent of email.

-Regulation-
The firm is regulated by the Law Society.

-Partners-
A list of partners is available for inspection at each office of the firm
and on the firm's website at http://www.winckworths.co.uk

From mailscanner at ecs.soton.ac.uk Mon Sep 1 11:01:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:41 2006
Subject: Upgrade: werid problem
In-Reply-To: <200309010839.h818ddt27127@camelot.blacknightsolutions.com>
Message-ID: <5.2.0.9.2.20030901105854.066e2bc0@imap.ecs.soton.ac.uk>

If the MailScanner.conf file hasn't changed from the previous version you
had installed, then there is no need for a .rpmnew file so it won't create
one.

At 09:39 01/09/2003, you wrote:
>Hi
>
>I just tried to upgrade MailScanner from the previous version to the latest
>on a client's server, but the MailScanner.conf.rpmnew is not to be found
>anywhere.
>Any ideas?
>
>I ran the upgrade successfully on another server yesterday running the same
>version of RH, so I am a little confused
>
>M
>
>
>
>#########################################################
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance to it is prohibited.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Sep 1 11:03:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: Syntax for subject checking In-Reply-To: <3F531490.4020009@platformhosting.com> References: <5.2.0.9.2.20030901101658.06696e70@imap.ecs.soton.ac.uk> <200308311401.h7VE1O531429@onyx.rockstone.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0015A7822@pascal.priv.bmrb.co.uk> <1062331718.21910.92.camel@bach.kevinspicer.co.uk> <3F51FB8D.1356EFB1@whidbey.com> <200308311401.h7VE1O531429@onyx.rockstone.co.uk> <5.2.0.9.2.20030901101658.06696e70@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030901110230.05c17b70@imap.ecs.soton.ac.uk> At 10:42 01/09/2003, you wrote: >I've managed to implement a SpamAssassin rule to do this, but it would >still be great to make this something that didn't require SA. > >I look forward to seeing the result of your head scratching :) You may be able to do this with MCP. This is still in development but take a look at http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp >-- >Regards, > >David Hooton >Senior Partner >Platform Hosting >1300 85 HOST >www.platformhosting.com > > >Julian Field wrote: > >>The reason you can't find it is that it's not there. Sorry. >>I have been trying to come up with a decent answer to this problem >>myself, too. >> >>At 15:21 31/08/2003, you wrote: >> >>>Hi All, >>> >>>I'm trying to implement the Is Definately Spam feature based on a tag >>>[Possible Spam]in the subject ideally if this exists, MS should realise >>>this is definately spam, log it as such and then look for the action it >>>should take based on the users domain name etc.. >>> >>>How would I do this in the Is Definately Spam ruleset file? I've tried >>>a few combinations and looked in the examples file, but it only seems to >>>cover To and or From fields.. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From michele at BLACKNIGHTSOLUTIONS.COM Mon Sep 1 11:37:12 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions) Date: Thu Jan 12 21:19:41 2006 Subject: Upgrade: werid problem In-Reply-To: <5.2.0.9.2.20030901105854.066e2bc0@imap.ecs.soton.ac.uk> Message-ID: <200309011037.h81Ab7h07901@camelot.blacknightsolutions.com> > If the MailScanner.conf file hasn't changed from the previous > version you had installed, then there is no need for a > .rpmnew file so it won't create one. > Okay, but when I upgraded from version 9 to version 10 on another box it was created as there were a number of additions to the configuration options introduced by the new release. (Now I am rather confused :-( ) ######################################################### This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited. From Kevin.Spicer at BMRB.CO.UK Mon Sep 1 11:55:42 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:41 2006 Subject: Syntax for subject checking Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649670@pascal.priv.bmrb.co.uk> > You may be able to do this with MCP. This is still in development but > take a look at > http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp > That's looking very interesting. One question, presumably this produces a report in the same manner as SA (i.e. test names but no description) so any 'describe' definitions you create will be effectively ignored (although SA may require them to be present?). If this is the case then it is a shame since it would be nice to be able to include in the report expressions such as.. "Contained profanity" "Contained the URL of a listed porn site" "Contained Bomb making instructions" etc... BTW I spotted a couple of oddities on the web page (presumably from when you renamed TCP to MCP) - all in the cut n' paste section from MailScanner.conf. # MCP (Text Content Protection) should presumably be # MCP (Message Content Protection) and there are two mentions of TCP rather than MCP BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Mon Sep 1 12:20:45 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: ANNOUNCE: Stable 4.23-11 released Message-ID: <5.2.0.9.2.20030901121648.066fa720@imap.ecs.soton.ac.uk> Unfortunately I made a couple of mistakes in the build for 4.23-10, and have found 1 important bug in it. The 3 fixes are: - trend-autoupdate should now work properly - Removed osirusoft from the available "Spam Lists" - Fixed important logging bug that could cause MailScanner to crash If you are using the tar distribution, then the only files that have changed are trend-autoupdate, spam.lists.conf and Log.pm. If you are using either of the RPM distributions, then just update the mailscanner RPM itself, that's about all that should be needed. Download as usual from www.mailscanner.info. Really sorry folks! (This is partially why I release at weekends :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From bamcomp at YAHOO.COM Mon Sep 1 12:47:53 2003 
From: bamcomp at YAHOO.COM (Brett Moss) Date: Thu Jan 12 21:19:41 2006 Subject: ANNOUNCE: Stable 4.23-11 released In-Reply-To: <5.2.0.9.2.20030901121648.066fa720@imap.ecs.soton.ac.uk> Message-ID: <20030901114753.46877.qmail@web13802.mail.yahoo.com> hi, i get this when i try and run the update_virus_scanners manually or when run as a cron job with both 4.23-10 and 4.23-11 i am unable to find an -I switch -I: invalid switch or incorrect usage Usage: uvscan [--allole] [--analyse | --analyze] [-c | --clean] [--cleandocall] [--config file] [--dam] [-d | --dat | --data-directory] [--delete] [--exclude file] [-e | --exit-on-error] [--extlist] [--extensions EXT1[,EXT2...]] [--extra file] [--fam] [-f | --file file] [--floppya] [--floppyb] [-h | --help] [--ignore-compressed] [--ignore-links] [--load file] [--manalyse | --manalyze | --macro-heuristics] [--maxfilesize XXX] [--mime] [--mailbox] [-m | --move directory] [--noboot] [--nocomp] [--nodecrypt] [--nodoc] [--noexpire] [--norename] [--one-file-system] [--panalyse | --panalyze] [-p | --atime-preserve | --plad] [--program] [-r | --recursive | --sub] [--secure] [-s | --selected] [--summary] [-u | --unzip] [-v | --verbose] [--version] [--virus-list] [-] {file / directory} thanks, brett --- Julian Field wrote: > Unfortunately I made a couple of mistakes in the > build for 4.23-10, and > have found 1 important bug in it. > > The 3 fixes are: > - trend-autoupdate should now work properly > - Removed osirusoft from the available "Spam Lists" > - Fixed important logging bug that could cause > MailScanner to crash > > If you are using the tar distribution, then the only > files that have > changed are trend-autoupdate, spam.lists.conf and > Log.pm. > > If you are using either of the RPM distributions, > then just update the > mailscanner RPM itself, that's about all that should > be needed. > > Download as usual from www.mailscanner.info. > > Really sorry folks! 
(This is partially why I release > at weekends :-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com From bamcomp at YAHOO.COM Mon Sep 1 13:21:34 2003 From: bamcomp at YAHOO.COM (Brett Moss) Date: Thu Jan 12 21:19:41 2006 Subject: ANNOUNCE: Stable 4.23-11 released In-Reply-To: <20030901114753.46877.qmail@web13802.mail.yahoo.com> Message-ID: <20030901122134.44166.qmail@web13801.mail.yahoo.com> hello again, sorry but i had forgot to change the mcafee-wrapper from rpmnew this is what happens when working between 2 and 5 am i guess thanks again brett > i am unable to find an -I switch > > -I: invalid switch or incorrect usage __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com From gerry at DORFAM.CA Mon Sep 1 15:20:58 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:19:41 2006 Subject: ClamAV missing Sobig.F In-Reply-To: <200309010835.h818ZS501908@onyx.rockstone.co.uk> Message-ID: On Mon, 1 Sep 2003, Antony Stone wrote: > On Monday 01 September 2003 2:36 am, Gerry Doris wrote: > > > I've noticed that ClamAV seems to be missing Sobig.F (or a variant). > > F-Prot and Trend are picking them up but ClamAV is letting them right > > through. > > Please email one of these files to my address. > > Regards, > > Antony. I'll send you the next one I get. All files currently in my quarantine directory aren't listed as virii by any of the scanners (F-Prot, Trend, or ClamAV)??? I automatically deleted them each day. I'm really confused now. Is it possible that one of these is cleaning the attachment during the scan? -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From michael at NSEC.DK Mon Sep 1 15:47:35 2003 
From: michael at NSEC.DK (Michael Svendsen) Date: Thu Jan 12 21:19:41 2006 Subject: Problem with to-field in MIME Header In-Reply-To: Message-ID: Hey m8 I have a little weird problem with the to-field in the MIME-header. In my CustomConfig.pm I have following line when using MailWatch: $tousers = join(',', @{$message->{to}}) The problem seems to be, that it takes following lines as the "to"-parameter: X-Original-To: michael@domain.com Delivered-To: domain@mail.domain.com Cause my $tousers now becomes: "michael@domain.com, domain@mailserver.domain.com" in my virtusertable I have: @domain.com domain that's why the Delivered-To is domain@.... I've also tried with: $tousers = join(',', @{$message->{touser}}) Then I get $tousers to be: "michael, domain" Any ideas? Hope to hear from you soon. Best Regards Michael From jwilliam at KCR.UKY.EDU Mon Sep 1 16:40:20 2003 From: jwilliam at KCR.UKY.EDU (John Williams) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP In-Reply-To: <5.2.0.9.2.20030321143859.03ea2d40@imap.ecs.soton.ac.uk> References: Message-ID: <5.1.1.5.2.20030901113034.02924d40@mail.kcr.uky.edu> Please forgive me if I've missed this post, but is there a way to look at the IP address of incoming mail and filter/blacklist it based on that? I'm getting the sobig.f from an IP EVERY minute. The campus network guys don't allow us to have any control over our router/firewall so I can't block it there. I was hoping MailScanner would yet again come to the rescue. Thanks! John --Statement of Confidentiality-- This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Thank you. From mailscanner at ecs.soton.ac.uk Mon Sep 1 16:40:56 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: Problem with to-field in MIME Header In-Reply-To: References: Message-ID: <5.2.0.9.2.20030901164019.08ca1e78@imap.ecs.soton.ac.uk> Can I just confirm this is a MailWatch problem. MailScanner builds the $message->{to} list from the envelope, not the headers. At 15:47 01/09/2003, you wrote: >Hey m8 > >I have a little weird problem with the to-field in the MIME-header. > >In my CustomConfig.pm I have following line when using MailWatch: >$tousers = join(',', @{$message->{to}}) > >The problem seems to be, that it takes following lines as the >"to"-parameter: > >X-Original-To: michael@domain.com >Delivered-To: domain@mail.domain.com > >Cause my $tousers now becomes: "michael@domain.com, >domain@mailserver.domain.com" > > >in my virtusertable I have: > >@domain.com domain > >that's why the Delivered-To is domain@.... > > >I've also tried with: $tousers = join(',', @{$message->{touser}}) > >Then I get $tousers to be: "michael, domain" > > >Any ideas? > > >Hope to hear from you soon. > > > > >Best Regards > > >Michael -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Antony at SOFT-SOLUTIONS.CO.UK Mon Sep 1 16:43:36 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP In-Reply-To: <5.1.1.5.2.20030901113034.02924d40@mail.kcr.uky.edu> References: <5.1.1.5.2.20030901113034.02924d40@mail.kcr.uky.edu> Message-ID: <200309011543.h81Fhe506188@onyx.rockstone.co.uk> On Monday 01 September 2003 4:40 pm, John Williams wrote: > Please forgive me if I've missed this post, but is there a way to look at > the IP address of incoming mail and filter/blacklist it based on that? You can do this on your MTA, so it doesn't even need to get processed by MailScanner. On sendmail, the file you need is /etc/mail/access - I'm not sure about other MTAs. Antony. -- The first ninety percent of an engineering project takes ninety percent of the time, and the last ten percent takes the remaining ninety percent. From Kevin.Spicer at BMRB.CO.UK Mon Sep 1 16:45:30 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649674@pascal.priv.bmrb.co.uk> John Williams wrote: > Please forgive me if I've missed this post, but is there a way to > look at the IP address of incoming mail and filter/blacklist it based > on that? Add it to sendmails access database. However, maybe you also have genuine email from that IP? Best way to block sobig is to use sendmail subject matching, search the archives for a set of rules. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From ryanb at AACRAO.ORG Mon Sep 1 16:55:14 2003 
From: ryanb at AACRAO.ORG (Bingham, Ryan) Date: Thu Jan 12 21:19:41 2006 Subject: Syntax for subject checking Message-ID: Julian, Could this be used to set specific actions for email with certain Bayes scores? Currently, I'm manually filtering and deleting all mail that scores Bayes_90 and Bayes_99 (I almost never get a false positive and I don't need to keep these messages to train Bayes). It would be great if there were a way to have MailScanner handle these messages differently. I could bump up the SpamAssassin score and have MailScanner treat these messages as high scoring spam, but this wouldn't really accomplish the same thing as not all high scoring spam is Bayes_90 or 99. By the way, I've upgraded to 4.23-11 and so far everything is working great! Ryan -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 01, 2003 6:03 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Syntax for subject checking At 10:42 01/09/2003, you wrote: >I've managed to implement a SpamAssassin rule to do this, but it would >still be great to make this something that didn't require SA. > >I look forward to seeing the result of your head scratching :) You may be able to do this with MCP. This is still in development but take a look at http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp >-- >Regards, > >David Hooton >Senior Partner >Platform Hosting >1300 85 HOST >www.platformhosting.com > > >Julian Field wrote: > >>The reason you can't find it is that it's not there. Sorry. >>I have been trying to come up with a decent answer to this problem >>myself, too. >> >>At 15:21 31/08/2003, you wrote: >> >>>Hi All, >>> >>>I'm trying to implement the Is Definately Spam feature based on a tag >>>[Possible Spam]in the subject ideally if this exists, MS should realise >>>this is definately spam, log it as such and then look for the action it >>>should take based on the users domain name etc.. >>> >>>How would I do this in the Is Definately Spam ruleset file? I've tried >>>a few combinations and looked in the examples file, but it only seems to >>>cover To and or From fields.. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jwilliam at KCR.UKY.EDU Mon Sep 1 16:59:07 2003 
From: jwilliam at KCR.UKY.EDU (John Williams) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649674@pascal.priv.bmrb.co.uk> Message-ID: <5.1.1.5.2.20030901115531.0291c4a0@mail.kcr.uky.edu> At 04:45 PM 9/1/2003 +0100, you wrote: >John Williams wrote: > > Please forgive me if I've missed this post, but is there a way to > > look at the IP address of incoming mail and filter/blacklist it based > > on that? >Add it to sendmails access database. However, maybe you also have genuine >email from that IP? Best way to block sobig is to use sendmail subject >matching, search the archives for a set of rules. Thanks all! I seem to forget about sendmail and its capabilities. I usually just leave it alone and do most things from MailScanner. I lost my mind when I came in this morning to over 1000 messages from that one ip. Sendmail is now filtering it. I might allow it again if it disappears from my mail logs. John --Statement of Confidentiality-- This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Thank you. From Antony at SOFT-SOLUTIONS.CO.UK Mon Sep 1 17:07:29 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649674@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649674@pascal.priv.bmrb.co.uk> Message-ID: <200309011607.h81G7X506276@onyx.rockstone.co.uk> On Monday 01 September 2003 4:45 pm, Spicer, Kevin wrote: > John Williams wrote: > > Please forgive me if I've missed this post, but is there a way to > > look at the IP address of incoming mail and filter/blacklist it based > > on that? > > Add it to sendmails access database. However, maybe you also have genuine > email from that IP? Best way to block sobig is to use sendmail subject > matching, search the archives for a set of rules. Unlikely you'll get genuine mail from that IP address, because Sobig sends directly from infected client to (low priority) MX listed mail server, bypassing client's normal outbound mail server. Genuine emails from that client should go via the client's local (or ISP) mail server first, so you won't end up blocking them. Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac From steve.freegard at LBSLTD.CO.UK Mon Sep 1 17:09:53 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:19:41 2006 Subject: Problem with to-field in MIME Header Message-ID: <67D9E7698329D411936E00508B6590B902773ABD@neelix.lbsltd.co.uk> Hi Michael, Looks like a problem specific to Sendmail - all the SQL logging routines do is use the $message->{to} variable set by MailScanner - I've just looked at the MailScanner code and it reads the 'R' line directly from the qf* file stripping off the RFC822: and <> from the addresses and isn't interested in any other headers, so Sendmail/something else must be changing the 'R' field. Regards, Steve. -----Original Message----- 
From: Michael Svendsen [mailto:michael@NSEC.DK] Sent: 01 September 2003 15:48 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Problem with to-field in MIME Header Hey m8 I have a little weird problem with the to-field in the MIME-header. In my CustomConfig.pm I have following line when using MailWatch: $tousers = join(',', @{$message->{to}}) The problem seems to be, that it takes following lines as the "to"-parameter: X-Original-To: michael@domain.com Delivered-To: domain@mail.domain.com Cause my $tousers now becomes: "michael@domain.com, domain@mailserver.domain.com" in my virtusertable I have: @domain.com domain that's why the Delivered-To is domain@.... I've also tried with: $tousers = join(',', @{$message->{touser}}) Then I get $tousers to be: "michael, domain" Any ideas? Hope to hear from you soon. Best Regards Michael -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From Kevin.Spicer at BMRB.CO.UK Mon Sep 1 17:13:48 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649675@pascal.priv.bmrb.co.uk> Antony Stone wrote: > Genuine emails from that client should go via the client's local (or > ISP) mail server first, so you won't end up blocking them. > Very true, (unless its an Exchange server thats infected of course!). Although I'd still advise the subject based blocking, so you block all sobig, not just the current sender. Also worth noting that many infected machines are on services where they get a dynamic IP. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Jan-Peter.Koopmann at SECEIDOS.DE Mon Sep 1 17:27:52 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP Message-ID:

Hi,

you can block most Sobig.F mails with this Sendmail-Filter:

LOCAL_CONFIG
Kstorage macro

LOCAL_RULESETS
HX-MailScanner: $>+CheckDateXMSc
D{SobigFPat}Found to be clean
D{SobigFMsg}This message may contain the Sobig.F virus.

SCheckDateXMSc
R${SobigFPat} $*	$: $(storage {SobigFCheck} $@ SobigF $) $1
R$*	$@ OK

HMessage-Id: $>CheckMessageId

SCheckMessageId
# Record the presence of the header
R$*	$: $(storage {MessageIdCheck} $@ OK $) $1
R$*	$@ OK

Scheck_eoh
# Check the macro
R$*	$: < $&{MessageIdCheck} >
# Clear the macro for the next message
R$*	$: $(storage {MessageIdCheck} $) $1
R< $+ >	$@ $>ClearSobig
R$*	$: < $&{SobigFCheck} >
R$*	$: $(storage {SobigFCheck} $) $1
R< SobigF >	$#error $: 553 ${SobigFMsg}
R$*	$@ OK

SClearSobig
R$*	$: $(storage {SobigFCheck} $) $1
R$*	$@ OK

Exim ACL:

acl_smtp_data = acl_check_sobig

acl_check_sobig:
  accept hosts = :
  deny message = Possible Sobig.f rejected
       condition = ${if and{{eq{$h_x-mailscanner:}{Found to be clean}}\
                   {match{$h_message-id:}{@$primary_hostname>\$}}}{true}{false}}
  accept

The idea being that Sobig-F uses a x-mailscanner header but does not provide a message ID. We are blocking most with this successfully.

Regards,
JP

From philk at TCP.NET.UK Mon Sep 1 17:41:14 2003 
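Added example (not part of the original post and not MailScanner, sendmail or Exim code): the header test the filter above relies on, an X-MailScanner value of "Found to be clean" on a message that carries no Message-ID header, written as a Python check and run over constructed sample messages. The function names and all sample messages are assumptions made for illustration.

```python
from email.parser import HeaderParser

# X-MailScanner value quoted in the sendmail and Exim filters above.
CLEAN_PREFIX = "Found to be clean"


def normalise(value: str) -> str:
    """Collapse folding whitespace so a wrapped header compares equal."""
    return " ".join(value.split())


def sobig_f_verdict(raw_message: str) -> str:
    """Return 'reject' when the headers contain an X-MailScanner value that
    starts with CLEAN_PREFIX while no Message-ID header is present.
    Anything else is 'accept'. Only the header block is inspected."""
    headers = HeaderParser().parsestr(raw_message, headersonly=True)
    # Header names are matched case-insensitively by the email package.
    has_marker = any(
        normalise(v).startswith(CLEAN_PREFIX)
        for v in headers.get_all("X-MailScanner", [])
    )
    has_message_id = "Message-ID" in headers
    return "reject" if has_marker and not has_message_id else "accept"


# Constructed sample messages (not taken from real traffic).
SAMPLES = {
    # Genuinely scanned upstream: marker present, Message-ID present.
    "relayed-clean": (
        "Received: from mx.example.org by mail.example.net\n"
        "From: alice@example.org\n"
        "Message-ID: <20030901160000.1234@mx.example.org>\n"
        "X-MailScanner: Found to be clean\n"
        "Subject: minutes\n"
        "\n"
        "body\n"
    ),
    # Marker present, Message-ID absent: the combination the filter rejects.
    "marker-without-id": (
        "From: bob@example.com\n"
        "X-MailScanner: Found to be clean\n"
        "Subject: hello\n"
        "\n"
        "body\n"
    ),
    # Same combination with lower-case names and a folded header value.
    "folded-lowercase": (
        "from: carol@example.com\n"
        "x-mailscanner: Found to\n"
        " be clean\n"
        "subject: hi\n"
        "\n"
        "body\n"
    ),
    # No Message-ID but no marker either: not matched by this rule.
    "no-marker-no-id": (
        "From: cron@example.net\n"
        "Subject: report\n"
        "\n"
        "body\n"
    ),
    # Marker text appears only in the body, so the header test ignores it.
    "marker-in-body-only": (
        "From: dave@example.org\n"
        "Subject: fwd\n"
        "\n"
        "X-MailScanner: Found to be clean\n"
    ),
}


def scan(samples: dict) -> dict:
    """Map each sample name to its verdict."""
    return {name: sobig_f_verdict(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:22s} {verdict}")
```

The check is only meaningful on the headers as received, before anything on the receiving side adds a Message-ID of its own.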
From: philk at TCP.NET.UK (Phil Kendall) Date: Thu Jan 12 21:19:41 2006 Subject: Question about quarentining dangerous content? Message-ID: <2EA7D94851025446810834BA2DED5E6DE24742@adonis.tcp.net.uk>

We upgraded from 4.20-3 to 4.24.11 today. The following mail was picked up as having dangerous content:

Sep 1 17:10:27 MailScanner[18581]: Content Checks: Detected HTML-specific exploits in h81GANmM026123
Sep 1 17:10:27 MailScanner[18581]: Saved infected "msg-18581-834.html" to /var/spool/MailScanner/quarantine/20030901/h81GANmM026123

The file that was quarantined was not the original message but in fact the stored.content.message.txt

We have Quarantine Infections = yes & Quarantine Whole Message = no set in the MailScanner.conf file.

Is this the behaviour we should expect? Is it possible to have it so that dangerous content is quarantined & infected attachments without having to quarantine the entire message?

Phil Kendall
Technical Systems Administrator
TCP - Europacom.net

From anders.andersson at LTKALMAR.SE Mon Sep 1 17:42:03 2003 
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:19:41 2006 Subject: SV: blocking an email based on it's IP Message-ID: > -----Original message----- > From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK] > > Antony Stone wrote: > > Genuine emails from that client should go via the client's local (or > > ISP) mail server first, so you won't end up blocking them. > > > Very true, (unless its an Exchange server thats infected of > course!). Although I'd still advise the subject based > blocking, so you block all sobig, not just the current > sender. Also worth noting that many infected machines are on > services where they get a dynamic IP. Any admin letting an exchange get infected should be blocked anyhow... just my thoughts though From gerry at DORFAM.CA Mon Sep 1 19:18:14 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:19:41 2006 Subject: ClamAV missing Sobig Message-ID: OK, I got another batch of these Sobig virii that ClamAV is missing and have sent one to your personal address as you requested (I can forward all my virii to you if you wish ). I'm sure that F-Prot was missing these earlier too but I noticed that F-Prot's data files were updated at 1:00pm EST today on my system. F-Prot is now catching them. Trend has been catching them all along. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From gerry at DORFAM.CA Mon Sep 1 20:04:19 2003 
From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:19:41 2006 Subject: ClamAV misses this! In-Reply-To: <200309011848.h81ImR506779@onyx.rockstone.co.uk> Message-ID: On Mon, 1 Sep 2003, Antony Stone wrote: > On Monday 01 September 2003 7:15 pm, Gerry Doris wrote: > > > OK, I got another round of those virii that ClamAV is missing. they are > > picked up by both F-Prot and Trend. I don't think that F-Prot was > > catching it earlier but my system was updated today at 1:00pm EST and > > F-Prot now finds it. > > > > I had to disable both F-Prot and Trend to get this out. ClamAV is still > > running. > > Hm. Interesting. I gues that since this was Sobig, and that's on my list > of silent viruses, you haven't received anything back from my system? > > It got picked up as Sobig.F by Bitdefender, F-Prot, Inoculan and McAfee, > which on my system means that it got missed by ClamAV, Kaspersky and NOD32 (I > run several antivirus engines on a single machine for exactly this sort of > comparison!). > > I can pull the file you sent me out of my quarantine directory, and see if it > seems to be a complete virus file (none of my A-V scanners said it was a > damaged or broken sample, so I'm assuming for now that it's real). > > I'll submit it to the ClamAV people anyway - I don't know if you're on their > mailing list, but I've just posted a proposal to maintain an independent list > of damaged or broken virus samples (which they seem reluctant to include in > the main signatures list) so that ClamAV doesn't become perceived as being > behind all the other A-V products, even though that may be because it only > identifies real viruses, and ignores broken or ineffective ones. > > Thanks for sending it, anyway. > > Antony. Thanks for your help on this Antony. I was beginning to think something had gone very wrong on my system. 
I've temporarily dropped off the mailing list that is sending all these virii to me (as well a ton of virus notifications from other subscribers many of whom are running MailScanner!). That mailing list depends solely on MimeDefang/ClamAV. Obviously, that is proving not to be a good idea. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From Antony at SOFT-SOLUTIONS.CO.UK Mon Sep 1 20:12:34 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:41 2006 Subject: ClamAV missing Sobig In-Reply-To: References: Message-ID: <200309011912.h81JCc506858@onyx.rockstone.co.uk> On Monday 01 September 2003 7:18 pm, Gerry Doris wrote: > OK, I got another batch of these Sobig virii that ClamAV is missing and > have sent one to your personal addtress as you requested (I can forward > all my virii to you if you wish ). Actually, that's not such a ridiculous idea as it may initially appear... One of the things (only one, mind) which I love about MailScanner is the ability to run multiple antivirus engines and get every mail scanned by all of them. On one particular system I currently have 8 A-V engines running, and I have this idea that it would be very useful to set up a mail server such as this running lots of A-V engines, scanning every email it receives, and delivering nothing but sender notifications to identify what each A-V system said about the attachments. It would be cheap (it would only be a single machine, with a single mailbox, so the lowest level of licence as far as the A-V vendors are concerned), and the only bit I haven't worked out yet technically is how to stop it being used a bit like an open relay, as it could be abused by somebody sending loads of Sobigs into it, with lots of innocent email addresses getting the resultant notifications (I couldn't use the 'Silent Viruses' list, because that would defeat its entire purpose if someone genuinely sent it a Sobig sample). Ho Hum. Antony. -- The difference between theory and practice is that in theory there is no difference, whereas in practice there is. From kevins at BMRB.CO.UK Mon Sep 1 20:32:48 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:41 2006 Subject: ClamAV missing Sobig In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A786D@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A786D@pascal.priv.bmrb.co.uk> Message-ID: <1062444772.28736.7.camel@bach.kevinspicer.co.uk> On Mon, 2003-09-01 at 20:12, Antony Stone wrote: >It would be cheap (it would only be a single machine, with a single >mailbox, >so the lowest level of licence as far as the A-V vendors are >concerned), and >the only bit I haven't worked out yet technically is how to stop it >being >used a bit like an open relay, as it could be abused by somebody >sending >loads of Sobigs into it, with lots of innocent email addresses getting >the >resultant notifications (I couldn't use the 'Silent Viruses' list, >because >that would defeat its entire purpose if someone genuinely sent it a >Sobig >sample). Maybe the answer is not to send notifications, but instead provide a web page where people can sign in (using their email address) and see the result of every email they sent (perhaps listed by subject). My only concern is that the AV vendors may feel that you're in fact providing a service to everyone rather than the 'mailbox' you're protecting. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From ryanb at AACRAO.ORG Mon Sep 1 20:43:38 2003 
From: ryanb at AACRAO.ORG (Bingham, Ryan) Date: Thu Jan 12 21:19:41 2006 Subject: MailWatch: blocked files fix Message-ID: Someone recently posted a patch to CustomConfig.pm to get MailWatch to display the statistics on blocked files properly. I accidentally deleted the message and can't find it in the archives. Could someone repost it? Thanks! Ryan From miguelk at KONSULTEX.COM.BR Mon Sep 1 22:09:21 2003 From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy) Date: Thu Jan 12 21:19:41 2006 Subject: Freshclam update logging problems Message-ID: <3F53B581.4030805@konsultex.com.br> I think I discovered why clam-update.log only shows updates once in a while. What happens is that even though freshclam is running, so is the Mailscanner cron job to update Clam. Since the frequency of the Mailscanner update is much greater (per hour) than I set freshclam (every 12 hours), when freshclam does run, it finds the database already updated and does nothing. It's very unusual for it to be the first and in those cases Mailscanner logs that the database is up to date. That explains the discrepancies between the logs on the 3 servers we run this way. I hope this helps someone that runs into this "problem". Miguel -- This message has been checked by the antivirus system and is believed to be free of danger. From Antony at SOFT-SOLUTIONS.CO.UK Mon Sep 1 22:34:22 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:41 2006 Subject: Freshclam update logging problems In-Reply-To: <3F53B581.4030805@konsultex.com.br> References: <3F53B581.4030805@konsultex.com.br> Message-ID: <200309012134.h81LYQ507099@onyx.rockstone.co.uk> On Monday 01 September 2003 10:09 pm, Miguel Koren O'Brien de Lacy wrote: > I think I discovered why clam-update.log only shows updates once in a > while. What happens is that even though freshclam is running, so is the > Mailscanner cron job to update Clam. But the MailScanner script is just a front-end for freshclam. Why are you running both? This seems to me that it can only lead to conflicts or confusion, albeit only infrequently. I would recommend that if you are using the standard MailScanner virus update script, you do not independently run freshclam. Antony. -- The flush toilet then, as the plainest manifestation of a feedback loop, is a mythical beast - the beast of self. - Kevin Kelly, Out of Control From steve.freegard at LBSLTD.CO.UK Mon Sep 1 23:20:19 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:19:41 2006
Subject: MailWatch: blocked files fix
Message-ID: <67D9E7698329D411936E00508B6590B902773ABE@neelix.lbsltd.co.uk>

Ryan,

Here is the updated SQL statement:

SELECT
 COUNT(*) AS processed,
 SUM(CASE WHEN virusinfected>0 THEN 1 ELSE 0 END) AS virii,
 ROUND((SUM(CASE WHEN virusinfected>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS viriipercent,
 SUM(CASE WHEN nameinfected>0 THEN 1 ELSE 0 END) AS blockedfiles,
 ROUND((SUM(CASE WHEN nameinfected>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS blockedfilespercent,
 SUM(CASE WHEN otherinfected>0 THEN 1 ELSE 0 END) AS otherinfected,
 ROUND((SUM(CASE WHEN otherinfected>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS otherinfectedpercent,
 SUM(CASE WHEN isspam>0 THEN 1 ELSE 0 END) AS spam,
 ROUND((SUM(CASE WHEN isspam>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS spampercent,
 SUM(CASE WHEN ishighspam>0 THEN 1 ELSE 0 END) AS highspam,
 ROUND((SUM(CASE WHEN ishighspam>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS highspampercent,
 SUM(size) AS size
FROM
 maillog
WHERE
 DATE_FORMAT(timestamp, '%Y-%m-%d') = CURRENT_DATE()

Kind regards,
Steve.

-----Original Message-----
From: Bingham, Ryan
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: 01/09/03 20:43
Subject: MailWatch: blocked files fix

Someone recently posted a patch to CustomConfig.pm to get MailWatch to display the statistics on blocked files properly. I accidentally deleted the message and can't find it in the archives. Could someone repost it?

Thanks!
Ryan

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From dbird at SGHMS.AC.UK Tue Sep 2 00:43:50 2003
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP In-Reply-To: <200309011607.h81G7X506276@onyx.rockstone.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649674@pascal.priv.bmrb.co.uk> <200309011607.h81G7X506276@onyx.rockstone.co.uk> Message-ID: <3F53D9B6.5000300@sghms.ac.uk> Antony Stone wrote: >On Monday 01 September 2003 4:45 pm, Spicer, Kevin wrote: > > > >>John Williams wrote: >> >> >>>Please forgive me if I've missed this post, but is there a way to >>>look at the IP address of incoming mail and filter/blacklist it based >>>on that? >>> >>> >>Add it to sendmails access database. However, maybe you also have genuine >>email from that IP? Best way to block sobig is to use sendmail subject >>matching, search the archives for a set of rules. >> >> > >Unlikely you'll get genuine mail from that IP address, because Sobig sends >directly from infected client to (low priority) MX listed mail server, >bypassing client's normal outbound mail server. > >Genuine emails from that client should go via the client's local (or ISP) >mail server first, so you won't end up blocking them. > > Does anybody actively build lists of IP's sending out SoBig? We are currently analysing our logs hourly and then taking the top 10 offenders and putting them in an Exim blocking list, in the hope that it will take **some** load off our servers. My thought's are along the same lines of Antony's. i.e Sobig uses it's own SMTP engine so we shouldn't be seeing these IP's anyhow. Dan >Antony. > >-- > >In science, one tries to tell people >in such a way as to be understood by everyone >something that no-one ever knew before. > >In poetry, it is the exact opposite. > > - Paul Dirac > > > -- ____________________________________ Daniel Bird Network & Systems Manager St. 
George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Hex dump: Where witches put used curses... "#define QUESTION ((bb) || !(bb)) - Shakespeare." -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/0bb5faf4/attachment.html From michael at NSEC.DK Tue Sep 2 00:46:28 2003 From: michael at NSEC.DK (Michael Svendsen) Date: Thu Jan 12 21:19:41 2006 Subject: Problem with to-field in MIME Header In-Reply-To: <67D9E7698329D411936E00508B6590B902773ABD@neelix.lbsltd.co.uk> Message-ID: Hi m8 I use Postfix with MySQL/SASL/TSL Here is a snip from a queue-file: ESMTPOmichael@domain.comRdomain@mail.domain.comM Think this is the problem :) Any ideas? Best Regards Michael -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Steve Freegard Sent: Monday, September 01, 2003 6:10 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Problem with to-field in MIME Header Hi Michael, Looks like a problem specific to Sendmail - all the SQL logging routines do is use the $message->{to} variable set by MailScanner - I've just looked at the MailScanner code and it reads the 'R' line directly from the qf* file stripping off the RFC822: and <> from the addresses and isn't interested in any other headers, so Sendmail/something else must be changing the 'R' field. Regards, Steve. -----Original Message----- 
From: Michael Svendsen [mailto:michael@NSEC.DK] Sent: 01 September 2003 15:48 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Problem with to-field in MIME Header Hey m8 I have a little weird problem with the to-field in the MIME-header. In my CustomConfig.pm I have following line when using MailWatch: $tousers = join(',', @{$message->{to}}) The problem seems to be, that it takes following lines as the "to"-parameter: X-Original-To: michael@domain.com Delivered-To: domain@mail.domain.com Cause my $tousers now becomes: "michael@domain.com, domain@mailserver.domain.com" in my virtusertable I have: @domain.com domain that's why the Delivered-To is domain@.... I've also tried with: $tousers = join(',', @{$message->{touser}}) Then I get $tousers to be: "michael, domain" Any ideas? Hope to hear from you soon. Best Regards Michael -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From dbird at SGHMS.AC.UK Tue Sep 2 00:49:44 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:19:41 2006
Subject: blocking an email based on it's IP
In-Reply-To:
References:
Message-ID: <3F53DB18.6040102@sghms.ac.uk>

Jan-Peter Koopmann wrote:

>Hi,
>
>you can block most Sobig.F mails with this
>
>Sendmail-Filter:
>
>LOCAL_CONFIG
>Kstorage macro
>
>LOCAL_RULESETS
>HX-MailScanner: $>+CheckDateXMSc
>D{SobigFPat}Found to be clean
>D{SobigFMsg}This message may contain the Sobig.F virus.
>
>SCheckDateXMSc
>R${SobigFPat} $* $: $(storage {SobigFCheck} $@ SobigF $) $1
>R$* $@ OK
>
>HMessage-Id: $>CheckMessageId
>
>SCheckMessageId
># Record the presence of the header
>R$* $: $(storage {MessageIdCheck} $@ OK $) $1
>R$* $@ OK
>
>Scheck_eoh
># Check the macro
>R$* $: < $&{MessageIdCheck} >
># Clear the macro for the next message
>R$* $: $(storage {MessageIdCheck} $) $1
>R< $+ > $@ $>ClearSobig
>R$* $: < $&{SobigFCheck} >
>R$* $: $(storage {SobigFCheck} $) $1
>R< SobigF > $#error $: 553 ${SobigFMsg}
>R$* $@ OK
>
>SClearSobig
>R$* $: $(storage {SobigFCheck} $) $1
>R$* $@ OK
>
>
>Exim ACL:
>
>acl_smtp_data = acl_check_sobig
>
>acl_check_sobig:
>  accept hosts = :
>
>  deny message = Possible Sobig.f rejected
>       condition = ${if and{{eq{$h_x-mailscanner:}{Found to be clean}}\
>                   {match{$h_message-id:}{@$primary_hostname>\$}}}{true}{false}}
>
>  accept
>
>
>The idea being that Sobig-F uses a x-mailscanner header but does not
>provide a message ID. We are blocking most with this successfully.
>
>
>Regards,
>  JP
>

The exim filter looks interesting, but is that likely to lead to any FP's?

--
____________________________________
Daniel Bird
Network & Systems Manager
St. George's Hospital Medical School
Tooting
London SW17 0RE
P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan@sghms.ac.uk
____________________________________
Hex dump: Where witches put used curses...
"#define QUESTION ((bb) || !(bb)) - Shakespeare."

From michael at YT-IT.COM Tue Sep 2 01:55:05 2003
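The header heuristic behind the Sendmail ruleset and Exim ACL that Jan-Peter Koopmann posted (quoted in the message above), as an added Python example that is not code from the thread or from MailScanner. The function name `classify`, the `primary_hostname` parameter, and all sample messages and hostnames are assumptions constructed for illustration; the last two samples show where the rule stops matching, which bears on the false-positive question raised in the reply.

```python
from email import message_from_string

# Header value quoted in the posted filters
# (D{SobigFPat} in the Sendmail rules, eq{$h_x-mailscanner:} in the Exim ACL).
CLEAN_MARKER = "Found to be clean"


def _norm(value):
    """Collapse folding whitespace so a wrapped header still compares equal."""
    return " ".join(value.split()) if value else ""


def classify(raw_message, primary_hostname=None):
    """Return (verdict, reason) for one raw RFC 822 message.

    Mirrors the two conditions as posted:
      * Sendmail ruleset: clean marker present and no Message-Id header seen.
      * Exim ACL: clean marker present and Message-ID ends in
        "@<primary_hostname>>" (only checked when primary_hostname is given).
    """
    msg = message_from_string(raw_message)
    markers = [_norm(v) for v in (msg.get_all("X-MailScanner") or [])]
    if CLEAN_MARKER not in markers:
        return ("accept", "no clean marker")

    message_id = _norm(msg.get("Message-ID"))
    if not message_id:
        return ("reject", "clean marker without Message-ID")

    if primary_hostname:
        suffix = "@%s>" % primary_hostname.lower()
        if message_id.lower().endswith(suffix):
            return ("reject", "clean marker with Message-ID at primary hostname")

    return ("accept", "clean marker with foreign Message-ID")


# --- Constructed sample messages (not taken from any real mail) -------------
SAMPLES = {
    # Marker present, Message-ID absent: the pattern the thread describes.
    "marker_no_id": (
        "From: a@example.test\nTo: b@example.test\nSubject: Re: Details\n"
        "X-MailScanner: Found to be clean\n\nPlease see the attached file.\n"
    ),
    # Same pattern with a lower-case, folded header line.
    "folded_marker_no_id": (
        "From: a@example.test\nx-mailscanner: Found to be\n clean\n\nbody\n"
    ),
    # Mail really scanned by a MailScanner site: marker and its own Message-ID.
    "scanned_with_id": (
        "From: c@example.test\nMessage-ID: <20030901.1234@mail.example.test>\n"
        "X-MailScanner: Found to be clean\n\nbody\n"
    ),
    # Message-ID carrying the receiving host's own name (Exim ACL condition).
    "id_at_primary_host": (
        "From: d@example.test\nMessage-ID: <19tXyZ-0001aB-00@mx.example.test>\n"
        "X-MailScanner: Found to be clean\n\nbody\n"
    ),
    # No marker and no Message-ID: outside the rule, so it is accepted.
    "no_marker_no_id": "From: e@example.test\nSubject: hello\n\nbody\n",
    # Marker text differs from the quoted string: the rule no longer matches.
    "other_marker_no_id": (
        "From: f@example.test\nX-MailScanner: Scanned OK\n\nbody\n"
    ),
}


def scan(samples, primary_hostname=None):
    """Classify every sample and return {name: verdict}."""
    return {name: classify(raw, primary_hostname)[0]
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, reason = classify(raw, primary_hostname="mx.example.test")
        print("%-22s %-7s %s" % (name, verdict, reason))
```
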
From: michael at YT-IT.COM (Michael Luk) Date: Thu Jan 12 21:19:41 2006 Subject: Does MailScanner configuration error? Message-ID: I use MailScanner+Sendmail+Sophos,there are some problem happened to me now,when sending email to some domain,such as 163.com,163.net,and so on,the reciept can't recieve it at all,and system return email to sender just like below: >The original message was received at Wed, 27 Aug 2003 08:22:51 +0800 >from [218.247.37.227] > > ----- The following addresses had permanent fatal errors ----- > > (reason: 550 Your message was blocked by NetEase AntiSpam+. pQwAALr4Sz/kACaC.1(1577)) > > ----- Transcript of session follows ----- >.... while talking to m203.163.com.: >>>> DATA ><<< 550 Your message was blocked by NetEase AntiSpam+. pQwAALr4Sz/kACaC.1 (1577) >554 5.0.0 Service unavailable > >Reporting-MTA: dns; mail.X.com.cn >Arrival-Date: Wed, 27 Aug 2003 08:22:51 +0800 > >Final-Recipient: RFC822; michaelluk@163.com >Action: failed >Status: 5.2.0 >Remote-MTA: DNS; m203.163.com >Diagnostic-Code: SMTP; 550 Your message was blocked by NetEase AntiSpam+. pQwAALr4Sz/kACaC.1(1577) >Last-Attempt-Date: Wed, 27 Aug 2003 08:23:04 +0800 But,If I stop Mailscanner+Sophos,only starting sendmail,sending mail to all domain,it is all ok,why it happened??? pls help me!Thanks! From ashley at IMS.TELSTRA.COM.AU Tue Sep 2 02:48:37 2003 
From: ashley at IMS.TELSTRA.COM.AU (Ash) Date: Thu Jan 12 21:19:41 2006 Subject: Tagging the subject line of e-mail In-Reply-To: <5.2.0.9.2.20030901105651.05c09ba0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030901105651.05c09ba0@imap.ecs.soton.ac.uk> Message-ID: <3F53F6F5.9070709@ims.telstra.com.au> Please forgive me the problem lay between the keyboard and back of chair :-(. I missed Deliver Cleaned Messages was set to no I would say this occured when I upgraded from v3.x and as we dont get many viruses I never noticed, wrote a ruleset and it all works. Have I made another mistake somewhere? the admin message is the same no matter what problem it deteced. "Warning: E-mail viruses detected" appears for every violation and doesnt actually align with the problem it detected, ie "Warning: Bad Filename detected" or Warning: Bad Filetype detected" . ash Julian Field wrote: > Can you give us an example of what you mean? > > At 04:54 01/09/2003, you wrote: > >> Did this ever get resolved? >> >> I just upgraded from 4.21-9 to 4.23-10 and nolonger get any of the >> subject >> line modifications notices that use the curly brackets, other than if >> I set >> "Scanned Modify Subject" , for example any violation be it a virus >> ,bad file >> name/type receives the subject line "Warning: E-mail viruses detected", I >> haven't had a spam message yet to see if that notification has also >> stopped >> working >> >> from my conf file >> Virus Modify Subject = yes >> Virus Subject Text = {Virus?} >> Filename Modify Subject = yes >> Filename Subject Text = {Filename?} >> Content Modify Subject = yes >> Content Subject Text = {Dangerous Content?} >> Spam Modify Subject = yes >> Spam Subject Text = {Spam?} >> High Scoring Spam Modify Subject = yes >> High Scoring Spam Subject Text = {Spam?} >> >> running perl 5.6.0 >> >> regards >> >> ash >> >> On Wed, 20 Aug 2003 07:41:27 -0400, Collins, Kevin >> wrote: >> >> >Mike, >> > >> >Thanks for responding. 
>> > >> >I'm planning on adding SpamAssassin later in the project. Is it >> required to >> >make the system function as I want? I didn't get that from the >> >documentation. They way I read the docs, SpamAssassin just improves >> >MailScanner's abilities. >> > >> >Kevin >> > >> >> -----Original Message----- >> >> From: Mike Kercher [mailto:mike@CAMAROSS.NET] >> >> Sent: Tuesday, August 19, 2003 1:59 PM >> >> To: MAILSCANNER@JISCMAIL.AC.UK >> >> Subject: Re: Tagging the subject line of e-mail >> >> >> >> >> >> Are you using SpamAssassin? If not, I'd HIGHLY recommend it! >> >> You can also >> >> set Log Spam = yes and watch your maillog after restarting >> >> MailScanner. >> >> >> >> Mike >> >> >> >> >> >> -----Original Message----- 
>> >> From: MailScanner mailing list >> >> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >> >> Of Collins, Kevin >> >> Sent: Tuesday, August 19, 2003 12:31 PM >> >> To: MAILSCANNER@JISCMAIL.AC.UK >> >> Subject: Tagging the subject line of e-mail >> >> >> >> >> >> Hi! >> >> >> >> I've just completed installing MS v4.22-5 onto a Red Hat 8 >> >> machine to act as >> >> my company's "SPAM Filter". First, I want to say THANKS for >> >> creating such a >> >> project and for making it available to the masses for free. >> >> >> >> A little background: >> >> >> >> MailScanner machine: >> >> Red Hat 8.0 (fully up2dated) >> >> Sendmail 8.12.8 >> >> Perl 5.8.0 >> >> ClamAV 0.60 (compiled from source) >> >> Sendmail set to relay everything to internal Exchange Server >> >> >> >> Everything seems to be working fine - I've even let a few e-mails pass >> >> through the machine for testing. Which is why I'm writing; I >> >> now have a >> >> question. >> >> >> >> First, of the 20 some odd messages that have passed through >> >> MailScanner, it >> >> has tagged 3 as SPAM and one of them as having a Virus >> >> (actually it was an >> >> HTML Form in the message). The "Virus" message behaved as >> >> expected - the >> >> e-mail was deleted and not passed on and I got a notification of the >> >> deletion. But the remaining messages aren't working as I >> >> expected them to >> >> (I think). >> >> >> >> I've configured MailScanner to modify the subject line of >> >> every e-mail it >> >> touches to include {Scanned} at the beginning. (This is to >> >> let me - and >> >> everyone else - know that MS is working) In addition I want all SPAM >> >> messages flagged with {Spam} as the beginning of the subject line and >> >> {Virus} for those that were found to have Viruses. >> >> >> >> To this point, all of the e-mail coming in (save the "Virus" message >> >> mentioned above) have only had the word {Scanned} pre-pended >> >> to the Subject >> >> Line. I've not seen the {Spam} label anywhere. 
Here are the >> >> (I think) >> >> appropriate sections of the MailScanner.conf: >> >> >> >> ---- >> >> Scanned Modify Subject = start >> >> Scanned Subject Text = {Scanned} >> >> Virus Modify Subject = yes >> >> Virus Subject Text = {Virus} >> >> Filename Modify Subject = yes >> >> Filename Subject Text = {Filename} >> >> Spam Modify Subject = yes >> >> Spam Subject Text = {Spam} >> >> High Scoring Spam Modify Subject = yes >> >> High Scoring Spam Subject Text = {Spam} >> >> ---- >> >> Spam Checks = yes >> >> Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except >> >> .ac.uk) >> >> Spam Domain List = >> >> Spam Lists To Reach High Score = 5 >> >> Spam List Timeout = 10 >> >> Max Spam List Timeouts = 7 >> >> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules >> >> Is Definitely Spam = no >> >> ---- >> >> >> >> >From this, is my description of how MailScanner should work valid? >> >> >Have I >> >> forgot to do something? What do I need to change/add/delete >> >> to make it work >> >> as I describe? >> >> >> >> Thanks in advance. >> >> >> >> -- >> >> Kevin L. Collins, MCSE >> >> Systems Manager >> >> Nesbitt Engineering, Inc. >> >> > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From nerijus at USERS.SOURCEFORGE.NET Tue Sep 2 03:16:17 2003 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:19:41 2006 Subject: Filetype Rules Message-ID: <200309020216.h822GQr00356@ori.rl.ac.uk> Hello, according to the comment in MailScanner.conf I set Filetype Rules = i.e. I deleted everything from the = (" %etc-dir%/filetype.rules.conf") But then MailScanner does not start: Syntax error(s) in configuration file: Unrecognised keyword "filetyperules" at line 443 Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf. Regards, Nerijus From mike at CAMAROSS.NET Tue Sep 2 04:45:14 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:41 2006 Subject: Does MailScanner configuration error? In-Reply-To: Message-ID: <000801c37104$9ee10220$640ba8c0@home.middlefinger.net> Perhaps they are looking at your headers which more than likely say "X-MailScanner: Found to be clean" Search your MailScanner.conf for that and change it to something OTHER than Found to be clean and see if that helps. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Michael Luk Sent: Monday, September 01, 2003 7:55 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Does MailScanner configuration error? I use MailScanner+Sendmail+Sophos,there are some problem happened to me now,when sending email to some domain,such as 163.com,163.net,and so on,the reciept can't recieve it at all,and system return email to sender just like below: >The original message was received at Wed, 27 Aug 2003 08:22:51 +0800 >from [218.247.37.227] > > ----- The following addresses had permanent fatal errors ----- > > (reason: 550 Your message was blocked by NetEase AntiSpam+. pQwAALr4Sz/kACaC.1(1577)) > > ----- Transcript of session follows ----- >.... while talking to m203.163.com.: >>>> DATA ><<< 550 Your message was blocked by NetEase AntiSpam+. >pQwAALr4Sz/kACaC.1 (1577) >554 5.0.0 Service unavailable > >Reporting-MTA: dns; mail.X.com.cn >Arrival-Date: Wed, 27 Aug 2003 08:22:51 +0800 > >Final-Recipient: RFC822; michaelluk@163.com >Action: failed >Status: 5.2.0 >Remote-MTA: DNS; m203.163.com >Diagnostic-Code: SMTP; 550 Your message was blocked by NetEase >AntiSpam+. pQwAALr4Sz/kACaC.1(1577) >Last-Attempt-Date: Wed, 27 Aug 2003 08:23:04 +0800 But,If I stop Mailscanner+Sophos,only starting sendmail,sending mail to all domain,it is all ok,why it happened??? pls help me!Thanks! From Jan-Peter.Koopmann at SECEIDOS.DE Tue Sep 2 09:59:14 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP Message-ID: > The exim filter looks interesting, but is that likely to lead > to any FP's? Have not noticed any here or at our customers site. What system would generate an x-mailscanner header but NOT use a message-ID? I do not doubt there is a distinct possibility but I just cannot see how this would make sense. Regards, JP From mailscanner at ecs.soton.ac.uk Tue Sep 2 08:59:30 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: Filetype Rules In-Reply-To: <200309020216.h822GQr00356@ori.rl.ac.uk> Message-ID: <5.2.0.9.2.20030902085854.063c9d60@imap.ecs.soton.ac.uk> Check you haven't got a ConfigDefs.pl.rpmnew in /usr/lib/MailScanner/MailScanner. At 03:16 02/09/2003, you wrote: >Hello, > >according to the comment in MailScanner.conf I set >Filetype Rules = >i.e. I deleted everything from the = (" %etc-dir%/filetype.rules.conf") > >But then MailScanner does not start: >Syntax error(s) in configuration file: >Unrecognised keyword "filetyperules" at line 443 >Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf. > >Regards, >Nerijus -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Sep 2 08:56:44 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: Problem with to-field in MIME Header In-Reply-To: References: <67D9E7698329D411936E00508B6590B902773ABD@neelix.lbsltd.co.uk> Message-ID: <5.2.0.9.2.20030902085539.0637f158@imap.ecs.soton.ac.uk> For reasons best known to Wietse himself, Postfix queue files are binary and not for human consumption. Bytes must have been *really* expensive when he designed his queue files. At 00:46 02/09/2003, you wrote: >Hi m8 > >I use Postfix with MySQL/SASL/TSL > >Here is a snip from a queue-file: > >ESMTPOmichael@domain.comRdomain@mail.domain.comM > >Think this is the problem :) > >Any ideas? > > > >Best Regards > >Michael > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Steve Freegard >Sent: Monday, September 01, 2003 6:10 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Problem with to-field in MIME Header > > >Hi Michael, > >Looks like a problem specific to Sendmail - all the SQL logging routines do >is use the $message->{to} variable set by MailScanner - I've just looked at >the MailScanner code and it reads the 'R' line directly from the qf* file >stripping off the RFC822: and <> from the addresses and isn't interested in >any other headers, so Sendmail/something else must be changing the 'R' >field. > >Regards, >Steve. > >-----Original Message----- 
>From: Michael Svendsen [mailto:michael@NSEC.DK] >Sent: 01 September 2003 15:48 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Problem with to-field in MIME Header > > >Hey m8 > >I have a little weird problem with the to-field in the MIME-header. > >In my CustomConfig.pm I have following line when using MailWatch: >$tousers = join(',', @{$message->{to}}) > >The problem seems to be, that it takes following lines as the >"to"-parameter: > >X-Original-To: michael@domain.com >Delivered-To: domain@mail.domain.com > >Cause my $tousers now becomes: "michael@domain.com, >domain@mailserver.domain.com" > > >in my virtusertable I have: > >@domain.com domain > >that's why the Delivered-To is domain@.... > > >I've also tried with: $tousers = join(',', @{$message->{touser}}) > >Then I get $tousers to be: "michael, domain" > > >Any ideas? > > >Hope to hear from you soon. > > > > >Best Regards > > >Michael > >-- >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed. If you have received this email in error please notify >the sender and delete the message from your mailbox. > >This footnote also confirms that this email message has been swept by >MailScanner (www.mailscanner.info) for the presence of computer viruses. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dbird at SGHMS.AC.UK Tue Sep 2 10:58:15 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:19:42 2006 Subject: blocking an email based on it's IP In-Reply-To: References: Message-ID: <3F5469B7.8050202@sghms.ac.uk> Jan-Peter Koopmann wrote: >>The exim filter looks interesting, but is that likely to lead >>to any FP's? >> >> > >Have not noticed any here or at our customers site. What system would >generate an x-mailscanner header but NOT use a message-ID? I do not >doubt there is a distinct possibility but I just cannot see how this >would make sense. > > Thanck, gust checking. ;-) >Regards, > JP > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/bf03551a/attachment.html From pndiku at DSMAGIC.COM Tue Sep 2 10:46:25 2003 
From: pndiku at DSMAGIC.COM (Peter C. Ndikuwera) Date: Thu Jan 12 21:19:42 2006 Subject: Mailwatch 0.2 sql prob In-Reply-To: <3F4FCCF9.8060101@sghms.ac.uk> References: <3F4CBCC1.5050409@sghms.ac.uk> <1062141399.1959.3.camel@mufasa.ds.co.ug> <3F4FCCF9.8060101@sghms.ac.uk> Message-ID: <1062495985.16023.455.camel@mufasa.ds.co.ug> Just remove the line: MailScanner::Log::InfoLog("Initialising database connection database=$db_name;host=$db_host,$db_user,$db_pass"); Also, you might want to look at the new CustomConfig.pm I posted earlier. I can send it to you privately if you want. Peter On Sat, 2003-08-30 at 01:00, Daniel Bird wrote: > > Peter C. Ndikuwera wrote: > > Hi Daniel, > > > > I have a fix which is really a hack. I'm sure it's the wrong way to do > > it but it works for me. I've attached the relevant part of my > > CustomConfig.pm. > > > > Peter > > Peter / Steve, > I've tried this one and it works for me (although the DB username and > password appear in the maillog!!! ;-) > > Dan > > On Wed, 2003-08-27 at 17:14, Daniel Bird wrote: > > > > > Hi, > > > I noticed in the archives the same problem I'm having, but no solution: > > > I keep seeing this in the maillog: > > > > > > Cannot insert row: MySQL server has gone away > > > > > > I was wondering if anyone has had this problem and managed to find a fix? > > > > > > Regards > > > -- > > > ____________________________________ > > > > > > Daniel Bird > > > Network & Systems Manager > > > St. George's Hospital Medical School > > > Tooting > > > London SW17 0RE > > > > > > P: +44 20 8725 2897 > > > F: +44 20 8725 3583 > > > E: dan@sghms.ac.uk > > > ____________________________________ > > > > > > Hex dump: Where witches put used curses... > > > "#define QUESTION ((bb) || !(bb)) - Shakespeare." 
> > >
> > >
> > > __________________________________________________________________
> > > ###############
> > > # SQL Logging #
> > > ###############
> > >
> > > use DBI;
> > > use Sys::Hostname;
> > >
> > > sub InitSQLLogging {
> > > }
> > >
> > > sub EndSQLLogging {
> > > }
> > >
> > > sub SQLLogging {
> > >   my($sth);
> > >   my($hostname) = hostname;
> > >
> > >   # Modify this as necessary for your configuration
> > >   my($db_name) = "mailscanner";
> > >   my($db_host) = "localhost";
> > >   my($db_user) = "mailscanner";
> > >   my($db_pass) = "mailscanner";
> > >
> > >   MailScanner::Log::InfoLog("Initialising database connection database=$db_name;host=$db_host,$db_user,$db_pass");
> > >
> > >   # Connect to the database
> > >   my($dbh) = DBI->connect("DBI:mysql:database=$db_name;host=$db_host",
> > >                           $db_user, $db_pass,
> > >                           {PrintError => 0});
> > >
> > >   # Sometimes this line needs to be uncommented. Go figure
> > >   # MailScanner::Log::WarnLog($DBI::errstr);
> > >
> > >   # Check if connection was successful - if it isn't
> > >   # then generate a warning and continue processing.
> > >   if (!$dbh) {
> > >     MailScanner::Log::WarnLog("Unable to initialise database connection: %s", $DBI::errstr);
> > >     return;
> > >   } else {
> > >     # Prepare statement
> > >     $sth = $dbh->prepare("INSERT INTO maillog VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)") or MailScanner::Log::WarnLog($DBI::errstr);
> > >   }
> > >
> > >   MailScanner::Log::InfoLog("Finished initialising database connection");
> > >   my($message) = @_;
> > >
> > >   # Don't bother trying to do an insert if no message
> > >   # is passed-in or if the database connection is down.
> > >   MailScanner::Log::InfoLog("In SQL Logging msg=$message, dbh=$dbh");
> > >   return unless $message;
> > >   return unless defined $dbh;
> > >
> > >   # Get rid of control chars and tidy-up SpamAssassin report
> > >   my $spamreport = $message->{spamreport};
> > >   $spamreport =~ s/\n/ /g;
> > >   $spamreport =~ s/\t//g;
> > >
> > >   # Get timestamp, and format it so it is suitable to use with MySQL
> > >   my($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
> > >   my($timestamp) = sprintf("%d-%02d-%02d %02d:%02d:%02d",
> > >                            $year+1900,$mon+1,$mday,$hour,$min,$sec);
> > >
> > >   # Also print 1 line for each report about this message. These lines
> > >   # contain all the info above, + the attachment filename and text of
> > >   # each report.
> > >   my($file, $text, @report_array);
> > >   while(($file, $text) = each %{$message->{allreports}}) {
> > >     $file = "the entire message" if $file eq "";
> > >     # Use the sanitised filename to avoid problems caused by people forcing
> > >     # logging of attachment filenames which contain nasty SQL instructions.
> > >     # "||" (not "or") so the fallback to $file is part of the assignment.
> > >     $file = $message->{file2safefile}{$file} || $file;
> > >     $text =~ s/\n/ /g; # Make sure text report only contains 1 line
> > >     $text =~ s/\t/ /g; # and no tab characters
> > >     push (@report_array, $text);
> > >   }
> > >
> > >   # Sanitize reports
> > >   my $reports = join(",",@report_array);
> > >
> > >   # Insert the data
> > >   $sth->execute(
> > >     $timestamp,
> > >     $message->{id},
> > >     $message->{size},
> > >     $message->{from},
> > >     join(',', @{$message->{to}}),
> > >     $message->{subject},
> > >     $message->{clientip},
> > >     join(',', @{$message->{archiveplaces}}),
> > >     $message->{isspam},
> > >     $message->{ishigh},
> > >     $message->{issaspam},
> > >     $message->{isrblspam},
> > >     $message->{spamwhitelisted},
> > >     $message->{sascore},
> > >     $spamreport,
> > >     $message->{virusinfected},
> > >     $message->{nameinfected},
> > >     $message->{otherinfected},
> > >     $reports,
> > >     $hostname)
> > >     or MailScanner::Log::WarnLog("Cannot insert row: %s", $DBI::errstr);
> > >
> > >   MailScanner::Log::InfoLog("Finished SQL Logging [$DBI::errstr]");
> > >
> > >   $dbh->disconnect if defined $dbh;
> > >   MailScanner::Log::InfoLog("Disconnected from the database");
> > > }
> > >
>
> --
> ____________________________________
>
> Daniel Bird
> Network & Systems Manager
> St. George's Hospital Medical School
> Tooting
> London SW17 0RE
>
> P: +44 20 8725 2897
> F: +44 20 8725 3583
> E: dan@sghms.ac.uk
> ____________________________________
>
> Hex dump: Where witches put used curses...
> "#define QUESTION ((bb) || !(bb)) - Shakespeare."

From anders.andersson at LTKALMAR.SE Tue Sep 2 11:16:30 2003
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:19:42 2006 Subject: SV: blocking an email based on it's IP Message-ID: Unless they are using a NAT firewall then you might block their smtp-server as well..... but not likely any got that kind of config.... just a thought Does anybody actively build lists of IP's sending out SoBig? We are currently analysing our logs hourly and then taking the top 10 offenders and putting them in an Exim blocking list, in the hope that it will take **some** load off our servers. My thought's are along the same lines of Antony's. i.e Sobig uses it's own SMTP engine so we shouldn't be seeing these IP's anyhow. Dan Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac -- ____________________________________ Daniel Bird Network & Systems Manager St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Hex dump: Where witches put used curses... "#define QUESTION ((bb) || !(bb)) - Shakespeare." -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/072a3e9f/attachment.html From michael at NSEC.DK Tue Sep 2 11:32:53 2003 From: michael at NSEC.DK (Michael Svendsen) Date: Thu Jan 12 21:19:42 2006 Subject: Problem with to-field in MIME Header In-Reply-To: <5.2.0.9.2.20030902085539.0637f158@imap.ecs.soton.ac.uk> Message-ID: Heh, okay. So what I hear you say: "Find another MTA", right? ;-) I'm an old sendmail user, justed wanted a alternative MTA that supports virtual users and mysql. So I thought Postfix/Courier-IMAP/MySQL were a great solution. Maybe I should take a look on Exim then... :) Best Regards Michael -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Tuesday, September 02, 2003 9:57 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Problem with to-field in MIME Header For reasons best known to Wietse himself, Postfix queue files are binary and not for human consumption. Bytes must have been *really* expensive when he designed his queue files. At 00:46 02/09/2003, you wrote: >Hi m8 > >I use Postfix with MySQL/SASL/TSL > >Here is a snip from a queue-file: > >ESMTPOmichael@domain.comRdomain@mail.domain.comM > >Think this is the problem :) > >Any ideas? > > > >Best Regards > >Michael > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Steve Freegard >Sent: Monday, September 01, 2003 6:10 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Problem with to-field in MIME Header > > >Hi Michael, > >Looks like a problem specific to Sendmail - all the SQL logging routines do >is use the $message->{to} variable set by MailScanner - I've just looked at >the MailScanner code and it reads the 'R' line directly from the qf* file >stripping off the RFC822: and <> from the addresses and isn't interested in >any other headers, so Sendmail/something else must be changing the 'R' >field. > >Regards, >Steve. > >-----Original Message----- 
>From: Michael Svendsen [mailto:michael@NSEC.DK] >Sent: 01 September 2003 15:48 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Problem with to-field in MIME Header > > >Hey m8 > >I have a little weird problem with the to-field in the MIME-header. > >In my CustomConfig.pm I have following line when using MailWatch: >$tousers = join(',', @{$message->{to}}) > >The problem seems to be, that it takes following lines as the >"to"-parameter: > >X-Original-To: michael@domain.com >Delivered-To: domain@mail.domain.com > >Cause my $tousers now becomes: "michael@domain.com, >domain@mailserver.domain.com" > > >in my virtusertable I have: > >@domain.com domain > >that's why the Delivered-To is domain@.... > > >I've also tried with: $tousers = join(',', @{$message->{touser}}) > >Then I get $tousers to be: "michael, domain" > > >Any ideas? > > >Hope to hear from you soon. > > > > >Best Regards > > >Michael > >-- >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed. If you have received this email in error please notify >the sender and delete the message from your mailbox. > >This footnote also confirms that this email message has been swept by >MailScanner (www.mailscanner.info) for the presence of computer viruses. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dot at DOTAT.AT Tue Sep 2 11:29:55 2003 
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:42 2006
Subject: ClamAV missing Sobig
In-Reply-To:
References:
Message-ID:

Antony Stone wrote:
>
>On one particular system I currently have 8 A-V engines running, and I have
>this idea that it would be very useful to set up a mail server such as this
>running lots of A-V engines, scanning every email it receives, and delivering
>nothing but sender notifications to identify what each A-V system said about
>the attachments.

You mean a computer specifically intended to piss off the innocent victims
of email forgery?

>the only bit I haven't worked out yet technically is how to stop it being
>used a bit like an open relay, as it could be abused by somebody sending
>loads of Sobigs into it, with lots of innocent email addresses getting the
>resultant notifications (I couldn't use the 'Silent Viruses' list, because
>that would defeat its entire purpose if someone genuinely sent it a Sobig
>sample).

There is *NO* *WAY* of telling the difference between forged and genuine
email, except for certain specific cases. The point of the silent viruses
list is that those viruses always forge email, so they should be simply
deleted.

Tony.
--
f.a.n.finch http://dotat.at/
FITZROY: NORTHEASTERLY 4 OR 5 INCREASING 6 OR 7 IN SOUTHEAST. THUNDERY
SHOWERS. GOOD.

From m.sapsed at BANGOR.AC.UK Tue Sep 2 11:57:24 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:19:42 2006 Subject: Does MailScanner configuration error? References: <000801c37104$9ee10220$640ba8c0@home.middlefinger.net> Message-ID: <3F547794.7080707@bangor.ac.uk> Mike Kercher wrote: > Perhaps they are looking at your headers which more than likely say > "X-MailScanner: Found to be clean" > > Search your MailScanner.conf for that and change it to something OTHER than > Found to be clean and see if that helps. I thought Julian's recommendation was to change the X-MailScanner: bit rather than the body - dopey filterers may be dumping based on the presence of the header rather than what it says? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From R.A.Gardener at SHU.AC.UK Tue Sep 2 12:17:48 2003 
From: R.A.Gardener at SHU.AC.UK (Ray Gardener) Date: Thu Jan 12 21:19:42 2006 Subject: Subject line tagging, verion 4.23-11 and Exim Message-ID: <00c901c37143$dc4012c0$110a130a@videoproducer> Hi, we are running version 3.35 of Exim. We are using a Sun Ultra 10 with Solaris 2.6. I upgraded to version 4.23-11 of MailScanner yesterday and seem to have lost the subject line tagging of infected messages. e.g. what was: Subject: {Virus?} the original subject now appears as just: Subject: the original subject I have checked the options that I have set in MailScanner.conf and they are still specifying that subject tagging is needed. Virus Modify Subject = yes Virus Subject Text = {Virus?} Has anyone else seen this behaviour with MailScanner 4.23-x and Exim 3.x ? Regards _________________________________________________ Ray Gardener CIS Sheffield Hallam University Howard Street Sheffield UK S1 1WB (44) 0114 225 4926 -------------- next part -------------- A non-text attachment was scrubbed... Name: Ray Gardener.vcf Type: text/x-vcard Size: 571 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/775fc94a/RayGardener.vcf From Jan-Peter.Koopmann at SECEIDOS.DE Tue Sep 2 12:20:11 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:19:42 2006 Subject: AW: Problem with to-field in MIME Header Message-ID: > Maybe I should take a look on Exim then... :) You should... :-) From nerijus at USERS.SOURCEFORGE.NET Tue Sep 2 12:21:41 2003 
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:19:42 2006 Subject: Filetype Rules In-Reply-To: <5.2.0.9.2.20030902085854.063c9d60@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030902085854.063c9d60@imap.ecs.soton.ac.uk> Message-ID: <200309021123.h82BNj707329@mail.schetelig.lt> No. I commented that line out, and it works now, but there is still probably a bug. On Tue, 2 Sep 2003 08:59:30 +0100 Julian Field wrote: > Check you haven't got a > ConfigDefs.pl.rpmnew in /usr/lib/MailScanner/MailScanner. > > At 03:16 02/09/2003, you wrote: > >Hello, > > > >according to the comment in MailScanner.conf I set > >Filetype Rules = > >i.e. I deleted everything from the = (" %etc-dir%/filetype.rules.conf") > > > >But then MailScanner does not start: > >Syntax error(s) in configuration file: > >Unrecognised keyword "filetyperules" at line 443 > >Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf. From davidj at IMPOL.NET Tue Sep 2 12:33:53 2003 
From: davidj at IMPOL.NET (David Jacobson) Date: Thu Jan 12 21:19:42 2006 Subject: Filename/filetype rulesets Message-ID: Hi, I've been using MailScanner (4.22-4) with Exim (4.20) I'd like to congratulate Julian on an unbelievable product, that in my honest opinion beats most commercial products that cost ridiculous amounts of money. Anyway, what I'd like is an example on how to split the filename/filetype options into rulesets I have a specific client that wants to be able to receive all content types from a specific domain and just need an example to work with. Thanks in advance. Kind regards, David Jacobson System Architect Imperial Online - The Imperial Connection Switchboard (+27) 11 723-8000 Helpdesk (+27) 11 723-8181 Mobile (+27) 83 235-0760 Facsimile (+27) 11 454 1236 Email davidj@impol.net www.imperialonline.co.za / www.imperialtoday.co.za Confidentiality Notice: This communication and the information it contains are intended for the person(s) or organisation(s) named above and for no other person(s) or organisation(s). The content of this communication may be confidential, legally privileged and protected. Unauthorised use, copying or disclosure of any part of this communication may be unlawful. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/320d5af7/attachment.html From P.G.M.Peters at utwente.nl Tue Sep 2 13:50:17 2003 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:19:42 2006 Subject: Does MailScanner configuration error? In-Reply-To: <3F547794.7080707@bangor.ac.uk> References: <000801c37104$9ee10220$640ba8c0@home.middlefinger.net> <3F547794.7080707@bangor.ac.uk> Message-ID: On Tue, 2 Sep 2003 11:57:24 +0100, you wrote: >> Perhaps they are looking at your headers which more than likely say >> "X-MailScanner: Found to be clean" >> >> Search your MailScanner.conf for that and change it to something OTHER than >> Found to be clean and see if that helps. > >I thought Julian's recommendation was to change the X-MailScanner: bit >rather than the body - dopey filterers may be dumping based on the >presence of the header rather than what it says? I have seen bounces from this same kind of software. Because we have changed the headers I presumed this server still uses osirusoft. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Tue Sep 2 13:59:19 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:42 2006
Subject: Filename/filetype rulesets
In-Reply-To:
Message-ID: <5.2.0.9.2.20030902135549.043756e8@imap.ecs.soton.ac.uk>

At 12:33 02/09/2003, you wrote:
>Hi,
>
>I've been using MailScanner (4.22-4) with Exim (4.20)
>
>I'd like to congratulate Julian on an unbelievable product, that in my
>honest opinion beats most commercial
>products that cost ridiculous amounts of money.
>
>Anyway, what I'd like is an example on how to split the filename/filetype
>options into rulesets
>
>I have a specific client that wants to be able to receive all content
>types from a specific domain and just need
>an example to work with.

In MailScanner.conf, set
Filetype Rules = /etc/MailScanner/rules/filetype.rules
Filename Rules = /etc/MailScanner/rules/filename.rules

In filetype.rules put
From: domain.com /etc/MailScanner/filename.allowall.rules.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf

In filename.rules put
From: domain.com /etc/MailScanner/filetype.allowall.rules.conf
FromOrTo: default /etc/MailScanner/filetype.rules.conf

In filename.allowall.rules.conf put (separated by tabs, not spaces)
allow . - -

In filetype.allowall.rules.conf put (separated by tabs, not spaces)
allow . - -

That should do the trick.

>Thanks in advance.
>
>Kind regards,
>
>David Jacobson
>System Architect
>
>Imperial Online - The Imperial Connection
>
>Switchboard (+27) 11 723-8000
>Helpdesk (+27) 11 723-8181
>Mobile (+27) 83 235-0760
>Facsimile (+27) 11 454 1236
>Email davidj@impol.net
>
>www.imperialonline.co.za / www.imperialtoday.co.za
>
>Confidentiality Notice:
>This communication and the information it contains are intended for the
>person(s) or organisation(s) named above and for no other person(s) or
>organisation(s).
>The content of this communication may be confidential, legally privileged
>and protected. Unauthorised use, copying or disclosure of any part of this
>communication may be unlawful.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/09f30c7b/attachment.html

From Antony at SOFT-SOLUTIONS.CO.UK Tue Sep 2 14:18:22 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:42 2006 Subject: ClamAV missing Sobig In-Reply-To: References: Message-ID: <200309021318.h82DIRc23293@agate.rockstone.co.uk> On Tuesday 02 September 2003 11:29 am, Tony Finch wrote: > Antony Stone wrote: > >On one particular system I currently have 8 A-V engines running, and I > > have this idea that it would be very useful to set up a mail server such > > as this running lots of A-V engines, scanning every email it receives, > > and delivering nothing but sender notifications to identify what each > > A-V system said about the attachments. > > You mean a computer specifically intended to piss off the innocent victims > of email forgery? No, I mean a machine specifically intended to enable people to find out what the various anti-virus products make of a particular file. The whole reason I said I couldn't see the technical way of doing this yet was because of the "innocent victim" problem. Regards, Antony. -- Most people are aware that the Universe is big. - Paul Davies, Professor of Theoretical Physics From kodak at FRONTIERHOMEMORTGAGE.COM Tue Sep 2 14:24:24 2003 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:19:42 2006 Subject: What's Going on here? In-Reply-To: <3F530CA8.9030803@bangor.ac.uk> Message-ID: <005601c37155$86a1b7d0$0501a8c0@darkside> >I've seen a few instances like this and having quarantined them, I sent >them to Sophos. They were all broken copies. I've also sometimes seen >Sobig-like attachments which were in fact empty. There were quite a lot >like this with Bugbear which caused them to issue the Bugbear-Dam ide. Indeed, they have sent me a sbf-dam.ide that doesn't appear to have been publicly released (yet). If anyone is interested, you can email me and I'll send it along. Also, I'm sure Sophos would be happy to send it to anyone who asks. --J(K) From David.While at UCE.AC.UK Tue Sep 2 13:36:04 2003 
From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:19:42 2006 Subject: feature request Message-ID: <107DE25EC0216C45AEF670016024245F6F16@exchangea.staff.uce.ac.uk> What is the possibility of including the sending IP address in the virus lines in the log file entries? With the recent Sobig.F outbreak it would seem sensible to be able to do some automatic processing on the log files to determine the IP addresses that are sending them. My quick analysis of my log file shows that it is a few addresses sending large numbers to me. If this is possible I would then be able to add it as a feature to mailstats.pl to block persistent virus senders for a short period of time. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/3a73c4e1/attachment.html From waldner at WALDNER.PRIV.AT Tue Sep 2 14:24:45 2003 
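An added example, not part of any post in this thread and not mailstats.pl code: one way to do the log processing described in the feature request above, counting infected messages per sending IP inside a sliding window and letting each block expire after a short period. It assumes syslog lines of the form `Infected message <id> came from <ip>`; the sample lines, the `MailScanner[pid]:` prefix, the function names, the threshold, the window and the block duration are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines: host name, message ids and addresses are
# made up (the addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Sep  2 13:00:01 mx1 MailScanner[2101]: Infected message h82C01aa came from 192.0.2.10
Sep  2 13:01:12 mx1 MailScanner[2101]: Infected message h82C01ab came from 192.0.2.10
Sep  2 13:02:30 mx1 MailScanner[2101]: Infected message h82C01ac came from 198.51.100.7
Sep  2 13:03:44 mx1 MailScanner[2102]: Infected message h82C01ad came from 192.0.2.10
Sep  2 13:05:00 mx1 MailScanner[2102]: Infected message h82C01ae came from 203.0.113.25
Sep  2 13:06:00 mx1 MailScanner[2102]: Infected message h82C01af came from 203.0.113.25
Sep  2 13:07:00 mx1 MailScanner[2102]: Infected message h82C01ag came from 203.0.113.25
Sep  2 13:20:00 mx1 MailScanner[2102]: Infected message h82C01ah came from 198.51.100.7
Sep  2 13:40:00 mx1 MailScanner[2102]: Infected message h82C01ai came from 198.51.100.7
Sep  2 13:41:00 mx1 MailScanner[2103]: Infected message h82C01aj came from not-an-ip
Sep  2 13:42:00 mx1 MailScanner[2103]: Virus Scanning: Found 1 viruses
""".splitlines()

# Anchored at both ends so only the last token on the line is taken as the IP.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\sMailScanner\[\d+\]:\s"
    r"Infected message \S+ came from (?P<ip>\S+)\s*$"
)


def parse_events(lines, year):
    """Return [(datetime, ip_address)] for every well-formed infected-message line.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            # Validate before the value can ever reach a block list.
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((when, ip))
    return events


def find_blocks(events, threshold=3, window=timedelta(minutes=10),
                block_for=timedelta(minutes=30), never_block=()):
    """Return {ip_string: (blocked_at, expires_at)}.

    An address is blocked once it sends `threshold` infected messages within
    `window`; further hits while blocked push the expiry out. `never_block`
    lists networks to leave alone, e.g. your own relays or a known NAT gateway
    that also carries legitimate mail.
    """
    exempt = [ipaddress.ip_network(n) for n in never_block]
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocks = {}
    for when, ip in sorted(events, key=lambda e: e[0]):
        if any(ip in net for net in exempt):
            continue
        seen = recent[ip]
        seen.append(when)
        while when - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            key = str(ip)
            prev = blocks.get(key)
            start = prev[0] if prev and prev[1] > when else when
            blocks[key] = (start, when + block_for)
    return blocks


def active_blocks(blocks, now):
    """Addresses whose block is in force at `now`, sorted for stable output."""
    return sorted(ip for ip, (start, end) in blocks.items() if start <= now < end)


if __name__ == "__main__":
    found = find_blocks(parse_events(SAMPLE_LOG, 2003), never_block=["203.0.113.0/24"])
    for ip, (start, end) in sorted(found.items()):
        print(f"{ip} blocked {start:%H:%M:%S} until {end:%H:%M:%S}")
```

The output of `active_blocks` is what would be written to the MTA's deny list on each run; because expired entries drop out, a sender that stops is unblocked without manual cleanup.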
From: waldner at WALDNER.PRIV.AT (Robert Waldner) Date: Thu Jan 12 21:19:42 2006 Subject: ClamAV missing Sobig In-Reply-To: Your message of "Tue, 02 Sep 2003 14:18:22 BST." <200309021318.h82DIRc23293@agate.rockstone.co.uk> References: <200309021318.h82DIRc23293@agate.rockstone.co.uk> Message-ID: <20030902132446.7932747061@fsck.waldner.priv.at> On Tue, 02 Sep 2003 14:18:22 BST, Antony Stone writes: >No, I mean a machine specifically intended to enable people to find out what >the various anti-virus products make of a particular file. > >The whole reason I said I couldn't see the technical way of doing this yet >was because of the "innocent victim" problem. So don't send anything back per mail, but use another channel. I can imagine the user entering the msg-id in some web-form to see the scan output. (Of course, the tradeoff would be the used diskspace and overhead for the webstuff (server and cgi et al).) cheers, &rw -- -- "Service packs" are for people who are mentally not equipped -- to keep track of patches and wouldn't know how to apply one -- anyway. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/86e8488a/attachment.bin From ryanb at AACRAO.ORG Tue Sep 2 15:22:52 2003 From: ryanb at AACRAO.ORG (Bingham, Ryan) Date: Thu Jan 12 21:19:42 2006 Subject: MailWatch: blocked files fix Message-ID: Thanks Steve! I replaced the SQL statement in functions.php and it works perfectly now. Thanks again, Ryan -----Original Message----- 
From: Steve Freegard [mailto:steve.freegard@LBSLTD.CO.UK]
Sent: Monday, September 01, 2003 6:20 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailWatch: blocked files fix

Ryan,

Here is the updated SQL statement:

SELECT
 COUNT(*) AS processed,
 SUM(CASE WHEN virusinfected>0 THEN 1 ELSE 0 END) AS virii,
 ROUND((SUM(CASE WHEN virusinfected>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS viriipercent,
 SUM(CASE WHEN nameinfected>0 THEN 1 ELSE 0 END) AS blockedfiles,
 ROUND((SUM(CASE WHEN nameinfected>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS blockedfilespercent,
 SUM(CASE WHEN otherinfected>0 THEN 1 ELSE 0 END) AS otherinfected,
 ROUND((SUM(CASE WHEN otherinfected>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS otherinfectedpercent,
 SUM(CASE WHEN isspam>0 THEN 1 ELSE 0 END) AS spam,
 ROUND((SUM(CASE WHEN isspam>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS spampercent,
 SUM(CASE WHEN ishighspam>0 THEN 1 ELSE 0 END) AS highspam,
 ROUND((SUM(CASE WHEN ishighspam>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS highspampercent,
 SUM(size) AS size
FROM
 maillog
WHERE
 DATE_FORMAT(timestamp, '%Y-%m-%d') = CURRENT_DATE()

Kind regards,
Steve.

-----Original Message-----
From: Bingham, Ryan
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: 01/09/03 20:43
Subject: MailWatch: blocked files fix

Someone recently posted a patch to CustomConfig.pm to get MailWatch to
display the statistics on blocked files properly. I accidentally deleted
the message and can't find it in the archives. Could someone repost it?

Thanks!

Ryan

--
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by
MailScanner (www.mailscanner.info) for the presence of computer viruses.

From mailscanner at ecs.soton.ac.uk Tue Sep 2 15:27:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:42 2006 Subject: feature request In-Reply-To: <107DE25EC0216C45AEF670016024245F6F16@exchangea.staff.uce.a c.uk> Message-ID: <5.2.0.9.2.20030902152659.04dae810@imap.ecs.soton.ac.uk> At 13:36 02/09/2003, you wrote: >What is the possibility of including the sending IP address in the virus >lines in the log file entries? Please can you give me an example of what log entries you mean. >With the recent Sobig.F outbreak it would seem sensible to be able to do >some automatic processing on the log files to determine the IP addresses >that are sending them. My quick analysis of my log file shows that it is a >few addresses sending large numbers to me. > >If this is possible I would then be able to add it as a feature to >mailstats.pl to block persistent virus senders for a short period of time. > >----------------------------------------------------------------- >David While >Technical Development Manager >Faculty of Computing, Information & English >University of Central England >Tel: 0121 331 6211 >----------------------------------------------------------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Tue Sep 2 15:48:04 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:42 2006 Subject: sigpipe warnings in syslog In-Reply-To: <20030902142336.GA15442@imaginet.co.uk> Message-ID: Hi! > I am using Mailscanner on Debian/stable. I was previously using the > Debian package of 3.27 but about 6 months ago, installed a copy of > version 4 from the tar file. > > I have just upgraded to version 4.23-11 (from 4.21-9) and it all works > fine apart from messages in syslog everytime a new batch is processed: > > SIGPIPE received - trying new log socket > > This occurs using both the standard syslogd in Debian and syslog-ng. What version syslog-ng are you running ? I am using syslog-ng 1.5.26 and i dont see that in my logs. Bye, Raymond. From gerry at dorfam.ca Tue Sep 2 16:04:09 2003 
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:19:42 2006 Subject: ClamAV missing Sobig In-Reply-To: <20030902132446.7932747061@fsck.waldner.priv.at> References: <200309021318.h82DIRc23293@agate.rockstone.co.uk> <20030902132446.7932747061@fsck.waldner.priv.at> Message-ID: <57940.129.80.22.133.1062515049.squirrel@tiger.dorfam.ca> > > On Tue, 02 Sep 2003 14:18:22 BST, Antony Stone writes: >>No, I mean a machine specifically intended to enable people to find out >> what >>the various anti-virus products make of a particular file. >> >>The whole reason I said I couldn't see the technical way of doing this >> yet >>was because of the "innocent victim" problem. > > So don't send anything back per mail, but use another channel. I can > imagine the user entering the msg-id in some web-form to see the scan > output. (Of course, the tradeoff would be the used diskspace and > overhead for the webstuff (server and cgi et al).) > > cheers, > &rw The problem I see is that it would end up being a great service for the virus writers. They could tweak and adjust until they ended up with a virus that wasn't detected by the majority of scanners. Gerry From Antony at SOFT-SOLUTIONS.CO.UK Tue Sep 2 16:10:01 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:42 2006 Subject: ClamAV missing Sobig In-Reply-To: <57940.129.80.22.133.1062515049.squirrel@tiger.dorfam.ca> References: <20030902132446.7932747061@fsck.waldner.priv.at> <57940.129.80.22.133.1062515049.squirrel@tiger.dorfam.ca> Message-ID: <200309021510.h82FA8c23987@agate.rockstone.co.uk> On Tuesday 02 September 2003 4:04 pm, Gerry Doris wrote: > > On Tue, 02 Sep 2003 14:18:22 BST, Antony Stone writes: > > >No, I mean a machine specifically intended to enable people to find out > > > what the various anti-virus products make of a particular file. > > > The whole reason I said I couldn't see the technical way of doing this > > > yet was because of the "innocent victim" problem. > > > > So don't send anything back per mail, but use another channel. I can > > imagine the user entering the msg-id in some web-form to see the scan > > output. (Of course, the tradeoff would be the used diskspace and > > overhead for the webstuff (server and cgi et al).) > > > > cheers, > > &rw > > The problem I see is that it would end up being a great service for the > virus writers. They could tweak and adjust until they ended up with a > virus that wasn't detected by the majority of scanners. In which case we already have a sample of it and can create a ClamAV signature automatically :) ? Antony. -- I vote "no" to this proposal to form a committee to investigate whether we should or should not hold a ballot on whether to vote yet. From dot at DOTAT.AT Tue Sep 2 16:17:16 2003 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:42 2006 Subject: feature request In-Reply-To: Message-ID: Julian Field wrote: >At 13:36 02/09/2003, you wrote: >>What is the possibility of including the sending IP address in the virus >>lines in the log file entries? > >Please can you give me an example of what log entries you mean. In amongst my ever-increasing logging patches I have the following. I haven't decided whether to log the virus name(s) as well -- that might not be a good idea with multiple virus scanners; alternatively I might want to optionally disable the logging of the output from the scanners themselves in order to reduce log volume. --- SweepViruses.pm 4 Jul 2003 19:13:31 -0000 1.10 +++ SweepViruses.pm 26 Aug 2003 10:03:53 -0000 1.11 @@ -508,6 +508,9 @@ next unless $text; $message->{virusreports}{"$attachment"} .= $text; } + MailScanner::Log::InfoLog("Infected message %s came from %s", + $id, $message->{clientip}) + if MailScanner::Config::Value('logipaddrs'); } # And then all the report types... --- ConfigDefs.pl 25 Jul 2003 10:09:00 -0000 1.13 +++ ConfigDefs.pl 26 Aug 2003 10:03:53 -0000 1.14 @@ -88,6 +88,7 @@ logfacility = syslogfacility logformtags = loghtmlformtags logobjecttags = logobjectcodebasetags +logipaddrs = loginfectedipaddresses maxdirtybytes = maxunsafebytesperscan maxdirtymessages = maxunsafemessagesperscan maxmessagesize = maximummessagesize @@ -145,6 +146,7 @@ logspam 1 no 0 yes 1 lognonspam 0 no 0 yes 1 logmessageids 0 no 0 yes 1 +logipaddrs 0 no 0 yes 1 expandtnef 1 no 0 yes 1 showscanner 0 no 0 yes 1 spamassassinautowhitelist 1 no 0 yes 1 Tony. -- f.a.n.finch http://dotat.at/ MULL OF KINTYRE TO ARDNAMURCHAN POINT: NORTHWEST BACKING SOUTHWEST 3 OR 4. CLOUDY, RAIN THEN SHOWERS, BECOMING DRY, FAIR LATER. GOOD FALLING MODERATE IN RAIN OR SHOWERS. SLIGHT. From dot at DOTAT.AT Tue Sep 2 16:17:53 2003 
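Review bot: In the SweepViruses.pm hunk, the new InfoLog call passes $message->{clientip} straight to the second %s without checking that it is defined, so a message with no recorded client address would be logged with an empty trailing field and anything parsing "came from" would have to cope with that. Consider extending the condition to "if MailScanner::Config::Value('logipaddrs') && defined $message->{clientip}", or logging a fixed marker such as "unknown" so the line always has two fields. The call sits after the closing brace of the loop that appends to virusreports, so it is worth a short comment stating that it is meant to fire once per infected message and not once per report.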
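Review bot: The two ConfigDefs.pl hunks add the logipaddrs = loginfectedipaddresses mapping and a yes/no default of 0, but the patch carries no matching entry or comment for MailScanner.conf, so an administrator cannot discover the option or its default from the shipped configuration. Add the documented setting next to the other logging options, and say there that the address is only logged for infected messages. The short name logipaddrs also reads as broader than what the SweepViruses.pm change does; a name closer to the long keyword would avoid that.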
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:42 2006 Subject: ClamAV missing Sobig In-Reply-To: References: Message-ID: Antony Stone wrote: > >No, I mean a machine specifically intended to enable people to find out what >the various anti-virus products make of a particular file. Use a web page. Tony. -- f.a.n.finch http://dotat.at/ ARDNAMURCHAN POINT TO CAPE WRATH INCLUDING THE OUTER HEBRIDES: SOUTHWEST TO WEST 3 OR 4 BACKING SOUTHWEST 4 OR 5 LATER. CLOUDY, RAIN THEN SHOWERS. GOOD FALLING MODERATE IN RAIN OR SHOWERS. SLIGHT INCREASING MODERATE. From peter.farago at PENSION-KEY.COM Tue Sep 2 16:19:36 2003 From: peter.farago at PENSION-KEY.COM (Peter Farago) Date: Thu Jan 12 21:19:42 2006 Subject: mail stuck in postfix.in Message-ID: I installed mailscanner & spamassassin under redhat 9 and tried to configure it to work with postfix. postfix-1.1.12-1 mailscanner 4.23-11 mail-spamassassin 2.55 I followed the instructions in "MailScanner Installation Guide - Postfix" postfix (2 copies) and mailscanner (many copies) both run after I do the service MailScanner start but inbound mail gets stuck in /var/spool/postfix.in/deferred. there are no errors in maillog but I don't see any mailscanner entries after the startup. It appears to not recognize the arrival of mail in the inbound queue. Any ideas on how to fix this? From errol.neal at ENHTECH.COM Tue Sep 2 16:19:13 2003 
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
In-Reply-To:
Message-ID: <5.1.0.14.0.20030902104015.03c128a0@mail.enhtech.com>

Hi all,

My company has been using MailScanner for some time now and have been really pleased. Our primary platform for deployment is Solaris 9 on Sparc. We are going to be deploying several new servers and are pricing out the hardware for them. Since we depend on these systems and want them to be as efficient as possible, we want to target possible bottlenecks in a MailScanner system and put the capital there as opposed to just throwing money at the system.

Right now what we are looking at is deploying a 2.4 Pentium IV system with IDE disks and 512MB of RAM. I personally think we should invest the money in the Disk IO and even go with Pentium III's but my employer is not so convinced. Of course everyone knows that SCSI is faster than standard IDE disks, however is that increase in performance noticeable on a MailScanner system? Is the performance on a P4 that much better than performance on a PIII?

Since I do not have systems of this nature to test with I am turning to users of this software to help me invest my budget wisely to produce the best system I can.

SCSI vs IDE, is the difference that noticeable?
64bit vs 32 bit, any performance gains there?
Linux vs Solaris? Anybody got any ideas?

PS our daily volume of mail passing through our MailScanners is somewhere in the neighborhood of 15-20K

Thank you in advance,

Regards,

Errol U. Neal

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From Kevin.Spicer at BMRB.CO.UK Tue Sep 2 16:47:37 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ADF9@pascal.priv.bmrb.co.uk>

Errol Neal wrote:
> Hi all,
> SCSI vs IDE, is the difference that noticeable?

The best I/O improvement is by making sure you've got plenty of RAM and
putting the MailScanner work directory in tmpfs (not either of the mail
queues though!)

> Linux vs Solaris? Anybody got any ideas?

Personally speaking ufs sucks and anything FS intensive struggles on
Solaris (in fairness my experience is with low end machines, E250 and
lower). You'll get more bang-per-buck using linux on Intel. Where Solaris
excels is at the high end and I can't see why anyone would need a high end
server for a mail load of only 15-20k.

>
> PS our daily volume of mail passing through our MailScanners is
> somewhere in the neighborhood of 15-20K
>

For comparison I run a mail server handling a load of about 7K using a
Compaq blade (800Mhz processor, IDE drive, 512M ram, running Linux) with
MS, SA, DCC, Razor2, Pyzor, MailStats and MailScanner-mrtg. The main load
comes when the two stats programs process the logfiles.

If you've got the money for Sun hardware buy Intel and get an extra box for
redundancy/ load balancing!

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From tyler at BELOIT.EDU Tue Sep 2 16:52:36 2003
From: tyler at BELOIT.EDU (Tim Tyler)
Date: Thu Jan 12 21:19:42 2006
Subject: caramail domain
Message-ID: <5.2.0.9.0.20030902103737.00bbb2e0@beloit.edu>

FYI for everyone,
I have researched the caramail.com domain issue and they must now be
setting up legitimate email accounts with just username@caramail.com. I
have had two legitimate accounts from caramail.com that were tagged as
spam. I think caramail.com should probably get removed from the
spamassassin domain name list. Regardless, I will either whitelist their
domain or lower the weighted score for FAKE_HELO_DOTCOM. In the long run,
I hope that spamassassin will take off caramail.com from the list of
Fake_helo_dotcom list since I am guessing that many other sites will be
tagging them falsely as well.
Tim

Tim Tyler
Network Engineer - Beloit College
tyler@beloit.edu

From David.While at UCE.AC.UK Tue Sep 2 16:54:26 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:42 2006
Subject: ANNOUNCE: mailstats V0.21
Message-ID: <107DE25EC0216C45AEF670016024245F64417C@exchangea.staff.uce.ac.uk>

Whoops - sorry about that - it's there now.

-----Original Message-----
From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US]
Sent: Tue 02/09/2003 15:52
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: ANNOUNCE: mailstats V0.21

Hey I went out to this site to grab .21 and it was showing .23 as the
latest but I can not download it.

Thanks

Joe

-----Original Message-----
From: David While [mailto:David.While@UCE.AC.UK]
Sent: Sunday, August 31, 2003 12:41 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ANNOUNCE: mailstats V0.21

A few people have been asking so here it is!

A new version of mailstats is available - the main changes are:

* Added support to produce list of SpamAssassin traps triggered
* Added support for configurable message in access file
* Added support to produce 2 mrtg config files for better graphing
* Added support for multiple mail queue directories
* Corrected bug in virus update notification
* Added support to restrict the output in lists.

It can be downloaded from http://www.while.homeunix.net/mailstats

There is also a discussion forum available at
http://www.while.homeunix.net/mailstats/phpBB2/

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

From splee at PLEXIO.COM Tue Sep 2 16:55:50 2003
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:19:42 2006
Subject: What's Going on here?
In-Reply-To: <005601c37155$86a1b7d0$0501a8c0@darkside>
References: <005601c37155$86a1b7d0$0501a8c0@darkside>
Message-ID: <1062518150.366.39.camel@ralph.plexio.private>

On Tue, 2003-09-02 at 06:24, Jason Balicki wrote:
> >I've seen a few instances like this and having quarantined them, I sent
> >them to Sophos. They were all broken copies. I've also sometimes seen
> >Sobig-like attachments which were in fact empty. There were quite a lot
> >like this with Bugbear which caused them to issue the Bugbear-Dam ide.
>
> Indeed, they have sent me a sbf-dam.ide that doesn't appear to have
> been publicly released (yet). If anyone is interested, you can email me
> and I'll send it along. Also, I'm sure Sophos would be happy to send
> it to anyone who asks.

At the height of the Sobig.F storm one of my mail servers
(MS/Sophos/Exim) let through 3000+ copies of what appeared to be
Sobig.F-like messages without any attachment. If there is no attachment,
can Sophos still detect it? I guess there must be some other virus-like
signature within the message.

Stephen

From dbird at SGHMS.AC.UK Tue Sep 2 16:58:48 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
References: <5.1.0.14.0.20030902104015.03c128a0@mail.enhtech.com>
Message-ID: <3F54BE38.1060402@sghms.ac.uk>

Errol Neal wrote:
> Hi all,
>
> My company has been using MailScanner for some time now and have been
> really pleased. Our primary platform for deployment is Solaris 9 on
> Sparc.
> We are going to be deploying several new servers and are pricing out the
> hardware for them. Since we depend on these systems and want them to be
> as efficient as possible, we want to target possible bottlenecks in a
> MailScanner system and put the capital there as opposed to just throwing
> money at
> the system.
>
> Right now what we are looking at is deploying a 2.4 Pentium IV system
> with
> IDE disks and 512MB of RAM. I personally think we should invest the money
> in the Disk IO and even go with Pentium III's but my employer is not so
> convinced. Of course everyone knows that SCSI is faster than standard IDE
> disks,
> however is that increase in performance noticeable on a MailScanner
> system?
> Is the performance on a P4 that much better than performance on a
> PIII? Since
> I do not have systems of this nature to test with I am turning to
> users of
> this software to help me invest my budget wisely to produce the best
> system
> I can.
>
> SCSI vs IDE, is the difference that noticeable?

In the context of MailScanner I couldn't say for definite but I very much
suspect so since SCSI will perform better than IDE on the OS side ;-).
Extra RAM will also do you a load of good.

> 64bit vs 32 bit, any performance gains there?

Again, see above, but I'll leave that one for Julian.

>
> Linux vs Solaris? Anybody got any ideas?

Whatever you're comfortable with, although the upgrade process etc with
Linux is far easier. We were originally using Ultra5's about 18 months ago
but changed to linux so we could use the rpm's etc.
(made life for a couple of my admins far easier ;-)

>
>
> PS our daily volume of mail passing through our MailScanners is somewhere
> in the neighborhood of 15-20K

We do that volume on each of our mailhubs (3). They are little Celeron
800's with 256Mb Ram and IDE disks. They each run MS/SA/DCC/Pyzor/Razor and
3 x virus scanners. I guess the question is how is your mail distributed?
If you get a steady flow like we usually do, then this'd be OK. Having said
that, with the current troughs and peaks we're seeing from viri like SoBig
etc, these little fellas are starting to struggle (and occasionally fall
over because of the load), so we're upgrading to Dual PIII 1.4Ghz with
512Mb RAM and SCSI-3 disks. These are relatively cheap (< £1300 ext VAT)
from Dell (academic pricing) and will fly with our current load, and give
us some room for growth.

>
>
> Thank you in advance,
>
>
> Regards,
>
> Errol U. Neal
>
> Errol Neal, Systems/Network Administrator
> eneal@enhtech.com
> Enhanced Technologies Inc.
> http://www.enhtech.com
> 703-924-0301 or 800-368-3249
> 703-924-0302 Fax
>

--
____________________________________
Daniel Bird
Network and Systems Manager
Department Of Information Services
St. George's Hospital Medical School
Tooting
London SW17 0RE
P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan@sghms.ac.uk
____________________________________
Everything is possible....except skiing through a revolving door

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

From David.While at UCE.AC.UK Tue Sep 2 17:02:47 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:42 2006
Subject: feature request
Message-ID: <107DE25EC0216C45AEF670016024245F64417D@exchangea.staff.uce.ac.uk>

Sep 2 15:36:24 xxxxxx MailScanner[10247]: Virus and Content Scanning: Starting
******** Sep 2 15:36:25 xxxxxxMailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZlKq015377/thank_you.pif: Worm.Sobig.F FOUND
Sep 2 15:36:25 xxxxxx MailScanner[10247]: Virus Scanning: ClamAV found 1 infections
Sep 2 15:36:25 xxxxxx MailScanner[10247]: Virus Scanning: Found 1 viruses
Sep 2 15:36:25 xxxxxx MailScanner[10247]: Filename Checks: Possible MS-Dos program shortcut attack (thank_you.pif)
Sep 2 15:36:25 xxxxxx MailScanner[10247]: Filetype Checks: No executables (thank_you.pif)
Sep 2 15:36:25 xxxxxx MailScanner[10247]: Other Checks: Found 2 problems

Ideally I would like the IP address in the line marked with *s (apologies
for the line wrap (if indeed it does!)

David While

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Tue 02/09/2003 15:27
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: feature request

At 13:36 02/09/2003, you wrote:
>What is the possibility of including the sending IP address in the virus
>lines in the log file entries?

Please can you give me an example of what log entries you mean.

>With the recent Sobig.F outbreak it would seem sensible to be able to do
>some automatic processing on the log files to determine the IP addresses
>that are sending them. My quick analysis of my log file shows that it is a
>few addresses sending large numbers to me.
>
>If this is possible I would then be able to add it as a feature to
>mailstats.pl to block persistent virus senders for a short period of time.
>
>-----------------------------------------------------------------
>David While
>Technical Development Manager
>Faculty of Computing, Information & English
>University of Central England
>Tel: 0121 331 6211
>-----------------------------------------------------------------

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dafydd.tomos at IMAGINET.CO.UK Tue Sep 2 15:23:36 2003
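One way to get the sending addresses David asks about without changing MailScanner, as an added example (not mailstats or MailScanner code, and not part of the thread): join the scanner's FOUND lines to the MTA's own log on the queue ID that appears in the work-directory path. It assumes the MTA is sendmail and logs a `from=... relay=host [ip]` line under that same ID; those lines, the host name `mx1`, the extra queue IDs and the addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log. The first MailScanner line is the one posted in the
# thread; every sendmail line, the host name "mx1", the other queue IDs and the
# addresses (documentation ranges) are constructed for this example.
SAMPLE_LOG = """\
Sep 2 15:36:20 mx1 sendmail[15377]: h82EZlKq015377: from=<a@example.com>, size=103412, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Sep 2 15:36:21 mx1 sendmail[15380]: h82EZmKq015380: from=<b@example.com>, size=98211, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
Sep 2 15:36:22 mx1 sendmail[15391]: h82EZnKq015391: from=<c@example.com>, size=101877, class=0, nrcpts=2, proto=ESMTP, daemon=MTA, relay=host7.example.org [198.51.100.7]
Sep 2 15:36:23 mx1 sendmail[15402]: h82EZoKq015402: from=<d@example.com>, size=2210, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Sep 2 15:36:25 xxxxxxMailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZlKq015377/thank_you.pif: Worm.Sobig.F FOUND
Sep 2 15:36:25 mx1 MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZmKq015380/your_details.pif: Worm.Sobig.F FOUND
Sep 2 15:36:25 mx1 MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZmKq015380/copy of details.pif: Worm.Sobig.F FOUND
Sep 2 15:36:25 mx1 MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZnKq015391/wicked_scr.scr: Worm.Sobig.F FOUND
Sep 2 15:36:26 mx1 MailScanner[10249]: /var/spool/MailScanner/incoming/10249/./h82EZpKq015410/thank_you.pif: Worm.Sobig.F FOUND
Sep 2 15:36:40 mx1 sendmail[15420]: h82EZlKq015377: to=<user@example.net>, delay=00:00:20, mailer=esmtp, relay=inside.example.net. [203.0.113.5], dsn=2.0.0, stat=Sent
"""

# Only "from=" lines name the client that handed us the message. A "to=" line
# also carries relay=, but there it is the next hop we delivered to.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=.*\brelay=(?:\S+ )?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)

# Scanner output as posted in the thread: <work dir>/<pid>/./<queue id>/<file>.
FOUND_RE = re.compile(
    r"MailScanner\[\d+\]: \S*/incoming/\d+/\./(?P<qid>\w+)/"
    r"(?P<name>.+?): (?P<virus>\S+) FOUND\s*$"
)


def correlate(lines):
    """Return ({client_ip: infected_message_count}, [unresolved queue ids])."""
    relay = {}                    # queue id -> client IP from the MTA log
    infected = defaultdict(set)   # queue id -> virus names reported for it
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            relay[m["qid"]] = m["ip"]
            continue
        m = FOUND_RE.search(line)
        if m:
            infected[m["qid"]].add(m["virus"])

    per_ip = defaultdict(set)
    unresolved = []
    for qid in infected:
        ip = relay.get(qid)
        if ip is None:
            # The from= line may be in a rotated log; report it, do not guess.
            unresolved.append(qid)
        else:
            # A set of queue ids counts a message once, however many infected
            # attachments it carried.
            per_ip[ip].add(qid)
    return {ip: len(qids) for ip, qids in per_ip.items()}, sorted(unresolved)


def persistent_senders(counts, threshold):
    """Client IPs that sent at least `threshold` infected messages."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts, unresolved = correlate(SAMPLE_LOG.splitlines())
    print(counts, unresolved, persistent_senders(counts, 2))
```

The relay address is whichever host connected to the MTA, so a secondary MX or internal forwarder in front of the scanner has to be excluded before any address from this list is blocked.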
From: dafydd.tomos at IMAGINET.CO.UK (Dafydd Tomos)
Date: Thu Jan 12 21:19:42 2006
Subject: sigpipe warnings in syslog
Message-ID: <20030902142336.GA15442@imaginet.co.uk>

Hi,

First of all thanks to Julian and all the other contributors to
Mailscanner, for a great piece of software.

I am using Mailscanner on Debian/stable. I was previously using the Debian
package of 3.27 but about 6 months ago, installed a copy of version 4 from
the tar file. I have just upgraded to version 4.23-11 (from 4.21-9) and it
all works fine apart from messages in syslog every time a new batch is
processed:

SIGPIPE received - trying new log socket

This occurs using both the standard syslogd in Debian and syslog-ng. I
guess it's only a warning, but was wondering if there was a way to stop it
occurring.

cheers
--
Dafydd Tomos
Systems Administrator
Gweinyddwr Systemau
Imaginet Ltd
http://www.imaginet.co.uk/

From jharnish at CI.GRAND-RAPIDS.MI.US Tue Sep 2 15:52:45 2003
From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe)
Date: Thu Jan 12 21:19:42 2006
Subject: ANNOUNCE: mailstats V0.21
Message-ID: <221C759285B78647AEE6181FD6AF36A7078B91CD@bambi.grand-rapids.mi.us>

Hey I went out to this site to grab .21 and it was showing .23 as the
latest but I can not download it.

Thanks

Joe

-----Original Message-----
From: David While [mailto:David.While@UCE.AC.UK]
Sent: Sunday, August 31, 2003 12:41 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ANNOUNCE: mailstats V0.21

A few people have been asking so here it is!

A new version of mailstats is available - the main changes are:

* Added support to produce list of SpamAssassin traps triggered
* Added support for configurable message in access file
* Added support to produce 2 mrtg config files for better graphing
* Added support for multiple mail queue directories
* Corrected bug in virus update notification
* Added support to restrict the output in lists.

It can be downloaded from http://www.while.homeunix.net/mailstats

There is also a discussion forum available at
http://www.while.homeunix.net/mailstats/phpBB2/

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

From raymond at PROLOCATION.NET Tue Sep 2 17:03:15 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:42 2006
Subject: What's Going on here?
In-Reply-To: <1062518150.366.39.camel@ralph.plexio.private>
Message-ID:

Hi!

> > Indeed, they have sent me a sbf-dam.ide that doesn't appear to have
> > been publicly released (yet). If anyone is interested, you can email me
> > and I'll send it along. Also, I'm sure Sophos would be happy to send
> > it to anyone who asks.

> At the height of the Sobig.F storm one of my mail servers
> (MS/Sophos/Exim) let through 3000+ copies of what appeared to be
> Sobig.F-like messages without any attachment. If there is no attachment,
> can Sophos still detect it? I guess there must be some other virus-like
> signature within the message.

If there's no attachment it's no virus, it's just crap mail =)

IMHO it's not to blame your virus scanner for that, but a content filter
should take care of that :) I think you could better call those 'SPAM' =)

Bye,
Raymond.

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Sep 2 17:08:30 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:19:42 2006
Subject: What's Going on here?
In-Reply-To: <1062518150.366.39.camel@ralph.plexio.private>
Message-ID: <009c01c3716c$73d87c80$0501a8c0@darkside>

>If there is no
>attachment,
>can Sophos still detect it?

I don't believe so. There are two "issues" with Sobig-F.

One issue is when Sobig-F sends no attachment -- not a problem, it'll get
past any default checks (and will confuse the user) but no damage will be
done. Your MTA may allow you to reject mail based on subject and/or other
textual clues, and you may want to try that approach (not *just* subject
though. :)

The second is the damaged Sobig-F executable. It will not run, but may get
past a scanner. If the system in question is set up to not allow any
executables through you're fine. (Most likely your AV vendor has an updated
signature for the damaged Sobig-F by now though, so it should be getting
tagged and stripped at this point.)

--J(K)

From errol.neal at ENHTECH.COM Tue Sep 2 17:10:31 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ADF9@pascal.priv.bmrb.co.uk>
Message-ID: <5.1.0.14.0.20030902115711.03f96d18@mail.enhtech.com>

At 04:47 PM 9/2/2003 +0100, you wrote:

>The best I/O improvement is by making sure you've got plenty of RAM and
>putting the MailScanner work directory in tmpfs (not either of the mail
>queues though!)

That is a bit scary for us. Unpacking messages in a memory based file
system could be catastrophic. *Shudders*. Too scary to even think about it
if for example, MailScanner dies and leaves a bunch of mail in the tmpfs
and we unknowingly reboot the system... for us.. instant lawsuit.
Can anyone explain how this works? Does MailScanner unpack messages 1 at a
time, does it unpack all the messages bulky in this directory?

>Personally speaking ufs sucks and anything FS intensive struggles on
>Solaris (in fairness my experience is with low end machines, E250 and
>lower). You'll get more bang-per-buck using linux on Intel. Where
>Solaris excels is at the high end and I can't see why anyone would need a
>high end server for a mail load of only 15-20k.

We are using the lower end Netra T-1 and V Fire 100 (I think). Turning on
logging increases performance dramatically. Compared against linux using
XFS logging on ultra 160 drives, the performance is almost equal.

>If you've got the money for Sun hardware buy Intel and get an extra box
>for redundancy/ load balancing!

Lower end sun models are actually quite inexpensive these days. 550MHZ cpu,
512 RAM, two nics and 40GB ide for less than 1K US is not too bad. We
actually have 3 systems deployed at the moment, each system handles about
15-20K messages a day, and that varies.

I guess what I am trying to achieve as I said earlier is a strategic
investment of dollars into what will make the difference most dramatically.
For example, if 1 gig of ram will improve the systems performance over our
current 512MB Ram in a much greater way than deploying SCSI based /var/
slices, I will put my money in the RAM and stick to my IDE disks. This is
what I need to know.

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From Kevin.Spicer at BMRB.CO.UK Tue Sep 2 17:19:12 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649684@pascal.priv.bmrb.co.uk>

Errol Neal wrote:
> At 04:47 PM 9/2/2003 +0100, you wrote:
>> The best I/O improvement is by making sure you've got plenty of RAM
>> and putting the MailScanner work directory in tmpfs (not either of
>> the mail queues though!)
>
> That is a bit scary for us. Unpacking messages in a memory based
> file system could be catastrophic. *Shudders*. Too scary to even
> think about it if for example,
> MailScanner dies and leaves a bunch of mail in the tmpfs and we
> unknowingly reboot the system... for us.. instant lawsuit.
> Can anyone explain how this works? Does MailScanner unpack messages 1
> at a time, does it unpack all the messages bulky in this directory?

No, it's absolutely safe, so long as you only do this for the _work_
directory (/var/spool/MailScanner/incoming) and NOT the _queue_ directories
(mqueue and mqueue.in). MailScanner never removes the queue files (even
when it moves the files it actually just links them into the outgoing
directory then unlinks them in the incoming directory IIRC). The
MailScanner incoming directory is used to unpack batches of messages to be
scanned. Should the System crash only these unpacked _copies_ of the
original message will be lost, the original message will still be sitting
there in mqueue.in (on a disk based filesystem) ready to be processed by
MailScanner when it is restarted.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Kevin.Spicer at BMRB.CO.UK Tue Sep 2 17:29:50 2003
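The link-then-unlink handoff described above, as an added sketch (not MailScanner's code and not part of the thread): it simulates a crash at each step and reports which queue still holds the message, next to a read, delete, rewrite variant that can lose it. The directory names follow the thread; the queue ID, the message body and the `crash_after` hook are constructed, and the hard link assumes both queues sit on the same filesystem.

```python
import os
import shutil
import tempfile

# Constructed message body and queue ID, for illustration only.
CONSTRUCTED_MESSAGE = b"From: a@example.com\nTo: b@example.net\n\nhello\n"
QUEUE_ID = "h82EXAMPLE000001"


class Crash(Exception):
    """Simulated power loss or killed process."""


def handoff_link(name, incoming, outgoing, crash_after=None):
    """Move a queue file as the thread describes: link first, unlink second."""
    src, dst = os.path.join(incoming, name), os.path.join(outgoing, name)
    if crash_after == 0:
        raise Crash
    os.link(src, dst)        # step 1: the message is now in BOTH queues
    if crash_after == 1:
        raise Crash
    os.unlink(src)           # step 2: the message is only in the outgoing queue


def handoff_unsafe(name, incoming, outgoing, crash_after=None):
    """Counter-example: hold the only copy in memory between delete and write."""
    src, dst = os.path.join(incoming, name), os.path.join(outgoing, name)
    if crash_after == 0:
        raise Crash
    with open(src, "rb") as fh:
        data = fh.read()
    os.unlink(src)           # step 1: the message is now in NEITHER queue
    if crash_after == 1:
        raise Crash
    with open(dst, "wb") as fh:
        fh.write(data)       # step 2: the message reappears in the outgoing queue


def queues_holding_message(handoff, crash_after):
    """Run one handoff, crash where asked, reboot, and list surviving copies."""
    with tempfile.TemporaryDirectory() as root:
        incoming = os.path.join(root, "mqueue.in")
        outgoing = os.path.join(root, "mqueue")
        work = os.path.join(root, "incoming")   # stands in for the tmpfs work dir
        for d in (incoming, outgoing, work):
            os.mkdir(d)

        with open(os.path.join(incoming, QUEUE_ID), "wb") as fh:
            fh.write(CONSTRUCTED_MESSAGE)
        # Unpacking for scanning only ever creates a copy in the work directory.
        shutil.copy(os.path.join(incoming, QUEUE_ID), os.path.join(work, QUEUE_ID))

        try:
            handoff(QUEUE_ID, incoming, outgoing, crash_after)
        except Crash:
            pass
        shutil.rmtree(work)  # reboot: whatever was in tmpfs is gone

        return [
            label
            for label, d in (("mqueue.in", incoming), ("mqueue", outgoing))
            if os.path.exists(os.path.join(d, QUEUE_ID))
        ]


if __name__ == "__main__":
    for fn in (handoff_link, handoff_unsafe):
        for point in (0, 1, None):
            print(fn.__name__, point, queues_holding_message(fn, point))
```

With the link-first order every crash point leaves the message in at least one queue, at worst in both, so the failure mode is a duplicate rather than a loss.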
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ADFA@pascal.priv.bmrb.co.uk>

Errol Neal wrote:
>> The best I/O improvement is by making sure you've got plenty of RAM
>> and putting the MailScanner work directory in tmpfs (not either of
>> the mail queues though!)
>
> Also, if one is to use the tmpfs, how large should the file system be?
>

number of MailScanner children * batch size (no of messages) * average mail size * margin of error

tmpfs resizes automatically, but obviously you don't want to run out of RAM
and start swapping.

Here's a silly example...

5 children * batchsize 100 * average_size 200k [which is silly, who has many messages that size] * margin of error say 5 (cautious) = 488M

And that's using stupidly large numbers!, the real figures are probably an
order of magnitude or two (but allow for peaks - what happens when every
mail has an attachment, like some virus storms we've had). A cautious mind
would probably spec 1G of ram (but 512M would probably be okay) with that
batch size. In the real world though it's often worth decreasing the batch
size to improve performance (which reduces the memory requirement).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at ecs.soton.ac.uk Tue Sep 2 17:44:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:42 2006
Subject: mail stuck in postfix.in
In-Reply-To:
Message-ID: <5.2.0.9.2.20030902174407.04c0f8d8@imap.ecs.soton.ac.uk>

Check your queue directories are set correctly in MailScanner.conf.

At 16:19 02/09/2003, you wrote:
>I installed mailscanner & spamassassin under redhat 9 and tried to
>configure it to work with postfix.
>
>postfix-1.1.12-1
>mailscanner 4.23-11
>mail-spamassassin 2.55
>
>I followed the instructions in "MailScanner Installation Guide - Postfix"
>
>postfix (2 copies) and mailscanner (many copies) both run after I do the
>service MailScanner start but inbound mail gets stuck
>in /var/spool/postfix.in/deferred.
>
>there are no errors in maillog but I don't see any mailscanner entries
>after the startup. It appears to not recognize the arrival of mail in the
>inbound queue.
>
>Any ideas on how to fix this?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mikea at MIKEA.ATH.CX Tue Sep 2 18:47:25 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:19:42 2006
Subject: mail stuck in postfix.in
In-Reply-To: <5.2.1.1.0.20030902131754.00b357c8@pension-key.com>; from peter.farago@PENSION-KEY.COM on Tue, Sep 02, 2003 at 01:18:38PM -0400
References: <5.2.0.9.2.20030902174407.04c0f8d8@imap.ecs.soton.ac.uk> <5.2.1.1.0.20030902131754.00b357c8@pension-key.com>
Message-ID: <20030902124725.A62355@mikea.ath.cx>

On Tue, Sep 02, 2003 at 01:18:38PM -0400, Peter A Farago wrote:
> See below
>
> At 05:44 PM 9/2/2003 +0100, you wrote:
> >Check your queue directories are set correctly in MailScanner.conf.
>
> Incoming Queue Dir = /var/spool/postfix.in
>
> # Set location of outgoing mail queue.
> # This can also be the filename of a ruleset.
> Outgoing Queue Dir = /var/spool/postfix
>
> # Set where to unpack incoming messages before scanning them
> Incoming Work Dir = /var/spool/MailScanner/incoming
>
> # Set where to store infected and message attachments (if they are kept)
> # This can also be the filename of a ruleset.
> Quarantine Dir = /var/spool/MailScanner/quarantine

Now:
o what directories does the inbound postfix instance expect to
  put inbound mail into;

o where does the outbound postfix instance expect to get
  its outbound mail;

o how many instances of postfix are running?

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From peter.farago at PENSION-KEY.COM Tue Sep 2 19:10:51 2003
From: peter.farago at PENSION-KEY.COM (Peter A Farago)
Date: Thu Jan 12 21:19:42 2006
Subject: mail stuck in postfix.in
In-Reply-To: <20030902124725.A62355@mikea.ath.cx>
References: <5.2.1.1.0.20030902131754.00b357c8@pension-key.com> <5.2.0.9.2.20030902174407.04c0f8d8@imap.ecs.soton.ac.uk> <5.2.1.1.0.20030902131754.00b357c8@pension-key.com>
Message-ID: <5.2.1.1.0.20030902140504.00b357c8@pension-key.com>

there are 2 instances running; inbound based on /etc/postfix.in and
outbound based on /etc/postfix.

postfix.in/main.cf:queue_directory = /var/spool/postfix.in
postfix/main.cf:queue_directory = /var/spool/postfix

is mailscanner expected to pick up the mail from /var/spool/postfix.in and
deliver it to the outbound instance? I don't think this is happening
because I don't see any mailscanner activity in maillog after the initial
startup.

At 12:47 PM 9/2/2003 -0500, you wrote:
>On Tue, Sep 02, 2003 at 01:18:38PM -0400, Peter A Farago wrote:
> > See below
> >
> > At 05:44 PM 9/2/2003 +0100, you wrote:
> > >Check your queue directories are set correctly in MailScanner.conf.
> >
> > Incoming Queue Dir = /var/spool/postfix.in
> >
> > # Set location of outgoing mail queue.
> > # This can also be the filename of a ruleset.
> > Outgoing Queue Dir = /var/spool/postfix
> >
> > # Set where to unpack incoming messages before scanning them
> > Incoming Work Dir = /var/spool/MailScanner/incoming
> >
> > # Set where to store infected and message attachments (if they are kept)
> > # This can also be the filename of a ruleset.
> > Quarantine Dir = /var/spool/MailScanner/quarantine
>
>Now:
>o what directories does the inbound postfix instance expect to
> put inbound mail into;
>
>o where does the outbound postfix instance expect to get
> its outbound mail;
>
>o how many instances of postfix are running?
>
>--
>Mike Andrews
>mikea@mikea.ath.cx
>Tired old sysadmin since 1964

From mike at CAMAROSS.NET Tue Sep 2 19:24:44 2003
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:42 2006 Subject: ANNOUNCE: mailstats V0.21 In-Reply-To: <107DE25EC0216C45AEF670016024245F64417C@exchangea.staff.uce.ac.uk> Message-ID: <005b01c3717f$7b8c3f80$a91cbdcf@home.middlefinger.net> I'm getting this after upgrading to the new version: ERROR: unable to open config file: /var/www/html/mailstats/mrtg1.cfg What should be in this file? Seems like mailstats.pl used to create what it needed. Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David While > Sent: Tuesday, September 02, 2003 10:54 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: mailstats V0.21 > > > Whoops - sorry about that - its there now. > > -----Original Message----- > From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US] > Sent: Tue 02/09/2003 15:52 > To: MAILSCANNER@JISCMAIL.AC.UK > Cc: > Subject: Re: ANNOUNCE: mailstats V0.21 > > > Hey I went out to this site to grab .21 and it was > showing .23 as the latest but I can not download it. > > Thanks > > Joe > > -----Original Message----- 
> From: David While [mailto:David.While@UCE.AC.UK] > Sent: Sunday, August 31, 2003 12:41 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: ANNOUNCE: mailstats V0.21 > > > A few people have been asking so here it is! > > A new version of mailstats is available - the > main changes are: > > * Added support to produce list of > SpamAssassin traps triggered > * Added support for configurable message > in access file > * Added support to produce 2 mrtg config > files for better graphing > * Added support for multiple mail queue > directories > * Corrected bug in virus update notification > * Added support to restrict the output in lists. > > It can be downloaded from > http://www.while.homeunix.net/mailstats > > There > is also a discussion forum available at > http://www.while.homeunix.net/mailstats/phpBB2> / > > > > ----------------------------------------------------------------- > David While > Technical Development Manager > Faculty of Computing, Information & English > University of Central England > Tel: 0121 331 6211 > > ----------------------------------------------------------------- > From mike at CAMAROSS.NET Tue Sep 2 19:34:35 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:42 2006 Subject: ANNOUNCE: mailstats V0.21 In-Reply-To: <005b01c3717f$7b8c3f80$a91cbdcf@home.middlefinger.net> Message-ID: <005c01c37180$dbd2be40$a91cbdcf@home.middlefinger.net> Nevermind...I deleted the old mrtg.cfg and then it recreated everything. Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher > Sent: Tuesday, September 02, 2003 1:25 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: mailstats V0.21 > > > I'm getting this after upgrading to the new version: > > ERROR: unable to open config file: /var/www/html/mailstats/mrtg1.cfg > > What should be in this file? Seems like mailstats.pl used to > create what it needed. > > Mike > > > > -----Original Message----- 
> > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of David While > > Sent: Tuesday, September 02, 2003 10:54 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: ANNOUNCE: mailstats V0.21 > > > > > > Whoops - sorry about that - its there now. > > > > -----Original Message----- > > From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US] > > Sent: Tue 02/09/2003 15:52 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Cc: > > Subject: Re: ANNOUNCE: mailstats V0.21 > > > > > > Hey I went out to this site to grab .21 and it was > showing .23 > > as the latest but I can not download it. > > > > Thanks > > > > Joe > > > > -----Original Message----- > > From: David While [mailto:David.While@UCE.AC.UK] > > Sent: Sunday, August 31, 2003 12:41 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: ANNOUNCE: mailstats V0.21 > > > > > > A few people have been asking so here it is! > > > > A new version of mailstats is available - the main > > changes are: > > > > * Added support to produce list of > > SpamAssassin traps triggered > > * Added support for configurable message > > in access file > > * Added support to produce 2 mrtg config > > files for better graphing > > * Added support for multiple mail queue > > directories > > * Corrected bug in virus update notification > > * Added support to restrict the output in lists. > > > > It can be downloaded from > > http://www.while.homeunix.net/mailstats > > > > There > > is also a discussion forum available at > > http://www.while.homeunix.net/mailstats/phpBB2> / > > > > > > > > ----------------------------------------------------------------- > > David While > > Technical Development Manager > > Faculty of Computing, Information & English > > University of Central England > > Tel: 0121 331 6211 > > > > ----------------------------------------------------------------- > > > From mailscanner at ecs.soton.ac.uk Tue Sep 2 19:29:31 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:42 2006
Subject: caramail domain
In-Reply-To: <5.2.0.9.0.20030902103737.00bbb2e0@beloit.edu>
Message-ID: <5.2.1.1.2.20030902192902.0273d308@imap.ecs.soton.ac.uk>

This is nothing to do with MailScanner. Please contact the SpamAssassin
folks, as it's their setup.

At 16:52 02/09/2003, you wrote:
>FYI for everyone,
> I have researched the caramail.com domain issue and they must now be
>setting up legitimate email accounts with just username@caramail.com. I
>have had two legitimate accounts from caramail.com that were tagged as
>spam. I think caramail.com should probably get removed from the
>spamassassin domain name list. Regardless, I will either whitelist their
>domain or lower the weighted score for FAKE_HELO_DOTCOM. In the long run,
>I hope that spamassassin will take off caramail.com from the list of
>Fake_helo_dotcom list since I am guessing that many other sites will be
>tagging them falsely as well.
> Tim
>
>
>
>
>Tim Tyler
>Network Engineer - Beloit College
>tyler@beloit.edu

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Sep 2 19:39:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649684@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.1.1.2.20030902193547.0261a728@imap.ecs.soton.ac.uk>

At 17:19 02/09/2003, you wrote:
>Errol Neal wrote:
> > At 04:47 PM 9/2/2003 +0100, you wrote:
> >> The best I/O improvement is by making sure you've got plenty of RAM
> >> and putting the MailScanner work directory in tmpfs (not either of
> >> the mail queues though!)
> >
> > That is a bit scary for us. Unpacking messages in a memory based
> > file system could be catastrophic. *Shudders*. Too scary to even
> > think about it if for example,
> > MailScanner dies and leaves a bunch of mail in the tmpfs and we
> > unknowingly reboot the system... for us.. instant law suit.
> > Can anyone explain how this works? Does MailScanner unpack messages 1
> > at a time, does it unpack all the messages bulky in this directory?
>
>No, it's absolutely safe, so long as you only do this for the _work_
>directory (/var/spool/MailScanner/incoming) and NOT the _queue_
>directories (mqueue and mqueue.in). MailScanner never removes the queue
>files (even when it moves the files it actually just links them into the
>outgoing directory then unlinks them in the incoming directory IIRC). The
>MailScanner incoming directory is used to unpack batches of messages to be
>scanned. Should the System crash only these unpacked _copies_ of the
>original message will be lost, the original message will still be sitting
>there in mqueue.in (on a disk based filesystem) ready to be processed by
>MailScanner when it is restarted.

Just to confirm this, the above explanation is absolutely correct. There is
no critical data ever stored in the MailScanner/incoming directory.
Furthermore, MailScanner never takes responsibility for any message, there
is always either the original in mqueue.in or the finished version in mqueue
or both.
There is no situation in which the message is in neither queue. You can
safely pull the plug on MailScanner at any time, you will not lose any mail,
even if you do use tmpfs for MailScanner/incoming.

As for the size of tmpfs, the usual maximum figure is half your physical
RAM. But as it expands and contracts as needed, you are best leaving it to
the operating system to manage. It's better at adjusting it than you are.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Sep 2 19:34:01 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:42 2006
Subject: feature request
In-Reply-To: <107DE25EC0216C45AEF670016024245F64417D@exchangea.staff.uce.ac.uk>
Message-ID: <5.2.1.1.2.20030902193310.02727fe8@imap.ecs.soton.ac.uk>

At 17:02 02/09/2003, you wrote:
>Sep 2 15:36:24 xxxxxx MailScanner[10247]: Virus and Content Scanning:
>Starting
>******** Sep 2 15:36:25 xxxxxxMailScanner[10247]:
>/var/spool/MailScanner/incoming/10247/./h82EZlKq015377/thank_you.pif:
>Worm.Sobig.F FOUND

That bit of code is the virus scanner output parser. It knows nothing about
individual messages at all, so it can't log the client IP. Sorry.

>Sep 2 15:36:25 xxxxxx MailScanner[10247]: Virus Scanning: ClamAV found 1
>infections
>Sep 2 15:36:25 xxxxxx MailScanner[10247]: Virus Scanning: Found 1 viruses
>Sep 2 15:36:25 xxxxxx MailScanner[10247]: Filename Checks: Possible
>MS-Dos program shortcut attack (thank_you.pif)
>Sep 2 15:36:25 xxxxxx MailScanner[10247]: Filetype Checks: No executables
>(thank_you.pif)
>Sep 2 15:36:25 xxxxxx MailScanner[10247]: Other Checks: Found 2 problems
>
>Ideally I would like the IP address in the line marked with *s (apologies
>for the line wrap (if indeed it does!)
>
>David While
>
> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Tue 02/09/2003 15:27
> To: MAILSCANNER@JISCMAIL.AC.UK
> Cc:
> Subject: Re: feature request
>
> At 13:36 02/09/2003, you wrote:
> >What is the possibility of including the sending IP address in the virus
> >lines in the log file entries?
>
> Please can you give me an example of what log entries you mean.
>
> >With the recent Sobig.F outbreak it would seem sensible to be able to do
> >some automatic processing on the log files to determine the IP addresses
> >that are sending them. My quick analysis of my log file shows that it is a
> >few addresses sending large numbers to me.
> >
> >If this is possible I would then be able to add it as a feature to
> >mailstats.pl to block persistent virus senders for a short period of time.
> >
> >-----------------------------------------------------------------
> >David While
> >Technical Development Manager
> >Faculty of Computing, Information & English
> >University of Central England
> >Tel: 0121 331 6211
> >-----------------------------------------------------------------
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From joshua.hirsh at PARTNERSOLUTIONS.CA Tue Sep 2 20:06:24 2003
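The per-sender count asked for in the "feature request" thread above can be built outside MailScanner, because the scanner line carries the MTA queue ID in its path and the MTA logs the connecting relay under the same ID. This is an added example, not MailScanner or mailstats code; it assumes sendmail's usual "from=..., relay=host [ip]" log line, and the sendmail lines, host name mx1, addresses and all queue IDs except h82EZlKq015377 are constructed.

```python
import re
from collections import Counter

# Scanner output relayed by MailScanner. The queue ID is the directory that
# follows "./" in the work path; it comes before the attachment name, so a
# hostile filename cannot change which queue ID is extracted.
VIRUS_RE = re.compile(
    r"MailScanner\[\d+\]: \S*/incoming/\d+/\./(?P<qid>[^/\s]+)/"
    r"(?P<file>[^:]+): (?P<virus>.+) FOUND\s*$"
)
# sendmail acceptance line. The envelope sender is supplied by the remote
# side, so the greedy ".*" deliberately selects the LAST relay= field.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=.*\brelay=(?P<relay>.*)$"
)
# Bracketed address in the relay field: [192.0.2.1] or [IPv6:2001:db8::1]
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample. Only the first MailScanner line is taken from the post.
SAMPLE_LOG = """\
Sep  2 15:35:47 mx1 sendmail[15377]: h82EZlKq015377: from=<a@example.org>, size=104112, class=0, nrcpts=1, msgid=<1@example.org>, proto=SMTP, daemon=MTA, relay=host1.example.net [192.0.2.15]
Sep  2 15:35:49 mx1 sendmail[15380]: h82EZnKq015380: from=<b@example.org>, size=104230, class=0, nrcpts=1, msgid=<2@example.org>, proto=SMTP, daemon=MTA, relay=[192.0.2.15]
Sep  2 15:35:52 mx1 sendmail[15391]: h82EZqKq015391: from=<c@example.com>, size=2210, class=0, nrcpts=1, msgid=<3@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [198.51.100.7]
Sep  2 15:36:25 mx1 MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZlKq015377/thank_you.pif: Worm.Sobig.F FOUND
Sep  2 15:36:25 mx1 MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZnKq015380/details.pif: Worm.Sobig.F FOUND
Sep  2 15:36:25 mx1 MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZzKq015399/movie.pif: Worm.Sobig.F FOUND
Sep  2 15:36:25 mx1 MailScanner[10247]: Virus Scanning: ClamAV found 3 infections
"""


def relay_ips(lines):
    """Map queue ID -> connecting IP taken from sendmail from= lines."""
    relays = {}
    for line in lines:
        m = FROM_RE.search(line)
        if not m:
            continue
        ips = IP_RE.findall(m.group("relay"))
        if ips:  # local submissions have no bracketed address
            relays[m.group("qid")] = ips[-1]
    return relays


def infected_senders(lines):
    """Return (queue_id, filename, virus, ip_or_None) per scanner hit."""
    lines = list(lines)
    relays = relay_ips(lines)
    hits = []
    for line in lines:
        m = VIRUS_RE.search(line)
        if m:
            qid = m.group("qid")
            # ip is None when the from= line is missing (e.g. rotated log)
            hits.append((qid, m.group("file").strip(), m.group("virus"),
                         relays.get(qid)))
    return hits


def top_senders(lines, min_hits=2):
    """IPs with at least min_hits infected messages, busiest first."""
    counts = Counter(ip for _, _, _, ip in infected_senders(lines) if ip)
    return sorted(((ip, n) for ip, n in counts.items() if n >= min_hits),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for qid, name, virus, ip in infected_senders(SAMPLE_LOG.splitlines()):
        print(f"{qid} {virus} {name} from {ip or 'unknown relay'}")
    print(top_senders(SAMPLE_LOG.splitlines()))
```

Hits whose relay is unknown are reported rather than dropped, so a gap caused by log rotation stays visible instead of silently lowering a sender's count.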
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:19:42 2006
Subject: mail stuck in postfix.in
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5ABE@eqmail1.efni.vpn>

Hi Peter,

It sounds like your MailScanner installation is looking in the wrong
directory. For postfix, you should make sure that "Incoming Queue Dir" is
set to /var/spool/postfix.in/deferred in /etc/MailScanner/MailScanner.conf.

Regards,

--
Joshua Hirsh
Systems Administration
Partner Solutions/ING Canada
455, avenue Saint-Joseph
Saint-Hyacinthe, Quebec J2S 8K8
(450) 778-9580 ext. 3798
joshua.hirsh@partnersolutions.ca

From TGFurnish at HERFF-JONES.COM Tue Sep 2 20:39:24 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:42 2006
Subject: Turn off all possible message changes for some users?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B71@inex1.herffjones.hj-int>

Seems like a straightforward question but I just want to make sure I'm not
missing something before I deploy.

For our next phase of testing I want to have mailscanner start handling all
the mail for several of our high-volume, many-user domains, but I only want
a small subset of those users to actually be part of the testing - email
for everyone else ought to be untouched (at least as far as a user is
likely to notice). What is the proper / best way of doing that?

So far I've turned "Virus Scanning" and "Spam Checks" into rulesets. I've
also configured the MTA (sendmail) to split messages with multiple
recipients into one message per recipient. The rulesets look like so:

To: testuser@testdomain.com yes
FromOrTo: default no

I also set "Scanned Modify Subject" to a similar ruleset.

Anything else I'm missing and should turn off for non-test users before I
deploy?

--
Trever

From Antony at SOFT-SOLUTIONS.CO.UK Tue Sep 2 20:43:17 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:42 2006
Subject: Turn off all possible message changes for some users?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1B71@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF8E1B71@inex1.herffjones.hj-int>
Message-ID: <200309021943.h82JhNc24927@agate.rockstone.co.uk>

On Tuesday 02 September 2003 8:39 pm, Furnish, Trever G wrote:

> For our next phase of testing I want to have mailscanner start handling all
> the mail for several of our high-volume, many-user domains, but I only want
> a small subset of those users to actually be part of the testing - email
> for everyone else ought to be untouched (at least as far as a user is
> likely to notice). What is the proper / best way of doing that?
>
> So far I've turned "Virus Scanning" and "Spam Checks" into rulesets. I've
> also configured the MTA (sendmail) to split messages with multiple
> recipients into one message per recipient. The rulesets look like so:
>
> To: testuser@testdomain.com yes
> FromOrTo: default no
>
> I also set "Scanned Modify Subject" to a similar ruleset.
>
> Anything else I'm missing and should turn off for non-test users before I
> deploy?

Ensure that "Non Spam Actions" says something sensible for the non-test
users.

Antony.

--

Windows: just another pane in the glass.

From mike at CAMAROSS.NET Tue Sep 2 20:50:52 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:42 2006
Subject: Turn off all possible message changes for some users?
In-Reply-To: <200309021943.h82JhNc24927@agate.rockstone.co.uk>
Message-ID: <000001c3718b$84465320$a91cbdcf@home.middlefinger.net>

Sounds like he's on the right track overall. I'd attribute that to Julian's
straightforward and "simple" wording of the MailScanner.conf entries. A new
user can have MailScanner up and running in a matter of minutes...even with
rulesets!

Mike

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Antony Stone > Sent: Tuesday, September 02, 2003 2:43 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Turn off all possible message changes for some users? > > > On Tuesday 02 September 2003 8:39 pm, Furnish, Trever G wrote: > > > For our next phase of testing I want to have mailscanner start > > handling all the mail for several of our high-volume, many-user > > domains, but I only want a small subset of those users to > actually be > > part of the testing - email for everyone else ought to be untouched > > (at least as far as a user is likely to notice). What is > the proper / > > best way of doing that? > > > > So far I've turned "Virus Scanning" and "Spam Checks" into > rulesets. > > I've also configured the MTA (sendmail) to split messages with > > multiple recipients into one message per recipient. The > rulesets look > > like so: > > > > To: testuser@testdomain.com yes > > FromOrTo: default no > > > > I also set "Scanned Modify Subject" to a similar ruleset. > > > > Anything else I'm missing and should turn off for non-test users > > before I deploy? > > Ensure that "Non Spam Actions" says something sensible for > the non-test users. > > Antony. > > -- > > Windows: just another pane in the glass. > From TGFurnish at HERFF-JONES.COM Tue Sep 2 20:57:28 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:42 2006
Subject: Turn off all possible message changes for some users?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C079E@inex1.herffjones.hj-int>

So far MS has been a joy to work with. I do wish there were some sort of
doc (besides the source) that listed the exact sequence in which various
checks happen and what the next step is for each possible outcome of a
check - ie a flow chart of MailScanner message processing that answers
questions like:

- "Which virus scanner gets the message first?"
- "If running multiple virus scanners, does the second scanner get the
  first message after the first scanner has processed the whole batch or
  just that message?"
- "If a message is marked as spam via a RBL list, does it still get passed
  to spamassassin?"

...and the one for my particular situation: "If 'Virus Scanning' and 'Spam
Checks' are both 'no', then do the filename rules still get applied?"

Then again, maybe such a doc is already there and I've just missed it. :-)

> -----Original Message-----
> From: Mike Kercher [mailto:mike@CAMAROSS.NET]
> Sent: Tuesday, September 02, 2003 2:51 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Turn off all possible message changes for some users?
>
>
> Sounds like he's on the right track overall. I'd attribute that to
> Julian's straightforward and "simple" wording of the MailScanner.conf
> entries. A new user can have MailScanner up and running in a matter of
> minutes...even with rulesets!
>
> Mike
>
>
> > -----Original Message-----
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Antony Stone > > Sent: Tuesday, September 02, 2003 2:43 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Turn off all possible message changes for some users? > > > > > > On Tuesday 02 September 2003 8:39 pm, Furnish, Trever G wrote: > > > > > For our next phase of testing I want to have mailscanner start > > > handling all the mail for several of our high-volume, many-user > > > domains, but I only want a small subset of those users to > > actually be > > > part of the testing - email for everyone else ought to be > untouched > > > (at least as far as a user is likely to notice). What is > > the proper / > > > best way of doing that? > > > > > > So far I've turned "Virus Scanning" and "Spam Checks" into > > rulesets. > > > I've also configured the MTA (sendmail) to split messages with > > > multiple recipients into one message per recipient. The > > rulesets look > > > like so: > > > > > > To: testuser@testdomain.com yes > > > FromOrTo: default no > > > > > > I also set "Scanned Modify Subject" to a similar ruleset. > > > > > > Anything else I'm missing and should turn off for non-test users > > > before I deploy? > > > > Ensure that "Non Spam Actions" says something sensible for > > the non-test users. > > > > Antony. > > > > -- > > > > Windows: just another pane in the glass. > > > From llasad1 at yahoo.com Tue Sep 2 21:17:49 2003 
From: llasad1 at yahoo.com (lester lasad)
Date: Thu Jan 12 21:19:42 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <20030902201749.7637.qmail@web41411.mail.yahoo.com>

Mail is currently being accepted and queued but it is not being relayed to
my internal mail server. I have not made any changes and this started
occurring roughly around 1300 CDT. I have checked /var/log/messages and
maillog and I am not finding anything in there that is pointing to the
problem (I am fairly new to MailScanner, set it up and haven't had too many
problems because it has been very stable)

I am able to ping and telnet to port 25 from my MailScanner box to my
internal server, but the message just queues up and is never delivered.

Thanks in advance for your assistance and time. I haven't posted here in
quite awhile, if you need additional info please let me know.

Thanks again.

From zabriskw at ITECH.NET Tue Sep 2 21:18:59 2003
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:19:42 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
References: <20030902201749.7637.qmail@web41411.mail.yahoo.com>
Message-ID: <00dc01c3718f$71cedbf0$0c02a8c0@itech.dom>

Check to see when the last time MailScanner took a load of messages to
scan. Is MailScanner still running?

----- Original Message -----
From: lester lasad
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, September 02, 2003 4:17 PM
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in

Mail is currently being accepted and queued but it is not being relayed to
my internal mail server. I have not made any changes and this started
occurring roughly around 1300 CDT. I have checked /var/log/messages and
maillog and I am not finding anything in there that is pointing to the
problem (I am fairly new to MailScanner, set it up and haven't had too many
problems because it has been very stable)

I am able to ping and telnet to port 25 from my MailScanner box to my
internal server, but the message just queues up and is never delivered.

Thanks in advance for your assistance and time. I haven't posted here in
quite awhile, if you need additional info please let me know.

Thanks again.

From postmaster at mdh.se Tue Sep 2 21:28:26 2003
From: postmaster at mdh.se (MailScanner)
Date: Thu Jan 12 21:19:43 2006
Subject: Warning: E-mail error detected
Message-ID: <200309022028.h82KSQ3v009911@dahlsten.mdh.se>

Our virus check has been triggered by a message you sent:-

To: anette.mansson@mdh.se
Subject: Re: That movie
Date: Tue Sep 2 22:28:26 2003

One or more of the attachments are on the list of unacceptable attachments
for this domain and will not be delivered to the recipient.

Try renaming the files or sending the files in "zip" format to avoid the
attachments not being delivered.

The virus check said this about the message:
Report: Shortcuts to MS-Dos programs are very dangerous in email (details.pif)

--
Mailscanner
Virus scanner for e-mail
www.mailscanner.info

From: "MailScanner"
To: mailscanner@ecs.soton.ac.uk
Subject: Warning: E-mail viruses detected
X-MailScanner: generated

Our virus detector has just been triggered by a message you sent:-

To: anette.mansson@mdh.se
Subject: Re: That movie
Date: Tue Sep 2 22:28:26 2003

One or more of the attachments are on the list of unacceptable attachments
for this site and will not have been delivered.

Consider renaming the files or putting them into a "zip" file to avoid this
constraint.

The virus detector said this about the message:
Report: Shortcuts to MS-Dos programs are very dangerous in email (details.pif)

--
MailScanner
Email Virus Scanner
www.mailscanner.info

From zabriskw at ITECH.NET Tue Sep 2 21:31:42 2003
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
References: <20030902202951.39010.qmail@web41402.mail.yahoo.com>
Message-ID: <00f301c37191$3892d790$0c02a8c0@itech.dom>

That same problem has happened to me numerous times. Unfortunately there is
not a solution from what I have found. Try restarting MailScanner.

----- Original Message -----
From: lester lasad
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, September 02, 2003 4:29 PM
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

This is the last batch I saw in /var/log/maillog, everything else is just
queueing up.

Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Found 2628 messages waiting
Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Forwarding 100 unscanned messages, 17285623 bytes

MailScanner is running

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
2257 root 15 0 11012 10M 7120 S 14.3 2.1 0:35 MailScanner

Kris Zabriskie wrote:

Check to see when the last time MailScanner took a load of messages to
scan. Is MailScanner still running?

----- Original Message -----
From: lester lasad To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, September 02, 2003 4:17 PM Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Mail is currently being accepted and queued but it is not being relayed to my internal mail server. I have not made any changes and this started occurring roughly around 1300 CDT. I have checked /var/log/messages and maillog and I am not finding anything in there that is pointing to the problem (I am fairly new to MailScanner, set it up and haven't had to many problems because it has been very stable) I am able to ping and telnet to port 25 from my MailScanner box to my internal server, but the message just queues up and is never delivered. Thanks in advance for your assistance and time. I haven't posted here in quite awhile, if you need addtional info please let me know. Thanks again. -------------------------------------------------------------------------- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software ------------------------------------------------------------------------------ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/4ef0d89a/attachment.html From lists at TRCINTL.COM Tue Sep 2 21:35:48 2003 From: lists at TRCINTL.COM (Kyle Harris) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Message-ID: I too have seen that problem several times. I wouldn't say it is often, but I have seen it. That same problem has happened to me numerous times. Unfortunately there is not a solution from what I have found. Try restarting MailScanner. ----- Original Message ----- 
From: lester lasad To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, September 02, 2003 4:29 PM Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in This is the last batch I saw in /var/log/maillog, everything else is just queueing up. Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Found 2628 messages waiting Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Forwarding 100 unscanned messages, 17285623 bytes MailScanner is running PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND 2257 root 15 0 11012 10M 7120 S 14.3 2.1 0:35 MailScanner Kris Zabriskie wrote: Check to see when the last time MailScanner took a load of messages to scan. Is MailScanner still running? ----- Original Message ----- From: lester lasad To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, September 02, 2003 4:17 PM Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Mail is currently being accepted and queued but it is not being relayed to my internal mail server. I have not made any changes and this started occurring roughly around 1300 CDT. I have checked /var/log/messages and maillog and I am not finding anything in there that is pointing to the problem (I am fairly new to MailScanner, set it up and haven't had to many problems because it has been very stable) I am able to ping and telnet to port 25 from my MailScanner box to my internal server, but the message just queues up and is never delivered. Thanks in advance for your assistance and time. I haven't posted here in quite awhile, if you need addtional info please let me know. Thanks again. ---------------------------------------------------------------------------- ---- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software ---------------------------------------------------------------------------- ---- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software From raymond at PROLOCATION.NET Tue Sep 2 21:36:52 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <00f301c37191$3892d790$0c02a8c0@itech.dom>
Message-ID:

Hi!

> That same problem has happened to me numerous times. Unfortunately
> there is not a solution from what I have found. Try restarting
> MailScanner.

If numerous people see this it really must be a problem. Julian, I also
reported that one, I know it's most likely hard to find, but is there a
way we can track/trace that?

Bye,
Raymond.

From llasad1 at yahoo.com Tue Sep 2 21:45:14 2003
From: llasad1 at yahoo.com (lester lasad)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
Message-ID: <20030902204514.12907.qmail@web41411.mail.yahoo.com>

I have restarted MailScanner and restarted the OS as well. Still no luck.
Thanks for any suggestions. I'm kinda in a bind here routing up to 15 -20 K
messages per day.

Raymond Dijkxhoorn wrote:

Hi!

> That same problem has happened to me numerous times. Unfortunately
> there is not a solution from what I have found. Try restarting
> MailScanner.

If numerous people see this it really must be a problem. Julian, I also
reported that one, I know it's most likely hard to find, but is there a
way we can track/trace that?

Bye,
Raymond.

From raymond at PROLOCATION.NET Tue Sep 2 21:45:28 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
Message-ID:

Hi!

> > That same problem has happened to me numerous times. Unfortunately
> > there is not a solution from what I have found. Try restarting
> > MailScanner.

> If numerous people see this it really must be a problem. Julian, I also
> reported that one, I know it's most likely hard to find, but is there a
> way we can track/trace that?

Could we have a look at version numbers and scanners installed, perhaps we
can pinpoint things?

I am running latest MS with f-prot ...

Bye,
Raymond.

From zabriskw at ITECH.NET Tue Sep 2 21:46:48 2003
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
References: <20030902204514.12907.qmail@web41411.mail.yahoo.com>
Message-ID: <010601c37193$54d089f0$0c02a8c0@itech.dom>

I have rebooted numerous times, and it will not fix it. Keep restarting
MailScanner. EVENTUALLY it will kick in. No telling how many times though.

----- Original Message -----
From: lester lasad To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, September 02, 2003 4:45 PM Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in I have restarted MailScanner and restarted the the OS as well. Still no luck. Thanks for any suggestions. I'm kinda in a bind here routing up to 15 -20 K messages per day. Raymond Dijkxhoorn wrote: Hi! > That same problem has happened to me numerous times. Unfortunately > there is not a solution from what I have found. Try restarting > MailScanner. If numerous people see this it really must be a problem. Julian i also reported that one, i iknow its most likely hard to find, but is there a way we can track/trace that ? Bye, Raymond. ------------------------------------------------------------------------------ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/12f981f3/attachment.html From zabriskw at ITECH.NET Tue Sep 2 21:47:28 2003 From: zabriskw at ITECH.NET (Kris Zabriskie) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in References: Message-ID: <010c01c37193$6c700e00$0c02a8c0@itech.dom> Im running the latest stable version of MS also using SpamAssasin. No Virus scanning. ----- Original Message ----- 
From: "Raymond Dijkxhoorn" To: Sent: Tuesday, September 02, 2003 4:45 PM Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in > Hi! > > > > That same problem has happened to me numerous times. Unfortunately > > > there is not a solution from what I have found. Try restarting > > > MailScanner. > > > If numerous people see this it really must be a problem. Julian i also > > reported that one, i iknow its most likely hard to find, but is there a > > way we can track/trace that ? > > Could we have a look at version numbers and scanners installed, perhaps we > can pinpoint things ? > > I am running latest MS with f-prot ... > > Bye, > Raymond. > From llasad1 at yahoo.com Tue Sep 2 21:49:17 2003 From: llasad1 at yahoo.com (lester lasad) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: Message-ID: <20030902204917.55528.qmail@web41408.mail.yahoo.com> I am running MS 4.21-9, with spamassassin 2.50-3. I am not running any virus protection becuase my internal mail server scans all incoming and outgoing mail for viruses. Raymond Dijkxhoorn wrote:Hi! > > That same problem has happened to me numerous times. Unfortunately > > there is not a solution from what I have found. Try restarting > > MailScanner. > If numerous people see this it really must be a problem. Julian i also > reported that one, i iknow its most likely hard to find, but is there a > way we can track/trace that ? Could we have a look at version numbers and scanners installed, perhaps we can pinpoint things ? I am running latest MS with f-prot ... Bye, Raymond. --------------------------------- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/526ecceb/attachment.html From mike at CAMAROSS.NET Tue Sep 2 21:53:36 2003 
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030902204514.12907.qmail@web41411.mail.yahoo.com>
Message-ID: <001e01c37194$48124040$640ba8c0@home.middlefinger.net>

You don't, by chance, still have Osirusoft defined in your config, do you?
You might also try lowering the number of messages per batch from 100 down
to 30 or so and see if you can spot a bottleneck there. It might also help
to enable Debug'ing of MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of lester lasad
Sent: Tuesday, September 02, 2003 3:45 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

I have restarted MailScanner and restarted the OS as well. Still no luck.
Thanks for any suggestions. I'm kinda in a bind here routing up to 15 -20 K
messages per day.

Raymond Dijkxhoorn wrote:

Hi!

> That same problem has happened to me numerous times. Unfortunately
> there is not a solution from what I have found. Try restarting
> MailScanner.

If numerous people see this it really must be a problem. Julian, I also
reported that one, I know it's most likely hard to find, but is there a
way we can track/trace that?

Bye,
Raymond.

From raymond at PROLOCATION.NET Tue Sep 2 21:53:26 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <001e01c37194$48124040$640ba8c0@home.middlefinger.net>
Message-ID:

Mike,

> You don't, by chance, still have Osirusoft defined in your config, do you?
> You might also try lowering the number of messages per batch from 100 down
> to 30 or so and see if you can spot a bottleneck there. It might also help
> to enable Debug'ing of MailScanner.

I tried everything :) Batches are small, but it keeps locking up, told
Julian but I guess it's hard to find what's going on in situations like
this. And no, removed Osirusoft as soon as I saw timeouts on that, and not
even using SA on the boxes.

Bye,
Raymond.

From raymond at PROLOCATION.NET Tue Sep 2 22:05:25 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <002b01c37195$3186a7c0$640ba8c0@home.middlefinger.net>
Message-ID:

Hi Mike,

> An extra check sure wouldn't hurt on the MS box! If you don't want to spend
> money on it, give ClamAV a shot at initial detection anyway :)

> I am running MS 4.21-9, with spamassassin 2.50-3. I am not running any
> virus protection because my internal mail server scans all incoming and
> outgoing mail for viruses.

IF! all is going like normal I am also scanning with Clam, but with the
current load that's not really smart :)

Bye,
Raymond.

From kevins at BMRB.CO.UK Tue Sep 2 22:02:14 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A78C2@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A78C2@pascal.priv.bmrb.co.uk>
Message-ID: <1062536537.30875.9.camel@bach.kevinspicer.co.uk>

On Tue, 2003-09-02 at 21:53, Mike Kercher wrote:
>You don't, by chance, still have Osirusoft defined in your config, do
>You might also try lowering the number of messages per batch from 100
>down
>to 30 or so and see if you can spot a bottleneck there. It might also
>help
>to enable Debug'ing of MailScanner.

Other suggestions along similar lines

Turn off Bayes, Autowhitelisting (should be off already) and set
skip_rbl_checks in spam.assassin.prefs.conf. Then try restarting
MailScanner. Also turn off razor, pyzor and dcc in that file (if you use
them). If this helps re-enable them one at a time until the problem recurs.

settings in spam.assassin.prefs.conf (these are for SA 2.6 but presumably
the same for 2.55)

skip_rbl_checks 1
use_dcc 0
use_pyzor 0
use_razor2 0
use_bayes 0

in MailScanner.conf

SpamAssassin Auto Whitelist = no

Also, if you have any virus scanner installed - EVEN IF YOU ARE NOT USING
IT! make sure you don't have upgrade_virus_scanners in /etc/cron.hourly.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mike at CAMAROSS.NET Tue Sep 2 22:11:03 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
Message-ID: <002c01c37196$b80eb2f0$640ba8c0@home.middlefinger.net>

OS and version?

I run MS/SA/Sophos on multiple RHAS, RH7.2 and RH7.3 boxes with no failures yet.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
Sent: Tuesday, September 02, 2003 3:53 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

Mike,

> You don't, by chance, still have Osirusoft defined in your config, do
> you? You might also try lowering the number of messages per batch from
> 100 down to 30 or so and see if you can spot a bottleneck there. It
> might also help to enable Debug'ing of MailScanner.

I tried everything :) Batches are small, but it keeps locking up, told Julian but I guess it's hard to find what's going on in situations like this.

And no, removed Osirusoft as soon as I saw timeouts on that, and not even using SA on the boxes.

Bye,
Raymond.

From llasad1 at YAHOO.COM Tue Sep 2 22:16:30 2003
From: llasad1 at YAHOO.COM (lester lasad)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <010601c37193$54d089f0$0c02a8c0@itech.dom>
Message-ID: <20030902211630.15844.qmail@web41405.mail.yahoo.com>

It seems to be kicking in after restarting MS a few times, but it seems to stop after about a few minutes. I have been restarting but this can't be the solution. Thanks for the suggestions.

Kris Zabriskie wrote:
I have rebooted numerous times, and it will not fix it. Keep restarting MailScanner. EVENTUALLY it will kick in. No telling how many times though.

----- Original Message -----
From: lester lasad
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, September 02, 2003 4:45 PM
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

I have restarted MailScanner and restarted the OS as well. Still no luck. Thanks for any suggestions. I'm kinda in a bind here routing up to 15 -20 K messages per day.

Raymond Dijkxhoorn wrote:
Hi!

> That same problem has happened to me numerous times. Unfortunately
> there is not a solution from what I have found. Try restarting
> MailScanner.

If numerous people see this it really must be a problem. Julian, I also reported that one, I know it's most likely hard to find, but is there a way we can track/trace that?

Bye,
Raymond.

From errol.neal at ENHTECH.COM Tue Sep 2 17:16:02 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:43 2006
Subject: System Bottlenecks
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ADF9@pascal.priv.bmrb.co.uk>
Message-ID: <5.1.0.14.0.20030902121510.0421cdd8@mail.enhtech.com>

>The best I/O improvement is by making sure you've got plenty of RAM and
>putting the MailScanner work directory in tmpfs (not either of the mail
>queues though!)

Also, if one is to use the tmpfs, how large should the file system be?

Errol Neal

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From raymond at PROLOCATION.NET Tue Sep 2 22:18:20 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <002c01c37196$b80eb2f0$640ba8c0@home.middlefinger.net> Message-ID: Hi! > I run MS/SA/Sophos on multiple RHAS, RH7.2 and RH7.3 boxes with no failures > yet. RH9 on two of the boxes. Bye, Raymond. From mike at CAMAROSS.NET Tue Sep 2 17:24:35 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:43 2006 Subject: System Bottlenecks In-Reply-To: <5.1.0.14.0.20030902115711.03f96d18@mail.enhtech.com> Message-ID: <003e01c3716e$b278d370$a91cbdcf@home.middlefinger.net> Julian would have to confirm, but I believe that sendmail keeps a copy of the email until it has been successfully delivered (assuming you don't have supersafe disabled). I refer quite often to my Sendmail Performance Tuning book and still learn new stuff all the time. Although the newer IDE drives are close to SCSI in speed, the performance of SCSI drives comes from the on-board CPU of the SCSI controller. On IDE systems, the disk subsystem has to use the system CPU for processing. All of my mail servers are PIII-800 and below with at least a gig of RAM. I host email for several law firms and have never lost an email yet and I do use a tmpfs for the workdir. Mike > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Errol Neal > Sent: Tuesday, September 02, 2003 11:11 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: System Bottlenecks > > > At 04:47 PM 9/2/2003 +0100, you wrote: > >The best I/O improvement is by making sure you've got plenty > of RAM and > >putting the MailScanner work directory in tmpfs (not either > of the mail > >queues though!) > > That is a bit scary for us. Unpacking messages in a memory > based file system could be catastrophic. *Shudders*. Too > scary to even think about it if for example, MailScanner dies > and leaves a bunch of mail in the tmpfs and we unknowingly > reboot the system... for us.. instant law suit. Can anyone > explain how this works? Does MailScanner unpack messages 1 at > a time, does it unpack all the messages bulky in this directory? > > >Personally speaking ufs sucks and anything FS intensive struggles on > >Solaris (in fairness my experience is with low end machines, > E250 and > >lower). You'll get more bang-per-buck using linux on Intel. Where > >Solaris excels is at the high end and I can't see why anyone > would need > >a high end server for a mail load of only 15-20k. > > We are using the lower end Netra T-1 and V Fire 100 (I > think). Turning on logging increases performance > dramatically. Compared against linux using XFS logging on > ultra 160 drives, the performance is almost equal. > > >If you've got the money for Sun hardware buy Intel and get > an extra box > >for redundancy/ load balencing! > > Lower end sun models are actually quite inexpensive these > days. 550MHZ cpu, 512 RAM, two nics and 40GB ide for less and > 1K US is not too bad. > > We actually have 3 systems deployed at the moment, each > system handles about 15-20K messages a day, and that varies. > I guess what I am trying to achieve as I said earlier is a > strategic investment of dollars into what will make the > difference most dramatically. 
> For example, if 1 gig of ram
> will improve the systems performance over our current 512MB
> Ram in a much greater way than deploying SCSI based /var/
> slices, I will put my money in the RAM and stick to my IDE
> disks. This is what I need to know.
>
>
> Errol Neal, Systems/Network Administrator
> eneal@enhtech.com
> Enhanced Technologies Inc.
> http://www.enhtech.com
> 703-924-0301 or 800-368-3249
> 703-924-0302 Fax
>

From raymond at PROLOCATION.NET Tue Sep 2 22:19:55 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030902211630.15844.qmail@web41405.mail.yahoo.com>
Message-ID:

Hi!

> It seems to be kicking in after restarting MS a few times, but it seems
> to stop after about a few minutes. I have been restarting but this
> can't be the solution. Thanks for the suggestions.

Doing the same at the moment. The strange thing is when I even do a service MS reload it seems to speed it up already. But after a few batches it seems either terribly slow or completely frozen.

Julian! :)

Bye,
Raymond.

From raymond at PROLOCATION.NET Tue Sep 2 22:23:35 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <000801c37198$38ea9050$0c02a8c0@itech.dom> Message-ID: Hi! > Keep going! It eventually will kick off again. If you tail the log, > you will notice (if you experiencing the same problem I have), that > MailScanner will grab a handful of mail (like 100 messages), and nothing > is done with them. If you see the RBLs going, then you know it is > working, or if it is passing it off to SA (if it is being ran). Check > in mqueue.in and see if there is a core dump file. I noticed one on > mine. Blow it away. I have no idea what it does, but it was huge and I > wanted it out of there. The only thing I can tell ya is, dont answer > the phone (people will start complaining) and just keep restarting MS. Hahahaha ok. Bye, Raymond. From steve.douglas at SBIINCORPORATED.COM Tue Sep 2 17:32:34 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:43 2006 Subject: ANNOUNCE: Stable 4.23-11 released Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FC61@mail.gardenbotanika.com> I have not yet ever performed an update. I am using 4.22.xx on RedHat v9 via RPM with the latest f-prot. I know there is an entry on just performing the RPM update, but is there anything you might recommend on the side that I back first and an extra precaution before running the new RPM? I already have the rules and .conf files backed up. Thank you. SD :-) > -----Original Message----- 
> From: Brett Moss [mailto:bamcomp@YAHOO.COM] > Sent: Monday, September 01, 2003 7:22 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: Stable 4.23-11 released > > hello again, > sorry but i had forgot to change the mcafee-wrapper > from rpmnew > this is what happens when working between 2 and 5 am i > guess > thanks again > brett > > > i am unable to find an -I switch > > > > -I: invalid switch or incorrect usage > > > > __________________________________ > Do you Yahoo!? > Yahoo! SiteBuilder - Free, easy-to-use web site design software > http://sitebuilder.yahoo.com From kevins at BMRB.CO.UK Tue Sep 2 22:32:15 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A78C8@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A78C8@pascal.priv.bmrb.co.uk>
Message-ID: <1062538338.31636.4.camel@bach.kevinspicer.co.uk>

On Tue, 2003-09-02 at 22:16, lester lasad wrote:
>It seems to be kicking in after restarting MS a few times, but it seems
>to stop after about a few minutes. I have been restarting but this
>can't be the solution. Thanks for the suggestions.

Are you running the very latest MailScanner? IIRC there is a bug in the Denial of Service Protection Code which has just been fixed (I think Julian posted a patch to the list, as now's not the time to be upgrading!)

If you get desperate, you said you weren't virus scanning with MS, just turn MS off, start up sendmail (the regular standalone way) and dump the contents of mqueue.in into mqueue [mail & spam is better than no mail, just]. Then have another shot with MS when it's quieter (if there's a particular message causing problems this would also get it out of the system.)

BMRB International
http://www.bmrb.co.uk +44 (0)20 8566 5000

From mailscanner at ecs.soton.ac.uk Tue Sep 2 21:27:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:43 2006 Subject: Turn off all possible message changes for some users? In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1B71@inex1.herffjones.hj -int> Message-ID: <5.2.1.1.2.20030902212650.038eec68@imap.ecs.soton.ac.uk> At 20:39 02/09/2003, you wrote: >Seems like a straightforward question but I just want to make sure I'm not >missing something before I deploy. > >For our next phase of testing I want to have mailscanner start handling all >the mail for several of our high-volume, many-user domains, but I only want >a small subset of those users to actually be part of the testing - email for >everyone else ought to be untouched (at least as far as a user is likely to >notice). What is the proper / best way of doing that? > >So far I've turned "Virus Scanning" and "Spam Checks" into rulesets. I've >also configured the MTA (sendmail) to split messages with multiple >recipients into one message per recipient. The rulesets look like so: > >To: testuser@testdomain.com yes >FromOrTo: default no > >I also set "Scanned Modify Subject" to a similar ruleset. > >Anything else I'm missing and should turn off for non-test users before I >deploy? Virus Scanning and Spam Checks should do the trick, -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From raymond at prolocation.net Tue Sep 2 22:48:40 2003 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <20030902214753.55490.qmail@web41414.mail.yahoo.com> Message-ID: Hi! > Kevin Spicer wrote:On Tue, 2003-09-02 at 22:16, lester lasad wrote: > >It seems to be kicking in after restarting MS a few times, but it seems > >to stop after about a few minutes. I have been restarting but this > >can't be the solution. Thanks for the suggestions. Sure, no problem at all. Bye, Raymond. From llasad1 at YAHOO.COM Tue Sep 2 22:47:53 2003 
From: llasad1 at YAHOO.COM (lester lasad)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <1062538338.31636.4.camel@bach.kevinspicer.co.uk>
Message-ID: <20030902214753.55490.qmail@web41414.mail.yahoo.com>

question, I have a secondary MS server, there are a few emails that our VP's need with attachments. Once I locate these emails in /var/spool/mqueue.in can I copy them to the other server's mqueue.in? Never done it, if anyone has I would like to know (and how did you do it?)

Kevin Spicer wrote:
On Tue, 2003-09-02 at 22:16, lester lasad wrote:
>It seems to be kicking in after restarting MS a few times, but it seems
>to stop after about a few minutes. I have been restarting but this
>can't be the solution. Thanks for the suggestions.

Are you running the very latest MailScanner? IIRC there is a bug in the Denial of Service Protection Code which has just been fixed (I think Julian posted a patch to the list, as now's not the time to be upgrading!)

If you get desperate, you said you weren't virus scanning with MS, just turn MS off, start up sendmail (the regular standalone way) and dump the contents of mqueue.in into mqueue [mail & spam is better than no mail, just]. Then have another shot with MS when it's quieter (if there's a particular message causing problems this would also get it out of the system.)

BMRB International
http://www.bmrb.co.uk +44 (0)20 8566 5000

From peter.farago at PENSION-KEY.COM Tue Sep 2 18:18:38 2003
From: peter.farago at PENSION-KEY.COM (Peter A Farago)
Date: Thu Jan 12 21:19:43 2006
Subject: mail stuck in postfix.in
In-Reply-To: <5.2.0.9.2.20030902174407.04c0f8d8@imap.ecs.soton.ac.uk>
References:
Message-ID: <5.2.1.1.0.20030902131754.00b357c8@pension-key.com>

See below

At 05:44 PM 9/2/2003 +0100, you wrote:
>Check you queue directories are set correctly in MailScanner.conf.

Incoming Queue Dir = /var/spool/postfix.in

# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/postfix

# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/MailScanner/incoming

# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/quarantine

From llasad1 at yahoo.com Tue Sep 2 21:29:51 2003
From: llasad1 at yahoo.com (lester lasad)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <00dc01c3718f$71cedbf0$0c02a8c0@itech.dom>
Message-ID: <20030902202951.39010.qmail@web41402.mail.yahoo.com>

This is the last batch I saw in /var/log/maillog, everything else is just queueing up.

Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Found 2628 messages waiting
Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Forwarding 100 unscanned messages, 17285623 bytes

MailScanner is running

 PID USER PRI NI  SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
2257 root  15  0 11012 10M  7120 S    14.3  2.1 0:35 MailScanner

Kris Zabriskie wrote:
Check to see when the last time MailScanner took a load of messages to scan. Is MailScanner still running?

----- Original Message -----
From: lester lasad
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, September 02, 2003 4:17 PM
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in

Mail is currently being accepted and queued but it is not being relayed to my internal mail server. I have not made any changes and this started occurring roughly around 1300 CDT. I have checked /var/log/messages and maillog and I am not finding anything in there that is pointing to the problem (I am fairly new to MailScanner, set it up and haven't had too many problems because it has been very stable).

I am able to ping and telnet to port 25 from my MailScanner box to my internal server, but the message just queues up and is never delivered.

Thanks in advance for your assistance and time. I haven't posted here in quite a while, if you need additional info please let me know.

Thanks again.

From mike at CAMAROSS.NET Tue Sep 2 22:00:06 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030902204917.55528.qmail@web41408.mail.yahoo.com>
Message-ID: <002b01c37195$3186a7c0$640ba8c0@home.middlefinger.net>

An extra check sure wouldn't hurt on the MS box! If you don't want to spend money on it, give ClamAV a shot at initial detection anyway :)

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of lester lasad
Sent: Tuesday, September 02, 2003 3:49 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

I am running MS 4.21-9, with spamassassin 2.50-3. I am not running any virus protection because my internal mail server scans all incoming and outgoing mail for viruses.

Raymond Dijkxhoorn wrote:
Hi!

> > That same problem has happened to me numerous times. Unfortunately
> > there is not a solution from what I have found. Try restarting
> > MailScanner.

> If numerous people see this it really must be a problem. Julian, I also
> reported that one, I know it's most likely hard to find, but is there a
> way we can track/trace that?

Could we have a look at version numbers and scanners installed, perhaps we can pinpoint things?

I am running latest MS with f-prot ...

Bye,
Raymond.

From zabriskw at ITECH.NET Tue Sep 2 22:21:49 2003
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
References: <20030902211630.15844.qmail@web41405.mail.yahoo.com>
Message-ID: <000801c37198$38ea9050$0c02a8c0@itech.dom>

Keep going! It eventually will kick off again. If you tail the log, you will notice (if you are experiencing the same problem I have), that MailScanner will grab a handful of mail (like 100 messages), and nothing is done with them. If you see the RBLs going, then you know it is working, or if it is passing it off to SA (if it is being run). Check in mqueue.in and see if there is a core dump file. I noticed one on mine. Blow it away. I have no idea what it does, but it was huge and I wanted it out of there. The only thing I can tell ya is, don't answer the phone (people will start complaining) and just keep restarting MS.

----- Original Message -----
From: lester lasad
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, September 02, 2003 5:16 PM
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

It seems to be kicking in after restarting MS a few times, but it seems to stop after about a few minutes. I have been restarting but this can't be the solution. Thanks for the suggestions.

Kris Zabriskie wrote:
I have rebooted numerous times, and it will not fix it. Keep restarting MailScanner. EVENTUALLY it will kick in. No telling how many times though.

----- Original Message -----
From: lester lasad
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, September 02, 2003 4:45 PM
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

I have restarted MailScanner and restarted the OS as well. Still no luck. Thanks for any suggestions. I'm kinda in a bind here routing up to 15 -20 K messages per day.

Raymond Dijkxhoorn wrote:
Hi!

> That same problem has happened to me numerous times. Unfortunately
> there is not a solution from what I have found. Try restarting
> MailScanner.

If numerous people see this it really must be a problem. Julian, I also reported that one, I know it's most likely hard to find, but is there a way we can track/trace that?

Bye,
Raymond.

From m.sapsed at BANGOR.AC.UK Tue Sep 2 18:28:11 2003
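The symptom reported in this thread (a MailScanner child logs "New Batch: ..." and then nothing more while mail keeps being accepted) can be checked from the maillog instead of by watching tail. The Python script below is an added example, not part of the original posts and not MailScanner code; the function names, the 10-minute threshold and the sendmail sample lines are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. The two MailScanner lines are the ones quoted in the
# thread; the sendmail lines are invented to show mail still being accepted.
SAMPLE_LOG = """\
Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Found 2628 messages waiting
Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Forwarding 100 unscanned messages, 17285623 bytes
Sep 2 15:41:07 pcalaklx01 sendmail[3104]: h82Kf7a03104: from=<a@example.org>, size=2210, nrcpts=1
Sep 2 15:52:40 pcalaklx01 sendmail[3188]: h82KqeB03188: from=<b@example.org>, size=913, nrcpts=1
"""

# Classic syslog layout: "Mon D HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"([^\s\[:]+)(?:\[(\d+)\])?:\s+(.*)$"
)
WAITING_RE = re.compile(r"New Batch: Found (\d+) messages waiting")
BATCH_RE = re.compile(r"New Batch: \w+ (\d+) (?:\w+ )?messages, (\d+) bytes")


def parse_syslog(text, year):
    """Yield (timestamp, program, pid, message). Syslog lines carry no year,
    so the caller supplies it; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, prog, pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield ts, prog, pid, msg


def find_stalled_children(text, year, now=None, threshold=timedelta(minutes=10)):
    """Return one record per MailScanner child whose last log line was the
    start of a batch and which has been silent for longer than `threshold`.

    `now` defaults to the timestamp of the last parsed line from any program,
    so an archived log can be analysed after the fact."""
    children = {}
    last_ts = None
    for ts, prog, pid, msg in parse_syslog(text, year):
        last_ts = ts
        if prog != "MailScanner":
            continue
        st = children.setdefault(
            pid, {"waiting": None, "batch": None, "bytes": None, "since": None}
        )
        found = WAITING_RE.search(msg)
        batch = BATCH_RE.search(msg)
        if found:
            # The child looped round and looked at the queue again.
            st["waiting"] = int(found.group(1))
            st["since"] = None
        elif batch:
            st["batch"] = int(batch.group(1))
            st["bytes"] = int(batch.group(2))
            st["since"] = ts
        else:
            # Any other line from this child means the batch moved on.
            st["since"] = None

    if last_ts is None:
        return []
    now = now or last_ts
    stalled = []
    for pid, st in sorted(children.items()):
        if st["since"] is not None and now - st["since"] > threshold:
            stalled.append({
                "pid": pid,
                "waiting": st["waiting"],
                "batch": st["batch"],
                "bytes": st["bytes"],
                "batch_started": st["since"],
                "silent_for": now - st["since"],
            })
    return stalled


if __name__ == "__main__":
    for rec in find_stalled_children(SAMPLE_LOG, 2003):
        print(
            f"MailScanner[{rec['pid']}] took {rec['batch']} messages "
            f"({rec['bytes']} bytes) at {rec['batch_started']:%H:%M:%S}, "
            f"silent for {rec['silent_for']}, {rec['waiting']} were waiting"
        )
```

Run against the live maillog from cron, a non-empty result is the cue to collect evidence (process state, any core file in the queue directory) before the next restart wipes it.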
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:19:43 2006 Subject: Does MailScanner configuration error? References: <000801c37104$9ee10220$640ba8c0@home.middlefinger.net> <3F547794.7080707@bangor.ac.uk> Message-ID: <3F54D32B.8050704@bangor.ac.uk> Peter Peters wrote: > On Tue, 2 Sep 2003 11:57:24 +0100, you wrote: >>>Perhaps they are looking at your headers which more than likely say >>>"X-MailScanner: Found to be clean" >>> >>>Search your MailScanner.conf for that and change it to something OTHER than >>>Found to be clean and see if that helps. >> >>I thought Julian's recommendation was to change the X-MailScanner: bit >>rather than the body - dopey filterers may be dumping based on the >>presence of the header rather than what it says? > > I have seen bounces from this same kind of software. Because we have > changed the headers I presumed this server still uses osirusoft. But surely then the e-mails would bounce whether he had MailScanner turned off or on wouldn't they? The impression I got of the original problem was that the bounces were caused by something which MailScanner adds to the messages. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From waldner at WALDNER.PRIV.AT Tue Sep 2 18:18:01 2003 
From: waldner at WALDNER.PRIV.AT (Robert Waldner)
Date: Thu Jan 12 21:19:43 2006
Subject: ClamAV missing Sobig
In-Reply-To: Your message of "Tue, 02 Sep 2003 11:04:09 EDT." <57940.129.80.22.133.1062515049.squirrel@tiger.dorfam.ca>
References: <200309021318.h82DIRc23293@agate.rockstone.co.uk> <20030902132446.7932747061@fsck.waldner.priv.at> <57940.129.80.22.133.1062515049.squirrel@tiger.dorfam.ca>
Message-ID: <20030902171813.6C9BC47082@fsck.waldner.priv.at>

On Tue, 02 Sep 2003 11:04:09 EDT, Gerry Doris writes:
>The problem I see is that it would end up being a great service for the
>virus writers. They could tweak and adjust until they ended up with a
>virus that wasn't detected by the majority of scanners.

You think they don't do that already?

cheers,
&rw
--
-- "I'm not proud. We really haven't done everything we could to protect
-- our customers. Our products just aren't engineered for security."
-- - Brian Valentine, senior vice-president in charge of MS's
-- Windows development.

From m.sapsed at BANGOR.AC.UK Tue Sep 2 18:42:34 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:19:43 2006 Subject: What's Going on here? References: <005601c37155$86a1b7d0$0501a8c0@darkside> <1062518150.366.39.camel@ralph.plexio.private> Message-ID: <3F54D68A.2020006@bangor.ac.uk> Stephen Lee wrote: > At the height of the Sobig.F storm one of my mail servers > (MS/Sophos/Exim) let through 3000+ copies of what appeared to be > Sobig.F-like messages without any attachment. If there is no attachment, > can Sophos still detect it? I guess there must be some other virus-like > signature within the message. No. Sophos will only detect Sobig-F if it's given a non-damaged executable attachment to look at. If you want to block Sobig messages which don't have the proper attachments then you need to look at sendmail/exim rules (as in the archive) or spamassassin rules. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From jharnish at CI.GRAND-RAPIDS.MI.US Tue Sep 2 19:03:53 2003 From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe) Date: Thu Jan 12 21:19:43 2006 Subject: ANNOUNCE: mailstats V0.21 Message-ID: <221C759285B78647AEE6181FD6AF36A7078B91DB@bambi.grand-rapids.mi.us> What can I do to assist in getting mcafee AV support in mailstats? -----Original Message----- From: David While [mailto:David.While@UCE.AC.UK] Sent: Tuesday, September 02, 2003 11:54 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: mailstats V0.21 Whoops - sorry about that - its there now. -----Original Message----- From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US] Sent: Tue 02/09/2003 15:52 To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: Re: ANNOUNCE: mailstats V0.21 Hey I went out to this site to grab .21 and it was showing .23 as the latest but I can not download it. Thanks Joe -----Original Message----- 
From: David While [mailto:David.While@UCE.AC.UK]
Sent: Sunday, August 31, 2003 12:41 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ANNOUNCE: mailstats V0.21

A few people have been asking so here it is!

A new version of mailstats is available - the main changes are:

* Added support to produce list of SpamAssassin traps triggered
* Added support for configurable message in access file
* Added support to produce 2 mrtg config files for better graphing
* Added support for multiple mail queue directories
* Corrected bug in virus update notification
* Added support to restrict the output in lists.

It can be downloaded from http://www.while.homeunix.net/mailstats

There is also a discussion forum available at http://www.while.homeunix.net/mailstats/phpBB2/

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

From TGFurnish at HERFF-JONES.COM Tue Sep 2 23:24:21 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C07A1@inex1.herffjones.hj-int> You really ought to start a separate thread for separate questions - this has little to do with mail being stuck in the incoming queue. Having said that, you don't need a secondary server - you just need to move the messages from the incoming queue to the outgoing queue. In a typical redhat+sendmail install that means that you move the message from /var/spool/mqueue.in to /var/spool/mqueue. Where are you going to get the original message though? By the time your "special user" can identify the message for you, it's already been delivered. It sounds like you want to quarantine the messages (as queue files) and enable the quarantine cleaning cron job. -t. -----Original Message----- 
From: lester lasad [mailto:llasad1@YAHOO.COM]
Sent: Tuesday, September 02, 2003 4:48 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

question, I have a secondary MS server, there are a few emails that our VP's need with attachments. Once I locate these emails in /var/spool/mqueue.in can I copy them to the other server's mqueue.in? Never done it, if anyone has I would like to know (and how did you do it?)

Kevin Spicer wrote:
On Tue, 2003-09-02 at 22:16, lester lasad wrote:
>It seems to be kicking in after restarting MS a few times, but it seems
>to stop after about a few minutes. I have been restarting but this
>can't be the solution. Thanks for the suggestions.

Are you running the very latest MailScanner? IIRC there is a bug in the Denial of Service Protection Code which has just been fixed (I think Julian posted a patch to the list, as now's not the time to be upgrading!)

If you get desperate, you said you weren't virus scanning with MS, just turn MS off, start up sendmail (the regular standalone way) and dump the contents of mqueue.in into mqueue [mail & spam is better than no mail, just]. Then have another shot with MS when it's quieter (if there's a particular message causing problems this would also get it out of the system.)

BMRB International
http://www.bmrb.co.uk +44 (0)20 8566 5000

From gerry at DORFAM.CA Wed Sep 3 02:27:39 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:19:43 2006
Subject: Small typo in f-prot-autoupdate
Message-ID:

Julian there is a small typo in the f-prot-autoupdate script that prevents logging status to /var/log/maillog. Here's the code segment where I added the open Syslog line right after alarm 0

...
if ($@) {
  if ($@ =~ /timeout/) {
    # We timed out!
    CleanTempDir();
    &UnlockFProt();
    alarm 0;
  }
} else {
  alarm 0;
  Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail');   # ****** added line
  Sys::Syslog::syslog('info', $updated?"F-Prot successfully updated.":
                              "F-Prot did not need updating.");
}

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From ashley at IMS.TELSTRA.COM.AU Wed Sep 3 03:47:17 2003
From: ashley at IMS.TELSTRA.COM.AU (Ash) Date: Thu Jan 12 21:19:43 2006 Subject: Tagging the subject line of e-mail In-Reply-To: <3F53F6F5.9070709@ims.telstra.com.au> References: <5.2.0.9.2.20030901105651.05c09ba0@imap.ecs.soton.ac.uk> <3F53F6F5.9070709@ims.telstra.com.au> Message-ID: <3F555635.3000301@ims.telstra.com.au> Found the file MailScanner/etc/reports/en/languages.conf and changed NoticeSubject to "Warning: E-mail problem detected" also NoticeHeading to "The following e-mail messages were found to have problems in them" ash Ash wrote: > Please forgive me the problem lay between the keyboard and back of chair > :-(. I missed Deliver Cleaned Messages was set to no I would say this > occured when I upgraded from v3.x and as we dont get many viruses I > never noticed, wrote a ruleset and it all works. > > Have I made another mistake somewhere? the admin message is the same no > matter what problem it deteced. "Warning: E-mail viruses detected" > appears for every violation and doesnt actually align with the problem > it detected, ie "Warning: Bad Filename detected" or Warning: Bad > Filetype detected" . > > ash > > Julian Field wrote: > >> Can you give us an example of what you mean? >> >> At 04:54 01/09/2003, you wrote: >> >>> Did this ever get resolved? 
>>> >>> I just upgraded from 4.21-9 to 4.23-10 and nolonger get any of the >>> subject >>> line modifications notices that use the curly brackets, other than if >>> I set >>> "Scanned Modify Subject" , for example any violation be it a virus >>> ,bad file >>> name/type receives the subject line "Warning: E-mail viruses >>> detected", I >>> haven't had a spam message yet to see if that notification has also >>> stopped >>> working >>> >>> from my conf file >>> Virus Modify Subject = yes >>> Virus Subject Text = {Virus?} >>> Filename Modify Subject = yes >>> Filename Subject Text = {Filename?} >>> Content Modify Subject = yes >>> Content Subject Text = {Dangerous Content?} >>> Spam Modify Subject = yes >>> Spam Subject Text = {Spam?} >>> High Scoring Spam Modify Subject = yes >>> High Scoring Spam Subject Text = {Spam?} >>> >>> running perl 5.6.0 >>> >>> regards >>> >>> ash >>> >>> On Wed, 20 Aug 2003 07:41:27 -0400, Collins, Kevin >>> wrote: >>> >>> >Mike, >>> > >>> >Thanks for responding. >>> > >>> >I'm planning on adding SpamAssassin later in the project. Is it >>> required to >>> >make the system function as I want? I didn't get that from the >>> >documentation. They way I read the docs, SpamAssassin just improves >>> >MailScanner's abilities. >>> > >>> >Kevin >>> > >>> >> -----Original Message----- >>> >> From: Mike Kercher [mailto:mike@CAMAROSS.NET] >>> >> Sent: Tuesday, August 19, 2003 1:59 PM >>> >> To: MAILSCANNER@JISCMAIL.AC.UK >>> >> Subject: Re: Tagging the subject line of e-mail >>> >> >>> >> >>> >> Are you using SpamAssassin? If not, I'd HIGHLY recommend it! >>> >> You can also >>> >> set Log Spam = yes and watch your maillog after restarting >>> >> MailScanner. >>> >> >>> >> Mike >>> >> >>> >> >>> >> -----Original Message----- 
>>> >> From: MailScanner mailing list >>> >> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >>> >> Of Collins, Kevin >>> >> Sent: Tuesday, August 19, 2003 12:31 PM >>> >> To: MAILSCANNER@JISCMAIL.AC.UK >>> >> Subject: Tagging the subject line of e-mail >>> >> >>> >> >>> >> Hi! >>> >> >>> >> I've just completed installing MS v4.22-5 onto a Red Hat 8 >>> >> machine to act as >>> >> my company's "SPAM Filter". First, I want to say THANKS for >>> >> creating such a >>> >> project and for making it available to the masses for free. >>> >> >>> >> A little background: >>> >> >>> >> MailScanner machine: >>> >> Red Hat 8.0 (fully up2dated) >>> >> Sendmail 8.12.8 >>> >> Perl 5.8.0 >>> >> ClamAV 0.60 (compiled from source) >>> >> Sendmail set to relay everything to internal Exchange Server >>> >> >>> >> Everything seems to be working fine - I've even let a few e-mails >>> pass >>> >> through the machine for testing. Which is why I'm writing; I >>> >> now have a >>> >> question. >>> >> >>> >> First, of the 20 some odd messages that have passed through >>> >> MailScanner, it >>> >> has tagged 3 as SPAM and one of them as having a Virus >>> >> (actually it was an >>> >> HTML Form in the message). The "Virus" message behaved as >>> >> expected - the >>> >> e-mail was deleted and not passed on and I got a notification of the >>> >> deletion. But the remaining messages aren't working as I >>> >> expected them to >>> >> (I think). >>> >> >>> >> I've configured MailScanner to modify the subject line of >>> >> every e-mail it >>> >> touches to include {Scanned} at the beginning. (This is to >>> >> let me - and >>> >> everyone else - know that MS is working) In addition I want all SPAM >>> >> messages flagged with {Spam} as the beginning of the subject line and >>> >> {Virus} for those that were found to have Viruses. 
>>> >> >>> >> To this point, all of the e-mail coming in (save the "Virus" message >>> >> mentioned above) have only had the word {Scanned} pre-pended >>> >> to the Subject >>> >> Line. I've not seen the {Spam} label anywhere. Here are the >>> >> (I think) >>> >> appropriate sections of the MailScanner.conf: >>> >> >>> >> ---- >>> >> Scanned Modify Subject = start >>> >> Scanned Subject Text = {Scanned} >>> >> Virus Modify Subject = yes >>> >> Virus Subject Text = {Virus} >>> >> Filename Modify Subject = yes >>> >> Filename Subject Text = {Filename} >>> >> Spam Modify Subject = yes >>> >> Spam Subject Text = {Spam} >>> >> High Scoring Spam Modify Subject = yes >>> >> High Scoring Spam Subject Text = {Spam} >>> >> ---- >>> >> Spam Checks = yes >>> >> Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except >>> >> .ac.uk) >>> >> Spam Domain List = >>> >> Spam Lists To Reach High Score = 5 >>> >> Spam List Timeout = 10 >>> >> Max Spam List Timeouts = 7 >>> >> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules >>> >> Is Definitely Spam = no >>> >> ---- >>> >> >>> >> >From this, is my description of how MailScanner should work valid? >>> >> >Have I >>> >> forgot to do something? What do I need to change/add/delete >>> >> to make it work >>> >> as I describe? >>> >> >>> >> Thanks in advance. >>> >> >>> >> -- >>> >> Kevin L. Collins, MCSE >>> >> Systems Manager >>> >> Nesbitt Engineering, Inc. >>> >> >> >> >> >> -- >> Julian Field >> www.MailScanner.info >> MailScanner thanks transtec Computers for their support From chocobofrank at HOTMAIL.COM Wed Sep 3 05:29:29 2003 
From: chocobofrank at HOTMAIL.COM (Frank Cheong)
Date: Thu Jan 12 21:19:43 2006
Subject: Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4
Message-ID:

Recently, I have just installed MailScanner, Perl 5.8.0 and all related components according to the mailscanner installation guide onto my Solaris 8 machine. I cannot start the /opt/MailScanner/lib/sophos-autoupdate which I found that whenever the module call the syslog function (e.g. syslog.openlog) It will then try to connect to the syslog server on my localhost while it failed with the below message :

"Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4 at /usr/local/lib/perl5/5.8.0/sun4-solaris/Socket.pm line 373."

What is the problem ? I have tried to telnet localhost 514 which is the syslog port and the following message reported

    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Connection closed by foreign host.

I also checked that the below line is inside /etc/service

    syslog 514/udp

Can I assume my solaris syslog configuration ok and it is the problem of the perl installation instead ?

From christo at AFGLASS.CO.ZA Wed Sep 3 07:31:11 2003
From: christo at AFGLASS.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:19:43 2006 Subject: Newbie question related to file type filters Message-ID: <000801c371e5$1fbceb30$660210ac@christo> Hi I only configured my MS server last week and it works fine. Spam dropped by about 90% OK My question. By default MS blocks all Executable and Media file types from the filetype.rules.conf file. How can I setup a MS rule to let through these files only for certain email addresses and let the others be blocked. One small rule file example will be enough Thanx -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks transtec Computers for their support. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030903/e79a4373/attachment.html From llasad1 at YAHOO.COM Tue Sep 2 23:18:40 2003 
From: llasad1 at YAHOO.COM (lester lasad) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <1062538338.31636.4.camel@bach.kevinspicer.co.uk> Message-ID: <20030902221840.68651.qmail@web41415.mail.yahoo.com> Kevin, I took your suggestion and all new mail seems to be coming in OK, the problem is that I copied one of the emails out of mqueue.in into mqueue but it does not route. It's just stuck, all other new mail that comes in routes with no problems. any suggestions? Kevin Spicer wrote: On Tue, 2003-09-02 at 22:16, lester lasad wrote: >It seems to be kicking in after restarting MS a few times, but it seems >to stop after about a few minutes. I have been restarting but this >can't be the solution. Thanks for the suggestions. Are you running the very latest MailScanner? IIRC there is a bug in the Denial of Service Protection Code which has just been fixed (I think Julian posted a patch to the list, as nows not the time to be upgrading!) If you get desperate, you said you weren't virus scanning with MS, just turn MS off, start up sendmail (the regular standalone way) and dump the contents of mqueue.in into mqueue [mail & spam is better than no mail, just]. Then have another shot with MS when its quieter (if theres a particular message causing problems this would also get it out of the system.) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
--------------------------------- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/a1a421fd/attachment.html From mailscanner at ecs.soton.ac.uk Wed Sep 3 08:05:33 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:19:43 2006 Subject: Please update your email address... Message-ID: <07053388524134@radgametools.com> We're sorry, but the RAD general email addresses have changed recently (to slow the flood of spam ). Please use one of these addresses instead: Sales: sales1@radgametools.com RAD Video Tools Support: support1@radgametools.com Bink SDK Support: bink1@radgametools.com Miles SDK Support: miles1@radgametools.com Granny SDK Support: granny1@radgametools.com Pixomatic SDK Support: pixo1@radgametools.com Smacker SDK Support: smack1@radgametools.com Webmaster: webmaster1@radgametools.com Sorry for the inconvenience and thanks for your support! RAD Game Tools From raymond at PROLOCATION.NET Tue Sep 2 23:25:15 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <20030902221840.68651.qmail@web41415.mail.yahoo.com> Message-ID: Hi! > I took your suggestion and all new mail seems to be coming in OK, the > problem is that I copied one of the emails out of mqueue.in into mqueue > but it does not route. It's just stuck, all other new mail that comes > in routes with no problems. any suggestions? If you ONLY put that one file in your queue, and restart MS, what do you see happening ? do you see MS defcuntioning ? Bye, Raymond. From Kevin.Spicer at BMRB.CO.UK Wed Sep 3 08:38:15 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649686@pascal.priv.bmrb.co.uk> lester lasad wrote: > Kevin, > I took your suggestion and all new mail seems to be coming in OK, the > problem is that I copied one of the emails out of mqueue.in into > mqueue but it does not route. It's just stuck, all other new mail > that comes in routes with no problems. any suggestions? Do you have both df and qf files for that? Maybe the mail itself is what has caused your problem? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Kevin.Spicer at BMRB.CO.UK Wed Sep 3 08:41:52 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649687@pascal.priv.bmrb.co.uk>

lester lasad wrote:
> question, I have a secondary MS server, there are a few emails that
> our VP's need with attachments. Once I locate these emails in
> /var/spool/mqueue.in can I copy them to the other server's
> mqueue.in? Never done it, if anyone has I would like to know (and
> how did you do it?)

Although this would probably work you shouldn't generally do it because sendmail generates queue names using the time and process id. This means that by copying mails between systems you could break the guarantee of queue file name uniqueness (that said it is only a small risk, as you would have to have a sendmail process with the same PID on both systems at the time the mail was originally received.)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From David.While at UCE.AC.UK Wed Sep 3 08:33:35 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:43 2006
Subject: ANNOUNCE: mailstats V0.21
Message-ID: <107DE25EC0216C45AEF670016024245F64417E@exchangea.staff.uce.ac.uk>

It should already be there - simply set your Scanner to mcafee

David While

-----Original Message-----
From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US] Sent: Tue 02/09/2003 19:03 To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: Re: ANNOUNCE: mailstats V0.21 What can I do to assist in getting mcafee AV support in mailstats? -----Original Message----- From: David While [mailto:David.While@UCE.AC.UK] Sent: Tuesday, September 02, 2003 11:54 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: mailstats V0.21 Whoops - sorry about that - its there now. -----Original Message----- From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US] Sent: Tue 02/09/2003 15:52 To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: Re: ANNOUNCE: mailstats V0.21 Hey I went out to this site to grab .21 and it was showing .23 as the latest but I can not download it. Thanks Joe -----Original Message----- From: David While [mailto:David.While@UCE.AC.UK] Sent: Sunday, August 31, 2003 12:41 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: mailstats V0.21 A few people have been asking so here it is! A new version of mailstats is available - the main changes are: * Added support to produce list of SpamAssassin traps triggered * Added support for configurable message in access file * Added support to produce 2 mrtg config files for better graphing * Added support for multiple mail queue directories * Corrected bug in virus update notification * Added support to restrict the output in lists. It can be downloaded from http://www.while.homeunix.net/mailstats There is also a discussion forum available at http://www.while.homeunix.net/mailstats/phpBB2/ ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- From llasad1 at YAHOO.COM Wed Sep 3 08:58:31 2003 
From: llasad1 at YAHOO.COM (lester lasad)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649686@pascal.priv.bmrb.co.uk>
Message-ID: <20030903075831.49203.qmail@web41402.mail.yahoo.com>

Kevin,

To be honest all I have ever used is mailscanner, I am not familiar with configuring sendmail on its own. I have been at this all night with no luck. I have restarted MS many times with minimal success. I have tried changing my routing table to route to a different internal server to verify it's not a problem with the host I normally connect with and have the same problems. This is very frustrating, I've got about 2000 messages still stuck in the queue, they are getting delivered but at a very slow rate. Users don't like to see email from customers that are 2 days late. If you have any more suggestions, I'd appreciate it.

"Spicer, Kevin" wrote:
lester lasad wrote:
> Kevin,
> I took your suggestion and all new mail seems to be coming in OK, the
> problem is that I copied one of the emails out of mqueue.in into
> mqueue but it does not route. It's just stuck, all other new mail
> that comes in routes with no problems. any suggestions?

Do you have both df and qf files for that? Maybe the mail itself is what has caused your problem?

From raymond at PROLOCATION.NET Wed Sep 3 09:00:52 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030903075831.49203.qmail@web41402.mail.yahoo.com>
Message-ID:

Hi!

> To be honest all I have ever used is mailscanner, I am not familiar
> with configuring sendmail on its own. I have been at this all night
> with no luck. I have restarted MS many times with minimal success. I
> have tried changing my routing table to route to a different internal
> server to verify it's not a problem with the host I normally connect
> with and have the same problems. This is very frustrating, I've got
> about 2000 messages still stuck in the queue, they are getting delivered
> but at a very slow rate. Users don't like to see email from customers
> that are 2 days late. If you have any more suggestions, I'd appreciate
> it.

I see the same behaviour, it is like MS tries to chew a long time on some messages. I already tried to lower the TNEF timeout to see if that's causing it.

Julian, would it be ok to send in the batches that seem to terribly slow down MS ? Perhaps the string in the Sobig virus wasn't the only thing they planned :)

Bye,
Raymond.

From Kevin.Spicer at BMRB.CO.UK Wed Sep 3 09:11:03 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ADFB@pascal.priv.bmrb.co.uk>

Can you confirm whether email had completely stopped, or whether MailScanner just wasn't keeping up with the queue?

If you want to bypass MailScanner to clear the backlog... (assuming RedHat syntax)

    service MailScanner stop
    [wait for all MailScanner processes to disappear after running this before moving on]
    mv /var/spool/mqueue.in/* /var/spool/mqueue
    service MailScanner start
    [restart Mailscanner to process any newly arriving messages, see if it copes]
    sendmail -q

[this last command will take a very long time to complete as it will attempt to deliver each message in the queue, with your backlog this could be a considerable period of time]

-----Original Message-----
From: lester lasad [mailto:llasad1@YAHOO.COM] Sent: 03 September 2003 08:59 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in Kevin, To be honest all I have ever used is mailscanner, I am not famaliar with configuring sendmail on it's own. I have been at this all night with no luck. I have restarted MS many times with minimal success. I have tried changing my routing table to route to a different internal server to verify it's not a problem with the host I normally connect with and have the same problems. This is very frustrating, I've got about 2000 message still stuck in the queue, they are getting delivered but at a very slow rate. Users don't like to see email from customers that are 2 days late. If you have any more suggestions, I'd appreciate it. "Spicer, Kevin" wrote: lester lasad wrote: > Kevin, > I took your suggestion and all new mail seems to be coming in OK, the > problem is that I copied one of the emails out of mqueue.in into > mqueue but it does not route. It's just stuck, all other new mail > that comes in routes with no problems. any suggestions? Do you have both df and qf files for that? Maybe the mail itself is what has caused your problem? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this e! mail or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. _____ Do you Yahoo!? Yahoo! 
SiteBuilder - Free, easy-to-use web site design software BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030903/55111e4c/attachment.html From raymond at PROLOCATION.NET Wed Sep 3 09:17:45 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ADFB@pascal.priv.bmrb.co.uk> Message-ID: Hi! > Can you confirm whether email had completely stopped, or whether > MailScanner just wasn't keeping up with the queue? On my box for example i had a queue of 1000 that would not run, it let it processing and it took 40 minutes to get them done. In the same time, by other box, same specs, took allmost 10.000 messages, without any problem. Bye, Raymond. From llasad1 at YAHOO.COM Wed Sep 3 09:29:44 2003 
From: llasad1 at YAHOO.COM (lester lasad) Date: Thu Jan 12 21:19:44 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ADFB@pascal.priv.bmrb.co.uk> Message-ID: <20030903082944.59630.qmail@web41404.mail.yahoo.com> This is for incoming mail. On average I receive 15-20 thousand incoming emails a day. Right now I have roughly 2000 messages in the queue, so MS has been routing mail but it is very slow. Doesn't seem to want to catch up. "Spicer, Kevin" wrote: Can you confirm whether email had completely stopped, or whether MailScanner just wasn't keeping up with the queue? If you want to bypass MailScanner to clear the backlog... (assuming RedHat syntax) service MailScanner stop [wait for all MailScanner processes to disappear after running this before moving on] mv /var/spool/mqueue.in/* /var/spool/mqueue service MailScanner start [restart Mailscanner toprocess any newly arriving messages, see if it copes] sendmail -q [this last command will take a very long time to complete as it will attempt to deliver each mesasge in the queue, with your backlog this could be a considerable period of time] -----Original Message----- 
From: lester lasad [mailto:llasad1@YAHOO.COM] Sent: 03 September 2003 08:59 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in Kevin, To be honest all I have ever used is mailscanner, I am not famaliar with configuring sendmail on it's own. I have been at this all night with no luck. I have restarted MS many times with minimal success. I have tried changing my routing table to route to a different internal server to verify it's not a problem with the host I normally connect with and have the same problems. This is very frustrating, I've got about 2000 message still stuck in the queue, they are getting delivered but at a very slow rate. Users don't like to see email from customers that are 2 days late. If you have any more suggestions, I'd appreciate it. "Spicer, Kevin" wrote: lester lasad wrote: > Kevin, > I took your suggestion and all new mail seems to be coming in OK, the > problem is that I copied one of the emails out of mqueue.in into > mqueue but it does not route. It's just stuck, all other new mail > that comes in routes with no problems. any suggestions? Do you have both df and qf files for that? Maybe the mail itself is what has caused your problem? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this e! mail or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. --------------------------------- Do you Yahoo!? Yahoo! 
SiteBuilder - Free, easy-to-use web site design software BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accept no liability in relation to any personal emails, or content of any email which does not directly relate to our business. --------------------------------- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030903/77b30866/attachment.html From Kevin.Spicer at BMRB.CO.UK Wed Sep 3 09:35:32 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649689@pascal.priv.bmrb.co.uk>

lester lasad wrote:
> This is for incoming mail. On average I receive 15-20 thousand
> incoming emails a day. Right now I have roughly 2000 messages in the
> queue, so MS has been routing mail but it is very slow. Doesn't seem
> to want to catch up.

Which queue?
How many in mqueue?
How many in mqueue.in?

As I said, if you're happy to bypass MailScanner to get the mail delivered follow the instructions below.

> "Spicer, Kevin" wrote:
> Can you confirm whether email had completely stopped, or whether
> MailScanner just wasn't keeping up with the queue?
>
> If you want to bypass MailScanner to clear the backlog... (assuming
> RedHat syntax)
>
> service MailScanner stop
> [wait for all MailScanner processes to disappear after running this before moving on]
> mv /var/spool/mqueue.in/* /var/spool/mqueue
> service MailScanner start
> [restart Mailscanner to process any newly arriving messages, see if it copes]
> sendmail -q
>
> [this last command will take a very long time to complete as it will
> attempt to deliver each message in the queue, with your backlog this
> could be a considerable period of time]

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From eja at URBAKKEN.DK Wed Sep 3 09:35:25 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:19:44 2006
Subject: Errors.
Message-ID: <3F55A7CD.8000401@urbakken.dk>

I have installed MailScanner on my RedHat 9.0 server here. I have gone through the install instructions many times, and found that I have done all the mentioned changes. Even so, I get some errors. Many of them are maybe self-explanatory, and I can see what's wrong, but another thing is how to do the things that bring the errors to an end.

Can some of you maybe help me?

Here's the sample of /var/log/maillog:

Sep 3 10:27:19 gateway postfix/postdrop[7682]: error: untrusted configuration directory name: /etc/postfix.in
Sep 3 10:27:19 gateway postfix/postdrop[7682]: fatal: specify "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf
Sep 3 10:27:20 gateway spamd[7681]: clean message (1.0/5.0) for filter:100 in 0.4 seconds, 4940 bytes.
Sep 3 10:27:20 gateway postfix/sendmail[7680]: warning: premature end-of-input from /usr/sbin/postdrop -r while reading input attribute name
Sep 3 10:27:20 gateway postfix/sendmail[7680]: fatal: linux-bounces+eja=urbakken.dk@lists.samba.org(100): unable to execute /usr/sbin/postdrop -r: Success
Sep 3 10:27:21 gateway postfix/pipe[7677]: 3299A1BFCB: to=, relay=ccfilter, delay=2, status=bounced (service unavailable. Command output: postdrop: error: untrusted configuration directory name: /etc/postfix.in postdrop: fatal: specify "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf sendmail: warning: premature end-of-input from /usr/sbin/postdrop -r while reading input attribute name sendmail: fatal: linux-bounces+eja=urbakken.dk@lists.samba.org(100) : unable to execute /usr/sbin/postdrop -r: Success )
Sep 3 08:27:21 gateway postfix/cleanup[7676]: BCA181BFCF: message-id=<20030903082721.BCA181BFCF@gateway.urbakken.dk>
Sep 3 08:27:21 gateway postfix/nqmgr[3122]: BCA181BFCF: from=<>, size=7460, nrcpt=1 (queue active)
Sep 3 08:27:22 gateway postfix/nqmgr[3122]: BCA181BFCF: to=, relay=none, delay=0, status=deferred (deferred transport)
Sep 3 10:27:22 gateway MailScanner[3753]: New Batch: Scanning 1 messages, 7595 bytes
Sep 3 10:27:22 gateway MailScanner[3753]: Virus and Content Scanning: Starting
Sep 3 10:27:22 gateway MailScanner[3753]: Uninfected: Delivered 1 messages
Sep 3 04:27:22 gateway postfix/nqmgr[3181]: 223385A5B8: from=<>, size=7584, nrcpt=1 (queue active)
Sep 3 04:27:25 gateway postfix/smtp[7704]: 223385A5B8: to=, relay=dp.samba.org[66.70.73.150], delay=4, status=sent (25

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From llasad1 at YAHOO.COM Wed Sep 3 09:49:33 2003
From: llasad1 at YAHOO.COM (lester lasad)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649689@pascal.priv.bmrb.co.uk>
Message-ID: <20030903084933.57527.qmail@web41414.mail.yahoo.com>

"Spicer, Kevin" wrote:

Which queue?

All are in the mqueue.in

As I said, if you're happy to bypass MailScanner to get the mail delivered follow the instructions below.

Tried running your commands and received the following:

> service MailScanner stop
Shutting down MailScanner daemons:
MailScanner: [ OK ]
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
> mv /var/spool/mqueue.in/* /var/spool/mqueue
sh: line 1: /bin/mv: Argument list too long

> "Spicer, Kevin" wrote:
> Can you confirm whether email had completely stopped, or whether
> MailScanner just wasn't keeping up with the queue?
>
> If you want to bypass MailScanner to clear the backlog... (assuming
> RedHat syntax)
>
> service MailScanner stop
> [wait for all MailScanner processes to disappear after running this before moving on]
> mv /var/spool/mqueue.in/* /var/spool/mqueue
> service MailScanner start
> [restart Mailscanner to process any newly arriving messages, see if it copes]
> sendmail -q
>
> [this last command will take a very long time to complete as it will
> attempt to deliver each message in the queue, with your backlog this
> could be a considerable period of time]

From mailscanner at ecs.soton.ac.uk Wed Sep 3 09:48:29 2003
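The `mv /var/spool/mqueue.in/* /var/spool/mqueue` step fails with "Argument list too long" because the shell expands the glob into a single argument list for one `mv`. The following is an added example, not part of any message in this thread: it moves the backlog without a glob and only moves messages whose qf and df files are both present (the check Kevin asks about). The function names are hypothetical, and mail moved this way is delivered without passing through MailScanner, as the quoted procedure says.

```shell
#!/bin/sh
# Added example, not from the thread. The function names are made up for this
# illustration; the queue paths in the usage line are the ones quoted above.
# Run it with MailScanner stopped, as in the quoted procedure, so that nothing
# is writing into the incoming queue while files are being moved.

# list_ids DIR PREFIX: print the queue id of every PREFIX* file in DIR, one per
# line. find streams the names, so no argument list is ever built from the
# whole directory (the cause of "/bin/mv: Argument list too long").
list_ids() {
    find "$1" -maxdepth 1 -type f -name "$2*" | while IFS= read -r path; do
        name=${path##*/}
        printf '%s\n' "${name#"$2"}"
    done
}

# count_orphans DIR: print how many qf files have no df and df files have no qf.
count_orphans() {
    dir=$1
    {
        list_ids "$dir" qf | while IFS= read -r id; do
            [ -f "$dir/df$id" ] || echo "qf$id"
        done
        list_ids "$dir" df | while IFS= read -r id; do
            [ -f "$dir/qf$id" ] || echo "df$id"
        done
    } | wc -l | tr -d ' '
}

# move_queue_pairs SRC DST: move every message that has both its qf (control)
# and df (body) file, and print how many messages were moved. Incomplete
# messages stay in SRC for inspection.
move_queue_pairs() {
    src=$1
    dst=$2
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "move_queue_pairs: need two existing directories" >&2
        return 2
    fi
    # Snapshot the id list first so the directory is not being read while
    # entries are renamed out of it.
    list=$(mktemp) || return 1
    list_ids "$src" qf > "$list"
    moved=0
    while IFS= read -r id; do
        [ -f "$src/df$id" ] || continue   # control file without a body: skip
        # Body first, control file last: a queue runner in DST looks for qf
        # files, so it never picks up a message whose body has not arrived.
        mv "$src/df$id" "$dst/df$id" &&
        mv "$src/qf$id" "$dst/qf$id" &&
        moved=$((moved + 1))
    done < "$list"
    rm -f "$list"
    echo "$moved"
}

# Usage (as root, MailScanner stopped):
#   count_orphans /var/spool/mqueue.in
#   move_queue_pairs /var/spool/mqueue.in /var/spool/mqueue
```
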
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030903084933.57527.qmail@web41414.mail.yahoo.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649689@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030903094622.03f92df0@imap.ecs.soton.ac.uk>

Morning all,

Appears you are all having a similar problem.
Are you running 4.23-11 or 4.23-10? If -10 then upgrade to -11.

What does your maillog say is happening?
    grep MailScanner /var/log/maillog | tail -70

What processes are running?
    ps ax | grep -i mail

What have you changed from your previously-working system?

At 09:49 03/09/2003, you wrote:
>"Spicer, Kevin" wrote:
>
>Which queue?
>
>All are in the mqueue.in
>
>As I said, if you're happy to bypass MailScanner to get the mail delivered
>follow the instructions below.
>
>Tried running your commands and received the following:
>
> > service MailScanner stop
>
>Shutting down MailScanner daemons:
>MailScanner: [ OK ]
>incoming sendmail: [ OK ]
>outgoing sendmail: [ OK ]
>
> > mv /var/spool/mqueue.in/* /var/spool/mqueue
>
>sh: line 1: /bin/mv: Argument list too long
>
> > "Spicer, Kevin" wrote:
> > Can you confirm whether email had completely stopped, or whether
> > MailScanner just wasn't keeping up with the queue?
> >
> > If you want to bypass MailScanner to clear the backlog... (assuming
> > RedHat syntax)
> >
> > service MailScanner stop
> > [wait for all MailScanner processes to disappear after running this before moving on]
> > mv /var/spool/mqueue.in/* /var/spool/mqueue
> > service MailScanner start
> > [restart Mailscanner to process any newly arriving messages, see if it copes]
> > sendmail -q
> >
> > [this last command will take a very long time to complete as it will
> > attempt to deliver each message in the queue, with your backlog this
> > could be a considerable period of time]

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 09:49:51 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:44 2006
Subject: Errors.
In-Reply-To: <3F55A7CD.8000401@urbakken.dk>
Message-ID: <5.2.0.9.2.20030903094925.04237aa8@imap.ecs.soton.ac.uk>

Start by killing spamd.
    service spamd stop
    service spamassassin stop
    chkconfig spamd off
    chkconfig spamassassin off

At 09:35 03/09/2003, you wrote:
>I have installed MailScanner on my RedHat 9.0 server here. I have gone
>through the install instructions many times, and found that I have done
>all the mentioned changes. Even so, I get some errors. Many of them are
>maybe self-explanatory, and I can see what's wrong, but another thing is
>how to do the things that bring the errors to an end.
>
>Can some of you maybe help me?
>
>Here's the sample of /var/log/maillog:
>
>Sep 3 10:27:19 gateway postfix/postdrop[7682]: error: untrusted
>configuration directory name: /etc/postfix.in
>Sep 3 10:27:19 gateway postfix/postdrop[7682]: fatal: specify
>"alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf
>Sep 3 10:27:20 gateway spamd[7681]: clean message (1.0/5.0) for
>filter:100 in 0.4 seconds, 4940 bytes.
>Sep 3 10:27:20 gateway postfix/sendmail[7680]: warning: premature
>end-of-input from /usr/sbin/postdrop -r while reading input attribute name
>Sep 3 10:27:20 gateway postfix/sendmail[7680]: fatal:
>linux-bounces+eja=urbakken.dk@lists.samba.org(100): unable to execute
>/usr/sbin/postdrop -r: Success
>Sep 3 10:27:21 gateway postfix/pipe[7677]: 3299A1BFCB:
>to=, relay=ccfilter, delay=2, status=bounced (service
>unavailable. Command output: postdrop:
>error: untrusted configuration directory name: /etc/postfix.in postdrop:
>fatal: specify "alternate_config_directories = /etc/postfix.in" in
>/etc/postfix/main.cf sendmail: warning: premature end-of-input from
>/usr/sbin/postdrop -r while reading input attribute name sendmail: fatal:
>linux-bounces+eja=urbakken.dk@lists.samba.org(100)
>: unable to execute /usr/sbin/postdrop -r: Success )
>Sep 3 08:27:21 gateway postfix/cleanup[7676]: BCA181BFCF:
>message-id=<20030903082721.BCA181BFCF@gateway.urbakken.dk>
>Sep 3 08:27:21 gateway postfix/nqmgr[3122]: BCA181BFCF: from=<>,
>size=7460, nrcpt=1 (queue active)
>Sep 3 08:27:22 gateway postfix/nqmgr[3122]: BCA181BFCF:
>to=, relay=none, delay=0,
>status=deferred (deferred transport)
>Sep 3 10:27:22 gateway MailScanner[3753]: New Batch: Scanning 1
>messages, 7595 bytes
>Sep 3 10:27:22 gateway MailScanner[3753]: Virus and Content Scanning:
>Starting
>Sep 3 10:27:22 gateway MailScanner[3753]: Uninfected: Delivered 1 messages
>Sep 3 04:27:22 gateway postfix/nqmgr[3181]: 223385A5B8: from=<>,
>size=7584, nrcpt=1 (queue active)
>Sep 3 04:27:25 gateway postfix/smtp[7704]: 223385A5B8:
>to=,
>relay=dp.samba.org[66.70.73.150], delay=4, status=sent (25
>
>--
>Med venlig hilsen - Best regards.
>Erik Jakobsen - eja@urbakken.dk.
>Licensed radioamateur with the callsign OZ4KK.
>SuSE Linux 8.2 Proff.
>Registered as user #319488 with the Linux Counter, http://counter.li.org.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 09:54:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:44 2006
Subject: Newbie question related to file type filters
In-Reply-To: <000801c371e5$1fbceb30$660210ac@christo>
Message-ID: <5.2.0.9.2.20030903095427.03ee97c8@imap.ecs.soton.ac.uk>

See my postings from yesterday or the day before that include the word "filetype.rules.conf". You'll find them in the archive.

At 07:31 03/09/2003, you wrote:
>Hi
>
>I only configured my MS server last week and it works fine. Spam dropped
>by about 90%
>
>OK My question.
>
>By default MS blocks all Executable and Media file types from the
>filetype.rules.conf file. How can I setup a MS rule to let through these
>files only for certain email addresses and let the others be blocked. One
>small rule file example will be enough
>
>Thanx
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>Mailscanner thanks transtec Computers for
>their support.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 09:53:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:44 2006
Subject: Small typo in f-prot-autoupdate
In-Reply-To:
Message-ID: <5.2.0.9.2.20030903095336.03f582b8@imap.ecs.soton.ac.uk>

Thanks for that. Fixed.

At 02:27 03/09/2003, you wrote:
>Julian there is a small typo in the f-prot-autoupdate script that prevents
>logging status to /var/log/maillog. Here's the code segment where I added
>the open Syslog line right after alarm 0 ...
>
>
>if ($@) {
>  if ($@ =~ /timeout/) {
>    # We timed out!
>    CleanTempDir();
>    &UnlockFProt();
>    alarm 0;
>  }
>} else {
>  alarm 0;
>  Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail'); ******
>  Sys::Syslog::syslog('info', $updated?"F-Prot successfully updated.":
>                      "F-Prot did not need updating.");
>}
>
>--
>Gerry
>
>"The lyfe so short, the craft so long to learne" Chaucer

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 09:50:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:44 2006
Subject: mail stuck in postfix.in
In-Reply-To: <5.2.1.1.0.20030902131754.00b357c8@pension-key.com>
References: <5.2.0.9.2.20030902174407.04c0f8d8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030903095019.046667b8@imap.ecs.soton.ac.uk>

At 18:18 02/09/2003, you wrote:
>See below
>
>At 05:44 PM 9/2/2003 +0100, you wrote:
>>Check your queue directories are set correctly in MailScanner.conf.
>
>Incoming Queue Dir = /var/spool/postfix.in

Incoming Queue Dir = /var/spool/postfix.in/deferred

># Set location of outgoing mail queue.
># This can also be the filename of a ruleset.
>Outgoing Queue Dir = /var/spool/postfix

Outgoing Queue Dir = /var/spool/postfix/incoming

># Set where to unpack incoming messages before scanning them
>Incoming Work Dir = /var/spool/MailScanner/incoming
>
># Set where to store infected and message attachments (if they are kept)
># This can also be the filename of a ruleset.
>Quarantine Dir = /var/spool/MailScanner/quarantine

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From max.gaspari at MERCATONEUNO.NET Wed Sep 3 10:21:28 2003
From: max.gaspari at MERCATONEUNO.NET (Max Gaspari)
Date: Thu Jan 12 21:19:44 2006
Subject: Errors.
In-Reply-To: <3F55A7CD.8000401@urbakken.dk>
References: <3F55A7CD.8000401@urbakken.dk>
Message-ID: <14170.80.17.111.244.1062580888.squirrel@wm.mercatoneuno.net>

> I have installed MailScanner on my RedHat 9.0 server here. I have gone
> through the install instructions many times, and found that I have done
> all the mentioned changes. Even so, I get some errors. Many of them are
> maybe self-explanatory, and I can see what's wrong, but another thing is

Insert in /etc/postfix/main.cf, as the last row ...

alternate_config_directories = /etc/postfix.in

Probably you don't have postfix chroot.
Check also the permissions of /var/spool/postfix.in and /etc/postfix.

> Sep 3 10:27:19 gateway postfix/postdrop[7682]: error: untrusted
> configuration directory name: /etc/postfix.in
> Sep 3 10:27:19 gateway postfix/postdrop[7682]: fatal: specify
> "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf
> Sep 3 10:27:20 gateway spamd[7681]: clean message (1.0/5.0) for
> filter:100 in 0.4 seconds, 4940 bytes.
> Sep 3 10:27:20 gateway postfix/sendmail[7680]: warning: premature
> end-of-input from /usr/sbin/postdrop -r while reading input attribute name
> Sep 3 10:27:20 gateway postfix/sendmail[7680]: fatal:

Bye

From raymond at PROLOCATION.NET Wed Sep 3 11:02:41 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5.2.0.9.2.20030903094622.03f92df0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> Appears you are all having a similar problem.
> Are you running 4.23-11 or 4.23-10? If -10 then upgrade to -11.

I upgraded to -11 right away once it was released, still going on.

> What does your maillog say is happening?
> grep MailScanner /var/log/maillog | tail -70
> What processes are running?
> ps ax | grep -i mail
>
> What have you changed from your previously-working system?

Uh, nothing? There is nothing else on the box, only MS.

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Wed Sep 3 11:10:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
References: <5.2.0.9.2.20030903094622.03f92df0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030903111029.03ed06e8@imap.ecs.soton.ac.uk>

Please run both of the commands and send me the output.

At 11:02 03/09/2003, you wrote:
>Hi!
>
> > Appears you are all having a similar problem.
> > Are you running 4.23-11 or 4.23-10? If -10 then upgrade to -11.
>
>I upgraded to -11 right away once it was released, still going on.
>
> > What does your maillog say is happening?
> > grep MailScanner /var/log/maillog | tail -70
>
> > What processes are running?
> > ps ax | grep -i mail
> >
> > What have you changed from your previously-working system?
>
>Uh, nothing? There is nothing else on the box, only MS.
>
>Bye,
>Raymond.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Wed Sep 3 11:58:08 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5.2.0.9.2.20030903111029.03ed06e8@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> Please run both of the commands and send me the output.

Okay ;)

But currently they are not having backlog, I think I'd rather send you the zip with files they are stuck on. I tested the zip on 3 of my boxes and all go into slow-motion mode once I put them in the queue.

> > > What does your maillog say is happening?
> > > grep MailScanner /var/log/maillog | tail -70

We have remote logging, but let's see :)

[root@fallback vmx10]# grep MailScanner maillog-20030903 | tail -90
Sep 3 12:55:50 vmx10 MailScanner[11992]: Virus and Content Scanning: Starting
Sep 3 12:55:50 vmx10 MailScanner[13788]: Virus and Content Scanning: Starting
Sep 3 12:55:52 vmx10 MailScanner[13124]: New Batch: Found 52 messages waiting
Sep 3 12:55:52 vmx10 MailScanner[13124]: New Batch: Scanning 17 messages, 54364 bytes
Sep 3 12:55:52 vmx10 MailScanner[13124]: Spam Checks: Starting
Sep 3 12:55:53 vmx10 MailScanner[11768]: Content Checks: Need to convert HTML to plain text in 1 messages
Sep 3 12:55:53 vmx10 MailScanner[11768]: Content Checks: Detected and will convert HTML message to plain text in h83AtYPm010512
Sep 3 12:55:54 vmx10 MailScanner[16332]: New Batch: Found 66 messages waiting
Sep 3 12:55:54 vmx10 MailScanner[16332]: New Batch: Scanning 14 messages, 811789 bytes
Sep 3 12:55:54 vmx10 MailScanner[16332]: Spam Checks: Starting
Sep 3 12:55:54 vmx10 MailScanner[16150]: Uninfected: Delivered 1 messages
Sep 3 12:55:54 vmx10 MailScanner[12645]: Uninfected: Delivered 2 messages
Sep 3 12:55:54 vmx10 MailScanner[16150]: New Batch: Found 64 messages waiting
Sep 3 12:55:54 vmx10 MailScanner[16150]: New Batch: Scanning 3 messages, 11209 bytes
Sep 3 12:55:54 vmx10 MailScanner[16150]: Spam Checks: Starting
Sep 3 12:55:54 vmx10 MailScanner[10261]: Uninfected: Delivered 2 messages
Sep 3 12:55:54 vmx10 MailScanner[11768]: Uninfected: Delivered 7 messages Sep 3 12:55:54 vmx10 MailScanner[10513]: Uninfected: Delivered 1 messages Sep 3 12:55:54 vmx10 MailScanner[10513]: New Batch: Found 58 messages waiting Sep 3 12:55:54 vmx10 MailScanner[10513]: New Batch: Scanning 2 messages, 462948 bytes Sep 3 12:55:54 vmx10 MailScanner[10513]: Spam Checks: Starting Sep 3 12:55:55 vmx10 MailScanner[10513]: Virus and Content Scanning: Starting Sep 3 12:55:55 vmx10 MailScanner[16150]: Virus and Content Scanning: Starting Sep 3 12:55:56 vmx10 MailScanner[13124]: Virus and Content Scanning: Starting Sep 3 12:55:57 vmx10 MailScanner[12831]: New Batch: Found 83 messages waiting Sep 3 12:55:57 vmx10 MailScanner[12831]: New Batch: Scanning 25 messages, 100283 bytes Sep 3 12:55:57 vmx10 MailScanner[12831]: Spam Checks: Starting Sep 3 12:55:57 vmx10 MailScanner[15550]: Content Checks: Need to convert HTML to plain text in 1 messages Sep 3 12:55:57 vmx10 MailScanner[15550]: Content Checks: Detected and will convert HTML message to plain text in h83AtiPl010762 Sep 3 12:55:58 vmx10 MailScanner[16332]: Virus and Content Scanning: Starting Sep 3 12:55:58 vmx10 MailScanner[12208]: New Batch: Found 97 messages waiting Sep 3 12:55:58 vmx10 MailScanner[12208]: New Batch: Scanning 14 messages, 53689 bytes Sep 3 12:55:58 vmx10 MailScanner[12208]: Spam Checks: Starting Sep 3 12:55:59 vmx10 MailScanner[13788]: Uninfected: Delivered 3 messages Sep 3 12:55:59 vmx10 MailScanner[10513]: Content Checks: Need to convert HTML to plain text in 1 messages Sep 3 12:55:59 vmx10 MailScanner[10513]: Content Checks: Detected and will convert HTML message to plain text in h83AtcPp010603 Sep 3 12:55:59 vmx10 MailScanner[13788]: New Batch: Found 96 messages waiting Sep 3 12:55:59 vmx10 MailScanner[13788]: New Batch: Scanning 2 messages, 7482 bytes Sep 3 12:55:59 vmx10 MailScanner[13788]: Spam Checks: Starting Sep 3 12:55:59 vmx10 MailScanner[13788]: Virus and Content Scanning: Starting Sep 3 
12:56:00 vmx10 MailScanner[16150]: Content Checks: Need to convert HTML to plain text in 2 messages Sep 3 12:56:00 vmx10 MailScanner[16150]: Content Checks: Detected and will convert HTML message to plain text in h83AtoPm010872 Sep 3 12:56:00 vmx10 MailScanner[16150]: Content Checks: Detected and will convert HTML message to plain text in h83AtWPq010476 Sep 3 12:56:01 vmx10 MailScanner[13788]: Content Checks: Need to convert HTML to plain text in 2 messages Sep 3 12:56:01 vmx10 MailScanner[13788]: Content Checks: Detected and will convert HTML message to plain text in h83AtXPq010487 Sep 3 12:56:01 vmx10 MailScanner[13788]: Content Checks: Detected and will convert HTML message to plain text in h83AtrPn010901 Sep 3 12:56:02 vmx10 MailScanner[12831]: Virus and Content Scanning: Starting Sep 3 12:56:02 vmx10 MailScanner[12208]: Virus and Content Scanning: Starting Sep 3 12:56:04 vmx10 MailScanner[15550]: Uninfected: Delivered 5 messages Sep 3 12:56:04 vmx10 MailScanner[11992]: Uninfected: Delivered 4 messages Sep 3 12:56:04 vmx10 MailScanner[11992]: New Batch: Found 142 messages waiting Sep 3 12:56:04 vmx10 MailScanner[11992]: New Batch: Scanning 57 messages, 221554 bytes Sep 3 12:56:04 vmx10 MailScanner[11992]: Spam Checks: Starting Sep 3 12:56:04 vmx10 MailScanner[10513]: Uninfected: Delivered 2 messages Sep 3 12:56:04 vmx10 MailScanner[10513]: New Batch: Found 140 messages waiting Sep 3 12:56:04 vmx10 MailScanner[10513]: New Batch: Scanning 1 messages, 3789 bytes Sep 3 12:56:04 vmx10 MailScanner[10513]: Spam Checks: Starting Sep 3 12:56:04 vmx10 MailScanner[16150]: Uninfected: Delivered 3 messages Sep 3 12:56:05 vmx10 MailScanner[10261]: New Batch: Found 143 messages waiting Sep 3 12:56:05 vmx10 MailScanner[10261]: New Batch: Scanning 3 messages, 25005 bytes Sep 3 12:56:05 vmx10 MailScanner[10261]: Spam Checks: Starting Sep 3 12:56:05 vmx10 MailScanner[10513]: Virus and Content Scanning: Starting Sep 3 12:56:05 vmx10 MailScanner[11768]: New Batch: Found 145 
messages waiting Sep 3 12:56:05 vmx10 MailScanner[11768]: New Batch: Scanning 2 messages, 33156 bytes Sep 3 12:56:05 vmx10 MailScanner[11768]: Spam Checks: Starting Sep 3 12:56:05 vmx10 MailScanner[10261]: Virus and Content Scanning: Starting Sep 3 12:56:05 vmx10 MailScanner[11768]: Virus and Content Scanning: Starting Sep 3 12:56:07 vmx10 MailScanner[14541]: Content Checks: Need to convert HTML to plain text in 2 messages Sep 3 12:56:07 vmx10 MailScanner[14541]: Content Checks: Detected and will convert HTML message to plain text in h83AtdPl010629 Sep 3 12:56:07 vmx10 MailScanner[14541]: Content Checks: Detected and will convert HTML message to plain text in h83AtcPm010603 Sep 3 12:56:07 vmx10 MailScanner[16578]: New Batch: Found 159 messages waiting Sep 3 12:56:07 vmx10 MailScanner[16578]: New Batch: Scanning 15 messages, 415000 bytes Sep 3 12:56:07 vmx10 MailScanner[16578]: Spam Checks: Starting Sep 3 12:56:08 vmx10 MailScanner[13788]: Uninfected: Delivered 2 messages Sep 3 12:56:08 vmx10 MailScanner[13788]: New Batch: Found 155 messages waiting Sep 3 12:56:08 vmx10 MailScanner[13788]: New Batch: Scanning 1 messages, 362618 bytes Sep 3 12:56:08 vmx10 MailScanner[13788]: Spam Checks: Starting Sep 3 12:56:09 vmx10 MailScanner[13788]: Virus and Content Scanning: Starting Sep 3 12:56:10 vmx10 MailScanner[10261]: Content Checks: Need to convert HTML to plain text in 2 messages Sep 3 12:56:10 vmx10 MailScanner[10261]: Content Checks: Detected and will convert HTML message to plain text in h83AtsPp010924 Sep 3 12:56:10 vmx10 MailScanner[10261]: Content Checks: Detected and will convert HTML message to plain text in h83AtdPn010628 Sep 3 12:56:12 vmx10 MailScanner[16578]: Virus and Content Scanning: Starting Sep 3 12:56:14 vmx10 MailScanner[10513]: Uninfected: Delivered 1 messages Sep 3 12:56:14 vmx10 MailScanner[10513]: New Batch: Found 169 messages waiting Sep 3 12:56:14 vmx10 MailScanner[10513]: New Batch: Scanning 18 messages, 821417 bytes Sep 3 12:56:14 vmx10 
MailScanner[10513]: Spam Checks: Starting Sep 3 12:56:15 vmx10 MailScanner[16150]: New Batch: Found 168 messages waiting Sep 3 12:56:15 vmx10 MailScanner[16150]: New Batch: Scanning 1 messages, 190027 bytes Sep 3 12:56:15 vmx10 MailScanner[16150]: Spam Checks: Starting Sep 3 12:56:15 vmx10 MailScanner[16150]: Virus and Content Scanning: Starting [root@fallback vmx10]# > > > What processes are running? > > > ps ax | grep -i mail [root@vmx10 mqueue]# ps ax | grep -i mail 3060 ? S 0:58 sendmail: accepting connections 3065 ? S 0:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue 3071 ? S 0:00 sendmail: Queue runner@00:05:00 for /var/spool/mqueue 3089 ? S 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 13109 ? S 0:00 sendmail: server qn-212-58-177-65.quicknet.nl [212.58.177.65] cmd read 15643 ? S 0:00 sendmail: server qn-212-127-170-234.quicknet.nl [212.127.170.234] cmd read 17522 ? S 0:01 sendmail: server qn-213-73-202-23.quicknet.nl [213.73.202.23] cmd read 17529 ? S 0:00 sendmail: server qn-212-127-128-210.quicknet.nl [212.127.128.210] cmd read 19948 ? S 0:00 sendmail: server [62.65.190.67] cmd read 20729 ? S 0:00 sendmail: server qn-212-127-128-210.quicknet.nl [212.127.128.210] cmd read 20909 ? S 0:00 sendmail: server 200-206-188-107.dsl.telesp.net.br [200.206.188.107] cmd read 23868 ? S 0:00 sendmail: h8391LPl023868 noba.nl [194.109.53.73]: DATA 27339 ? S 0:00 sendmail: h8397VPl027339 ecnwall.ecn.nl [130.112.251.6]: DATA 29707 ? S 0:00 sendmail: h839C0Pl029707 ecnwall.ecn.nl [130.112.251.6]: DATA 29767 ? S 0:00 sendmail: h839C6Pl029767 ecnwall.ecn.nl [130.112.251.6]: DATA 31644 ? S 0:00 sendmail: h839FcPn031644 qn-213-73-165-143.quicknet.nl [213.73.165.143]: DATA 32512 ? S 0:00 sendmail: h839GxPl032512 qn-212-58-177-65.quicknet.nl [212.58.177.65]: DATA 1252 ? S 0:03 sendmail: h839J9Pm001252 qn-212-127-192-40.quicknet.nl [212.127.192.40]: DATA 2110 ? 
S 0:00 sendmail: h839LBPl002110 qn-212-127-198-40.quicknet.nl [212.127.198.40]: DATA 7518 ? S 0:00 sendmail: h839UwPl007518 pD9EB7AC9.dip.t-dialin.net [217.235.122.201]: DATA 11199 ? S 0:00 sendmail: h839buPl011199 dslam152-237-59-62.adsl.zonnet.nl [62.59.237.152]: DATA 12706 ? S 0:00 sendmail: h839eQPl012706 dslam152-237-59-62.adsl.zonnet.nl [62.59.237.152]: DATA 14007 ? S 0:00 sendmail: server smtp1.versatel.com [62.58.16.73] cmd read 19003 ? S 0:00 sendmail: h839p1Pl019003 qn-212-58-177-65.quicknet.nl [212.58.177.65]: DATA 20124 ? S 0:00 sendmail: server [219.234.162.82] cmd read 25734 ? S 0:00 sendmail: server qn-212-127-177-74.quicknet.nl [212.127.177.74] cmd read 26390 ? S 0:00 sendmail: h83A1RPl026390 user-ae99ee.user.msu.edu [35.11.245.183]: DATA 32560 ? S 0:00 sendmail: h83A9cPl032560 qn-212-127-177-74.quicknet.nl [212.127.177.74]: DATA 313 ? S 0:00 sendmail: server [65.89.167.20] cmd read 896 ? S 0:00 sendmail: server mailserver.kadaster.nl [145.77.103.3] cmd read 4117 ? S 0:00 sendmail: server p508794FB.dip.t-dialin.net [80.135.148.251] cmd read 6086 ? S 0:00 sendmail: server c213-89-202-106.cm-upc.chello.se [213.89.202.106] cmd read 8400 ? S 0:00 sendmail: server qn-212-127-177-74.quicknet.nl [212.127.177.74] cmd read 10176 ? S 0:00 sendmail: server h31.122.114.64.cablerocket.net [64.114.122.31] (may be forged) cmd read 10261 ? S 8:46 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 10285 ? S 0:00 sendmail: h83ALJPl010285 qn-212-58-184-161.quicknet.nl [212.58.184.161]: DATA 10513 ? D 7:43 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 11768 ? S 6:43 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 11992 ? R 7:20 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 12208 ? R 7:36 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 12645 ? 
R 6:33 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 12831 ? D 5:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 13124 ? D 7:11 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 13788 ? R 6:54 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 14541 ? R 7:51 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 14721 ? S 0:00 sendmail: server h31.122.114.64.cablerocket.net [64.114.122.31] (may be forged) cmd read 15550 ? D 6:49 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 16150 ? S 5:54 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 16332 ? R 6:07 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 16578 ? D 6:12 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 16745 ? S 0:00 sendmail: h83ARwPl016745 dslam152-237-59-62.adsl.zonnet.nl [62.59.237.152]: DATA 21752 ? S 0:00 sendmail: h83AX4Pl021752 qn-213-73-214-107.quicknet.nl [213.73.214.107]: DATA 24361 ? S 0:00 sendmail: h83AZaPl024361 qn-212-127-131-211.quicknet.nl [212.127.131.211]: DATA 29830 ? S 0:00 sendmail: server smtpzilla5.xs4all.nl [194.109.127.141] cmd read 31223 ? D 0:00 sendmail: ./h830glL0006017 smartrelay.multikabel.net.: client DATA 354 31955 ? S 0:00 sendmail: server mail4.wehkamp.nl [194.151.96.131] cmd read 32059 ? S 0:00 sendmail: server mail2.wehkamp.nl [194.151.96.3] cmd read 32464 ? S 0:00 sendmail: server pcp01847262pcs.southk01.tn.comcast.net [68.47.244.85] cmd read 2916 ? S 0:00 sendmail: ./h833GNTW014802 from queue 3681 ? S 0:00 sendmail: h83AmOPl003681 pcp02513789pcs.towson01.md.comcast.net [68.34.1.178]: DATA 4049 ? 
S 0:00 sendmail: h83AmnPl004049 qn-213-73-190-117.quicknet.nl [213.73.190.117]: DATA 5476 ? S 0:00 sendmail: h83AoJPm005476 qn-213-73-178-9.quicknet.nl [213.73.178.9]: DATA 5896 ? S 0:00 sendmail: h83AoiPl005896 qn-213-73-159-189.quicknet.nl [213.73.159.189]: DATA 6063 ? S 0:00 sendmail: h83AouPl006063 qn-212-58-180-54.quicknet.nl [212.58.180.54]: DATA 6211 ? S 0:00 sendmail: h83Ap5Pl006211 qn-213-73-165-143.quicknet.nl [213.73.165.143]: DATA 7186 ? S 0:00 sendmail: h83Aq4Pn007186 qn-213-73-240-147.quicknet.nl [213.73.240.147]: DATA 7683 ? S 0:00 sendmail: h83AqYPl007683 dslam152-237-59-62.adsl.zonnet.nl [62.59.237.152]: DATA 7694 ? D 0:00 sendmail: ./h837AAPl025670 smartrelay.multikabel.net.: client DATA 354 7710 ? S 0:00 sendmail: h83AqaPn007710 qn-213-73-130-45.quicknet.nl [213.73.130.45]: DATA 8667 ? S 0:00 sendmail: h83ArbPl008667 qn-213-73-219-235.quicknet.nl [213.73.219.235]: DATA 9260 ? S 0:00 sendmail: h83AsDPl009260 qn-212-58-178-197.quicknet.nl [212.58.178.197]: DATA 9372 ? S 0:00 sendmail: h83AsPPl009372 mail2.mindef.nl [217.169.231.203]: DATA 11443 ? D 0:00 sendmail: smartrelay.multikabel.net.: idle 11477 ? S 0:00 sendmail: h83AuLPl011477 [61.42.121.78]: DATA 11646 ? S 0:00 sendmail: server smtpzilla1.xs4all.nl [194.109.127.137] cmd read 11658 ? S 0:00 sendmail: server ms3.zion4.com [216.128.86.2] cmd read 11774 ? S 0:00 sendmail: server qn-212-127-154-61.quicknet.nl [212.127.154.61] cmd read 11800 ? R 0:00 sendmail: smartrelay.multikabel.net.: idle 11868 ? D 0:00 sendmail: smartrelay.multikabel.net.: idle 11933 ? D 0:00 sendmail: smartrelay.multikabel.net.: idle 11997 ? S 0:00 sendmail: h83AvOPl011997 adsl-63-198-190-123.dsl.snfc21.pacbell.net [63.198.190.123]: DATA 12002 ? D 0:00 sendmail: smartrelay.multikabel.net.: idle 12003 ? S 0:00 sendmail: h83AvPPl012003 adsl-200-105-142-34.acelerate.com [200.105.142.34]: DATA 12027 ? S 0:00 sendmail: h83AvQPl012027 [210.212.244.7]: DATA 12032 ? 
S 0:00 sendmail: h83AvQPl012032 mx69.ofmx6.com [216.128.76.69]: MAIL FROM 12067 ? S 0:00 sendmail: h83AvUPl012067 xs195-241-221-127.dial.tiscali.nl [195.241.221.127]: DATA 12097 ? D 0:00 sendmail: running queue: /var/spool/mqueue 12106 ? D 0:00 sendmail: smartrelay.multikabel.net.: idle 12107 ? S 0:00 sendmail: h83AvVPl012107 qn-213-73-227-243.quicknet.nl [213.73.227.243]: DATA 12113 ? D 0:00 sendmail: running queue: /var/spool/mqueue 12161 ? S 0:00 sendmail: server alb-24-195-174-246.nycap.rr.com [24.195.174.246] cmd read 12162 ? S 0:00 sendmail: ./h83AjAIG000736 from queue 12163 ? D 0:00 sendmail: smartrelay.multikabel.net.: idle 12165 ? S 0:00 sendmail: startup with 200.49.41.226 12170 ? D 0:00 /usr/sbin/sendmail -qIh83AuWPl011560 -qIh83AuKPm011457 -qIh83AuUPl011544 -qIh83AuWPl011564 -qIh83AuYPl011568 -qIh83AuVPl011554 -qIh83AuXPl011566 -qIh83AuWPl011558 -qIh83AuTPm011532 12177 ? D 0:00 sendmail: running queue: /var/spool/mqueue 12210 ? S 0:00 sendmail: server qn-213-73-183-65.quicknet.nl [213.73.183.65] cmd read 12221 ? S 0:00 sendmail: server dns1.abc.com.py [200.61.117.238] cmd read 12226 ? D 0:00 /usr/sbin/sendmail -qIh83AvUPl012066 12228 ? D 0:00 /usr/sbin/sendmail -qIh83AuZPn011571 -qIh83AucPl011606 -qIh83AubPl011595 -qIh83AuSPl011520 -qIh83AubPl011601 -qIh83AuaPl011587 -qIh83AuaPl011581 -qIh83AuZPl011576 -qIh83AuaPl011584 -qIh83AuZPl011579 -qIh83AuaPl011588 -qIh83AubPl011600 -qIh83AucPl011602 12229 ? S 0:00 sendmail: h83AvgPl012229 [66.154.20.110]: DATA 12231 ? D 0:00 /usr/sbin/sendmail -qIh83AuqPm011716 -qIh83Av6Pl011861 -qIh83Av9Pl011918 -qIh83Av8Pl011914 -qIh83Av5Pl011857 -qIh83Av7Pl011895 -qIh83Av7Pl011909 -qIh83ApxPl007099 -qIh83Av8Pl011917 12235 ? S 0:00 sendmail: h83AvgPl012235 qn-213-73-152-24.quicknet.nl [213.73.152.24]: DATA 12239 ? D 0:00 sendmail: running queue: /var/spool/mqueue 12240 ? D 0:00 sendmail: running queue: /var/spool/mqueue 12241 ? D 0:00 sendmail: running queue: /var/spool/mqueue 12244 pts/1 S 0:00 grep -i mail 12246 ? 
R 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
[root@vmx10 mqueue]#

Bye,
Raymond.

From kylist at SHCORP.COM Wed Sep 3 14:02:24 2003
From: kylist at SHCORP.COM (Kurt Yoder)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030903084933.57527.qmail@web41414.mail.yahoo.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649689@pascal.priv.bmrb.co.uk> <20030903084933.57527.qmail@web41414.mail.yahoo.com>
Message-ID: <36591.10.10.1.71.1062594144.squirrel@webmailtest.shcorp.com>

lester lasad said:
>
>
> "Spicer, Kevin" wrote:
> Which queue?
>
> All are in the mqueue.in
>
> As I said, if you're happy to bypass MailScanner to get the mail
> delivered follow the instructions below.
>
> Tried running your commands and received the following:
>
>> service MailScanner stop
>
> Shutting down MailScanner daemons:
>
> MailScanner: [ OK ]
>
> incoming sendmail: [ OK ]
>
> outgoing sendmail: [ OK ]
>
>> mv /var/spool/mqueue.in/* /var/spool/mqueue
>
> sh: line 1: /bin/mv: Argument list too long

Here's a trick to get around this:

stop mailscanner as above

(stop sendmail service)
/etc/init.d/sendmail stop

mv /var/spool/mqueue /var/spool/mqueue.old
mv /var/spool/mqueue.in /var/spool/mqueue
mv /var/spool/mqueue.old /var/spool/mqueue.in

(start sendmail service)
/etc/init.d/sendmail start

Now sendmail should grab *everything* in the folder you just renamed to mqueue and deliver it.

--
Kurt Yoder
Sport & Health network administrator

From Kevin.Spicer at BMRB.CO.UK Wed Sep 3 14:09:20 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649696@pascal.priv.bmrb.co.uk>

> mv /var/spool/mqueue /var/spool/mqueue.old
> mv /var/spool/mqueue.in /var/spool/mqueue
> mv /var/spool/mqueue.old /var/spool/mqueue.in
>

Or simply...

find /var/spool/mqueue.in -type f -exec mv {} /var/spool/mqueue ';'

either way make sure you stop sendmail while doing this or you could get empty messages delivered.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From zfajfr at krnap.cz Wed Sep 3 14:17:11 2003
From: zfajfr at krnap.cz (Zdeněk Fajfr)
Date: Thu Jan 12 21:19:44 2006
Subject: Spam Action "Forward" doesn't work
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 2950 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030903/c3c0856b/attachment.jpe

From Kevin.Spicer at BMRB.CO.UK Wed Sep 3 14:32:38 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:44 2006
Subject: Spam Action "Forward" doesn't work
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649697@pascal.priv.bmrb.co.uk>

Zdenek Fajfr wrote:
> Hi all,
> I have a little problem with the spam action "forward".

Please don't post html messages to mailing lists - especially those with images, particularly background images. Wasting bandwidth and disk storage is what we have users for ;)

Thanks

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From chris at TRUDEAU.ORG Wed Sep 3 14:30:38 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:19:44 2006
Subject: Spam Action "Forward" doesn't work
References:
Message-ID: <004701c3721f$90690460$5702010a@mscore.trusecure.net>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 2950 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030903/9554181e/attachment.jpe

From Janssen at RZ.UNI-FRANKFURT.DE Wed Sep 3 14:29:51 2003
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
References:
Message-ID:

On Wed, 3 Sep 2003, Raymond Dijkxhoorn wrote:

> > Please run both of the commands and send me the output.
> >
> > What processes are running?
> >
> > ps ax | grep -i mail
>
> [root@vmx10 mqueue]# ps ax | grep -i mail

[snip sendmail procs]

> qn-212-58-184-161.quicknet.nl [212.58.184.161]: DATA
> 10513 ? D 7:43 /usr/bin/perl -I/usr/lib/MailScanner

"D" means "uninterruptible sleep" (while doing I/O). This is bad. You can't even kill those processes with -9 Option (you shouldn't use kill -9 with MS anyway...). In case the "D" state lasts long it's very bad. Those processes are idle waiting for disk I/O.

ps -C MailScanner o pid,wchan
strace -p <pid>
ls -l /proc/<pid>/fd/

might give further information what's going wrong (1: full name of the wait channel; 2: last system call yet in process; 3: open file descriptors). This should work well on GNU/Linux Systems.

regards
Michael

From zfajfr at krnap.cz Wed Sep 3 14:42:11 2003
From: zfajfr at krnap.cz (Zdeněk Fajfr)
Date: Thu Jan 12 21:19:44 2006
Subject: Spam Action "Forward" doesn't work
In-Reply-To: <004701c3721f$90690460$5702010a@mscore.trusecure.net>
Message-ID:

I tried it without bounce flag with the same results. I also tried to put there just

Spam Actions = forward postmaster@krnap.cz
High Scoring Spam Actions = forward postmaster@krnap.cz

with no success

Zdenek

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Chris Trudeau
Sent: Wednesday, September 03, 2003 3:31 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Spam Action "Forward" doesn't work

I may be wrong, but I believe if you bounce a message, the system treats that message as if it weren't received therefore does nothing more with it...Try removing the bounce from your config, restarting mailscanner and see if that makes a difference.

CT

----- Original Message -----
From: Zdeněk Fajfr
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Wednesday, September 03, 2003 9:17 AM
Subject: Spam Action "Forward" doesn't work

Hi all,
I have a little problem with the spam action "forward". Here are the two lines from MailScanner.conf dealing with spam actions:

Spam Actions = store forward postmaster@krnap.cz bounce
High Scoring Spam Actions = store forward postmaster@krnap.cz bounce

I just modified the suggested default values. Unfortunately NO forwarding occurs!!!

Here is what MailScanner writes into mail logfile for every caught spam message:

Sep 3 14:46:44 ns MailScanner[18921]: New Batch: Scanning 2 messages, 101903 bytes
Sep 3 14:46:44 ns MailScanner[18921]: Spam Checks: Starting
Sep 3 14:46:52 ns MailScanner[18921]: Message h83CkgIb019316 from 192.168.248.153 (sales@defsol.se) to ns.krnap.cz is spam, SpamAssassin (skore=10.5, vyzaduje 5, DATE_IN_PAST_96_XX 1.63, FORGED_MUA_OUTLOOK 3.48, MICROSOFT_EXECUTABLE 0.10, MIME_BOUND_NEXTPART 0.35, MIME_MISSING_BOUNDARY 0.16, MISSING_MIMEOLE 0.50, MSG_ID_ADDED_BY_MTA_3 0.67, NO_REAL_NAME 0.82, RAZOR2_CHECK 2.06, RCVD_IN_OSIRUSOFT_COM 0.55)
Sep 3 14:46:52 ns MailScanner[18921]: Spam Checks: Found 1 spam messages
Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316 actions are bounce,store,forward,postmaster@krnap.cz
Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: (SpamAssassin) Bounce to sales@defsol.se

The message is apparently bounced back to sender, it is also stored in quarantine but what about forwarding to postmaster? It's essential for me to know what messages have been marked as spam to be able to recognize false positives and take appropriate actions (changes in configuration, let the recipients know etc.)
Could anybody help me where did I go wrong in configuration?

I use MailScanner-4.23-11 with sendmail 8.12.9, SpamAssassin 2.55 and Clamav antivirus on Linux Mandrake 9.1

Thanks a lot for any help

Z. Fajfr

BTW: I regard MailScanner as an amazing piece of software, for it is very powerful, and yet relatively easy to configure (compare to clamav-milter, and especially Amavis)

***********************************************
Zdenek Fajfr
Department of Informatics & GIS
The Krkonose Mts. National Park Adm.
Dobrovskeho 3
54311 Vrchlabi
Czech Republic
The Heart of Europe
***********************************************
Tel: (+420) 499 456 232, 737 225 439
Fax: (+420) 499 456 216, 499 422 095
E-mail: zfajfr@krnap.cz, zfajfr@click.cz
Web: http://www.krnap.cz
***********************************************

From zfajfr at krnap.cz Wed Sep 3 14:42:45 2003
From: zfajfr at krnap.cz (Zdeněk Fajfr)
Date: Thu Jan 12 21:19:44 2006
Subject: Spam Action "Forward" doesn't work
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649697@pascal.priv.bmrb.co.uk>
Message-ID:

sorry for the html format in my message

Z.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Spicer, Kevin
Sent: Wednesday, September 03, 2003 3:33 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Spam Action "Forward" doesn't work

Zdenek Fajfr wrote:
> Hi all,
> I have a little problem with the spam action "forward".

Please don't post html messages to mailing lists - especially those with images, particularly background images. Wasting bandwidth and disk storage is what we have users for ;)

Thanks

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From joan.bryan at KCL.AC.UK Wed Sep 3 14:41:59 2003
From: joan.bryan at KCL.AC.UK (Joan Bryan)
Date: Thu Jan 12 21:19:44 2006
Subject: It seems that viruses CAN slip through MailScanner under high load!
In-Reply-To:
References:
Message-ID:

Hi

Bad news I'm afraid. We've just upgraded to MailScanner 4.23-11 and viruses are still slipping through. Admittedly our server is still under load.

Thanks for any help.

Joan

On Fri, 29 Aug 2003 03:16:47 +0100 Brian Hoy wrote:

> Hi all,
>
> Thanks to everyone for their comments and advice. It is very much
> appreciated. And especially to Julian for finding and fixing the problem so
> quickly!
>
> Our sendmail config does have the load settings configured that many of you
> mentioned, but still the mail was flowing in! The input queue was growing
> faster than Mailscanner could scan it, and the problem just kept compounding.
>
> The reason is that the "load average" stats are not always a good measure of
> the real stress that the machine is under. If a machine is heavily using
> swap space, then the disks and motherboard I/O bandwidth are being consumed
> (and CPU also if the disks are ATA, rather than SCSI), yet no useful work is
> being done.
>
> If a process is waiting on a page fault, I do not think that it is placed in
> the OS's run queue until the page is loaded (and another page swapped out -
> still more disk I/O!). If this is true then the load average does not
> increase, yet the machine is clearly starting to struggle with the load.
> This is what happened to us the other day.
>
> If you want to experiment with this idea, compile this C program:
>
> // Compile with gcc -o vm_tester vm_tester.c
> //
> #include <stdio.h>
> #include <stdlib.h>
>
> #define NUM_PASSES 10
> #define MB_TO_ALLOC 128
> #define BYTES_TO_ALLOC (MB_TO_ALLOC * 1024*1024)
>
> int main(void)
> {
>     char *mem;
>     int pass, r, c;
>
>     if ((mem = (char *) malloc(BYTES_TO_ALLOC)) == NULL)
>     {
>         printf("malloc() failed");
>         exit(-1);
>     }
>
>     for (pass=0; pass<NUM_PASSES; pass++)
>     {
>         for (c=0; c<4096; c++)
>         {
>             for (r=0; r<BYTES_TO_ALLOC/4096; r++)
>             {
>                 mem[r*4096 + c]++;
>             }
>         }
>     }
>
>     return 0;
> }
>
> // -----------------------------------------------
>
> It allocates 128M of RAM, and increments bytes in a way that generates as
> many page faults as possible. As an initial suggestion, run as many of
> these programs as needed to consume all your RAM and watch your other
> processes struggle to get a slice of the CPU. BTW, don't do this on a
> production server, or try to consume more memory than your total VM - you
> have been warned!
>
> Use top and vmstat to watch things. If you start running more of these
> programs, then you find that the load average does not increase that much,
> but your disks are flat out, and machine responsiveness goes right out the
> window (esp on ATA disks).
>
> I still think my suggestion (in my first post) for an "unfair" way of
> selecting messages for scanning under "high load" has merit. When our mail
> gateway was stressed out the other day, I was using strace to monitor the
> system calls in the MailScanner processes, and they were spending 5-30mins
> just doing the stat() calls before locking messages for scanning.
>
> When your machine is really overloaded, let's do anything to concentrate the
> meagre available resources on clearing the queue in the most expedient fashion.
>
> Perhaps "high load" can be determined by the length of the input queue
> (rather than the misleading system load average), and be user configurable.
>
> For example, if the input queue has in excess of 1000 messages waiting, peel
> off any 30 for scanning. Ensure that no other MailScanner process evaluates
> the length of the queue until a user configurable time has passed (15
> mins?). I know this is easier said than done, but I think it really would
> help when the machine is steaming up shit creek.
>
> Another thought....Sendmail names all its df and qf files, such that an
> alphabetical listing is sorted by ascending time order too! If the other
> MTAs are the same, then perhaps this fact could be used to remove all the
> stat()s and still meet the fairness algorithm?
>
> Comments anyone?
>
> Regards,
> Brian

----------------------
Joan Bryan
Unix Systems Administrator
Information Systems
Telephone: +44 (0) 20 7848 2671
mailto:joan.bryan@kcl.ac.uk

From mailscanner at ecs.soton.ac.uk Wed Sep 3 14:53:20 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:44 2006
Subject: Spam Action "Forward" doesn't work
In-Reply-To:
References: <004701c3721f$90690460$5702010a@mscore.trusecure.net>
Message-ID: <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk>

And you are restarting/reloading MailScanner after you change the conf file?

At 14:42 03/09/2003, you wrote:
>I tried it without bounce flag with the same results. I also tried to put
>there just
>
>Spam Actions = forward postmaster@krnap.cz
>High Scoring Spam Actions = forward postmaster@krnap.cz
>
>with no success
>
>
>Zdenek
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf
>Of Chris Trudeau
>Sent: Wednesday, September 03, 2003 3:31 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Spam Action "Forward" doesn't work
>
>
>I may be wrong, but I believe if you bounce a message, the system treats
>that message as if it weren't received therefore does nothing more with
>it...Try removing the bounce from your config, restarting mailscanner and
>see if that makes a difference.
>
>CT
>
>----- Original Message -----
>From: Zdeněk Fajfr
>To: MAILSCANNER@JISCMAIL.AC.UK
>Sent: Wednesday, September 03, 2003 9:17 AM
>Subject: Spam Action "Forward" doesn't work
>
>
>Hi all,
>I have a little problem with the spam action "forward". Here are the two
>lines from MailScanner.conf dealing with spam actions:
>
>Spam Actions = store forward postmaster@krnap.cz bounce
>High Scoring Spam Actions = store forward postmaster@krnap.cz bounce
>
>I just modified the suggested default values. Unfortunately NO forwarding
>occurs!!!
>
>Here is what MailScanner writes into mail logfile for every caught spam
>message:
>
>Sep 3 14:46:44 ns MailScanner[18921]: New Batch: Scanning 2 messages,
>101903 bytes
>Sep 3 14:46:44 ns MailScanner[18921]: Spam Checks: Starting
>Sep 3 14:46:52 ns MailScanner[18921]: Message h83CkgIb019316 from
>192.168.248.153 (sales@defsol.se) to ns.krnap.cz is spam, SpamAssassin
>(skore=10.5, vyzaduje 5, DATE_IN_PAST_96_XX 1.63, FORGED_MUA_OUTLOOK 3.48,
>MICROSOFT_EXECUTABLE 0.10, MIME_BOUND_NEXTPART 0.35, MIME_MISSING_BOUNDARY
>0.16, MISSING_MIMEOLE 0.50, MSG_ID_ADDED_BY_MTA_3 0.67, NO_REAL_NAME 0.82,
>RAZOR2_CHECK 2.06, RCVD_IN_OSIRUSOFT_COM 0.55)
>Sep 3 14:46:52 ns MailScanner[18921]: Spam Checks: Found 1 spam messages
>Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316
>actions are bounce,store,forward,postmaster@krnap.cz
>Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: (SpamAssassin) Bounce
>to sales@defsol.se
>
>The message is apparently bounced back to sender, it is also stored in
>quarantine but what about forwarding to postmaster? It's essential for me to
>know what messages have been marked as spam to be able to recognize false
>positives and take appropriate actions (changes in configuration, let the
>recipients know etc.)
>Could anybody help me where did I go wrong in configuration?
>
>I use MailScanner-4.23-11 with sendmail 8.12.9, SpamAssassin 2.55 and Clamav
>antivirus on Linux Mandrake 9.1
>
>Thanks a lot for any help
>
>Z. Fajfr
>
>BTW: I regard MailScanner as an amazing piece of software, for it is very
>powerful, and yet relatively easy to configure (compare to clamav-milter,
>and especially Amavis)
>
>
>
>***********************************************
>Zdenek Fajfr
>Department of Informatics & GIS
>The Krkonose Mts. National Park Adm.
>Dobrovskeho 3
>54311 Vrchlabi
>Czech Republic
>The Heart of Europe
>***********************************************
>Tel: (+420) 499 456 232, 737 225 439
>Fax: (+420) 499 456 216, 499 422 095
>E-mail: zfajfr@krnap.cz, zfajfr@click.cz
>Web: http://www.krnap.cz
>***********************************************

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 14:52:33 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:44 2006
Subject: It seems that viruses CAN slip through MailScanner under high load!
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030903145054.046aac30@imap.ecs.soton.ac.uk>

Please can you double and triple check that you have the correct version of SweepViruses.pm.
Please
pwd
ls -l SweepViruses.pm
sum SweepViruses.pm
and mail me the output.

At 14:41 03/09/2003, you wrote:
>Hi
>
>Bad news I'm afraid. We've just upgraded to MailScanner 4.23-11 and
>viruses are still slipping through. Admittedly our server is still
>under load.
>
>Thanks for any help.
>
>Joan
>
>
>
>On Fri, 29 Aug 2003 03:16:47 +0100 Brian Hoy
>wrote:
>
> > Hi all,
> >
> > Thanks to everyone for their comments and advice. It is very much
> > appreciated. And especially to Julian for finding and fixing the
> problem so
> > quickly!
> >
> > Our sendmail config does have the load settings configured that many of you
> > mentioned, but still the mail was flowing in! The input queue was growing
> > faster than Mailscanner could scan it, and the problem just kept
> compounding.
> >
> > The reason is that the "load average" stats are not always a good
> measure of
> > the real stress that the machine is under. If a machine is heavily using
> > swap space, then the disks and motherboard I/O bandwidth are being consumed
> > (and CPU also if the disks are ATA, rather than SCSI), yet no useful
> work is
> > being done.
> >
> > If a process is waiting on a page fault, I do not think that it is
> placed in
> > the OS's run queue until the page is loaded (and another page swapped out -
> > still more disk I/O!). If this is true then the load average does not
> > increase, yet the machine is clearly starting to struggle with the load.
> > This is what happened to us the other day.
> >
> > If you want to experiment with this idea, compile this C program:
> >
> > // Compile with gcc -o vm_tester vm_tester.c
> > //
> > #include <stdio.h>
> > #include <stdlib.h>
> >
> > #define NUM_PASSES 10
> > #define MB_TO_ALLOC 128
> > #define BYTES_TO_ALLOC (MB_TO_ALLOC * 1024*1024)
> >
> > int main(void)
> > {
> >     char *mem;
> >     int pass, r, c;
> >
> >     if ((mem = (char *) malloc(BYTES_TO_ALLOC)) == NULL)
> >     {
> >         printf("malloc() failed");
> >         exit(-1);
> >     }
> >
> >     for (pass=0; pass<NUM_PASSES; pass++)
> >     {
> >         for (c=0; c<4096; c++)
> >         {
> >             for (r=0; r<BYTES_TO_ALLOC/4096; r++)
> >             {
> >                 mem[r*4096 + c]++;
> >             }
> >         }
> >     }
> >
> >     return 0;
> > }
> >
> > // -----------------------------------------------
> >
> > It allocates 128M of RAM, and increments bytes in a way that generates as
> > many page faults as possible. As an initial suggestion, run as many of
> > these programs as needed to consume all your RAM and watch your other
> > processes struggle to get a slice of the CPU. BTW, don't do this on a
> > production server, or try to consume more memory than your total VM - you
> > have been warned!
> >
> > Use top and vmstat to watch things. If you start running more of these
> > programs, then you find that the load average does not increase that much,
> > but your disks are flat out, and machine responsiveness goes right out the
> > window (esp on ATA disks).
> >
> > I still think my suggestion (in my first post) for an "unfair" way of
> > selecting messages for scanning under "high load" has merit. When our mail
> > gateway was stressed out the other day, I was using strace to monitor the
> > system calls in the MailScanner processes, and they were spending 5-30mins
> > just doing the stat() calls before locking messages for scanning.
> >
> > When your machine is really overloaded, let's do anything to concentrate the
> > meagre available resources on clearing the queue in the most expedient
> fashion.
> >
> > Perhaps "high load" can be determined by the length of the input queue
> > (rather than the misleading system load average), and be user configurable.
> >
> > For example, if the input queue has in excess of 1000 messages waiting,
> peel
> > off any 30 for scanning. Ensure that no other MailScanner process
> evaluates
> > the length of the queue until a user configurable time has passed (15
> > mins?). I know this is easier said than done, but I think it really would
> > help when the machine is steaming up shit creek.
> >
> > Another thought....Sendmail names all its df and qf files, such that an
> > alphabetical listing is sorted by ascending time order too! If the other
> > MTAs are the same, then perhaps this fact could be used to remove all the
> > stat()s and still meet the fairness algorithm?
> >
> > Comments anyone?
> >
> > Regards,
> > Brian
>
>----------------------
>Joan Bryan
>Unix Systems Administrator
>Information Systems
>Telephone: +44 (0) 20 7848 2671
>mailto:joan.bryan@kcl.ac.uk

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From michele at BLACKNIGHTSOLUTIONS.COM Wed Sep 3 15:07:25 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions)
Date: Thu Jan 12 21:19:44 2006
Subject: F-prot revisited
Message-ID: <200309031407.h83E7GM15445@camelot.blacknightsolutions.com>

I know this was discussed some time back, but sifting through older mail I can't see a clear answer.

Which version / license of F-Prot should be used for MailScanner on *nix ?

#########################################################
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited.

From joan.bryan at KCL.AC.UK Wed Sep 3 15:26:21 2003
From: joan.bryan at KCL.AC.UK (Joan Bryan)
Date: Thu Jan 12 21:19:44 2006
Subject: It seems that viruses CAN slip through MailScanner under high load!
In-Reply-To: <5.2.0.9.2.20030903145054.046aac30@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030903145054.046aac30@imap.ecs.soton.ac.uk>
Message-ID: <200309031421.h83ELN3T012177@angelo.kcl.ac.uk>

Message-ID:
Priority: NORMAL
X-Mailer: Execmail for Win32 5.1.1 Build (10)
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"

On Wed, 3 Sep 2003 14:52:33 +0100 Julian Field wrote:

> Please can you double and triple check that you have the correct version of
> SweepViruses.pm.
> Please
> pwd
/usr/local/MailScanner/lib/MailScanner
> ls -l SweepViruses.pm
-rwxr-xr-x 1 root root 68070 Aug 28 12:30 SweepViruses.pm
> sum SweepViruses.pm
49919 133 SweepViruses.pm

I have just corrected a probable misconfiguration on my part in MailScanner.conf in that the number of Unscanned messages per scan was higher than the Unsafe messages per scan. I've had no reported problems since 3pm.

Thanks for your help.

Joan

From chris at TRUDEAU.ORG Wed Sep 3 15:34:29 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:19:44 2006
Subject: Security/Policy question
References: <004701c3721f$90690460$5702010a@mscore.trusecure.net> <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk>
Message-ID: <008f01c37228$7bb45520$5702010a@mscore.trusecure.net>

This has likely already been discussed, but I can't quite piece together the rules logic and MTA components required to actually do this...I'm thinking it's part of "domain specific white/blacklisting" in the CustomerConfig.pm, but I'm not sure.

Consider the following scenario:

I have a mailscanner system providing service for several domains as a gateway. I would like to block email originating from any location OTHER than my assigned next hop mail gateways which has a sender address of that protected domain. See WEAK ASCII below:

example.com          MS
mail server        Gateway       Internet
     |                |              |
-----------------------------------------

so any mail that comes from the Internet with a sender domain of example.com should be blocked.

Any ideas

MTA is postfix.

CT

From david at PLATFORMHOSTING.COM Wed Sep 3 15:40:52 2003
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:19:44 2006
Subject: Spam Action "Forward" doesn't work
In-Reply-To: <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk>
References: <004701c3721f$90690460$5702010a@mscore.trusecure.net> <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk>
Message-ID: <3F55FD74.60007@platformhosting.com>

Julian,

I have noticed a similar thing, forward just doesn't seem to work for me either.

--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

Julian Field wrote:

> And you are restarting/reloading MailScanner after you change the conf
> file?
>
> At 14:42 03/09/2003, you wrote:
>
>> I tried it without bounce flag with the same results. I also tried to put
>> there just
>>
>> Spam Actions = forward postmaster@krnap.cz
>> High Scoring Spam Actions = forward postmaster@krnap.cz
>>
>> with no success
>>
>> Zdenek
>>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf
>> Of Chris Trudeau
>> Sent: Wednesday, September 03, 2003 3:31 PM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: Spam Action "Forward" doesn't work
>>
>> I may be wrong, but I believe if you bounce a message, the system treats
>> that message as if it weren't received therefore does nothing more with
>> it...Try removing the bounce from your config, restarting mailscanner and
>> see if that makes a difference.
>>
>> CT
>>
>> ----- Original Message -----
>> From: Zdeněk Fajfr
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Sent: Wednesday, September 03, 2003 9:17 AM
>> Subject: Spam Action "Forward" doesn't work
>>
>> Hi all,
>> I have a little problem with the spam action "forward". Here are the two
>> lines from MailScanner.conf dealing with spam actions:
>>
>> Spam Actions = store forward postmaster@krnap.cz bounce
>> High Scoring Spam Actions = store forward postmaster@krnap.cz bounce
>>
>> I just modified the suggested default values. Unfortunately NO forwarding
>> occurs!!!
>>
>> Here is what MailScanner writes into mail logfile for every caught spam
>> message:
>>
>> Sep 3 14:46:44 ns MailScanner[18921]: New Batch: Scanning 2 messages,
>> 101903 bytes
>> Sep 3 14:46:44 ns MailScanner[18921]: Spam Checks: Starting
>> Sep 3 14:46:52 ns MailScanner[18921]: Message h83CkgIb019316 from
>> 192.168.248.153 (sales@defsol.se) to ns.krnap.cz is spam, SpamAssassin
>> (skore=10.5, vyzaduje 5, DATE_IN_PAST_96_XX 1.63, FORGED_MUA_OUTLOOK 3.48,
>> MICROSOFT_EXECUTABLE 0.10, MIME_BOUND_NEXTPART 0.35, MIME_MISSING_BOUNDARY
>> 0.16, MISSING_MIMEOLE 0.50, MSG_ID_ADDED_BY_MTA_3 0.67, NO_REAL_NAME 0.82,
>> RAZOR2_CHECK 2.06, RCVD_IN_OSIRUSOFT_COM 0.55)
>> Sep 3 14:46:52 ns MailScanner[18921]: Spam Checks: Found 1 spam messages
>> Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316
>> actions are bounce,store,forward,postmaster@krnap.cz
>> Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: (SpamAssassin) Bounce
>> to sales@defsol.se
>>
>> The message is apparently bounced back to sender, it is also stored in
>> quarantine but what about forwarding to postmaster? It's essential for me to
>> know what messages have been marked as spam to be able to recognize false
>> positives and take appropriate actions (changes in configuration, let the
>> recipients know etc.)
>> Could anybody help me where did I go wrong in configuration?
>>
>> I use MailScanner-4.23-11 with sendmail 8.12.9, SpamAssassin 2.55 and Clamav
>> antivirus on Linux Mandrake 9.1
>>
>> Thanks a lot for any help
>>
>> Z. Fajfr
>>
>> BTW: I regard MailScanner as an amazing piece of software, for it is very
>> powerful, and yet relatively easy to configure (compare to clamav-milter,
>> and especially Amavis)
>>
>> ***********************************************
>> Zdenek Fajfr
>> Department of Informatics & GIS
>> The Krkonose Mts. National Park Adm.
>> Dobrovskeho 3
>> 54311 Vrchlabi
>> Czech Republic
>> The Heart of Europe
>> ***********************************************
>> Tel: (+420) 499 456 232, 737 225 439
>> Fax: (+420) 499 456 216, 499 422 095
>> E-mail: zfajfr@krnap.cz, zfajfr@click.cz
>> Web: http://www.krnap.cz
>> ***********************************************
>

========================================================================
This message has been scanned for viruses and unsafe content by
Platform Mail Security

To report SPAM forward the message to: spam@mailsecurity.net.au
To report incorrectly tagged messages: notspam@mailsecurity.net.au

Platform Mail Security www.mailsecurity.net.au
Platform Hosting www.platformhosting.com
========================================================================

From mailscanner at ecs.soton.ac.uk Wed Sep 3 15:38:02 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:44 2006
Subject: Spam Action "Forward" doesn't work
In-Reply-To: <3F55FD74.60007@platformhosting.com>
References: <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk> <004701c3721f$90690460$5702010a@mscore.trusecure.net> <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030903153748.0478d3c8@imap.ecs.soton.ac.uk>

Which MTA are you using? It appears to work on my sendmail setup.

At 15:40 03/09/2003, you wrote:
>Julian,
>
>I have noticed a similar thing, forward just doesn't seem to work for me
>either.
>
>--
>Regards,
>
>David Hooton
>Senior Partner
>Platform Hosting
>1300 85 HOST
>www.platformhosting.com
>
>Julian Field wrote:
>
>>And you are restarting/reloading MailScanner after you change the conf file?
>>At 14:42 03/09/2003, you wrote:
>>
>>>I tried it without bounce flag with the same results. I also tried to put
>>>there just
>>>
>>>Spam Actions = forward postmaster@krnap.cz
>>>High Scoring Spam Actions = forward postmaster@krnap.cz
>>>
>>>with no success
>>>
>>>Zdenek
>>>
>>>-----Original Message-----
>>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf
>>>Of Chris Trudeau
>>>Sent: Wednesday, September 03, 2003 3:31 PM
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: Re: Spam Action "Forward" doesn't work
>>>
>>>I may be wrong, but I believe if you bounce a message, the system treats
>>>that message as if it weren't received therefore does nothing more with
>>>it...Try removing the bounce from your config, restarting mailscanner and
>>>see if that makes a difference.
>>>
>>>CT
>>>
>>>----- Original Message -----
>>>From: Zdeněk Fajfr
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Sent: Wednesday, September 03, 2003 9:17 AM
>>>Subject: Spam Action "Forward" doesn't work
>>>
>>>Hi all,
>>>I have a little problem with the spam action "forward". Here are the two
>>>lines from MailScanner.conf dealing with spam actions:
>>>
>>>Spam Actions = store forward postmaster@krnap.cz bounce
>>>High Scoring Spam Actions = store forward postmaster@krnap.cz bounce
>>>
>>>I just modified the suggested default values. Unfortunately NO forwarding
>>>occurs!!!
>>>
>>>Here is what MailScanner writes into mail logfile for every caught spam
>>>message:
>>>
>>>Sep 3 14:46:44 ns MailScanner[18921]: New Batch: Scanning 2 messages,
>>>101903 bytes
>>>Sep 3 14:46:44 ns MailScanner[18921]: Spam Checks: Starting
>>>Sep 3 14:46:52 ns MailScanner[18921]: Message h83CkgIb019316 from
>>>192.168.248.153 (sales@defsol.se) to ns.krnap.cz is spam, SpamAssassin
>>>(skore=10.5, vyzaduje 5, DATE_IN_PAST_96_XX 1.63, FORGED_MUA_OUTLOOK 3.48,
>>>MICROSOFT_EXECUTABLE 0.10, MIME_BOUND_NEXTPART 0.35, MIME_MISSING_BOUNDARY
>>>0.16, MISSING_MIMEOLE 0.50, MSG_ID_ADDED_BY_MTA_3 0.67, NO_REAL_NAME 0.82,
>>>RAZOR2_CHECK 2.06, RCVD_IN_OSIRUSOFT_COM 0.55)
>>>Sep 3 14:46:52 ns MailScanner[18921]: Spam Checks: Found 1 spam messages
>>>Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316
>>>actions are bounce,store,forward,postmaster@krnap.cz
>>>Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: (SpamAssassin) Bounce
>>>to sales@defsol.se
>>>
>>>The message is apparently bounced back to sender, it is also stored in
>>>quarantine but what about forwarding to postmaster? It's essential for me to
>>>know what messages have been marked as spam to be able to recognize false
>>>positives and take appropriate actions (changes in configuration, let the
>>>recipients know etc.)
>>>Could anybody help me where did I go wrong in configuration?
>>>
>>>I use MailScanner-4.23-11 with sendmail 8.12.9, SpamAssassin 2.55 and Clamav
>>>antivirus on Linux Mandrake 9.1
>>>
>>>Thanks a lot for any help
>>>
>>>Z. Fajfr
>>>
>>>BTW: I regard MailScanner as an amazing piece of software, for it is very
>>>powerful, and yet relatively easy to configure (compare to clamav-milter,
>>>and especially Amavis)
>>>
>>>***********************************************
>>>Zdenek Fajfr
>>>Department of Informatics & GIS
>>>The Krkonose Mts. National Park Adm.
>>>Dobrovskeho 3
>>>54311 Vrchlabi
>>>Czech Republic
>>>The Heart of Europe
>>>***********************************************
>>>Tel: (+420) 499 456 232, 737 225 439
>>>Fax: (+420) 499 456 216, 499 422 095
>>>E-mail: zfajfr@krnap.cz, zfajfr@click.cz
>>>Web: http://www.krnap.cz
>>>***********************************************
>
>========================================================================
> This message has been scanned for viruses and unsafe content by
> Platform Mail Security
>
> To report SPAM forward the message to: spam@mailsecurity.net.au
> To report incorrectly tagged messages: notspam@mailsecurity.net.au
>
> Platform Mail Security www.mailsecurity.net.au
> Platform Hosting www.platformhosting.com
>
>========================================================================
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 15:41:25 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:44 2006
Subject: F-prot revisited
In-Reply-To: <200309031407.h83E7GM15445@camelot.blacknightsolutions.com>
Message-ID: <5.2.0.9.2.20030903154050.04683c20@imap.ecs.soton.ac.uk>

At 15:07 03/09/2003, you wrote:
>I know this was discussed some time back, but sifting through older mail I
>can't see a clear answer.
>
>Which version / license of F-Prot should be used for MailScanner on *nix ?

They say you need to license the mail server version.
You only actually need any features that are in the desktop/workstation version.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From errol.neal at ENHTECH.COM Wed Sep 3 15:51:58 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:44 2006
Subject: Disabling OSIRUSOFT
Message-ID: <5.1.0.14.0.20030903104929.02d889e0@mail.enhtech.com>

Since the demise of OSIRUSOFT, is there a way to tell SA not to use it? I mean other than just setting the scores to 0 for all OSI related rules.

Errol

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From steve.freegard at LBSLTD.CO.UK Wed Sep 3 16:07:39 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:19:44 2006
Subject: Disabling OSIRUSOFT
Message-ID: <67D9E7698329D411936E00508B6590B902773ACB@neelix.lbsltd.co.uk>

Hey Errol,

I'm using the following in spam.assassin.prefs.conf:

score RCVD_IN_OSIRUSOFT_COM 0
score X_OSIRU_DUL 0
score X_OSIRU_DUL_FH 0
score X_OSIRU_OPEN_RELAY 0
score X_OSIRU_SPAMWARE_SITE 0
score X_OSIRU_SPAM_SRC 0

Kind regards,
Steve.

-----Original Message-----
From: Errol Neal [mailto:errol.neal@ENHTECH.COM]
Sent: 03 September 2003 15:52
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Disabling OSIRUSOFT

Since the demise of OSIRUSOFT, is there a way to tell SA not to use it? I mean other than just setting the scores to 0 for all OSI related rules.

Errol

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From chris at TRUDEAU.ORG Wed Sep 3 16:07:33 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:19:44 2006
Subject: Disabling OSIRUSOFT
References: <5.1.0.14.0.20030903104929.02d889e0@mail.enhtech.com>
Message-ID: <00c601c3722d$1a6de3d0$5702010a@mscore.trusecure.net>

the SA mailing list had a number of posts over the last week or so about this...but try this:

Make the following lines in your /usr/share/spamassassin/50_scores.cf reflect these changes:

score RCVD_IN_OSIRUSOFT_COM 0.0
score X_OSIRU_DUL 0.0
score X_OSIRU_DUL_FH 0.0
score X_OSIRU_OPEN_RELAY 0.0
score X_OSIRU_SPAMWARE_SITE 0.0
score X_OSIRU_SPAM_SRC 0.0

CT

----- Original Message -----
From: "Errol Neal"
To:
Sent: Wednesday, September 03, 2003 10:51 AM
Subject: Disabling OSIRUSOFT

> Since the demise of OSIRUSOFT, is there a way to tell SA not to use it? I
> mean other than just setting the scores to 0 for all OSI related rules.
>
> Errol
>
> Errol Neal, Systems/Network Administrator
> eneal@enhtech.com
> Enhanced Technologies Inc.
> http://www.enhtech.com
> 703-924-0301 or 800-368-3249
> 703-924-0302 Fax

From david at PLATFORMHOSTING.COM Wed Sep 3 16:13:25 2003
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:19:44 2006
Subject: Spam Action "Forward" doesn't work
In-Reply-To: <5.2.0.9.2.20030903153748.0478d3c8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk> <004701c3721f$90690460$5702010a@mscore.trusecure.net> <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030903153748.0478d3c8@imap.ecs.soton.ac.uk>
Message-ID: <3F560515.6060006@platformhosting.com>

Sendmail with MS 4.22-5

--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

Julian Field wrote:

> Which MTA are you using? It appears to work on my sendmail setup.
>
> At 15:40 03/09/2003, you wrote:
>
>> Julian,
>>
>> I have noticed a similar thing, forward just doesn't seem to work for
>> me either.
>>
>> --
>> Regards,
>>
>> David Hooton
>> Senior Partner
>> Platform Hosting
>> 1300 85 HOST
>> www.platformhosting.com
>>
>> Julian Field wrote:
>>
>>> And you are restarting/reloading MailScanner after you change the
>>> conf file?
>>> At 14:42 03/09/2003, you wrote:
>>>
>>>> I tried it without bounce flag with the same results. I also tried to put
>>>> there just
>>>>
>>>> Spam Actions = forward postmaster@krnap.cz
>>>> High Scoring Spam Actions = forward postmaster@krnap.cz
>>>>
>>>> with no success
>>>>
>>>> Zdenek
>>>>
>>>> -----Original Message-----
>>>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf
>>>> Of Chris Trudeau
>>>> Sent: Wednesday, September 03, 2003 3:31 PM
>>>> To: MAILSCANNER@JISCMAIL.AC.UK
>>>> Subject: Re: Spam Action "Forward" doesn't work
>>>>
>>>> I may be wrong, but I believe if you bounce a message, the system treats
>>>> that message as if it weren't received therefore does nothing more with
>>>> it...Try removing the bounce from your config, restarting mailscanner and
>>>> see if that makes a difference.
>>>>
>>>> CT
>>>>
>>>> ----- Original Message -----
>>>> From: Zdeněk Fajfr
>>>> To: MAILSCANNER@JISCMAIL.AC.UK
>>>> Sent: Wednesday, September 03, 2003 9:17 AM
>>>> Subject: Spam Action "Forward" doesn't work
>>>>
>>>> Hi all,
>>>> I have a little problem with the spam action "forward". Here are the two
>>>> lines from MailScanner.conf dealing with spam actions:
>>>>
>>>> Spam Actions = store forward postmaster@krnap.cz bounce
>>>> High Scoring Spam Actions = store forward postmaster@krnap.cz bounce
>>>>
>>>> I just modified the suggested default values. Unfortunately NO forwarding
>>>> occurs!!!
>>>>
>>>> Here is what MailScanner writes into mail logfile for every caught spam
>>>> message:
>>>>
>>>> Sep 3 14:46:44 ns MailScanner[18921]: New Batch: Scanning 2 messages,
>>>> 101903 bytes
>>>> Sep 3 14:46:44 ns MailScanner[18921]: Spam Checks: Starting
>>>> Sep 3 14:46:52 ns MailScanner[18921]: Message h83CkgIb019316 from
>>>> 192.168.248.153 (sales@defsol.se) to ns.krnap.cz is spam, SpamAssassin
>>>> (skore=10.5, vyzaduje 5, DATE_IN_PAST_96_XX 1.63, FORGED_MUA_OUTLOOK 3.48,
>>>> MICROSOFT_EXECUTABLE 0.10, MIME_BOUND_NEXTPART 0.35, MIME_MISSING_BOUNDARY
>>>> 0.16, MISSING_MIMEOLE 0.50, MSG_ID_ADDED_BY_MTA_3 0.67, NO_REAL_NAME 0.82,
>>>> RAZOR2_CHECK 2.06, RCVD_IN_OSIRUSOFT_COM 0.55)
>>>> Sep 3 14:46:52 ns MailScanner[18921]: Spam Checks: Found 1 spam messages
>>>> Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316
>>>> actions are bounce,store,forward,postmaster@krnap.cz
>>>> Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: (SpamAssassin) Bounce
>>>> to sales@defsol.se
>>>>
>>>> The message is apparently bounced back to sender, it is also stored in
>>>> quarantine but what about forwarding to postmaster? It's essential for me to
>>>> know what messages have been marked as spam to be able to recognize false
>>>> positives and take appropriate actions (changes in configuration, let the
>>>> recipients know etc.)
>>>> Could anybody help me where did I go wrong in configuration?
>>>>
>>>> I use MailScanner-4.23-11 with sendmail 8.12.9, SpamAssassin 2.55 and Clamav
>>>> antivirus on Linux Mandrake 9.1
>>>>
>>>> Thanks a lot for any help
>>>>
>>>> Z. Fajfr
>>>>
>>>> BTW: I regard MailScanner as an amazing piece of software, for it is very
>>>> powerful, and yet relatively easy to configure (compare to clamav-milter,
>>>> and especially Amavis)
>>>>
>>>> ***********************************************
>>>> Zdenek Fajfr
>>>> Department of Informatics & GIS
>>>> The Krkonose Mts. National Park Adm.
>>>> Dobrovskeho 3
>>>> 54311 Vrchlabi
>>>> Czech Republic
>>>> The Heart of Europe
>>>> ***********************************************
>>>> Tel: (+420) 499 456 232, 737 225 439
>>>> Fax: (+420) 499 456 216, 499 422 095
>>>> E-mail: zfajfr@krnap.cz, zfajfr@click.cz
>>>> Web: http://www.krnap.cz
>>>> ***********************************************

========================================================================
This message has been scanned for viruses and unsafe content by
Platform Mail Security

To report SPAM forward the message to: spam@mailsecurity.net.au
To report incorrectly tagged messages: notspam@mailsecurity.net.au

Platform Mail Security www.mailsecurity.net.au
Platform Hosting www.platformhosting.com
========================================================================

From joshua.hirsh at PARTNERSOLUTIONS.CA Wed Sep 3 16:24:09 2003
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:19:44 2006
Subject: Spam Action "Forward" doesn't work
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5AC4@eqmail1.efni.vpn>

I haven't run into any issues with forward as an action. Perhaps the only difference for me is that I still deliver the spam, but forward it to another address as well.

MS 4.23-11 and Postfix 2.0.13.

Cheers,

--
Joshua Hirsh
Systems Administration
Partner Solutions/ING Canada
455, avenue Saint-Joseph
Saint-Hyacinthe, Quebec J2S 8K8
(450) 778-9580 ext. 3798
joshua.hirsh@partnersolutions.ca

From Kevin_Miller at CI.JUNEAU.AK.US Wed Sep 3 16:45:01 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:19:44 2006
Subject: F-prot revisited
Message-ID: <08146035CA49D6119A36009027AC822A0264E6DF@CITY-EXCH-NTS>

F-Prot says the email version. I bought a license last spring when it was still just $300 a whack. Now it's based on users and quite expensive IMHO. On my secondary mail server I installed F-Secure (and clam). The F-Secure people were willing to work with me pricewise. You might contact them and see what they'll do for you. F-Prot didn't seem to want to. Next spring when the F-Prot license runs out, I'll roll that machine to F-Secure as well...

...Kevin
-------------------
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

>-----Original Message-----
>From: Michele Neylon:: Blacknight Solutions
>[mailto:michele@BLACKNIGHTSOLUTIONS.COM]
>Sent: Wednesday, September 03, 2003 6:07 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: F-prot revisited
>
>
>I know this was discussed some time back, but sifting through
>older mail I
>can't see a clear answer.
>
>Which version / license of F-Prot should be used for
>MailScanner on *nix ?
>
>
>
>#########################################################
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance to it is prohibited.
>

From christo at AFGLASS.CO.ZA Wed Sep 3 16:48:20 2003
From: christo at AFGLASS.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:19:44 2006
Subject: Newbie question related to file type filters
In-Reply-To: <5.2.0.9.2.20030903095427.03ee97c8@imap.ecs.soton.ac.uk>
Message-ID: <00c301c37232$cd151cb0$660210ac@christo>

Thanx I got the post. Only subscribed today.

Please Help with following. In the example below

In filetype.allowall.rules.conf put (separated by tabs, not spaces)
allow	.	-	-

How can I block executables and allow media files. What is each 'field' representing. The . 1st - and second -

Thanx

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Wednesday, September 03, 2003 10:55 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Newbie question related to file type filters

See my postings from yesterday or the day before that include the word "filetype.rules.conf". You'll find them in the archive.

At 07:31 03/09/2003, you wrote:
>Hi
>
>I only configured my MS server last week and it works fine. Spam
>dropped by about 90%
>
>OK My question.
>
>By default MS blocks all Executable and Media file types from the
>filetype.rules.conf file. How can I setup a MS rule to let through
>these files only for certain email addresses and let the others be
>blocked. One small rule file example will be enough
>
>Thanx
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean. Mailscanner thanks
>transtec Computers for their support.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks transtec Computers for their support.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks transtec Computers for their support.

From lists at TRCINTL.COM Wed Sep 3 16:51:17 2003
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:19:44 2006
Subject: F-prot revisited
Message-ID:

What is the price for F-Secure? Looking at their web site, I see a server version for nix's that is under $300.00. Is that the F-Secure product that others are using? If so, I may go that route unless anyone can recommend against it.

>F-Prot says the email version. I bought a license last spring when it was
>still just $300 a whack. Now it's based on users and quite expensive
>IMHO. On my secondary mail server I installed F-Secure (and clam). The F-
>Secure people were willing to work with me pricewise. You might contact
>them and see what they'll do for you. F-Prot didn't seem to want to.
>Next spring when the F-Prot license runs out, I'll roll that machine to F-
>Secure as well...
>...Kevin
>-------------------
>Kevin Miller Registered Linux User No: 307357
>CBJ MIS Dept. Network Systems Administrator, Mail
>Administrator
>155 South Seward Street ph: (907) 586-0242
>Juneau, Alaska 99801 fax: (907 586-4500
>-----Original Message-----
>From: Michele Neylon:: Blacknight Solutions
>[mailto:michele@BLACKNIGHTSOLUTIONS.COM]
>Sent: Wednesday, September 03, 2003 6:07 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: F-prot revisited
>
>
>I know this was discussed some time back, but sifting through older
>mail I can't see a clear answer.
>
>Which version / license of F-Prot should be used for MailScanner on
>*nix ?
>
>
>
>#########################################################
>This message (and any attachment) is intended only for the recipient
>and may contain confidential and/or privileged material. If you have
>received this in error, please contact the sender and delete this
>message immediately. Disclosure, copying or other action taken in
>respect of this email or in reliance to it is prohibited.
>

From eja at URBAKKEN.DK Wed Sep 3 17:03:43 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:19:44 2006
Subject: Errors
Message-ID: <3F5610DF.4050903@urbakken.dk>

Julian !.

Thanks for the reply. I did what you suggested, but had no luck.

Will try to search the Clarkconnect for infos on my Clarkconnect version and MailScanner. The Clarkconnect server is installed on the RedHat 9.0 version.

Sorry for interfering.

P.S. The reason I do reply as I do is, that I haven't received the mail from you via e-mail. I looked into the archive_list, and found the reply.

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From hciss at HCIWS.COM Wed Sep 3 17:03:41 2003
From: hciss at HCIWS.COM (Matt)
Date: Thu Jan 12 21:19:44 2006
Subject: Feature Wish, IP Pool Warning
Message-ID: <042c01c37234$f26902e0$7801a8c0@matthew>

Sobig.x lies about its from email address so I have it setup as silent. But what I would like is if it emailed me a warning to the postmaster account ONLY if the source IP is in one of the IP pools I own. This way I can look in my PPP logs, see who had that IP at that time and drop them an email or call.

Matt

From greg at NET1PLUS.COM Wed Sep 3 17:34:35 2003
From: greg at NET1PLUS.COM (Greg)
Date: Thu Jan 12 21:19:44 2006
Subject: Denial Of Service Threshold?
Message-ID: <5.1.0.14.2.20030903123133.03139ee0@pop3.net1plus.com>

I've searched the docs, user list and search engines but was unable to locate any information on whether or not it is possible to adjust the settings for DoS attacks. I have a user that sends out a number of emails to his clients all at once and they are getting bounced as a virus with a report of: "Denial of Service attack in message!"

Is there any way to tweak this setting or disable it entirely?

Regards

Greg Caron
Systems Administrator
NET1Plus Internet Services

From chris at TRUDEAU.ORG Wed Sep 3 17:48:25 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:19:44 2006
Subject: Denial Of Service Threshold?
References: <5.1.0.14.2.20030903123133.03139ee0@pop3.net1plus.com>
Message-ID: <010501c3723b$32023bf0$5702010a@mscore.trusecure.net>

Is it possible this is an MTA setting.

I don't think the message you are seeing is generated by MailScanner.

Which MTA are you using and specifically what is the error?

CT

----- Original Message -----
From: "Greg"
To:
Sent: Wednesday, September 03, 2003 12:34 PM
Subject: Denial Of Service Threshold?

> I've searched the docs, user list and search engines but was unable to
> locate any information on whether or not it is possible to adjust the
> settings for DoS attacks. I have a user that sends out a number of emails
> to his clients all at once and they are getting bounced as a virus with a
> report of: "Denial of Service attack in message!"
>
> Is there any way to tweak this setting or disable it entirely?
>
> Regards
>
> Greg Caron
> Systems Administrator
> NET1Plus Internet Services

From greg at NET1PLUS.COM Wed Sep 3 17:58:55 2003
From: greg at NET1PLUS.COM (Greg)
Date: Thu Jan 12 21:19:44 2006
Subject: Denial Of Service Threshold?
In-Reply-To: <010501c3723b$32023bf0$5702010a@mscore.trusecure.net>
References: <5.1.0.14.2.20030903123133.03139ee0@pop3.net1plus.com>
Message-ID: <5.1.0.14.2.20030903125535.0315e350@pop3.net1plus.com>

We are using Sendmail 8.11.6 on RH 7.3.

The bounces contain the text:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Any infected parts of the message (the entire message) have not been delivered.

This message is simply to warn you that your computer system MAY have a virus present and should be checked.

The virus detector said this about the message:
Report: Denial of Service attack in message!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Which uses one of the MS templates. Is it possible that MS is receiving this back from sendmail and just inserted the sendmail response into the MS bounce template?

Thanks

At 12:48 PM 9/3/2003 -0400, you wrote:
>Is it possible this is an MTA setting.
>
>I don't think the message you are seeing is generated by MailScanner.
>
>Which MTA are you using and specifically what is the error?
>
>CT
>
>----- Original Message -----
>From: "Greg"
>To:
>Sent: Wednesday, September 03, 2003 12:34 PM
>Subject: Denial Of Service Threshold?
>
>
> > I've searched the docs, user list and search engines but was unable to
> > locate any information on whether or not it is possible to adjust the
> > settings for DoS attacks. I have a user that sends out a number of emails
> > to his clients all at once and they are getting bounced as a virus with a
> > report of: "Denial of Service attack in message!"
> >
> > Is there any way to tweak this setting or disable it entirely?
> >
> > Regards
> >
> > Greg Caron
> > Systems Administrator
> > NET1Plus Internet Services

Greg Caron
Systems Administrator
NET1Plus Internet Services

From evertjan at VANRAMSELAAR.NL Wed Sep 3 18:28:16 2003
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:19:44 2006
Subject: SIGPIPE received - trying new log socket
Message-ID: <2512.10.10.0.101.1062610096.squirrel@intranet>

I just upgraded to MailScanner 4.23-11. Now I am getting the line 'SIGPIPE received - trying new log socket' in my logfile during every batch:

Sep 3 19:14:58 ram3 sendmail[6764]: h83HEv6O006764: from=, size=5334, class=-60, nrcpts=1, msgid=<20030903165456.OKKQ4763.pop015.verizon.net@localhost>, proto=ESMTP, daemon=MTA, relay=abc [1.2.3.4]
Sep 3 19:14:58 ram3 MailScanner[4002]: New Batch: Scanning 1 messages, 5887 bytes
Sep 3 19:14:58 ram3 MailScanner[4002]: SIGPIPE received - trying new log socket
Sep 3 19:14:58 ram3 MailScanner[4002]: New Batch: Scanning 1 messages, 5887 bytes
Sep 3 19:14:58 ram3 MailScanner[4002]: Spam Checks: Starting
Sep 3 19:15:01 ram3 MailScanner[4002]: Virus and Content Scanning: Starting
Sep 3 19:15:02 ram3 MailScanner[4002]: Uninfected: Delivered 1 messages
Sep 3 19:15:02 ram3 sendmail[6794]: h83HEv6O006764: to=, delay=00:00:05, xdelay=00:00:00, mailer=local, pri=230127, dsn=2.0.0, stat=Sent

Is this something serious?

Redhat 8.0
Sendmail 8.12.8
MailScanner 4.23-11
MailWatch 0.2
syslogd 1.4.1

--
Evert Jan van Ramselaar
Van Ramselaar Info Tech

From bob.jones at USG.EDU Wed Sep 3 19:56:39 2003
From: bob.jones at USG.EDU (Bob Jones)
Date: Thu Jan 12 21:19:44 2006
Subject: virus update scripts.
Message-ID: <3F563967.9040908@usg.edu>

Hey all, a couple things here.

First is with the mcafee-autoupdate script in the latest release. What is this extra.dat file it tries to download and complains about when it's not there?

Second, there is a problem with the update_virus_scanners on Solaris. The grep you have uses the -e flag, and unless you happen to have /usr/xpg4/bin first in your path you'll be out of luck. I've fixed this by adding the following right below the LOCKFILE declaration:

OS=`uname`
if [ ${OS} = SunOS ]; then
    echo "Found OS"
    GREP=/usr/xpg4/bin/grep
else
    GREP=grep
fi

And then changing the subsequent grep to ${GREP}. Adding this should fix Solaris systems without breaking any systems that aren't already broken.

--
Thanks,
Bob Jones

From mike at ZANKER.ORG Wed Sep 3 19:57:26 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:19:44 2006
Subject: MailScanner with Exim
Message-ID: <105478843.1062619046@jemima.zanker.org>

Hi,

I recently changed from MailScanner/Sendmail to MailScanner/Exim. The whole process was really straightforward thanks to the installation guide for MS/Exim.

Everything is working fine but I have noticed a very large number of files building up in /var/spool/exim.in/msglog. Each one contains a single log entry for the reception of the message referenced by the filename.

Is it usual for these files to be produced? If so, how are others dealing with them - cron job to delete them every day?

Thanks in advance,
--
Mike Zanker
Northampton, UK
PGP Public Key: pgp@zanker.org

From mailscanner at ELKNET.NET Wed Sep 3 20:17:33 2003
From: mailscanner at ELKNET.NET (Alan Fiebig) Date: Thu Jan 12 21:19:44 2006 Subject: F-prot revisited Message-ID: <200309031917.h83JHUr02416@ori.rl.ac.uk> To be able to sleep with an easy conscience at night, I was looking at an extrememly expensive license from F-Prot based upon the number of customer mailboxes I had. Since I do not charge my customers for filtering, I had no way to recoup my expenses. Also note that the F-Prot liscense is 'per year', and not a one time cost. While F-Prot's $29 Linux workstation version is all you technically need to run with MailScanner, per F-Prot, you would be in violation of their license. Their expensive 'per user' mail server version contains a whole bunch of extra utilities and stuff you would never use, but to meet their license agreement, that's the version you have to purchase. Back a couple of months ago, Computer Associates (CA) had contacted Julian regarding their license, and Julian posted it on the list. I liked what I saw, and I supplied Jullian with a licensed copy so he could add support for their product, e-Trust, to MailScanner. The product works great, and is very cost effective. The license will run you around $129 per year, and for that price you get a license to install the product on any 5 hosts, including Windows and Linux servers, workstations, PocketPC PDAs, Groupwise servers, Exchange servers; all versions are included in the box. The 5 node license is the smallest they sell, but at $129 total, I think that's a very good price compared to what I was looking at. For those of us with many users, and that want to run legally, I'm not aware of a lower priced commercial solution. I do of course also run ClamAV as my second scanner, which is GPL and therfore is free. I just was not comfortable running with only Clam, I like running both a commercial scanner and an Open Source one. -Alan >F-Prot says the email version. I bought a license last spring when it was >still just $300 a whack. 
Now it's based on users and quite expensive IMHO.
>On my secondary mail server I installed F-Secure (and clam). The F-Secure
>people were willing to work with me pricewise. You might contact them and
>see what they'll do for you. F-Prot didn't seem to want to. Next spring
>when the F-Prot license runs out, I'll roll that machine to F-Secure as
>well...
>
>....Kevin

From TGFurnish at HERFF-JONES.COM Wed Sep 3 20:18:47 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C07A4@inex1.herffjones.hj-int>

> mv /var/spool/mqueue.in/* /var/spool/mqueue
> sh: line 1: /bin/mv: Argument list too long

That just means there are too many files in the directory to do them all at once - the "*" is getting expanded to all the filenames. Try this instead:

    for file in `find /var/spool/mqueue.in -type f`; do
      mv "$file" /var/spool/mqueue
    done

Be sure you get the quotes right around the find command - they're "backticks", ie backwards apostrophes, not double-quotes or apostrophes.

-----Original Message-----
From: lester lasad [mailto:llasad1@YAHOO.COM]
Sent: Wednesday, September 03, 2003 3:50 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

"Spicer, Kevin" wrote:

Which queue?

All are in the mqueue.in

As I said, if you're happy to bypass MailScanner to get the mail delivered follow the instructions below.

Tried running your commands and received the following:

> service MailScanner stop
Shutting down MailScanner daemons:
MailScanner: [ OK ]
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
> mv /var/spool/mqueue.in/* /var/spool/mqueue
sh: line 1: /bin/mv: Argument list too long
>
> "Spicer, Kevin" wrote:
> Can you confirm whether email had completely stopped, or whether
> MailScanner just wasn't keeping up with the queue?
>
> If you want to bypass MailScanner to clear the backlog... (assuming
> RedHat syntax)
>
> service MailScanner stop [wait for all MailScanner
> processes to disappear after running this before moving on] mv
> /var/spool/mqueue.in/* /var/spool/mqueue service MailScanner start
> [restart Mailscanner to process any newly arriving messages, see if it
> copes] sendmail -q
>
> [this last command will take a very long time to complete as it will
> attempt to deliver each message in the queue, with your backlog this
> could be a considerable period of time]

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.
_____
Do you Yahoo!? Yahoo!

From TGFurnish at HERFF-JONES.COM Wed Sep 3 20:26:18 2003
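
The "Argument list too long" workaround discussed in the message above, as an added example that is not part of the original posts: a POSIX shell function that moves a backlog without ever passing the whole file list to one `mv`, and that keeps each message's control and data files together. It assumes the classic sendmail naming of `qf<ID>` plus `df<ID>` (the pairing asked about elsewhere in this thread) and that MailScanner and both sendmail daemons are stopped; `move_queue` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: each queued message is
# a control file qf<ID> plus a data file df<ID> in the same directory.
# move_queue is a hypothetical helper name.

# move_queue SRC DST
#   Moves every complete qf/df pair from SRC to DST and prints
#   "<moved> <skipped>". Returns 2 when either directory is missing.
move_queue() {
    src=$1
    dst=$2
    moved=0
    skipped=0

    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "usage: move_queue SRC_DIR DST_DIR" >&2
        return 2
    fi

    # The glob is expanded inside the shell and walked by a builtin loop.
    # No program is exec'd with the full list, so the kernel's limit on
    # argument size (the cause of "Argument list too long") never applies.
    for qf in "$src"/qf*; do
        # An unmatched glob stays literal; symlinks and non-files are ignored.
        if [ -L "$qf" ] || [ ! -f "$qf" ]; then
            continue
        fi
        id=${qf##*/qf}
        df=$src/df$id

        # Incomplete pair, or the ID already exists in DST: leave it in place
        # rather than deliver half a message or overwrite another one.
        if [ -L "$df" ] || [ ! -f "$df" ] ||
           [ -e "$dst/qf$id" ] || [ -e "$dst/df$id" ]; then
            skipped=$((skipped + 1))
            continue
        fi

        # Data file first, control file last, so a queue run that starts
        # early never finds a control file whose data has not arrived yet.
        if mv -- "$df" "$dst/df$id" && mv -- "$qf" "$dst/qf$id"; then
            moved=$((moved + 1))
        else
            echo "move_queue: failed on $id" >&2
            skipped=$((skipped + 1))
        fi
    done

    echo "$moved $skipped"
}
```

A non-zero skipped count means control files were left behind in the source directory, either without a matching data file or because the ID already existed in the destination; inspect those by hand before deleting anything.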
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C07A5@inex1.herffjones.hj-int>

Whenever you say "queue" on this list, you should stop and remember to write either "incoming queue" or "outbound queue" instead. Do you mean you have 2000 messages in the incoming queue? If so, then yes MailScanner still has to work on them, but if you mean that you have 2000 in the outgoing queue, then MailScanner is already completely out of the picture for those messages.

Mail in the outbound queue is entirely handled by your MTA. If you are seeing backlogs there, then you need to figure out whether it's normal or a real problem. If you have mail sitting in the outbound queue destined for domains you do not control, then that may very well be normal -- mail gets deferred when servers are down, DNS has problems, etc.

If the mail stuck in the queue is destined for a domain you control, then you need to figure out why it's not going out immediately.

If you are using sendmail and you want to process just those messages in the outbound queue that are destined for your domain, then instead of sendmail -q, use sendmail -qRyourdomain.com. That will process only those messages with "yourdomain.com" in the recipient line of the message. Note that if you aren't splitting messages into one-per-recipient then this may still include messages bound for other domains (ie you have a message with two recipients, one local, one remote) and may therefore take a while.

You can see what a sendmail process is doing at any given time - just look at its process listing in the long output format of ps. The only tedious part is identifying the sendmail process you're interested in. If you're using -qR you can look for that...

    ps auxww | grep 'sendmail -qR'

-----Original Message-----
From: lester lasad [mailto:llasad1@YAHOO.COM] Sent: Wednesday, September 03, 2003 3:30 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in This is for incoming mail. On average I receive 15-20 thousand incoming emails a day. Right now I have roughly 2000 messages in the queue, so MS has been routing mail but it is very slow. Doesn't seem to want to catch up. "Spicer, Kevin" wrote: Can you confirm whether email had completely stopped, or whether MailScanner just wasn't keeping up with the queue? If you want to bypass MailScanner to clear the backlog... (assuming RedHat syntax) service MailScanner stop [wait for all MailScanner processes to disappear after running this before moving on] mv /var/spool/mqueue.in/* /var/spool/mqueue service MailScanner start [restart Mailscanner toprocess any newly arriving messages, see if it copes] sendmail -q [this last command will take a very long time to complete as it will attempt to deliver each mesasge in the queue, with your backlog this could be a considerable period of time] -----Original Message----- 
From: lester lasad [mailto:llasad1@YAHOO.COM] Sent: 03 September 2003 08:59 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in Kevin, To be honest all I have ever used is mailscanner, I am not famaliar with configuring sendmail on it's own. I have been at this all night with no luck. I have restarted MS many times with minimal success. I have tried changing my routing table to route to a different internal server to verify it's not a problem with the host I normally connect with and have the same problems. This is very frustrating, I've got about 2000 message still stuck in the queue, they are getting delivered but at a very slow rate. Users don't like to see email from customers that are 2 days late. If you have any more suggestions, I'd appreciate it. "Spicer, Kevin" wrote: lester lasad wrote: > Kevin, > I took your suggestion and all new mail seems to be coming in OK, the > problem is that I copied one of the emails out of mqueue.in into > mqueue but it does not route. It's just stuck, all other new mail > that comes in routes with no problems. any suggestions? Do you have both df and qf files for that? Maybe the mail itself is what has caused your problem? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this e! ! mail or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. _____ Do you Yahoo!? Yahoo! 

From lists at TRCINTL.COM Wed Sep 3 20:27:28 2003
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:19:45 2006
Subject: What version of MailScanner
Message-ID:

Sorry if this is a stupid question, but how can I determine what version of MailScanner I currently have installed?

From TGFurnish at HERFF-JONES.COM Wed Sep 3 20:28:07 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B7E@inex1.herffjones.hj-int>

> Hi!
>
> > Can you confirm whether email had completely stopped, or whether
> > MailScanner just wasn't keeping up with the queue?
>
> On my box for example I had a queue of 1000 that would not run, it let it
> processing and it took 40 minutes to get them done. In the same time, by
> other box, same specs, took almost 10.000 messages, without any problem.
>
> Bye,
> Raymond.

If those were messages in the outbound queue destined for local addresses, I'd say that's definitely a problem outside the scope of MailScanner. If they're in the outbound queue destined for remote addresses, I'd say it's still not related to MailScanner and it may not indicate a problem at all.

Of course, if you mean they were sitting in the incoming queue, then that's probably MailScanner... :-)

From TGFurnish at HERFF-JONES.COM Wed Sep 3 20:29:18 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B7F@inex1.herffjones.hj-int>

More suggestions? Perhaps this would be a good time to check out http://www.mailscanner.biz/ ? :-)

-t.

-----Original Message-----
From: lester lasad [mailto:llasad1@YAHOO.COM] Sent: Wednesday, September 03, 2003 3:00 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in Kevin, To be honest all I have ever used is mailscanner, I am not famaliar with configuring sendmail on it's own. I have been at this all night with no luck. I have restarted MS many times with minimal success. I have tried changing my routing table to route to a different internal server to verify it's not a problem with the host I normally connect with and have the same problems. This is very frustrating, I've got about 2000 message still stuck in the queue, they are getting delivered but at a very slow rate. Users don't like to see email from customers that are 2 days late. If you have any more suggestions, I'd appreciate it. "Spicer, Kevin" wrote: lester lasad wrote: > Kevin, > I took your suggestion and all new mail seems to be coming in OK, the > problem is that I copied one of the emails out of mqueue.in into > mqueue but it does not route. It's just stuck, all other new mail > that comes in routes with no problems. any suggestions? Do you have both df and qf files for that? Maybe the mail itself is what has caused your problem? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this e! mail or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. _____ Do you Yahoo!? Yahoo! 

From kevins at BMRB.CO.UK Wed Sep 3 20:30:27 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:45 2006
Subject: What version of MailScanner
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7913@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7913@pascal.priv.bmrb.co.uk>
Message-ID: <1062617432.26526.0.camel@bach.kevinspicer.co.uk>

On Wed, 2003-09-03 at 20:27, Kyle Harris wrote:

> Sorry if this is a stupid question, but how can I determine what version of
> MailScanner I currently have installed?

grep for the word 'version' in your mail log

From cslyon at NETSVCS.COM Wed Sep 3 20:33:59 2003
From: cslyon at NETSVCS.COM (Chris Lyon)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn
Message-ID:

So, I have been reading the FAQ and also the past posts but have a little confusion that I need to resolve. Just to give a little background, I have a lot of users who all have issues with e-mail that is being marked as spam or not being marked as spam. So, I think the answer to this is to have them forward the messages to an unattended mailbox that will autowhitelist or autoblacklist the sender. Is that what sa-learn is all about?

So, if I create a spam and non-spam account on server and use the sa-learn to check the messages that my users forward to these accounts, if something was marked as spam and is not, further messages will not be marked again? Conversely, if I have a message that is spam but not marked, I can forward that to spam and it will be marked as spam the next message that comes in from that sender?

How does it work, based on content I would assume or does it work by the domain? Also, what happens with stuff being forwarded from different mail clients like outlook?

Can anybody shed some light on this one?

From TGFurnish at HERFF-JONES.COM Wed Sep 3 20:43:35 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:45 2006
Subject: How to whitelist the mailscanner mailing list?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B80@inex1.herffjones.hj-int>

I'm wondering what the proper way is (assuming there is one) to whitelist email from this mailing list. The senders are individuals and the recipient is me... So what goes in the whitelist?

-t.

From joshua.hirsh at PARTNERSOLUTIONS.CA Wed Sep 3 20:46:12 2003
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:19:45 2006
Subject: How to whitelist the mailscanner mailing list?
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5ACE@eqmail1.efni.vpn>

All list traffic originates from the SMTP server smtp.jiscmail.ac.uk [130.246.192.48], and the 'MAIL FROM:' is set as owner-mailscanner@JISCMAIL.AC.UK.

Assuming the whitelists check one of these instead of the message headers, either of them should work.

Cheers,

--
Joshua Hirsh
Systems Administration
Partner Solutions/ING Canada
455, avenue Saint-Joseph
Saint-Hyacinthe, Quebec J2S 8K8
(450) 778-9580 ext. 3798
joshua.hirsh@partnersolutions.ca

From michele at BLACKNIGHTSOLUTIONS.COM Wed Sep 3 20:53:35 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions)
Date: Thu Jan 12 21:19:45 2006
Subject: What version of MailScanner
In-Reply-To: <1062617432.26526.0.camel@bach.kevinspicer.co.uk>
Message-ID: <200309031951.h83JpcaM013363@lancelot.blacknightsolutions.com>

Or tail the log after you do a restart :P

(I had to ask this a while back too )

Mr. Michele Neylon
Blacknight Solutions
http://www.blacknightsolutions.ie/
Probably the cheapest ie's in Ireland
Tel. +353 (0)59 9139897
Fax. +353 (0)59 9139897

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer > Sent: 03 September 2003 20:30 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: What version of MailScanner > > On Wed, 2003-09-03 at 20:27, Kyle Harris wrote: > > Sorry if this is a stupid question, but how can I determine > what version of MailScanner I currently have installed? > > grep for the word 'version' in your mail log > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact > the sender and delete this message immediately. Disclosure, > copying or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our business. > > From TGFurnish at HERFF-JONES.COM Wed Sep 3 20:54:56 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:45 2006 Subject: How to whitelist the mailscanner mailing list? {Scanned by HJ MS} Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B81@inex1.herffjones.hj-int> Thanks. Of course that assumes that: - the address of the list server won't change and - spammers won't use that address as their own. But I suppose that's the crux of why spam is a problem to begin with, so it'll have to do. :-) Thanks again. > -----Original Message----- 
> From: Hirsh, Joshua [mailto:joshua.hirsh@PARTNERSOLUTIONS.CA] > Sent: Wednesday, September 03, 2003 2:46 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: How to whitelist the mailscanner mailing list? > {Scanned by > HJMS} > > > All list traffic originates from the SMTP server smtp.jiscmail.ac.uk > [130.246.192.48], and the 'MAIL FROM:' is set as > owner-mailscanner@JISCMAIL.AC.UK. > > Assuming the whitelists check one of these instead of the > message headers, > either of them should work. > > > Cheers, > > -- > Joshua Hirsh > Systems Administration > Partner Solutions/ING Canada > 455, avenue Saint-Joseph > Saint-Hyacinthe, Quebec J2S 8K8 > (450) 778-9580 ext. 3798 > joshua.hirsh@partnersolutions.ca > From KCollins at NESBITTENGINEERING.COM Wed Sep 3 20:54:13 2003 From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin) Date: Thu Jan 12 21:19:45 2006 Subject: False Positives Message-ID: <2B1F39EA56FA7643A328F66521D41B760D2A@magellan.nesbitt.local> I'm having trouble with MS + Spamassassin identifying mail as SPAM when it's not. What's worse is that I'm getting mails identified that are on my whitelist. Is there anyway that I can prevent this from happening? -- Kevin L. Collins, MCSE Systems Manager Nesbitt Engineering, Inc. From TGFurnish at HERFF-JONES.COM Wed Sep 3 21:03:35 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C07A6@inex1.herffjones.hj-int>

You're close - but sa-learn doesn't update whitelists or blacklists - it just trains the Bayesian filtering engine, which identifies patterns in spam and uses them to recognize future spam.

SpamAssassin passes messages to the Bayesian engine and gets a score for each message, just as it does for its other rules. This score just becomes part of the cumulative score for the message.

There's a FAQ entry on how to set up a script to automatically run sa-learn - sounds like you already found that. If you have trouble getting it to work, ask for help again.

Besides the bayesian filtering, you can also whitelist and blacklist senders but I would hesitate to recommend automating that process - I can imagine users blindly forwarding spam from the sobig virus to an address that would automatically blacklist the sender, which would be a bad thing since sobig is likely to come "from" someone who regularly emails you.

HTH,
Trever

> -----Original Message-----
> From: Chris Lyon [mailto:cslyon@NETSVCS.COM] > Sent: Wednesday, September 03, 2003 2:34 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Training the bayesian engine and sa-learn {Scanned by HJMS} > > > So, I have been reading the FAQ and also the past posts but > have a little > confusion that I need to resolve. Just to give a little back > ground, I have > a lot of users who all have issues with e-mail that is being > marked as spam > or not being marked as spam. So, I think the answer to this > is to have them > forward the messages to an unattended mailbox that will > autowhitelist or > autoblacklist the sender. Is that what sa-learn is all about? > > > So, if I create a spam and non-spam account on server and use > the sa-learn > to check the messages that my users forward to these > accounts, if something > was marked as spam and is not, further messages will not be > marked again? > Conversely, if I have a message that is spam but not marked, > I can forward > that to spam and it will be marked as spam the next message > that comes in > from that sender? > > > How does it work, based on content I would assume or does it > work by the > domain? Also, what happens with stuff being forwarded from > different mail > clients like outlook? > > > Can anybody shed some light on this one? > From TGFurnish at HERFF-JONES.COM Wed Sep 3 21:07:46 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:45 2006 Subject: Denial Of Service Threshold? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B83@inex1.herffjones.hj-int> Not much help from me, but perhaps this is related to checking for the "zip of death", a highly-nested zip file. http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0211&L=mailscanner&P=R38632&I =-1 -t. > -----Original Message----- 
> From: Greg [mailto:greg@NET1PLUS.COM] > Sent: Wednesday, September 03, 2003 11:59 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Denial Of Service Threshold? > > > We are using Sendmail 8.11.6 on RH 7.3. The bounces contain the text: > > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > Any infected parts of the message (the entire message) have > not been delivered. > > This message is simply to warn you that your computer system > MAY have a > virus present and should be checked. > > The virus detector said this about the message: > Report: Denial of Service attack in message! > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > Which uses one of the MS templates. Is it possible that MS is > receiving this > back from sendmail and just inserted the sendmail response into the MS > bounce template? > > Thanks > > > At 12:48 PM 9/3/2003 -0400, you wrote: > >Is it possible this is an MTA setting. > > > >I don't think the message you are seeing is gnerated by MailScanner. > > > >Which MTA are you using and specifically what is the error? > > > >CT > > > >----- Original Message ----- > >From: "Greg" > >To: > >Sent: Wednesday, September 03, 2003 12:34 PM > >Subject: Denial Of Service Threshold? > > > > > > > I've searched the docs, user list and search engines but > was unable to > > > locate any information on wether or not it is possible to > adjust the > > > settings for DoS attacks. I have a user that sends out a > number of emails > > > to his clients all at once and they are getting bounced > as a virus with a > > > report of: "Denial of Service attack in message!" > > > > > > Is there any way to tweak this setting or disable it entirely? > > > > > > Regards > > > > > > Greg Caron > > > Systems Administrator > > > NET1Plus Internet Services > > > Greg Caron > Systems Administrator > NET1Plus Internet Services > From raymond at PROLOCATION.NET Wed Sep 3 21:09:29 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1B7E@inex1.herffjones.hj-int>
Message-ID:

Hi!

> I'd say that's definitely a problem outside the scope of MailScanner. If
> they're in the outbound queue destined for remote addresses, I'd say it's
> still not related to MailScanner and it may not indicate a problem at all.

No =) It's about the incoming queue. Outgoing is a smart relay host so all flow out pretty fast normally.

> Of course, if you mean they were sitting in the incoming queue, then that's
> probably MailScanner... :-)

Yes it is.

Bye,
Raymond.

From raymond at PROLOCATION.NET Wed Sep 3 21:09:56 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: What version of MailScanner
In-Reply-To:
Message-ID:

Hi!

> Sorry if this is a stupid question, but how can I determine what version of
> MailScanner I currently have installed?

What about looking in your logs? It's telling when you start it up.

Bye,
Raymond.

From raymond at PROLOCATION.NET Wed Sep 3 21:15:20 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: False Positives
In-Reply-To: <2B1F39EA56FA7643A328F66521D41B760D2A@magellan.nesbitt.local>
Message-ID:

Hi!

> I'm having trouble with MS + Spamassassin identifying mail as SPAM when it's
> not. What's worse is that I'm getting mails identified that are on my
> whitelist.
>
> Is there anyway that I can prevent this from happening?

Did you disable the Osirusoft lists?

Bye,
Raymond.

From kevins at BMRB.CO.UK Wed Sep 3 21:18:08 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7917@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7917@pascal.priv.bmrb.co.uk>
Message-ID: <1062620289.27350.17.camel@bach.kevinspicer.co.uk>

On Wed, 2003-09-03 at 20:33, Chris Lyon wrote:

>So, I have been reading the FAQ and also the past posts but have a little
>confusion that I need to resolve. Just to give a little back ground, I have
>a lot of users who all have issues with e-mail that is being marked as spam
>or not being marked as spam. So, I think the answer to this is to have them
>forward the messages to an unattended mailbox that will autowhitelist or
>autoblacklist the sender. Is that what sa-learn is all about?

Not quite. sa-learn is for tuning the Bayes classifier, this doesn't whitelist or blacklist anything - it tokenises the mail content and stores a probability of each token appearing in a spam or ham mail. This is then used to determine the probability of a future message being spam or ham.

>So, if I create a spam and non-spam account on server and use the sa-learn
>to check the messages that my users forward to these accounts, if something
>was marked as spam and is not, further messages will not be marked again?

No, it reduces the probability associated with the tokens which appear in a mail. Auto white/blacklists are a bad idea - search for autowhitelist in the archives for a discussion.

You can best improve the accuracy by adding DCC, razor2 and pyzor, and by letting SA do RBL checks rather than MailScanner. I found that the majority of my false positives came from a very few sources. Mainly clients of one particular department which has several customers in Asia & Africa using dodgy ISPs. I added some SA rules assigning a negative score to the names of that department's products, which helped.
>How does it work, based on content I would assume or does it work by the
>domain? Also, what happens with stuff being forwarded from different mail
>clients like outlook?

Outlook is v bad at forwarding messages unaltered. I got round this by using the attachment option in MS (which also allowed me to add some info for users). Then using a script I found online to strip the original message from the attachment.

I strongly recommend getting a good handle on how SA works (by reading the docs - particularly the Mail::SpamAssassin::Conf docs and about Bayes) before trying to tune it.

From kevins at BMRB.CO.UK Wed Sep 3 21:23:40 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:45 2006
Subject: How to whitelist the mailscanner mailing list?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7919@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7919@pascal.priv.bmrb.co.uk>
Message-ID: <1062620620.26136.22.camel@bach.kevinspicer.co.uk>

On Wed, 2003-09-03 at 20:46, Hirsh, Joshua wrote:

> All list traffic originates from the SMTP server smtp.jiscmail.ac.uk
>[130.246.192.48], and the 'MAIL FROM:' is set as
>owner-mailscanner@JISCMAIL.AC.UK.
> Assuming the whitelists check one of these instead of the message headers,
>either of them should work.

They do. I'd recommend whitelisting the
From: owner-mailscanner@JISCMAIL.AC.UK rather than by IP (since the IP presumably could change without warning).

Just one question, are you getting false positives from the list? I don't think I've ever seen one.

From mkettler at EVI-INC.COM Wed Sep 3 21:21:50 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:19:45 2006
Subject: False Positives
In-Reply-To: <2B1F39EA56FA7643A328F66521D41B760D2A@magellan.nesbitt.local>
Message-ID: <5.2.1.1.0.20030903161737.01825688@xanadu.evi-inc.com>

At 03:54 PM 9/3/2003 -0400, Collins, Kevin wrote:
>I'm having trouble with MS + Spamassassin identifying mail as SPAM when it's
>not. What's worse is that I'm getting mails identified that are on my
>whitelist.
>
>Is there anyway that I can prevent this from happening?

1) what versions of SA and MS are you running?

2) when you say the mails are "on my whitelist" what _exactly_ do you mean. What specific config lines did you add, and to which product.

There's about 8 different ways to whitelist a message between spamassassin and mailscanner, and not all of them work exactly as you might think.

In particular, SA's "whitelist_to" feature does not work for messages which are BCC'ed or resent to someone. SA only gets to look at the message and is not told what user is really getting the message, it can only get clues from the message headers.

From kevins at BMRB.CO.UK Wed Sep 3 21:25:30 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:45 2006
Subject: False Positives
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A791C@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A791C@pascal.priv.bmrb.co.uk>
Message-ID: <1062620730.26136.24.camel@bach.kevinspicer.co.uk>

On Wed, 2003-09-03 at 20:54, Collins, Kevin wrote:
>I'm having trouble with MS + Spamassassin identifying mail as SPAM when
>it's
>not. What's worse is that I'm getting mails identified that are on my
>whitelist.

Could you post header examples and the relevant parts of your whitelist?

From llasad1 at YAHOO.COM Wed Sep 3 21:31:10 2003
From: llasad1 at YAHOO.COM (lester lasad)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5.2.0.9.2.20030903094622.03f92df0@imap.ecs.soton.ac.uk>
Message-ID: <20030903203110.63606.qmail@web41406.mail.yahoo.com>

I am running MailScanner 4.21-9

The maillog is just queueing up the messages, it is routing but not at a good rate (bad performance). I would run the command but the server that was having problems is not up, switched over to another server.

Same as above for the second output request.

I have not changed anything

Julian Field wrote:
Morning all,

Appears you are all having a similar problem.
Are you running 4.23-11 or 4.23-10? If -10 then upgrade to -11.

What does your maillog say is happening?
grep MailScanner /var/log/maillog | tail -70

What processes are running?
ps ax | grep -i mail

What have you changed from your previously-working system?

At 09:49 03/09/2003, you wrote:
>"Spicer, Kevin" wrote:
>
>Which queue?
>
>All are in the mqueue.in
>
>As I said, if you're happy to bypass MailScanner to get the mail delivered
>follow the instructions below.
>
>Tried running your commands and received the following:
>
> > service MailScanner stop
>
>Shutting down MailScanner daemons:
>
>MailScanner: [ OK ]
>
>incoming sendmail: [ OK ]
>
>outgoing sendmail: [ OK ]
>
> > mv /var/spool/mqueue.in/* /var/spool/mqueue
>
>sh: line 1: /bin/mv: Argument list too long
>
> > "Spicer, Kevin" wrote:
> > Can you confirm whether email had completely stopped, or whether
> > MailScanner just wasn't keeping up with the queue?
> >
> > If you want to bypass MailScanner to clear the backlog... (assuming
> > RedHat syntax)
> >
> > service MailScanner stop
> >     [wait for all MailScanner processes to disappear after running this before moving on]
> > mv /var/spool/mqueue.in/* /var/spool/mqueue
> > service MailScanner start
> >     [restart Mailscanner to process any newly arriving messages, see if it copes]
> > sendmail -q
> >     [this last command will take a very long time to complete as it will
> >     attempt to deliver each message in the queue, with your backlog this
> >     could be a considerable period of time]

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software

From TGFurnish at HERFF-JONES.COM Wed Sep 3 21:34:07 2003
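The `mv /var/spool/mqueue.in/* /var/spool/mqueue` step quoted above failed with "Argument list too long" because the shell expands the glob into one argument per queue file, and a large backlog exceeds what a single command line may carry. The following is an added example, not code from any poster in this thread: it moves the files in batches with `find -exec`. The `move_queue` name and the qf*/df* ordering are this example's assumptions about a sendmail-style queue, and the MailScanner service is assumed stopped as in the quoted procedure.

```shell
#!/bin/sh
# Added example: move a sendmail-style queue without a command-line glob.
# move_queue is a name made up for this example.

# move_queue SRC DST
#   Moves every regular file in SRC to DST. find hands the names to a helper
#   shell in batches that fit the exec argument limit, so the number of queue
#   files does not matter. Files other than qf* go first and qf* (control)
#   files last, so a control file never appears in DST before its data file.
#   A file whose name already exists in DST is left where it is.
#   Returns 0 only if SRC ends up with no regular files.
move_queue() {
    src=$1
    dst=$2
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "move_queue: SRC and DST must be existing directories" >&2
        return 2
    fi

    for pass in data control; do
        # Select the files for this pass; the function arguments were saved above.
        if [ "$pass" = data ]; then
            set -- ! -name 'qf*'
        else
            set -- -name 'qf*'
        fi
        find "$src" -maxdepth 1 -type f "$@" -exec sh -c '
            dst=$1
            shift
            rc=0
            for f in "$@"; do
                base=${f##*/}
                if [ -e "$dst/$base" ]; then
                    echo "left in place, name exists in $dst: $base" >&2
                    rc=1
                else
                    mv -- "$f" "$dst/$base" || rc=1
                fi
            done
            exit "$rc"
        ' sh "$dst" {} + || echo "move_queue: $pass pass reported problems" >&2
    done

    # Anything still in SRC was skipped or failed to move.
    remaining=$(find "$src" -maxdepth 1 -type f | wc -l)
    [ "$remaining" -eq 0 ]
}

# Run as: sh move_queue.sh /var/spool/mqueue.in /var/spool/mqueue
if [ "$#" -eq 2 ]; then
    move_queue "$1" "$2"
fi
```

A non-zero return means some files are still in the source directory and the messages on stderr name them.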
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:45 2006
Subject: How to whitelist the mailscanner mailing list? {Scanned by HJ MS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B89@inex1.herffjones.hj-int>

> Just one question, are you getting false positives from the list? I
> don't think I've ever seen one.

Nope - just pondering the process for future reference. I'm only just now starting to deploy to actual users and I'll be surprised if no one asks for some mailing list to be whitelisted soon.

-t.

> -----Original Message-----
> From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
> Sent: Wednesday, September 03, 2003 3:24 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: How to whitelist the mailscanner mailing list?
> {Scanned by
> HJMS}
>
>
> On Wed, 2003-09-03 at 20:46, Hirsh, Joshua wrote:
>
> > All list traffic originates from the SMTP server smtp.jiscmail.ac.uk
> >[130.246.192.48], and the 'MAIL FROM:' is set as
> >owner-mailscanner@JISCMAIL.AC.UK.
>
> > Assuming the whitelists check one of these instead of the message
> >headers,
> >either of them should work.
>
> They do. I'd recommend whitelisting the
> From: owner-mailscanner@JISCMAIL.AC.UK
> rather than by IP (since the IP presumably could change
> without warning.
>
> Just one question, are you getting false positives from the list? I
> don't think I've ever seen one.

From rfabara at NOVADEVICES.COM Wed Sep 3 21:43:59 2003
From: rfabara at NOVADEVICES.COM (DIEGO NOVA)
Date: Thu Jan 12 21:19:45 2006
Subject: What is this? Never heard of scanner 'clamav'!
Message-ID: <013401c3725c$1a439420$0d01a8c0@rfabara>

My email server don't work !!!

In my maillog :

Sep 3 15:43:49 inet3 MailScanner[30205]: Using locktype = flock
Sep 3 15:43:49 inet3 MailScanner[30205]: New Batch: Scanning 3 messages, 8688 bytes
Sep 3 15:43:50 inet3 MailScanner[30205]: Virus and Content Scanning: Starting
Sep 3 15:43:50 inet3 MailScanner[30205]: Never heard of scanner 'clamav'!

Why ?

From cslyon at NETSVCS.COM Wed Sep 3 21:45:46 2003
From: cslyon at NETSVCS.COM (Chris Lyon)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn {Scanned by HJMS}
Message-ID:

On Wed, 3 Sep 2003 15:03:35 -0500, Furnish, Trever G wrote:

>You're close - but sa-learn doesn't update whitelists or blacklists - it
>just trains the Bayesian filtering engine, which identifies patterns in spam
>and uses them to recognize future spam. SpamAssassin passes messages to the
>Bayesian engine and gets a score for each message, just as it does for its
>other rules. This score just becomes part of the cumulative score for the
>message.
>
>There's a FAQ entry on how to set up a script to automatically run sa-learn
>- sounds like you already found that. If you have trouble getting it to
>work, ask for help again.
>

So it is just based on the content of the message. So, if something doesn't look right in the message, give it to sa-learn and it will learn from that e-mail.

>Besides the bayesian filtering, you can also whitelist and blacklist senders
>but I would hesitate to recommend automating that process - I can imagine
>users blindly forwarding spam from the sobig virus to an address that would
>automatically blacklist the sender, which would be a bad thing since sobig
>is likely to come "from" someone who regularly emails you.
>

The issue that I am having is that I have a bunch of users 500+ that forward spam or non-spam to e-mail accounts that needed to be manually processed. (Management choice unfortunately)

So, what if the user forwards a mail to an account to get that sender whitelisted?

>HTH,
>Trever
>
>> -----Original Message-----
>> From: Chris Lyon [mailto:cslyon@NETSVCS.COM]
>> Sent: Wednesday, September 03, 2003 2:34 PM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Training the bayesian engine and sa-learn {Scanned by HJMS}
>>
>>
>> So, I have been reading the FAQ and also the past posts but have a little confusion that I need to resolve. Just to give a little background, I have a lot of users who all have issues with e-mail that is being marked as spam or not being marked as spam. So, I think the answer to this is to have them forward the messages to an unattended mailbox that will autowhitelist or autoblacklist the sender. Is that what sa-learn is all about?
>>
>>
>> So, if I create a spam and non-spam account on server and use the sa-learn to check the messages that my users forward to these accounts, if something was marked as spam and is not, further messages will not be marked again? Conversely, if I have a message that is spam but not marked, I can forward that to spam and it will be marked as spam the next message that comes in from that sender?
>>
>>
>> How does it work, based on content I would assume or does it work by the domain? Also, what happens with stuff being forwarded from different mail clients like outlook?
>>
>>
>> Can anybody shed some light on this one?
>>

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:25:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: virus update scripts.
In-Reply-To: <3F563967.9040908@usg.edu>
Message-ID: <5.2.1.1.2.20030903212112.036edc60@imap.ecs.soton.ac.uk>

At 19:56 03/09/2003, you wrote:
>Hey all, a couple things here. First is with the mcafee-autoupdate
>script in the latest release. What is this extra.dat file it tries to
>download and complains about when it's not there?

I'll leave that one to Tony Finch as he wrote that script.

> Second, there is a
>problem with the update_virus_scanners on Solaris. The grep you have
>uses the -e flag, and unless you happen to have /usr/xpg4/bin first in
>your path you'll be out of luck. I've fixed this by adding the
>following right below the LOCKFILE declaration:
>
>OS=`uname`
>if [ ${OS} = SunOS ]; then
>    echo "Found OS"
>    GREP=/usr/xpg4/bin/grep
>else
>    GREP=grep
>fi
>
>And then changing the subsequent grep to ${GREP}. Adding this should
>fix Solaris systems without breaking any systems that aren't already broken.

Good idea.

>--
>Thanks,
>Bob Jones

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:10:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: Denial Of Service Threshold?
In-Reply-To: <5.1.0.14.2.20030903123133.03139ee0@pop3.net1plus.com>
Message-ID: <5.2.1.1.2.20030903210845.0365f7e8@imap.ecs.soton.ac.uk>

MailScanner generates this when the virus scanner does not complete in a reasonable time (the timeout is configurable in MailScanner.conf) or else it fails with something like a segfault.
Try scanning his attachments by hand after they have been quarantined and see why the virus scanner doesn't terminate nicely.

At 17:34 03/09/2003, you wrote:
>I've searched the docs, user list and search engines but was unable to
>locate any information on whether or not it is possible to adjust the
>settings for DoS attacks. I have a user that sends out a number of emails
>to his clients all at once and they are getting bounced as a virus with a
>report of: "Denial of Service attack in message!"
>
>Is there any way to tweak this setting or disable it entirely?
>
>Regards
>
>Greg Caron
>Systems Administrator
>NET1Plus Internet Services

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:12:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: SIGPIPE received - trying new log socket
In-Reply-To: <2512.10.10.0.101.1062610096.squirrel@intranet>
Message-ID: <5.2.1.1.2.20030903211154.03648e28@imap.ecs.soton.ac.uk>

At 18:28 03/09/2003, you wrote:
>I just upgraded to MailScanner 4.23-11. Now I am getting the line 'SIGPIPE
>received - trying new log socket' in my logfile during every batch:
>
>Sep 3 19:14:58 ram3 sendmail[6764]: h83HEv6O006764: from=,
>size=5334, class=-60, nrcpts=1, msgid=<20030903165456.OKK
>Q4763.pop015.verizon.net@localhost>, proto=ESMTP, daemon=MTA, relay=abc
>[1.2.3.4]
>Sep 3 19:14:58 ram3 MailScanner[4002]: New Batch: Scanning 1 messages,
>5887 bytes
>Sep 3 19:14:58 ram3 MailScanner[4002]: SIGPIPE received - trying new log
>socket
>Sep 3 19:14:58 ram3 MailScanner[4002]: New Batch: Scanning 1 messages,
>5887 bytes
>Sep 3 19:14:58 ram3 MailScanner[4002]: Spam Checks: Starting
>Sep 3 19:15:01 ram3 MailScanner[4002]: Virus and Content Scanning: Starting
>Sep 3 19:15:02 ram3 MailScanner[4002]: Uninfected: Delivered 1 messages
>Sep 3 19:15:02 ram3 sendmail[6794]: h83HEv6O006764: to=,
>delay=00:00:05, xdelay=00:00:00, mailer=local, pri=230127, dsn=2.0.0, sta
>t=Sent
>
>Is this something serious?

No. You aren't using syslog-ng are you?
If all else fails, find the logging statement in Log.pm and comment it out if it's a pain.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:06:08 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: Newbie question related to file type filters
In-Reply-To: <00c301c37232$cd151cb0$660210ac@christo>
References: <5.2.0.9.2.20030903095427.03ee97c8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030903210338.0365f6a8@imap.ecs.soton.ac.uk>

At 16:48 03/09/2003, you wrote:
>Thanx I got the post. Only subscribed today.
>
>Please Help with following.
>In the example below
>
>In filetype.allowall.rules.conf put (separated by tabs, not spaces)
>allow . - -
>
>How can I block executables and allow media files.

Read filetype.rules.conf and comment out the rules you don't like.

>What is each 'field' representing. The . 1st - and second -

The "." is the pattern to match against the filename. A "." means any single character. So this is bound to match against any filename as it just requires the filename to have at least 1 character in it.
The "-" signs in "allow" rules are just placeholders. In "deny" rules they are the strings that are put in the log/sysadmin notices, and the reports that are sent to the users.

>Thanx
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Sent: Wednesday, September 03, 2003 10:55 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Newbie question related to file type filters
>
>
>See my postings from yesterday or the day before that include the word
>"filetype.rules.conf". You'll find them in the archive.
>
>At 07:31 03/09/2003, you wrote:
> >Hi
> >
> >I only configured my MS server last week and it works fine. Spam
> >dropped by about 90%
> >
> >OK My question.
> >
> >By default MS blocks all Executable and Media file types from the
> >filetype.rules.conf file. How can I setup a MS rule to let through
> >these files only for certain email addresses and let the others be
> >blocked. One small rule file example will be enough
> >
> >Thanx
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by MailScanner, and is
> >believed to be clean. Mailscanner thanks
> >transtec Computers for their support.
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:34:02 2003
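The field description in the reply above (action, filename pattern, then the log text and the user report text, separated by tabs) is turned here into a small added checker; it is not MailScanner code. It assumes rules are read top down with the first matching pattern deciding, uses awk regular expressions in place of MailScanner's own matcher, and every rule line and function name is constructed for the example.

```shell
#!/bin/sh
# Added example: check and evaluate a rules file laid out as
#   action<TAB>pattern<TAB>log text<TAB>user report
# Function names and sample rules are constructed for this example.

# write_sample_rules FILE: constructed rules; printf emits real tab characters.
write_sample_rules() {
    {
        printf '# action\tpattern\tlog text\tuser report\n'
        printf 'deny\t\\.(exe|scr)$\tExecutable attachment\tExecutable files are not accepted\n'
        printf 'allow\t\\.(mpe?g|avi|mp3)$\t-\t-\n'
        printf 'allow\t.\t-\t-\n'
    } > "$1"
}

# check_rules FILE: list rule lines that do not split into four tab-separated
# fields starting with allow or deny (the two actions the thread mentions).
# Spaces typed instead of tabs are the usual cause. Returns 1 if any are found.
check_rules() {
    awk -F '\t+' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF != 4 || ($1 != "allow" && $1 != "deny") {
            printf "line %d is not action<TAB>pattern<TAB>log<TAB>report\n", NR
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1" >&2
}

# rule_for FILE NAME: print "action<TAB>log text" for the first rule whose
# pattern matches NAME, or "nomatch" if no well-formed rule matches.
# NAME is passed through the environment so backslashes in it stay literal.
rule_for() {
    NAME=$2 awk -F '\t+' '
        /^[ \t]*#/ || /^[ \t]*$/ || NF != 4 { next }
        ENVIRON["NAME"] ~ $2 { print $1 "\t" $3; hit = 1; exit }
        END { if (!hit) print "nomatch" }
    ' "$1"
}

# Run as: sh rules_check.sh RULES_FILE FILENAME
if [ "$#" -eq 2 ]; then
    check_rules "$1" && rule_for "$1" "$2"
fi
```

With the sample rules, `movie.mpg.exe` is denied because the deny line precedes the media line, and the final `allow .` line matches every remaining name of at least one character.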
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn {Scanned by HJMS}
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C07A6@inex1.herffjones.hj-int>
Message-ID: <5.2.1.1.2.20030903213144.036e4e08@imap.ecs.soton.ac.uk>

The other thing to remember is that, based on the scores from the other rules, it auto-learns from very spammy and very non-spammy messages. So most of the time you don't need to train it manually at all, it will do it on its own.

However, you may also want to have some sort of "spam" and "notspam" mailboxes which get processed by sa-learn. Search the archives for "sa-learn --mbox" or "sa-learn -mbox" and you'll find my scripts to do it all for you.

At 21:03 03/09/2003, you wrote:
>You're close - but sa-learn doesn't update whitelists or blacklists - it
>just trains the Bayesian filtering engine, which identifies patterns in spam
>and uses them to recognize future spam. SpamAssassin passes messages to the
>Bayesian engine and gets a score for each message, just as it does for its
>other rules. This score just becomes part of the cumulative score for the
>message.
>
>There's a FAQ entry on how to set up a script to automatically run sa-learn
>- sounds like you already found that. If you have trouble getting it to
>work, ask for help again.
>
>Besides the bayesian filtering, you can also whitelist and blacklist senders
>but I would hesitate to recommend automating that process - I can imagine
>users blindly forwarding spam from the sobig virus to an address that would
>automatically blacklist the sender, which would be a bad thing since sobig
>is likely to come "from" someone who regularly emails you.
>
>HTH,
>Trever

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:41:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030903203110.63606.qmail@web41406.mail.yahoo.com>
References: <5.2.0.9.2.20030903094622.03f92df0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030903213804.036edda0@imap.ecs.soton.ac.uk>

At 21:31 03/09/2003, you wrote:
>I am running MailScanner 4.21-9

This means that it isn't a problem with the latest release, 4.21 is from back in June.

Is it processing all the messages in the queue with each new batch, or are you getting the maillog reporting that it found a large number of messages waiting, but then only started scanning a few of them? In that case, it's because a lot of the messages are still being delivered to you.

If you could actually submit a chunk of your log showing what (if anything) is happening, then I can try to see what's going on.

>The maillog is just queueing up the messages, it is routing but not a a
>good rate (bad performance). I would run the command but the server that
>was having problems is not up, switched over to another server.
>
>Same as above for the second output request.
>
>I have not changed anything

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:37:44 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
References: <8FFC76593085ED4A80D3601BC41EFCDF8E1B7E@inex1.herffjones.hj-int>
Message-ID: <5.2.1.1.2.20030903213653.036946a8@imap.ecs.soton.ac.uk>

At 21:09 03/09/2003, you wrote:
>Hi!
>
> > I'd say that's definitely a problem outside the scope of MailScanner. If
> > they're in the outbound queue destined for remote addresses, I'd say it's
> > still not related to MailScanner and it may not indicate a problem at all.
>
>No =) It's about the incoming queue. Outgoing is a smart relay host so all
>flow out pretty fast normally.
>
> > Of course, if you mean they were sitting in the incoming queue, then that's
> > probably MailScanner... :-)
>
>Yes it is.

I have tried out a complete batch of mail someone sent me, and it processed it perfectly happily on my system. It just gently chugged through it, no holdups at all. So I still cannot reproduce this problem.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:48:39 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: What is this? Never heard of scanner 'clamav'!
In-Reply-To: <013401c3725c$1a439420$0d01a8c0@rfabara>
Message-ID: <5.2.1.1.2.20030903214716.036846d0@imap.ecs.soton.ac.uk>

At 21:43 03/09/2003, you wrote:
>My email server don't work !!!
>
>In my maillog :
>
>
>Sep 3 15:43:49 inet3 MailScanner[30205]: Using locktype = flock
>
>Sep 3 15:43:49 inet3 MailScanner[30205]: New Batch: Scanning 3 messages,
>8688 bytes
>
>Sep 3 15:43:50 inet3 MailScanner[30205]: Virus and Content Scanning: Starting
>
>Sep 3 15:43:50 inet3 MailScanner[30205]: Never heard of scanner 'clamav'!
>
>Why ?

Have you done anything to /etc/MailScanner/virus.scanners.conf?
Or changed the setting of
Virus Scanner Definitions =
in your MailScanner.conf file?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Wed Sep 3 21:53:03 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5.2.1.1.2.20030903213653.036946a8@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >Yes it is.
>
> I have tried out a complete batch of mail someone sent me, and it processed
> it perfectly happily on my system. It just gently chugged through it, no
> holdups at all. So I still cannot reproduce this problem.

Clear, most likely hard to find anyway.... there are several people with this problem, i guess you could have a look on one of the boxes :)

I was hoping it would be reproducible with the batch i sent in.

Bye,
Raymond.

From vanhorn at whidbey.com Wed Sep 3 21:55:07 2003
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7917@pascal.priv.bmrb.co.uk> <1062620289.27350.17.camel@bach.kevinspicer.co.uk>
Message-ID: <3F56552B.63C1A308@whidbey.com>

Kevin Spicer wrote:

> You can best improve the accuracy by adding DCC, razor2 and pyzor, and
> by letting SA do RBL checks rather than MailScanner.

I've always had MailScanner handling the RBL, is there really a performance or accuracy issue here?

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations on a theme
delivered every morning. Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For web hosting and maintenance, visit Van's home page:
http://www.domainvanhorn.com/van/
----------------------------------------------------------

From llasad1 at YAHOO.COM Wed Sep 3 21:55:23 2003
From: llasad1 at YAHOO.COM (lester lasad) Date: Thu Jan 12 21:19:45 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <36591.10.10.1.71.1062594144.squirrel@webmailtest.shcorp.com> Message-ID: <20030903205523.86738.qmail@web41409.mail.yahoo.com> Just to refresh, Mail was in the incoming queue only /var/spool/mqueue.in. Mail was routing but at a very slow pace (not at it's normal rate). I am running MS 4.21-9 and also using spamassassin 2.55-1. I have been using this setup since January 3rd, of 2003 with no problems. I have of course upgraded the packages along the way. No changes have been made to the server in the recent past, it has been running with no problems. Thankfully, I had a secondary SMTP server that I moved into the Primary spot. I am using the same versions of MailScanner and spamassassin on that server. Mail has been routing fine all day after changing the servers around. I used Kurt Yoders suggestions below which helped in clearing up the queue on the other server. Thanks for all of your suggestions and assistance!!! If you need more info please let me know. Kurt Yoder wrote: lester lasad said: > > > "Spicer, Kevin" wrote: > Which queue? > > All are in the mqueue.in > > As I said, if you're happy to bypass MailScanner to get the mail > delivered follow the instructions below. 
> > Tried running your commands and received the following: > >> service MailScanner stop > > Shutting down MailScanner daemons: > > MailScanner: [ OK ] > > incoming sendmail: [ OK ] > > outgoing sendmail: [ OK ] > >> mv /var/spool/mqueue.in/* /var/spool/mqueue > > sh: line 1: /bin/mv: Argument list too long Here's a trick to get around this: stop mailscanner as above (stop sendmail service) /etc/init.d/sendmail stop mv /var/spool/mqueue /var/spool/mqueue.old mv /var/spool/mqueue.in /var/spool/mqueue mv /var/spool/mqueue.old /var/spool/mqueue.in (start sendmail service) /etc/init.d/sendmail start Now sendmail should grab *everything* in the folder you just renamed to mqueue and deliver it. -- Kurt Yoder Sport & Health network administrator --------------------------------- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030903/0ef60b8f/attachment.html From TGFurnish at HERFF-JONES.COM Wed Sep 3 21:57:24 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:45 2006 Subject: Training the bayesian engine and sa-learn {Scanned by HJMS} Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B8A@inex1.herffjones.hj-int> > From: Chris Lyon [mailto:cslyon@NETSVCS.COM] > Sent: Wednesday, September 03, 2003 3:46 PM > > The issue that I am having is that I have a bunch of users 500+ that > forward spam or non-spam to e-mail accounts that needed to be manualy > processed. (Management choice unfortunately) I would think having 500 users do anything is overkill. :-) > So, what if the user forwards a mail to an account to get that sender > whitelisted? As I said, sa-learn doesn't impact whitelists or blacklists at all. If you want to do that you'll have to script up something else. Again though, almost certainly not a safe idea. > -----Original Message----- 
> From: Chris Lyon [mailto:cslyon@NETSVCS.COM]
> Sent: Wednesday, September 03, 2003 3:46 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Training the bayesian engine and sa-learn {Scanned by HJMS}
>
> On Wed, 3 Sep 2003 15:03:35 -0500, Furnish, Trever G JONES.COM> wrote:
>
> >You're close - but sa-learn doesn't update whitelists or blacklists - it
> >just trains the Bayesian filtering engine, which identifies patterns in spam
> >and uses them to recognize future spam. SpamAssassin passes messages to the
> >Bayesian engine and gets a score for each message, just as it does for its
> >other rules. This score just becomes part of the cumulative score for the
> >message.
> >
> >There's a FAQ entry on how to set up a script to automatically run sa-learn
> >- sounds like you already found that. If you have trouble getting it to
> >work, ask for help again.
> >
>
> So it is just based on the content of the message. So, if something doesn't
> look right in the message, give it to sa-learn and it will learn from that
> e-mail.
>
> >Besides the bayesian filtering, you can also whitelist and blacklist senders
> >but I would hesitate to recommend automating that process - I can imagine
> >users blindly forwarding spam from the sobig virus to an address that would
> >automatically blacklist the sender, which would be a bad thing since sobig
> >is likely to come "from" someone who regularly emails you.
> >
> The issue that I am having is that I have a bunch of users 500+ that
> forward spam or non-spam to e-mail accounts that needed to be manually
> processed. (Management choice unfortunately)
>
> So, what if the user forwards a mail to an account to get that sender
> whitelisted?
>
> >HTH,
> >Trever
> >
> >> -----Original Message-----
> >> From: Chris Lyon [mailto:cslyon@NETSVCS.COM]
> >> Sent: Wednesday, September 03, 2003 2:34 PM
> >> To: MAILSCANNER@JISCMAIL.AC.UK
> >> Subject: Training the bayesian engine and sa-learn {Scanned by HJMS}
> >>
> >> So, I have been reading the FAQ and also the past posts but have a little
> >> confusion that I need to resolve. Just to give a little background, I have
> >> a lot of users who all have issues with e-mail that is being marked as spam
> >> or not being marked as spam. So, I think the answer to this is to have them
> >> forward the messages to an unattended mailbox that will autowhitelist or
> >> autoblacklist the sender. Is that what sa-learn is all about?
> >>
> >> So, if I create a spam and non-spam account on server and use the sa-learn
> >> to check the messages that my users forward to these accounts, if something
> >> was marked as spam and is not, further messages will not be marked again?
> >> Conversely, if I have a message that is spam but not marked, I can forward
> >> that to spam and it will be marked as spam the next message that comes in
> >> from that sender?
> >>
> >> How does it work, based on content I would assume or does it work by the
> >> domain? Also, what happens with stuff being forwarded from different mail
> >> clients like outlook?
> >>
> >> Can anybody shed some light on this one?
> >>

From raymond at PROLOCATION.NET Wed Sep 3 21:59:20 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5.2.1.1.2.20030903213804.036edda0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >I am running MailScanner 4.21-9
>
> This means that it isn't a problem with the latest release, 4.21 is from
> back in June.

Last night I downgraded to 4.22 on one of my boxes, a pain since I had some of the new features running, but that didn't help either, and indeed, if 4.21 also does it, it seems there is some new thing that's doing it. Like we had way back also ...

> Is it processing all the messages in the queue with each new batch, or are
> you getting the maillog reporting that it found a large number of messages
> waiting, but then only started scanning a few of them? In that case, it's
> because a lot of the messages are still being delivered to you.

No, in my case it was like this: 12 workers, 70 messages. 8 workers got 8 x 70. Those would not come out of the queue. I monitored those exact files, they stayed very very long, as in 50 minutes or so. The other workers were processing new messages and that went ok, so it seems some were stuck. The 8 other workers seemed more or less frozen. With the very few workers left the system went crazy on backlog, making it only worse...

I didn't use any RBL checking or SA so it's only the virus scanner and the filename stuff. I also cut down the TNEF timeout to 30 seconds...

> If you could actually submit a chunk of your log showing what (if anything)
> is happening, then I can try to see what's going on.

You can have all my logs, only thing is they are around 180 Meg daily for each server. But it's not showing anything strange, those batches just take DAMN long to end up, but eventually they do...

Thanks,
Raymond.

From raymond at PROLOCATION.NET Wed Sep 3 22:01:21 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030903205523.86738.qmail@web41409.mail.yahoo.com>
Message-ID:

Hi!

> Just to refresh, Mail was in the incoming queue only
> /var/spool/mqueue.in. Mail was routing but at a very slow pace (not at
> its normal rate). I am running MS 4.21-9 and also using spamassassin
> 2.55-1. I have been using this setup since January 3rd, of 2003 with no
> problems. I have of course upgraded the packages along the way. No
> changes have been made to the server in the recent past, it has been
> running with no problems.

What OS/Version? RH9?

Bye,
Raymond.

From kevins at BMRB.CO.UK Wed Sep 3 22:18:40 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7933@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7933@pascal.priv.bmrb.co.uk>
Message-ID: <1062623921.26526.29.camel@bach.kevinspicer.co.uk>

On Wed, 2003-09-03 at 21:55, G. Armour Van Horn wrote:
>Kevin Spicer wrote:
>> You can best improve the accuracy by adding DCC, razor2 and pyzor, and
>> by letting SA do RBL checks rather than MailScanner.
>I've always had MailScanner handling the RBL, is there really a performance
>or accuracy issue here?

Not _really_, I guess it's personal choice. The thrust of what I was trying to say was that if the poster was getting false positives from SA, letting SA do the RBL checks will increase the scores for many spams, increasing the differentiation in scores between spam and ham. I should have added that there may be a need to tune the thresholds in this case.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From cslyon at NETSVCS.COM Wed Sep 3 22:27:12 2003
From: cslyon at NETSVCS.COM (Chris Lyon)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn {Scanned by HJMS}
Message-ID:

On Wed, 3 Sep 2003 15:57:24 -0500, Furnish, Trever G wrote:
>> From: Chris Lyon [mailto:cslyon@NETSVCS.COM]
>> Sent: Wednesday, September 03, 2003 3:46 PM
>>
>> The issue that I am having is that I have a bunch of users 500+ that
>> forward spam or non-spam to e-mail accounts that needed to be manually
>> processed. (Management choice unfortunately)
>
>I would think having 500 users do anything is overkill. :-)
>

Believe me, I wish that I didn't have that overkill, headache, pain in the A!@ problem. The issue is I don't want to do the work, and as we put more MailScanners in, the workload gets greater.

>> So, what if the user forwards a mail to an account to get that sender
>> whitelisted?
>
>As I said, sa-learn doesn't impact whitelists or blacklists at all. If you
>want to do that you'll have to script up something else. Again though,
>almost certainly not a safe idea.
>

So, sa-learn won't do the whitelist or blacklist but I can write a perl script to get that done. So, grep the sender and put that into the whitelist file. Seems an easy way to do it, and if it creates problems for the users, they created it so I won't feel so bad until I am made to fix it. That is another issue.

>> -----Original Message-----
>> From: Chris Lyon [mailto:cslyon@NETSVCS.COM]
>> Sent: Wednesday, September 03, 2003 3:46 PM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: Training the bayesian engine and sa-learn {Scanned by HJMS}
>>
>> On Wed, 3 Sep 2003 15:03:35 -0500, Furnish, Trever G > JONES.COM> wrote:
>>
>> >You're close - but sa-learn doesn't update whitelists or blacklists - it
>> >just trains the Bayesian filtering engine, which identifies patterns in spam
>> >and uses them to recognize future spam. SpamAssassin passes messages to the
>> >Bayesian engine and gets a score for each message, just as it does for its
>> >other rules. This score just becomes part of the cumulative score for the
>> >message.
>> >
>> >There's a FAQ entry on how to set up a script to automatically run sa-learn
>> >- sounds like you already found that. If you have trouble getting it to
>> >work, ask for help again.
>> >
>>
>> So it is just based on the content of the message. So, if something doesn't
>> look right in the message, give it to sa-learn and it will learn from that
>> e-mail.
>>
>> >Besides the bayesian filtering, you can also whitelist and blacklist senders
>> >but I would hesitate to recommend automating that process - I can imagine
>> >users blindly forwarding spam from the sobig virus to an address that would
>> >automatically blacklist the sender, which would be a bad thing since sobig
>> >is likely to come "from" someone who regularly emails you.
>> >
>> The issue that I am having is that I have a bunch of users 500+ that
>> forward spam or non-spam to e-mail accounts that needed to be manually
>> processed. (Management choice unfortunately)
>>
>> So, what if the user forwards a mail to an account to get that sender
>> whitelisted?
>>
>> >HTH,
>> >Trever
>> >
>> >> -----Original Message-----
>> >> From: Chris Lyon [mailto:cslyon@NETSVCS.COM]
>> >> Sent: Wednesday, September 03, 2003 2:34 PM
>> >> To: MAILSCANNER@JISCMAIL.AC.UK
>> >> Subject: Training the bayesian engine and sa-learn {Scanned by HJMS}
>> >>
>> >> So, I have been reading the FAQ and also the past posts but have a little
>> >> confusion that I need to resolve. Just to give a little background, I have
>> >> a lot of users who all have issues with e-mail that is being marked as spam
>> >> or not being marked as spam. So, I think the answer to this is to have them
>> >> forward the messages to an unattended mailbox that will autowhitelist or
>> >> autoblacklist the sender. Is that what sa-learn is all about?
>> >>
>> >> So, if I create a spam and non-spam account on server and use the sa-learn
>> >> to check the messages that my users forward to these accounts, if something
>> >> was marked as spam and is not, further messages will not be marked again?
>> >> Conversely, if I have a message that is spam but not marked, I can forward
>> >> that to spam and it will be marked as spam the next message that comes in
>> >> from that sender?
>> >>
>> >> How does it work, based on content I would assume or does it work by the
>> >> domain? Also, what happens with stuff being forwarded from different mail
>> >> clients like outlook?
>> >>
>> >> Can anybody shed some light on this one?
>> >>

From dan at OXNARDSD.ORG Wed Sep 3 22:11:58 2003
From: dan at OXNARDSD.ORG (Dan Kubilos)
Date: Thu Jan 12 21:19:45 2006
Subject: Leaving Email Unaltered
Message-ID:

Been bashing my head in. My boss is peeved.

I want to convert html to text by default. Boss and other VIPs receive a newsletter that I need to leave untouched. I am using rulesets but am missing something.

Full header of newsletter as delivered is *****

From henker at S-H-COM.DE Wed Sep 3 22:20:10 2003
From: henker at S-H-COM.DE (Steffan Henke)
Date: Thu Jan 12 21:19:45 2006
Subject: F-prot revisited
In-Reply-To: <200309031917.h83JHUr02416@ori.rl.ac.uk>
References: <200309031917.h83JHUr02416@ori.rl.ac.uk>
Message-ID:

On Wed, 3 Sep 2003, Alan Fiebig wrote:

> While F-Prot's $29 Linux workstation version is all you technically need
> to run with MailScanner, per F-Prot, you would be in violation of their
> license. Their expensive 'per user' mail server version contains a whole

But they don't sell the command line version for servers! They just sell bigger products - and we don't need that, we use MailScanner.

It's really disappointing looking for quotes on products from all the vendors I have looked at. We just need a command line scanner, nothing else.

Last week, a Panda sales rep called me because I dl'ed the trial version. They could NOT tell me what the price for the final thing was! They went on with "how many users you have, how many mboxes?" - geez, I don't count my users' mboxes every day. And the funny thing in their trial is that it prints "FREEWARE" when running - in a recent comparison of Linux virus scanners, it was also mentioned as "Freeware" in the German computer magazine "c't" lately. I told Panda their product is useless if it does not include automatic signature updates.

> liked what I saw, and I supplied Julian with a licensed copy so he
> could add support for their product, e-Trust, to MailScanner.

Even on the CA page, I didn't see a final price for the product I need, but maybe at that time I was already too tired after trying to find a price.

Maybe all MailScanner users should unite and buy licences together, I'm sure we would get a discount :)

Regards,
Steffan

From kevins at BMRB.CO.UK Wed Sep 3 22:46:54 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:45 2006
Subject: Leaving Email Unaltered
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A793A@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A793A@pascal.priv.bmrb.co.uk>
Message-ID: <1062625614.26526.34.camel@bach.kevinspicer.co.uk>

On Wed, 2003-09-03 at 22:11, Dan Kubilos wrote:
>Been bashing my head in. My boss is Peeved.
>I want to convert html to text by default.
>Boss and other vips receive a newsletter that I need to leave untouched. I
>am using rulesets but am missing something.

Probably the envelope details differ from those in the headers. Grep your maillog for the messageID to find the address to use in your ruleset.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Steve.Swaney at FSL.com Wed Sep 3 22:40:57 2003
From: Steve.Swaney at FSL.com (Stephen Swaney)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
References:
Message-ID: <1062625257.2403.91.camel@speedy>

I'm starting to suspect that something besides MailScanner may be the cause of this mysterious problem.

We have a new install of MailScanner that has been chugging nicely along since Sunday. All of the sudden between 10 & 11 AM EDT the "New Batch: Found ***** messages waiting" started creeping rapidly up, until it reached about 15,000 around 2:00 PM. I've been closely monitoring this server since Sunday and it's never had more than 200 messages queued before. It's no powerhouse, a 1 GHz Pentium with 512 MB RAM, but it was chugging nicely along until today.

We're now dropping the queue about 2,000 messages per hour by routing outbound email through another gateway.

I can't do a lot of log diagnosis on the system right now because the load is a bit high and I don't want to disrupt the cleanup. I just think it's strange that all of the sudden so many of us are experiencing the same problem with different versions of MailScanner.

Only thing new in my system's logs is the reporting of:

Report: ClamAV: patch.exe contains Worm.Dumaru

which started about the same time as the queue backup.

From the web:

"Dumaru is a mass mailing worm, uses e-mail addresses collected from htm, wab, html, dbx, tbb, abd files to distribute infected messages. Dumaru worm arrives as an e-mail attachment. The infected attachment name will be "patch.exe"."

Can't see why this would cause a problem if we're stopping it, but it's the only apparent anomaly in the logs.

Any ideas?

Steve

Stephen Swaney
President
Fortress Systems, Ltd.
www.FSL.com
Steve.Swaney@FSL.com
Phone: 202 338-1670
Fax: 202 448-2969
U.S. Toll Free Phone and Fax: 877 746-6636

--
This message has been scanned for viruses and dangerous content by MailScanner and Sophos Anti-Virus at Fortress Systems.com and is believed to be clean.
--
Postmaster@FSL.com
Fortress Systems, Ltd. Email Gateways
info@FSL.com
www.FSL.com

From COMBSTM at APPSTATE.EDU Wed Sep 3 22:54:13 2003
From: COMBSTM at APPSTATE.EDU (T. Combs)
Date: Thu Jan 12 21:19:45 2006
Subject: Leaving Email Unaltered
In-Reply-To: "Your message dated Wed, 03 Sep 2003 22:46:54 +0100" <1062625614.26526.34.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A793A@pascal.priv.bmrb.co.uk>
Message-ID: <01L08J8RMW6K9S446E@appstate.edu>

> >Boss and other vips receive a newsletter that I need to leave untouched. I
> >am using rulesets but am missing something.

> Probably the envelope details differ from those in the headers. Grep
> your maillog for the messageID to find the address to use in your
> ruleset.

The envelope address is usually in the Return-Path: header.

The return is *@sbl.cc
which is probably not equal to *@*.sbl.cc

I would make this change and test again.

--
Combstm@appstate.edu
Appalachian State University (828)262-6297
Information Technology Services FAX: (828)262-2236

From raymond at PROLOCATION.NET Wed Sep 3 23:07:15 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: MailScanner with Exim
In-Reply-To: <105478843.1062619046@jemima.zanker.org>
Message-ID:

Hi!

> I recently changed from MailScanner/Sendmail to MailScanner/Exim. The
> whole process was really straightforward thanks to the installation
> guide for MS/Exim. Everything is working fine but I have noticed a very
> large number of files building up in /var/spool/exim.in/msglog. Each
> one contains a single log entry for the reception of the message
> referenced by the filename.
>
> Is it usual for these files to be produced? If so, how are others
> dealing with them - cron job to delete them every day?

I wrote a little HOW-TO a few days ago, will submit it on the website also. What you need is in there also, have a look:

HOW-TO migrate from Sendmail to Exim with a MailScanner setup.

23 August 2003. By Raymond Dijkxhoorn, Prolocation.
raymond@prolocation.net / www.prolocation.net

This document can be used as a guideline when you want to migrate from Sendmail to Exim but already have MailScanner installed. It's a guideline for an RPM installed box, but most likely pretty easy to follow for other installations also.

Download the latest Exim 4.x package from ftp.exim.org. The one we used was the RPM install, but the package itself is pretty simple to build. Version used when making this document was Exim 4.22.

Stop your running MailScanner setup. Make sure cron isn't restarting it.

service MailScanner stop
(service crond stop)

Install the Exim RPMs

rpm -Uvh exim-4.22-1_10.rh9.i386.rpm exim-perl-4.22-1_10.rh9.i386.rpm

Now we need to change the MailScanner.conf, these are the changes we made:

Run As User = exim
Run As Group = exim
Incoming Queue Dir = /var/spool/exim.in/input
Outgoing Queue Dir = /var/spool/exim/input
MTA = exim
Sendmail = /usr/sbin/exim
Sendmail2 = /usr/sbin/exim

These are about the changes you need, be sure to check the split spool settings.

Now make the needed dirs:

mkdir /var/spool/exim.in
mkdir /var/spool/exim.in/input

Link the exim msglog dirs so the msglog mechanism exim uses won't break.

ln -s /var/spool/exim/msglog /var/spool/exim.in/msglog

On busy systems you could disable the use of the msglog dirs, this will save on disk io. You can do this in your exim config:

no_message_logs

Alter the rights of the dir so exim can write

chown exim.exim /var/spool/exim.in -R

The next part is for people who also installed SpamAssassin; we had SA running with Pyzor, Razor and DCC installed. Since exim is running as user exim, and the tests are also executed as exim, you have to 'save' your old settings.

Move the old dirs to /var/spool/exim, the exim home directory...

.pyzor
.razor
.spamassassin

Chown them to exim.exim, and you are set. If you had the bayes files elsewhere then don't forget to chown those also to exim.exim.

There is a nice install document on the MailScanner Exim install, so for that part, go to:

http://www.sng.ecs.soton.ac.uk/mailscanner/install/exim.shtml

We used the 'One Exim configuration file' part of that document.

Don't forget the crontab for Exim that cycles the logs and cleans up the hints databases, also mentioned on the same page.

You now only need to configure exim with your site specific settings. The config file is located in /etc/exim

When migrating from sendmail you most likely had a relay-domains file and a mailertable file, you can simply use this to replace that within exim.

domainlist relay_to_domains = /etc/exim/relay-domains

mailertable_router:
  driver = manualroute
  domains = ! +local_domains
  route_data = ${lookup{$domain}lsearch{/etc/exim/mailertable}}
  transport = remote_smtp

You need to alter the format of the files a little, exim takes the list like for the mailertable, the relay-domains i had unchanged

After you are done with the exim config you should not forget to change /etc/sysconfig/mailscanner
You also have to tell it there that you switched over to exim. My config is called exim4.conf so I changed that also in that same file.

You might need to remove the MS lock files in /tmp, they are most likely having the wrong owners also. Just delete them, MS will recreate them.

That's about it. You can now have a try and start up MailScanner again, with your fresh Exim installation.

service MailScanner start
(service crond start)

If you have things like MailScanner-MRTG installed, look carefully if that won't break anything.

Good luck migrating.

Bye,
Raymond.

From raymond at PROLOCATION.NET Wed Sep 3 23:10:50 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <1062625257.2403.91.camel@speedy>
Message-ID:

Hi!

> I'm starting to suspect that something besides MailScanner may be the
> cause of this mysterious problem.
>
> We have a new install of MailScanner that has been chugging nicely along
> since Sunday. All of the sudden between 10 & 11 AM EDT the "New Batch:
> Found ***** messages waiting" started creeping rapidly up. until it
> reached about 15,000 around 2:00 PM. I've been closely monitoring this
> server since Sunday and it's never had more than 200 messages queued
> before. It's no powerhouse, a 1 GHz Pentium with 512 MB RAM but it was
> chugging nicely along until today.

I have been suspecting this all along, but it will be hard for Julian to catch this since it seems hard to reproduce at his end.

The strange thing is that I was able to reproduce it with the zip I sent Julian on two other boxes also...

Bye,
Raymond

From SJCJonker at SJC.NL Wed Sep 3 23:22:57 2003
From: SJCJonker at SJC.NL (Stijn Jonker)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
References:
Message-ID: <3F5669C1.4050501@SJC.nl>

Hello all,

Although I don't have the problem (or haven't encountered it yet) I saw RH9 mentioned a few times. Within RH9 I have seen a few perl scripts (AutoRPM comes to mind) not running correctly. This was fixed by bypassing the internationalization, although I'm running on the "default" en_US.UTF-8 "language". For autorpm it was fixed by putting LC_ALL=C in the script.

Maybe Raymond, you could try the batch you have problems with after you modified the /etc/init.d/MailScanner (or equiv) to include the export LC_ALL=C statement.

It's a long shot from my side, as I said I haven't encountered the issue yet. But it's worth a try.

P.S. I have not checked/don't know where to look if and how changing the internationalization for MS & SA could have an effect on the functioning of both.

Raymond Dijkxhoorn said the following on 09/03/2003 10:53 PM:
| Hi!
|
|>>Yes it is.
|>
|>I have tried out a complete batch of mail someone sent me, and it processed
|>it perfectly happily on my system. It just gently chugged through it, no
|>holdups at all. So I still cannot reproduce this problem.
|
| Clear, most likely hard to find anyway.... there are several people with
| this problem, i guess you could have a look on one of the boxes :)
|
| I was hoping it would be reproducible with the batch i sent in.
|
| Bye,
| Raymond.

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker

From keith at MIDNIGHTHAX.COM Wed Sep 3 23:42:27 2003
From: keith at MIDNIGHTHAX.COM (Keith Edmunds)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C07A4@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF0C07A4@inex1.herffjones.hj-int>
Message-ID: <20030903234227.6b0ee26a.keith@midnighthax.com>

On Wed, 3 Sep 2003 14:18:47 -0500 "Furnish, Trever G" wrote:

> for file in `find /var/spool/mqueue.in -type f`;
> do
> mv $file /var/spool/mqueue
> done
>
> Be sure you get the quotes right around the find command - they're
> "backticks", ie backwards apostrophes, not double-quotes or
> apostrophes.

There's nothing wrong in what you have written at all, but sometimes it is easier for others to read if you use the alternative syntax:

for file in $(find /var/spool/mqueue.in -type f);
do
    mv $file /var/spool/mqueue
done

- saves all that hassle with precisely _which_ key is the backtick.

--
Keith Edmunds

From brose at MED.WAYNE.EDU Wed Sep 3 23:46:26 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:45 2006
Subject: Mailscanner and Warning Messages
Message-ID:

Am I correct in what I'm seeing? When MailScanner creates the warning messages, is it dropping the message into mqueue.in? I've been watching queues and I was surprised to see them in mqueue.in since I would have thought it would drop them in mqueue. If it's placed in mqueue.in wouldn't that be more work since mailscanner is scanning that message on the next pass?

-=Bobby

From keith at MIDNIGHTHAX.COM Wed Sep 3 23:51:22 2003
From: keith at MIDNIGHTHAX.COM (Keith Edmunds)
Date: Thu Jan 12 21:19:45 2006
Subject: MailScanner+PostFix
In-Reply-To: <5.2.1.1.2.20030831111641.02730b38@imap.ecs.soton.ac.uk>
References: <3F50C9F9.21E2DBAD@whidbey.com> <5C0296D26910694BB9A9BBFC577E7AB0015A77F7@pascal.priv.bmrb.co.uk> <1062245470.23305.36.camel@bach.kevinspicer.co.uk> <3F50C9F9.21E2DBAD@whidbey.com> <5.2.1.1.2.20030831111641.02730b38@imap.ecs.soton.ac.uk>
Message-ID: <20030903235122.346637f5.keith@midnighthax.com>

On Sun, 31 Aug 2003 11:19:35 +0100 Julian Field wrote:

> I would advise you look at Exim instead. Due to the structure of
> Postfix, MailScanner has to do a heck of a lot more i/o than it does
> when working with sendmail or Exim, so it's not very efficient. The
> body of every message has to be copied between queues, as opposed to
> just linked and deleted as it does with sendmail and Exim.
>
> Postfix has a (deservedly) good reputation, it's just that its
> internal design doesn't fit with MailScanner very well.

Is it fair to say that the duplicate mail problem with Postfix is unlikely to be resolved in the near future? Don't get me wrong, I'm not knocking either MS or Postfix, I just want to know! I use Postfix on a number of installations and I think I'm faced with the choice of:

a) migrating to, say, exim or
b) putting up with the duplicate mails

If I'm wrong, correction would be welcomed. Is it likely that there will ever be a tighter integration between Postfix and MS which would work around these issues?

Thanks,
Keith

From raymond at PROLOCATION.NET Wed Sep 3 23:52:18 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: Mailscanner and Warning Messages
In-Reply-To:
Message-ID:

Hi!

> Am I correct in what I'm seeing? When MailScanner creates the warning
> messages is it dropping the message into mqueue.in? I've been watching
> queues and I was surprised to see them in mqueue.in since I would have
> thought it would drop them in mqueue. If it's placed in mqueue.in
> wouldn't that be more work since mailscanner is scanning that message on
> the next pass?

That's the way it works, yes, pretty safe :)

Julian, to avoid wasting valuable resources would it be possible to make it configurable where to place them? In the outgoing queue would be better. But on the other hand I can imagine you don't want to write the message itself but let a local process handle that, since queue files differ for each mailer.

Bye,
Raymond.

From brose at MED.WAYNE.EDU Thu Sep 4 00:00:07 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:45 2006
Subject: Mailscanner and SpamChecks
Message-ID:

Another question: I noticed that even if Spam Checks is off, the logs still say spam checks. I know that that comes from the log spam option, but the MS processes are still running through the spam check subroutines in MessageBatch. Granted it's really not doing the checks, I was still wondering why it doesn't just skip the spam/ham routines altogether and go straight to virus checking when spam checks is off.

We had routing issues today and got dumped on when it came back up, so I've been staring at queues and logs all day. I'd turned off the spam checks to clear the queues faster and it just couldn't go fast enough for me. ;-)

From brose at MED.WAYNE.EDU Thu Sep 4 00:02:53 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:45 2006
Subject: MailScanner feature request
Message-ID:

Is it possible to have MailScanner note the Sender IP in the logs for a message that it finds a virus on? That'll make it easier to pull out the people that are pounding the heck out of MailScanner so that they can just be blocked entirely.

-=Bobby

From raymond at PROLOCATION.NET Thu Sep 4 00:19:36 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: MailScanner feature request
In-Reply-To:
Message-ID:

Hi!

> Is it possible to have MailScanner note the Sender IP in the logs for a
> message that it finds a virus on. That'll make it easier to pull out
> the people that are pounding the heck out of MailScanner so that the can
> just just be blocked entirely.

# Include the full headers of each message in the notices sent to the local
# system administrators?
# This can also be the filename of a ruleset.
Notices Include Full Headers = yes

Bye,
Raymond.

From brose at MED.WAYNE.EDU Thu Sep 4 00:44:01 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:45 2006
Subject: MailScanner feature request
Message-ID:

You can't run a report on that easily enough. If the IP address is in the log, then maybe David's mailstats can grab it so that you can see the virus guys. I can even see his autoblocker function using it.

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET] Sent: Wednesday, September 03, 2003 7:20 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner feature request Hi! > Is it possible to have MailScanner note the Sender IP in the logs for > a message that it finds a virus on? That'll make it easier to pull > out the people that are pounding the heck out of MailScanner so that > they can just be blocked entirely. # Include the full headers of each message in the notices sent to the local # system administrators? # This can also be the filename of a ruleset. Notices Include Full Headers = yes Bye, Raymond. From Steve.Swaney at FSL.com Thu Sep 4 05:12:58 2003 
From: Steve.Swaney at FSL.com (Stephen Swaney) Date: Thu Jan 12 21:19:45 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: References: Message-ID: <1062648778.2403.207.camel@speedy> Stopping spamassassin RBL checks solved the problem here. in spam.assassin.prefs.conf skip_rbl_checks 1 Pyzor, Razor and DCC all appear to be fine. It looks like this started around 11:00 AM EDT. Steve Steve.Swaney@FSL.com On Wed, 2003-09-03 at 18:10, Raymond Dijkxhoorn wrote: > Hi! > > > I'm starting to suspect that something besides MailScanner may be the > > cause of this mysterious problem. > > > > We have a new install of MailScanner that has been chugging nicely along > > since Sunday. All of a sudden between 10 & 11 AM EDT the "New Batch: > > Found ***** messages waiting" started creeping rapidly up, until it > > reached about 15,000 around 2:00 PM. I've been closely monitoring this > > server since Sunday and it's never had more than 200 messages queued > > before. It's no powerhouse, a 1 GHz Pentium with 512 MB RAM but it was > > chugging nicely along until today. > > I am suspecting this all along, but will be hard for Julian to catch this > since it seems hard to reproduce at his end. > > The strange thing is that I was able to reproduce it with the zip I > sent Julian on two other boxes also... > > Bye, > Raymond -- This message has been scanned for viruses and dangerous content by MailScanner and Sophos Anti-Virus at Fortress Systems.com and is believed to be clean. -- Postmaster@FSL.com Fortress Systems, Ltd. Email Gateways info@FSL.com www.FSL.com From mike at ZANKER.ORG Thu Sep 4 06:04:26 2003 
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:19:45 2006 Subject: MailScanner with Exim In-Reply-To: References: Message-ID: <141898312.1062655466@jemima.zanker.org> On 04 September 2003 00:07 +0200 Raymond Dijkxhoorn wrote: > I wrote a little HOW-TO a few days ago, will submit it on the website > also. What you need it in there also, have a look: Thank you Raymond, that certainly does answer my question. I had done everything you mention *except* linking the msglog directories! Regards, Mike. From evertjan at VANRAMSELAAR.NL Thu Sep 4 06:08:44 2003 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:19:45 2006 Subject: SIGPIPE received - trying new log socket In-Reply-To: <5.2.1.1.2.20030903211154.03648e28@imap.ecs.soton.ac.uk> References: <2512.10.10.0.101.1062610096.squirrel@intranet> <5.2.1.1.2.20030903211154.03648e28@imap.ecs.soton.ac.uk> Message-ID: <48349.194.151.195.222.1062652124.squirrel@mail.vanramselaar.nl> Julian Field said: >>Sep 3 19:14:58 ram3 MailScanner[4002]: SIGPIPE received - trying new log >>socket >>Is this something serious? > > No. You aren't using syslog-ng are you? Nope. Just the standard syslogd. > If all else fails, find the logging statement in Log.pm and comment it out > if it's a pain. Well I was just curious if something was wrong, because I had never seen it before the last MS upgrade. Thanks for pointing out I don't have to worry... :o) -- Evert Jan van Ramselaar Van Ramselaar Info Tech From zfajfr at krnap.cz Thu Sep 4 06:28:23 2003 
From: zfajfr at krnap.cz (Zdenek Fajfr) Date: Thu Jan 12 21:19:46 2006 Subject: Spam Action "Forward" doesn't work In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB5AC4@eqmail1.efni.vpn> Message-ID: Well, the thing is that I don't want to deliver spam to users any more; I just want to be able to check the spam occasionally for false positives. So I thought I could pick up the spam, deliver it to one common e-mail address (me) passing it through a filtering rule in Outlook to separate it from ordinary mail and storing it in a folder called 'SPAM'. I wonder why the log records say Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316 actions are bounce,store,forward,postmaster@krnap.cz !?!?!? One would expect there ....forward postmaster@krnap.cz (e.g. without the comma) or forward(postmaster@krnap.cz) or maybe forward "postmaster@krnap.cz". I tried to enclose the email address in (double) quotes - no success either. I'm running out of ideas Z. > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Hirsh, Joshua > Sent: Wednesday, September 03, 2003 5:24 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Spam Action "Forward" doesn't work > > > I haven't run into any issues with forward as an action. Perhaps the only > difference for me is that I still deliver the spam, but forward it to > another address as well. > > MS 4.23-11 and Postfix 2.0.13. > > > Cheers, > > -- > Joshua Hirsh > Systems Administration > Partner Solutions/ING Canada > 455, avenue Saint-Joseph > Saint-Hyacinthe, Quebec J2S 8K8 > (450) 778-9580 ext. 3798 > joshua.hirsh@partnersolutions.ca From danieltan at shopnsave.com.sg Thu Sep 4 06:40:15 2003 
From: danieltan at shopnsave.com.sg (Daniel Tan) Date: Thu Jan 12 21:19:46 2006 Subject: Small typo in f-prot-autoupdate References: <5.2.0.9.2.20030903095336.03f582b8@imap.ecs.soton.ac.uk> Message-ID: <015b01c372a7$04caa480$3900a8c0@Daniel> I thought the f-prot autoupdate script comes with f-prot software by itself? check-updates.pl??? Julian, have you solved the mcp error yet? am using SA 2.55 and only PerMsgStatus.pm don't work either by using patch or by manually entering it by hand. Daniel ----- Original Message ----- From: "Julian Field" To: Sent: Wednesday, September 03, 2003 4:53 PM Subject: Re: Small typo in f-prot-autoupdate Thanks for that. Fixed. At 02:27 03/09/2003, you wrote: >Julian there is a small typo in the f-prot-autoupdate script that prevents >logging status to /var/log/maillog. Here's the code segment where I added >the open Syslog line right after alarm 0 ... > > >if ($@) { > if ($@ =~ /timeout/) { > # We timed out! > CleanTempDir(); > &UnlockFProt(); > alarm 0; > } >} else { > alarm 0; > Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail'); ****** > Sys::Syslog::syslog('info', $updated?"F-Prot successfully updated.": > "F-Prot did not need updating."); >} > >-- >Gerry > >"The lyfe so short, the craft so long to learne" Chaucer -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -- This message has been scanned for viruses and dangerous content by Email Virus Scanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Thu Sep 4 09:23:50 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Small typo in f-prot-autoupdate In-Reply-To: <015b01c372a7$04caa480$3900a8c0@Daniel> References: <5.2.0.9.2.20030903095336.03f582b8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904092143.0435d010@imap.ecs.soton.ac.uk> At 06:40 04/09/2003, you wrote: >I thought the f-prot autoupdate script comes with f-prot software by itself? >check-updates.pl??? Their script doesn't do the locking required to ensure that MailScanner doesn't try to start up f-prot while it is half way through updating. If MailScanner tried to use f-prot while the update was actually in progress, there is a chance that it would break and let viruses through. So my script does the same as theirs but with some locking added to do this. >Julian, have you solved the mcp error yet? >am using SA 2.55 and only PerMsgStatus.pm don't work either by using patch >or by manually entering it by hand. Haven't had a chance to get near that yet. MCP isn't ready for mass public consumption anyway so I'm not too bothered. Also, MCP will still scan text and HTML sections of messages without the patch. >Daniel > >----- Original Message ----- 
>From: "Julian Field" >To: >Sent: Wednesday, September 03, 2003 4:53 PM >Subject: Re: Small typo in f-prot-autoupdate > > >Thanks for that. Fixed. > >At 02:27 03/09/2003, you wrote: > >Julian there is a small typo in the f-prot-autoupdate script that prevents > >logging status to /var/log/maillog. Here's the code segment where I added > >the open Syslog line right after alarm 0 ... > > > > > >if ($@) { > > if ($@ =~ /timeout/) { > > # We timed out! > > CleanTempDir(); > > &UnlockFProt(); > > alarm 0; > > } > >} else { > > alarm 0; > > Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail'); ****** > > Sys::Syslog::syslog('info', $updated?"F-Prot successfully updated.": > > "F-Prot did not need updating."); > >} > > > >-- > >Gerry > > > >"The lyfe so short, the craft so long to learne" Chaucer > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >-- >This message has been scanned for viruses and >dangerous content by Email Virus Scanner, and is >believed to be clean. > > >-- >This message has been scanned for viruses and >dangerous content by Email Virus Scanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 09:08:36 2003 
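The locking Julian describes above, sketched as an added example (this is not the f-prot-autoupdate script or MailScanner's own lock code): the updater and the scanner wrapper take the same lock, so a scan never starts against half-replaced signature files. The paths, the sign.def file name and every function name are assumptions made for the illustration, and the lock is a plain mkdir mutex.

```shell
#!/bin/sh
# Added example: keep a virus scanner from starting while its signature
# files are being replaced. All paths and names here are hypothetical.

ROOT=${ROOT:-${TMPDIR:-/tmp}/avlock-demo.$$}
LOCKDIR=$ROOT/scanner-busy.lock
SIGDIR=$ROOT/signatures

# mkdir is atomic, so exactly one caller creates LOCKDIR and owns the lock.
# $1 = number of one-second retries before giving up (0 = try once).
acquire_lock () {
    tries=$1
    while ! mkdir "$LOCKDIR" 2>/dev/null
    do
        [ "$tries" -gt 0 ] || return 1
        tries=$((tries - 1))
        sleep 1
    done
    echo $$ > "$LOCKDIR/pid"    # record the owner for stale-lock triage
}

release_lock () {
    rm -f "$LOCKDIR/pid"
    rmdir "$LOCKDIR"
}

# True when the lock exists but the process that took it has gone.
# Assumes updater and scanner run as the same user, so kill -0 is permitted.
lock_is_stale () {
    owner=$(cat "$LOCKDIR/pid" 2>/dev/null) || return 1
    ! kill -0 "$owner" 2>/dev/null
}

# Updater: stage the new file next to the live one and rename it into place
# while holding the lock, so no scanner run overlaps the swap.
update_signatures () {
    acquire_lock 30 || return 1
    if cp "$1" "$SIGDIR/sign.def.new" &&
       mv "$SIGDIR/sign.def.new" "$SIGDIR/sign.def"
    then rc=0
    else rc=1
    fi
    release_lock
    return $rc
}

# Scanner wrapper: fail closed. If the lock cannot be taken, return a
# temporary-failure status so the caller retries the batch later instead of
# passing mail through unscanned.
scan_with_lock () {
    acquire_lock "$1" || return 75      # EX_TEMPFAIL from sysexits.h
    if cat "$SIGDIR/sign.def"           # stand-in for running the real scanner
    then rc=0
    else rc=1
    fi
    release_lock
    return $rc
}
```

A lock left behind by a crashed updater keeps scan_with_lock returning 75, which is the safe direction; lock_is_stale is there so an operator or cron job can detect that case and clear it.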
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <20030903234227.6b0ee26a.keith@midnighthax.com> References: <8FFC76593085ED4A80D3601BC41EFCDF0C07A4@inex1.herffjones.hj-int> <8FFC76593085ED4A80D3601BC41EFCDF0C07A4@inex1.herffjones.hj-int> Message-ID: <5.2.0.9.2.20030904090731.06503168@imap.ecs.soton.ac.uk> I have just fixed one server which was suffering from this exact problem. It was processing messages, but very slowly. I'm not saying this will work for everyone, but it fixed it for me just now. Make sure your spam.assassin.prefs.conf contains these lines
score RCVD_IN_OSIRUSOFT_COM 0.0
score X_OSIRU_OPEN_RELAY 0.0
score X_OSIRU_DUL 0.0
score X_OSIRU_SPAM_SRC 0.0
score X_OSIRU_SPAMWARE_SITE 0.0
score X_OSIRU_DUL_FH 0.0
Please let us know if that helps. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 09:15:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mailscanner and Warning Messages In-Reply-To: References: Message-ID: <5.2.0.9.2.20030904091333.03fbc888@imap.ecs.soton.ac.uk> At 23:52 03/09/2003, you wrote: > > Am I correct in what I'm seeing? When MailScanner creates the warning > > messages is it dropping the message into mqueue.in? I've been watching > > queues and I was surprised to see them in mqueue.in since I would have > > thought it would drop them in mqueue. If it's placed in mqueue.in > > wouldn't that be more work since mailscanner is scanning that message on > > the next pass? > >That's the way it works yes, pretty safe :) Julian, to avoid wasting >valuable resources would it be possible to make it configurable where to >place them? In the outgoing queue would be better. But on the other hand >I can imagine you don't want to write the message itself but let a local >process handle that. Since queue files differ for each mailer. It should be configurable already. See MailScanner.conf:
# Set how to invoke MTA when sending messages MailScanner has created
# (e.g. to sender/recipient saying "found a virus in your message")
# This can also be the filename of a ruleset.
Sendmail = /usr/lib/sendmail
Now I've never tried it, but I don't see why you shouldn't be able to say
Sendmail = /usr/lib/sendmail -OQueueDirectory=/var/spool/mqueue
but I still prefer to scan messages I just created, in case something nasty happens. I never have seen anything nasty happen here, but that's just because I haven't been imaginative enough to create the scenario :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 09:18:20 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: MailScanner+PostFix In-Reply-To: <20030903235122.346637f5.keith@midnighthax.com> References: <5.2.1.1.2.20030831111641.02730b38@imap.ecs.soton.ac.uk> <3F50C9F9.21E2DBAD@whidbey.com> <5C0296D26910694BB9A9BBFC577E7AB0015A77F7@pascal.priv.bmrb.co.uk> <1062245470.23305.36.camel@bach.kevinspicer.co.uk> <3F50C9F9.21E2DBAD@whidbey.com> <5.2.1.1.2.20030831111641.02730b38@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904091555.06503168@imap.ecs.soton.ac.uk> At 23:51 03/09/2003, you wrote: >On Sun, 31 Aug 2003 11:19:35 +0100 >Julian Field wrote: > > > I would advise you look at Exim instead. Due to the structure of > > Postfix, MailScanner has to do a heck of a lot more i/o than it does > > when working with sendmail or Exim, so it's not very efficient. The > > body of every message has to be copied between queues, as opposed to > > just linked and deleted as it does with sendmail and Exim. > > > > Postfix has a (deservedly) good reputation, it's just that its > > internal design doesn't fit with MailScanner very well. > >Is it fair to say that the duplicate mail problem with Postfix is >unlikely to be resolved in the near future? It's going to take a fair bit of analysis to find what's wrong, and I don't have *any* free time at the moment, my day job (http://www.ecs.soton.ac.uk/~jkf/myjob.html) is really hectic at the moment as we get everything organised for the students' arrival in a few weeks time. Maybe some time in October I might have time. > Don't get me wrong, I'm not >knocking either MS or Postfix, I just want to know! I use Postfix on a >number of installations and I think I'm faced with the choice of: > >a) migrating to, say, exim or >b) putting up with the duplicate mails -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Thu Sep 4 09:49:10 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5.2.0.9.2.20030904090731.06503168@imap.ecs.soton.ac.uk> Message-ID: Hi! > I have just fixed one server which was suffering from this exact problem. > It was processing messages, but very slowly. Hmm... good! =) > I'm not saying this will work for everyone, but it fixed it for me just now. > Make sure your spam.assassin.prefs.conf contains these lines > > score RCVD_IN_OSIRUSOFT_COM 0.0 > score X_OSIRU_OPEN_RELAY 0.0 > score X_OSIRU_DUL 0.0 > score X_OSIRU_SPAM_SRC 0.0 > score X_OSIRU_SPAMWARE_SITE 0.0 > score X_OSIRU_DUL_FH 0.0 Although I am not using SA in my setup currently. But it's good you have seen it happen also on your end. Bye, Raymond. From mailscanner at ecs.soton.ac.uk Thu Sep 4 09:51:28 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: References: <5.2.0.9.2.20030904090731.06503168@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904094612.074fd1a0@imap.ecs.soton.ac.uk> At 09:49 04/09/2003, you wrote: >Hi! > > > I have just fixed one server which was suffering from this exact problem. > > It was processing messages, but very slowly. > >Hmm... good! =) > > > I'm not saying this will work for everyone, but it fixed it for me just > now. > > Make sure your spam.assassin.prefs.conf contains these lines > > > > score RCVD_IN_OSIRUSOFT_COM 0.0 > > score X_OSIRU_OPEN_RELAY 0.0 > > score X_OSIRU_DUL 0.0 > > score X_OSIRU_SPAM_SRC 0.0 > > score X_OSIRU_SPAMWARE_SITE 0.0 > > score X_OSIRU_DUL_FH 0.0 > >Allthough i am not using SA in my setup currently. But its good you have >seen it happen also on your end. But it may well be a completely different problem in your case. The thing is, it appears to have just started affecting people running a) various different versions of MailScanner b) on various different platforms c) it was never a problem before some very recent change in circumstances This really points to it being a problem outside of MailScanner, as otherwise people would have surely noticed it before? The biggest changes in circumstances recently are the arrival of some very virulent worms and the death of osirusoft. If you are 100% sure you aren't ever checking osirusoft, then that leaves the worms. I can't see exactly what they might be causing, but they are putting a lot of stress on many networks, and I imagine that DNS servers as well as mail servers are seeing significantly more load than before, due to all the delivery-time DNS lookups that are done by the MTAs. From what you say, we are talking about at least 2 different problems, yours and the one I have just seen. Maybe there are more than 2? 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From danieltan at shopnsave.com.sg Thu Sep 4 10:10:52 2003 From: danieltan at shopnsave.com.sg (Daniel Tan) Date: Thu Jan 12 21:19:46 2006 Subject: Small typo in f-prot-autoupdate References: <5.2.0.9.2.20030903095336.03f582b8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030904092143.0435d010@imap.ecs.soton.ac.uk> Message-ID: <008401c372c4$70cac800$3900a8c0@Daniel> I'm sorry but how do I get the script? it is not included in the installation? what is the filename? ----- Original Message ----- From: "Julian Field" To: Sent: Thursday, September 04, 2003 4:23 PM Subject: Re: Small typo in f-prot-autoupdate At 06:40 04/09/2003, you wrote: >I thought the f-prot autoupdate script comes with f-prot software by itself? >check-updates.pl??? Their script doesn't do the locking required to ensure that MailScanner doesn't try to start up f-prot while it is half way through updating. If MailScanner tried to use f-prot while the update was actually in progress, there is a chance that it would break and let viruses through. So my script does the same as theirs but with some locking added to do this. >Julian, have you solved the mcp error yet? >am using SA 2.55 and only PerMsgStatus.pm don't work either by using patch >or by manually entering it by hand. Haven't had a chance to get near that yet. MCP isn't ready for mass public consumption anyway so I'm not too bothered. Also, MCP will still scan text and HTML sections of messages without the patch. >Daniel > >----- Original Message ----- 
>From: "Julian Field" >To: >Sent: Wednesday, September 03, 2003 4:53 PM >Subject: Re: Small typo in f-prot-autoupdate > > >Thanks for that. Fixed. > >At 02:27 03/09/2003, you wrote: > >Julian there is a small typo in the f-prot-autoupdate script that prevents > >logging status to /var/log/maillog. Here's the code segment where I added > >the open Syslog line right after alarm 0 ... > > > > > >if ($@) { > > if ($@ =~ /timeout/) { > > # We timed out! > > CleanTempDir(); > > &UnlockFProt(); > > alarm 0; > > } > >} else { > > alarm 0; > > Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail'); ****** > > Sys::Syslog::syslog('info', $updated?"F-Prot successfully updated.": > > "F-Prot did not need updating."); > >} > > > >-- > >Gerry > > > >"The lyfe so short, the craft so long to learne" Chaucer > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >-- >This message has been scanned for viruses and >dangerous content by Email Virus Scanner, and is >believed to be clean. > > >-- >This message has been scanned for viruses and >dangerous content by Email Virus Scanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -- This message has been scanned for viruses and dangerous content by Email Virus Scanner, and is believed to be clean. From raymond at PROLOCATION.NET Thu Sep 4 10:17:16 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5.2.0.9.2.20030904094612.074fd1a0@imap.ecs.soton.ac.uk> Message-ID: Hi! > But it may well be a completely different problem in your case. > > The thing is, it appears to have just started affecting people running > a) various different versions of MailScanner > b) on various different platforms > c) it was never a problem before some very recent change in circumstances Could be. > This really points to it being a problem outside of MailScanner, as > otherwise people would have surely noticed it before? The biggest changes > in circumstances recently are the arrival of some very virulent worms and > the death of osirusoft. If you are 100% sure you aren't ever checking I personally have a feeling it's the format of some messages, perhaps some messages that are causing delays due to the way they are built? TNEF stuff etc. etc. I can imagine a lot of things in that direction. Even if I disable RBL and not run SA at all it seems to happen. I have it also on a server (new one) where SA isn't even installed. Or perhaps a virus, but still ... > From what you say, we are talking about at least 2 different problems, > yours and the one I have just seen. Maybe there are more than 2? Could be, but it's a pain to live with. =) Bye, Raymond. From mailscanner at ecs.soton.ac.uk Thu Sep 4 10:18:59 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: References: <5.2.0.9.2.20030904094612.074fd1a0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904101820.075085e8@imap.ecs.soton.ac.uk> Without login access to somebody's machine which is *reliably* suffering from this problem, I'm a bit stuck. At 10:17 04/09/2003, you wrote: >Hi! > > > But it may well be a completely different problem in your case. > > > > The thing is, it appears to have just started affecting people running > > a) various different versions of MailScanner > > b) on various different platforms > > c) it was never a problem before some very recent change in circumstances > >Could be. > > > This really points to it being a problem outside of MailScanner, as > > otherwise people would have surely noticed it before? The biggest changes > > in circumstances recently are the arrival of some very virulent worms and > > the death of osirusoft. If you are 100% sure you aren't ever checking > >I personally have a feeling its the format of some messages, perhaps some >messages that are causing delays due to the way they are builded ? TNEF >stuff ect ect. I can imagine a lot of things that direction. Even if i >disable RBL and not run SA at all it seems to happen. I have it also on a >server (new one) where SA isnt even installed. > >Or perhaps a virus, but still ... > > > From what you say, we are talking about at least 2 different problems, > > yours and the one I have just seen. Maybe there are more than 2? > >Could be, but its a pain to live with. =) > >Bye, >Raymond. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Thu Sep 4 10:26:44 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5.2.0.9.2.20030904101820.075085e8@imap.ecs.soton.ac.uk> Message-ID: Hi! > Without login access to somebody's machine which is *reliably* suffering > from this problem, I'm a bit stuck. If it was happening _right now_ I would -love- to give a login, but it isn't. One of the other people who is suffering from this wanting to give Julian a login for looking into this? Bye, Raymond. From mailscanner at ecs.soton.ac.uk Thu Sep 4 10:26:01 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: References: <5.2.0.9.2.20030904101820.075085e8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904102320.0756b728@imap.ecs.soton.ac.uk> One of the things you could do to track it is this: In /usr/sbin/MailScanner, look for the "sub WorkForHours" and scatter print STDERR "Got to point 1\n"; statements through it (obviously changing the number). Then set "Debug = yes" and you should see this output. If it is pausing horribly at some particular stage of processing a batch, then this should show it up. Leave all the spam checks disabled if you can, these take quite a long time anyway. And check your /etc/sysconfig/i18n has no mention of "utf8" in it. That's important. At 10:26 04/09/2003, you wrote: >Hi! > > > Without login access to somebody's machine which is *reliably* suffering > > from this problem, I'm a bit stuck. > >If it was happening _right now_ I would -love- to give a login, but it >isn't. > >One of the other people who is suffering from this wanting to give Julian >a login for looking into this? > >Bye, >Raymond. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 11:44:59 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: MailScanner+PostFix ---- try this In-Reply-To: <5.2.0.9.2.20030904091555.06503168@imap.ecs.soton.ac.uk> References: <20030903235122.346637f5.keith@midnighthax.com> <5.2.1.1.2.20030831111641.02730b38@imap.ecs.soton.ac.uk> <3F50C9F9.21E2DBAD@whidbey.com> <5C0296D26910694BB9A9BBFC577E7AB0015A77F7@pascal.priv.bmrb.co.uk> <1062245470.23305.36.camel@bach.kevinspicer.co.uk> <3F50C9F9.21E2DBAD@whidbey.com> <5.2.1.1.2.20030831111641.02730b38@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904114353.076b6a38@imap.ecs.soton.ac.uk> Here's a patch to Postfix.pm. I know it's not exactly a neat solution to the problem, but if it fixes it I will know I have found the problem. --- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 +++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 
@@ -1132,6 +1132,9 @@ #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; while(defined($file = shift @SortedFiles) && $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { + # Yes I know this is a hack but it will help isolate the problem + next if $ModDate{$file} > time-3; + # must separate next two lines or $1 gets re-tainted by being part of # same expression as $file [mumble mumble grrr mumble mumble] #print STDERR "Reading file $file from list\n"; At 09:18 04/09/2003, you wrote: >At 23:51 03/09/2003, you wrote: >>On Sun, 31 Aug 2003 11:19:35 +0100 >>Julian Field wrote: >> >> > I would advise you look at Exim instead. Due to the structure of >> > Postfix, MailScanner has to do a heck of a lot more i/o than it does >> > when working with sendmail or Exim, so it's not very efficient. The >> > body of every message has to be copied between queues, as opposed to >> > just linked and deleted as it does with sendmail and Exim. >> > >> > Postfix has a (deservedly) good reputation, it's just that its >> > internal design doesn't fit with MailScanner very well. >> >>Is it fair to say that the duplicate mail problem with Postfix is >>unlikely to be resolved in the near future? > >It's going to take a fair bit of analysis to find what's wrong, and I don't >have *any* free time at the moment, my day job >(http://www.ecs.soton.ac.uk/~jkf/myjob.html) is really hectic at the moment >as we get everything organised for the students' arrival in a few weeks time. > >Maybe some time in October I might have time. > >> Don't get me wrong, I'm not >>knocking either MS or Postfix, I just want to know! 
I use Postfix on a >>number of installations and I think I'm faced with the choice of: >> >>a) migrating to, say, exim or >>b) putting up with the duplicate mails > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dot at DOTAT.AT Thu Sep 4 13:22:17 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:46 2006 Subject: Feature Wish, IP Pool Warning In-Reply-To: Message-ID: Matt wrote: >Sobig.x lies about its from email address so I have it setup as silent. But >what I would like is if it email me a warning to the postmaster account ONLY >if the source IP is in one the IP pools I own. This way I can look in my >PPP logs, see who had that IP at that time and drop them an email or call. Look at the "Send Notices" option in MailScanner.conf. It can be a ruleset, which can match on the IP address of the sending host. (I don't know if it works for silent viruses...) Tony. -- f.a.n.finch http://dotat.at/ DOVER WIGHT: EAST VEERING SOUTHEAST 3 OR 4. FAIR. GOOD.. From dot at DOTAT.AT Thu Sep 4 13:25:07 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:46 2006 Subject: MailScanner feature request In-Reply-To: Message-ID: "Rose, Bobby" wrote: >Is it possible to have MailScanner note the Sender IP in the logs for a >message that it finds a virus on. That'll make it easier to pull out >the people that are pounding the heck out of MailScanner so that the can >just just be blocked entirely. Try this patch which I posted recently, and add to MailScanner.conf Log Infected IP Addresses = yes --- SweepViruses.pm 4 Jul 2003 19:13:31 -0000 1.10 +++ SweepViruses.pm 26 Aug 2003 10:03:53 -0000 1.11 
@@ -508,6 +508,9 @@ next unless $text; $message->{virusreports}{"$attachment"} .= $text; } + MailScanner::Log::InfoLog("Infected message %s came from %s", + $id, $message->{clientip}) + if MailScanner::Config::Value('logipaddrs'); } # And then all the report types... --- ConfigDefs.pl 25 Jul 2003 10:09:00 -0000 1.13 +++ ConfigDefs.pl 26 Aug 2003 10:03:53 -0000 1.14 @@ -88,6 +88,7 @@ logfacility = syslogfacility logformtags = loghtmlformtags logobjecttags = logobjectcodebasetags +logipaddrs = loginfectedipaddresses maxdirtybytes = maxunsafebytesperscan maxdirtymessages = maxunsafemessagesperscan maxmessagesize = maximummessagesize @@ -145,6 +146,7 @@ logspam 1 no 0 yes 1 lognonspam 0 no 0 yes 1 logmessageids 0 no 0 yes 1 +logipaddrs 0 no 0 yes 1 expandtnef 1 no 0 yes 1 showscanner 0 no 0 yes 1 spamassassinautowhitelist 1 no 0 yes 1 Tony. -- f.a.n.finch http://dotat.at/ LUNDY: EASTERLY VEERING SOUTHERLY 3 OR 4. FAIR. GOOD. From dot at DOTAT.AT Thu Sep 4 13:33:03 2003 
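Review bot: In the Postfix.pm hunk posted earlier (@@ -1132,6 +1132,9 @@), the added test "next if $ModDate{$file} > time-3;" hard-codes a 3-second settle window and relies on the file's modification time and the scanner's clock agreeing. A queue file whose mtime is ahead of the local clock is skipped on every pass, and a writer that takes longer than 3 seconds is still picked up mid-write. Suggest naming the window as a constant or configuration value and logging each skip, so the hack can confirm or rule out the race without silently delaying mail.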
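Review bot: The InfoLog call added in the SweepViruses.pm hunk (@@ -508,6 +508,9 @@) writes $message->{clientip} without checking that it is set, so a message with no recorded client address would produce a log line with an empty "came from" field. Suggest skipping the line or logging an explicit placeholder in that case, so that anything parsing the log for block lists does not have to guess.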
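Review bot: The two ConfigDefs.pl hunks register "logipaddrs" under the external name "loginfectedipaddresses" with a default of 0, but the patch carries no MailScanner.conf entry or comment for the new option, which is documented only in the covering e-mail. Suggest adding a commented "Log Infected IP Addresses = no" stanza to the shipped configuration in the same change.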
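One way to turn the log line from the patch above into the per-address report Bobby Rose asked for, as an added example (not part of MailScanner or of Tony Finch's patch): the message text follows the patch's format string "Infected message %s came from %s" and the syslog prefix follows the MailScanner log line quoted earlier in this archive. The sample log lines, message ids, addresses and function names are constructed.

```shell
#!/bin/sh
# Added example: count infected messages per sending address from syslog.

# Constructed sample log; the addresses are from the documentation ranges.
sample_log () {
    cat <<'EOF'
Sep  4 13:40:01 ns MailScanner[18921]: Infected message h84CeAIb019316 came from 192.0.2.15
Sep  4 13:40:01 ns MailScanner[18921]: Infected message h84CeBIb019320 came from 192.0.2.15
Sep  4 13:41:17 ns MailScanner[18921]: Infected message h84CfCIb019351 came from 198.51.100.7
Sep  4 13:41:17 ns MailScanner[18921]: Infected message h84CeBIb019320 came from 192.0.2.15
Sep  4 13:42:30 ns MailScanner[18923]: Infected message h84CgDIb019377 came from 192.0.2.15
Sep  4 13:42:31 ns MailScanner[18923]: Spam Actions: message h84CgEIb019380 actions are store
Sep  4 13:44:10 ns MailScanner[18921]: Infected message h84CiFIb019402 came from unknown
Sep  4 13:45:02 ns MailScanner[18923]: Infected message h84CjGIb019415 came from 198.51.100.7
Sep  4 13:46:48 ns MailScanner[18921]: Infected message h84CkHIb019430 came from 203.0.113.9
EOF
}

# $1 = log file, $2 = minimum number of infected messages to report.
# Prints "count address" lines, busiest sender first.
infected_senders () {
    awk -v min="$2" '
        / MailScanner\[[0-9]+\]: Infected message [^ ]+ came from / {
            id = $(NF - 3); ip = $NF
            # Skip a missing or malformed address rather than let log
            # content flow unchecked into a block list.
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            # Count each message once, even if it is logged again.
            if (seen[id SUBSEP ip]++) next
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}
```

The threshold argument keeps a single infected message from one address out of the report, so only repeat senders are candidates for blocking.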
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:46 2006
Subject: virus update scripts.
In-Reply-To:
Message-ID:

Bob Jones wrote:
>Hey all, a couple things here. First is with the mcafee-autoupdate
>script in the latest release. What is this extra.dat file it tries to
>download and complains about when it's not there?

Sorry that was a cockup on my part -- some experimental code for getting
emergency dat files between a virus outbreak and a full dat file update
escaped. My current version of the script is below.

Tony.
--
f.a.n.finch http://dotat.at/
BISCAY: EASTERLY BECOMING CYCLONIC THEN WESTERLY 3 OR 4. THUNDERY SHOWERS.
MODERATE OR GOOD.

#!/bin/sh -e
#
# Update the McAfee data files.
#
# $Cambridge: hermes/build/bin/uvscan-update,v 1.38 2003/09/04 12:27:27 fanf2 Exp $

# $PREFIX is the directory where the uvscan binary is (NOT a symlink to
# the binary), which is where it looks for its dat files. You may run
# uvscan via a symlink to this place (e.g. from /usr/local/bin/uvscan)
# and it will still look for the dat files here. If uvscan's library
# dependencies can be found in a standard place (e.g. /usr/local/lib)
# then you don't need a wrapper script to set LD_LIBRARY_PATH before
# running it.
#
# The dat files are installed in a subdirectory of $DATDIR named
# according to their version number, with symlinks from $PREFIX into
# the subdirectory via a current link. The current link is updated
# without locking on the assumption that this is sufficiently unlikely
# to cause a problem.

# defaults
OPTS=""
PREFIX=/opt/uvscan
FTPDIR=http://download.nai.com/products/datfiles/4.x/nai/

# handle the command line
usage () {
        echo "usage: $0 [-dfrtv] [prefix]"
        echo " -d delete old files"
        echo " -f force update"
        echo " -r show README"
        echo " -t timestamp output"
        echo " -v verbose"
        echo " prefix uvscan installation directory"
        exit 1
}
case $# in
0|1|2)  : ok
        ;;
*)      usage
        ;;
esac
for arg in "$@"
do
        case $arg in
        -*)     OPTS=$arg
                ;;
        /*)     PREFIX=$arg
                ;;
        *)      usage
                ;;
        esac
done
case $OPTS in
*[!-dfrtv]*)
        usage
esac
option () {
        case $OPTS in
        -*$1*)  eval $2=yes
                ;;
        *)      eval $2=no
                ;;
        esac
}
option d DELETE
option f FORCE
option r README
option t TIME
option v VERBOSE
case $FORCE in
yes)    VERBOSE=yes
esac

# set up paths
PATH=$PREFIX:/usr/local/bin:/usr/bin:/bin
export PATH
DATDIR=$PREFIX/datfiles
SUBDIR=datfiles/current
LINK=$PREFIX/$SUBDIR

# wrapper functions for echo etc.
timestamp () {
        case $TIME in
        yes)    date "+%Y-%m-%d %H:%M:%S "
        esac
}
say () {
        case $VERBOSE in
        yes)    echo "`timestamp`$*"
        esac
}
run () {
        say "> $*"
        "$@"
}
say Starting $0
say DELETE=$DELETE
say FORCE=$FORCE
say README=$README
say TIME=$TIME
say VERBOSE=$VERBOSE
say PREFIX=$PREFIX

if [ ! -h $LINK ]
then
        INIT=yes
        VERBOSE=yes
        say Initial setup of $0
        run mkdir -p $DATDIR
fi
run cd $DATDIR

# version number pattern
MATCH="[0-9][0-9][0-9][0-9]"

# work out latest dat version
CMD="wget --passive-ftp $FTPDIR/update.ini 2>update.err"
say "> $CMD"
if eval "$CMD"
then
        VERSION=`cat update.ini | sed "/^DATVersion=\($MATCH\).$/!d;s//\1/;q"`
else
        cat update.err
        VERSION=UNKNOWN
fi
run rm -f update.*

badversion () {
        VERBOSE=yes
        say "Failed to get McAfee datfile update from $FTPDIR"
        say "FTP version number \"$VERSION\" $*"
        run exit 1
}

# check the format of the version number
case $VERSION in
$MATCH) : ok
        ;;
*)      badversion does not match "$MATCH"
        ;;
esac

# already got it?
if [ -d $VERSION ]
then
        case $FORCE in
        yes)    say Forced removal of $VERSION
                run rm -rf $VERSION
                ;;
        *)      say Already have $VERSION
                run exit 0
                ;;
        esac
fi

# work out installed dat version
PREVIOUS=`(ls -d $MATCH 2>/dev/null || echo 0000) | tail -1`

# check new version is actually newer
if [ $PREVIOUS -gt $VERSION ]
then
        badversion older than installed $PREVIOUS
fi

VERBOSE=yes

say Installed dat file is $PREVIOUS
say Latest dat file is $VERSION

# protect against failure
fail () {
        trap EXIT
        echo "$OUT"
        say Fetch or test failed -- removing bad McAfee data files
        run cd $DATDIR
        run rm -rf $VERSION
        run exit 1
}
trap fail EXIT

# fetch and extract dat files
TARFILE=dat-$VERSION.tar
run mkdir $VERSION
run cd $VERSION
run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE
run tar xvf $TARFILE

# verify the contents
CMD="uvscan --version --dat ."
say "> $CMD"
OUT=`$CMD 2>&1`
case "$OUT" in
*"Missing or invalid DAT"* | \
*"Data file not found"* | \
*"Removal datafile clean.dat not found"* | \
*"Unable to remove viruses"* )
        fail
esac

# protection not needed now
trap '' EXIT

echo "$OUT"
say Update OK

# show information on this update?
case $README in
yes)    run sed 's/[[:cntrl:]]//g
                1,/^====================/d
                /^====================/,/^NEW VIRUSES DETECTED/d
                /^UNDERSTANDING VIRUS NAMES/,$d
                s/^/# /;/@MM/s/$/ <--/' readme.txt
esac

# remove some crap
run rm -f *.diz *.exe *.ini *.lst *.tar *.txt

# do remaining part of initial setup
case $INIT in
yes)    for file in *.dat
        do
                run rm -f $PREFIX/$file
                run ln -s $SUBDIR/$file $PREFIX/$file
        done
esac

# update the current version link
run rm -f $LINK
run ln -s $VERSION $LINK

# maybe delete old dat files
case $DELETE in
yes)    run cd $DATDIR
        run rm -rf $PREVIOUS
esac

say Completed OK
run exit 0

# done

From Janssen at RZ.UNI-FRANKFURT.DE Thu Sep 4 14:31:16 2003
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
References:
Message-ID:

On Wed, 3 Sep 2003, Raymond Dijkxhoorn wrote:

> Clear, most likely hard to find anyway.... there are several people with
> this problem, i guess you could have a look on one of the boxes :)

Hello Raymond,

you've already sent us the output of ps during a bad-performance event.
This ps-output has stated somewhat clearly that you are suffering more
or less severe disk IO problems:

from 108 processes were 23 in "D" state. In case these processes are
longer than a moment in "D" state this is (one part of) your problem.

In case these processes are just for short moment in "D" state, you've
got much too much of them anyway. I don't know how to debug/improve your
disk situation, but this seems to me of more need, than to debug MS ;-)

Is all this "MS performs badly" just a Sobig-F story? Take 20% more
Mails (and double Bytes) and the server went slow.

Michael

From raymond at PROLOCATION.NET Thu Sep 4 14:37:27 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
Message-ID:

Hi!

> you've already sent us the output of ps during a bad-performance event.
> This ps-output has stated somewhat clearly that you are suffering more
> or less severe disk IO problems:
>
> from 108 processes were 23 in "D" state. In case these processes are
> longer than a moment in "D" state this is (one part of) your problem.

Yes. But mainly caused by the 'loop'. The same amount of mails on the
other box don't have this problem. I surely want to take for granted it's
IO, but I really wonder why it's not on the other box also, taking the
exact same amount of mails and bytes. They are load balanced behind an
Alteon...

We also do log parsing, and when this is happening we also see MS scanning
more mails than come in (number of bytes) so MS is scanning some batches
over and over. Or perhaps I am missing something, but normally that
amount should be pretty equal.

> In case these processes are just for short moment in "D" state, you've
> got much too much of them anyway. I don't know how to debug/improve your
> disk situation, but this seems to me of more need, than to debug MS ;-)

Could be, but I still think it's not only io related. Sure, io shows up bad
when this is happening, but perhaps this is only the result, not the
cause. And yes, when it's going on it's like a snowball.

> Is all this "MS performs badly" just a Sobig-F story? Take 20% more
> Mails (and double Bytes) and the server went slow.

We block Sobig on the MTA already, so no, it's not Sobig, we reject
subjects...

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Thu Sep 4 14:45:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: virus update scripts. In-Reply-To: References: Message-ID: <5.2.0.9.2.20030904144523.07700098@imap.ecs.soton.ac.uk> When I ran your new version, I get this: > uvscan --version --dat . uvscan: error while loading shared libraries: liblnxfv.so.4: cannot open shared object file: No such file or directory Fetch or test failed -- removing bad McAfee data files At 13:33 04/09/2003, you wrote: >Bob Jones wrote: > >Hey all, a couple things here. First is with the mcafee-autoupdate > >script in the latest release. What is this extra.dat file it tries to > >download and complains about when it's not there? > >Sorry that was a cockup on my part -- some experimental code for getting >emergency dat files between a virus outbreak and a full dat file update >escaped. My current version of the script is below. > >Tony. >-- >f.a.n.finch http://dotat.at/ >BISCAY: EASTERLY BECOMING CYCLONIC THEN WESTERLY 3 OR 4. THUNDERY SHOWERS. >MODERATE OR GOOD. > > > >#!/bin/sh -e ># ># Update the McAfee data files. ># ># $Cambridge: hermes/build/bin/uvscan-update,v 1.38 2003/09/04 12:27:27 >fanf2 Exp $ > ># $PREFIX is the directory where the uvscan binary is (NOT a symlink to ># the binary), which is where it looks for its dat files. You may run ># uvscan via a symlink to this place (e.g. from /usr/local/bin/uvscan) ># and it will still look for the dat files here. If uvscan's library ># dependencies can be found in a standard place (e.g. /usr/local/lib) ># then you don't need a wrapper script to set LD_LIBRARY_PATH before ># running it. ># ># The dat files are installed in a subdirectory of $DATDIR named ># according to their version number, with symlinks from $PREFIX into ># the subdirectory via a current link. The current link is updated ># without locking on the assumption that this is sufficiently unlikely ># to cause a problem. 
> ># defaults >OPTS="" >PREFIX=/opt/uvscan >FTPDIR=http://download.nai.com/products/datfiles/4.x/nai/ > ># handle the command line >usage () { > echo "usage: $0 [-dfrtv] [prefix]" > echo " -d delete old files" > echo " -f force update" > echo " -r show README" > echo " -t timestamp output" > echo " -v verbose" > echo " prefix uvscan installation directory" > exit 1 >} >case $# in >0|1|2) : ok > ;; >*) usage > ;; >esac >for arg in "$@" >do > case $arg in > -*) OPTS=$arg > ;; > /*) PREFIX=$arg > ;; > *) usage > ;; > esac >done >case $OPTS in >*[!-dfrtv]*) > usage >esac >option () { > case $OPTS in > -*$1*) eval $2=yes > ;; > *) eval $2=no > ;; > esac >} >option d DELETE >option f FORCE >option r README >option t TIME >option v VERBOSE >case $FORCE in >yes) VERBOSE=yes >esac > ># set up paths >PATH=$PREFIX:/usr/local/bin:/usr/bin:/bin >export PATH >DATDIR=$PREFIX/datfiles >SUBDIR=datfiles/current >LINK=$PREFIX/$SUBDIR > ># wrapper functions for echo etc. >timestamp () { > case $TIME in > yes) date "+%Y-%m-%d %H:%M:%S " > esac >} >say () { > case $VERBOSE in > yes) echo "`timestamp`$*" > esac >} >run () { > say "> $*" > "$@" >} >say Starting $0 >say DELETE=$DELETE >say FORCE=$FORCE >say README=$README >say TIME=$TIME >say VERBOSE=$VERBOSE >say PREFIX=$PREFIX > >if [ ! 
-h $LINK ] >then > INIT=yes > VERBOSE=yes > say Initial setup of $0 > run mkdir -p $DATDIR >fi >run cd $DATDIR > ># version number pattern >MATCH="[0-9][0-9][0-9][0-9]" > ># work out latest dat version >CMD="wget --passive-ftp $FTPDIR/update.ini 2>update.err" >say "> $CMD" >if eval "$CMD" >then > VERSION=`cat update.ini | sed > "/^DATVersion=\($MATCH\).$/!d;s//\1/;q"` >else > cat update.err > VERSION=UNKNOWN >fi >run rm -f update.* > >badversion () { > VERBOSE=yes > say "Failed to get McAfee datfile update from $FTPDIR" > say "FTP version number \"$VERSION\" $*" > run exit 1 >} > ># check the format of the version number >case $VERSION in >$MATCH) : ok > ;; >*) badversion does not match "$MATCH" > ;; >esac > ># already got it? >if [ -d $VERSION ] >then > case $FORCE in > yes) say Forced removal of $VERSION > run rm -rf $VERSION > ;; > *) say Already have $VERSION > run exit 0 > ;; > esac >fi > ># work out installed dat version >PREVIOUS=`(ls -d $MATCH 2>/dev/null || echo 0000) | tail -1` > ># check new version is actually newer >if [ $PREVIOUS -gt $VERSION ] >then > badversion older than installed $PREVIOUS >fi > >VERBOSE=yes > >say Installed dat file is $PREVIOUS >say Latest dat file is $VERSION > ># protect against failure >fail () { > trap EXIT > echo "$OUT" > say Fetch or test failed -- removing bad McAfee data files > run cd $DATDIR > run rm -rf $VERSION > run exit 1 >} >trap fail EXIT > ># fetch and extract dat files >TARFILE=dat-$VERSION.tar >run mkdir $VERSION >run cd $VERSION >run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE >run tar xvf $TARFILE > ># verify the contents >CMD="uvscan --version --dat ." >say "> $CMD" >OUT=`$CMD 2>&1` >case "$OUT" in >*"Missing or invalid DAT"* | \ >*"Data file not found"* | \ >*"Removal datafile clean.dat not found"* | \ >*"Unable to remove viruses"* ) > fail >esac > ># protection not needed now >trap '' EXIT > >echo "$OUT" >say Update OK > ># show information on this update? 
>case $README in >yes) run sed 's/[[:cntrl:]]//g > 1,/^====================/d > /^====================/,/^NEW VIRUSES DETECTED/d > /^UNDERSTANDING VIRUS NAMES/,$d > s/^/# /;/@MM/s/$/ <--/' readme.txt >esac ># remove some crap >run rm -f *.diz *.exe *.ini *.lst *.tar *.txt > ># do remaining part of initial setup >case $INIT in >yes) for file in *.dat > do > run rm -f $PREFIX/$file > run ln -s $SUBDIR/$file $PREFIX/$file > done >esac > ># update the current version link >run rm -f $LINK >run ln -s $VERSION $LINK > ># maybe delete old dat files >case $DELETE in >yes) run cd $DATDIR > run rm -rf $PREVIOUS >esac > >say Completed OK >run exit 0 > ># done -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 14:40:39 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: MailScanner feature request In-Reply-To: References: Message-ID: <5.2.0.9.2.20030904144025.075d8980@imap.ecs.soton.ac.uk> If that does just what you are looking for, I'll add it into the main code. At 13:25 04/09/2003, you wrote: >"Rose, Bobby" wrote: > >Is it possible to have MailScanner note the Sender IP in the logs for a > >message that it finds a virus on. That'll make it easier to pull out > >the people that are pounding the heck out of MailScanner so that the can > >just just be blocked entirely. > >Try this patch which I posted recently, and add to MailScanner.conf > Log Infected IP Addresses = yes > >--- SweepViruses.pm 4 Jul 2003 19:13:31 -0000 1.10 >+++ SweepViruses.pm 26 Aug 2003 10:03:53 -0000 1.11 
>@@ -508,6 +508,9 @@ > next unless $text; > $message->{virusreports}{"$attachment"} .= $text; > } >+ MailScanner::Log::InfoLog("Infected message %s came from %s", >+ $id, $message->{clientip}) >+ if MailScanner::Config::Value('logipaddrs'); > } > > # And then all the report types... >--- ConfigDefs.pl 25 Jul 2003 10:09:00 -0000 1.13 >+++ ConfigDefs.pl 26 Aug 2003 10:03:53 -0000 1.14 >@@ -88,6 +88,7 @@ > logfacility = syslogfacility > logformtags = loghtmlformtags > logobjecttags = logobjectcodebasetags >+logipaddrs = loginfectedipaddresses > maxdirtybytes = maxunsafebytesperscan > maxdirtymessages = maxunsafemessagesperscan > maxmessagesize = maximummessagesize >@@ -145,6 +146,7 @@ > logspam 1 no 0 yes 1 > lognonspam 0 no 0 yes 1 > logmessageids 0 no 0 yes 1 >+logipaddrs 0 no 0 yes 1 > expandtnef 1 no 0 yes 1 > showscanner 0 no 0 yes 1 > spamassassinautowhitelist 1 no 0 yes 1 > > >Tony. >-- >f.a.n.finch http://dotat.at/ >LUNDY: EASTERLY VEERING SOUTHERLY 3 OR 4. FAIR. GOOD. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 14:54:39 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk>

At 14:37 04/09/2003, you wrote:
>Hi!
>
> > you've already sent us the output of ps during a bad-performance event.
> > This ps-output has stated somewhat clearly that you are suffering more
> > or less severe disk IO problems:
> >
> > from 108 processes were 23 in "D" state. In case these processes are
> > longer than a moment in "D" state this is (one part of) your problem.
>
>Yes. But mainly caused by the 'loop'. The same amount of mails on the
>other box don't have this problem. I surely want to take for granted it's
>IO, but I really wonder why it's not on the other box also, taking the
>exact same amount of mails and bytes. They are load balanced behind an
>Alteon...
>
>We also do log parsing, and when this is happening we also see MS scanning
>more mails than come in (number of bytes) so MS is scanning some batches
>over and over. Or perhaps I am missing something, but normally that
>amount should be pretty equal.

Note the PIDs of the mailscanner processes and see if they keep changing.
You should have "Max Children+1" processes that keep the same PID for long
periods of time. If they keep changing, then you've got something that is
crashing MS. But that would also keep producing "Starting" messages.

What virus scanner are you using? Sophossavi by any chance?

> > In case these processes are just for short moment in "D" state, you've
> > got much too much of them anyway. I don't know how to debug/improve your
> > disk situation, but this seems to me of more need, than to debug MS ;-)
>
>Could be, but I still think it's not only io related. Sure, io shows up bad
>when this is happening, but perhaps this is only the result, not the
>cause. And yes, when it's going on it's like a snowball.
>
> > Is all this "MS performs badly" just a Sobig-F story? Take 20% more
> > Mails (and double Bytes) and the server went slow.
>
>We block Sobig on the MTA already, so no, it's not Sobig, we reject
>subjects...
>
>Bye,
>Raymond.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From David.While at UCE.AC.UK Thu Sep 4 15:03:33 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:46 2006
Subject: MailScanner feature request
Message-ID: <107DE25EC0216C45AEF670016024245F6F1B@exchangea.staff.uce.ac.uk>

Certainly does - I'm just testing out a new version of mailstats which
makes use of this to add the sending IP address to the access table.
Once I'm happy I'll release it so that you can protect against the
Sobig.F onslaught!

I think the initial release will simply use the same system as spam
emails although in future release I will add separate configuration so
that the message in the access file is different for viruses as well as
allowing different times for the IP to stay blocked.
-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------



-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 04 September 2003 14:41 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner feature request If that does just what you are looking for, I'll add it into the main code. At 13:25 04/09/2003, you wrote: >"Rose, Bobby" wrote: > >Is it possible to have MailScanner note the Sender IP in the logs for a > >message that it finds a virus on. That'll make it easier to pull out > >the people that are pounding the heck out of MailScanner so that the can > >just just be blocked entirely. > >Try this patch which I posted recently, and add to MailScanner.conf > Log Infected IP Addresses = yes > >--- SweepViruses.pm 4 Jul 2003 19:13:31 -0000 1.10 >+++ SweepViruses.pm 26 Aug 2003 10:03:53 -0000 1.11 >@@ -508,6 +508,9 @@ > next unless $text; > $message->{virusreports}{"$attachment"} .= $text; > } >+ MailScanner::Log::InfoLog("Infected message %s came from %s", >+ $id, $message->{clientip}) >+ if MailScanner::Config::Value('logipaddrs'); > } > > # And then all the report types... >--- ConfigDefs.pl 25 Jul 2003 10:09:00 -0000 1.13 >+++ ConfigDefs.pl 26 Aug 2003 10:03:53 -0000 1.14 >@@ -88,6 +88,7 @@ > logfacility = syslogfacility > logformtags = loghtmlformtags > logobjecttags = logobjectcodebasetags >+logipaddrs = loginfectedipaddresses > maxdirtybytes = maxunsafebytesperscan > maxdirtymessages = maxunsafemessagesperscan > maxmessagesize = maximummessagesize >@@ -145,6 +146,7 @@ > logspam 1 no 0 yes 1 > lognonspam 0 no 0 yes 1 > logmessageids 0 no 0 yes 1 >+logipaddrs 0 no 0 yes 1 > expandtnef 1 no 0 yes 1 > showscanner 0 no 0 yes 1 > spamassassinautowhitelist 1 no 0 yes 1 > > >Tony. >-- >f.a.n.finch http://dotat.at/ >LUNDY: EASTERLY VEERING SOUTHERLY 3 OR 4. FAIR. GOOD. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Thu Sep 4 15:12:27 2003 
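The "Infected message %s came from %s" line introduced by the patch quoted above is what a blocker such as the mailstats update described in this thread would consume. The following is an added example, not code from MailScanner or mailstats: it counts distinct infected messages per client address over constructed sample log lines, ignores blank or malformed addresses and exempt networks, and formats access-map style REJECT entries. The syslog prefix, the threshold, the exempt network and the output format are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Message format taken from the patch's InfoLog call:
#   "Infected message %s came from %s"
# The "MailScanner[pid]:" syslog prefix is an assumption about the log layout.
INFECTED_RE = re.compile(
    r"MailScanner\[\d+\]: Infected message (?P<id>\S+) came from\s*(?P<ip>\S*)\s*$"
)

# Constructed sample input: documentation address ranges and made-up queue IDs.
SAMPLE_LOG = """\
Sep  4 14:02:11 mx1 MailScanner[18921]: Infected message h84D2AIb019316 came from 192.0.2.45
Sep  4 14:02:11 mx1 MailScanner[18921]: Infected message h84D2AIb019316 came from 192.0.2.45
Sep  4 14:02:15 mx1 MailScanner[18921]: Infected message h84D2FIb019320 came from 192.0.2.45
Sep  4 14:03:02 mx1 MailScanner[18925]: Infected message h84D31Ib019333 came from 192.0.2.45
Sep  4 14:03:40 mx1 MailScanner[18925]: Infected message h84D3cIb019340 came from 198.51.100.7
Sep  4 14:04:01 mx1 MailScanner[18921]: Infected message h84D40Ib019351 came from
Sep  4 14:04:09 mx1 MailScanner[18921]: Infected message h84D48Ib019352 came from 10.1.2.3
Sep  4 14:04:10 mx1 MailScanner[18921]: Infected message h84D49Ib019353 came from 10.1.2.3
Sep  4 14:04:11 mx1 MailScanner[18921]: Infected message h84D4AIb019354 came from 10.1.2.3
Sep  4 14:04:30 mx1 MailScanner[18921]: Spam Actions: message h84D4TIb019360 actions are store
""".splitlines()


def parse_infected(lines):
    """Yield (message_id, ip) for each infected-message line with a valid address."""
    for line in lines:
        match = INFECTED_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            # Blank or malformed client address: never turn it into a block rule.
            continue
        yield match.group("id"), ip


def block_candidates(lines, threshold=3, exempt=()):
    """Return [(ip_string, message_count)] for addresses at or above the threshold.

    Messages are counted by distinct ID, because one message carrying several
    infected attachments may be logged more than once.
    """
    exempt_nets = [ipaddress.ip_network(net) for net in exempt]
    messages_by_ip = defaultdict(set)
    for msg_id, ip in parse_infected(lines):
        if any(ip in net for net in exempt_nets):
            continue  # own relays and internal hosts are handled by other means
        messages_by_ip[ip].add(msg_id)
    hits = [(ip, len(ids)) for ip, ids in messages_by_ip.items()
            if len(ids) >= threshold]
    # Busiest senders first; ties broken by numeric address order.
    hits.sort(key=lambda item: (-item[1], item[0].version, int(item[0])))
    return [(str(ip), count) for ip, count in hits]


def access_entries(candidates, action="REJECT"):
    """Format candidates as tab-separated access-map lines (assumed output format)."""
    return [f"{ip}\t{action}" for ip, _count in candidates]


if __name__ == "__main__":
    found = block_candidates(SAMPLE_LOG, threshold=3, exempt=("10.0.0.0/8",))
    for entry in access_entries(found):
        print(entry)
```

The logged address is the connecting client, which may be another site's relay or forwarder rather than the infected machine, so the threshold and exempt list are what keep a single forwarded virus from blocking a legitimate mail server.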
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >We also do log parsing, and when this is happening we also see MS scanning
> >more mails than come in (number of bytes) so MS is scanning some batches
> >over and over. Or perhaps I am missing something, but normally that
> >amount should be pretty equal.
>
> Note the PIDs of the mailscanner processes and see if they keep changing.
> You should have "Max Children+1" processes that keep the same PID for long
> periods of time. If they keep changing, then you've got something that is
> crashing MS. But that would also keep producing "Starting" messages.
>
> What virus scanner are you using? Sophossavi by any chance?

I'll have a look on that if it's happening again. From what I saw it was a
few that remained stable, and a couple kept restarting with a new pid.

I am running with f-prot, and upgraded to the new one last night, perhaps
that helped, we'll see. I'll post as soon as I find something new.

Bye,
Raymond

From dot at DOTAT.AT Thu Sep 4 15:13:52 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:46 2006
Subject: virus update scripts.
In-Reply-To:
References:
Message-ID:

Julian Field wrote:
>
>When I ran your new version, I get this:
> > uvscan --version --dat .
>uvscan: error while loading shared libraries: liblnxfv.so.4: cannot open
>shared object file: No such file or directory
>Fetch or test failed -- removing bad McAfee data files

That's a problem with your McAfee installation -- I assume that the
virus scanner library can be found by ld.so, e.g. via a symlink in
/usr/local/lib or LD_LIBRARY_PATH in your environment or appropriate
ldconfig fu.

Tony.
--
f.a.n.finch http://dotat.at/
CAPE WRATH TO RATTRAY HEAD INCLUDING ORKNEY: SOUTH 3 OR 4, OCCASIONALLY 5.
MAINLY FAIR. MAINLY GOOD. SLIGHT IN THE SOUTHEAST, MODERATE IN THE NORTHWEST.

From rabollinger at COMCAST.NET Thu Sep 4 15:50:54 2003
From: rabollinger at COMCAST.NET (Richard Bollinger)
Date: Thu Jan 12 21:19:46 2006
Subject: MailScanner feature request
References: <5.2.0.9.2.20030904144025.075d8980@imap.ecs.soton.ac.uk>
Message-ID: <01d101c372f3$f1d6a020$8b030180@elliottturbo.com>

Ideally, the same line would include a list of the sins committed by that
email, similar to the nice summary you get from Spam Assassin with
"Log Spam = yes". In fact, it'd be nice to mimic that format as well.
Something along the lines of:

Message h84ETLA12220 from 205.169.164.67 (a@b.com) to c.com is infected, McAfee (W32/Sobig.f@MM)

Given that, I'd happily eliminate all of the other messages logged regarding
the virus scanning process except while debugging.

----- Original Message -----
From: "Julian Field" To: Sent: Thursday, September 04, 2003 9:40 AM Subject: Re: MailScanner feature request > If that does just what you are looking for, I'll add it into the main code. > > At 13:25 04/09/2003, you wrote: > >"Rose, Bobby" wrote: > > >Is it possible to have MailScanner note the Sender IP in the logs for a > > >message that it finds a virus on. That'll make it easier to pull out > > >the people that are pounding the heck out of MailScanner so that the can > > >just just be blocked entirely. > > > >Try this patch which I posted recently, and add to MailScanner.conf > > Log Infected IP Addresses = yes > > > >--- SweepViruses.pm 4 Jul 2003 19:13:31 -0000 1.10 > >+++ SweepViruses.pm 26 Aug 2003 10:03:53 -0000 1.11 > >@@ -508,6 +508,9 @@ > > next unless $text; > > $message->{virusreports}{"$attachment"} .= $text; > > } > >+ MailScanner::Log::InfoLog("Infected message %s came from %s", > >+ $id, $message->{clientip}) > >+ if MailScanner::Config::Value('logipaddrs'); > > } > > > > # And then all the report types... > >--- ConfigDefs.pl 25 Jul 2003 10:09:00 -0000 1.13 > >+++ ConfigDefs.pl 26 Aug 2003 10:03:53 -0000 1.14 > >@@ -88,6 +88,7 @@ > > logfacility = syslogfacility > > logformtags = loghtmlformtags > > logobjecttags = logobjectcodebasetags > >+logipaddrs = loginfectedipaddresses > > maxdirtybytes = maxunsafebytesperscan > > maxdirtymessages = maxunsafemessagesperscan > > maxmessagesize = maximummessagesize > >@@ -145,6 +146,7 @@ > > logspam 1 no 0 yes 1 > > lognonspam 0 no 0 yes 1 > > logmessageids 0 no 0 yes 1 > >+logipaddrs 0 no 0 yes 1 > > expandtnef 1 no 0 yes 1 > > showscanner 0 no 0 yes 1 > > spamassassinautowhitelist 1 no 0 yes 1 > > > > > >Tony. > >-- > >f.a.n.finch http://dotat.at/ > >LUNDY: EASTERLY VEERING SOUTHERLY 3 OR 4. FAIR. GOOD. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 15:45:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:46 2006
Subject: MailScanner feature request
In-Reply-To: <107DE25EC0216C45AEF670016024245F6F1B@exchangea.staff.uce.ac.uk>
Message-ID: <5.2.0.9.2.20030904154446.076009b8@imap.ecs.soton.ac.uk>

Added. I haven't added a new config option for it though, I'm just logging
it anyway. It didn't seem worth the overhead of doing a config variable
check for every report in every message.

At 15:03 04/09/2003, you wrote:
>Certainly does - I'm just testing out a new version of mailstats which
>makes use of this to add the sending IP address to the access table.
>Once I'm happy I'll release it so that you can protect against the
>Sobig.F onslaught!
>
>I think the initial release will simply use the same system as spam
>emails although in future release I will add separate configuration so
>that the message in the access file is different for viruses as well as
>allowing different times for the IP to stay blocked.
>-----------------------------------------------------------------
>David While
>Technical Development Manager
>Faculty of Computing, Information & English
>University of Central England
>Tel: 0121 331 6211
>-----------------------------------------------------------------
>
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 04 September 2003 14:41 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner feature request > > >If that does just what you are looking for, I'll add it into the main >code. > >At 13:25 04/09/2003, you wrote: > >"Rose, Bobby" wrote: > > >Is it possible to have MailScanner note the Sender IP in the logs for >a > > >message that it finds a virus on. That'll make it easier to pull out > > >the people that are pounding the heck out of MailScanner so that the >can > > >just just be blocked entirely. > > > >Try this patch which I posted recently, and add to MailScanner.conf > > Log Infected IP Addresses = yes > > > >--- SweepViruses.pm 4 Jul 2003 19:13:31 -0000 1.10 > >+++ SweepViruses.pm 26 Aug 2003 10:03:53 -0000 1.11 > >@@ -508,6 +508,9 @@ > > next unless $text; > > $message->{virusreports}{"$attachment"} .= $text; > > } > >+ MailScanner::Log::InfoLog("Infected message %s came from %s", > >+ $id, $message->{clientip}) > >+ if MailScanner::Config::Value('logipaddrs'); > > } > > > > # And then all the report types... > >--- ConfigDefs.pl 25 Jul 2003 10:09:00 -0000 1.13 > >+++ ConfigDefs.pl 26 Aug 2003 10:03:53 -0000 1.14 > >@@ -88,6 +88,7 @@ > > logfacility = syslogfacility > > logformtags = loghtmlformtags > > logobjecttags = logobjectcodebasetags > >+logipaddrs = loginfectedipaddresses > > maxdirtybytes = maxunsafebytesperscan > > maxdirtymessages = maxunsafemessagesperscan > > maxmessagesize = maximummessagesize 
> >@@ -145,6 +146,7 @@ > > logspam 1 no 0 yes 1 > > lognonspam 0 no 0 yes 1 > > logmessageids 0 no 0 yes 1 > >+logipaddrs 0 no 0 yes 1 > > expandtnef 1 no 0 yes 1 > > showscanner 0 no 0 yes 1 > > spamassassinautowhitelist 1 no 0 yes 1 > > > > > >Tony. > >-- > >f.a.n.finch http://dotat.at/ > >LUNDY: EASTERLY VEERING SOUTHERLY 3 OR 4. FAIR. GOOD. > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 15:39:58 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: virus update scripts. In-Reply-To: References: Message-ID: <5.2.0.9.2.20030904153853.0406a068@imap.ecs.soton.ac.uk> At 15:13 04/09/2003, you wrote: >Julian Field wrote: > > > >When I ran your new version, I get this: > > > uvscan --version --dat . > >uvscan: error while loading shared libraries: liblnxfv.so.4: cannot open > >shared object file: No such file or directory > >Fetch or test failed -- removing bad McAfee data files > >That's a problem with your McAfee installation -- I assume that the >virus scanner library can be found by ld.so, e.g. via a symlink in >/usr/local/lib or LD_LIBRARY_PATH in your environment or appropriate >ldconfig fu. But mcafee-wrapper doesn't require any of that, so people won't have done it to get MailScanner working. Any chance you could use mcafee-wrapper in your script rather than call uvscan directly please? Then it's a more real test that MailScanner can drive uvscan with the new files. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jase at SENSIS.COM Thu Sep 4 15:43:10 2003 
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID:

Not sure if this will help or not, but I have noticed MailScanner on my
backup/test server hanging. An strace of the process showed nothing. But
ls -l /proc//fd/ showed that it had some of the SpamAssassin bayes
database files opened. This is running MailScanner version 4.22-5 and
SpamAssassin version 2.54. The strange thing is that MailScanner had been
hung for over a day! I would have thought that MailScanner would have
timed out SpamAssassin by then. Killing MailScanner and restarting would
fix the problem for a while, then it would happen again.

I know that some people who are having this problem are not using
SpamAssassin, but perhaps there is a problem in the time out code for
SpamAssassin or Virus Checking?

I'm not complaining. My main MailScanner server is working, and I set
"use_bayes 0" on my backup, and that seemed to clear its problem. The
backup is a 233 MHz with 128 Mb of ram, and has other functions besides
scanning email, so it is taxed when MailScanner scans email.

Anyways, maybe this helps - if not, just ignore.

Jason

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Thursday, September 04, 2003 5:26 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Mail Not Routing, stuck in
> /var/spool/mqueue.in
>
>
> One of the things you could do to track it is this:
>
> In /usr/sbin/MailScanner, look for the "sub WorkForHours" and scatter
> print STDERR "Got to point 1\n";
> statements through it (obviously changing the number). Then
> set "Debug =
> yes" and you should see this output. If it is pausing horribly at some
> particular stage of processing a batch, then this should show
> it up. Leave
> all the spam checks disabled if you can, these take quite a
> long time anyway.
>
> And check your /etc/sysconfig/i18n has no mention of "utf8"
> in it. That's
> important.
>
> At 10:26 04/09/2003, you wrote:
> >Hi!
> >
> > > Without login access to somebody's machine which is
> *reliably* suffering
> > > from this problem, I'm a bit stuck.
> >
> >If it was happening _right now_ I would -love- to give a
> login, but it
> >isn't.
> >
> >One of the other people who is suffering from this wanting
> to give Julian
> >a login for looking into this ?
> >
> >Bye,
> >Raymond.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From brose at MED.WAYNE.EDU Thu Sep 4 16:00:45 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:46 2006
Subject: Mailscanner and SpamChecks
Message-ID:

Also, in light of the ongoing mass-mailing viruses, wouldn't it be
better if the virus and content checks ran before the spam checks so
that the spam check routines have less messages to look at? Doesn't
make sense to spam check messages with a banned attachment types or
virus if they're to be dropped or quarantined later.

-----Original Message-----
From: Rose, Bobby Sent: Wednesday, September 03, 2003 7:00 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mailscanner and SpamChecks Another question, I noticed that even if Spam Checks is off, the logs still say spam checks. I know that that comes from the log spam option, but the MS processes are still running thru the spam check subroutines in MessageBatch. Granted it's really not doing the checks, I was still wondering why it just doesn't skip the spam/ham routines altogether and go straight to virus checking when spam checks is off. We had routing issues today and got dumped on when it came back up so I've been staring at queues and logs all day. I'd turned off the spam checks to clear the queues faster and it just couldn't go fast enough for me. ;-) From s.kelly at ayrcoll.ac.uk Thu Sep 4 16:10:41 2003 
From: s.kelly at ayrcoll.ac.uk (Shane Kelly) Date: Thu Jan 12 21:19:46 2006 Subject: Spam Action "Forward" doesn't work In-Reply-To: References: Message-ID: <200309041610.42011.s.kelly@ayrcoll.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Using MailScanner 4.22-5, sendmail 8-12-7 (patched) on SuSE 8.2 pro with SA 2.55 On Thursday 04 September 2003 6:28 am, Zdenek Fajfr wrote: > Well, the thing is that I don't want to deliver spam to users any more; I > just want to be able to check the spam occasionally for false positives. So > thought I could pick up the spam, deliver it to one common e-mail address > (me) passing it through a filtering rule in Outlook to separate it from > ordinary mail and storing it in folder called 'SPAM'. > > I wonder way the log records say > > Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316 > actions are bounce,store,forward,postmaster@krnap.cz > > !?!?!? > > One would expect there ....forward postmaster@krnap.cz (e.g. without the > comma) or forward(postmaster@krnap.cz) or maybe forward > "postmaster@krnap.cz". > I tried to enclose the email address in (double) quotes - no success > either. > > I'm running out of ideas I turned on forwarding for SPAM to check if it was working here, and I have had SPAM for other users forwarded to me. The only thing I did was to add the keyword forward and my email address to the end of the SPAM actions list which already contained attachment deliver. Hope this helps someone. Regards, Shane > - -- Shane Kelly Network Infrastructure Manager 01292 293577 (Direct line) Actual Newspaper Headlines: Killer Sentenced to Die for Second Time in 10 Years -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) iD8DBQE/V1Xx/thVM7mR0ZYRAqSCAJ4jJmww8WywBYqx3oOEHTyuEBPdsACgkgmJ CdKaRWiXdjvN87eJ7zd100k= =n3MJ -----END PGP SIGNATURE----- From anders.andersson at LTKALMAR.SE Thu Sep 4 16:22:14 2003 
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:19:46 2006 Subject: SV: virus update scripts. Message-ID: > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > >Julian Field wrote: > > > > > >When I ran your new version, I get this: > > > > uvscan --version --dat . > > >uvscan: error while loading shared libraries: > liblnxfv.so.4: cannot > > >open shared object file: No such file or directory Fetch or test > > >failed -- removing bad McAfee data files > > > >That's a problem with your McAfee installation -- I assume that the > >virus scanner library can be found by ld.so, e.g. via a symlink in > >/usr/local/lib or LD_LIBRARY_PATH in your environment or appropriate > >ldconfig fu. > > But mcafee-wrapper doesn't require any of that, so people > won't have done it to get MailScanner working. Any chance you > could use mcafee-wrapper in your script rather than call > uvscan directly please? Then it's a more real test that > MailScanner can drive uvscan with the new files. Oh, you mean you don't need the lib files to use mcafee with mailscanner. I always just assumed you need them, hmmm, but I will keep them so I can do an uvscan --version to make its up2date. I learn new things all day.... why the hell can't I learn perl then *sniff* :) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From christo at IT4AFRICA.CO.ZA Thu Sep 4 16:21:49 2003 
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:19:46 2006 Subject: Strange Problem Mail dissapear Message-ID: <017301c372f8$44780cc0$660210ac@christo> Since I upgraded to the latest MS strange things happen on my mail server. Mail is sent from my smaller mail server and according to it the mail is sent successfully. But I get no trace of that mail on my server. I looked in the log and nothing there. All worked fine until yesterday when I updated MS. Any suggestions? Christo Bezuidenhout Disclaimer ---------------- This message and any attachment/s are confidential and intended solely for the addressee. If you have received this message in error, please notify AG Industries Limited immediately. Any unauthorised use, alteration or dissemination is prohibited. Whilst every effort has been made to ensure no viruses are present in this e-mail and/or attachments, we strongly recommend that you subject this e-mail and attachment/s to your own virus checking procedures prior to opening. AG Industries Limited accepts no liability whatsoever for any loss, whether direct, indirect or consequential, arising from information made available and actions resulting there from. Messages sent via this medium may be subject to delays, non-delivery and unauthorised alteration. Any recipient of an unacceptable communication, a chain letter or offensive material of any nature is requested to report it to Postmaster@ag-industries.com From randyf at SIBERNET.COM Thu Sep 4 16:35:20 2003 
From: randyf at SIBERNET.COM (Randy Fishel) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk> Message-ID: On Thu, 4 Sep 2003, Julian Field wrote: > > What virus scanner are you using? Sophossavi by any chance? > This statement concerns me (as it might to other Sophossavi users). Is there something that you might want to share? ---- Randy From mailscanner at ecs.soton.ac.uk Thu Sep 4 16:45:06 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: Message-ID: <5.2.0.9.2.20030904163814.04dc7a58@imap.ecs.soton.ac.uk> I have just seen one of my servers hang, due to the Bayes database getting corrupt. If I set "Debug = yes" and "Debug SpamAssassin = yes" then it printed millions of error messages about a "partial write (number of 665)". Presumably there was supposed to be a number before "of", which is supposed to increment but doesn't. I switched off Bayes (use_bayes 0) to work around the problem. What's the chance there are some messages out there which are capable of causing Bayes corruption due to them containing strange characters/strings? Has anyone suffered this problem who is using SA 2.60rc3? At 15:43 04/09/2003, you wrote: >Not sure if this will help or not, but I have noticed MailScanner on my >backup/test server hanging. An strace of the process showed nothing. But >ls -l /proc//fd/ showed that it had some of the SpamAssassin bayes >database files opened. This is running MailScanner version 4.22-5 and >SpamAssassin version 2.54. > >The strange thing is that MailScanner had been hung for over a day! I would >have thought that MailScanner would have timed out SpamAssassin by then. >Killing MailScanner and restarting would fix the problem for a while, then >it would happen again. I know that some people who are having this problem >are not using SpamAssassin, but perhaps there is a problem in the time out >code for SpamAssassin or Virus Checking? > >I'm not complaining. My main MailScanner server is working, and I set >"use_bayes 0" on my backup, and that seemed to clear its problem. The >backup is a 233 MHz with 128 Mb of ram, and has other functions besides >scanning email, so it is taxed when MailScanner scans email. > >Anyways, maybe this helps - if not, just ignore. > >Jason > > > -----Original Message----- 
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Thursday, September 04, 2003 5:26 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: [MAILSCANNER] Mail Not Routing, stuck in > > /var/spool/mqueue.in > > > > > > One of the things you could do to track it is this: > > > > In /usr/sbin/MailScanner, look for the "sub WorkForHours" and scatter > > print STDERR "Got to point 1\n"; > > statements through it (obviously changing the number). Then > > set "Debug = > > yes" and you should see this output. If it is pausing horribly at some > > particular stage of processing a batch, then this should show > > it up. Leave > > all the spam checks disabled if you can, these take quite a > > long time anyway. > > > > And check your /etc/sysconfig/i18n has no mention of "utf8" > > in it. That's > > important. > > > > At 10:26 04/09/2003, you wrote: > > >Hi! > > > > > > > Without login access to somebody's machine which is > > *reliably* suffering > > > > from this problem, I'm a bit stuck. > > > > > >If it was happening _right now_ i would -love- to give a > > login, but it > > >isnt. > > > > > >One of the other people who is suffering from this wanting > > to give Julian > > >a login for looking into this ? > > > > > >Bye, > > >Raymond. > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 16:47:49 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Spam Action "Forward" doesn't work In-Reply-To: <200309041610.42011.s.kelly@ayrcoll.ac.uk> References: Message-ID: <5.2.0.9.2.20030904164659.04273108@imap.ecs.soton.ac.uk> At 16:10 04/09/2003, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Hi, > Using MailScanner 4.22-5, sendmail 8-12-7 (patched) on SuSE 8.2 pro > with SA 2.55 > >On Thursday 04 September 2003 6:28 am, Zdenek Fajfr wrote: > > Well, the thing is that I don't want to deliver spam to users any more; I > > just want to be able to check the spam occasionally for false positives. So > > thought I could pick up the spam, deliver it to one common e-mail address > > (me) passing it through a filtering rule in Outlook to separate it from > > ordinary mail and storing it in folder called 'SPAM'. > > > > I wonder way the log records say > > > > Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316 > > actions are bounce,store,forward,postmaster@krnap.cz > > > > !?!?!? > > > > One would expect there ....forward postmaster@krnap.cz (e.g. without the > > comma) or forward(postmaster@krnap.cz) or maybe forward > > "postmaster@krnap.cz". > > I tried to enclose the email address in (double) quotes - no success > > either. > > > > I'm running out of ideas > >I turned on forwarding for SPAM to check if it was working here, and I have >had SPAM for other users forwarded to me. The only thing I did was to add the >keyword forward and my email address to the end of the SPAM actions list >which already contained attachment deliver. >The log entry "bounce,store,forward,postmaster@krnap.cz" is correct, >there's nothing wrong with that. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dot at DOTAT.AT Thu Sep 4 16:54:18 2003 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:46 2006 Subject: virus update scripts. In-Reply-To: References: Message-ID: Julian Field wrote: >At 15:13 04/09/2003, you wrote: >> >>That's a problem with your McAfee installation -- I assume that the >>virus scanner library can be found by ld.so > >But mcafee-wrapper doesn't require any of that, so people won't have done >it to get MailScanner working. >Any chance you could use mcafee-wrapper in your script rather than call >uvscan directly please? >Then it's a more real test that MailScanner can drive uvscan with the new >files. Unfortunately the wrapper script explicitly specifies the active dat file directory, so it's incompatible with my update script because that specifies a different dat file directory. I can add a couple of lines to set LD_LIBRARY_PATH, but I believe that's the wrong fix because properly installed programs should be runnable from a normal environment. It also fails to deal with things like the Red Hat 9 incompatibility, as does the standard wrapper. (My MailScanner setup runs uvscan directly, and this kind of problem is fixed by my uvscan package.) Tony. -- f.a.n.finch http://dotat.at/ LUNDY: EASTERLY VEERING SOUTHERLY 3 OR 4. FAIR. GOOD. From dot at DOTAT.AT Thu Sep 4 16:56:29 2003 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:46 2006 Subject: MailScanner feature request In-Reply-To: Message-ID: Julian Field wrote: >Added. >I haven't added a new config option for it though, I'm just logging it >anyway. It didn't seem worth the overhead of doing a config variable check >for every report in every message. Ah, that's a shame. Part of the reason I made it configurable was so that I could tell MailScanner to only log about infected machines on our network, to make it easier to get information for our CERT team. Tony. -- f.a.n.finch http://dotat.at/ ARDNAMURCHAN POINT TO CAPE WRATH INCLUDING THE OUTER HEBRIDES: SOUTH TO SOUTHWEST 5 OR 6 GRADUALLY DECREASING 3 OR 4 LOCALLY 5. RAIN SOON SPREADING FROM THE WEST, PERHAPS HEAVY AT TIMES. GOOD DECREASING MODERATE OR GOOD. MODERATE OR ROUGH. From Kevin at MICA.NET Thu Sep 4 17:08:41 2003 
From: Kevin at MICA.NET (Kevin Hanser) Date: Thu Jan 12 21:19:46 2006 Subject: different actions for different domains? Message-ID: <8B699873CEBA3543926B467E76808232034839@sol.hq.mica.net> We have a linux box set up as a spam/virus relay server that is relaying mail for multiple domains. Currently, I have it configured to simply mark spam and then deliver the messages, since that's how I like it. I personally have a problem with a machine making a decision about what mail I should and shouldn't get, since no program is 100% perfect and I don't want to lose any real mail. However, we are considering relaying more domains thru this box for some other customers, and some of them would rather not ever see the spam, and have it just stopped @ the server (apparently they're not concerned about losing real mail, since we've explained that to them and they didn't seem to think it was an issue..). So anyway, what I'm wondering is if it is possible with MailScanner / Spamassassin to have MailScanner perform different actions depending on what domain the mail is intended for. From what I gather from the config file, it looks like you just have one config file, which affects any mail that runs thru the MailScanner on that machine. Am I correct in this thinking, or is it possible to have different configs for different domains? thx k From mailscanner at ecs.soton.ac.uk Thu Sep 4 16:49:41 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: References: <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904164835.042c6348@imap.ecs.soton.ac.uk> At 16:35 04/09/2003, you wrote: >On Thu, 4 Sep 2003, Julian Field wrote: > > > > > What virus scanner are you using? Sophossavi by any chance? > > > > This statement concerns me (as it might to other Sophossavi users). Is >there something that you might want to share? Try switching to sophos instead of sophossavi, just to see if that's where the problem lies. Do you get any log entries about reinitialising (or just initialising) the savi library? You should get one when MS starts up a child process, and possibly 1 when a sophos-autoupdate happens. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From randyf at SIBERNET.COM Thu Sep 4 17:23:58 2003 
From: randyf at SIBERNET.COM (Randy Fishel) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5.2.0.9.2.20030904164835.042c6348@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030904164835.042c6348@imap.ecs.soton.ac.uk> Message-ID: I have been using Sophossavi since I upgraded to MS4, and haven't noticed any discrete problems. However, in the last week I have seen a significant drop in virus notifications on one of the servers I maintain. Could be that this domain has been well protected such as its users aren't infected, and that other users that have these users in their address books have been well protected. Could also be because we are not catching all the viruses (though I would expect that someone inside would have either been infected, or would have found an attempted infection). So my question is more on the line of if I should be concerned that the Sophossavi implementation, though faster, might not protect as well (and I would much prefer slower and secure over faster and not)? Is there something I could turn on to make sure that things are functioning correctly? ---- Randy On Thu, 4 Sep 2003, Julian Field wrote: > At 16:35 04/09/2003, you wrote: > >On Thu, 4 Sep 2003, Julian Field wrote: > > > > > > > > What virus scanner are you using? Sophossavi by any chance? > > > > > > > This statement concerns me (as it might to other Sophossavi users). Is > >there something that you might want to share? > > Try switching to sophos instead of sophossavi, just to see if that's where > the problem lies. Do you get any log entries about reinitialising (or just > initialising) the savi library? You should get one when MS starts up a > child process, and possibly 1 when a sophos-autoupdate happens. 
> > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From jase at SENSIS.COM Thu Sep 4 17:38:49 2003 
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Message-ID: For me, it would not surprise me if the bayes database was corrupt. I've used that box for many different tests. I can wipe out the database. But shouldn't MailScanner time out SpamAssassin if it takes too long? I have SpamAssassin Timeout = 70 Max SpamAssassin Timeouts = 20 but MailScanner was hanging for hours. Jason > I have just seen one of my servers hang, due to the Bayes > database getting > corrupt. If I set "Debug = yes" and "Debug SpamAssassin = yes" then it > printed millions of error messages about a "partial write (number of > 665)". Presumably there was supposed to be a number before > "of", which is > supposed to increment but doesn't. I switched off Bayes > (use_bayes 0) to > work around the problem. > > What's the chance there are some messages out there which are > capable of > causing Bayes corruption due to them containing strange > characters/strings? > Has anyone suffered this problem who is using SA 2.60rc3? > > At 15:43 04/09/2003, you wrote: > >Not sure if this will help or not, but I have noticed > MailScanner on my > >backup/test server hanging. An strace of the process showed > nothing. But > >ls -l /proc//fd/ showed that it had some of the > SpamAssassin bayes > >database files opened. This is running MailScanner version > 4.22-5 and > >SpamAssassin version 2.54. > > > >The strange thing is that MailScanner had been hung for over > a day! I would > >have thought that MailScanner would have timed out > SpamAssassin by then. > >Killing MailScanner and restarting would fix the problem for > a while, then > >it would happen again. I know that some people who are > having this problem > >are not using SpamAssassin, but perhaps there is a problem > in the time out > >code for SpamAssassin or Virus Checking? > > > >I'm not complaining. 
My main MailScanner server is working, > and I set > >"use_bayes 0" on my backup, and that seemed to clear its > problem. The > >backup is a 233 MHz with 128 Mb of ram, and has other > functions besides > >scanning email, so it is taxed when MailScanner scans email. > > > >Anyways, maybe this helps - if not, just ignore. > > > >Jason > > > > > -----Original Message----- 
> > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > Sent: Thursday, September 04, 2003 5:26 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: [MAILSCANNER] Mail Not Routing, stuck in > > > /var/spool/mqueue.in > > > > > > > > > One of the things you could do to track it is this: > > > > > > In /usr/sbin/MailScanner, look for the "sub WorkForHours" > and scatter > > > print STDERR "Got to point 1\n"; > > > statements through it (obviously changing the number). Then > > > set "Debug = > > > yes" and you should see this output. If it is pausing > horribly at some > > > particular stage of processing a batch, then this should show > > > it up. Leave > > > all the spam checks disabled if you can, these take quite a > > > long time anyway. > > > > > > And check your /etc/sysconfig/i18n has no mention of "utf8" > > > in it. That's > > > important. > > > > > > At 10:26 04/09/2003, you wrote: > > > >Hi! > > > > > > > > > Without login access to somebody's machine which is > > > *reliably* suffering > > > > > from this problem, I'm a bit stuck. > > > > > > > >If it was happening _right now_ i would -love- to give a > > > login, but it > > > >isnt. > > > > > > > >One of the other people who is suffering from this wanting > > > to give Julian > > > >a login for looking into this ? > > > > > > > >Bye, > > > >Raymond. > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From mailscanner at LISTS.COM.AR Thu Sep 4 17:43:06 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:46 2006 Subject: File Command Message-ID: <3F57416A.20941.1DC53159@localhost> Hi people, a quick one: in the default MailScanner.conf (from the tar 4.23-11 distro) I have the following: # Where the "file" command is installed. # This is used for checking the content type of files, regardless of their # filename. # To disable Filetype checking, set this value to blank. File Command = #/usr/bin/file Now, that "#" just before /usr/bin/file, does it imply the command is commented out and won't be executed? or is it required? I can't figure this out just by browsing the code and I as I haven't finished configuration, I hoped someone answered before I try it out. TIA -- Mariano Absatz El Baby ---------------------------------------------------------- Don't worry about the world coming to an end today.It's already tomorrow in Australia. -- Charles Schulz From sbreen at CSPOTMAIL.COM Thu Sep 4 17:48:06 2003 From: sbreen at CSPOTMAIL.COM (Stephen Breen) Date: Thu Jan 12 21:19:46 2006 Subject: Server dies with 100% RAM and swap file use. Message-ID: <3F576CC6.7030103@cspotmail.com> I'm running MailScanner from an RPM install on Red Hat 7.1 on a 800mghz Pentium 3 with 256MB ram and a 256MB swap. The server will run for 24hours then die. The problem only started after installing MailScanner. I have mailscanner configured not to stop spam and with 3 child procs running, MailScanner v 4.23-11 RPM install. I have been using ClamAV for virus scanning. Any ideas why MailScanner seems to be dying? I set the auto restart config value to 10480 seconds also. -- Stephen Breen c:Spot InterWorks From jase at SENSIS.COM Thu Sep 4 18:08:41 2003 
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:19:46 2006 Subject: MailScanner delivering attachments that it shouldn't? Message-ID: On Tuesday, I had a user get the Gibe virus. McAfee and ClamAV both caught the virus, and both the Filename and Filetype checks caught the attachment too. But it appears that since McAfee was able to clean the attachment, the cleaned version was delivered. I do have "Deliver Cleaned Messages = yes" for the user who got the virus, but I would think that the Filename and Filetype rules would override this. Otherwise, someone can get by the Filename and Filetype checks by sending the file infected with a virus which can be cleaned. Here is the log: Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus and Content Scanning: Starting Sep 2 15:58:27 dimstar2 MailScanner[28583]: McAfee said "/var/spool/MailScanner/incoming/28583/19uHII-0001E4-00/update134.exe" Sep 2 15:58:27 dimstar2 MailScanner[28583]: McAfee said " Found the W32/Gibe.gen@MM virus !!!" Sep 2 15:58:27 dimstar2 MailScanner[28583]: /19uHII-0001E4-00/update134.exe Found the W32/Gibe.gen@MM virus !!! 
Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: McAfee found 1 infections Sep 2 15:58:27 dimstar2 MailScanner[28583]: /var/spool/MailScanner/incoming/28583/./19uHII-0001E4-00/update134.exe: Worm.Gibe.B FOUND Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: ClamAV found 1 infections Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: Found 1 viruses Sep 2 15:58:28 dimstar2 MailScanner[28583]: Filename Checks: Windows/DOS Executable (update134.exe) Sep 2 15:58:28 dimstar2 MailScanner[28583]: Filetype Checks: No executables (update134.exe) Sep 2 15:58:28 dimstar2 MailScanner[28583]: Other Checks: Found 2 problems Sep 2 15:58:28 dimstar2 MailScanner[28583]: Saved entire message to /var/spool/MailScanner/quarantine/20030902/19uHII-0001E4-00 Sep 2 15:58:28 dimstar2 MailScanner[28583]: Saved infected "update134.exe" to /var/spool/MailScanner/quarantine/20030902/19uHII-0001E4-00 Sep 2 15:58:28 dimstar2 MailScanner[28583]: Cleaned: Delivered 1 cleaned messages Sep 2 15:58:28 dimstar2 MailScanner[28583]: Sender Warnings: Delivered 1 warnings to virus senders I'm using MailScanner version 4.22-5. Jason From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 4 18:30:38 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:46 2006 Subject: different actions for different domains? In-Reply-To: <8B699873CEBA3543926B467E76808232034839@sol.hq.mica.net> References: <8B699873CEBA3543926B467E76808232034839@sol.hq.mica.net> Message-ID: <200309041730.h84HUf529249@onyx.rockstone.co.uk> On Thursday 04 September 2003 5:08 pm, Kevin Hanser wrote: > So anyway, what I'm wondering is if it is possible with MailScanner / > Spamassassin to have MailScanner perform different actions depending on > what domain the mail is intended for. /opt/MailScanner/etc/rules Antony. -- If the human brain were so simple that we could understand it, we'd be so simple that we couldn't. From mailscanner at ecs.soton.ac.uk Thu Sep 4 18:10:44 2003 
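A log check for the situation in Jason Desai's message "MailScanner delivering attachments that it shouldn't?" above, as an added example (not part of any message in this thread and not MailScanner code): it flags scanning batches in which a Filename or Filetype rule fired and a cleaned message was still delivered. The PID 28583 lines are taken from his excerpt; the PID 28590 batch is constructed for contrast. Grouping by PID and "Starting" line is an assumption, made because the Filename/Filetype and "Cleaned:" lines carry no message ID.

```python
import re

# Lines for PID 28583 come from the log excerpt in the message above.
# The PID 28590 batch is CONSTRUCTED: a virus is cleaned, no filename rule fires.
SAMPLE_LOG = """\
Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus and Content Scanning: Starting
Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: McAfee found 1 infections
Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: ClamAV found 1 infections
Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: Found 1 viruses
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Filename Checks: Windows/DOS Executable (update134.exe)
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Filetype Checks: No executables (update134.exe)
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Other Checks: Found 2 problems
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Saved entire message to /var/spool/MailScanner/quarantine/20030902/19uHII-0001E4-00
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Cleaned: Delivered 1 cleaned messages
Sep 2 16:02:10 dimstar2 MailScanner[28590]: Virus and Content Scanning: Starting
Sep 2 16:02:10 dimstar2 MailScanner[28590]: Virus Scanning: McAfee found 1 infections
Sep 2 16:02:10 dimstar2 MailScanner[28590]: Virus Scanning: Found 1 viruses
Sep 2 16:02:11 dimstar2 MailScanner[28590]: Cleaned: Delivered 1 cleaned messages
"""

# syslog prefix: "Mon D HH:MM:SS host MailScanner[pid]: text"
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+MailScanner\[(\d+)\]:\s+(.*)$"
)
BATCH_START = "Virus and Content Scanning: Starting"
# "Filename Checks: <rule description> (<attachment name>)"
POLICY_RE = re.compile(r"^(Filename|Filetype) Checks: (.+) \((.+)\)$")
CLEANED_RE = re.compile(r"^Cleaned: Delivered (\d+) cleaned messages$")
QUARANTINE_RE = re.compile(r"^Saved entire message to (\S+)$")


def find_cleaned_policy_hits(log_text):
    """Return batches where a filename/filetype rule fired AND a cleaned
    message was delivered by the same MailScanner child process."""
    batches = []   # every batch seen, in order of appearance
    current = {}   # pid -> the batch that child is working on
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a MailScanner syslog line
        ts, _host, pid, msg = m.groups()
        if msg == BATCH_START or pid not in current:
            current[pid] = {"pid": pid, "start": ts, "policy_hits": [],
                            "quarantined": [], "cleaned": 0}
            batches.append(current[pid])
        batch = current[pid]
        hit = POLICY_RE.match(msg)
        if hit:
            batch["policy_hits"].append(hit.groups())  # (check, rule, file)
            continue
        saved = QUARANTINE_RE.match(msg)
        if saved:
            batch["quarantined"].append(saved.group(1))
            continue
        cleaned = CLEANED_RE.match(msg)
        if cleaned:
            batch["cleaned"] += int(cleaned.group(1))
    return [b for b in batches if b["policy_hits"] and b["cleaned"]]


if __name__ == "__main__":
    for b in find_cleaned_policy_hits(SAMPLE_LOG):
        print(f"PID {b['pid']} batch starting {b['start']}: "
              f"{b['cleaned']} cleaned message(s) delivered")
        for check, rule, name in b["policy_hits"]:
            print(f"  {check} rule '{rule}' matched attachment {name}")
        for path in b["quarantined"]:
            print(f"  quarantine copy to review: {path}")
```

A flagged batch is a lead, not proof: when a batch holds several messages, the cleaned delivery and the rule hit may belong to different messages, so confirm against the quarantine directory listed in the result.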
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: File Command In-Reply-To: <3F57416A.20941.1DC53159@localhost> Message-ID: <5.2.1.1.2.20030904180923.02714158@imap.ecs.soton.ac.uk> At 17:43 04/09/2003, you wrote: >Hi people, > >a quick one: in the default MailScanner.conf (from the tar 4.23-11 distro) I >have the following: > ># Where the "file" command is installed. ># This is used for checking the content type of files, regardless of their ># filename. ># To disable Filetype checking, set this value to blank. >File Command = #/usr/bin/file > >Now, that "#" just before /usr/bin/file, does it imply the command is >commented out and won't be executed? or is it required? As the line above "File Command" says, setting it to blank disables filetype checking. The "#" at the start of /usr/bin/file comments out the rest of the line, leaving the value blank. This therefore disables filetype checking. Just ignore everything after a "#" and it will be obvious :-) >I can't figure this out just by browsing the code and I as I haven't finished >configuration, I hoped someone answered before I try it out. > >TIA > >-- >Mariano Absatz >El Baby >---------------------------------------------------------- >Don't worry about the world coming to an end today.It's already tomorrow in >Australia. -- Charles Schulz -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 18:11:55 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Server dies with 100% RAM and swap file use. In-Reply-To: <3F576CC6.7030103@cspotmail.com> Message-ID: <5.2.1.1.2.20030904181129.02617dc8@imap.ecs.soton.ac.uk> Does the RAM in use gradually creep up, or does it suddenly go to 100%? At 17:48 04/09/2003, you wrote: >I'm running MailScanner from an RPM install on Red Hat 7.1 on a 800mghz >Pentium 3 with 256MB ram and a 256MB swap. The server will run for >24hours then die. The problem only started after installing MailScanner. >I have mailscanner configured not to stop spam and with 3 child procs >running, MailScanner v 4.23-11 RPM install. I have been using ClamAV for >virus scanning. Any ideas why MailScanner seems to be dying? I set the >auto restart config value to 10480 seconds also. > >-- >Stephen Breen >c:Spot InterWorks -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 18:09:03 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: different actions for different domains? In-Reply-To: <8B699873CEBA3543926B467E76808232034839@sol.hq.mica.net> Message-ID: <5.2.1.1.2.20030904180851.02688168@imap.ecs.soton.ac.uk> Please read the docs in /etc/MailScanner/rules. At 17:08 04/09/2003, you wrote: >We have a linux box set up as a spam/virus relay server that is relaying >mail for multiple domains. Currently, I have it configured to simply mark >spam and then deliver the messages, since that's how I like it. I >personally have a problem with a machine making a decision about what mail >I should and shouldn't get, since no program is 100% perfect and I don't >want to lose any real mail. However, we are considering relaying more >domains thru this box for some other customers, and some of them would >rather not ever see the spam, and have it just stopped @ the server >(apparently they're not concerned about losing real mail, since we've >explained that to them and they didn't seem to think it was an issue..). > >So anyway, what I'm wondering is if it is possible with MailScanner / >Spamassassin to have MailScanner perform different actions depending on >what domain the mail is intended for. From what I gather from the config >file, it looks like you just have one config file, which affects any mail >that runs thru the MailScanner on that machine. Am I correct in this >thinking, or is it possible to have different configs for different domains? > >thx > >k -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 18:04:54 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: Message-ID: <5.2.1.1.2.20030904180257.02687ac0@imap.ecs.soton.ac.uk> At 17:38 04/09/2003, you wrote: >For me, it would not surprise me if the bayes database was corrupt. I've >used that box for many different tests. I can wipe out the database. But >shouldn't MailScanner time out SpamAssassin if it takes too long? I have > >SpamAssassin Timeout = 70 >Max SpamAssassin Timeouts = 20 > >but MailScanner was hanging for hours. Yes, the timeout should still happen. Also, I have found the bug in SA 2.55 that was causing this problem and it has been fixed in 2.60rc3. As I advised earlier, please can you add some debugging messages (print STDERR "blah blah blah\n";) to sub WorkForHours in /usr/sbin/MailScanner and try running it in debug mode. That may help show which bit is running slowly. > > I have just seen one of my servers hang, due to the Bayes > > database getting > > corrupt. If I set "Debug = yes" and "Debug SpamAssassin = yes" then it > > printed millions of error messages about a "partial write (number of > > 665)". Presumably there was supposed to be a number before > > "of", which is > > supposed to increment but doesn't. I switched off Bayes > > (use_bayes 0) to > > work around the problem. > > > > What's the chance there are some messages out there which are > > capable of > > causing Bayes corruption due to them containing strange > > characters/strings? > > Has anyone suffered this problem who is using SA 2.60rc3? > > > > At 15:43 04/09/2003, you wrote: > > >Not sure if this will help or not, but I have noticed > > MailScanner on my > > >backup/test server hanging. An strace of the process showed > > nothing. But > > >ls -l /proc//fd/ showed that it had some of the > > SpamAssassin bayes > > >database files opened. This is running MailScanner version > > 4.22-5 and > > >SpamAssassin version 2.54. 
> > > > > >The strange thing is that MailScanner had been hung for over > > a day! I would > > >have thought that MailScanner would have timed out > > SpamAssassin by then. > > >Killing MailScanner and restarting would fix the problem for > > a while, then > > >it would happen again. I know that some people who are > > having this problem > > >are not using SpamAssassin, but perhaps there is a problem > > in the time out > > >code for SpamAssassin or Virus Checking? > > > > > >I'm not complaining. My main MailScanner server is working, > > and I set > > >"use_bayes 0" on my backup, and that seemed to clear its > > problem. The > > >backup is a 233 MHz with 128 Mb of ram, and has other > > functions besides > > >scanning email, so it is taxed when MailScanner scans email. > > > > > >Anyways, maybe this helps - if not, just ignore. > > > > > >Jason > > > > > > > -----Original Message----- 
> > > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > > Sent: Thursday, September 04, 2003 5:26 AM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: [MAILSCANNER] Mail Not Routing, stuck in > > > > /var/spool/mqueue.in > > > > > > > > > > > > One of the things you could do to track it is this: > > > > > > > > In /usr/sbin/MailScanner, look for the "sub WorkForHours" > > and scatter > > > > print STDERR "Got to point 1\n"; > > > > statements through it (obviously changing the number). Then > > > > set "Debug = > > > > yes" and you should see this output. If it is pausing > > horribly at some > > > > particular stage of processing a batch, then this should show > > > > it up. Leave > > > > all the spam checks disabled if you can, these take quite a > > > > long time anyway. > > > > > > > > And check your /etc/sysconfig/i18n has no mention of "utf8" > > > > in it. That's > > > > important. > > > > > > > > At 10:26 04/09/2003, you wrote: > > > > >Hi! > > > > > > > > > > > Without login access to somebody's machine which is > > > > *reliably* suffering > > > > > > from this problem, I'm a bit stuck. > > > > > > > > > >If it was happening _right now_ i would -love- to give a > > > > login, but it > > > > >isnt. > > > > > > > > > >One of the other people who is suffering from this wanting > > > > to give Julian > > > > >a login for looking into this ? > > > > > > > > > >Bye, > > > > >Raymond. > > > > > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 18:07:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: MailScanner feature request In-Reply-To: References: Message-ID: <5.2.1.1.2.20030904180551.027d3298@imap.ecs.soton.ac.uk> At 16:56 04/09/2003, you wrote: >Julian Field wrote: > >Added. > >I haven't add a new config option for it though, I'm just logging it > >anyway. It didn't seem worth the overhead of doing a config variable check > >for every report in every message. > >Ah, that's a shame. Part of the reason I made it configurable was so that >I could tell MailScanner to only log about infected machines on our network, >to make it easier to get information for our CERT team. Most people (I suspect) don't need that fine control over logging output such as this, and every config option I add creates more overhead. So if it's a line that is likely to get called a lot, I like to keep it as simple as possible. But mostly, I was feeling lazy and didn't want to write the docs etc that are needed for another config option. Maybe I'll rethink now I'm not in the office (v. hectic there). -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From sbreen at CSPOTMAIL.COM Thu Sep 4 18:44:15 2003 
From: sbreen at CSPOTMAIL.COM (Stephen Breen) Date: Thu Jan 12 21:19:46 2006 Subject: Server dies with 100% RAM and swap file use. In-Reply-To: <5.2.1.1.2.20030904181129.02617dc8@imap.ecs.soton.ac.uk> References: <5.2.1.1.2.20030904181129.02617dc8@imap.ecs.soton.ac.uk> Message-ID: <3F5779EF.30205@cspotmail.com> The ram seems to at least be 100% used in a hour or two. Then it starts in on the swap file and that takes the rest of the day to fill up then the server dies (well gets really slow and takes for ever to do anything). Julian Field wrote: > Does the RAM in use gradually creep up, or does it suddenly go to 100%? > > At 17:48 04/09/2003, you wrote: > >> I'm running MailScanner from an RPM install on Red Hat 7.1 on a 800mghz >> Pentium 3 with 256MB ram and a 256MB swap. The server will run for >> 24hours then die. The problem only started after installing MailScanner. >> I have mailscanner configured not to stop spam and with 3 child procs >> running, MailScanner v 4.23-11 RPM install. I have been using ClamAV for >> virus scanning. Any ideas why MailScanner seems to be dying? I set the >> auto restart config value to 10480 seconds also. >> >> -- >> Stephen Breen >> c:Spot InterWorks > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > -- Stephen Breen c:Spot InterWorks 916-231-0602 http://www.mycspot.com From tristanr at CI.GRANDJCT.CO.US Thu Sep 4 18:35:48 2003 
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes) Date: Thu Jan 12 21:19:46 2006 Subject: Why anti-virus software is not enough... (Link to white-paper) Message-ID: Why anti-virus software is not enough: The urgent need for server-based email content checking http://www.trojanscan.com/mailsecurity/wpcontentchecking.htm "This white paper explains why anti-virus software alone is not enough to protect your organization against the current and future onslaught of computer viruses. Examining the different kinds of email attacks that threaten today's organizations, this paper describes the need for a solid server-based content-checking gateway to safeguard your business against email viruses and attacks." Isn't it nice to know that MailScanner already provides the protection described in the white paper Tristan Rhodes Information Systems (970) 244-1530 tristanr@ci.grandjct.co.us City of Grand Junction From miguelk at KONSULTEX.COM.BR Thu Sep 4 18:49:27 2003 
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy) Date: Thu Jan 12 21:19:46 2006 Subject: Server dies with 100% RAM and swap file use. References: <5.2.1.1.2.20030904181129.02617dc8@imap.ecs.soton.ac.uk> Message-ID: <3F577B27.70402@konsultex.com.br> Stephen; This comment is based on the assumption that you have the standard kernel that came with it. My previous server (2 months ago) was running RH 7.1 and all was fine as long as I did not bother it too much with new software, more processes, etc. Early this year I upgraded php, apache, snort, Perl and some other things (not Mailscanner, though) which I can't remember right now. Since then it also had lapses when it started just dying. Mine would run for about 1 or 2 weeks. The basic problem with that kernel is that the virtual memory process killer (the OOM killer) sometimes makes a mistake and kills the kernel. That happened in my case because the new processes ate up more ram than before and made the OOM act more often. Your case, though, may be different. I would suggest a kernel update or a distribution update, if you can do that. Miguel Julian Field wrote: > Does the RAM in use gradually creep up, or does it suddenly go to 100%? > > At 17:48 04/09/2003, you wrote: > >> I'm running MailScanner from an RPM install on Red Hat 7.1 on a 800mghz >> Pentium 3 with 256MB ram and a 256MB swap. The server will run for >> 24hours then die. The problem only started after installing MailScanner. >> I have mailscanner configured not to stop spam and with 3 child procs >> running, MailScanner v 4.23-11 RPM install. I have been using ClamAV for >> virus scanning. Any ideas why MailScanner seems to be dying? I set the >> auto restart config value to 10480 seconds also. 
>> >> -- >> Stephen Breen >> c:Spot InterWorks > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > -- This message has been checked by the antivirus system and is believed to be free of danger. From sbreen at CSPOTMAIL.COM Thu Sep 4 18:57:13 2003 
From: sbreen at CSPOTMAIL.COM (Stephen Breen) Date: Thu Jan 12 21:19:46 2006 Subject: Server dies with 100% RAM and swap file use. In-Reply-To: <3F577B27.70402@konsultex.com.br> References: <5.2.1.1.2.20030904181129.02617dc8@imap.ecs.soton.ac.uk> <3F577B27.70402@konsultex.com.br> Message-ID: <3F577CF9.90509@cspotmail.com> Hi, thanks for the suggestion. I will try a kernel update from 2.4.20-18.7 (which I'm running now) to 2.4.20-20.7, but a distribution update for the mail server is a high priority on our list. I really like MailScanner and it has been catching 500+ viruses a day so far with ClamAV and would really like to continue running it if possible. Steve Miguel Koren O'Brien de Lacy wrote: > Stephen; > > This comment is based on the assumption that you have the standard > kernel that came with it. My previous server (2 months ago) was > running RH 7.1 and all was fine as long as I did not bother it too > much with new software, more processes, etc. Early this year I > upgraded php, apache, snort, Perl and some other things (not > Mailscanner, though) which I can't remember right now. Since then it > also had lapses when it started just dying. Mine would run for about > 1 or 2 weeks. The basic problem with that kernel is that the virtual > memory process killer (the OOM killer) sometimes makes a mistake and > kills the kernel. That happened in my case because the new processes > ate up more ram than before and made the OOM act more often. Your > case, though, may be different. I would suggest a kernel update or a > distribution update, if you can do that. > > Miguel > > Julian Field wrote: > >> Does the RAM in use gradually creep up, or does it suddenly go to 100%? >> >> At 17:48 04/09/2003, you wrote: >> >>> I'm running MailScanner from an RPM install on Red Hat 7.1 on a 800mghz >>> Pentium 3 with 256MB ram and a 256MB swap. The server will run for >>> 24hours then die. The problem only started after installing >>> MailScanner. 
>>> I have mailscanner configured not to stop spam and with 3 child procs >>> running, MailScanner v 4.23-11 RPM install. I have been using ClamAV >>> for >>> virus scanning. Any ideas why MailScanner seems to be dying? I set the >>> auto restart config value to 10480 seconds also. >>> >>> -- >>> Stephen Breen >>> c:Spot InterWorks >> >> >> >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz >> MailScanner thanks transtec Computers for their support >> > > > -- Stephen Breen c:Spot InterWorks 916-231-0602 http://www.mycspot.com From greyhair at GREYHAIR.NET Thu Sep 4 19:02:27 2003 From: greyhair at GREYHAIR.NET (Mr. Greyhair) Date: Thu Jan 12 21:19:46 2006 Subject: Server dies with 100% RAM and swap file use. Message-ID: <200309041802.h84I2Ru31436@localhost.greyhair.net> have you seen what is using up the RAM? Did you use 'top' to see the hogs? Is this machine *only* for Email, no other programs running (like apache, tomcat, etc)? Is buying more ram an option (newegg.com!)? Stephen Breen wrote .. > I'm running MailScanner from an RPM install on Red Hat 7.1 on a 800mghz > Pentium 3 with 256MB ram and a 256MB swap. The server will run for > 24hours then die. The problem only started after installing MailScanner. > I have mailscanner configured not to stop spam and with 3 child procs > running, MailScanner v 4.23-11 RPM install. I have been using ClamAV for > virus scanning. Any ideas why MailScanner seems to be dying? I set the > auto restart config value to 10480 seconds also. > > -- > Stephen Breen > c:Spot InterWorks From sbreen at CSPOTMAIL.COM Thu Sep 4 19:08:06 2003 
From: sbreen at CSPOTMAIL.COM (Stephen Breen) Date: Thu Jan 12 21:19:46 2006 Subject: Server dies with 100% RAM and swap file use. In-Reply-To: <200309041802.h84I2Ru31436@localhost.greyhair.net> References: <200309041802.h84I2Ru31436@localhost.greyhair.net> Message-ID: <3F577F86.6050302@cspotmail.com> The machine is an email server; it runs apache for openwebmail, no java! A RAM upgrade is an option (as in it's on the way pretty soon here). I still don't see why all the ram/swap would disappear. Mr. Greyhair wrote: >have you seen what is using up the RAM? Did you use 'top' to see the hogs? Is this machine *only* for Email, no other programs running (like apache, tomcat, etc)? Is buying more ram an option (newegg.com!)? > >Stephen Breen wrote .. > > >>I'm running MailScanner from an RPM install on Red Hat 7.1 on a 800mghz >>Pentium 3 with 256MB ram and a 256MB swap. The server will run for >>24hours then die. The problem only started after installing MailScanner. >>I have mailscanner configured not to stop spam and with 3 child procs >>running, MailScanner v 4.23-11 RPM install. I have been using ClamAV for >>virus scanning. Any ideas why MailScanner seems to be dying? I set the >>auto restart config value to 10480 seconds also. >> >>-- >>Stephen Breen >>c:Spot InterWorks >> >> -- Stephen Breen c:Spot InterWorks 916-231-0602 http://www.mycspot.com From mailscanner at LISTS.COM.AR Thu Sep 4 20:30:32 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:46 2006 Subject: strange behaviour detected with W32/Mimail@MM In-Reply-To: <3F2E3688.31037.1E036E@localhost> References: <5.2.1.1.2.20030803214820.02521008@imap.ecs.soton.ac.uk> Message-ID: <3F5768A8.15429.1E5E7D97@localhost> Hi Julian, I know I wrote this a month ago, but I couldn't lay my hands on a spare server... I upgraded one of the production servers to MailScanner 4.23-11 today and I'm getting the same results. I think all the McAfee reports are disappearing from $message->{allreports} somehow... I think this 'cause I modified the SQL loggin' routines to get a plain text log in real time and I only see filename reports there, never a virus report... Here's a log sample with the current version of MailScanner: Sep 4 16:11:46 or Alerce-OR[24018]: New Batch: Scanning 1 messages, 29148 bytes Sep 4 16:11:46 or Alerce-OR[24018]: Spam Checks: Starting Sep 4 16:11:46 or Alerce-OR[24018]: Virus and Content Scanning: Starting Sep 4 16:11:47 or Alerce-OR[24018]: /app/mailScanner.4.23- 11/var/incoming/24018/130309/message.zip Found the W32/ Mimail@MM virus !!! 
Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: McAfee found 1 infections Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: Found 1 viruses Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing msg-24018- 1.txt Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing message.zip Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing msg-24018- 1.txt Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing message.zip Sep 4 16:11:47 or Alerce-OR[24018]: ZM: message 130309 renamed into 1563661 Sep 4 16:11:47 or Alerce-OR[24018]: Uninfected: Delivered 1 messages You can see that McAfee does find the virus (and logs it), but lastly, it says it delivered the message 'cause it was uninfected. On 4 Aug 2003 at 10:33, Mariano Absatz wrote: > These are a couple of production servers, I'll see if I can find a spare > machine, set everything up and tell you later today. > > On 3 Aug 2003 at 21:53, Julian Field wrote: > > > Can you confirm that this is still a problem with the latest MailScanner > > please? > > > > I can't immediately see why it would do this. > > > > If this is still a problem, then it's obviously something I need to take a > > look at urgently. > > > > At 01:26 02/08/2003, you wrote: > > >I know, I know... my mailer decided to use base64 no matter I told it > > >otherwise... well, the log excerpts are at > > >http://baby.com.ar/MailScanner/mailscanner-log-excerpts > > > > > >Thanx. > > > > > >On 1 Aug 2003 at 21:21, Mariano Absatz wrote: > > > > > > > > > > > I'm enclosing a text file with results from every one of these tests. > > > > > > > > For every test I put the relevant log lines from syslog (luckily > > > enough, the > > > > traffic was so low, that every test message passed thru mailscanner as a > > > > complete batch). 
> > > > > > > > Following it there are 2 or 3 lines (MSG: / TO : / RPT:) that are > > > equivalent > > > > to the mysql log (generated by &AlerceLogging, that is a modified > > > version of > > > > SQLLogging that doesn't do any SQL). > > > > > > > > Finally, the relevant MailScanner header lines in the received message. > > > > > > > > > >-- > > >Mariano Absatz > > >El Baby > > >---------------------------------------------------------- > > >Always remember you're unique, just like everyone else. > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > > -- > Mariano Absatz > El Baby > ---------------------------------------------------------- > The instructions said to use Windows 98 or better, > so I installed GNU/Linux 2.4. -- Mariano Absatz El Baby ---------------------------------------------------------- Lottery: A tax on people who are bad at math. From dh at UPTIME.AT Thu Sep 4 20:34:35 2003 
From: dh at UPTIME.AT (David) Date: Thu Jan 12 21:19:46 2006 Subject: OT: Osirusoft and no mail passed.. explanations.. Message-ID: ... It's interesting how free resources can become almost critical resources to various businesses. This week, we saw Osirusoft pull the plug on its DNSBL spam blacklist service. What's interesting is that Osirusoft ended by adding an open wildcard to the blacklist service, essentially causing *every* system to appear to be in the blacklist and thus be prevented from sending e-mail. Admins who used the Osirusoft DNSBL found their machines refusing to pass e-mail, even to itself in some situations! The moral to this story: Review your external dependencies and prepare contingency plans should one of those dependant relationships immediately be severed. http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0202.html Until next week, ... from the SANS newsletter -d - "Deep into that darkness peering, long I stood there wondering, fearing, - Doubting, dreaming dreams no mortal ever dared to dream to dream before.." Edgar Allen Poe - The Raven From Kevin at MICA.NET Thu Sep 4 20:39:47 2003 From: Kevin at MICA.NET (Kevin Hanser) Date: Thu Jan 12 21:19:47 2006 Subject: different actions for different domains? Message-ID: <8B699873CEBA3543926B467E7680823203483F@sol.hq.mica.net> Awesome! Just what I was looking for, guess I need to RTFM a little more closely next time :) Thanx! k -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, September 04, 2003 13:09 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: different actions for different domains? Please read the docs in /etc/MailScanner/rules. At 17:08 04/09/2003, you wrote: >We have a linux box set up as a spam/virus relay server that is >relaying mail for multiple domains. Currently, I have it configured to From mailscanner at ecs.soton.ac.uk Thu Sep 4 20:40:18 2003 
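The Osirusoft incident in David's post above (a wildcard record that made every host look blacklisted) can be caught with the two test entries RFC 5782 defines for IPv4 DNSBLs: 127.0.0.2 must be listed and 127.0.0.1 must not. The Python check below is an added example, not code from MailScanner or from any poster; the zone names and the injected resolver are constructed so that it runs offline.

```python
"""DNSBL health check using the RFC 5782 test entries (added example)."""
import ipaddress
import socket

# gaierror codes that mean "no such record"; anything else is a resolver problem.
_NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, e.g. 2.0.0.127.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_lookup(name):
    """True if name has an A record, False if it does not, None if unknown."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror as exc:
        return False if exc.errno in _NOT_FOUND else None


def check_zone(zone, lookup=system_lookup):
    """Classify a zone: 127.0.0.1 must NOT be listed, 127.0.0.2 MUST be listed."""
    listed_loopback = lookup(dnsbl_query_name("127.0.0.1", zone))
    listed_test = lookup(dnsbl_query_name("127.0.0.2", zone))
    if listed_loopback is None or listed_test is None:
        return "unknown"            # resolver trouble: do not trust the answer
    if listed_loopback:
        return "lists-everything"   # the wildcard case from the post
    if not listed_test:
        return "lists-nothing"      # zone is gone or emptied
    return "healthy"


def usable_zones(zones, lookup=system_lookup):
    """Return (zones that pass, full report); failing zones should be disabled."""
    report = {zone: check_zone(zone, lookup) for zone in zones}
    return [zone for zone in zones if report[zone] == "healthy"], report


def constructed_resolver(records, wildcard_zones=()):
    """Offline stand-in for DNS: exact records plus zones that answer any name."""
    def lookup(name):
        if any(name.endswith("." + zone) for zone in wildcard_zones):
            return True
        return name in records
    return lookup


# Constructed sample data: example.* names are placeholders, not real blacklists.
SAMPLE_ZONES = ["bl.example.net", "wild.example.org", "gone.example.com"]
SAMPLE_LOOKUP = constructed_resolver(
    records={"2.0.0.127.bl.example.net"},
    wildcard_zones=["wild.example.org"],
)

if __name__ == "__main__":
    keep, report = usable_zones(SAMPLE_ZONES, SAMPLE_LOOKUP)
    for zone in SAMPLE_ZONES:
        print(f"{zone:20} {report[zone]}")
    print("safe to query:", keep)
```

Run against the real resolver from cron by calling `usable_zones` without the `lookup` argument, and alert on any zone that is not `healthy` before it starts rejecting mail.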
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: strange behaviour detected with W32/Mimail@MM In-Reply-To: <3F5768A8.15429.1E5E7D97@localhost> References: <3F2E3688.31037.1E036E@localhost> <5.2.1.1.2.20030803214820.02521008@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20030904203853.03ce1db8@imap.ecs.soton.ac.uk> Are you using a path containing any links in your MailScanner.conf. You possibly have /app/mailScanner/var/incoming as your working directory? As it says in the conf file, you *must* use the real path, particularly with mcafee. At 20:30 04/09/2003, you wrote: >Hi Julian, > >I know I wrote this a month ago, but I couldn't lay my hands on a spare >server... I upgraded one of the production servers to MailScanner 4.23-11 >today and I'm getting the same results. > >I think all the McAfee reports are disappearing from $message->{allreports} >somehow... I think this 'cause I modified the SQL loggin' routines to get a >plain text log in real time and I only see filename reports there, never a >virus report... > >Here's a log sample with the current version of MailScanner: > >Sep 4 16:11:46 or Alerce-OR[24018]: New Batch: Scanning 1 messages, 29148 >bytes >Sep 4 16:11:46 or Alerce-OR[24018]: Spam Checks: Starting >Sep 4 16:11:46 or Alerce-OR[24018]: Virus and Content Scanning: Starting >Sep 4 16:11:47 or Alerce-OR[24018]: /app/mailScanner.4.23- >11/var/incoming/24018/130309/message.zip Found the W32/ >Mimail@MM virus !!! 
>Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: McAfee found 1 >infections >Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: Found 1 viruses >Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing msg-24018- >1.txt >Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing message.zip >Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing msg-24018- >1.txt >Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing message.zip >Sep 4 16:11:47 or Alerce-OR[24018]: ZM: message 130309 renamed into 1563661 >Sep 4 16:11:47 or Alerce-OR[24018]: Uninfected: Delivered 1 messages > >You can see that McAfee does find the virus (and logs it), but lastly, it >says it delivered the message 'cause it was uninfected. > >On 4 Aug 2003 at 10:33, Mariano Absatz wrote: > > > These are a couple of production servers, I'll see if I can find a spare > > machine, set everything up and tell you later today. > > > > On 3 Aug 2003 at 21:53, Julian Field wrote: > > > > > Can you confirm that this is still a problem with the latest MailScanner > > > please? > > > > > > I can't immediately see why it would do this. > > > > > > If this is still a problem, then it's obviously something I need to > take a > > > look at urgently. > > > > > > At 01:26 02/08/2003, you wrote: > > > >I know, I know... my mailer decided to use base64 no matter I told it > > > >otherwise... well, the log excerpts are at > > > >http://baby.com.ar/MailScanner/mailscanner-log-excerpts > > > > > > > >Thanx. > > > > > > > >On 1 Aug 2003 at 21:21, Mariano Absatz wrote: > > > > > > > > > > > > > > I'm enclosing a text file with results from every one of these tests. > > > > > > > > > > For every test I put the relevant log lines from syslog (luckily > > > > enough, the > > > > > traffic was so low, that every test message passed thru > mailscanner as a > > > > > complete batch). 
> > > > > > > > > > Following it there are 2 or 3 lines (MSG: / TO : / RPT:) that are > > > > equivalent > > > > > to the mysql log (generated by &AlerceLogging, that is a modified > > > > version of > > > > > SQLLogging that doesn't do any SQL). > > > > > > > > > > Finally, the relevant MailScanner header lines in the received > message. > > > > > > > > > > > > >-- > > > >Mariano Absatz > > > >El Baby > > > >---------------------------------------------------------- > > > >Always remember you're unique, just like everyone else. > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > > > > > -- > > Mariano Absatz > > El Baby > > ---------------------------------------------------------- > > The instructions said to use Windows 98 or better, > > so I installed GNU/Linux 2.4. > > >-- >Mariano Absatz >El Baby >---------------------------------------------------------- >Lottery: A tax on people who are bad at math. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at LISTS.COM.AR Thu Sep 4 20:54:38 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:47 2006 Subject: strange behaviour detected with W32/Mimail@MM In-Reply-To: <5.2.1.1.2.20030904203853.03ce1db8@imap.ecs.soton.ac.uk> References: <3F5768A8.15429.1E5E7D97@localhost> Message-ID: <3F576E4E.7587.1E749019@localhost> F#&k it! You're right... and I _had_ read that before (long time before), but once I did a test and I thought it worked 'cause I saw the message from mcafee saying that it found the virus... Then I used symlinks to do smooth upgrades... well it seems I'll have to remember to edit the incoming working directory... Thanx a lot, Julian! On 4 Sep 2003 at 20:40, Julian Field wrote: > Are you using a path containing any links in your MailScanner.conf. > You possibly have /app/mailScanner/var/incoming as your working directory? > As it says in the conf file, you *must* use the real path, particularly > with mcafee. > > At 20:30 04/09/2003, you wrote: > >Hi Julian, > > > >I know I wrote this a month ago, but I couldn't lay my hands on a spare > >server... I upgraded one of the production servers to MailScanner 4.23-11 > >today and I'm getting the same results. > > > >I think all the McAfee reports are disappearing from $message->{allreports} > >somehow... I think this 'cause I modified the SQL loggin' routines to get a > >plain text log in real time and I only see filename reports there, never a > >virus report... > > > >Here's a log sample with the current version of MailScanner: > > > >Sep 4 16:11:46 or Alerce-OR[24018]: New Batch: Scanning 1 messages, 29148 > >bytes > >Sep 4 16:11:46 or Alerce-OR[24018]: Spam Checks: Starting > >Sep 4 16:11:46 or Alerce-OR[24018]: Virus and Content Scanning: Starting > >Sep 4 16:11:47 or Alerce-OR[24018]: /app/mailScanner.4.23- > >11/var/incoming/24018/130309/message.zip Found the W32/ > >Mimail@MM virus !!! 
> >Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: McAfee found 1 > >infections > >Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: Found 1 viruses > >Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing msg-24018- > >1.txt > >Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing message.zip > >Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing msg-24018- > >1.txt > >Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing message.zip > >Sep 4 16:11:47 or Alerce-OR[24018]: ZM: message 130309 renamed into 1563661 > >Sep 4 16:11:47 or Alerce-OR[24018]: Uninfected: Delivered 1 messages > > > >You can see that McAfee does find the virus (and logs it), but lastly, it > >says it delivered the message 'cause it was uninfected > > -- Mariano Absatz El Baby ---------------------------------------------------------- I don't suffer from insanity. I enjoy every minute of it. From mailscanner at ecs.soton.ac.uk Thu Sep 4 21:03:04 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: strange behaviour detected with W32/Mimail@MM In-Reply-To: <3F576E4E.7587.1E749019@localhost> References: <5.2.1.1.2.20030904203853.03ce1db8@imap.ecs.soton.ac.uk> <3F5768A8.15429.1E5E7D97@localhost> Message-ID: <5.2.1.1.2.20030904210224.03bb4470@imap.ecs.soton.ac.uk> Or else just keep the incoming directory somewhere outside the distribution, e.g. /var/spool/MailScanner/incoming. At 20:54 04/09/2003, you wrote: >F#&k it! >You're right... and I _had_ read that before (long time before), but once I >did a test and I thought it worked 'cause I saw the message from mcafee >saying that it found the virus... > >Then I used symlinks to do smooth upgrades... well it seems I'll have to >remember to edit the incoming working directory... > >Thanx a lot, Julian! > >On 4 Sep 2003 at 20:40, Julian Field wrote: > > > Are you using a path containing any links in your MailScanner.conf. > > You possibly have /app/mailScanner/var/incoming as your working directory? > > As it says in the conf file, you *must* use the real path, particularly > > with mcafee. > > > > At 20:30 04/09/2003, you wrote: > > >Hi Julian, > > > > > >I know I wrote this a month ago, but I couldn't lay my hands on a spare > > >server... I upgraded one of the production servers to MailScanner 4.23-11 > > >today and I'm getting the same results. > > > > > >I think all the McAfee reports are disappearing from > $message->{allreports} > > >somehow... I think this 'cause I modified the SQL loggin' routines to > get a > > >plain text log in real time and I only see filename reports there, never a > > >virus report... 
> > > > > >Here's a log sample with the current version of MailScanner: > > > > > >Sep 4 16:11:46 or Alerce-OR[24018]: New Batch: Scanning 1 messages, 29148 > > >bytes > > >Sep 4 16:11:46 or Alerce-OR[24018]: Spam Checks: Starting > > >Sep 4 16:11:46 or Alerce-OR[24018]: Virus and Content Scanning: Starting > > >Sep 4 16:11:47 or Alerce-OR[24018]: /app/mailScanner.4.23- > > >11/var/incoming/24018/130309/message.zip Found the W32/ > > >Mimail@MM virus !!! > > >Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: McAfee found 1 > > >infections > > >Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: Found 1 viruses > > >Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing msg-24018- > > >1.txt > > >Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing message.zip > > >Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing msg-24018- > > >1.txt > > >Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing message.zip > > >Sep 4 16:11:47 or Alerce-OR[24018]: ZM: message 130309 renamed into > 1563661 > > >Sep 4 16:11:47 or Alerce-OR[24018]: Uninfected: Delivered 1 messages > > > > > >You can see that McAfee does find the virus (and logs it), but lastly, it > > >says it delivered the message 'cause it was uninfected > > > > >-- >Mariano Absatz >El Baby >---------------------------------------------------------- >I don't suffer from insanity. I enjoy every minute of it. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From steve.douglas at SBIINCORPORATED.COM Thu Sep 4 21:31:54 2003 
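Two checks for the failure worked out in this thread, written in Python as an added example (not MailScanner code): `symlinked_components` reports any symbolic link in a configured working directory, and `silent_deliveries` flags syslog batches where a virus was found yet every message in the batch went out as uninfected. The log wording is taken from the sample posted above; the second batch in `SAMPLE_LOG` is constructed, and matching on these exact message strings is an assumption about other MailScanner versions.

```python
"""Checks for the symlinked working-directory failure (added example)."""
import os
import re
import sys

_LINE = re.compile(r"\[(\d+)\]: (.*)$")            # "...[pid]: message"
_BATCH = re.compile(r"New Batch: Scanning (\d+) messages")
_FOUND = re.compile(r"Virus Scanning: Found (\d+) viruses")
_CLEAN = re.compile(r"Uninfected: Delivered (\d+) messages")


def symlinked_components(path):
    """Return every prefix of path that is a symbolic link ([] means real path)."""
    links = []
    current = os.sep
    for part in os.path.abspath(path).strip(os.sep).split(os.sep):
        current = os.path.join(current, part)
        if os.path.islink(current):
            links.append(current)
    return links


def silent_deliveries(lines):
    """Find batches with >= 1 virus found where all messages were delivered clean.

    Returns a list of (pid, batch_size, viruses_found, delivered_uninfected).
    A batch with a detection must hold back at least one message, so
    delivered >= batch_size means the scanner's report was lost.
    """
    state, hits = {}, []
    for line in lines:
        match = _LINE.search(line)
        if not match:
            continue
        pid, message = match.groups()
        batch = _BATCH.search(message)
        if batch:
            state[pid] = {"size": int(batch.group(1)), "viruses": 0}
            continue
        current = state.get(pid)
        if current is None:
            continue
        found = _FOUND.search(message)
        if found:
            current["viruses"] = int(found.group(1))
            continue
        clean = _CLEAN.search(message)
        if clean:
            delivered = int(clean.group(1))
            if current["viruses"] >= 1 and delivered >= current["size"]:
                hits.append((pid, current["size"], current["viruses"], delivered))
    return hits


SAMPLE_LOG = [
    # From the post above, with the mailer's line wrapping rejoined.
    "Sep 4 16:11:46 or Alerce-OR[24018]: New Batch: Scanning 1 messages, 29148 bytes",
    "Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: McAfee found 1 infections",
    "Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: Found 1 viruses",
    "Sep 4 16:11:47 or Alerce-OR[24018]: Uninfected: Delivered 1 messages",
    # Constructed healthy batch: 3 scanned, 1 virus, only 2 delivered.
    "Sep 4 16:12:03 or Alerce-OR[24019]: New Batch: Scanning 3 messages, 51200 bytes",
    "Sep 4 16:12:04 or Alerce-OR[24019]: Virus Scanning: Found 1 viruses",
    "Sep 4 16:12:04 or Alerce-OR[24019]: Uninfected: Delivered 2 messages",
]

if __name__ == "__main__":
    # Default is the directory suggested in the reply above; pass another as argv[1].
    work_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/spool/MailScanner/incoming"
    links = symlinked_components(work_dir)
    if links:
        print("symlinks in working directory path:", ", ".join(links))
        print("use the real path instead:", os.path.realpath(work_dir))
    else:
        print(work_dir, "contains no symlinks")
    for pid, size, viruses, delivered in silent_deliveries(SAMPLE_LOG):
        print(f"pid {pid}: {viruses} virus(es) found, {delivered}/{size} delivered as clean")
```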
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:47 2006 Subject: Mail log syntax question Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FC9F@mail.gardenbotanika.com> Skipped content of type multipart/alternative From KShortt at AZERTY.COM Thu Sep 4 21:23:55 2003 From: KShortt at AZERTY.COM (Shortt, Kevin) Date: Thu Jan 12 21:19:47 2006 Subject: Razor per user? Message-ID: <210DF55DED65B547896F728FB057F3B201CB4DD4@seaver.ussco.com> Can Razor be implemented on a per user basis? ie....I am able to archive email on per user basis. Will MailScanner give me the same functionality with Razor? -k From lindsay at pa.net Thu Sep 4 21:43:37 2003 
From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:19:47 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5.2.0.9.2.20030904163814.04dc7a58@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030904163814.04dc7a58@imap.ecs.soton.ac.uk> Message-ID: <200309041643.37759.lindsay@pa.net> On Thursday 04 September 2003 11:45, you wrote: > I have just seen one of my servers hang, due to the Bayes database getting > corrupt. If I set "Debug = yes" and "Debug SpamAssassin = yes" then it > printed millions of error messages about a "partial write (number of > 665)". Presumably there was supposed to be a number before "of", which is > supposed to increment but doesn't. I switched off Bayes (use_bayes 0) to > work around the problem. > > What's the chance there are some messages out there which are capable of > causing Bayes corruption due to them containing strange characters/strings? > Has anyone suffered this problem who is using SA 2.60rc3? I see this rather frequently w/ SA 2.54. To fix, I stop MailScanner, destroy the bayes db's and restart. I have not tried 2.60rc3 yet though. So if anything, I second what you saw w/ the stuck bayes db's on SA 2.54. > > At 15:43 04/09/2003, you wrote: > >Not sure if this will help or not, but I have noticed MailScanner on my > >backup/test server hanging. An strace of the process showed nothing. But > >ls -l /proc//fd/ showed that it had some of the SpamAssassin bayes > >database files opened. This is running MailScanner version 4.22-5 and > >SpamAssassin version 2.54. > > > >The strange thing is that MailScanner had been hung for over a day! I > > would have thought that MailScanner would have timed out SpamAssassin by > > then. Killing MailScanner and restarting would fix the problem for a > > while, then it would happen again. I know that some people who are > > having this problem are not using SpamAssassin, but perhaps there is a > > problem in the time out code for SpamAssassin or Virus Checking? 
> >
> >I'm not complaining. My main MailScanner server is working, and I set
> >"use_bayes 0" on my backup, and that seemed to clear its problem. The
> >backup is a 233 MHz with 128 Mb of ram, and has other functions besides
> >scanning email, so it is taxed when MailScanner scans email.
> >
> >Anyways, maybe this helps - if not, just ignore.
> >
> >Jason
> >
> > > -----Original Message-----
> > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > > Sent: Thursday, September 04, 2003 5:26 AM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: [MAILSCANNER] Mail Not Routing, stuck in
> > > /var/spool/mqueue.in
> > >
> > >
> > > One of the things you could do to track it is this:
> > >
> > > In /usr/sbin/MailScanner, look for the "sub WorkForHours" and scatter
> > > print STDERR "Got to point 1\n";
> > > statements through it (obviously changing the number). Then set
> > > "Debug = yes" and you should see this output. If it is pausing
> > > horribly at some particular stage of processing a batch, then this
> > > should show it up. Leave all the spam checks disabled if you can,
> > > these take quite a long time anyway.
> > >
> > > And check your /etc/sysconfig/i18n has no mention of "utf8" in it.
> > > That's important.
> > >
> > > At 10:26 04/09/2003, you wrote:
> > > >Hi!
> > > >
> > > > > Without login access to somebody's machine which is *reliably*
> > > > > suffering from this problem, I'm a bit stuck.
> > > >
> > > >If it was happening _right now_ I would -love- to give a login, but
> > > >it isn't.
> > > >
> > > >One of the other people who is suffering from this wanting to give
> > > >Julian a login for looking into this ?
> > > >
> > > >Bye,
> > > >Raymond.
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support

From hmkash at ARL.ARMY.MIL Thu Sep 4 21:54:20 2003
From: hmkash at ARL.ARMY.MIL (Kash, Howard (Civ,ARL/CISD))
Date: Thu Jan 12 21:19:47 2006
Subject: MailScanner+PostFix ---- try this
Message-ID: <229A346E44379140A59A48951B56E0C07A7E32@ARLABML01.DS.ARL.ARMY.MIL>

For me this seemed to cause lots of messages to get stuck in the incoming
deferred queue. There would be 200 or so messages in the queue, but
Mailscanner would only process 1 or 2 messages in each batch. Once I removed
the patch, it immediately processed all of the queued messages in batches of
30.

Howard

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, September 04, 2003 6:45 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner+PostFix ---- try this

Here's a patch to Postfix.pm. I know it's not exactly a neat solution to the
problem, but if it fixes it I will know I have found the problem.

--- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 +++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 @@ -1132,6 +1132,9 @@ #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; while(defined($file = shift @SortedFiles) && $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { + # Yes I know this is a hack but it will help isolate the problem + next if $ModDate{$file} > time-3; + # must separate next two lines or $1 gets re-tainted by being part of # same expression as $file [mumble mumble grrr mumble mumble] #print STDERR "Reading file $file from list\n";

From mike at CAMAROSS.NET Thu Sep 4 21:59:47 2003
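Review bot: the added `next if $ModDate{$file} > time-3;` at the top of the `while` loop skips a queue file purely on wall-clock age, and nothing bounds how long a file can keep being skipped: if `$ModDate{$file}` is ahead of this host's clock, the comparison stays true on every pass and the file is never picked up. Howard's report in this thread of batches shrinking to 1 or 2 messages suggests the skip fires far more often than intended, so even for a diagnostic hack it is worth counting the skipped files and printing that count to STDERR alongside the existing debug prints. If the age test stays, put the 3 in a named variable with a comment saying what it protects against, and write the expression as `time() - 3` so the subtraction is unambiguous to the next reader.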
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Razor per user?
In-Reply-To: <210DF55DED65B547896F728FB057F3B201CB4DD4@seaver.ussco.com>
Message-ID: <000701c37327$79f51710$640ba8c0@home.middlefinger.net>

I think the only way you could do this would be to either enable or disable
spam checks totally (via ruleset) for a user since SpamAssassin uses
razor/pyzor/dcc...not MailScanner itself.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Shortt, Kevin
Sent: Thursday, September 04, 2003 3:24 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Razor per user?

Can Razor be implemented on a per user basis? ie....I am able to archive
email on per user basis. Will MailScanner give me the same functionality
with Razor?

-k

From mike at CAMAROSS.NET Thu Sep 4 22:01:58 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Mail log syntax question
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F70142FC9F@mail.gardenbotanika.com>
Message-ID: <000d01c37327$c8672eb0$640ba8c0@home.middlefinger.net>

Are you using any DNSBL's at the MTA? This is usually caused by the SMTP
session being terminated before it is completed. This could be a network
issue from a legit host or the connection being dropped because you reject
it.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Douglas
Sent: Thursday, September 04, 2003 3:32 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Mail log syntax question

I have the following:

RedHat 9
MailScanner-4.23-11
DCC
Razor2
Pentium4 1.8mhz
1 GB RAM
70 GB HDD

In reviewing the mail logs I noticed syntax as noted "did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA." What does this mean?

From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 4 22:04:56 2003
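The "did not issue MAIL/EXPN/VRFY/ETRN" log line asked about in this thread can be triaged mechanically. The following is an added example, not code from any list member or from MailScanner: it groups these events by client address, sets aside the ones whose queue ID also carries a `reject=` entry (the server dropping the connection itself), and separates bursts from one address from isolated dropped sessions. The log lines, the syslog layout, the thresholds and the verdict names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a classic sendmail syslog layout (not from the thread).
SAMPLE_LOG = """\
Sep  4 21:30:01 mx1 sendmail[2101]: h84KU1x02101: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Sep  4 21:30:09 mx1 sendmail[2102]: h84KU9x02102: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Sep  4 21:30:20 mx1 sendmail[2103]: h84KUKx02103: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Sep  4 21:31:02 mx1 sendmail[2110]: h84KV2x02110: ruleset=check_relay, arg1=dyn.example.net, arg2=198.51.100.7, relay=dyn.example.net [198.51.100.7], reject=550 5.7.1 Mail from 198.51.100.7 refused
Sep  4 21:31:02 mx1 sendmail[2110]: h84KV2x02110: dyn.example.net [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Sep  4 21:40:44 mx1 sendmail[2150]: h84KeixO2150: mail.example.org [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Sep  4 21:41:00 mx1 sendmail[2151]: h84Kf0x02151: from=<a@example.org>, size=1204, class=0, nrcpts=1, relay=mail.example.org [203.0.113.5]
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sendmail\[\d+\]:\s+"
    r"(?P<qid>\w+):\s+(?P<msg>.*)$"
)
NOCMD = re.compile(
    r"^(?P<client>.*?)\s*did not issue MAIL/EXPN/VRFY/ETRN "
    r"during connection to (?P<daemon>\S+)"
)
ADDR = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse(log_text, year):
    """Yield (timestamp, queue_id, message) for every sendmail syslog line."""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # collapse the padded day field
        # syslog carries no year, so the caller supplies one (assumption)
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield when, m.group("qid"), m.group("msg")


def max_in_window(times, window):
    """Largest number of events that fall inside any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(seconds=window):
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(log_text, year=2003, window=60, burst=3):
    """Return {client_ip: {"events": n, "verdict": str}} for no-command sessions."""
    rejected = set()             # queue IDs the server itself refused
    events = defaultdict(list)   # ip -> [(when, qid)]
    for when, qid, msg in parse(log_text, year):
        if "reject=" in msg:
            rejected.add(qid)
        hit = NOCMD.match(msg)
        if hit:
            addr = ADDR.search(hit.group("client"))
            if addr:
                events[addr.group(1)].append((when, qid))
    report = {}
    for ip, seen in events.items():
        # Events explained by a local rejection are not evidence of probing.
        unexplained = [when for when, qid in seen if qid not in rejected]
        if not unexplained:
            verdict = "policy-reject"
        elif max_in_window(unexplained, window) >= burst:
            verdict = "burst"
        else:
            verdict = "isolated"
        report[ip] = {"events": len(seen), "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {info['events']:3} {info['verdict']}")
```
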
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:47 2006
Subject: Mail log syntax question
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F70142FC9F@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F70142FC9F@mail.gardenbotanika.com>
Message-ID: <200309042105.h84L50530048@onyx.rockstone.co.uk>

On Thursday 04 September 2003 9:31 pm, Steve Douglas wrote:

> I have the following:
>
> Pentium4 1.8mhz

!? :)

> In reviewing the mail logs I noticed syntax as noted "did not issue
> MAIL/EXPN/VRFY/ETRN during connection to MTA." What does this mean?

Probably means somebody port scanned TCP 25 on your mail server. This message
means a TCP connection was opened but no command was received from the client.

Antony.

--
Normal people think "if it ain't broke, don't fix it".
Engineers think "if it ain't broke, it doesn't have enough features yet".

From mike at CAMAROSS.NET Thu Sep 4 22:41:06 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Has anyone else noticed...
In-Reply-To: <200309042105.h84L50530048@onyx.rockstone.co.uk>
Message-ID: <003501c3732d$3f27ee90$640ba8c0@home.middlefinger.net>

an increase in hits from Infinite-Monkeys today? I even went to their site
and checked my IP's because mail between my own servers was being tagged as
spam.

RBL checks: h84E8AA13025 found in Infinite-Monkeys

Mike

From raymond at PROLOCATION.NET Thu Sep 4 22:44:57 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:47 2006
Subject: Has anyone else noticed...
In-Reply-To: <003501c3732d$3f27ee90$640ba8c0@home.middlefinger.net>
Message-ID:

Hi!

> an increase in hits from Infinite-Monkeys today? I even went to their site
> and checked my IP's because mail between my own servers was being tagged as
> spam.
>
> RBL checks: h84E8AA13025 found in Infinite-Monkeys

No really, for today:

5702 spamcop.net
4484 NJABL
4459 Easynet-DNSBL
2551 RFC-IGNORANT-POSTMASTER
2527 RFC-IGNORANT-ABUSE
1970 Infinite-Monkeys
1746 spamhaus.org
1533 Easynet-Proxies
1291 Easynet-Dynablock
 880 RFC-IGNORANT-DSN
 697 RFC-IGNORANT-WHOIS
 188 ORDB-RBL

Did they list your netblock ?

Bye,
Raymond.

From mike at CAMAROSS.NET Thu Sep 4 23:15:40 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Has anyone else noticed...
In-Reply-To:
Message-ID: <004d01c37332$13815d30$640ba8c0@home.middlefinger.net>

My netblock was NOT listed and the site said it had never been listed. Got
the same response for several other IP's I checked that had been tagged as
Spam for a hit on Monkeys.com. None of them had been listed ever.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
Sent: Thursday, September 04, 2003 4:45 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Has anyone else noticed...

Hi!

> an increase in hits from Infinite-Monkeys today? I even went to their
> site and checked my IP's because mail between my own servers was being
> tagged as spam.
>
> RBL checks: h84E8AA13025 found in Infinite-Monkeys

No really, for today:

5702 spamcop.net
4484 NJABL
4459 Easynet-DNSBL
2551 RFC-IGNORANT-POSTMASTER
2527 RFC-IGNORANT-ABUSE
1970 Infinite-Monkeys
1746 spamhaus.org
1533 Easynet-Proxies
1291 Easynet-Dynablock
 880 RFC-IGNORANT-DSN
 697 RFC-IGNORANT-WHOIS
 188 ORDB-RBL

Did they list your netblock ?

Bye,
Raymond.

From sevans at FOUNDATION.SDSU.EDU Fri Sep 5 00:36:19 2003
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:19:47 2006
Subject: MailScanner and Exchange
Message-ID: <95B481BA6D181A4685081D263BF9A13A195E9C@mail.foundation.sdsu.edu>

Has anyone found a way to have MailScanner protect messages sent between
Exchange users? I've been trying to come up with a way for every message
that is sent to be routed through our MailScanner boxes, even if the message
is sent between two users on the same Exchange server.

Steve Evans
SDSU Foundation

From TGFurnish at HERFF-JONES.COM Fri Sep 5 00:37:37 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:47 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in {Scanned by H JMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1BA0@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Keith Edmunds [mailto:keith@MIDNIGHTHAX.COM]
>
> - saves all that hassle with precisely _which_ key is the backtick.

Um, was that supposed to be a curly brace or a paren? ;^)

Just kidding. Good point - thanks.

--
Trever

From anders.andersson at LTKALMAR.SE Fri Sep 5 00:50:43 2003
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:47 2006
Subject: SV: MailScanner and Exchange
Message-ID:

As far as I know it doesn't sound like anything Exchange would do... maybe
if you come up with a routing rule but I think it would skip that. That
would mean defeating the whole purpose of using that kind of database they
use. I guess in a small environment it would be OK but not if you wanna keep
the database efficient.

The cheapest way to protect would probably be buying a licence from CA.
Can't compare to Antigen but at least you would have a virus scanner running
your Exchange computer for about 100$ or so.

I can't say for exch2k but I doubt it's possible, doesn't sound like
something MS even would try to make possible, though I might be wrong.

> -----Original Message-----
> From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU]
> Sent: 5 September 2003 01:36
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner and Exchange
>
>
> Has anyone found a way to have MailScanner protect messages
> sent between Exchange users? I've been trying to come up
> with a way for every message that is sent to be routed
> through our MailScanner boxes, even if the message is sent
> between two users on the same Exchange server.
>
> Steve Evans
> SDSU Foundation
>

From errol.neal at ENHTECH.COM Fri Sep 5 01:47:18 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:47 2006
Subject: MailScanner Error
Message-ID: <5.1.0.14.0.20030904195130.042fccf0@mail.enhtech.com>

Hi all,

I just had a problem with my MailScanner that I fixed. I think this should
be added to the FAQ or something because the fix to the problem was not very
apparent...

I am running MailScanner-4.22-4 on Solaris9 Sparc. The problem I ran into
was when my system had just come back from a reboot, I was unable to start
the MailScanner. It exited with this error:

length is 0, should be 4 at Socket.pm

which was directed at the Socket.pm file in my perl Installation. I did a
search in the MailScanner archives and located this:

"
From: Frank Cheong
Subject: Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4

Recently, I have just installed MailScanner, Perl 5.8.0 and all related
components according to the mailscanner installation guide onto my Solaris

"Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4 at
/usr/local/lib/perl5/5.8.0/sun4-solaris/Socket.pm line 373."

What is the problem ? I have tried to telnet localhost 514 which is the
syslog port and the following message reported

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

I also checked that the below line is inside /etc/service

syslog 514/udp

Can I assume my solaris syslog configuration ok and it is the problem of the
perl installation instead ?
"

His Problem was that he was trying to run the sophos-autoupdate script. My
problem was with starting the MailScanner. So I tried to start the
auto-update script to see if I would get an error. The sophos-autoupdate
script also exited with an error, but this time the error mentioned the old
hostname of my system that I THOUGHT I HAD CHANGED.

When I initially setup my system, I did so using a temporary name. Not
knowing the ins and outs of Solaris, I guess I did it incompletely because
the system would configure itself with the old hostname after reboot. I
changed my hostname back to the entries that I had in my /etc/hosts file and
my /etc/hostname.dmfe0 file using the 'hostname' command and restarted
MailScanner.. It started with no problems.. Then I modified all the files
that mentioned the old hostname and restarted my server.. no issues...

So the problem was with the MailScanner being unable to resolve my invalid
system name.... (I think)

Anyways, hope that helps someone in the future..

Regards,
Errol U. Neal

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From postmaster at hull.tradelair.com Fri Sep 5 02:45:17 2003
From: postmaster at hull.tradelair.com (MailScanner)
Date: Thu Jan 12 21:19:47 2006
Subject: Warning: E-mail viruses detected
Message-ID: <200309050145.h851jHD19730@hull.tradelair.com>

Our virus detector has just been triggered by a message you sent:-
  To: eferret@xbox-cheat-codes.com
  Subject: Re: Wicked screensaver
  Date: Thu Sep 4 21:45:17 2003
Any infected parts of the message (your_document.pif) have not been
delivered.

This message is simply to warn you that your computer system may have a
virus present and should be checked.

The virus detector said this about the message:
Report: your_document.pif contains Worm.Sobig.F
Shortcuts to MS-Dos programs are very dangerous in email (your_document.pif)

--
MailScanner
Email Virus Scanner
www.mailscanner.info
Mailscanner thanks transtec Computers for their support

From smohan at VSNL.COM Fri Sep 5 03:55:54 2003
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:19:47 2006
Subject: Feature request
Message-ID:

This feature request culminated from the Sobig virus experience. MS caught
Sobig using filename checks even though the scanners were a little late in
coming up with a fix. This sent out notification messages. Even though I did
not get the virus, I got a load of notification messages. I did not want to
turn notification/deliver disinfected message off lest I miss some other
stuff. The ruleset of Silent virus does not apply to filename checks.

It would be great if the ruleset engine can allow usage of other headers.
E.g. Subject and X-MailScanner.

Subject contains "details" and X-Mailscanner contains "found to be infected"
action- do not notify
default notify.

AFAIK, this is not possible currently. Am I right?

Regards
Mohan

From david at PLATFORMHOSTING.COM Fri Sep 5 04:01:37 2003
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To:
References:
Message-ID: <3F57FC91.3010407@platformhosting.com>

Hi All,

A little off topic, but we've started noticing about a 10 fold increase in
Sobig.F traffic over the last 48 hours.

Is anyone else noticing this?
--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

========================================================================
This message has been scanned for viruses and unsafe content by
Platform Mail Security

To report SPAM forward the message to: spam@mailsecurity.net.au
To report incorrectly tagged messages: notspam@mailsecurity.net.au

Platform Mail Security www.mailsecurity.net.au
Platform Hosting www.platformhosting.com
========================================================================

From smohan at VSNL.COM Fri Sep 5 04:18:15 2003
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:19:47 2006
Subject: Feature request
In-Reply-To:
Message-ID:

I'm on 4.03 I think. Thanks for the clarification.

Regards
Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby
Sent: Friday, September 05, 2003 8:29 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Feature request

What version are you using? It was recently added in the latest revs

Notify Senders Of Blocked Filenames Or Filetypes = yes

-----Original Message-----
From: S Mohan [mailto:smohan@VSNL.COM]
Sent: Thursday, September 04, 2003 10:56 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Feature request

This feature request culminated from the Sobig virus experience. MS caught
Sobig using filename checks even though the scanners were a little late in
coming up with a fix. This sent out notification messages. Even though I did
not get the virus, I got a load of notification messages. I did not want to
turn notification/deliver disinfected message off lest I miss some other
stuff. The ruleset of Silent virus does not apply to filename checks.

It would be great if the ruleset engine can allow usage of other headers.
E.g. Subject and X-MailScanner.

Subject contains "details" and X-Mailscanner contains "found to be infected"
action- do not notify
default notify.

AFAIK, this is not possible currently. Am I right?

Regards
Mohan

From mike at CAMAROSS.NET Fri Sep 5 04:18:31 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To: <3F57FC91.3010407@platformhosting.com>
Message-ID: <00ae01c3735c$626ef450$640ba8c0@home.middlefinger.net>

The flow here has been trickling but steady. I am blocking LOTS of them with
a sendmail rule though, so they never even make it to MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
Sent: Thursday, September 04, 2003 10:02 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sobig.F resurgence

Hi All,

A little off topic, but we've started noticing about a 10 fold increase in
Sobig.F traffic over the last 48 hours.

Is anyone else noticing this?
--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

From david at PLATFORMHOSTING.COM Fri Sep 5 04:16:23 2003
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To: <00ae01c3735c$626ef450$640ba8c0@home.middlefinger.net>
References: <00ae01c3735c$626ef450$640ba8c0@home.middlefinger.net>
Message-ID: <3F580007.5040508@platformhosting.com>

So it doesn't sound like you're seeing this then:

http://www.platformhosting.com/mailscanner-mrtg/virus/virus.html

I wonder if it is a new variant or something?

--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

Mike Kercher wrote:
> The flow here has been trickling but steady. I am blocking LOTS of them
> with a sendmail rule though, so they never even make it to MailScanner.
>
> Mike
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> Of David Hooton
> Sent: Thursday, September 04, 2003 10:02 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Sobig.F resurgence
>
>
> Hi All,
>
> A little off topic, but we've started noticing about a 10 fold increase in
> Sobig.F traffic over the last 48 hours.
>
> Is anyone else noticing this?
> --
> Regards,
>
> David Hooton
> Senior Partner
> Platform Hosting
> 1300 85 HOST
> www.platformhosting.com

From nathan at TCPNETWORKS.NET Fri Sep 5 04:25:24 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
Message-ID:

Mike,

Just curious... What Sendmail rule are you using to block them? We've been
rejecting the most offending IP addresses with the access database, but as
you might expect... It's a little like a moving target.

Nathan

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Thursday, September 04, 2003 8:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

The flow here has been trickling but steady. I am blocking LOTS of them with
a sendmail rule though, so they never even make it to MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
Sent: Thursday, September 04, 2003 10:02 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sobig.F resurgence

Hi All,

A little off topic, but we've started noticing about a 10 fold increase in
Sobig.F traffic over the last 48 hours.

Is anyone else noticing this?
--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

From mike at CAMAROSS.NET Fri Sep 5 04:36:19 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To: <3F580007.5040508@platformhosting.com>
Message-ID: <00b001c3735e$dee89390$640ba8c0@home.middlefinger.net>

I can't even connect to platformhosting.com period :)

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
Sent: Thursday, September 04, 2003 10:16 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

So it doesn't sound like you're seeing this then:

http://www.platformhosting.com/mailscanner-mrtg/virus/virus.html

I wonder if it is a new variant or something?

--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

Mike Kercher wrote:
> The flow here has been trickling but steady. I am blocking LOTS of
> them with a sendmail rule though, so they never even make it to
> MailScanner.
>
> Mike
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of David Hooton
> Sent: Thursday, September 04, 2003 10:02 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Sobig.F resurgence
>
>
> Hi All,
>
> A little off topic, but we've started noticing about a 10 fold
> increase in Sobig.F traffic over the last 48 hours.
>
> Is anyone else noticing this?
> --
> Regards,
>
> David Hooton
> Senior Partner
> Platform Hosting
> 1300 85 HOST
> www.platformhosting.com

From mike at CAMAROSS.NET Fri Sep 5 04:39:35 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To:
Message-ID: <00b101c3735f$53743d40$640ba8c0@home.middlefinger.net>

In sendmail.mc, I added this:

LOCAL_RULESETS
# Reject all mail with Sobig subjects.
HSubject: $>Check_subject
D{Msobig1}That movie
D{Msobig2}Wicked screensaver
D{Msobig3}Your application
D{Msobig4}Approved
D{Msobig5}My details
D{Msobig6}Details
D{Msobig7}Thank you!
D{Msobig8}Returned mail: see transcript for details
D{Mmsg} Possible Sobig-F Virus - Please change subject

SCheck_subject
R${Msobig1} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig1} $*	$#error $: 550 ${Mmsg}
R${Msobig2} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig2} $*	$#error $: 550 ${Mmsg}
R${Msobig3} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig3} $*	$#error $: 550 ${Mmsg}
R${Msobig4} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig4} $*	$#error $: 550 ${Mmsg}
R${Msobig5} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig5} $*	$#error $: 550 ${Mmsg}
R${Msobig6} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig6} $*	$#error $: 550 ${Mmsg}
R${Msobig7} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig7} $*	$#error $: 550 ${Mmsg}
R${Msobig8} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig8} $*	$#error $: 550 ${Mmsg}

This was suggested on the list several days back and has been working very
well. May I remind you that the white gaps in text above are tabs and not
simply spaces. Run your .mc through m4 and then restart MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson
Sent: Thursday, September 04, 2003 10:25 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

Mike,

Just curious... What Sendmail rule are you using to block them? We've been
rejecting the most offending IP addresses with the access database, but as
you might expect... It's a little like a moving target.

Nathan

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Thursday, September 04, 2003 8:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

The flow here has been trickling but steady. I am blocking LOTS of them with
a sendmail rule though, so they never even make it to MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
Sent: Thursday, September 04, 2003 10:02 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sobig.F resurgence

Hi All,

A little off topic, but we've started noticing about a 10 fold increase in
Sobig.F traffic over the last 48 hours.

Is anyone else noticing this?
--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

From nathan at TCPNETWORKS.NET Fri Sep 5 04:38:44 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
Message-ID:

Actually, I remember seeing this but glossed over it for some reason. Do you
know if this will work specifically in only certain Sendmail versions...
We're a little outdated with Sendmail 8.11.6, but would love to utilize it.

Nathan

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Thursday, September 04, 2003 8:40 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

In sendmail.mc, I added this:

LOCAL_RULESETS
# Reject all mail with Sobig subjects.
HSubject: $>Check_subject
D{Msobig1}That movie
D{Msobig2}Wicked screensaver
D{Msobig3}Your application
D{Msobig4}Approved
D{Msobig5}My details
D{Msobig6}Details
D{Msobig7}Thank you!
D{Msobig8}Returned mail: see transcript for details
D{Mmsg} Possible Sobig-F Virus - Please change subject

SCheck_subject
R${Msobig1} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig1} $*	$#error $: 550 ${Mmsg}
R${Msobig2} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig2} $*	$#error $: 550 ${Mmsg}
R${Msobig3} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig3} $*	$#error $: 550 ${Mmsg}
R${Msobig4} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig4} $*	$#error $: 550 ${Mmsg}
R${Msobig5} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig5} $*	$#error $: 550 ${Mmsg}
R${Msobig6} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig6} $*	$#error $: 550 ${Mmsg}
R${Msobig7} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig7} $*	$#error $: 550 ${Mmsg}
R${Msobig8} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig8} $*	$#error $: 550 ${Mmsg}

This was suggested on the list several days back and has been working very
well. May I remind you that the white gaps in text above are tabs and not
simply spaces. Run your .mc through m4 and then restart MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson
Sent: Thursday, September 04, 2003 10:25 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

Mike,

Just curious... What Sendmail rule are you using to block them? We've been
rejecting the most offending IP addresses with the access database, but as
you might expect... It's a little like a moving target.

Nathan

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Thursday, September 04, 2003 8:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence The flow here has been trickling but steady. I am blocking LOTS of them with a sendmail rule though, so they never even make it to MailScanner. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton Sent: Thursday, September 04, 2003 10:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sobig.F resurgence Hi All, A little off topic, but we've started noticing about a 10 fold increase in Sobig.F traffic over the last 48 hours. Is anyone else noticing this? -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com ======================================================================== This message has been scanned for viruses and unsafe content by Platform Mail Security To report SPAM forward the message to: spam@mailsecurity.net.au To report incorrectly tagged messages: notspam@mailsecurity.net.au Platform Mail Security www.mailsecurity.net.au Platform Hosting www.platformhosting.com ======================================================================== From mike at CAMAROSS.NET Fri Sep 5 04:52:22 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:47 2006 Subject: Sobig.F resurgence In-Reply-To: Message-ID: <00b701c37361$1d998c50$640ba8c0@home.middlefinger.net> I am using sendmail-8.11.6-25.72 on a RHAS 2.1 box. I don't think it worked on a RH6.1 box with sendmail-8.11.6-1.62.3 Plug it into your .mc and see if it works...send yourself a test message with an offensive subject and watch your maillog. You'll know very quickly whether it will or will not work. If it doesn't work, just remove the lines from your .mc and remake your sendmail.cf and restart MailScanner again. Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson Sent: Thursday, September 04, 2003 10:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence Actually, I remember seeing this but glossed over it for some reason. Do you know if this will work specifically in only certain Sendmail versions... We're a little outdated with Sendmail 8.11.6, but would love to utilize it. Nathan -----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Thursday, September 04, 2003 8:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence In sendmail.mc, I added this:

LOCAL_RULESETS

# Reject all mail with Sobig subjects.
HSubject: $>Check_subject
D{Msobig1}That movie
D{Msobig2}Wicked screensaver
D{Msobig3}Your application
D{Msobig4}Approved
D{Msobig5}My details
D{Msobig6}Details
D{Msobig7}Thank you!
D{Msobig8}Returned mail: see transcript for details
D{Mmsg} Possible Sobig-F Virus - Please change subject

SCheck_subject
R${Msobig1} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig1} $*	$#error $: 550 ${Mmsg}
R${Msobig2} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig2} $*	$#error $: 550 ${Mmsg}
R${Msobig3} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig3} $*	$#error $: 550 ${Mmsg}
R${Msobig4} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig4} $*	$#error $: 550 ${Mmsg}
R${Msobig5} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig5} $*	$#error $: 550 ${Mmsg}
R${Msobig6} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig6} $*	$#error $: 550 ${Mmsg}
R${Msobig7} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig7} $*	$#error $: 550 ${Mmsg}
R${Msobig8} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig8} $*	$#error $: 550 ${Mmsg}

This was suggested on the list several days back and has been working very well. May I remind you that the white gaps in text above are tabs and not simply spaces. Run your .mc through m4 and then restart MailScanner. Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson Sent: Thursday, September 04, 2003 10:25 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence Mike, Just curious... What Sendmail rule are you using to block them? We've been rejecting the most offending IP addresses with the access database, but as you might expect... It's a little like a moving target. Nathan -----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Thursday, September 04, 2003 8:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence The flow here has been trickling but steady. I am blocking LOTS of them with a sendmail rule though, so they never even make it to MailScanner. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton Sent: Thursday, September 04, 2003 10:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sobig.F resurgence Hi All, A little off topic, but we've started noticing about a 10 fold increase in Sobig.F traffic over the last 48 hours. Is anyone else noticing this? -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com ======================================================================== This message has been scanned for viruses and unsafe content by Platform Mail Security To report SPAM forward the message to: spam@mailsecurity.net.au To report incorrectly tagged messages: notspam@mailsecurity.net.au Platform Mail Security www.mailsecurity.net.au Platform Hosting www.platformhosting.com ======================================================================== From mike at CAMAROSS.NET Fri Sep 5 04:55:56 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:47 2006 Subject: Sobig.F resurgence In-Reply-To: Message-ID: <00c601c37361$9c63bd30$640ba8c0@home.middlefinger.net> Here's what a maillog entry looks like:

Sep 4 22:46:13 genesis sendmail[26183]: h853kBb26183: ruleset=Check_subject, arg1=Re: Thank you!, relay=adsl-65-69-4-238.dsl.hstntx.swbell.net [65.69.4.238], reject=550 5.0.0 Possible Sobig-F Virus - Please change subject

Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson Sent: Thursday, September 04, 2003 10:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence Actually, I remember seeing this but glossed over it for some reason. Do you know if this will work specifically in only certain Sendmail versions... We're a little outdated with Sendmail 8.11.6, but would love to utilize it. Nathan -----Original Message----- 
From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Thursday, September 04, 2003 8:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence In sendmail.mc, I added this:

LOCAL_RULESETS

# Reject all mail with Sobig subjects.
HSubject: $>Check_subject
D{Msobig1}That movie
D{Msobig2}Wicked screensaver
D{Msobig3}Your application
D{Msobig4}Approved
D{Msobig5}My details
D{Msobig6}Details
D{Msobig7}Thank you!
D{Msobig8}Returned mail: see transcript for details
D{Mmsg} Possible Sobig-F Virus - Please change subject

SCheck_subject
R${Msobig1} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig1} $*	$#error $: 550 ${Mmsg}
R${Msobig2} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig2} $*	$#error $: 550 ${Mmsg}
R${Msobig3} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig3} $*	$#error $: 550 ${Mmsg}
R${Msobig4} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig4} $*	$#error $: 550 ${Mmsg}
R${Msobig5} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig5} $*	$#error $: 550 ${Mmsg}
R${Msobig6} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig6} $*	$#error $: 550 ${Mmsg}
R${Msobig7} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig7} $*	$#error $: 550 ${Mmsg}
R${Msobig8} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig8} $*	$#error $: 550 ${Mmsg}

This was suggested on the list several days back and has been working very well. May I remind you that the white gaps in text above are tabs and not simply spaces. Run your .mc through m4 and then restart MailScanner. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson Sent: Thursday, September 04, 2003 10:25 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence Mike, Just curious... What Sendmail rule are you using to block them? We've been rejecting the most offending IP addresses with the access database, but as you might expect... It's a little like a moving target. Nathan -----Original Message----- 
From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Thursday, September 04, 2003 8:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence The flow here has been trickling but steady. I am blocking LOTS of them with a sendmail rule though, so they never even make it to MailScanner. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton Sent: Thursday, September 04, 2003 10:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sobig.F resurgence Hi All, A little off topic, but we've started noticing about a 10 fold increase in Sobig.F traffic over the last 48 hours. Is anyone else noticing this? -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com ======================================================================== This message has been scanned for viruses and unsafe content by Platform Mail Security To report SPAM forward the message to: spam@mailsecurity.net.au To report incorrectly tagged messages: notspam@mailsecurity.net.au Platform Mail Security www.mailsecurity.net.au Platform Hosting www.platformhosting.com ======================================================================== From sevans at FOUNDATION.SDSU.EDU Fri Sep 5 05:24:07 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:19:47 2006 Subject: RPM Install - Compile Only Message-ID: <95B481BA6D181A4685081D263BF9A13A195E9E@mail.foundation.sdsu.edu> Is there a way to run install.sh and have it stop once everything is compiled, and then run install.sh which will then just install MailScanner without needing to compile it? I need to install MailScanner on quite a few identical machines, and it takes a long time for everything to compile compared to how long it should take just to install it. Steve Evans SDSU Foundation From brose at MED.WAYNE.EDU Fri Sep 5 05:43:58 2003 
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:19:47 2006 Subject: Sobig.F resurgence Message-ID: Check your logs to see if you can determine who it is. It may just be one or two systems pounding the heck out of you. I found a comcast.net host that was hitting me close to 3000 times on Monday and blocked it at the firewall. I also started using the dynablock.easynet.nl RBL which is similar to the MAPS-DUL RBL where it has listings of the DHCP netblocks used by ISPs for dialup, ADSL, etc basically all those stupid home users with infected machines which should be directly sending messages anyway. -----Original Message----- From: David Hooton [mailto:david@PLATFORMHOSTING.COM] Sent: Thursday, September 04, 2003 11:16 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence So it doesn't sound like you're seeing this then: http://www.platformhosting.com/mailscanner-mrtg/virus/virus.html I wonder if it is a new variant or something? -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com Mike Kercher wrote: > The flow here has been trickling but steady. I am blocking LOTS of > them with a sendmail rule though, so they never even make it to > MailScanner. > > Mike > > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of David Hooton > Sent: Thursday, September 04, 2003 10:02 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Sobig.F resurgence > > > Hi All, > > A little off topic, but we've started noticing about a 10 fold > increase in Sobig.F traffic over the last 48 hours. > > Is anyone else noticing this? > -- > Regards, > > David Hooton > Senior Partner > Platform Hosting > 1300 85 HOST > www.platformhosting.com > > > ======================================================================== > This message has been scanned for viruses and unsafe content by > Platform Mail Security > > To report SPAM forward the message to: spam@mailsecurity.net.au > To report incorrectly tagged messages: notspam@mailsecurity.net.au > > Platform Mail Security www.mailsecurity.net.au > Platform Hosting www.platformhosting.com > > ====================================================================== > == > > ======================================================================== > This message has been scanned for viruses and unsafe content by > Platform Mail Security > > To report SPAM forward the message to: spam@mailsecurity.net.au > To report incorrectly tagged messages: notspam@mailsecurity.net.au > > Platform Mail Security www.mailsecurity.net.au > Platform Hosting www.platformhosting.com > > ====================================================================== > == > > > ======================================================================== This message has been scanned for viruses and unsafe content by Platform Mail Security To report SPAM forward the message to: spam@mailsecurity.net.au To report incorrectly tagged messages: notspam@mailsecurity.net.au Platform Mail Security www.mailsecurity.net.au Platform Hosting www.platformhosting.com ======================================================================== From smohan at VSNL.COM Fri Sep 5 06:03:20 2003 
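The advice above to check the logs for a handful of hosts doing most of the pounding can be scripted against maillog lines in the format Mike quoted. This is an added example, not code from any post in the thread; the sample log lines, host names, addresses and threshold are constructed. Because arg1 is the sender-controlled Subject, the parser anchors on the last ", relay=" in the line so a crafted subject cannot substitute its own relay address.

```python
import re
from collections import Counter

# Constructed sample in the format of the maillog entry quoted in the thread.
# Addresses come from the RFC 5737 documentation ranges; host names are made up.
SAMPLE_LOG = """\
Sep  4 22:46:13 mx1 sendmail[26183]: h853kBb26183: ruleset=Check_subject, arg1=Re: Thank you!, relay=dsl-10.example.net [192.0.2.10], reject=550 5.0.0 Possible Sobig-F Virus - Please change subject
Sep  4 22:46:40 mx1 sendmail[26190]: h853kcb26190: ruleset=Check_subject, arg1=Re: Details, relay=dsl-10.example.net [192.0.2.10], reject=550 5.0.0 Possible Sobig-F Virus - Please change subject
Sep  4 22:47:02 mx1 sendmail[26201]: h853l2b26201: ruleset=Check_subject, arg1=Your application, relay=dsl-10.example.net [192.0.2.10], reject=550 5.0.0 Possible Sobig-F Virus - Please change subject
Sep  4 22:47:30 mx1 sendmail[26210]: h853lUb26210: ruleset=Check_subject, arg1=Re: That movie, relay=[198.51.100.7], reject=550 5.0.0 Possible Sobig-F Virus - Please change subject
Sep  4 22:48:01 mx1 sendmail[26222]: h853m1b26222: ruleset=check_mail, arg1=<a@nowhere.invalid>, relay=[203.0.113.5], reject=553 5.1.8 <a@nowhere.invalid>... Domain of sender address a@nowhere.invalid does not exist
Sep  4 22:48:09 mx1 sendmail[26230]: h853m9b26230: from=<user@example.org>, size=1432, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.org [203.0.113.20]
Sep  4 22:49:15 mx1 sendmail[26241]: h853nFb26241: ruleset=Check_subject, arg1=Details, relay=fake [203.0.113.99], reject=550 x, relay=cable-7.example.net [198.51.100.7], reject=550 5.0.0 Possible Sobig-F Virus - Please change subject
"""

# arg1 is greedy on purpose: it swallows everything up to the LAST ", relay=",
# which is the field sendmail itself wrote, not text copied from the Subject.
REJECT_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): "
    r"ruleset=(?P<ruleset>[^,]+), "
    r"arg1=(?P<arg1>.*), "
    r"relay=(?P<relay>.*?), "
    r"reject=(?P<reject>\d{3} .*)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_reject(line):
    """Return the fields of a ruleset reject line, or None for any other line."""
    m = REJECT_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    ips = IP_RE.findall(rec["relay"])
    # The bracketed address is what sendmail saw on the socket; the host name
    # in front of it comes from reverse DNS and is not trustworthy.
    rec["ip"] = ips[-1] if ips else rec["relay"]
    return rec


def tally_rejects(lines, ruleset="Check_subject"):
    """Count rejects from one ruleset per relay address and per subject."""
    by_ip, by_subject = Counter(), Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec is None or rec["ruleset"] != ruleset:
            continue
        by_ip[rec["ip"]] += 1
        by_subject[rec["arg1"]] += 1
    return by_ip, by_subject


def heavy_hitters(by_ip, threshold):
    """Relays at or above the threshold, busiest first."""
    return [(ip, n) for ip, n in by_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    by_ip, by_subject = tally_rejects(SAMPLE_LOG.splitlines())
    for ip, n in heavy_hitters(by_ip, threshold=3):
        print(f"{ip}\t{n} rejects")
    for subject, n in by_subject.most_common():
        print(f"{n}\t{subject!r}")
```

The per-subject counts also show which of the blocked subject strings are actually being hit, which helps when deciding whether a broad pattern such as "Details" is worth its false-positive risk.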
From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:19:47 2006 Subject: Feature request In-Reply-To: Message-ID: This still does not allow rules based on Subject field (rules take only To and From field from the envelope). Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby Sent: Friday, September 05, 2003 8:29 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Feature request What version are you using? It was recently added in the latest revs Notify Senders Of Blocked Filenames Or Filetypes = yes -----Original Message----- From: S Mohan [mailto:smohan@VSNL.COM] Sent: Thursday, September 04, 2003 10:56 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Feature request This feature request culminated from the Sobig virus experience. MS caught Sobig using filename checks even though the scanners were a little late in coming up with a fix. This sent out notification messages. Even though I did not get the virus, I got a load of notification messages. I did not want to turn notification/deliver disinfected message off lest I miss some other stuff. The ruleset of Silent virus does not apply to filename checks. It would be great if the ruleset engine can allow usage of other headers. E.g. Subject and X-MailScanner. Subject contains "details" and X-Mailscanner contains "found to be infected" action- do not notify default notify. AFAIK, this is not possible currently. Am I right? Regards Mohan From jrudd at UCSC.EDU Fri Sep 5 06:23:32 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:19:47 2006 Subject: Sobig.F resurgence In-Reply-To: Message-ID: <1707FBA8-DF61-11D7-B2D5-003065F939FE@ucsc.edu> I was the original author, and I'm still using sendmail 8.10.something. So I would expect it would work on 8.11.x. On Thursday, Sep 4, 2003, at 20:38 US/Pacific, Nathan Johanson wrote: > > Actually, I remember seeing this but glossed over it for some > reason. > Do you know if this will work specifically in only certain Sendmail > versions... We're a little outdated with Sendmail 8.11.6, but would > love > to utilize it. > > Nathan > > -----Original Message----- 
> From: Mike Kercher [mailto:mike@CAMAROSS.NET] > Sent: Thursday, September 04, 2003 8:40 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sobig.F resurgence > > > In sendmail.mc, I added this:
>
> LOCAL_RULESETS
>
> # Reject all mail with Sobig subjects.
> HSubject: $>Check_subject
> D{Msobig1}That movie
> D{Msobig2}Wicked screensaver
> D{Msobig3}Your application
> D{Msobig4}Approved
> D{Msobig5}My details
> D{Msobig6}Details
> D{Msobig7}Thank you!
> D{Msobig8}Returned mail: see transcript for details
> D{Mmsg} Possible Sobig-F Virus - Please change subject
>
> SCheck_subject
> R${Msobig1} $*	$#error $: 550 ${Mmsg}
> RRE: ${Msobig1} $*	$#error $: 550 ${Mmsg}
> R${Msobig2} $*	$#error $: 550 ${Mmsg}
> RRE: ${Msobig2} $*	$#error $: 550 ${Mmsg}
> R${Msobig3} $*	$#error $: 550 ${Mmsg}
> RRE: ${Msobig3} $*	$#error $: 550 ${Mmsg}
> R${Msobig4} $*	$#error $: 550 ${Mmsg}
> RRE: ${Msobig4} $*	$#error $: 550 ${Mmsg}
> R${Msobig5} $*	$#error $: 550 ${Mmsg}
> RRE: ${Msobig5} $*	$#error $: 550 ${Mmsg}
> R${Msobig6} $*	$#error $: 550 ${Mmsg}
> RRE: ${Msobig6} $*	$#error $: 550 ${Mmsg}
> R${Msobig7} $*	$#error $: 550 ${Mmsg}
> RRE: ${Msobig7} $*	$#error $: 550 ${Mmsg}
> R${Msobig8} $*	$#error $: 550 ${Mmsg}
> RRE: ${Msobig8} $*	$#error $: 550 ${Mmsg}
>
> This was suggested on the list several days back and has been working very well. > May I remind you that the white gaps in text above are tabs and not simply spaces. > Run your .mc through m4 and then restart MailScanner. > > Mike > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf > Of Nathan Johanson > Sent: Thursday, September 04, 2003 10:25 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sobig.F resurgence > > > Mike, > > Just curious... > What Sendmail rule are you using to block them? > We've been rejecting the most offending IP addresses with the access > database, but as you might expect... It's a little like a moving > target. > > Nathan > > -----Original Message----- > From: Mike Kercher [mailto:mike@CAMAROSS.NET] > Sent: Thursday, September 04, 2003 8:19 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sobig.F resurgence > > > The flow here has been trickling but steady. I am blocking LOTS of > them > with a sendmail rule though, so they never even make it to MailScanner. > > Mike > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf > Of David Hooton > Sent: Thursday, September 04, 2003 10:02 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Sobig.F resurgence > > > Hi All, > > A little off topic, but we've started noticing about a 10 fold increase > in > Sobig.F traffic over the last 48 hours. > > Is anyone else noticing this? > -- > Regards, > > David Hooton > Senior Partner > Platform Hosting > 1300 85 HOST > www.platformhosting.com > > > ======================================================================= > = > This message has been scanned for viruses and unsafe content by > Platform Mail Security > > To report SPAM forward the message to: spam@mailsecurity.net.au > To report incorrectly tagged messages: notspam@mailsecurity.net.au > > Platform Mail Security www.mailsecurity.net.au > Platform Hosting www.platformhosting.com > > ======================================================================= > = From lance at WARE.NET Fri Sep 5 06:51:56 2003 
From: lance at WARE.NET (Lance Ware) Date: Thu Jan 12 21:19:47 2006 Subject: Virus scanning/updates (clam) not happening after upgrade to 4.23-11 Message-ID: <200309050552.h855qor15702@ori.rl.ac.uk> Hi folks, I'm scratching my head. I recently upgraded from 4.22-5 to 4.23-11 and I seem to have lost my virus scanning and updates. Any hints or tips? My upgrade process including building a new box and moving my config files over. Thanks. Lance -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030904/39165847/attachment.html From Kevin.Spicer at BMRB.CO.UK Fri Sep 5 08:28:17 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:47 2006 Subject: MailScanner Error Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496A4@pascal.priv.bmrb.co.uk> Errol Neal wrote: > Hi all, > > I just had a problem with my MailScanner that I fixed. I think this > should be added to the FAQ or something Then add it, the FAQ is user editable. ;) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From brose at MED.WAYNE.EDU Fri Sep 5 03:58:48 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:19:47 2006 Subject: Feature request Message-ID: What version are you using? It was recently added in the latest revs Notify Senders Of Blocked Filenames Or Filetypes = yes -----Original Message----- 
From: S Mohan [mailto:smohan@VSNL.COM] Sent: Thursday, September 04, 2003 10:56 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Feature request This feature request culminated from the Sobig virus experience. MS caught Sobig using filename checks even though the scanners were a little late in coming up with a fix. This sent out notification messages. Even though I did not get the virus, I got a load of notification messages. I did not want to turn notification/deliver disinfected message off lest I miss some other stuff. The ruleset of Silent virus does not apply to filename checks. It would be great if the ruleset engine can allow usage of other headers. E.g. Subject and X-MailScanner. Subject contains "details" and X-Mailscanner contains "found to be infected" action- do not notify default notify. AFAIK, this is not possible currently. Am I right? Regards Mohan From rc at ITSS.NERC.AC.UK Fri Sep 5 08:48:46 2003 From: rc at ITSS.NERC.AC.UK (Ron Campbell) Date: Thu Jan 12 21:19:47 2006 Subject: Bounce messages - a warning Message-ID: <3F583FDE.4050602@itss.nerc.ac.uk> We had an unpleasant experience this week when one of our mail relays got into SPAMCOP. It turned out this was due to "bounce messages" (non-existent users etc) hitting their spam-traps (whatever they are ?) It emerged that their system ignores delivery failure notices if they have the following line in their headers - Content-type: multipart/report; report-type=delivery-status; This may be common knowledge to some people, but it was a new one on me !! Cheers ... Ron From mailscanner at ecs.soton.ac.uk Fri Sep 5 08:54:50 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: RPM Install - Compile Only In-Reply-To: <95B481BA6D181A4685081D263BF9A13A195E9E@mail.foundation.sds u.edu> Message-ID: <5.2.0.9.2.20030905085356.060b2838@imap.ecs.soton.ac.uk> At 05:24 05/09/2003, you wrote: >Is there a way to run install.sh and have it stop once everything is >compiled, and then run install.sh which will then just install >MailScanner without needing to compile it? I need to install >MailScanner on quite a few identical machines, and it takes a long time >for everything to compile compared to how long it should take just to >install it. No, you can't do it that way as some of the modules have to be installed before other modules will compile. If you want to speed it up, remove the "sleep" statements. Then it goes *much* faster, just you don't get much of a chance to see what happened. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Sep 5 08:46:03 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: MailScanner+PostFix ---- try this In-Reply-To: <229A346E44379140A59A48951B56E0C07A7E32@ARLABML01.DS.ARL.AR MY.MIL> Message-ID: <5.2.0.9.2.20030905084521.049f7ff8@imap.ecs.soton.ac.uk> All it made happen was that it wouldn't process a message until it had sat in the deferred queue for 3 seconds, it should still process them all but with a 3 second latency. Try reducing the 3 to 1 and see if that helps at all. At 21:54 04/09/2003, you wrote: >For me this seemed to cause lots of messages to get stuck in the >incoming deferred queue. There would be 200 or so messages in the >queue, but Mailscanner would only process 1 or 2 messages in each batch. >Once I removed the patch, it immediately processed all of the queued >messages in batches of 30. > > >Howard > > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, September 04, 2003 6:45 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner+PostFix ---- try this > > >Here's a patch to Postfix.pm. I know it's not exactly a neat solution to >the problem, but if it fixes it I will know I have found the problem. > >--- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 >+++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 >@@ -1132,6 +1132,9 @@ > #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; > while(defined($file = shift @SortedFiles) && > $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { >+ # Yes I know this is a hack but it will help isolate the >problem >+ next if $ModDate{$file} > time-3; >+ > # must separate next two lines or $1 gets re-tainted by being >part of > # same expression as $file [mumble mumble grrr mumble mumble] > #print STDERR "Reading file $file from list\n"; > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Sep 5 09:04:52 2003 
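Review bot: the added `next if $ModDate{$file} > time-3;` at the top of the while loop hard-codes the settle time as a bare 3 and skips young files without leaving any trace. The file has already been shifted off @SortedFiles at that point, so a skipped message has to wait for a later pass over the queue; the delay would be better as a named, configurable value, and a debug line in the style of the commented-out `print STDERR` calls around it would show how many files each pass leaves behind. A file whose modification time lies in the future also fails this test on every pass until the clock catches up, which is worth guarding against or at least stating in the comment.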
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: Bounce messages - a warning In-Reply-To: <3F583FDE.4050602@itss.nerc.ac.uk> Message-ID: <5.2.0.9.2.20030905090352.04071ec0@imap.ecs.soton.ac.uk> I never use spamcop at all. Loads of people have reported that they will happily add any mail server listed in the headers of a message sent to them, whether the relaying was on their host or not. And it's very difficult to get off their list as well. It's one of the less useful lists. At 08:48 05/09/2003, you wrote: >We had an unpleasant experience this week when one of our mail relays >got into SPAMCOP. It turned out this was due to "bounce messages" >(non-existent users etc) hitting their spam-traps (whatever they are ?) > >It emerged that their system ignores delivery failure notices if they >have the following line in their headers - > >Content-type: multipart/report; report-type=delivery-status; > > >This may be common knowledge to some people, but it was a new one >on me !! > > > Cheers ... Ron -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Sep 5 08:53:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: Virus scanning/updates (clam) not happening after upgrade to 4.23-11 In-Reply-To: <200309050552.h855qor15702@ori.rl.ac.uk> Message-ID: <5.2.0.9.2.20030905085219.03f0cfd8@imap.ecs.soton.ac.uk> Look in /etc/MailScanner/lib and rename all the ".rpmnew" files over the top of your modified files. Then if you have the scanner installed in a non-default location (which is probably why you edited the scripts in the first place), edit /etc/MailScanner/virus.scanners.conf and fix the paths in there. I have moved all the configuration out of the scripts and into virus.scanners.conf to make things neater. At 06:51 05/09/2003, you wrote: >Hi folks, > > > >Im scratching my head. I recently upgraded from 4.22-5 to 4.23-11 and I >seem to have lost my virus scanning and updates. > > > >Any hints or tips? > > > >My upgrade process including building a new box and moving my config files >over. > > > >Thanks. > > > >Lance > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Sep 5 09:59:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: Long time! A few questions when you have a minute... In-Reply-To: Message-ID: <5.2.0.9.2.20030905095812.03f7d8d8@imap.ecs.soton.ac.uk> At 10:38 04/09/2003, you wrote: >One thing I wanted to check with you is I wondered if you considered >making it possible to configure via filename/type rules which files to >delete and which to quarantine. The reason why I ask is that in the midst >of the Sobig excitement I actually had a partition fill due to mainly the >quarantined copies of the virus. Of course I removed a lot of this but I >thought that it might be useful to have a rule that prevented MailScanner >from saving .pif files for example, that are almost never anything but >viruses. Not a big deal but thought I'd mention it. Try out www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.24-1.tar.gz or www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.24-1.rpm.tar.gz or www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.24-1.suse.tar.gz It seems to work just fine for me. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Fri Sep 5 10:11:01 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:47 2006 Subject: Sobig.F resurgence In-Reply-To: Message-ID: Hi! > What Sendmail rule are you using to block them? > We've been rejecting the most offending IP addresses with the access > database, but as you might expect... It's a little like a moving target.

#
LOCAL_RULESETS
#
HSubject: $>Check_Subject
D{SobigPattern1}Re: That movie
D{SobigPattern2}Re: Wicked screensaver
D{SobigPattern3}Re: Your application
D{SobigPattern4}Re: Approved
D{SobigPattern5}Re: Re: My details
D{SobigPattern6}Re: Thank you!
D{SobigPattern7}Re: Details
D{SobigPattern8}Your details
D{SobigPattern9}Thank you!
D{SobigPattern10}Use this patch immediately !
D{SobigMesg}Hernoem het onderwerp van deze e-mail en stuur deze opnieuw. De omschrijving duidt mogelijk op een virus en is geblokkeerd. Please re-phrase the subject of this message and try again - Possible worm - BLOCKED - See http://www.multikabel.nl/viruswarning
SCheck_Subject
R${SobigPattern1}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern2}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern3}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern4}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern5}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern6}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern7}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern8}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern9}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern10}	$#error $@ 5.7.1 $: ${SobigMesg}

Bye, Raymond. From shrek-m at GMX.DE Fri Sep 5 10:01:50 2003 
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:19:47 2006 Subject: "Virus Scanners=" --> DOS-attack Message-ID: <3F5850FE.50307@gmx.de> hi, with the wrong setting "Virus Scanners=" instead of "Virus Scanners = none" mailscanner begins a DOS-attack with the correct setting eg. "none" or "sophos" mailscanner is working correctly. is this reproducible on other systems? $ rpm -q mailscanner mailscanner-4.22-5 $ cat /etc/redhat-release Red Hat Linux release 8.0 (Psyche) - check your av-wrapper, eg. $ /usr/lib/MailScanner/sophos-wrapper /data4/doku/viren/eicar >>> Virus 'EICAR-AV-Test' found in file /data4/doku/viren/eicar 1 file swept in 0 seconds. 1 virus was discovered. 1 file out of 1 was infected. - set "Virus Scanners =" $grep "Virus Scanners" /etc/MailScanner/MailScanner.conf # then set "Virus Scanners = none" instead. # Virus Scanners = sophos f-prot mcafee ##Virus Scanners = none ##Virus Scanners = sophos Virus Scanners = - # service MailScanner restart - send *1* infected email (or spam?) for testing to an local user-account - the hdd begins immediately a never ending work - wait a short time - # service MailScanner stop - the system calms down - check your mailbox Message 1842: From postmaster@xp1800.localdomain Fri Sep 5 10:05:02 2003 Date: Fri, 5 Sep 2003 10:05:02 +0200 
From: "MailScanner" To: postmaster@xp1800.localdomain Subject: {Virus?} Warning: E-mail viruses detected X-MailScanner-Information: Please contact the ISP for more information X-MailScanner: Found to be infected Content-Type: text/plain; charset="us-ascii"; name="VirusWarning.txt" Content-Disposition: inline; filename="VirusWarning.txt" Content-Transfer-Encoding: quoted-printable This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "the entire message" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Fri Sep 5 10:05:02 2003 the virus scanner said: Denial of Service attack in message! Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quaran= tine/20030905 (message h85852wQ002545). --=20 Postmaster Mailscanner thanks transtec Computers for their support -- shrek-m From raymond at PROLOCATION.NET Fri Sep 5 10:12:09 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:47 2006 Subject: Sobig.F resurgence In-Reply-To: Message-ID: Hi! > Actually, I remembering seeing this but glossed over it for some reason. > Do you know if this will work specifically in only certain Sendmail > versions... We're a little outdated with Sendmail 8.11.6, but would love > to utilize it. Should work. Bye, Raymond. From David.While at UCE.AC.UK Fri Sep 5 10:13:42 2003 
From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:19:47 2006 Subject: ANNOUNCE: mailstats v0.24 Message-ID: <107DE25EC0216C45AEF670016024245F6F1C@exchangea.staff.uce.ac.uk> I have just released V0.24 of mailstats.pl - this includes the facility to add persistent virus senders to the access list. At the moment it uses the same criteria as spam but I will be lookign at providing separate values for the two in a later version. NOTE: it currently requires Tony's patch detailed in http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0309&L=mailscanner&T=0&F=&S=&P=9827 to provide the log file entries. Once Julian releases the next version of MailScanner then this is incorporated. Download as usual from http://www.while.homeunix.net/mailstats/ ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/3bb308ba/attachment.html From mailscanner at ecs.soton.ac.uk Fri Sep 5 10:16:44 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: "Virus Scanners=" --> DOS-attack In-Reply-To: <3F5850FE.50307@gmx.de> Message-ID: <5.2.0.9.2.20030905101121.05df6cd8@imap.ecs.soton.ac.uk> It's hardly a DoS attack, it's a case of me not checking the configuration well enough. DoS attacks are generally attacks coming from outside. There are a million packages that don't work well if you configure them wrong. Setting up software wrong is not an "attack" of any sort, it's a screw-up by the admin. Anyway, the patch to add more checking is this: --- SweepViruses.pm.old 2003-09-04 15:50:05.000000000 +0100 +++ SweepViruses.pm 2003-09-05 10:16:54.000000000 +0100 
@@ -573,6 +571,7 @@ $scannerlist = MailScanner::Config::Value('virusscanners'); $scannerlist =~ tr/,//d; + $scannerlist = "none" unless $scannerlist; # Catch empty setting @scanners = split(" ", $scannerlist); $counter = 0; At 10:01 05/09/2003, you wrote: >hi, > > >with the wrong setting "Virus Scanners=" >instead "Virus Scanners = none" >mailscanner begins a DOS-attack No, it stops working because you broke it. >with the correct seeting eg. "none" or "sophos" >mailscanner is working correct. > > > >is this reproducable on other sytems? > > > > >$ rpm -q mailscanner >mailscanner-4.22-5 >$ cat /etc/redhat-release >Red Hat Linux release 8.0 (Psyche) > > >- check your av-wrapper, eg. > >$ /usr/lib/MailScanner/sophos-wrapper /data4/doku/viren/eicar > >>> Virus 'EICAR-AV-Test' found in file /data4/doku/viren/eicar >1 file swept in 0 seconds. >1 virus was discovered. >1 file out of 1 was infected. > > >- set "Virus Scanners =" > >$grep "Virus Scanners" /etc/MailScanner/MailScanner.conf ># then set "Virus Scanners = none" instead. ># Virus Scanners = sophos f-prot mcafee >##Virus Scanners = none >##Virus Scanners = sophos >Virus Scanners = > > > >- # service MailScanner restart >- send *1* infected email (or spam?) for testing to an local user-account >- the hdd begins immediately a never ending work >- wait a short time >- # service MailScanner stop >- the system calmes down >- check your mailbox > > > >Message 1842: > From postmaster@xp1800.localdomain Fri Sep 5 10:05:02 2003 >Date: Fri, 5 Sep 2003 10:05:02 +0200 
>From: "MailScanner" >To: postmaster@xp1800.localdomain >Subject: {Virus?} Warning: E-mail viruses detected >X-MailScanner-Information: Please contact the ISP for more information >X-MailScanner: Found to be infected > >Content-Type: text/plain; charset="us-ascii"; name="VirusWarning.txt" >Content-Disposition: inline; filename="VirusWarning.txt" >Content-Transfer-Encoding: quoted-printable > >This is a message from the MailScanner E-Mail Virus Protection Service >---------------------------------------------------------------------- >The original e-mail attachment "the entire message" >was believed to be infected by a virus and has been replaced by this warning >message. > >If you wish to receive a copy of the *infected* attachment, please >e-mail helpdesk and include the whole of this message >in your request. Alternatively, you can call them, with >the contents of this message to hand when you call. > >At Fri Sep 5 10:05:02 2003 the virus scanner said: > Denial of Service attack in message! > >Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quaran= >tine/20030905 (message h85852wQ002545). >--=20 >Postmaster >Mailscanner thanks transtec Computers for their support > > > > >-- >shrek-m -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From P.G.M.Peters at utwente.nl Fri Sep 5 12:07:51 2003 
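Review bot: the added guard, $scannerlist = "none" unless $scannerlist;, tests the raw string before the split, so a "Virus Scanners" value made up only of whitespace is still true in Perl and passes through; split(" ", $scannerlist) then returns an empty @scanners, which is presumably the state the guard is meant to catch. Testing the result instead, for example @scanners = ("none") unless @scanners; placed after the split, covers the empty, comma-only and whitespace-only cases with one check. Whether the configuration reader already trims the value is not visible in this hunk.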
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:19:47 2006 Subject: Bounce messages - a warning In-Reply-To: <5.2.0.9.2.20030905090352.04071ec0@imap.ecs.soton.ac.uk> References: <3F583FDE.4050602@itss.nerc.ac.uk> <5.2.0.9.2.20030905090352.04071ec0@imap.ecs.soton.ac.uk> Message-ID: On Fri, 5 Sep 2003 09:04:52 +0100, you wrote: >I never use spamcop at all. Loads of people have reported that they will >happily add any mail server listed in the headers of a message sent to >them, whether the relaying was on their host or not. And it's very >difficult to get off their list as well. It's one of the less useful lists. But other people do and you could be blocked. As far as I know you can get on their list and you will be automatically deleted when (in a certain timeframe) your IP-address does not come up again. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From shrek-m at GMX.DE Fri Sep 5 12:11:34 2003 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:19:47 2006 Subject: "Virus Scanners=" --> DOS-attack In-Reply-To: <5.2.0.9.2.20030905101121.05df6cd8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030905101121.05df6cd8@imap.ecs.soton.ac.uk> Message-ID: <3F586F66.9060901@gmx.de> Julian Field wrote: > It's hardly a DoS attack, it's a case of me not checking the > configuration > well enough. DoS attacks are generally attacks coming from outside. There > are a million packages that don't work well if you configure them wrong. > Setting up software wrong is not an "attack" of any sort, it's a screw-up > by the admin. > > Anyway, the patch to add more checking is this: > > --- SweepViruses.pm.old 2003-09-04 15:50:05.000000000 +0100 > +++ SweepViruses.pm 2003-09-05 10:16:54.000000000 +0100 
> @@ -573,6 +571,7 @@ > > $scannerlist = MailScanner::Config::Value('virusscanners'); > $scannerlist =~ tr/,//d; > + $scannerlist = "none" unless $scannerlist; # Catch empty setting > @scanners = split(" ", $scannerlist); > $counter = 0; thanks, solved. # pwd /usr/lib/MailScanner/MailScanner # diff -Naur SweepViruses.pm.old SweepViruses.pm --- SweepViruses.pm.old 2003-09-05 11:37:14.000000000 +0200 +++ SweepViruses.pm 2003-09-05 12:32:31.000000000 +0200 @@ -538,6 +538,7 @@ $scannerlist = MailScanner::Config::Value('virusscanners'); $scannerlist =~ tr/,//d; + $scannerlist = "none" unless $scannerlist; # Catch empty setting @scanners = split(" ", $scannerlist); $counter = 0; > At 10:01 05/09/2003, you wrote: > >> [...] If you wish to receive a copy of the *infected* attachment, please >> e-mail helpdesk and include the whole of this message >> in your request. Alternatively, you can call them, with >> the contents of this message to hand when you call. >> >> At Fri Sep 5 10:05:02 2003 the virus scanner said: >> Denial of Service attack in message! > no "DOS attack" with misconfigured "Virus Scanners=" ;-) >> >> >> Note to Help Desk: Look on the MailScanner in >> /var/spool/MailScanner/quaran= >> tine/20030905 (message h85852wQ002545). >> --=20 >> Postmaster >> Mailscanner thanks transtec Computers for their support >> >> > -- shrek-m From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 12:11:46 2003 
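Review bot: in the line added after the tr/,//d, an empty "Virus Scanners" value is silently rewritten to "none", so a typing slip in MailScanner.conf ends with no virus scanner in use and nothing in the log to show it. Suggest writing a log warning at that point that the setting was empty and that "none" is being assumed, so the admin notices the misconfiguration instead of running unscanned.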
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:47 2006 Subject: Bounce messages - a warning In-Reply-To: References: <3F583FDE.4050602@itss.nerc.ac.uk> <5.2.0.9.2.20030905090352.04071ec0@imap.ecs.soton.ac.uk> Message-ID: <200309051111.h85BBo500654@onyx.rockstone.co.uk> On Friday 05 September 2003 12:07 pm, Peter Peters wrote: > On Fri, 5 Sep 2003 09:04:52 +0100, you wrote: > >I never use spamcop at all. Loads of people have reported that they will > >happily add any mail server listed in the headers of a message sent to > >them, whether the relaying was on their host or not. And it's very > >difficult to get off their list as well. It's one of the less useful > > lists. > > But other people do and you could be blocked. This, IMHO, is a good reason to discourage other people from using it. Antony. -- If at first you don't succeed, destroy all the evidence that you tried. From gerry at DORFAM.CA Fri Sep 5 12:56:54 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:19:47 2006 Subject: Virus scanning/updates (clam) not happening after upgrade to 4.23-11 In-Reply-To: <200309050552.h855qor15702@ori.rl.ac.uk> Message-ID: You really shouldn't post using html. What virus scanner are you using? -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From steve.freegard at LBSLTD.CO.UK Fri Sep 5 13:08:47 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:19:47 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
Message-ID: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk>

Hi all,

I've (finally!) released a beta of 0.3 - you can download it from
http://www.sourceforge.net/projects/mailwatch

If you haven't already noticed - the project has been moved to Sourceforge,
so I encourage everyone who uses MailWatch to sign-up for the Mailing Lists
that are available and to use the other features such as the Feature
Requests, Bug Tracking, Forums and Patches from this point onward.

Changes in this release:

- New MailWatch.pm file that contains the MailWatch SQL Logging code.
- Changed the SQL Logging procedure names from SQLLogging to
  MailWatchLogging to save confusion as to which versions people are using.
- Updated MailWatchLogging procedures to better handle MySQL death and
  subsequent restart without needing to restart MailScanner.
- Message headers now displayed on the Message Detail page.
- OpenRBL lookup address fixed (OpenRBL had updated their site).
- Spam Action(s) displayed next to Spam/High Scoring Spam on the Message
  Detail page.
- New 'Quarantine Manager' allows quarantined messages to be released to
  recipient(s), deleted or learnt/unlearnt by SpamAssassin as Spam or Ham.
- Major speed-ups on page display.
- Added extra Virus regular expressions and modified the existing to drop
  the requirement of 'Include Scanner Name in Reports' in MailScanner.conf.
- New Sendmail inbound/outbound queue display.
- Fixed the display of the 'Blocked Files' percentage in Today's Totals.
- Fixed the volume display in the reports to use the average over the
  reporting period e.g. if you receive 500Mb of mail on average per day but
  you occasionally spike at 1Gb - the reports will display the volume in Mb.
- Added new 'MySQL status' page to the 'Other' page.
- Fixed 'SpamAssassin Rule Hits' report not displaying any data under some
  installations of MailScanner.
- New reports 'Top Mail Relays' and 'Top Sender Domains by Quantity/Volume'.
- Added 'hostname' to the list of available filters to allow people with
  multiple scanners to report only on a specific one.

Kind regards,
Steve

--
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by
MailScanner (www.mailscanner.info) for the presence of computer viruses.

From mike at CAMAROSS.NET Fri Sep 5 13:30:27 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: RPM Install - Compile Only
In-Reply-To: <95B481BA6D181A4685081D263BF9A13A195E9E@mail.foundation.sdsu.edu>
Message-ID: <00e101c373a9$7dc251a0$640ba8c0@home.middlefinger.net>

If the machines are identical, I'd run install.sh on one machine and then
copy the newly compiled rpm's out of /usr/src/... and install them on the
other machines without using the install.sh.

After that, you should be able to install the mailscanner.rpm

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Evans
Sent: Thursday, September 04, 2003 11:24 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: RPM Install - Compile Only

Is there a way to run install.sh and have it stop once everything is
compiled, and then run install.sh which will then just install MailScanner
without needing to compile it? I need to install MailScanner on quite a few
identical machines, and it takes a long time for everything to compile
compared to how long it should take just to install it.

Steve Evans
SDSU Foundation

From KCollins at NESBITTENGINEERING.COM Fri Sep 5 13:27:25 2003
From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin) Date: Thu Jan 12 21:19:47 2006 Subject: test Message-ID: <2B1F39EA56FA7643A328F66521D41B760D3F@magellan.nesbitt.local> I'm having trouble posting to the list - I'm trying a test. -- Kevin L. Collins, MCSE Systems Manager Nesbitt Engineering, Inc. From Chris.Campbell at FAC.COM Fri Sep 5 13:33:15 2003 
From: Chris.Campbell at FAC.COM (Chris Campbell) Date: Thu Jan 12 21:19:47 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta Message-ID: Very nice... I *finally* got it hacked up enough to work on rh 7.2 and rh 7.3 (I was getting the same mysql server died error these bsd kids were getting) But, here is a question for you.... What are the odds we can grab and insert into the sql db the sendmail relay log......and the status..... I am looking for the relay part and whether is was Sent, Queued, etc..... ..................................... Christopher S. Campbell UNIX Admin First Albany Corp 518.447.8544 chris.campbell@fac.com Steve Freegard cc: Sent by: Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta MailScanner mailing list 09/05/03 08:08 AM Please respond to MailScanner mailing list Hi all, I've (finally!) released a beta of 0.3 - you can download it from http://www.sourceforge.net/projects/mailwatch If you haven't already noticed - the project has been moved to Sourceforge, so I encourage everyone who uses MailWatch to sign-up for the Mailing Lists that are available and to use the other features such as the Feature Requests, Bug Tracking, Forums and Patches from this point onward. Changes in this release: - New MailWatch.pm file that contains the MailWatch SQL Logging code. - Changed the SQL Logging procedure names from SQLLogging to MailWatchLogging to save confusion as to which versions people are using. - Updated MailWatchLogging procedures to better handle MySQL death and subsequent restart without needing to restart MailScanner. - Message headers now displayed on the Message Detail page. - OpenRBL lookup address fixed (OpenRBL had updated their site). - Spam Action(s) displayed next to Spam/High Scoring Spam on the Message Detail page. - New 'Quarantine Manager' allows quarantined messages to be released to recipient(s), deleted or learnt/unlearnt by SpamAssassin as Spam or Ham. - Major speed-ups on page display. 
- Added extra Virus regular expressions and modified the existing to drop the requirement of 'Include Scanner Name in Reports' in MailScanner.conf. - New Sendmail inbound/outbound queue display. - Fixed the display of the 'Blocked Files' percentage in Today's Totals. - Fixed the volume display in the reports to use the average over the reporting period e.g. if you receive 500Mb of mail on average per day but you occasionally spike at 1Gb - the reports will display the volume in Mb. - Added new 'MySQL status' page to the 'Other' page. - Fixed 'SpamAssassin Rule Hits' report not display any data under some installations of MailScanner. - New reports 'Top Mail Relays' and 'Top Sender Domains by Quantity/Volume'. - Added 'hostname' the the list of available filters to allow people with multiple scanners report only on a specific one. Kind regards, Steve -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From rich at MAIL.WVNET.EDU Fri Sep 5 13:46:13 2003 
From: rich at MAIL.WVNET.EDU (Richard Lynch)
Date: Thu Jan 12 21:19:47 2006
Subject: Unusual error message from MailScanner
Message-ID: <1062765973.2171.13.camel@localhost.localdomain>

I'm getting an unusual error message in my maillog from MailScanner.

Sep 5 08:33:12 barney MailScanner[17513]: Commercial virus checker
failed with real error: Modification of a read-only value attempted at
/usr/lib/MailScanner/MailScanner/Log.pm line 103, line 1.

If I scan backward and find the preceding messages for pid 17513 I
find.

Sep 5 08:33:10 barney MailScanner[17513]: Virus and Content Scanning:
Starting
Sep 5 08:33:10 barney MailScanner[17513]:
/var/spool/MailScanner/incoming/17513/h84KAwCg01142
5/%nTips.bat Infection: W32/Klez.H@mm
Sep 5 08:33:10 barney MailScanner[17513]: Virus Scanning: F-Prot found
virus W32/Klez.H@mm
Sep 5 08:33:10 barney MailScanner[17513]: Virus Scanning: F-Prot found
1 infections

This is just one example. There are hundreds of them. I looked at
yesterday's log and there were some there too. I'm not sure how long
this has been going on. Other than the message things seem to be
running fine. Is this something to worry about? I'm running...

RedHat 7.3
mailscanner-4.22-5
spamassassin 2.55
f-prot 4.2.0, Mcafee 4.24.0, ClamAV-0.60

I'm also running incoming mounted on tmpfs.

--
Richard Lynch

From lists at MASONC.COM Fri Sep 5 13:58:42 2003
From: lists at MASONC.COM (Chris Mason) Date: Thu Jan 12 21:19:47 2006 Subject: Getting false virus reports Message-ID: <001901c373ad$6f335f40$7500a8c0@poseiden> I am getting a lot of shipping emails from buy.com since I have been doing a lot of shopping there lately, and each time I find the shipping notice in the spambox marked as a Virus. All buy.com mail is whitelisted. "At Thu Sep 4 21:35:18 2003 the virus scanner said: Found a form in HTML message" This seems to be a constant problem. Are we being overly cautious by blocking forms? If they are common doesn't it create a large problem? Chris Mason masonc@masonc.com Box 340, The Valley, Anguilla, British West Indies Yahoo IM: netconcepts_anguilla@yahoo.com 264 497-5670 Fax: 264 497-8463 www.netconcepts.ai From rob at thehostmasters.com Fri Sep 5 14:07:43 2003 From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:19:47 2006 Subject: WHy was this not caught?? References: <001901c373ad$6f335f40$7500a8c0@poseiden> Message-ID: <00bc01c373ae$b26d30f0$0a01a8c0@basement> Just wondering why this was not caught by MS, as it even says in the header "(may be forged)" I seem to be getting more and more spam now that is not caught even after adjusting my settings to 4 rather than 5 for a hit and deleting spam over a score of 10 Anything I am doing wrong or not doing? Any help appreciated... Thanks and have a great day/night or evening depending on where you are in the world.. :) see headers below of email received ----------------------------------------------------------------------- Return-Path: Received: from mg134046.user.veloxzone.com.br (MG134046.user.veloxzone.com.br [200.149.134.46] (may be forged)) by localhost.localdomain (8.12.8/8.12.5) with SMTP id h85Cxdkg022954 for ; Fri, 5 Sep 2003 08:59:43 -0400 Message-ID: 
From: "Leanne Bowers" Reply-To: "Leanne Bowers" To: rob@stupidguytalk.org Subject: Medical Breakthrough for MEN Today_0NLY! Date: Sat, 06 Sep 2003 07:49:14 +0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="B__.28_.E9_02.3F.EC_2F" X-MailScanner-Information: Please contact info@thehostmasters.com for more info X-MailScanner: Found to be clean X-UIDL: M`-!!U@/!!F~U"!cAM!! Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com From mailscanner at ecs.soton.ac.uk Fri Sep 5 14:15:02 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:48 2006 Subject: Unusual error message from MailScanner In-Reply-To: <1062765973.2171.13.camel@localhost.localdomain> Message-ID: <5.2.0.9.2.20030905141451.03f46560@imap.ecs.soton.ac.uk> Upgrade to 4.23-11 and this problem will disappear. At 13:46 05/09/2003, you wrote: >I'm getting an unusual error message in my maillog from MailScanner. > >Sep 5 08:33:12 barney MailScanner[17513]: Commercial virus checker >failed with real error: Modification of a read-only value attempted at >/usr/lib/MailScanner/MailScanner/Log.pm line 103, line 1. > >If I scan backward and find the preceding messages for pid 17513 I >find. > >Sep 5 08:33:10 barney MailScanner[17513]: Virus and Content Scanning: >Starting >Sep 5 08:33:10 barney MailScanner[17513]: >/var/spool/MailScanner/incoming/17513/h84KAwCg01142 >5/%nTips.bat Infection: W32/Klez.H@mm >Sep 5 08:33:10 barney MailScanner[17513]: Virus Scanning: F-Prot found >virus W32/Klez.H@mm >Sep 5 08:33:10 barney MailScanner[17513]: Virus Scanning: F-Prot found >1 infections > >This is just one example. There are hundreds of them. I looked at >yesterdays log and there were some there too. I'm not sure how long >this has been going on. Other than the message things seem to be >running fine. Is this something to worry about? I'm running... > >RedHat 7.3 >mailscanner-4.22-5 >spamassassin 2.55 >f-prot 4.2.0, Mcafee 4.24.0, ClamAV-0.60 > >I'm also running incomming mounted on tmpfs. > >-- >Richard Lynch -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Sep 5 14:16:09 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:48 2006 Subject: WHy was this not caught?? In-Reply-To: <00bc01c373ae$b26d30f0$0a01a8c0@basement> References: <001901c373ad$6f335f40$7500a8c0@poseiden> Message-ID: <5.2.0.9.2.20030905141546.042e26e0@imap.ecs.soton.ac.uk> There is a new release of SpamAssassin coming out shortly, give that a try and you should find the spam-spotting improves. At 14:07 05/09/2003, you wrote: >Just wondering why this was not caught by MS, as it even says in the header >"(may be forged)" > >I seem to be getting more and more spam now that is not caught even after >adjusting my settings to 4 rather than 5 for a hit and deleting spam over a >score of 10 > >Anything I am doing wrong or not doing? > >Any help appreciated... > >Thanks and have a great day/night or evening depending on where you are in >the world.. >:) > >see headers below of email received >----------------------------------------------------------------------- > > >Return-Path: >Received: from mg134046.user.veloxzone.com.br >(MG134046.user.veloxzone.com.br [200.149.134.46] (may be forged)) > by localhost.localdomain (8.12.8/8.12.5) with SMTP id h85Cxdkg022954 > for ; Fri, 5 Sep 2003 08:59:43 -0400 >Message-ID: >From: "Leanne Bowers" >Reply-To: "Leanne Bowers" >To: rob@stupidguytalk.org >Subject: Medical Breakthrough for MEN Today_0NLY! >Date: Sat, 06 Sep 2003 07:49:14 +0500 >MIME-Version: 1.0 >Content-Type: multipart/alternative; > boundary="B__.28_.E9_02.3F.EC_2F" >X-MailScanner-Information: Please contact info@thehostmasters.com for more >info >X-MailScanner: Found to be clean >X-UIDL: M`-!!U@/!!F~U"!cAM!! > > >Rob Charles >TheHostMasters >Montreal, Canada >514-846-0006 >Rob@TheHostMasters.com >http://www.TheHostMasters.com -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From sailer at BNL.GOV Fri Sep 5 14:35:58 2003 
From: sailer at BNL.GOV (Tim Sailer) Date: Thu Jan 12 21:19:48 2006 Subject: how to set up an RBL In-Reply-To: References: <200308281109.h7SB9Fk06653@camelot.blacknightsolutions.com> Message-ID: <20030905133558.GA19537@bnl.gov> I have a small RBL and domain, spambites.net. I am making it 'subscription' only, and it will be manually administered, as far as entries. Either a web form, or email submission. Entries will be 'expired' after so many days, depending on why it was entered (SPAM, open relay, etc). So, if any one is serious about this, I've got the framework in place. Tim On Thu, Aug 28, 2003 at 01:13:11PM +0200, Raymond Dijkxhoorn wrote: > Hi! > > > We might be interested in following suit, as the quantity of spam getting > > through recently is not acceptable (Spam Assasin keeps on timing out!) > > Its perhaps completely OT here, but why not combine forces? I am willing > to facilitate a couple of DNSes and we are with a lot of network guys > here, so we might do it right for once. > > We all try to fight spam, we all see the spammers comming in, so we only > need a interface to get things in. > > Are there people interested in that idea ? > > Bye, > Raymond. > -- Tim Sailer Information and Special Technologies Program Office of CounterIntelligence Brookhaven National Laboratory (631) 344-3001 From bp at LICENG.DK Fri Sep 5 14:44:47 2003 From: bp at LICENG.DK (Bjarke Pedersen) Date: Thu Jan 12 21:19:48 2006 Subject: Unsubscribe Message-ID: -- Bjarke Pedersen LICengineering A/S Ehlersvej 24 DK-2900 Hellerup Denmark +45 39 62 16 42 (voice) +45 39 62 54 80 (fax) From RKearney at AZERTY.COM Fri Sep 5 14:44:56 2003 
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:19:48 2006
Subject: Any Ideas on these rules
Message-ID: <210DF55DED65B547896F728FB057F3B2019C468E@seaver.ussco.com>

This might belong on the SA list, so lemme know if I should try there
instead.

We are running MS 4.21-9, SA 2.55

in spam.assassin.prefs.conf we have this set of rules to flag SoBig as
spam.

header __SOBIG_X X-MailScanner =~ /Found to be clean/
header __SOBIG_SUBJ1 Subject =~ /(?:Re\: Details|Re\: Re\: My details|Your details)/
header __SOBIG_SUBJ2 Subject =~ /(?:Re\: Thank you\!|Thank you\!)/
header __SOBIG_SUBJ3 Subject =~ /(?:Re\: Approved|Re\: That movie|Re\: Wicked screensaver|Re\: Your application)/
body __SOBIG_BODY /(?:See the attached file for details|Please see the attached file for details\.)/
meta SOBIG __SOBIG_X && (__SOBIG_SUBJ1 || __SOBIG_SUBJ2 || __SOBIG_SUBJ3) && __SOBIG_BODY
describe SOBIG Sobig virus
score SOBIG 20.0

For example.. here are the headers of a current sobig virus that got
through (our MS/SA gateway forwards to an Antivirus server which detects
anyways)
(with the received by headers and some stuff deleted to protect the innocent)

Message-Id: <200309051320.h85DJxHl008772@host.domain.com>
From:
To:
Subject: Re: Wicked screensaver
Date: Fri, 5 Sep 2003 10:14:01 --0300
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
X-COMPANY-MailScanner-Information: Please contact the Helpdesk for more information
X-COMPANY-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.2,
 required 5, MICROSOFT_EXECUTABLE 0.10, RAZOR2_CHECK 2.06)
X-COMPANY-MailScanner-SpamScore: ss

I doublechecked my mySQL database and can ensure that the rule stated above
is being used on some of these mails.

thanks,
-rob

From errol.neal at ENHTECH.COM Fri Sep 5 15:00:03 2003
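How the SOBIG meta rule in Rob Kearney's post combines its sub-rules, as an added example that is not part of the original post and is not SpamAssassin's own code: a simplified Python re-implementation run over the posted header sample. The function names, the constructed message bodies and the plain regex matching on raw header and body text are assumptions; SpamAssassin itself decodes and normalises a message before matching.

```python
import re
from email import message_from_string

# Sub-rules copied from the post: name -> (kind, header name, pattern).
SUBRULES = {
    "__SOBIG_X": ("header", "X-MailScanner", r"Found to be clean"),
    "__SOBIG_SUBJ1": ("header", "Subject",
                      r"(?:Re\: Details|Re\: Re\: My details|Your details)"),
    "__SOBIG_SUBJ2": ("header", "Subject",
                      r"(?:Re\: Thank you\!|Thank you\!)"),
    "__SOBIG_SUBJ3": ("header", "Subject",
                      r"(?:Re\: Approved|Re\: That movie|Re\: Wicked screensaver"
                      r"|Re\: Your application)"),
    "__SOBIG_BODY": ("body", None,
                     r"(?:See the attached file for details"
                     r"|Please see the attached file for details\.)"),
}
SOBIG_SCORE = 20.0  # "score SOBIG 20.0" in the post

# Header lines taken from the sample in the post (subset).
POSTED_HEADERS = (
    "Message-Id: <200309051320.h85DJxHl008772@host.domain.com>\n"
    "Subject: Re: Wicked screensaver\n"
    "Date: Fri, 5 Sep 2003 10:14:01 --0300\n"
    "X-MailScanner: Found to be clean\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n"
    "MIME-Version: 1.0\n"
)
# The post does not show a body, so both bodies are constructed samples.
BODY_MATCH = "Please see the attached file for details.\n"
BODY_OTHER = "See attached.\n"


def build(headers, body):
    """Join a header block and a body into one raw message."""
    return headers + "\n" + body


def subrule_hits(raw_message):
    """Evaluate every sub-rule; returns {rule name: True/False}."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # the samples are single-part text
    hits = {}
    for name, (kind, header, pattern) in SUBRULES.items():
        if kind == "header":
            # Only headers with exactly this name are looked at, so
            # X-COMPANY-MailScanner-* headers never satisfy __SOBIG_X.
            values = msg.get_all(header, [])
            hits[name] = any(re.search(pattern, v) for v in values)
        else:
            hits[name] = re.search(pattern, body) is not None
    return hits


def conjuncts(hits):
    """The three AND-ed parts of: meta SOBIG X && (S1 || S2 || S3) && BODY."""
    return {
        "__SOBIG_X": hits["__SOBIG_X"],
        "subject": (hits["__SOBIG_SUBJ1"] or hits["__SOBIG_SUBJ2"]
                    or hits["__SOBIG_SUBJ3"]),
        "__SOBIG_BODY": hits["__SOBIG_BODY"],
    }


def missing_conjuncts(raw_message):
    """Names of the conjuncts that keep the meta rule from firing."""
    parts = conjuncts(subrule_hits(raw_message))
    return [name for name, ok in parts.items() if not ok]


def score(raw_message):
    """20.0 when the meta rule fires, otherwise 0.0."""
    return 0.0 if missing_conjuncts(raw_message) else SOBIG_SCORE


if __name__ == "__main__":
    cases = {
        "posted headers, matching body": build(POSTED_HEADERS, BODY_MATCH),
        "posted headers, other body": build(POSTED_HEADERS, BODY_OTHER),
        "subject in upper case": build(
            POSTED_HEADERS.replace("Subject: Re:", "Subject: RE:"), BODY_MATCH),
        "no X-MailScanner header": build(
            POSTED_HEADERS.replace("X-MailScanner: Found to be clean\n", ""),
            BODY_MATCH),
    }
    for label, raw in cases.items():
        print(f"{label}: score={score(raw)} missing={missing_conjuncts(raw)}")
```

Because the three parts are AND-ed, a message with the listed subject and the X-MailScanner header still scores nothing when the body phrase differs, and the patterns are case-sensitive because none of them carries /i.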
From: errol.neal at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:19:48 2006 Subject: Concerns... Message-ID: <5.1.0.14.0.20030905095613.1002bbf8@mail.enhtech.com> Hi all, Can someone explain to me how a scenario like this would work... MailScanner begins to process a batch of 100 messages. It unpacks those messages say in /tmp in a directory 360. For some reason, I need to restart the MailScanner, possibly to make a config change or whatever however MailScanner is not finished processing those 100 messages it unpacked in the work directory. It is only say 20% done. Will MailScanner know that there are 80 messages waiting in the subdirectory 360 in its work directory? If so, how? Regards, Errol Neal Errol Neal, Systems/Network Administrator eneal@enhtech.com Enhanced Technologies Inc. http://www.enhtech.com 703-924-0301 or 800-368-3249 703-924-0302 Fax From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 15:02:35 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:48 2006 Subject: Any Ideas on these rules In-Reply-To: <210DF55DED65B547896F728FB057F3B2019C468E@seaver.ussco.com> References: <210DF55DED65B547896F728FB057F3B2019C468E@seaver.ussco.com> Message-ID: <200309051402.h85E2d502222@onyx.rockstone.co.uk> On Friday 05 September 2003 2:44 pm, Kearney, Rob wrote: > This might belong on the SA list, so lemme know if I should try there > instead. > > We are running MS 4.21-9, SA 2.55 > > in spam.assassin.prefs.conf we have this set of rules to flag SoBig as > spam. > > header __SOBIG_X X-MailScanner =~ /Found to be clean/ Please don't create an SA rule to label emails which have been scanned by MailScanner (in its default configuration) as spam. PLEASE do not post anything like this to the SA mailing list - people will use it without understanding the significance of what they are using. Regards, Antony. -- Mahatma Gandhi was once asked what he thought of Western Civilisation. He replied, "That would be a very good idea." From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 15:04:45 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:48 2006
Subject: Concerns...
In-Reply-To: <5.1.0.14.0.20030905095613.1002bbf8@mail.enhtech.com>
References: <5.1.0.14.0.20030905095613.1002bbf8@mail.enhtech.com>
Message-ID: <200309051404.h85E4n502249@onyx.rockstone.co.uk>

On Friday 05 September 2003 3:00 pm, Errol Neal wrote:

> Hi all,
>
> Can someone explain to me how a scenario like this would work...
>
> MailScanner begins to process a batch of 100 messages. It unpacks those
> messages say in /tmp in a directory 360.
> For some reason, I need to restart the MailScanner, possibly to make a
> config change or whatever however MailScanner is not finished processing
> those 100 messages it unpacked in the work directory. It is only say 20%
> done. Will MailScanner know that there are 80 messages waiting in the
> subdirectory 360 in its work directory?

No. When you restart MailScanner it will find the batch of 100 unprocessed
messages and start processing them again.

Only messages which have been completely processed and removed from the input
queue will go unseen by MailScanner the second time around.

Regards,

Antony.

--
G- GIT/E d- s+:--(-) a+ C++++$ UL++++$ P+(---)>++ L+++(++++)$ !E W(-) N(-) o? w-- O !M V+++(--) !PS !PE Y+ PGP+> t- tv@ b+++ DI++ D--- e++>+++ h++ r@? 5? !X- !R K--?

From mailscanner at ecs.soton.ac.uk Fri Sep 5 14:59:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:48 2006 Subject: Concerns... In-Reply-To: <5.1.0.14.0.20030905095613.1002bbf8@mail.enhtech.com> Message-ID: <5.2.0.9.2.20030905145832.07483770@imap.ecs.soton.ac.uk> When shutting down, MailScanner will delete its temporary working directories if at all possible (which are usually under /var/spool/MailScanner/incoming, but this is defined in your MailScanner.conf file). Whether it manages it or not, it will simply restart processing the batch from scratch when it is started up again. So don't worry, nothing can get lost when this happens. At 15:00 05/09/2003, you wrote: >Hi all, > >Can someone explain to me how a scenario like this would work... > >MailScanner begins to process a batch of 100 messages. It unpacks those >messages say in /tmp in a directory 360. >For some reason, I need to restart the MailScanner, possibly to make a >config change or whatever however MailScanner >is not finished processing those 100 messages it unpacked in the work >directory. It is only say 20% done. Will MailScanner >know that there are 80 messages waiting in the subdirectory 360 in its work >directory? If so, how? > > >Regards, > > >Errol Neal > > >Errol Neal, Systems/Network Administrator >eneal@enhtech.com >Enhanced Technologies Inc. >http://www.enhtech.com >703-924-0301 or 800-368-3249 >703-924-0302 Fax -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at ZANKER.ORG Fri Sep 5 15:10:58 2003 
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.u k> Message-ID: <27969765.1062774658@mallard.open.ac.uk> On 05 September 2003 13:08 +0100 Steve Freegard wrote: > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch Hmm - for some reason I just get a list of files in the /var/www/html/mailscanner directory when I point my browser at it. MailWatch 0.2 worked fine... Have I done something silly? Mike. From ree at THUNDERSTAR.NET Fri Sep 5 07:12:25 2003 From: ree at THUNDERSTAR.NET (Ron E.) Date: Thu Jan 12 21:19:48 2006 Subject: postfix @xxxx.test files showing up in deferred Message-ID: Just wondering if anyone else running postfix + mailscanner has noticed this - I have recently had some zero byte files showing up in the incoming postfix deferred directory. The files are named like: @xxxxx.test xxxxx = 5 digit number Whenever the incoming postfix is reloaded I get some errors about these files that look like this: warning: valid_hostname: invalid character 64(decimal): @xxxxx.test Just wondering if these can be safely removed or what. Regards, Ron From steve.freegard at LBSLTD.CO.UK Fri Sep 5 15:16:55 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta Message-ID: <67D9E7698329D411936E00508B6590B902773ADC@neelix.lbsltd.co.uk> Hi Mike, No I've done something silly ;-))) When I did the CVS export I forgot to re-create the symbolic link from status.php to index.php. Just run 'ln -s status.php index.php' from /var/www/html/mailscanner and it'll start working. Regards, Steve. -----Original Message----- 
From: Mike Zanker [mailto:mike@ZANKER.ORG] Sent: 05 September 2003 15:11 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta On 05 September 2003 13:08 +0100 Steve Freegard wrote: > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch Hmm - for some reason I just get a list of files in the /var/www/html/mailscanner directory when I point my browser at it. MailWatch 0.2 worked fine... Have I done something silly? Mike. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From mike at ZANKER.ORG Fri Sep 5 15:21:56 2003 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <67D9E7698329D411936E00508B6590B902773ADC@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773ADC@neelix.lbsltd.co.u k> Message-ID: <28627515.1062775316@mallard.open.ac.uk> Thanks! Mike. On 05 September 2003 15:16 +0100 Steve Freegard wrote: > Hi Mike, > > No I've done something silly ;-))) > > When I did the CVS export I forgot to re-create the symbolic link from > status.php to index.php. > > Just run 'ln -s status.php index.php' from /var/www/html/mailscanner > and it'll start working. > > Regards, > Steve. > > -----Original Message----- 
> From: Mike Zanker [mailto:mike@ZANKER.ORG] > Sent: 05 September 2003 15:11 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta > > > On 05 September 2003 13:08 +0100 Steve Freegard > wrote: > >> I've (finally!) released a beta of 0.3 - you can download it from >> http://www.sourceforge.net/projects/mailwatch > > Hmm - for some reason I just get a list of files in the > /var/www/html/mailscanner directory when I point my browser at it. > > MailWatch 0.2 worked fine... Have I done something silly? > > Mike. > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer > viruses. From KShortt at AZERTY.COM Fri Sep 5 15:24:31 2003 
From: KShortt at AZERTY.COM (Shortt, Kevin) Date: Thu Jan 12 21:19:48 2006 Subject: Any Ideas on these rules Message-ID: <210DF55DED65B547896F728FB057F3B201CB4DD6@seaver.ussco.com> > header __SOBIG_X X-MailScanner =~ /Found to be clean/ >>Please don't create an SA rule to label emails which have been scanned by >>MailScanner (in its default configuration) as spam. >>PLEASE do not post anything like this to the SA mailing list - people will >>use it without understanding the significance of what they are using. It's not a default config. It happens to be a characteristic of the virus that was propagated and as the rule is written only matches such messages. It is also written with the "__" which does not add hits to the message by default. One can not presume the knowledge level (or lack of) when asking a question. A question is asked and directed at the people that have the knowledge. If someone uses the information incorrectly that is no one's fault but their own. I thought that's what the internet was about. Anyway...back to the original post. The rule was working and catching only SOBIG virii. We've recently noticed it's no longer functioning. Does anyone have any ideas for us to troubleshoot this? -k From pndiku at DSMAGIC.COM Fri Sep 5 15:19:21 2003 
From: pndiku at DSMAGIC.COM (Peter C. Ndikuwera) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: References: Message-ID: <1062771560.30678.4.camel@mufasa.ds.co.ug> Hi all, Failed to get this working on a SuSE 7.0 system. Just like with previous mailwatch versions I had to cook up my own Logging function (see attached). It's based on Julian's work in the original CustomConfig.pm and seems to work fine for me! Comments? Peter On Fri, 2003-09-05 at 15:33, Chris Campbell wrote: > Very nice... I *finally* got it hacked up enough to work on rh 7.2 and rh > 7.3 (I was getting the same mysql server died error these bsd kids were > getting) > > > But, here is a question for you.... > > What are the odds we can grab and insert into the sql db the sendmail relay > log......and the status..... > I am looking for the relay part and whether it was Sent, Queued, etc..... > > > > > ..................................... > Christopher S. Campbell > UNIX Admin > First Albany Corp > 518.447.8544 > chris.campbell@fac.com > > > > > > Steve Freegard > LTD.CO.UK> cc: > Sent by: Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta > MailScanner mailing > list > IL.AC.UK> > > > 09/05/03 08:08 AM > Please respond to > MailScanner mailing > list > > > > > > > Hi all, > > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch > > If you haven't already noticed - the project has been moved to Sourceforge, > so I encourage everyone who uses MailWatch to sign-up for the Mailing Lists > that are available and to use the other features such as the Feature > Requests, Bug Tracking, Forums and Patches from this point onward. > > Changes in this release: > > - New MailWatch.pm file that contains the MailWatch SQL Logging code. > > - Changed the SQL Logging procedure names from SQLLogging to > MailWatchLogging > to save confusion as to which versions people are using. 
> > - Updated MailWatchLogging procedures to better handle MySQL death and > subsequent restart without needing to restart MailScanner. > > - Message headers now displayed on the Message Detail page. > > - OpenRBL lookup address fixed (OpenRBL had updated their site). > > - Spam Action(s) displayed next to Spam/High Scoring Spam on the Message > Detail page. > > - New 'Quarantine Manager' allows quarantined messages to be released to > recipient(s), deleted or learnt/unlearnt by SpamAssassin as Spam or Ham. > > - Major speed-ups on page display. > > - Added extra Virus regular expressions and modified the existing to drop > the requirement of 'Include Scanner Name in Reports' in > MailScanner.conf. > > - New Sendmail inbound/outbound queue display. > > - Fixed the display of the 'Blocked Files' percentage in Today's Totals. > > - Fixed the volume display in the reports to use the average over the > reporting period e.g. if you receive 500Mb of mail on average per day > but > you occasionally spike at 1Gb - the reports will display the volume in > Mb. > > - Added new 'MySQL status' page to the 'Other' page. > > - Fixed 'SpamAssassin Rule Hits' report not displaying any data under some > installations of MailScanner. > > - New reports 'Top Mail Relays' and 'Top Sender Domains by > Quantity/Volume'. > > - Added 'hostname' to the list of available filters to allow people with > multiple scanners report only on a specific one. > > Kind regards, > Steve > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer viruses. 
-------------- next part --------------
#
#   MailWatch for MailScanner
#   Copyright (C) 2003  Steve Freegard (smf@f2s.com)
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#

use DBI;
use IO::File;
use Sys::Hostname;

# Trace settings - uncomment this to debug
# DBI->trace(2,'/root/dbitrace.log');

my($dbh);
my($sth);
my($logfile1);  # Temporary log file handle shared by the three subs below
my($hostname) = hostname;

# Modify this as necessary for your configuration
my($db_name) = "mailscanner";
my($db_host) = "localhost";
my($db_user) = "root";
my($db_pass) = "";

sub InitMailWatchLogging {
  MailScanner::Log::InfoLog("Initialising MailWatch Logging temp file");
  $logfile1 = IO::File->new_tmpfile or die "IO::File->new_tmpfile: $!";
}

# Shutdown. Write all the log entries to the SQL database, then close
# the temporary log files. Closing them will also delete them as they were
# created with tmpfile().
sub EndMailWatchLogging {
  my(@fields);

  MailScanner::Log::InfoLog("Ending SQL Logging temp output " .
                            "and flushing to database");

  # Create database connection
  my($dbh);

  # Connect to the database
  $dbh = DBI->connect("DBI:mysql:database=$db_name;host=$db_host",
                      $db_user, $db_pass,
                      {PrintError => 0})
    or MailScanner::Log::DieLog("Cannot connect to the database: %s",
                                $DBI::errstr);

  # Rewind to start of logfile1
  $logfile1->flush();
  seek($logfile1, 0, 0)
    or MailScanner::Log::DieLog("EndSQLLogging seek: %s", $!);

  while(<$logfile1>) {
    chomp;
    @fields = split(/\t/);

    # Work through each field protecting any special characters such as '
    # The line below replaces ' with \'
    # @fields = map { s/\'/\\'/g } @fields;

    # Set any empty strings to NULL so the SQL insert works correctly
    @fields = map { ($_ eq '')?'NULL':"$_" } @fields;

    # Insert @fields into a database table. The values are bound to
    # placeholders, so quotes in subjects or filenames are stored as data
    # and never parsed as SQL.
    my($sth) = $dbh->prepare("INSERT INTO maillog VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)");
    $sth->execute($fields[0],$fields[1],$fields[2],$fields[3],$fields[4],
                  $fields[5],$fields[6],$fields[7],$fields[8],$fields[9],
                  $fields[10],$fields[11],$fields[12],$fields[13],$fields[14],
                  $fields[15],$fields[16],$fields[17],$fields[18],$fields[19],
                  $fields[20],$fields[21],$fields[22])
      or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
  }

  # Close database connection
  $dbh->disconnect();

  # Close and delete the temporary files (deletion is done automatically)
  $logfile1->close();
  MailScanner::Log::InfoLog("Database flush completed");
}

# Write all the log information for 1 message to the temporary file.
# For messages with reports, write 1 line for each report.
sub MailWatchLogging {
  my($message) = @_;

  # Get rid of control chars and tidy-up SpamAssassin report
  my $spamreport = $message->{spamreport};
  $spamreport =~ s/\n/ /g;
  $spamreport =~ s/\t//g;

  # Get timestamp, and format it so it is suitable to use with MySQL
  my($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
  my($timestamp) = sprintf("%d-%02d-%02d %02d:%02d:%02d",
                           $year+1900,$mon+1,$mday,$hour,$min,$sec);
  my($date) = sprintf("%d-%02d-%02d",$year+1900,$mon+1,$mday);
  my($time) = sprintf("%02d:%02d:%02d",$hour,$min,$sec);

  # Also print 1 line for each report about this message. These lines
  # contain all the info above, + the attachment filename and text of
  # each report.
  my($file, $text, @report_array);
  while(($file, $text) = each %{$message->{allreports}}) {
    $file = "the entire message" if $file eq "";
    # Use the sanitised filename to avoid problems caused by people forcing
    # logging of attachment filenames which contain nasty SQL instructions.
    # Fall back to the original name if there is no sanitised one
    # ('||' binds tighter than '=', unlike 'or').
    $file = $message->{file2safefile}{$file} || $file;
    $text =~ s/\n/ /g;  # Make sure text report only contains 1 line
    $text =~ s/\t/ /g;  # and no tab characters (tab is the field separator)
    push (@report_array, $text);
  }

  # Sanitize reports
  my $reports = join(",",@report_array);

  # Headers are joined with a literal backslash-n so the record stays on 1 line
  my $headers = join('\n',@{$message->{headers}});

  # Print 1 line for each message.
  print $logfile1 join("\t",
                       $timestamp,
                       $message->{id},
                       $message->{size},
                       $message->{from},
                       join(',', @{$message->{to}}),
                       $message->{subject},
                       $message->{clientip},
                       join(',', @{$message->{archiveplaces}}),
                       $message->{isspam},
                       $message->{ishigh},
                       $message->{issaspam},
                       $message->{isrblspam},
                       $message->{spamwhitelisted},
                       $message->{sascore},
                       $spamreport,
                       $message->{virusinfected},
                       $message->{nameinfected},
                       $message->{otherinfected},
                       $reports,
                       'entandikwa.ds.co.ug',
                       $date,
                       $time,
                       $headers
                      ). "\n";
}

1;

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 15:35:36 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:48 2006 Subject: Any Ideas on these rules In-Reply-To: <210DF55DED65B547896F728FB057F3B201CB4DD6@seaver.ussco.com> References: <210DF55DED65B547896F728FB057F3B201CB4DD6@seaver.ussco.com> Message-ID: <200309051435.h85EZe502523@onyx.rockstone.co.uk> On Friday 05 September 2003 3:24 pm, Shortt, Kevin wrote: > > header __SOBIG_X X-MailScanner =~ /Found to be clean/ > > > >>Please don't create an SA rule to label emails which have been scanned by > >>MailScanner (in its default configuration) as spam. > >> > >>PLEASE do not post anything like this to the SA mailing list - people > >> will use it without understanding the significance of what they are > >> using. > > It's not a default config. It happens to be a characteristic of the virus > that was propagated and as the rule is written only matches such messages. No, what I meant by "default config" was that this header is exactly what gets added to emails which have been scanned by a default MailScanner installation. Therefore this particular rule will match perfectly innocent messages long after Sobig has disappeared over the horizon. I was merely saying that I do not think it is a good idea to encourage people to even think about matching on a part of the Sobig emails which will cause a high false positive rate if applied to other emails. I agree that in combination with your other rules this becomes less likely, but please use the other rules to achieve that without including this one. > One can not presume the knowledge level (or lack of) when asking a > question. A question is asked and directed at the people that have the > knowledge. If someone uses the information incorrectly that is no one's > fault but their own. I thought that's what the internet was about. If this means you think I was suggesting that you don't know what you're doing, then I never meant to say that. 
I was trying to say "please don't post a suggestion that SA should match on the MailScanner header in a bid towards identifying a message as spam", because people who don't know that it matches perfectly innocent MailScanner-scanned messages as well as the Sobig ones will end up blocking good email as a result. There's no need to include this header in the rule, so I think it should not be advocated as a way to identify spam. If that wasn't what you meant then please ignore the above. Regards, Antony. -- It suddenly dawns on the observer that there is no end to the creativity that these mindless hackers can come up with. - Kevin Kelly, Out of Control From anders.andersson at LTKALMAR.SE Fri Sep 5 15:41:13 2003 
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:19:48 2006 Subject: SV: how to set up an RBL Message-ID: > -----Original Message----- > From: Tim Sailer [mailto:sailer@BNL.GOV] > > I have a small RBL and domain, spambites.net. I am making it > 'subscription' only, and it will be manually administered, as > far as entries. Either a web form, or email submission. > Entries will be 'expired' after so many days, depending on > why it was entered (SPAM, open relay, etc). > > So, if any one is serious about this, I've got the framework in place. Add me to the offline list, I've got a meeting in the end of the month and might get some more mailadmins interested. /Anders > > Tim > > On Thu, Aug 28, 2003 at 01:13:11PM +0200, Raymond Dijkxhoorn wrote: > > Hi! > > > > > We might be interested in following suit, as the quantity of spam > > > getting through recently is not acceptable (SpamAssassin keeps on > > > timing out!) > > > > Its perhaps completely OT here, but why not combine forces? I am > > willing to facilitate a couple of DNSes and we are with a lot of > > network guys here, so we might do it right for once. > > > > We all try to fight spam, we all see the spammers coming in, so we > > only need an interface to get things in. > > > > Are there people interested in that idea ? > > > > Bye, > > Raymond. > > > > -- > Tim Sailer > Information and Special Technologies Program > Office of CounterIntelligence > Brookhaven National Laboratory (631) 344-3001 > From phil at NXTEK.NET Fri Sep 5 15:47:49 2003 From: phil at NXTEK.NET (Phil Iovino) Date: Thu Jan 12 21:19:48 2006 Subject: Sobig.F resurgence In-Reply-To: <00ae01c3735c$626ef450$640ba8c0@home.middlefinger.net> Message-ID: <00bd01c373bc$b3ad49b0$641be5ce@PHIL> Can you let me know specifically how to do this? I saw a way to do it with other MTAs but may have missed how to with Sendmail. > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher > Sent: Thursday, September 04, 2003 10:19 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sobig.F resurgence > > > The flow here has been trickling but steady. I am blocking > LOTS of them with a sendmail rule though, so they never even > make it to MailScanner. > > Mike > > > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of David Hooton > > Sent: Thursday, September 04, 2003 10:02 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Sobig.F resurgence > > > Hi All, > > A little off topic, but we've started noticing about a 10 > fold increase in Sobig.F traffic over the last 48 hours. > > Is anyone else noticing this? > -- > Regards, > > David Hooton > Senior Partner > Platform Hosting > 1300 85 HOST > www.platformhosting.com > > > ============================================================== > ========== > This message has been scanned for viruses and unsafe content by > Platform Mail Security > > To report SPAM forward the message to: spam@mailsecurity.net.au > To report incorrectly tagged messages: notspam@mailsecurity.net.au > > Platform Mail Security www.mailsecurity.net.au > Platform Hosting www.platformhosting.com > > ============================================================== > ========== > From greyhair at GREYHAIR.NET Fri Sep 5 15:50:50 2003 
From: greyhair at GREYHAIR.NET (Mr. Greyhair) Date: Thu Jan 12 21:19:48 2006 Subject: No subject Message-ID: <200309051450.h85Eooa03007@localhost.greyhair.net> It is mentioned on the mailscanner website that "MailScanner knows about a list of viruses that" ... "fake "From" address". "... up to system administrators to keep this list up to date." How does one maintain this list (correctly)? From http://www.sng.ecs.soton.ac.uk/mailscanner/sobig.html: Why am I getting all this mail from you? First of all, the mail is not coming from us. Please read on... This virus sends e-mail messages with a fake "From" address, which might happen to be your address. MailScanner knows about a list of viruses that do this, and knows not to respond to the sender if the message contains any of these "faking" viruses. However, it is currently up to the individual system administrators to keep this list up to date. If they haven't added "Sobig" to the list, then their MailScanner will continue to issue warnings to the senders, not knowing that they are fake. Thanks. From david at PLATFORMHOSTING.COM Fri Sep 5 15:57:40 2003 
From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <28627515.1062775316@mallard.open.ac.uk> References: <67D9E7698329D411936E00508B6590B902773ADC@neelix.lbsltd.co.u k> <28627515.1062775316@mallard.open.ac.uk> Message-ID: <3F58A464.6050507@platformhosting.com> Next upgrade question... I'm running the upgrade.php file and am getting the following error: - AlwaysLookedUpLast ................................................ OK *** ERROR/WARNING SUMMARY *** Database connection failed: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2) MailScanner.conf: SpamActions != store (=deliver) MailScanner.conf: HighScoringSpamActions != store (=deliver) Now I would normally think ok, MySQL is dead, but it's running. My DB Name is mailwatch rather than mailscanner, but I can't seem to see the db name hardcoded in the php. Any ideas? -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com ======================================================================== This message has been scanned for viruses and unsafe content by Platform Mail Security To report SPAM forward the message to: spam@mailsecurity.net.au To report incorrectly tagged messages: notspam@mailsecurity.net.au Platform Mail Security www.mailsecurity.net.au Platform Hosting www.platformhosting.com ======================================================================== From steve.freegard at LBSLTD.CO.UK Fri Sep 5 15:57:49 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta Message-ID: <67D9E7698329D411936E00508B6590B902773ADD@neelix.lbsltd.co.uk> Hi Chris, >>> What are the odds we can grab and insert into the sql db the sendmail.... I'm reluctant to put this into MailWatch as it requires some intelligent parsing of the maillog on the message id which could and usually does appear more than once (particularly when the message is deferred) and maillog should also only be readable by root which poses another problem. That said - I've written something for you which should give you the beginnings of what you're after - it is pretty crude however. I'm also presuming that you're using 0.2. Copy the attached files to /var/www/html/mailscanner. Run 'mysql mailscanner < create_relay_table.sql' to create the table. Make sure that sendmail_relay.php is executable and make an entry into root's crontab to run it every 'n' minutes - this script parses the maillog and for every entry that has the line 'Sendmail','relay=' and 'stat=' it makes an entry into the sendmail_relay table - if one already exists for the message id being inserted it is overwritten. You will then be able to see the relay information at the bottom of the Message Detail page. Kind regards, Steve -----Original Message----- 
From: Chris Campbell [mailto:Chris.Campbell@FAC.COM] Sent: 05 September 2003 13:33 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta Very nice... I *finally* got it hacked up enough to work on rh 7.2 and rh 7.3 (I was getting the same mysql server died error these bsd kids were getting) But, here is a question for you.... What are the odds we can grab and insert into the sql db the sendmail relay log......and the status..... I am looking for the relay part and whether it was Sent, Queued, etc..... ..................................... Christopher S. Campbell UNIX Admin First Albany Corp 518.447.8544 chris.campbell@fac.com Steve Freegard cc: Sent by: Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta MailScanner mailing list 09/05/03 08:08 AM Please respond to MailScanner mailing list Hi all, I've (finally!) released a beta of 0.3 - you can download it from http://www.sourceforge.net/projects/mailwatch If you haven't already noticed - the project has been moved to Sourceforge, so I encourage everyone who uses MailWatch to sign-up for the Mailing Lists that are available and to use the other features such as the Feature Requests, Bug Tracking, Forums and Patches from this point onward. Changes in this release: - New MailWatch.pm file that contains the MailWatch SQL Logging code. - Changed the SQL Logging procedure names from SQLLogging to MailWatchLogging to save confusion as to which versions people are using. - Updated MailWatchLogging procedures to better handle MySQL death and subsequent restart without needing to restart MailScanner. - Message headers now displayed on the Message Detail page. - OpenRBL lookup address fixed (OpenRBL had updated their site). - Spam Action(s) displayed next to Spam/High Scoring Spam on the Message Detail page. - New 'Quarantine Manager' allows quarantined messages to be released to recipient(s), deleted or learnt/unlearnt by SpamAssassin as Spam or Ham. - Major speed-ups on page display. 
- Added extra Virus regular expressions and modified the existing to drop the requirement of 'Include Scanner Name in Reports' in MailScanner.conf. - New Sendmail inbound/outbound queue display. - Fixed the display of the 'Blocked Files' percentage in Today's Totals. - Fixed the volume display in the reports to use the average over the reporting period e.g. if you receive 500Mb of mail on average per day but you occasionally spike at 1Gb - the reports will display the volume in Mb. - Added new 'MySQL status' page to the 'Other' page. - Fixed 'SpamAssassin Rule Hits' report not displaying any data under some installations of MailScanner. - New reports 'Top Mail Relays' and 'Top Sender Domains by Quantity/Volume'. - Added 'hostname' to the list of available filters to allow people with multiple scanners report only on a specific one. Kind regards, Steve -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: detail.php Type: application/octet-stream Size: 3151 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/1a9ec8bc/detail.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: create_relay_table.sql Type: application/octet-stream Size: 204 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/1a9ec8bc/create_relay_table.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: sendmail_relay.php Type: application/octet-stream Size: 806 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/1a9ec8bc/sendmail_relay.obj From kodak at FRONTIERHOMEMORTGAGE.COM Fri Sep 5 15:58:00 2003 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:19:48 2006 Subject: Silent Viruses In-Reply-To: <200309051450.h85Eooa03007@localhost.greyhair.net> Message-ID: <006301c373be$1999dbc0$0501a8c0@darkside> >It is mentioned on the mailscanner website that "MailScanner knows >about a list of viruses that" ... "fake "From" address". "... up to >system administrators to keep this list up to date." How does one >maintain this list (correctly)? Your MailScanner.conf has a line: Silent Viruses = blah blah blah Add Sobig to that line. (And other viruses as they crop up.) --J(K) From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 15:59:02 2003 
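The maillog pass Steve Freegard describes earlier in this thread (keep only sendmail lines that carry both 'relay=' and 'stat=', and let a later entry for the same message id overwrite the earlier one), as an added Python example; it is not the scrubbed sendmail_relay.php attachment. The log lines are constructed, and the sendmail_relay column names and the use of sqlite3 in place of MySQL are assumptions.

```python
import re
import sqlite3

# Constructed sample in the usual sendmail syslog layout (not taken from the thread).
SAMPLE_MAILLOG = [
    "Sep  5 14:01:10 mail sendmail[2101]: h85E1A502101: from=<alice@example.org>, "
    "size=1843, class=0, nrcpts=1, proto=ESMTP, relay=client.example.org [192.0.2.7]",
    "Sep  5 14:01:12 mail sendmail[2105]: h85E1A502101: to=<bob@example.net>, "
    "delay=00:00:02, mailer=esmtp, pri=120000, relay=mx.example.net., dsn=4.0.0, "
    "stat=Deferred: Connection timed out with mx.example.net.",
    "Sep  5 14:01:15 mail MailScanner[1990]: New Batch: Scanning 1 messages, 1843 bytes",
    "Sep  5 14:02:40 mail sendmail[2230]: h85E2d502222: to=<carol@example.com>, "
    "delay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.com. [192.0.2.10], "
    "dsn=2.0.0, stat=Sent (ok, queued as 4F2A1)",
    "Sep  5 14:31:12 mail sendmail[2950]: h85E1A502101: to=<bob@example.net>, "
    "delay=00:30:02, mailer=esmtp, pri=210000, relay=mx.example.net. [192.0.2.25], "
    "dsn=2.0.0, stat=Sent (250 ok)",
]

# "<timestamp> <host> <program>[pid]: <queue id>: <fields>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>[^\[\s:]+)\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$"
)
# relay= runs up to the next ", key=" field (or the end of the line).
RELAY_RE = re.compile(r"(?:^|, )relay=(?P<relay>.*?)(?=, \w+=|$)")
# stat= is the last field and its text may itself contain commas.
STAT_RE = re.compile(r"(?:^|, )stat=(?P<stat>.*)$")


def parse_relay_entries(lines):
    """Return {message id: {"logged", "relay", "stat"}} for delivery attempts.

    Lines are read in log order, so a later attempt for the same message id
    (for example a retry after a deferral) replaces the earlier one.
    """
    entries = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\r\n"))
        if m is None or m.group("prog").lower() != "sendmail":
            continue  # other daemons, or lines without a queue id
        rest = m.group("rest")
        relay, stat = RELAY_RE.search(rest), STAT_RE.search(rest)
        if relay is None or stat is None:
            continue  # e.g. inbound from= lines have relay= but no stat=
        entries[m.group("qid")] = {
            "logged": m.group("ts"),
            "relay": relay.group("relay"),
            "stat": stat.group("stat"),
        }
    return entries


def store_entries(conn, entries):
    """Upsert into a hypothetical sendmail_relay table keyed on message id."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS sendmail_relay ("
        "msg_id TEXT PRIMARY KEY, logged TEXT, relay TEXT, stat TEXT)"
    )
    # Bound parameters: relay and stat text comes from remote servers.
    conn.executemany(
        "INSERT OR REPLACE INTO sendmail_relay VALUES (?, ?, ?, ?)",
        [(qid, e["logged"], e["relay"], e["stat"]) for qid, e in entries.items()],
    )
    conn.commit()


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    store_entries(db, parse_relay_entries(SAMPLE_MAILLOG))
    for row in db.execute("SELECT msg_id, relay, stat FROM sendmail_relay ORDER BY msg_id"):
        print(row)
```

Because the table is keyed on the message id, re-running the pass over the same log from cron is idempotent, and a message that was deferred and later delivered ends up with its final status.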
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:48 2006 Subject: No subject In-Reply-To: <200309051450.h85Eooa03007@localhost.greyhair.net> References: <200309051450.h85Eooa03007@localhost.greyhair.net> Message-ID: <200309051459.h85Ex7502752@onyx.rockstone.co.uk> On Friday 05 September 2003 3:50 pm, Mr. Greyhair wrote: > It is mentioned on the mailscanner website that "MailScanner knows > about a list of viruses that" ... "fake "From" address". "... up to > system administrators to keep this list up to date." How does one > maintain this list (correctly)? The only way I know is by keeping up to date with the latest virus definitions and checking which ones forge the sender's address and which ones don't. The way things are going at present, you'd be pretty safe assuming a new email virus does forge the sender's address until you know otherwise :) Antony. -- If you want to be happy for an hour, get drunk. If you want to be happy for a year, get married. If you want to be happy for a lifetime, get a garden. From KCollins at NESBITTENGINEERING.COM Fri Sep 5 16:13:04 2003 From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin) Date: Thu Jan 12 21:19:48 2006 Subject: Problem posting to list` Message-ID: <2B1F39EA56FA7643A328F66521D41B760D41@magellan.nesbitt.local> I've tried for the past several days to post a reply back to the "False Positive" thread that I started a day or two ago. I'm obviously doing something wrong because when I post a new message it seems to come through just fine, but when I send my reply with things like mail headers and such my message just disappears into ether. I don't get a "bounce" or failure. My server sends the message out and then it disappears. Anyone else experiencing this? -- Kevin L. Collins, MCSE Systems Manager Nesbitt Engineering, Inc. From pndiku at DSMAGIC.COM Fri Sep 5 15:55:48 2003 
From: pndiku at DSMAGIC.COM (Peter C. Ndikuwera) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <27969765.1062774658@mallard.open.ac.uk> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.u k> <27969765.1062774658@mallard.open.ac.uk> Message-ID: <1062773747.30678.6.camel@mufasa.ds.co.ug> >From /var/www/html/mailscanner type: ln -s status.php index.php On Fri, 2003-09-05 at 17:10, Mike Zanker wrote: > On 05 September 2003 13:08 +0100 Steve Freegard > wrote: > > > I've (finally!) released a beta of 0.3 - you can download it from > > http://www.sourceforge.net/projects/mailwatch > > Hmm - for some reason I just get a list of files in the > /var/www/html/mailscanner directory when I point my browser at it. > > MailWatch 0.2 worked fine... Have I done something silly? > > Mike. From sailer at BNL.GOV Fri Sep 5 16:21:45 2003 
From: sailer at BNL.GOV (Tim Sailer) Date: Thu Jan 12 21:19:48 2006 Subject: how to set up an RBL In-Reply-To: References: <20030905133558.GA19537@bnl.gov> Message-ID: <20030905152145.GS19537@bnl.gov> On Fri, Sep 05, 2003 at 04:14:34PM +0200, Raymond Dijkxhoorn wrote: > Hi! > > > I have a small RBL and domain, spambites.net. I am making it 'subscription' > > only, and it will be manually administered, as far as entries. Either > > a web form, or email submission. Entries will be 'expired' after so many > > days, depending on why it was entered (SPAM, open relay, etc). > > > > So, if any one is serious about this, I've got the framework in place. > > > > We all try to fight spam, we all see the spammers comming in, so we only > > > need a interface to get things in. > > > > > > Are there people interested in that idea ? > > I am surely interested, please submit me some info offlist. OK, basic rules, that I'm just tarting to flesh out is: Don't abuse the system. Keep a local DNS zone running (to save my connection). I can add you to the email alias I'm using as a starting point, so interested parties can bang around ideas. Let me know. Tim -- Tim Sailer Information and Special Technologies Program Office of CounterIntelligence Brookhaven National Laboratory (631) 344-3001 From lance at WARE.NET Fri Sep 5 16:22:02 2003 From: lance at WARE.NET (Lance Ware) Date: Thu Jan 12 21:19:48 2006 Subject: Virus scanning/updates (clam) not happening after upgrade to 4.23-11 In-Reply-To: A<5.2.0.9.2.20030905085219.03f0cfd8@imap.ecs.soton.ac.uk> Message-ID: <200309051522.h85FMxr14769@ori.rl.ac.uk> Ok I'll try that, although I don't seem to have an /etc/MailScanner/lib. Guess I'll get it from the generic tar file. I fixed it temporarily by moving the new 3 column virus.scanners.conf into etc and manually editing the clam wrapper to the correct path for clamscan. Editing virus.scanners.conf didn't seem to help. TIA, Lance -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Friday, September 05, 2003 12:54 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Virus scanning/updates (clam) not happening after upgrade to 4.23-11 Look in /etc/MailScanner/lib and rename all the ".rpmnew" files over the top of your modified files. Then if you have the scanner installed in a non-default location (which is probably why you edited the scripts in the first place), edit /etc/MailScanner/virus.scanners.conf and fix the paths in there. I have moved all the configuration out of the scripts and into virus.scanners.conf to make things neater. At 06:51 05/09/2003, you wrote: >Hi folks, > > > >Im scratching my head. I recently upgraded from 4.22-5 to 4.23-11 and I >seem to have lost my virus scanning and updates. > > > >Any hints or tips? > > > >My upgrade process including building a new box and moving my config files >over. > > > >Thanks. > > > >Lance > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Fri Sep 5 15:14:34 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:48 2006 Subject: how to set up an RBL In-Reply-To: <20030905133558.GA19537@bnl.gov> Message-ID: Hi! > I have a small RBL and domain, spambites.net. I am making it 'subscription' > only, and it will be manually administered, as far as entries. Either > a web form, or email submission. Entries will be 'expired' after so many > days, depending on why it was entered (SPAM, open relay, etc). > > So, if any one is serious about this, I've got the framework in place. > > We all try to fight spam, we all see the spammers comming in, so we only > > need a interface to get things in. > > > > Are there people interested in that idea ? I am surely interested, please submit me some info offlist. Bye, Raymond. From sailer at BNL.GOV Fri Sep 5 16:24:59 2003 
From: sailer at BNL.GOV (Tim Sailer) Date: Thu Jan 12 21:19:48 2006 Subject: how to set up an RBL In-Reply-To: <20030905152145.GS19537@bnl.gov> References: <20030905133558.GA19537@bnl.gov> <20030905152145.GS19537@bnl.gov> Message-ID: <20030905152459.GU19537@bnl.gov> Offlist. Why do my fingers not listen when replying to email. Sorry folks. Tim On Fri, Sep 05, 2003 at 11:21:45AM -0400, Tim Sailer wrote: > On Fri, Sep 05, 2003 at 04:14:34PM +0200, Raymond Dijkxhoorn wrote: > > Hi! > > > > > I have a small RBL and domain, spambites.net. I am making it 'subscription' > > > only, and it will be manually administered, as far as entries. Either > > > a web form, or email submission. Entries will be 'expired' after so many > > > days, depending on why it was entered (SPAM, open relay, etc). > > > > > > So, if any one is serious about this, I've got the framework in place. > > > > > > We all try to fight spam, we all see the spammers comming in, so we only > > > > need a interface to get things in. > > > > > > > > Are there people interested in that idea ? > > > > I am surely interested, please submit me some info offlist. > > OK, basic rules, that I'm just tarting to flesh out is: > > Don't abuse the system. > Keep a local DNS zone running (to save my connection). > > I can add you to the email alias I'm using as a starting point, > so interested parties can bang around ideas. Let me know. > > Tim > > -- > Tim Sailer > Information and Special Technologies Program > Office of CounterIntelligence > Brookhaven National Laboratory (631) 344-3001 > -- Tim Sailer Information and Special Technologies Program Office of CounterIntelligence Brookhaven National Laboratory (631) 344-3001 From rob at thehostmasters.com Fri Sep 5 16:25:53 2003 
From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:19:48 2006 Subject: WHy was this not caught?? References: <001901c373ad$6f335f40$7500a8c0@poseiden> <5.2.0.9.2.20030905141546.042e26e0@imap.ecs.soton.ac.uk> Message-ID: <016201c373c2$00a922c0$0a01a8c0@basement> Hmm I thought SA is upgraded along with Mailscanner? I upgraded last week, my MS to the latest.... would not that also install the latest SA too? Thanks.. Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com ----- Original Message ----- From: "Julian Field" To: Sent: Friday, September 05, 2003 9:16 AM Subject: Re: WHy was this not caught?? > There is a new release of SpamAssassin coming out shortly, give that a try > and you should find the spam-spotting improves. > > At 14:07 05/09/2003, you wrote: > >Just wondering why this was not caught by MS, as it even says in the header > >"(may be forged)" > > > >I seem to be getting more and more spam now that is not caught even after > >adjusting my settings to 4 rather than 5 for a hit and deleting spam over a > >score of 10 > > > >Anything I am doing wrong or not doing? > > > >Any help appreciated... > > > >Thanks and have a great day/night or evening depending on where you are in > >the world.. > >:) > > > >see headers below of email received > >----------------------------------------------------------------------- > > > > > >Return-Path: > >Received: from mg134046.user.veloxzone.com.br > >(MG134046.user.veloxzone.com.br [200.149.134.46] (may be forged)) > > by localhost.localdomain (8.12.8/8.12.5) with SMTP id h85Cxdkg022954 > > for ; Fri, 5 Sep 2003 08:59:43 -0400 > >Message-ID: 
> >From: "Leanne Bowers" > >Reply-To: "Leanne Bowers" > >To: rob@stupidguytalk.org > >Subject: Medical Breakthrough for MEN Today_0NLY! > >Date: Sat, 06 Sep 2003 07:49:14 +0500 > >MIME-Version: 1.0 > >Content-Type: multipart/alternative; > > boundary="B__.28_.E9_02.3F.EC_2F" > >X-MailScanner-Information: Please contact info@thehostmasters.com for more > >info > >X-MailScanner: Found to be clean > >X-UIDL: M`-!!U@/!!F~U"!cAM!! > > > > > >Rob Charles > >TheHostMasters > >Montreal, Canada > >514-846-0006 > >Rob@TheHostMasters.com > >http://www.TheHostMasters.com > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 16:29:27 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:48 2006 Subject: WHy was this not caught?? Message-ID: <200309051529.h85FTW503063@onyx.rockstone.co.uk> On Friday 05 September 2003 4:25 pm, Rob Charles wrote: > Hmm I thought SA is upgraded along with Mailscanner? I upgraded last week, > my MS to the latest.... would not that also install the latest SA too? No. Independent packages. Different developers, maintainers, release dates... Some people use MS without SA. Some people use SA without MS. Regards, Antony. -- Anything that improbable is effectively impossible. - Murray Gell-Mann, Nobel Prizewinner in Physics From michele at BLACKNIGHTSOLUTIONS.COM Fri Sep 5 16:31:26 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions) Date: Thu Jan 12 21:19:48 2006 Subject: Offlist/Onlist was RE: how to set up an RBL In-Reply-To: <20030905152459.GU19537@bnl.gov> Message-ID: <200309051529.h85FTWaM040294@lancelot.blacknightsolutions.com> > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tim Sailer > Sent: 05 September 2003 16:25 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: how to set up an RBL > > Offlist. Why do my fingers not listen when replying to email. > > Sorry folks. > > Tim It could have been a lot worse! Our last accountant posted an email to a mailing list instead of sending it to me... Mr. Michele Neylon Blacknight Solutions http://www.blacknightsolutions.ie/ Probably the cheapest ie's in Ireland Tel. +353 (0)59 9139897 Fax. +353 (0)59 9139897 From martinh at SOLID-STATE-LOGIC.COM Fri Sep 5 16:29:53 2003 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:19:48 2006 Subject: WHy was this not caught?? In-Reply-To: <016201c373c2$00a922c0$0a01a8c0@basement> References: <001901c373ad$6f335f40$7500a8c0@poseiden> <5.2.0.9.2.20030905141546.042e26e0@imap.ecs.soton.ac.uk> <016201c373c2$00a922c0$0a01a8c0@basement> Message-ID: <3F58ABF1.5030904@solid-state-logic.com> Rob no upgrading all the underlying sw is a seperate task, just like when you installed it first time around -- Martin Hepworth Senior Systems Administrator Solid State Logic Ltd +44 (0)1865 842300 Rob Charles wrote: > Hmm I thought SA is upgraded along with Mailscanner? I upgraded last week, > my MS to the latest.... would not that also install the latest SA too? > > Thanks.. > > > Rob Charles > TheHostMasters > Montreal, Canada > 514-846-0006 > Rob@TheHostMasters.com > http://www.TheHostMasters.com > > > > ----- Original Message ----- 
> From: "Julian Field" > To: > Sent: Friday, September 05, 2003 9:16 AM > Subject: Re: WHy was this not caught?? > > > >>There is a new release of SpamAssassin coming out shortly, give that a try >>and you should find the spam-spotting improves. >> >>At 14:07 05/09/2003, you wrote: >> >>>Just wondering why this was not caught by MS, as it even says in the > > header > >>>"(may be forged)" >>> >>>I seem to be getting more and more spam now that is not caught even after >>>adjusting my settings to 4 rather than 5 for a hit and deleting spam over > > a > >>>score of 10 >>> >>>Anything I am doing wrong or not doing? >>> >>>Any help appreciated... >>> >>>Thanks and have a great day/night or evening depending on where you are > > in > >>>the world.. >>>:) >>> >>>see headers below of email received >>>----------------------------------------------------------------------- >>> >>> >>>Return-Path: >>>Received: from mg134046.user.veloxzone.com.br >>>(MG134046.user.veloxzone.com.br [200.149.134.46] (may be forged)) >>> by localhost.localdomain (8.12.8/8.12.5) with SMTP id h85Cxdkg022954 >>> for ; Fri, 5 Sep 2003 08:59:43 -0400 >>>Message-ID: 
>>>From: "Leanne Bowers" >>>Reply-To: "Leanne Bowers" >>>To: rob@stupidguytalk.org >>>Subject: Medical Breakthrough for MEN Today_0NLY! >>>Date: Sat, 06 Sep 2003 07:49:14 +0500 >>>MIME-Version: 1.0 >>>Content-Type: multipart/alternative; >>> boundary="B__.28_.E9_02.3F.EC_2F" >>>X-MailScanner-Information: Please contact info@thehostmasters.com for > > more > >>>info >>>X-MailScanner: Found to be clean >>>X-UIDL: M`-!!U@/!!F~U"!cAM!! >>> >>> >>>Rob Charles >>>TheHostMasters >>>Montreal, Canada >>>514-846-0006 >>>Rob@TheHostMasters.com >>>http://www.TheHostMasters.com >> >>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support >> ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** From miguelk at KONSULTEX.COM.BR Fri Sep 5 16:37:04 2003 
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:19:48 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
References: <67D9E7698329D411936E00508B6590B902773ADC@neelix.lbsltd.co.uk> <28627515.1062775316@mallard.open.ac.uk> <3F58A464.6050507@platformhosting.com>
Message-ID: <3F58ADA0.8020605@konsultex.com.br>

David;

I haven't seen MailWatch and I plan to try it. This is advice based on my experience with other web systems. I found that if you use 'localhost' for the dbname if dns is not ok on the machine this fails. I suggest to check that (host localhost) or try 127.0.0.1

Miguel

David Hooton wrote:
> Next upgrade question...
>
> I'm running the upgrade.php file and am getting the following error:
>
>
> - AlwaysLookedUpLast ................................................ OK
>
> *** ERROR/WARNING SUMMARY ***
> Database connection failed: Can't connect to local MySQL server through
> socket '/tmp/mysql.sock' (2)
> MailScanner.conf: SpamActions != store (=deliver)
> MailScanner.conf: HighScoringSpamActions != store (=deliver)
>
>
> Now I would normally think ok, MySQL is dead, but it's running. My DB
> Name is mailwatch rather than mailscanner, but I can't seem to see the
> db name hardcoded in the php.
>
> Any ideas?
>
>
> --
> Regards,
>
> David Hooton
> Senior Partner
> Platform Hosting
> 1300 85 HOST
> www.platformhosting.com
>
>
> ========================================================================
> This message has been scanned for viruses and unsafe content by
> Platform Mail Security
>
> To report SPAM forward the message to: spam@mailsecurity.net.au
> To report incorrectly tagged messages: notspam@mailsecurity.net.au
>
> Platform Mail Security www.mailsecurity.net.au
> Platform Hosting www.platformhosting.com
>
> ========================================================================
>

--
This message has been checked by the antivirus system and is believed to be free of danger.
From Chris.Campbell at FAC.COM Fri Sep 5 16:41:52 2003 
From: Chris.Campbell at FAC.COM (Chris Campbell)
Date: Thu Jan 12 21:19:48 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
Message-ID:

Thanks for the reply Steve...

However, I have 4 external (dmz) mailscanner boxes, with the mailwatch mysql db server internally. I have all 4 inserting to this one mailwatch mysql box.... This is why I want the functionality without parsing the maillog....

I have written my own perl to do basically what you said below, and it seems to work for me. My goal is to let our help desk be able to get this information without my help though.

I am sure the below will be helpful and useful for others, but in the meantime if I have some free time maybe I can come up with some php magic myself....

.....................................
Christopher S. Campbell
UNIX Admin

Steve Freegard ltd.co.uk> cc: "'MailScanner mailing list'" Subject: RE: ANNOUNCE: MailWatch for MailScanner 0.3 Beta 09/05/03 10:57 AM

Hi Chris,

>>> What are the odds we can grab and insert into the sql db the sendmail....

I'm reluctant to put this into MailWatch as it requires some intelligent parsing of the maillog on the message id which could and usually does appear more than once (particularly when the message is deferred) and maillog should also only be readable by root which poses another problem.

That said - I've written something for you which should give you the beginnings of what you're after - it is pretty crude however. I'm also presuming that you're using 0.2.

Copy the attached files to /var/www/html/mailscanner.

Run 'mysql mailscanner < create_relay_table.sql' to create the table.

Make sure that sendmail_relay.php is executable and make an entry into root's crontab to run it every 'n' minutes - this script parses the maillog and for every entry that has the line 'Sendmail','relay=' and 'stat=' it makes an entry into the sendmail_relay table - if one already exists for the message id being inserted it is overwritten.
You will then be able to see the relay information at the bottom of the Message Detail page. Kind regards, Steve -----Original Message----- 
From: Chris Campbell [mailto:Chris.Campbell@FAC.COM] Sent: 05 September 2003 13:33 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta Very nice... I *finally* got it hacked up enough to work on rh 7.2 and rh 7.3 (I was getting the same mysql server died error these bsd kids were getting) But, here is a question for you.... What are the odds we can grab and insert into the sql db the sendmail relay log......and the status..... I am looking for the relay part and whether is was Sent, Queued, etc..... ..................................... Christopher S. Campbell UNIX Admin First Albany Corp 518.447.8544 chris.campbell@fac.com Steve Freegard cc: Sent by: Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta MailScanner mailing list 09/05/03 08:08 AM Please respond to MailScanner mailing list Hi all, I've (finally!) released a beta of 0.3 - you can download it from http://www.sourceforge.net/projects/mailwatch If you haven't already noticed - the project has been moved to Sourceforge, so I encourage everyone who uses MailWatch to sign-up for the Mailing Lists that are available and to use the other features such as the Feature Requests, Bug Tracking, Forums and Patches from this point onward. Changes in this release: - New MailWatch.pm file that contains the MailWatch SQL Logging code. - Changed the SQL Logging procedure names from SQLLogging to MailWatchLogging to save confusion as to which versions people are using. - Updated MailWatchLogging procedures to better handle MySQL death and subsequent restart without needing to restart MailScanner. - Message headers now displayed on the Message Detail page. - OpenRBL lookup address fixed (OpenRBL had updated their site). - Spam Action(s) displayed next to Spam/High Scoring Spam on the Message Detail page. - New 'Quarantine Manager' allows quarantined messages to be released to recipient(s), deleted or learnt/unlearnt by SpamAssassin as Spam or Ham. - Major speed-ups on page display. 
- Added extra Virus regular expressions and modified the existing to drop the requirement of 'Include Scanner Name in Reports' in MailScanner.conf. - New Sendmail inbound/outbound queue display. - Fixed the display of the 'Blocked Files' percentage in Today's Totals. - Fixed the volume display in the reports to use the average over the reporting period e.g. if you receive 500Mb of mail on average per day but you occasionally spike at 1Gb - the reports will display the volume in Mb. - Added new 'MySQL status' page to the 'Other' page. - Fixed 'SpamAssassin Rule Hits' report not display any data under some installations of MailScanner. - New reports 'Top Mail Relays' and 'Top Sender Domains by Quantity/Volume'. - Added 'hostname' the the list of available filters to allow people with multiple scanners report only on a specific one. Kind regards, Steve -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. (See attached file: detail.php)(See attached file: create_relay_table.sql) (See attached file: sendmail_relay.php) -------------- next part -------------- A non-text attachment was scrubbed... 
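The reply quoted in the message above describes sendmail_relay.php as a cron job that scans the maillog for sendmail entries carrying both 'relay=' and 'stat=' and keeps one row per message id, overwriting earlier ones. The attachment was scrubbed from the archive, so what follows is an added example and not that script or MailWatch's own code: the same filter in Python, where the log lines are constructed, the column layout and function names are assumptions, and sqlite3 stands in for the MySQL database.

```python
import re
import sqlite3

# Constructed sample in sendmail 8.12 syslog style; hosts, IDs and addresses are invented.
SAMPLE_MAILLOG = """\
Sep  5 11:02:10 mx1 sendmail[2201]: h85F2AkG002201: from=<a@example.org>, size=1840, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=client.example.org [192.0.2.7]
Sep  5 11:02:14 mx1 sendmail[2207]: h85F2AkG002201: to=<bob@example.com>, delay=00:00:04, xdelay=00:00:00, mailer=esmtp, pri=120340, relay=mail.example.com. [198.51.100.25], dsn=4.0.0, stat=Deferred: Connection timed out with mail.example.com.
Sep  5 11:02:15 mx1 MailScanner[2150]: New Batch: Scanning 1 messages, 2280 bytes
Sep  5 11:17:31 mx1 sendmail[2390]: h85F2AkG002201: to=<bob@example.com>, delay=00:15:21, xdelay=00:00:02, mailer=esmtp, pri=210340, relay=mail.example.com. [198.51.100.25], dsn=2.0.0, stat=Sent (h85FHTx9004411 Message accepted for delivery)
Sep  5 11:20:02 mx2 sendmail[2411]: h85FK1kG002411: to=<eve@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30412, relay=mx.example.net. [203.0.113.9], dsn=5.1.1, stat=User unknown (550 5.1.1 no such user 'eve')
"""

# syslog prefix, then "sendmail[pid]: <queue id>: <comma-separated key=value fields>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\s"
    r"sendmail\[\d+\]:\s(?P<qid>\w+):\s(?P<rest>.*)$"
)

# Assumed layout: one row per sendmail queue id ("message id" in the reply above).
# The scanner column records which host logged the line, for multi-scanner setups.
SCHEMA = """CREATE TABLE IF NOT EXISTS sendmail_relay (
    queue_id TEXT PRIMARY KEY, scanner TEXT, logged_at TEXT,
    relay TEXT, status TEXT, stat TEXT)"""


def parse_delivery(line):
    """Return a dict for a sendmail line with relay= and stat=, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # not a sendmail entry (e.g. a MailScanner line)
    # stat= is the last field and may contain commas, so split it off first.
    head, sep, stat = m["rest"].partition(", stat=")
    if not sep:
        return None  # "from=" lines carry relay= but no stat=
    fields = dict(p.split("=", 1) for p in head.split(", ") if "=" in p)
    if "relay" not in fields:
        return None
    # "Sent (...)" or "Deferred: ..." reduced to the leading status words.
    status = re.split(r":| \(", stat, maxsplit=1)[0]
    return {"ts": m["ts"], "host": m["host"], "qid": m["qid"],
            "relay": fields["relay"], "status": status, "stat": stat}


def load(conn, lines):
    """Store delivery lines; a later line for the same queue id replaces the row."""
    conn.execute(SCHEMA)
    stored = 0
    for line in lines:
        rec = parse_delivery(line)
        if rec is None:
            continue
        # Relay names and status text originate from remote hosts, so they are
        # bound as parameters and never interpolated into the SQL string.
        conn.execute(
            "INSERT OR REPLACE INTO sendmail_relay VALUES (?, ?, ?, ?, ?, ?)",
            (rec["qid"], rec["host"], rec["ts"],
             rec["relay"], rec["status"], rec["stat"]),
        )
        stored += 1
    conn.commit()
    return stored


def relay_status(conn, queue_id):
    """Return (relay, status, stat) for one queue id, or None if unknown."""
    return conn.execute(
        "SELECT relay, status, stat FROM sendmail_relay WHERE queue_id = ?",
        (queue_id,),
    ).fetchone()


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    load(conn, SAMPLE_MAILLOG.splitlines())
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for row in db.execute(
        "SELECT queue_id, scanner, relay, status FROM sendmail_relay ORDER BY queue_id"
    ):
        print(row)
```

Because rows are keyed by queue id alone, a message with several recipients keeps only the last delivery attempt logged, which matches the overwrite behaviour the reply describes.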
Name: detail.php Type: application/octet-stream Size: 3238 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/1cab939f/detail.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: create_relay_table.sql Type: application/octet-stream Size: 215 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/1cab939f/create_relay_table.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: sendmail_relay.php Type: application/octet-stream Size: 829 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/1cab939f/sendmail_relay.obj From kylist at SHCORP.COM Fri Sep 5 16:50:14 2003 From: kylist at SHCORP.COM (Kurt Yoder) Date: Thu Jan 12 21:19:48 2006 Subject: how to drop "cleaned html" warnings to postmaster? Message-ID: <42999.10.10.1.71.1062777014.squirrel@webmailtest.shcorp.com> I'm running Mailscanner 4.22-5, which scans for unsafe HTML, etc. However, when such is found, the admin gets an email, so I get a bunch of emails full of these. I'd prefer to only get email telling me about "real" viruses. The "silent" option doesn't seem to be what I want here, since it only suppresses warnings to the sender. So how do I stop Mailscanner from sending warnings to me about "dangerous IFrame", etc? -- Kurt Yoder Sport & Health network administrator From errol.neal at ENHTECH.COM Fri Sep 5 16:51:40 2003 
From: errol.neal at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:19:48 2006 Subject: Moving Mail between Scanners Message-ID: <5.1.0.14.0.20030905115016.03d8c008@mail.enhtech.com> Hi all, I have a MailScanner that is about 13 hrs behind in terms of mail delivery. I need to move part of the queued mail onto another Scanner. What is the best way to do this while taking into consideration the mail already unpacked and probably half processed? Errol Neal Errol Neal, Systems/Network Administrator eneal@enhtech.com Enhanced Technologies Inc. http://www.enhtech.com 703-924-0301 or 800-368-3249 703-924-0302 Fax From stiret at ONEREDSHOE.NET Fri Sep 5 16:52:29 2003 
From: stiret at ONEREDSHOE.NET (Scott Tiret) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> Message-ID: <1062777148.3080.15.camel@alain.oneredshoe.net> On Fri, 2003-09-05 at 08:08, Steve Freegard wrote: > Hi all, > > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch I'm having a bit of a problem. I updated from MailWatch 0.2 to 0.3 beta, but can't get past this part of the start up. MailScanner just keeps trying to start every 10 seconds. Sep 5 11:51:06 cort MailScanner[24504]: MailScanner E-Mail Virus Scanner version 4.24-1 starting... Sep 5 11:51:07 cort MailScanner[24504]: Config: calling custom init function MailWatchLogging Sep 5 11:51:16 cort MailScanner[24505]: MailScanner E-Mail Virus Scanner version 4.24-1 starting... Sep 5 11:51:17 cort MailScanner[24505]: Config: calling custom init function MailWatchLogging -- Scott Tiret Oneredshoe Network My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/51de96a8/attachment.bin From phil at NXTEK.NET Fri Sep 5 17:06:10 2003 From: phil at NXTEK.NET (Phil Iovino) Date: Thu Jan 12 21:19:48 2006 Subject: Silent Viruses In-Reply-To: <006301c373be$1999dbc0$0501a8c0@darkside> Message-ID: <00d101c373c7$a24ac0c0$641be5ce@PHIL> Do silent viruses still get reported in the various mrtg scripts that monitor virus activity totals? > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Balicki > Sent: Friday, September 05, 2003 9:58 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Silent Viruses > > > >It is mentioned on the mailscanner website that "MailScanner knows > >about a list of viruses that" ... "fake "From" address". "... up to > >system administrators to keep this list up to date." How does one > >maintain this list (correctly)? > > Your MailScanner.conf has a line: > > Silent Viruses = blah blah blah > > Add Sobig to that line. (And other viruses as they crop up.) > > --J(K) > From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 17:08:22 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:48 2006 Subject: Moving Mail between Scanners In-Reply-To: <5.1.0.14.0.20030905115016.03d8c008@mail.enhtech.com> References: <5.1.0.14.0.20030905115016.03d8c008@mail.enhtech.com> Message-ID: <200309051608.h85G8R503414@onyx.rockstone.co.uk> On Friday 05 September 2003 4:51 pm, Errol Neal wrote: > Hi all, > > I have a MailScanner that is about 13 hrs behind in terms of mail delivery. > I need to move part of the queued mail onto another Scanner. What is the > best way to do this while taking into consideration the mail already > unpacked and probably half processed? Why not redirect your incoming mail to the other server so it handles the load from now on, and leaves the existing one to chug its way through the queue without having to deal with anything new? That way you don't have to work out which mails are half-processed and you don't have the overhead of moving the mail files across your network either. Antony. -- "I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. It is NOT portable , and it probably never will support anything other than AT-harddisks, as that's all I have :-(." - Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991 From David.While at UCE.AC.UK Fri Sep 5 17:08:56 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:19:48 2006 Subject: Silent Viruses Message-ID: <107DE25EC0216C45AEF670016024245F644180@exchangea.staff.uce.ac.uk> They certainly get reported in my mailstats.pl David While -----Original Message----- From: Phil Iovino [mailto:phil@NXTEK.NET] Sent: Fri 05/09/2003 17:06 To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: Re: Silent Viruses Do silent viruses still get reported in the various mrtg scripts that monitor virus activity totals? > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Balicki > Sent: Friday, September 05, 2003 9:58 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Silent Viruses > > > >It is mentioned on the mailscanner website that "MailScanner knows > >about a list of viruses that" ... "fake "From" address". "... up to > >system administrators to keep this list up to date." How does one > >maintain this list (correctly)? > > Your MailScanner.conf has a line: > > Silent Viruses = blah blah blah > > Add Sobig to that line. (And other viruses as they crop up.) > > --J(K) > From steve.freegard at LBSLTD.CO.UK Fri Sep 5 17:11:24 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta Message-ID: <67D9E7698329D411936E00508B6590B902773AE1@neelix.lbsltd.co.uk> Scott, It seems like MailScanner can't find MailWatch.pm - double-check the "require 'MailScanner/MailWatch.pm';" line that you put in the top of CustomConfig.pm. This syntax seems to work okay for me, but I'm no Perl guru - have I done this correctly Julian?? Kind regards, Steve. -----Original Message----- 
From: Scott Tiret [mailto:stiret@ONEREDSHOE.NET] Sent: 05 September 2003 16:52 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta On Fri, 2003-09-05 at 08:08, Steve Freegard wrote: > Hi all, > > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch I'm having a bit of a problem. I updated from MailWatch 0.2 to 0.3 beta, but can't get past this part of the start up. MailScanner just keeps trying to start every 10 seconds. Sep 5 11:51:06 cort MailScanner[24504]: MailScanner E-Mail Virus Scanner version 4.24-1 starting... Sep 5 11:51:07 cort MailScanner[24504]: Config: calling custom init function MailWatchLogging Sep 5 11:51:16 cort MailScanner[24505]: MailScanner E-Mail Virus Scanner version 4.24-1 starting... Sep 5 11:51:17 cort MailScanner[24505]: Config: calling custom init function MailWatchLogging -- Scott Tiret Oneredshoe Network My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From ellis at KAZAKCOMPOSITES.COM Fri Sep 5 17:11:40 2003 
From: ellis at KAZAKCOMPOSITES.COM (Steve Ellis) Date: Thu Jan 12 21:19:48 2006 Subject: Bounced sobig passes thru MS and anti-virus checks Message-ID: <000f01c373c8$640db820$6600a8c0@Orthanc> Some automated replies, which also contained the Sobig virus, notifying users that they had sent an infected message apparently made it thru MS and anti-virus checks. The desktop AV package identified the message attachment as infected with Sobig.f. Directly sent Sobig messages are correctly handled both by MS checking the extension and by the anti-virus scan. Any suggestions as to where to start looking to determine why these messages made it thru? Steve Ellis Sr Engineer KaZaK Composites, Inc. 781.932.5667 x105 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/7ededbbe/attachment.html From errol.neal at ENHTECH.COM Fri Sep 5 17:13:04 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:48 2006
Subject: Sobig.F resurgence
In-Reply-To: <00b101c3735f$53743d40$640ba8c0@home.middlefinger.net>
References:
Message-ID: <5.1.0.14.0.20030905120818.1018da50@mail.enhtech.com>

Man that's tough! You are rejecting thank you messages?
The best way to deal with this stuff is with this:

##
# enable these for DNS blacklist protection from spam
##
dnl FEATURE(`dnsbl',`bl.spamcop.net', `"550 Mail from " $&{client_addr} " was rejected; please see http://www.spamcop.net/w3m?action=checkblock&ip=" $&{client_addr} "for additional details"')dnl
dnl FEATURE(`dnsbl',`proxies.relays.monkeys.com', `"550 Mail from " $&{client_addr} " was rejected; please see http://www.ordb.org/lookup/?host=" $&{client_addr} "for additional details"')dnl
dnl FEATURE(`dnsbl',`relays.osirusoft.com', `"550 Mail from " $&{client_addr} "was rejected; please see "')dnl
dnl FEATURE(`dnsbl',`rbl.maps.vix.com', `"550 Mail from " $&{client_addr} " was rejected; please see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr} "for additional details"')dnl
dnl FEATURE(`dnsbl',`dul.maps.vix.com')dnl
dnl FEATURE(`dnsbl',`blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr} " was rejected; please see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr} "for additional details"')dnl
dnl FEATURE(`dnsbl',`dialups.mail-abuse.org', `"550 Mail from " $&{client_addr}" was rejected; please see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr} "for additional details"')dnl
dnl FEATURE(`dnsbl',`relays.mail-abuse.org', `"550 Mail from " $&{client_addr}" was rejected; please see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr} "for additional details"')dnl
dnl
dnl FEATURE(`rhsbl',`dsn.rfc-ignorant.org', `550 You do not accept bounces violating RFC 821/2505/2821 - see http://www.rfc-ignorant.org/', `h')dnl
dnl FEATURE(`rhsbl',`postmaster.rfc-ignorant.org', `550 Mail rejected as your domain does not have a working postmaster address - see http://www.rfc-ignorant.org/', `h')dnl
dnl FEATURE(`rhsbl',`abuse.rfc-ignorant.org', `550 Mail rejected as your domain does not have a working abuse address - see http://www.rfc-ignorant.org/', `h')dnl
dnl FEATURE(`rhsbl',`whois.rfc-ignorant.org', `550 Mail rejected as your whois information does not exist or is obviously fictitous - see http://www.rfc-ignorant.org/', `h')dnl

Since most of these relays are already in rbls and dnsbl, it is easy to just reject them on the basis of the relaying server at the rcpt as opposed to parsing the message headers. This way, thank you messages from valid senders actually make it to your clients...

Errol Neal

At 10:39 PM 9/4/2003 -0500, you wrote:
>In sendmail.mc, I added this:
>
>
>LOCAL_RULESETS
>
># Reject all mail with Sobig subjects.
>HSubject: $>Check_subject
>D{Msobig1}That movie
>D{Msobig2}Wicked screensaver
>D{Msobig3}Your application
>D{Msobig4}Approved
>D{Msobig5}My details
>D{Msobig6}Details
>D{Msobig7}Thank you!
>D{Msobig8}Returned mail: see transcript for details
>D{Mmsg} Possible Sobig-F Virus - Please change subject
>
>SCheck_subject
>R${Msobig1} $*	$#error $: 550 ${Mmsg}
>RRE: ${Msobig1} $*	$#error $: 550 ${Mmsg}
>R${Msobig2} $*	$#error $: 550 ${Mmsg}
>RRE: ${Msobig2} $*	$#error $: 550 ${Mmsg}
>R${Msobig3} $*	$#error $: 550 ${Mmsg}
>RRE: ${Msobig3} $*	$#error $: 550 ${Mmsg}
>R${Msobig4} $*	$#error $: 550 ${Mmsg}
>RRE: ${Msobig4} $*	$#error $: 550 ${Mmsg}
>R${Msobig5} $*	$#error $: 550 ${Mmsg}
>RRE: ${Msobig5} $*	$#error $: 550 ${Mmsg}
>R${Msobig6} $*	$#error $: 550 ${Mmsg}
>RRE: ${Msobig6} $*	$#error $: 550 ${Mmsg}
>R${Msobig7} $*	$#error $: 550 ${Mmsg}
>RRE: ${Msobig7} $*	$#error $: 550 ${Mmsg}
>R${Msobig8} $*	$#error $: 550 ${Mmsg}
>RRE: ${Msobig8} $*	$#error $: 550 ${Mmsg}
>
>
>This was suggested on the list several days back and has been working very
>well.
>May I remind you that the white gaps in text above are tabs and not simply
>spaces.
>Run your .mc through m4 and then restart MailScanner.
>
>Mike
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Nathan Johanson
>Sent: Thursday, September 04, 2003 10:25 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Sobig.F resurgence
>
>
>Mike,
>
>Just curious...
>What Sendmail rule are you using to block them?
>We've been rejecting the most offending IP addresses with the access
>database, but as you might expect... It's a little like a moving target.
>
>Nathan
>
>-----Original Message-----
>From: Mike Kercher [mailto:mike@CAMAROSS.NET]
>Sent: Thursday, September 04, 2003 8:19 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Sobig.F resurgence
>
>
>The flow here has been trickling but steady. I am blocking LOTS of them
>with a sendmail rule though, so they never even make it to MailScanner.
>
>Mike
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of David Hooton
>Sent: Thursday, September 04, 2003 10:02 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Sobig.F resurgence
>
>
>Hi All,
>
>A little off topic, but we've started noticing about a 10 fold increase in
>Sobig.F traffic over the last 48 hours.
>
>Is anyone else noticing this?
>--
>Regards,
>
>David Hooton
>Senior Partner
>Platform Hosting
>1300 85 HOST
>www.platformhosting.com
>
>
>========================================================================
> This message has been scanned for viruses and unsafe content by
> Platform Mail Security
>
> To report SPAM forward the message to: spam@mailsecurity.net.au
> To report incorrectly tagged messages: notspam@mailsecurity.net.au
>
> Platform Mail Security www.mailsecurity.net.au
> Platform Hosting www.platformhosting.com
>
>========================================================================

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From errol.neal at ENHTECH.COM Fri Sep 5 17:16:27 2003
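The trade-off argued in the message above, as an added example that is not code from the thread: a simplified Python model of the quoted Check_subject rules next to a DNSBL check keyed on the connecting relay, run over constructed messages. The zone `dnsbl.example`, the listed address and all sample messages are assumptions; the "Your details" subject is the one reported in a Sobig.F notification elsewhere in this archive.

```python
import ipaddress
import re

# Subject phrases from the Check_subject ruleset quoted in the message above.
SOBIG_SUBJECTS = [
    "That movie", "Wicked screensaver", "Your application", "Approved",
    "My details", "Details", "Thank you!",
    "Returned mail: see transcript for details",
]

def normalise(text):
    """Collapse whitespace and lowercase (a rough stand-in for token matching)."""
    return " ".join(text.split()).lower()

def subject_rule_rejects(subject):
    """Simplified model of the ruleset: reject when the subject, after one
    optional leading "RE:", begins with a listed phrase on a word boundary."""
    s = re.sub(r"^re\s*:\s*", "", normalise(subject), count=1)
    for phrase in map(normalise, SOBIG_SUBJECTS):
        if s.startswith(phrase):
            rest = s[len(phrase):]
            if not rest or not (phrase[-1].isalnum() and rest[0].isalnum()):
                return True
    return False

def dnsbl_query_name(client_ip, zone):
    """Name looked up for a DNSBL check: reversed IPv4 octets under the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_rejects(client_ip, zone, listed_names):
    """listed_names stands in for the DNS lookup so the example runs offline."""
    return dnsbl_query_name(client_ip, zone) in listed_names

ZONE = "dnsbl.example"                   # placeholder zone (assumption)
LISTED = {"45.113.0.203.dnsbl.example"}  # constructed listing for 203.0.113.45

# Constructed sample traffic: (connecting relay, Subject, wanted by recipient?)
MESSAGES = [
    ("192.0.2.10", "Thank you! for the quick quote", True),
    ("192.0.2.10", "Details of Friday's meeting", True),
    ("198.51.100.7", "Detailed agenda", True),
    ("203.0.113.45", "Re: Details", False),
    ("203.0.113.45", "Your details", False),
    ("198.51.100.99", "Your details", False),
]

def evaluate(messages=MESSAGES):
    """Apply both policies to every message and record each decision."""
    return [
        {
            "subject": subject,
            "wanted": wanted,
            "subject_rule": subject_rule_rejects(subject),
            "dnsbl": dnsbl_rejects(ip, ZONE, LISTED),
        }
        for ip, subject, wanted in messages
    ]

def summary(rows, policy):
    """Return (wanted mail rejected, unwanted mail accepted) for one policy."""
    false_pos = [r["subject"] for r in rows if r["wanted"] and r[policy]]
    false_neg = [r["subject"] for r in rows if not r["wanted"] and not r[policy]]
    return false_pos, false_neg

if __name__ == "__main__":
    rows = evaluate()
    for policy in ("subject_rule", "dnsbl"):
        fp, fn = summary(rows, policy)
        print(policy, "rejects wanted:", fp, "accepts unwanted:", fn)
```

Neither policy stops the last message, which arrives from an unlisted relay with a subject the rules do not cover, so the content scan behind the MTA still has to catch it.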
From: errol.neal at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:19:48 2006 Subject: Moving Mail between Scanners In-Reply-To: <200309051608.h85G8R503414@onyx.rockstone.co.uk> References: <5.1.0.14.0.20030905115016.03d8c008@mail.enhtech.com> <5.1.0.14.0.20030905115016.03d8c008@mail.enhtech.com> Message-ID: <5.1.0.14.0.20030905121452.101176b0@mail.enhtech.com> Already did that. SMTP is shutdown at this point and I am only delivering messages already queued in /var/spool/mqueue or those going to be queued there by MailScanner. But that does not deal with the fact that it will take the server several hours to deliver all of that mail and my clients being disappointed. Errol At 05:08 PM 9/5/2003 +0100, you wrote: >On Friday 05 September 2003 4:51 pm, Errol Neal wrote: > > > Hi all, > > > > I have a MailScanner that is about 13 hrs behind in terms of mail delivery. > > I need to move part of the queued mail onto another Scanner. What is the > > best way to do this while taking into consideration the mail already > > unpacked and probably half processed? > >Why not redirect your incoming mail to the other server so it handles the >load from now on, and leaves the existing one to chug its way through the >queue without having to deal with anything new? > >That way you don't have to work out which mails are half-processed and you >don't have the overhead of moving the mail files across your network either. > >Antony. > >-- > >"I'm doing a (free) operating system (just a hobby, won't be big and >professional like gnu) for 386(486) AT clones. > >It is NOT portable , and it probably never will support anything other than >AT-harddisks, as that's all I have :-(." > > - Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991 Errol Neal, Systems/Network Administrator eneal@enhtech.com Enhanced Technologies Inc. http://www.enhtech.com 703-924-0301 or 800-368-3249 703-924-0302 Fax From dh at UPTIME.AT Fri Sep 5 17:19:57 2003 
From: dh at UPTIME.AT (David)
Date: Thu Jan 12 21:19:48 2006
Subject: how to set up an RBL
In-Reply-To:
Message-ID:

On Friday, September 5, 2003, at 04:14, Raymond Dijkxhoorn wrote:
> Hi!
>
>> I have a small RBL and domain, spambites.net. I am making it
>> 'subscription'
>> only, and it will be manually administered, as far as entries. Either
>> a web form, or email submission. Entries will be 'expired' after so
>> many
>> days, depending on why it was entered (SPAM, open relay, etc).
>>
>> So, if any one is serious about this, I've got the framework in place.
>
>>> We all try to fight spam, we all see the spammers coming in, so we
>>> only
>>> need an interface to get things in.
>>>
>>> Are there people interested in that idea ?
>
> I am surely interested, please submit me some info offlist.
>
same goes for me.
Thanks
-d
--
nee amata wo mitsukete soshite midoto wasrezu domma mi mumega itakutemo soba mi iru mo zutto...zutto...zutto

From Kevin.Spicer at BMRB.CO.UK Fri Sep 5 17:23:12 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:48 2006 Subject: Sobig.F resurgence Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496A9@pascal.priv.bmrb.co.uk> Errol Neal wrote: > Man that's tough! You are rejecting thank you messages? > The best way to deal with this stuff is with this: > >FEATURE(`dnsbl',`relays.osirusoft.com', `"550 Mail > from " $&{client_addr} "was rejected; please see "') You might like to review the list of relays you are using BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From lance at WARE.NET Fri Sep 5 17:20:22 2003 From: lance at WARE.NET (Lance Ware) Date: Thu Jan 12 21:19:48 2006 Subject: Virus scanning/updates (clam) not happening after upgrade to 4.23-11 In-Reply-To: A<200309051522.h85FMxr14769@ori.rl.ac.uk> Message-ID: <200309051621.h85GLRr27458@ori.rl.ac.uk> Julian, I didn't seem to have any ".rpmnew" files. I also didn't have a lib directory in /etc/MailScanner. I downloaded the Solaris tar file and didn't find any there, or elsewhere also. What's the safest way to get to a current config while keeping my old changes? TIA, Lance -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Lance Ware Sent: Friday, September 05, 2003 8:22 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Virus scanning/updates (clam) not happening after upgrade to 4.23-11 Ok I'll try that, although I don't seem to have an /etc/MailScanner/lib. Guess I'll get it from the generic tar file. I fixed it temporarily by moving the new 3 column virus.scanners.conf into etc and manually editing the clam wrapper to the correct path for clamscan. Editing virus.scanners.conf didn't seem to help. TIA, Lance -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Friday, September 05, 2003 12:54 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Virus scanning/updates (clam) not happening after upgrade to 4.23-11 Look in /etc/MailScanner/lib and rename all the ".rpmnew" files over the top of your modified files. Then if you have the scanner installed in a non-default location (which is probably why you edited the scripts in the first place), edit /etc/MailScanner/virus.scanners.conf and fix the paths in there. I have moved all the configuration out of the scripts and into virus.scanners.conf to make things neater. At 06:51 05/09/2003, you wrote: >Hi folks, > > > >Im scratching my head. I recently upgraded from 4.22-5 to 4.23-11 and I >seem to have lost my virus scanning and updates. > > > >Any hints or tips? > > > >My upgrade process including building a new box and moving my config files >over. > > > >Thanks. > > > >Lance > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Kevin.Spicer at BMRB.CO.UK Fri Sep 5 17:26:51 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:48 2006 Subject: Sobig.F resurgence Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496AA@pascal.priv.bmrb.co.uk> Spicer, Kevin wrote: > Errol Neal wrote: >> Man that's tough! You are rejecting thank you messages? >> The best way to deal with this stuff is with this: >> >> FEATURE(`dnsbl',`relays.osirusoft.com', `"550 Mail >> from " $&{client_addr} "was rejected; please see "') > > You might like to review the list of relays you are using > doh! Just goes to show I shouldn't mail the list while I'm on the phone! I meant blacklists not relays of course! BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From stiret at ONEREDSHOE.NET Fri Sep 5 17:36:08 2003 
From: stiret at ONEREDSHOE.NET (Scott Tiret)
Date: Thu Jan 12 21:19:48 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
In-Reply-To: <67D9E7698329D411936E00508B6590B902773AE1@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773AE1@neelix.lbsltd.co.uk>
Message-ID: <1062779768.3080.20.camel@alain.oneredshoe.net>

On Fri, 2003-09-05 at 12:11, Steve Freegard wrote:
> Scott,
>
> It seems like MailScanner can't find MailWatch.pm - double-check the
> "require 'MailScanner/MailWatch.pm';" line that you put in the top of
> CustomConfig.pm.

Thanks Steve, I worked it out. I had the require 'MailScanner/MailWatch.pm'; BEFORE the package MailScanner::CustomConfig; I interpreted near the top with at the top. I moved it below the package MailScanner::CustomConfig; and it seems to work fine now.

INCORRECT:
require 'MailScanner/MailWatch.pm';
package MailScanner::CustomConfig;

CORRECT
package MailScanner::CustomConfig;
require 'MailScanner/MailWatch.pm';

Thanks again,
--
Scott Tiret
Oneredshoe Network
My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc

From stiret at ONEREDSHOE.NET Fri Sep 5 17:47:32 2003
From: stiret at ONEREDSHOE.NET (Scott Tiret) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> Message-ID: <1062780451.3080.25.camel@alain.oneredshoe.net> On Fri, 2003-09-05 at 08:08, Steve Freegard wrote: > Hi all, > > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch There seem to be some permission issues on the quarantine folders. They are owned by root, but need to be opened and used by others. What are the correct permissions for the /var/spool/MailScanner/quarantine folder? drwx------ 37 root root 4096 Sep 5 12:05 quarantine MailWatch cannot open the folders when they are like this. -- Scott Tiret Oneredshoe Network My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/8a61835a/attachment.bin From errol.neal at ENHTECH.COM Fri Sep 5 17:49:09 2003 
From: errol.neal at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:19:49 2006 Subject: Sobig.F resurgence In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016496AA@pascal.priv.bmrb. co.uk> Message-ID: <5.1.0.14.0.20030905124840.04093a08@mail.enhtech.com> Actually, no longer using osi, it is commented out in the .mc but I have not removed it. At 05:26 PM 9/5/2003 +0100, you wrote: >Spicer, Kevin wrote: > > Errol Neal wrote: > >> Man that's tough! You are rejecting thank you messages? > >> The best way to deal with this stuff is with this: > >> > >> FEATURE(`dnsbl',`relays.osirusoft.com', `"550 Mail > >> from " $&{client_addr} "was rejected; please see "') > > > > You might like to review the list of relays you are using > > >doh! Just goes to show I shouldn't mail the list while I'm on the >phone! I meant blacklists not relays of course! > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. Errol Neal, Systems/Network Administrator eneal@enhtech.com Enhanced Technologies Inc. http://www.enhtech.com 703-924-0301 or 800-368-3249 703-924-0302 Fax From stiret at ONEREDSHOE.NET Fri Sep 5 17:50:35 2003 
From: stiret at ONEREDSHOE.NET (Scott Tiret) Date: Thu Jan 12 21:19:49 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> Message-ID: <1062780635.3080.28.camel@alain.oneredshoe.net> On Fri, 2003-09-05 at 08:08, Steve Freegard wrote: > Hi all, > > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch There are a couple of leftover php pages from 0.2 that are still a problem. rep_top_recipients_by_quantity.php rep_top_recipients_by_volume.php Both of these reports do not display the graph correctly. Thanks, -- Scott Tiret Oneredshoe Network My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/57cc1b96/attachment.bin From stiret at ONEREDSHOE.NET Fri Sep 5 17:54:52 2003 
From: stiret at ONEREDSHOE.NET (Scott Tiret) Date: Thu Jan 12 21:19:49 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <1062780451.3080.25.camel@alain.oneredshoe.net> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> <1062780451.3080.25.camel@alain.oneredshoe.net> Message-ID: <1062780892.3080.32.camel@alain.oneredshoe.net> On Fri, 2003-09-05 at 12:47, Scott Tiret wrote: > On Fri, 2003-09-05 at 08:08, Steve Freegard wrote: > > Hi all, > > > > I've (finally!) released a beta of 0.3 - you can download it from > > http://www.sourceforge.net/projects/mailwatch > > There seem to be some permission issues on the quarantine folders. They > are owned by root, but need to be opened and used by others. What are > the correct permissions for the /var/spool/MailScanner/quarantine > folder? Never Mind. I've just read through the INSTALL file. The permissions issue wasn't addressed in the UPGRADING file. Sorry. -- Scott Tiret Oneredshoe Network My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/d777d80a/attachment.bin From gerry at dorfam.ca Fri Sep 5 18:15:00 2003 
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:19:49 2006
Subject: Missed virus?
Message-ID: <63374.129.80.22.143.1062782100.squirrel@tiger.dorfam.ca>

I am comparing two separate virus notifications and can't figure out why there is a difference. In the first message below F-Prot and Trend each found the Sobig.F virus. However it was missed by ClamAV and MailScanner didn't complain about the file type. In the second message ClamAV, F-Prot, and Trend found the same virus AND MailScanner flagged the filename.

It appears that the actual problem file was hidden from ClamAV and MailScanner in the first message by sticking it in a txt file. Is this the reason for the difference? In other words, this is a serious shortcoming for those only running ClamAV.

Gerry

Message 1

Sender: mailer-daemon@twista.freelimit.com
IP Address: 127.0.0.1
Recipient: bdoris@localhost
Subject: Mail delivery failed: returning message to sender
MessageID: h85GKCv7010242
Report:
F-Prot: /var/spool/MailScanner/incoming/6184/h85GKCv7010242/msg-6184-52.txt->document_all.pif Infection: W32/Sobig.F@mm
Trend: Found virus WORM_SOBIG.F in file ./h85GKCv7010242/msg-6184-52.txt

Message 2

Sender: 7uifbbly6@compuserve.com
IP Address: 127.0.0.1
Recipient: bdoris@localhost
Subject: Your details
MessageID: h85GUEv7010704
Report:
ClamAV: document_9446.pif contains Worm.Sobig.F
F-Prot: /var/spool/MailScanner/incoming/6184/h85GUEv7010704/document_9446.pif Infection: W32/Sobig.F@mm
Trend: Found virus WORM_SOBIG.F in file ./h85GUEv7010704/document_9446.pif
MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (document_9446.pif)
No programs allowed (document_9446.pif)

From stiret at ONEREDSHOE.NET Fri Sep 5 18:16:19 2003
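The difference between the two reports above, as an added example that is not MailScanner or ClamAV code: a Python sketch of a filename check that also re-parses plain-text bodies for a quoted MIME message. It assumes the bounce carried the original message inline as text, which is what the F-Prot path `msg-6184-52.txt->document_all.pif` suggests; the deny list, addresses and both sample messages are constructed, and the payload is a harmless placeholder.

```python
import email
import re

# Sample deny list for attachment filenames (assumption, not the site's rules).
DENIED_EXTENSIONS = (".pif", ".scr", ".exe", ".bat")

# A header-looking line that starts right after a blank line (or at the top).
HEADER_START = re.compile(r"(?:\A|\n[ \t]*\n)(?=[A-Za-z-]+:[ \t])")

def attachment_names(msg):
    """Filenames declared by any MIME part of an already parsed message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def embedded_messages(msg):
    """Re-parse text/plain parts that quote a whole multipart message inline."""
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        text = part.get_payload(decode=True).decode("latin-1")
        for match in HEADER_START.finditer(text):
            candidate = email.message_from_string(text[match.end():])
            if candidate.is_multipart():   # real headers plus a usable boundary
                found.append(candidate)
                break
    return found

def scan(raw):
    """Denied filenames seen by a plain MIME walk and by the nested re-parse."""
    msg = email.message_from_string(raw)
    nested = [n for inner in embedded_messages(msg) for n in attachment_names(inner)]

    def denied(names):
        return [n for n in names if n.lower().endswith(DENIED_EXTENSIONS)]

    return {"top_level": denied(attachment_names(msg)), "embedded": denied(nested)}

# Constructed sample: a directly sent message with a .pif attachment.
DIRECT = """\
Return-path: <sender@client.example>
From: sender@client.example
To: nobody@remote.example
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000"

--_NextPart_000
Content-Type: text/plain

Please see the attached file for details.
--_NextPart_000
Content-Type: application/octet-stream; name="document_all.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document_all.pif"

Y29uc3RydWN0ZWQ=
--_NextPart_000--
"""

# Constructed sample: a bounce that quotes the same message as plain text.
BOUNCE = """\
From: Mail Delivery System <mailer-daemon@mta.example>
To: bdoris@localhost
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.
A message that you sent could not be delivered to nobody@remote.example.

------ This is a copy of the message, including all the headers. ------

""" + DIRECT

if __name__ == "__main__":
    print("direct:", scan(DIRECT))
    print("bounce:", scan(BOUNCE))
```

A walk over the bounce's own MIME structure finds a single text part and no filename, so a filename rule has nothing to match until the quoted message is parsed as well.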
From: stiret at ONEREDSHOE.NET (Scott Tiret) Date: Thu Jan 12 21:19:49 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> Message-ID: <1062782179.3080.35.camel@alain.oneredshoe.net> On Fri, 2003-09-05 at 08:08, Steve Freegard wrote: > Hi all, > > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch There is a problem with Cron /usr/sbin/mailq.php. Have I done something else wrong? >
> Warning: main(/var/www/html/mailwatch/mailscanner/functions.php): failed to open stream: No such file or directory in /usr/sbin/mailq.php on line 22
>
> Fatal error: main(): Failed opening required '/var/www/html/mailwatch/mailscanner/functions.php' (include_path='.:/usr/share/pear') in /usr/sbin/mailq.php on line 22
--
Scott Tiret
Oneredshoe Network
My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc

From mailscanner at LISTS.COM.AR Fri Sep 5 18:21:29 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:49 2006
Subject: Moving Mail between Scanners
In-Reply-To: <5.1.0.14.0.20030905115016.03d8c008@mail.enhtech.com>
Message-ID: <3F589BE9.27286.116BF7C@localhost>

Well... you can't have it all, that is, some of the mail "in process" will have to be reprocessed, but you will (quite probably) not lose any message by following this procedure:

As the standard init.d script doesn't allow for individual service handling, the easiest way to keep the output queue being processed while leaving everything else stopped (so the input queue which you'll be fiddling with doesn't get corrupted) is the following:

service MailScanner stop

(wait 10 seconds approx., given that MailScanner processes take a while)

this will have stopped everything. Regretfully, the half-processed messages at this point are discarded, but they will be processed again later. This will include at most "Max Children" messages (as configured in your MailScanner.conf file, default=5). It is a relatively small price.

Now keep the outgoing sendmail (or whatever mta you're using) going:

service MailScanner startout

Now you have to look in the incoming queue directory(ies) (they're specified in MailScanner.conf as "Incoming Queue Dir =") and take the files from there to the other servers (you can include the current server among the ones that get part of the share).

If you're using a 2-file queue MTA (sendmail or Exim) you have to move the files in pairs (q file & d file).

Suppose you have:

qf200309051122335321
df200309051122335321
qf200309051122333161
df200309051122333161
qf200309051122412612
df200309051122412612

you can decide to move the qf200309051122335321+df200309051122335321 pair to server1, the qf200309051122333161+df200309051122333161 pair to server2 and leave qf200309051122412612+df200309051122412612 in the current server (server0).

First move the files you will move out from /var/spool/mqueue.in (or whatever incoming queue directory) to some place else.

Create the following directories in the _SAME_ filesystem as your incoming queue directory:

mkdir /var/spool/migrate.2.server1
mkdir /var/spool/migrate.2.server2

mv qf200309051122335321 df200309051122335321 /var/spool/migrate.2.server1
mv qf200309051122333161 df200309051122333161 /var/spool/migrate.2.server2

(you'll have to script this reasonably and not do it manually).

Once you've taken these queue files off the incoming spool, you can start all of MailScanner in server0 so it keeps processing.

service MailScanner start

In the destination servers, create one new directory in the _SAME_ filesystem as the incoming queue dir (it is _KEY_ for this to work that everything is in the same filesystem):

mkdir /var/spool/migrated.from.server0

Now, copy the files to the new servers:

scp /var/spool/migrate.2.server1/* server1:/var/spool/migrated.from.server0
scp /var/spool/migrate.2.server2/* server2:/var/spool/migrated.from.server0

Now in each of the new servers do:

mv /var/spool/migrated.from.server0/df* /var/spool/mqueue.in
mv /var/spool/migrated.from.server0/qf* /var/spool/mqueue.in

The order is important, since MailScanner first looks for the qf file and then for the df file, so, by the time the qf file is found, you are sure that the corresponding qf file is already there. The "mv" inside a filesystem guarantees you that the file is complete by the time it is inserted in the queue directory.

On 5 Sep 2003 at 11:51, Errol Neal wrote:
> Hi all,
>
> I have a MailScanner that is about 13 hrs behind in terms of mail delivery.
> I need to move part of the queued mail onto another Scanner. What is the
> best way to do this while taking into consideration the mail already
> unpacked and probably half processed?
>
>
> Errol Neal
>
> Errol Neal, Systems/Network Administrator
> eneal@enhtech.com
> Enhanced Technologies Inc.
> http://www.enhtech.com
> 703-924-0301 or 800-368-3249
> 703-924-0302 Fax

--
Mariano Absatz
El Baby
----------------------------------------------------------
Lottery: A tax on people who are bad at math.

From Kevin_Miller at CI.JUNEAU.AK.US Fri Sep 5 18:27:39 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:19:49 2006
Subject: Sobig.F resurgence
Message-ID: <08146035CA49D6119A36009027AC822A0264E71A@CITY-EXCH-NTS>

>Man that's tough! You are rejecting thank you messages?
>The best way to deal with this stuff is with this:
>
>
>##
># enable these for DNS blacklist protection from spam
>##
>dnl FEATURE(`dnsbl',`bl.spamcop.net', `"550 Mail from "

snip

Am I correct in thinking these are strictly sendmail actions and that they occur when the smtp server is first contacted, thus saving MS of having to do the grunt work? If so, do you just ignore, or leave blank the RBL entries in the MS configuration?

...Kevin
-------------------
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Administrator, Mail Administrator
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From raymond at PROLOCATION.NET Fri Sep 5 18:31:02 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:49 2006
Subject: Sobig.F resurgence
In-Reply-To: <5.1.0.14.0.20030905120818.1018da50@mail.enhtech.com>
Message-ID:

Hi!

> dnl FEATURE(`dnsbl',`relays.osirusoft.com', `"550 Mail from "
> $&{client_addr} "was rejected; please see "')dnl

Haha, you must have a load of spam if this is your current config =)

Bye,
Raymond.

From gerry at dorfam.ca Fri Sep 5 18:33:10 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:19:49 2006
Subject: Bounced sobig passes thru MS and anti-virus checks
In-Reply-To: <000f01c373c8$640db820$6600a8c0@Orthanc>
References: <000f01c373c8$640db820$6600a8c0@Orthanc>
Message-ID: <64754.129.80.22.133.1062783190.squirrel@tiger.dorfam.ca>

> Some automated replies, which also contained the Sobig virus, notifying
> users that they had sent an infected message apparently made it thru MS
> and anti-virus checks. The desktop AV package identified the message
> attachment as infected with Sobig.f. Directly sent Sobig messages are
> correctly handled both by MS checking the extension and by the
> anti-virus scan.
>
>
>
> Any suggestions as to where to start looking to determine why these
> messages made it thru?
>
>
>
>
>
> Steve Ellis
>
> Sr Engineer
>
> KaZaK Composites, Inc.
>
> 781.932.5667 x105

I just sent a message to the list where I described two different Sobig.F virus emails arriving at my system. One was picked up by F-Prot and Trend and the other was picked up by F-Prot, Trend, and ClamAV. Also, MailScanner flagged the filename in the second message but missed the first.

It appears that the actual virus file was contained within another file in the first message. While I expected that MailScanner wouldn't see the problem file name I wasn't aware that ClamAV would just pass the entire mess right through!

Gerry

From steve.freegard at LBSLTD.CO.UK Fri Sep 5 18:34:54 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:19:49 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
Message-ID: <67D9E7698329D411936E00508B6590B902773AE5@neelix.lbsltd.co.uk>

Hi Scott,

It looks like you need to edit the require line in mailq.php to reflect the real location of functions.php - probably something like /var/www/html/mailscanner/functions.php.

I'll add this to the docs.

Regards,
Steve.

-----Original Message-----
From: Scott Tiret
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: 05/09/03 18:16
Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta

On Fri, 2003-09-05 at 08:08, Steve Freegard wrote:
> Hi all,
>
> I've (finally!) released a beta of 0.3 - you can download it from
> http://www.sourceforge.net/projects/mailwatch

There is a problem with Cron /usr/sbin/mailq.php. Have I done something else wrong?

>
> Warning: main(/var/www/html/mailwatch/mailscanner/functions.php): failed to open stream: No such file or directory in /usr/sbin/mailq.php on line 22
>
> Fatal error: main(): Failed opening required '/var/www/html/mailwatch/mailscanner/functions.php' (include_path='.:/usr/share/pear') in /usr/sbin/mailq.php on line 22
--
Scott Tiret
Oneredshoe Network
My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From kevins at BMRB.CO.UK Fri Sep 5 18:35:51 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Sobig.F resurgence
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A79F4@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A79F4@pascal.priv.bmrb.co.uk>
Message-ID: <1062783354.24760.15.camel@bach.kevinspicer.co.uk>

On Fri, 2003-09-05 at 17:49, Errol Neal wrote:

>Actually, no longer using osi, it is commented out in the .mc but I
>have
>not removed it.

Sorry, yes that's quite clear now I look more carefully.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From errol.neal at ENHTECH.COM Fri Sep 5 18:39:25 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:49 2006
Subject: Sobig.F resurgence
In-Reply-To: <08146035CA49D6119A36009027AC822A0264E71A@CITY-EXCH-NTS>
Message-ID: <5.1.0.14.0.20030905133800.100edde0@mail.enhtech.com>

Yep you are correct.
This is done at the rcpt before mail is even queued. This will save you a lot of load and cpu. If you want sendmail to do this, just disable rbl checks in your spamassassin.prefs file in your MailScanner directory.

At 09:27 AM 9/5/2003 -0800, you wrote:

> >Man that's tough! You are rejecting thank you messages?
> >The best way to deal with this stuff is with this:
> >
> >
> >##
> ># enable these for DNS blacklist protection from spam
> >##
> >dnl FEATURE(`dnsbl',`bl.spamcop.net', `"550 Mail from "
>snip
>
>Am I correct in thinking these are strictly sendmail actions and that they
>occur when the smtp server is first contacted, thus saving MS of having to
>do the grunt work? If so, do you just ignore, or leave blank the RBL
>entries in the MS configuration?
>
>...Kevin
>-------------------
>Kevin Miller                Registered Linux User No: 307357
>CBJ MIS Dept.               Network Systems Administrator, Mail
>Administrator
>155 South Seward Street     ph: (907) 586-0242
>Juneau, Alaska 99801        fax: (907 586-4500

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From kevins at BMRB.CO.UK Fri Sep 5 18:42:06 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Missed virus?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A79F7@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A79F7@pascal.priv.bmrb.co.uk>
Message-ID: <1062783727.24760.22.camel@bach.kevinspicer.co.uk>

On Fri, 2003-09-05 at 18:15, Gerry Doris wrote:

>I am comparing two separate virus notifications and can't figure out why
>there is a difference. In the first message below F-Prot and Trend each
>found the Sobig.F virus. However it was missed by ClamAV and
>MailScanner
>didn't complain about the file type.

It looks like the message is a bounce and the txt file is in fact the original message.
MailScanner's blocking rules only look at the top level attachment IIRC, but the virus is in a second level (just like putting it in a zip file).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From slwatts at WINCKWORTHS.CO.UK Fri Sep 5 18:42:22 2003
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:19:49 2006
Subject: OT: - holding mail for a particular domain
Message-ID:

Hi,

I know this is off topic as it only really relates to the MTA but wondered if anyone could help.

Using postfix 2 is it possible to stop delivery of all mail to a domain and hold it until the block is released?

Thanks and sorry for posting this here but Kinda desperate!

Sam

-----Original Message-----
From: Tim Sailer [mailto:sailer@BNL.GOV]
Sent: 05 September 2003 16:22
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: how to set up an RBL

On Fri, Sep 05, 2003 at 04:14:34PM +0200, Raymond Dijkxhoorn wrote:
> Hi!
>
> > I have a small RBL and domain, spambites.net. I am making it
> > 'subscription' only, and it will be manually administered, as far as
> > entries. Either a web form, or email submission. Entries will be
> > 'expired' after so many days, depending on why it was entered (SPAM,
> > open relay, etc).
> >
> > So, if any one is serious about this, I've got the framework in
> > place.
>
> > > We all try to fight spam, we all see the spammers comming in, so
> > > we only need a interface to get things in.
> > >
> > > Are there people interested in that idea ?
>
> I am surely interested, please submit me some info offlist.

OK, basic rules, that I'm just starting to flesh out is:

Don't abuse the system.
Keep a local DNS zone running (to save my connection).

I can add you to the email alias I'm using as a starting point, so interested parties can bang around ideas. Let me know.

Tim

--
Tim Sailer
Information and Special Technologies Program
Office of CounterIntelligence
Brookhaven National Laboratory (631) 344-3001

--------------
Winckworth Sherwood
Solicitors and Parliamentary Agents
DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR
Telephone 020 7593 5000 Fax 020 7593 5099

Do something amazing! The firm is supporting a charitable bike ride through Vietnam and needs your help. For further information please visit http://www.vietnambikeride.org

-Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system.
-Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email.
-Regulation- The firm is regulated by the Law Society.
-Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at http://www.winckworths.co.uk

From errol.neal at ENHTECH.COM Fri Sep 5 18:46:53 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:49 2006
Subject: Using Bayesian Engine
Message-ID: <5.1.0.14.0.20030905134507.040efe40@mail.enhtech.com>

Hi again all,

Trying to optimize my "babies" :-)

What are the disadvantages of disabling the "Bayesian" engine? The notes in the Advanced Spam Assassin config say that it is a real resource hog.
Will I notice a difference in the amount of spam that is actually blocked?

Regards,

Errol

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From slwatts at WINCKWORTHS.CO.UK Fri Sep 5 18:53:53 2003
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:19:49 2006
Subject: - holding mail for a particular domai - found it
Message-ID:

Sorry - I have found a way... Not sure if it's correct but it appears to work:

Re-write the transport mapping for that domain to use 'defer:'

Sam

-----Original Message-----
From: Samuel Luxford-Watts [mailto:slwatts@WINCKWORTHS.CO.UK]
Sent: 05 September 2003 18:42
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: OT: - holding mail for a particular domain

Hi,

I know this is off topic as it only really relates to the MTA but wondered if anyone could help.

Using postfix 2 is it possible to stop delivery of all mail to a domain and hold it until the block is released?

Thanks and sorry for posting this here but Kinda desperate!

Sam

-----Original Message-----
From: Tim Sailer [mailto:sailer@BNL.GOV]
Sent: 05 September 2003 16:22
To: MAILSCANNER@JISCMAIL.AC.UK
Sub

--------------
Winckworth Sherwood
Solicitors and Parliamentary Agents
DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR
Telephone 020 7593 5000 Fax 020 7593 5099

From mikea at MIKEA.ATH.CX Fri Sep 5 18:59:01 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:19:49 2006
Subject: Using Bayesian Engine
In-Reply-To: <5.1.0.14.0.20030905134507.040efe40@mail.enhtech.com>; from errol.neal@ENHTECH.COM on Fri, Sep 05, 2003 at 01:46:53PM -0400
References: <5.1.0.14.0.20030905134507.040efe40@mail.enhtech.com>
Message-ID: <20030905125900.A77097@mikea.ath.cx>

On Fri, Sep 05, 2003 at 01:46:53PM -0400, Errol Neal wrote:
> Hi again all,
>
> Trying to optimize my "babies" :-)
>
> What are the disadvantages of disabling the "Bayesian" engine? The notes in
> the Advanced Spam Assassin config say that it is a real resource hog.
> Will I notice a difference in the amount of spam that is actually blocked?

You may indeed, though I won't guarantee it. I certainly did -- by a *MUCH* bigger factor than I had expected.

Which is the bigger resource hog: spam or the spam-filtering machine? I save a lot of resources for my users by filtering their mail for them, and they're _ever_ so glad I do.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From mailscanner at LISTS.COM.AR Fri Sep 5 19:05:44 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:49 2006
Subject: Filename Subject Text vs. Content Subject Text
Message-ID: <3F58A648.16303.13F40ED@localhost>

Hi,

I'm using MS 4.23-11 with SA 2.55.

It seems MS is somehow confusing "Filename Subject Text" with "Content Subject Text".
I have the following settings:

Allow IFrame Tags = no
Log IFrame Tags = yes
Allow Form Tags = no
Allow Object Codebase Tags = no
Filename Modify Subject = no
Filename Subject Text = {Nombre de archivo anexo prohibido}
Content Modify Subject = yes
Content Subject Text = {Contenido potencialmente peligroso}

And, when getting a message with IFrame, it added the "Filename Subject Text" instead of the "Content Subject Text" I expected.

Here's the log:

Sep 5 14:43:51 or MX[4995]: New Batch: Scanning 1 messages, 43452 bytes
Sep 5 14:43:51 or MX[4995]: Spam Checks: Starting
Sep 5 14:43:54 or MX[4995]: Virus and Content Scanning: Starting
Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-156.html (no rule matched)
Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-155.txt
Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-155.txt
Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-156.html
Sep 5 14:43:54 or MX[4995]: HTML IFrame tag found in message 1221617 from boletininformar@redinformar.com.ar
Sep 5 14:43:54 or MX[4995]: Content Checks: Detected HTML-specific exploits in 1221617
Sep 5 14:43:54 or MX[4995]: Content Checks: Found 1 problems
Sep 5 14:43:54 or MX[4995]: ZM: message 1221617 renamed into 1156463
Sep 5 14:43:54 or MX[4995]: Silent: Delivered 1 messages containing silent viruses

And the modified was:

{Nombre de archivo anexo prohibido} RI-Boletín Informar Computación: Año 1 - Número 51 - SEPTIEMBRE 5, 2003

Are these entries mixed up?

--
Mariano Absatz
El Baby
----------------------------------------------------------
"Walking on water and developing software from a specification are easy if both are frozen."
-- Edward V. Berard, "Life-Cycle Approaches"

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 19:19:24 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:49 2006
Subject: Missed virus?
In-Reply-To: <1062783727.24760.22.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A79F7@pascal.priv.bmrb.co.uk> <1062783727.24760.22.camel@bach.kevinspicer.co.uk>
Message-ID: <200309051819.h85IJT504407@onyx.rockstone.co.uk>

On Friday 05 September 2003 6:42 pm, Kevin Spicer wrote:

> On Fri, 2003-09-05 at 18:15, Gerry Doris wrote:
> > I am comparing two separate virus notifications and can't figure out
> > why there is a difference. In the first message below F-Prot and Trend
> > each found the Sobig.F virus. However it was missed by ClamAV and
> > MailScanner didn't complain about the file type.
>
> It looks like the message is a bounce and the txt file is in fact the
> original message. MailScanner's blocking rules only look at the top
> level attachment IIRC, but the virus is in a second level (just like
> putting it in a zip file).

This doesn't sound like a plausible explanation to me.

I thought MailScanner recursively checked archives/zips/etc until it found a 'real file' to check for being a virus or not.

I just tested this by taking eicar.com, tar-gzipping it, then winzipping the tgz file, then bzip2-ing the winzip file, and emailing myself the .bz2 file.

Eicar got found by ClamAV, AntiVir and McAfee (which, with the AV engines I run on this mail server, means it got missed by BitDefender, F-Prot, Inoculan, Kaspersky and NOD32).

Not a good result (but I notice ClamAV, which the original posting was about, did see it).

Antony.

--
90% of network problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

From errol.neal at ENHTECH.COM Fri Sep 5 19:24:15 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:49 2006
Subject: Real Expectations..
Message-ID: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com>

Hi again..

My boss is giving me headaches about the performance of our MailScanners.
What kind of performance should one expect on Sun Solaris 500 mhz sparc with 512 ram and ide disks running 4.22-4?
I think right now we are pumping out somewhere in the neighborhood of 300-500 messages per hour. I think that is reasonable for the hardware we have and these systems are dedicated Scanners.
Can someone throw some hardware templates at me based upon their experiences and give me some numbers?

Errol

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 19:27:58 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:49 2006
Subject: Missed virus?
In-Reply-To: <200309051819.h85IJT504407@onyx.rockstone.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A79F7@pascal.priv.bmrb.co.uk> <1062783727.24760.22.camel@bach.kevinspicer.co.uk> <200309051819.h85IJT504407@onyx.rockstone.co.uk>
Message-ID: <200309051828.h85IS3504437@onyx.rockstone.co.uk>

On Friday 05 September 2003 7:19 pm, Antony Stone wrote:

> I thought MailScanner recursively checked archives/zips/etc until it found
> a 'real file' to check for being a virus or not.

Before anyone else points it out, I realise that I was clearly wrong in this thinking, as my own test results demonstrated:

> I just tested this by taking eicar.com, tar-gzipping it, then winzipping
> the tgz file, then bzip2-ing the winzip file, and emailing myself the .bz2
> file.
>
> Eicar got found by ClamAV, AntiVir and McAfee (which, with the AV engines I
> run on this mail server, means it got missed by BitDefender, F-Prot,
> Inoculan, Kaspersky and NOD32).

It's also clear from the output of AntiVir that it's doing its own archive unpacking.
Here's the message logged by MailScanner (which is simply the output it received from AntiVir):

AntiVir: ALERT: [Eicar-Test-Signatur virus] thisiseicar.bz2 --> thisiseicar --> thisiseicar.tgz --> unkwn.tar --> thisiseicar.com <<< Contains code of the Eicar-Test-Signatur virus

As you can see it works its own way down inside the files until it sees what's lurking in the middle.

Antony

--
Behind the counter a boy with a shaven head stared vacantly into space, a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer (1984)

From mikea at MIKEA.ATH.CX Fri Sep 5 19:42:26 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:19:49 2006
Subject: Real Expectations..
In-Reply-To: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com>; from errol.neal@ENHTECH.COM on Fri, Sep 05, 2003 at 02:24:15PM -0400
References: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com>
Message-ID: <20030905134226.D77167@mikea.ath.cx>

On Fri, Sep 05, 2003 at 02:24:15PM -0400, Errol Neal wrote:
> Hi again..
>
> My boss is giving me headaches about the performance of our MailScanners.
> What kind of performance should one expect on Sun Solaris 500 mhz sparc
> with 512 ram and ide disks running 4.22-4?
> I think right now we are pumping out somewhere in the neighborhood of
> 300-500 messages per hour. I think that is reasonable for the hardware we
> have and these systems are dedicated Scanners.
> Can someone throw some hardware templates at me based upon their
> experiences and give me some numbers?

I'm currently running a dedicated Intel P-III 450 MHz with IDE disks, 384 MB RAM. OS is FreeBSD 4.8, with sendmail 8.12.something, MailScanner, SpamAssassin using Bayesian filtering, and ClamAV.
The box does pretty well at this load, although it *will* be nice to get the long-promised server-grade dual-P-IV-2.4-GHz box with 1 GB RAM and huge Fast Wide SCSI-III disks:

Mail Statistics; Produced by isdmon2:/home/mikea/bin/mailstats.pl; Run by isdmon2:/etc/crontab

        Mails  spamassassin   rejected       scanner        total mails
        Total  says 'spam'    by ruleset     says virus     undelivered
Sep  3   6194  1543 (24.91%)  471 ( 7.60%)   651 (10.51%)   2665 (43.03%)
Sep  2   6910  1400 (20.26%)  427 ( 6.18%)   703 (10.17%)   2530 (36.61%)
Sep  1    129     4 ( 3.10%)    5 ( 3.88%)    45 (34.88%)     54 (41.86%)
Aug 31     51     1 ( 1.96%)    2 ( 3.92%)     5 ( 9.80%)      8 (15.69%)
Aug 30    585   255 (43.59%)   43 ( 7.35%)    89 (15.21%)    387 (66.15%)
Aug 29   5381  1419 (26.37%)  407 ( 7.56%)   513 ( 9.53%)   2339 (43.47%)
Aug 28   6131  1464 (23.88%)  454 ( 7.40%)   696 (11.35%)   2614 (42.64%)
Aug 27   6638  1363 (20.53%)  495 ( 7.46%)   856 (12.90%)   2714 (40.89%)

My `top` output tends to look like this:

last pid: 51725; load averages: 0.50, 0.62, 0.52 up 30+05:40:08 13:41:16
147 processes: 147 sleeping
CPU states: 41.2% user, 0.0% nice, 12.0% system, 0.4% interrupt, 46.5% idle
Mem: 124M Active, 125M Inact, 77M Wired, 13M Cache, 48M Buf, 34M Free
Swap: 2048M Total, 55M Used, 1993M Free, 2% Inuse

  PID USERNAME PRI NICE   SIZE    RES STATE   TIME   WCPU    CPU COMMAND
38768 mikea      2    0 13420K 10812K select 63:34  4.54%  4.54% Xvnc
39894 root      10    0 27432K 25996K nanslp  0:19  2.00%  2.00% perl
40821 root      10    0 27324K 25876K nanslp  0:14  0.44%  0.44% perl
39825 root      10    0 27500K 26072K nanslp  0:17  0.29%  0.29% perl

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From kevins at BMRB.CO.UK Fri Sep 5 20:16:40 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Missed virus?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A08@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A08@pascal.priv.bmrb.co.uk>
Message-ID: <1062789400.24760.39.camel@bach.kevinspicer.co.uk>

On Fri, 2003-09-05 at 19:27, Antony Stone wrote:

> I just tested this by taking eicar.com, tar-gzipping it, then winzipping
> the tgz file, then bzip2-ing the winzip file, and emailing myself the .bz2
> file.
>
> Eicar got found by ClamAV, AntiVir and McAfee (which, with the AV engines I
> run on this mail server, means it got missed by BitDefender, F-Prot,
> Inoculan, Kaspersky and NOD32).

And of course MailScanner didn't pick up the .com file & block it.

I performed a test myself, which I hoped would imitate the message which the original post was about. I created an email with email.com and eicar.zip attached, then forwarded the email as an attachment to myself. Both Sophos(savi) and Clam picked up both copies of eicar, what's more MailScanner also blocked the com file.

This suggests that although the original post's problem message (I guess) had the original email attached there was something irregular about its formatting which prevented MailScanner and Clam from recognising it as an attached message and treating it as such.

It would be most interesting to see the source of the original message (if you still have it Gerry).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
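The two cases compared in this thread (a message forwarded as a proper message/rfc822 attachment, and a bounce that carries the original message as a plain .txt attachment) can be reproduced with the sketch below. It is an added example, not part of any post and not MailScanner's or ClamAV's code; the extension list, file names and addresses are constructed, and re-parsing text parts is an assumed way of closing the gap.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed filename rule for this sketch; not MailScanner's shipped rule set.
BLOCKED_EXT = (".com", ".exe", ".pif", ".scr")


def build_inner():
    """Constructed inner message: harmless bytes named like an executable."""
    inner = EmailMessage()
    inner["From"] = "sender@example.org"
    inner["To"] = "user@example.org"
    inner["Subject"] = "constructed test message"
    inner.set_content("See the attached file.")
    inner.add_attachment(b"harmless placeholder", maintype="application",
                         subtype="octet-stream", filename="sample.com")
    return inner


def _outer(subject):
    outer = EmailMessage()
    outer["From"] = "postmaster@example.org"
    outer["To"] = "user@example.org"
    outer["Subject"] = subject
    outer.set_content("Top-level body text.")
    return outer


def build_forwarded(inner):
    """Inner message forwarded as a message/rfc822 attachment."""
    outer = _outer("Fwd: constructed test message")
    outer.add_attachment(inner)
    return outer


def build_bounce(inner):
    """Bounce-style message: the original is pasted in as a text/plain .txt file."""
    outer = _outer("Returned mail")
    outer.add_attachment(inner.as_string(), subtype="plain",
                         filename="original.txt")
    return outer


def looks_like_message(text):
    """Heuristic: text parses as a message with From and Content-Type headers."""
    cand = email.message_from_string(text, policy=policy.default)
    return cand if cand["From"] and cand["Content-Type"] else None


def find_names(msg, follow_rfc822, reparse_text, depth=0):
    """Return (depth, filename) pairs; depth counts embedded messages entered."""
    found = []
    name = msg.get_filename()
    if name:
        found.append((depth, name))
    ctype = msg.get_content_type()
    if ctype == "message/rfc822":
        if follow_rfc822 and msg.is_multipart():
            for inner in msg.get_payload():
                found += find_names(inner, follow_rfc822, reparse_text, depth + 1)
    elif msg.is_multipart():
        for part in msg.get_payload():
            found += find_names(part, follow_rfc822, reparse_text, depth)
    elif reparse_text and ctype == "text/plain":
        inner = looks_like_message(msg.get_content())
        if inner is not None:
            found += find_names(inner, follow_rfc822, reparse_text, depth + 1)
    return found


def scan(raw, follow_rfc822, reparse_text):
    """Parse raw bytes and return the blocked (depth, filename) pairs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = find_names(msg, follow_rfc822, reparse_text)
    return [(d, n) for d, n in names if n.lower().endswith(BLOCKED_EXT)]


def demo():
    inner = build_inner()
    fwd = build_forwarded(inner).as_bytes()
    bounce = build_bounce(inner).as_bytes()
    return {
        "forwarded_top_only": scan(fwd, False, False),
        "forwarded_follow_rfc822": scan(fwd, True, False),
        "bounce_follow_rfc822": scan(bounce, True, False),
        "bounce_reparse_text": scan(bounce, True, True),
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case}: {hits}")
```

A walker that follows message/rfc822 parts reports the nested file in the forwarded case, while the bounce case shows only original.txt until text parts that parse as messages are re-parsed.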
From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 20:23:37 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:49 2006
Subject: Missed virus?
In-Reply-To: <1062789400.24760.39.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A08@pascal.priv.bmrb.co.uk> <1062789400.24760.39.camel@bach.kevinspicer.co.uk>
Message-ID: <200309051923.h85JNg504643@onyx.rockstone.co.uk>

On Friday 05 September 2003 8:16 pm, Kevin Spicer wrote:

> On Fri, 2003-09-05 at 19:27, Antony Stone wrote:
> > I just tested this by taking eicar.com, tar-gzipping it, then
> > winzipping the tgz file, then bzip2-ing the winzip file, and emailing
> > myself the .bz2 file.

> And of course MailScanner didn't pick up the .com file & block it.

Well, that is what I would expect (not picking it up) since MailScanner's file extension rules definitely only apply to the actual file being attached.

> It would be most interesting to see the source of the original message
> (if you still have it Gerry).

I agree :)

Antony.

--
Anyone that's normal doesn't really achieve much.
- Mark Blair, Australian rocket engineer

From kevins at BMRB.CO.UK Fri Sep 5 20:36:44 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Missed virus?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A0B@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A0B@pascal.priv.bmrb.co.uk>
Message-ID: <1062790604.24761.49.camel@bach.kevinspicer.co.uk>

On Fri, 2003-09-05 at 20:23, Antony Stone wrote:

>> And of course MailScanner didn't pick up the .com file & block it.

>Well, that is what I would expect (not picking it up) since
>MailScanner's
>file extension rules definitely only apply to the actual file being
>attached.

I agree that's correct, but that's why my test results...

>>I performed a test myself, which I hoped would imitate the message
>>which
>>the original post was about.
>>I created an email with email.com and
>>eicar.zip attached, then forwarded the email as an attachment to
>>myself. Both Sophos(savi) and Clam picked up both copies of eicar,
>>what's more MailScanner also blocked the com file.
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
surprised me (pleasantly). I didn't really expect that MailScanner would recurse through attached emails (Julian's too clever by half!). Which begs the question why didn't it recurse through the attached message in Gerry's file.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From jase at SENSIS.COM Fri Sep 5 20:40:18 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:19:49 2006
Subject: Missed virus?
Message-ID:

> >>I performed a test myself, which I hoped would imitate the message
> >>which
> >>the original post was about. I created an email with email.com and
> >>eicar.zip attached, then forwarded the email as an attachment to
> >>myself. Both Sophos(savi) and Clam picked up both copies of eicar,
> >>what's more MailScanner also blocked the com file.
>               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> surprised me (pleasantly). I didn't really expect that MailScanner
> would recurse through attached emails (Julian's too clever by half!).
> Which begs the question why didn't it recurse through the attached
> message in Gerry's file.
Without seeing the file myself, I would guess that it is inside of an attached email message (.txt) in some rfc format which Clam does not unpack to check for viruses.

Jason

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 20:44:31 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:49 2006
Subject: Missed virus?
In-Reply-To: <1062790604.24761.49.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A0B@pascal.priv.bmrb.co.uk> <1062790604.24761.49.camel@bach.kevinspicer.co.uk>
Message-ID: <200309051944.h85Jia504722@onyx.rockstone.co.uk>

On Friday 05 September 2003 8:36 pm, Kevin Spicer wrote:

> On Fri, 2003-09-05 at 20:23, Antony Stone wrote:
> >> And of course MailScanner didn't pick up the .com file & block it.
> >
> >Well, that is what I would expect (not picking it up) since
> >MailScanner's
> >file extension rules definitely only apply to the actual file being
> >attached.
>
> I agree that's correct, but that's why my test results...
>
> >>I performed a test myself, which I hoped would imitate the message
> >>which
> >>the original post was about. I created an email with email.com and
> >>eicar.zip attached, then forwarded the email as an attachment to
> >>myself. Both Sophos(savi) and Clam picked up both copies of eicar,
> >>what's more MailScanner also blocked the com file.
>
>               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> surprised me (pleasantly). I didn't really expect that MailScanner
> would recurse through attached emails (Julian's too clever by half!).
> Which begs the question why didn't it recurse through the attached
> message in Gerry's file.

Hm. I think finding a file in an RFC822 attachment is different from recursing inside zip-type archives - I would expect MailScanner's filename rules to match the first but not the second.

Regards,

Antony.

--
Perfection in design is achieved not when there is nothing left to add, but rather when there is nothing left to take away.
- Antoine de Saint-Exupery

From mailscanner at BARENDSE.TO Fri Sep 5 21:10:32 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:19:49 2006
Subject: sendmail discard subjects
Message-ID:

I am using mailscanner rules to discard emails that have a certain subject. This works great for some viruses and read and not read receipt messages that are extremely annoying.

Any read / not read messages usually have subject that looks like

Read: blabla subject

This is only the case for replies to mails that are in the regular character set. These rules do not catch mails that reply to mails that were in a different character set.

If I look in pine the mail subject looks normal but when I look in the qf/df pairs the subject looks like this:

H??Subject: =?iso-8859-1?Q?Read=3A_Angaben_f=FCr_Tarragona

I tried the following in my subjects file:

read:
=?iso-8859-1?Q?Read=3A_
not.read:
?iso-8859-1?Q?not_read
gelezen:
niet.gelezen:
leído:
no.leído:
lida:
lidas:

but the strange character set ones still get through and the 2 lines that include the iso char set do not seem to work.

need I do anything special so sendmail will recognize these other messages as well??

From vosburgh at DALSEMI.COM Fri Sep 5 21:22:02 2003
From: vosburgh at DALSEMI.COM (David Vosburgh)
Date: Thu Jan 12 21:19:49 2006
Subject: Real Expectations..
References: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com>
Message-ID: <3F58F06A.2090800@dalsemi.com>

We have MailScanner/SA/Sophos on a Sun 220R running Solaris 8 with 2x450Mhz and 1GB RAM. Prior to the Sobig-f outbreak two weeks ago the system was comfortably handling about 20-25k messages per day with an infection rate < 1%. The load average was generally between 1 and 2.

In the last few days, we have been getting 30-40k messages per day, with an infection rate of about 20%. While the delivery times haven't changed much (still ~3 to 6 seconds), the load average on the system is generally between 3 and 5 now.
I think we're getting close to the capacity of this system at the current load.

Dave

Errol Neal wrote:

> Hi again..
>
> My boss is giving me headaches about the performance of our MailScanners.
> What kind of performance should one expect on Sun Solaris 500 mhz sparc
> with 512 ram and ide disks running 4.22-4?
> I think right now we are pumping out somewhere in the neighborhood of
> 300-500 messages per hour. I think that is reasonable for the hardware we
> have and these systems are dedicated Scanners.
> Can someone throw some hardware templates at me based upon their
> experiences and give me some numbers?
>
>
> Errol
>
> Errol Neal, Systems/Network Administrator
> eneal@enhtech.com
> Enhanced Technologies Inc.
> http://www.enhtech.com
> 703-924-0301 or 800-368-3249
> 703-924-0302 Fax
>

From HancockS at MORGANCO.COM Fri Sep 5 21:24:40 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:19:49 2006
Subject: MS, etrust, Exim, and run as root
Message-ID: <3EA1A302A4978A4C970D2C63F327156ED54428@worc-mail2.int.morganco.com>

Is anyone running Exim, MS, and eTrust?

Exim wants to run as mail and etrust inocmd32 must run as root.

Any ideas?

Part two.

What is a simple MTA that runs as root. I'm just using MS as an email gateway. I've installed sendmail on a dev box but it's a bit intimidating.

Thanks

Scott Hancock

From Denis.Beauchemin at USHERBROOKE.CA Fri Sep 5 21:26:34 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:19:49 2006
Subject: Spam actions rules precedence
Message-ID: <1062793594.3309.13.camel@dbeauchemin.sti.usherbrooke.ca>

Hi,

I have a problem with a user that doesn't want to receive any spam message (I usually tag them and send them).

So I used:
So I used:
Spam Actions = /etc/MailScanner/rules/spam.action.rules
High Scoring Spam Actions = /etc/MailScanner/rules/spam.action.rules

And /etc/MailScanner/rules/spam.action.rules contains:
To: user1@biblio.usherb.ca store delete
To: user1@courrier.usherb.ca store delete
To: *@courrier.usherb.ca attachment deliver
To: *@biblio.usherb.ca attachment deliver
FromOrTo: Default deliver

User1 received an email that was on my blacklist (log says "is spam
(blacklisted)"). Shouldn't the above rules have dropped it?

Log says "actions are attachment,store,deliver". Looks like it added
them all. I thought it would have used the first one (store delete).

How can I do this? I am running 4.21-9.

Thanks!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 21:30:44 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:49 2006
Subject: MS, etrust, Exim, and run as root
In-Reply-To: <3EA1A302A4978A4C970D2C63F327156ED54428@worc-mail2.int.morganco.com>
References: <3EA1A302A4978A4C970D2C63F327156ED54428@worc-mail2.int.morganco.com>
Message-ID: <200309052030.h85KUm504948@onyx.rockstone.co.uk>

On Friday 05 September 2003 9:24 pm, Hancock, Scott wrote:

> Is anyone running Exim, MS, and eTrust?
>
> Exim wants to run as mail and etrust inocmd32 must run as root.
>
> Any ideas?

sudo in the eTrust wrapper script?

> Part two.
>
> What is a simple MTA that runs as root.

I would suspect none these days. Dropping privilege is such a standard
security measure that I'd be surprised if anything up to date didn't do it.

Antony.

--
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.
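Added example (not part of any list post): Remco Barendse's "sendmail discard subjects" message above shows a read-receipt subject stored as an RFC 2047 encoded-word, which a pattern written for the displayed text ("Read:") never sees. This Python sketch decodes the Subject before matching; the sample subjects are constructed (the post's subject with its closing "?=" supplied, plus a base64 variant) and the function names are illustrative.

```python
import base64
import re
from email.errors import HeaderParseError
from email.header import decode_header

# Receipt prefixes from the subjects file in the post ("." written as a space).
RECEIPT_PREFIXES = ("read:", "not read:", "gelezen:", "niet gelezen:")

# Constructed samples. Q_SAMPLE is the qf-file subject from the post with the
# closing "?=" supplied; B_SAMPLE is the same kind of subject in base64 ("B")
# encoding, built here so the bytes are exact; TRUNCATED_SAMPLE is the subject
# exactly as it appears in the post, without the terminator.
PLAIN_SAMPLE = "Read: blabla subject"
Q_SAMPLE = "=?iso-8859-1?Q?Read=3A_Angaben_f=FCr_Tarragona?="
B_SAMPLE = "=?iso-8859-1?B?%s?=" % base64.b64encode(
    "Not read: Angaben f\u00fcr Tarragona".encode("iso-8859-1")).decode("ascii")
TRUNCATED_SAMPLE = "=?iso-8859-1?Q?Read=3A_Angaben_f=FCr_Tarragona"


def decoded_subject(raw):
    """Decode RFC 2047 encoded-words; return raw unchanged if unparseable."""
    try:
        chunks = decode_header(raw)
    except HeaderParseError:          # e.g. broken base64 payload
        return raw
    out = []
    for data, charset in chunks:
        if isinstance(data, bytes):
            try:
                data = data.decode(charset or "ascii", errors="replace")
            except LookupError:       # unknown charset label
                data = data.decode("latin-1")
        out.append(data)
    return "".join(out)


def normalise(text):
    """Collapse whitespace and lowercase so prefixes compare uniformly."""
    return re.sub(r"\s+", " ", text).strip().lower()


def is_receipt_raw(raw):
    """What a filter sees when it matches the header exactly as stored."""
    return normalise(raw).startswith(RECEIPT_PREFIXES)


def is_receipt(raw):
    """Match after decoding, so Q, B and plain subjects all look the same."""
    return normalise(decoded_subject(raw)).startswith(RECEIPT_PREFIXES)


def has_undecoded_word(raw):
    """True when something shaped like an encoded-word survived decoding."""
    return "=?" in decoded_subject(raw)


if __name__ == "__main__":
    for s in (PLAIN_SAMPLE, Q_SAMPLE, B_SAMPLE, TRUNCATED_SAMPLE):
        print("%-5s %-5s %-5s %s" % (is_receipt_raw(s), is_receipt(s),
                                     has_undecoded_word(s), decoded_subject(s)))
```

A subject that still contains "=?" after decoding, like the truncated one, is worth routing to manual review rather than treating as clean.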
From damien at MC-KENNA.COM Fri Sep 5 21:46:20 2003
From: damien at MC-KENNA.COM (Damien McKenna)
Date: Thu Jan 12 21:19:49 2006
Subject: MS, etrust, Exim, and run as root
In-Reply-To: <3EA1A302A4978A4C970D2C63F327156ED54428@worc-mail2.int.morganco.com>
References: <3EA1A302A4978A4C970D2C63F327156ED54428@worc-mail2.int.morganco.com>
Message-ID: <200309051646.20357.damien@mc-kenna.com>

On Friday 05 September 2003 04:24 pm, Hancock, Scott wrote:
> Exim wants to run as mail and etrust inocmd32 must run as root.

Recompile exim?
--
Damien McKenna damien@mc-kenna.com http://mc-kenna.com/

From dustin.baer at IHS.COM Fri Sep 5 21:34:44 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:19:49 2006
Subject: Sobig.F resurgence
References: <5.1.0.14.0.20030905120818.1018da50@mail.enhtech.com>
Message-ID: <3F58F364.82CC3545@ihs.com>

> >
> >LOCAL_RULESETS
> >
> ># Reject all mail with Sobig subjects.
> >HSubject: $>Check_subject
> >D{Msobig1}That movie
> >D{Msobig2}Wicked screensaver
> >D{Msobig3}Your application
> >D{Msobig4}Approved
> >D{Msobig5}My details
> >D{Msobig6}Details
> >D{Msobig7}Thank you!
> >D{Msobig8}Returned mail: see transcript for details
> >D{Mmsg} Possible Sobig-F Virus - Please change subject
> >
> >SCheck_subject
> >R${Msobig1} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig1} $*	$#error $: 550 ${Mmsg}
> >R${Msobig2} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig2} $*	$#error $: 550 ${Mmsg}
> >R${Msobig3} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig3} $*	$#error $: 550 ${Mmsg}
> >R${Msobig4} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig4} $*	$#error $: 550 ${Mmsg}
> >R${Msobig5} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig5} $*	$#error $: 550 ${Mmsg}
> >R${Msobig6} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig6} $*	$#error $: 550 ${Mmsg}
> >R${Msobig7} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig7} $*	$#error $: 550 ${Mmsg}
> >R${Msobig8} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig8} $*	$#error $: 550 ${Mmsg}
> >
> >
> >This was suggested on the list several days back and has been working very
> >well.
> >May I remind you that the white gaps in text above are tabs and not simply
> >spaces.
> >Run your .mc through m4 and then restart MailScanner.

To anyone who is doing the above:

With all the complaints about how much email traffic is being generated
by virus scanners (thankfully NOT MailScanner) rejecting the SoBig virus
to the spoofed address, why on earth would you want to reject these
subjects? You are creating just as much INCORRECT rejection traffic.

I have the same list with "$#discard $: discard" and I couldn't care less
if someone doesn't get a "Thank you!" or "Re: Thank you!" message for a
few weeks.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From DelislMa at COLLEGESHERBROOKE.QC.CA Fri Sep 5 22:24:13 2003
From: DelislMa at COLLEGESHERBROOKE.QC.CA (Marc Delisle)
Date: Thu Jan 12 21:19:49 2006
Subject: support for SpamAssassin user_scores_dsn
Message-ID: <3F58FEFD.1020103@CollegeSherbrooke.qc.ca>

Hi,

I just installed MailScanner and enjoy it very much!
However, I could not make the user_scores_dsn feature of SpamAssassin 2.55
work.

I added the same user_scores_dsn, user_scores_sql_username,
user_scores_sql_password and user_scores_sql_table lines that I had in my
local.cf file, to /opt/MailScanner/etc/spam.assassin.prefs.conf and
restarted MailScanner.

MailScanner.conf contains:
SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf

In this database I have per-user preferences about "required_hits".
Maybe MailScanner is not sending spamassassin the username to do the
lookup?

Thanks.

Marc Delisle
Collège de Sherbrooke (Québec)

From kevins at BMRB.CO.UK Fri Sep 5 22:34:41 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Sobig.F resurgence
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A15@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A15@pascal.priv.bmrb.co.uk>
Message-ID: <1062797682.24760.59.camel@bach.kevinspicer.co.uk>

On Fri, 2003-09-05 at 21:34, Dustin Baer wrote:

>With all the complaints about how much email traffic is being generated
>by virus scanners (thankfully NOT MailScanner) rejecting the SoBig
>virus

Actually that does affect MailScanner if the mailscanner admin has notify
senders on (default until latest version I think) and has not added Sobig
to the silent viruses list.

>to the spoofed address, why on earth would you want to reject these
>subjects? You are creating just as much INCORRECT rejection traffic.

The Sobig virus uses its own SMTP engine to send directly to your server
(unless you're using an ISP's server that you have no control over as a
secondary queueing MX and it hits that first). Therefore rejecting the
message with a 550 error would normally cause the _remote_ MTA to generate
a bounce to the 'sender'. Since in this case that 'remote MTA' would be
the virus itself it is not going to produce a bounce message, instead just
silently ignore the error.
Therefore (with the exception of the case mentioned above) the only time this ruleset should cause someone to receive a bounce from their local MTA is when they have sent a genuine message which happens to use that subject. In this scenario I think it is appropriate to issue a 550 response rather than silently dropping the mail. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From gerry at DORFAM.CA Fri Sep 5 22:37:42 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:19:49 2006 Subject: Missed virus? In-Reply-To: <1062789400.24760.39.camel@bach.kevinspicer.co.uk> Message-ID: On Fri, 5 Sep 2003, Kevin Spicer wrote: > On Fri, 2003-09-05 at 19:27, Antony Stone wrote: > > > I just tested this by taking eicar.com, tar-gzipping it, then > winzipping > > the tgz file, then bzip2-ing the winzip file, and emailing myself the > .bz2 > > file. > > > > Eicar got found by ClamAV, AntiVir and McAfee (which, with the AV > engines I > > run on this mail server, means it got missed by BitDefender, F-Prot, > > Inoculan, Kaspersky and NOD32). > > And of course MailScanner didn't pick up the .com file & block it. > > I performed a test myself, which I hoped would imitate the message which > the original post was about. I created an email with email.com and > eicar.zip attached, then forwarded the email as an attachment to > myself. 
Both Sophos(savi) and Clam picked up both copies of eicar,
> what's more MailScanner also blocked the com file.
>
> This suggests that although the original post's problem message (I
> guess) had the original email attached there was something irregular
> about its formatting which prevented MailScanner and Clam from
> recognising it as an attached message and treat it as such.
>
> It would be most interesting to see the source of the original message
> (if you still have it Gerry).

I have attached the headers for both messages.

I'm really confused on this. The first message's attachment in my
quarantine directory is only the warning text message put in by
MailScanner. It is included as msg-6184-52.txt.

The second message has an actual virus document_9446.pif stored in the
quarantine directory. It didn't bother with attaching this.

There seems to be something about the first message that triggered F-Prot
and Trend to believe there was a virus in it and MailScanner duly
quarantined the txt message...which was nothing but the warning message???
-- Gerry "The lyfe so short, the craft so long to learne" Chaucer -------------- next part -------------- From Mailer-Daemon@twista.freelimit.com Fri Sep 5 12:21:13 2003 Return-Path: Received: from localhost (localhost [127.0.0.1]) by tiger.dorfam.ca (8.12.8/8.12.8) with ESMTP id h85GKCv7010242 for ; Fri, 5 Sep 2003 12:20:13 -0400 Received: from pop.bloor.is.net.cable.rogers.com [66.185.95.101] by localhost with POP3 (fetchmail-6.2.0) for bdoris@localhost (single-drop); Fri, 05 Sep 2003 12:20:13 -0400 (EDT) Received: from twista.freelimit.com ([69.57.144.39]) by fep01-mail.bloor.is.net.cable.rogers.com (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP id <20030905161929.NTIY232520.fep01-mail.bloor.is.net.cable.rogers.com@twista.freelimit.com> for ; Fri, 5 Sep 2003 12:19:29 -0400 Received: from mailnull by twista.freelimit.com with local (Exim 4.20) id 19vJJ2-0005O9-7M for bdoris@rogers.com; Fri, 05 Sep 2003 11:19:28 -0500 X-Failed-Recipients: comments@kidschat.ws From: Mail Delivery System To: bdoris@rogers.com Subject: {Virus?} Mail delivery failed: returning message to sender Message-Id: Date: Fri, 05 Sep 2003 11:19:28 -0500 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - twista.freelimit.com X-AntiAbuse: Original Domain - rogers.com X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - X-DORFAM-MailScanner-Info: Contact postmaster@dorfam.ca X-DORFAM-MailScanner: Found to be infected X-DORFAM-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.1, required 7, BAYES_30, LARGE_HEX, MAILER_DAEMON, UPPERCASE_25_50) X-IMAPbase: 1062795648 3 Status: RO X-Status: X-Keywords: X-UID: 1 Warning: This message has had one or more attachments removed Warning: (the entire message). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. 
This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "the entire message" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Fri Sep 5 12:21:12 2003 the virus scanner said: F-Prot: msg-6184-52.txt->document_all.pif Infection: W32/Sobig.F@mm Trend: Found virus WORM_SOBIG.F in file msg-6184-52.txt Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine/20030905 (message h85GKCv7010242). -- Postmaster Mailscanner thanks transtec Computers for their support From 7UIfBBLy6@compuserve.com Fri Sep 5 12:30:26 2003 Return-Path: <7UIfBBLy6@compuserve.com> Received: from localhost (localhost [127.0.0.1]) by tiger.dorfam.ca (8.12.8/8.12.8) with ESMTP id h85GUEv7010704 for ; Fri, 5 Sep 2003 12:30:17 -0400 Received: from pop.bloor.is.net.cable.rogers.com [66.185.95.101] by localhost with POP3 (fetchmail-6.2.0) for bdoris@localhost (single-drop); Fri, 05 Sep 2003 12:30:17 -0400 (EDT) Received: from SILVERTH-ULL7ZO ([24.42.1.205]) by fep01-mail.bloor.is.net.cable.rogers.com (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP id <20030905162802.OJON232520.fep01-mail.bloor.is.net.cable.rogers.com@SILVERTH-ULL7ZO> for ; Fri, 5 Sep 2003 12:28:02 -0400 From: <7UIfBBLy6@compuserve.com> To: Subject: {Virus?} {Spam?} Your details Date: Fri, 5 Sep 2003 12:28:08 --0400 X-MailScanner: Found to be clean Importance: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MSMail-Priority: Normal X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="_NextPart_000_013A03D1" Message-Id: 
<20030905162802.OJON232520.fep01-mail.bloor.is.net.cable.rogers.com@SILVERTH-ULL7ZO> X-DORFAM-MailScanner-Info: Contact postmaster@dorfam.ca X-DORFAM-MailScanner: Found to be infected X-DORFAM-MailScanner-SpamCheck: spam, SpamAssassin (score=10.6, required 7, DATE_IN_PAST_03_06, DCC_CHECK, FORGED_MUA_OUTLOOK, FROM_HAS_MIXED_NUMS, INVALID_DATE, MICROSOFT_EXECUTABLE, MIME_BOUND_NEXTPART, MISSING_MIMEOLE, NO_REAL_NAME, PYZOR_CHECK, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK) Status: RO X-Status: X-Keywords: X-UID: 2 This is a multipart message in MIME format --_NextPart_000_013A03D1 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Warning: This message has had one or more attachments removed Warning: (document_9446.pif). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. Please see the attached file for details. --_NextPart_000_013A03D1 Content-Type: text/plain; charset="us-ascii"; name="VirusWarning.txt" Content-Disposition: attachment; filename="VirusWarning.txt" Content-Transfer-Encoding: quoted-printable This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "document_9446.pif" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. 
At Fri Sep 5 12:30:25 2003 the virus scanner said: ClamAV: document_9446.pif contains Worm.Sobig.F=20 F-Prot: document_9446.pif Infection: W32/Sobig.F@mm Trend: Found virus WORM_SOBIG.F in file document_9446.pif MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (d= ocument_9446.pif) No programs allowed (document_9446.pif) Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quaran= tine/20030905 (message h85GUEv7010704). --=20 Postmaster Mailscanner thanks transtec Computers for their support -------------- next part -------------- Warning: This message has had one or more attachments removed Warning: (the entire message). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "the entire message" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Fri Sep 5 12:21:12 2003 the virus scanner said: F-Prot: msg-6184-52.txt->document_all.pif Infection: W32/Sobig.F@mm Trend: Found virus WORM_SOBIG.F in file msg-6184-52.txt Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine/20030905 (message h85GKCv7010242). -- Postmaster Mailscanner thanks transtec Computers for their support From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 22:44:13 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:49 2006 Subject: Missed virus? 
In-Reply-To:
References:
Message-ID: <200309052144.h85LiK505220@onyx.rockstone.co.uk>

On Friday 05 September 2003 10:37 pm, Gerry Doris wrote:

> On Fri, 5 Sep 2003, Kevin Spicer wrote:
> > It would be most interesting to see the source of the original message
> > (if you still have it Gerry).

> I have attached the headers for both messages.

I was hoping to see the headers for the original incoming message, rather
than the 'cleaned' version sent on by MailScanner.

I guess those headers have disappeared now?

Ho Hum....

Antony.

--
In science, one tries to tell people in such a way as to be understood by
everyone something that no-one ever knew before. In poetry, it is the
exact opposite.
- Paul Dirac

From kevins at BMRB.CO.UK Fri Sep 5 22:46:33 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Spam actions rules precedence
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A12@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A12@pascal.priv.bmrb.co.uk>
Message-ID: <1062798394.24760.69.camel@bach.kevinspicer.co.uk>

On Fri, 2003-09-05 at 21:26, Denis Beauchemin wrote:

>User1 received an email that was on my blacklist (log says "is spam
>(blacklisted)". Shouldn't the above rules have dropped it?

Say user1 is user1@biblio.usherb.ca then the following rules match

To: user1@biblio.usherb.ca store delete
To: *@biblio.usherb.ca attachment deliver

>Log says "actions are attachment,store,deliver". Looks like it added
>them all. I thought it would have used the first one (store delete).

That would be correct - obviously it can't delete and deliver the same
mail.

>How can I do this? I am running 4.21-9.

I think Julian recently implemented some way of giving certain rules
precedence, but I can't find it documented in the distribution. If it's
there you'll need the latest version. (Search the archives for Julian's
post).

You will have to consider what happens when a mail arrives that is
destined for user1 and a.n.other.
How the rules resolve in this case. There's been some discussion about
methods to split messages to achieve one mail per recipient on various
MTAs but this might create too much load. My personal preference is to
educate users on filtering their mailboxes using the
X-MailScanner-SpamScore header.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From kevins at BMRB.CO.UK Fri Sep 5 22:57:07 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: MS, etrust, Exim, and run as root
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A11@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A11@pascal.priv.bmrb.co.uk>
Message-ID: <1062799028.24761.80.camel@bach.kevinspicer.co.uk>

On Fri, 2003-09-05 at 21:24, Hancock, Scott wrote:

>Exim wants to run as mail and etrust inocmd32 must run as root.
>Any ideas?

ls -l /path/to/inocmd32 > some-file   # In case it doesn't work & you
                                      # want to change it back!
groupadd -g some-unused-group-number-lower-than-500 etrust
usermod -G etrust mail
chown root:etrust /path/to/inocmd32
chmod 4750 /path/to/inocmd32

(Whilst SUID isn't often a good idea this at least restricts it to only
the one user.)
BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From kevins at BMRB.CO.UK Fri Sep 5 23:07:15 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: support for SpamAssassin user_scores_dsn
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A16@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A16@pascal.priv.bmrb.co.uk>
Message-ID: <1062799636.24760.88.camel@bach.kevinspicer.co.uk>

On Fri, 2003-09-05 at 22:24, Marc Delisle wrote:

>In this database I have per-user preferences about "required_hits".
>Maybe MailScanner is not sending spamassassin the username
>to do the lookup?

MailScanner doesn't know the username, it only knows the email address and
has no concept of whether the address relates to a user on the current
machine (that's left to sendmail's rulesets). Also remember (unless you've
configured otherwise) MailScanner processes incoming mail as is, therefore
you will often get one mail addressed to several recipients which only
goes through MS and SA once.

If you want to do per-user stuff with SA you'll need to run it through
procmail instead, which takes effect at the local delivery stage when the
mail has been split by recipient. If it's only scores you want to check
you could write a procmail recipe that checks the X-MailScanner-SpamScore
header (if necessary processing each mail through a small script which
looks up the score in your database).
BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at LISTS.COM.AR Fri Sep 5 23:14:32 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:49 2006 Subject: Spanish translations update Message-ID: <3F58E098.23888.2230EF6@localhost> Hi Julian, I'm attaching an archive with revised Spanish report files. These are based on the 4.23-11 release version. I did a little bit of editing, changed some MIME headers, added the "transtec Computers" thanx message, eliminated some accented characters that sometimes are badly encoded, etc. Would you be so kind to put these in the next release? TIA. -- Mariano Absatz El Baby ---------------------------------------------------------- Computers are only human. -------------- next part -------------- A non-text attachment was scrubbed... Name: MS-4.23-11-new_es_reports.tgz Type: application/octet-stream Size: 4774 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/12aca604/MS-4.23-11-new_es_reports.obj From chris at TRUDEAU.ORG Sat Sep 6 00:15:11 2003 From: chris at TRUDEAU.ORG (Chris Trudeau-Personal) Date: Thu Jan 12 21:19:49 2006 Subject: {File Violation} Spanish translations update References: <3F58E098.23888.2230EF6@localhost> Message-ID: <00ea01c37403$8e533ed0$23c8a8c0@SERV> Uhhh.....don't send archive files as attachments to the list. 
I'm sure I'm not the only one that fired an illegal attachment warning in response to your post. CT ----- Original Message ----- From: "Mariano Absatz" To: Sent: Friday, September 05, 2003 6:14 PM Subject: {DefendMail File Violation} Spanish translations update > Warning: This message has had one or more attachments removed > Warning: (MS-4.23-11-new_es_reports.tgz). > Warning: Please read the "DefendMail_ATTACHMENT_Warning.txt" attachment(s) for more information. > > Hi Julian, > > I'm attaching an archive with revised Spanish report files. > > These are based on the 4.23-11 release version. > > I did a little bit of editing, changed some MIME headers, added the "transtec > Computers" thanx message, eliminated some accented characters that sometimes > are badly encoded, etc. > > Would you be so kind to put these in the next release? > > TIA. > > -- > Mariano Absatz > El Baby > ---------------------------------------------------------- > Computers are only human. > > > From mike at CAMAROSS.NET Sat Sep 6 00:23:01 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:49 2006 Subject: {File Violation} Spanish translations update In-Reply-To: <00ea01c37403$8e533ed0$23c8a8c0@SERV> Message-ID: <004301c37404$a67ee0d0$640ba8c0@home.middlefinger.net> It didn't go off over here. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Trudeau-Personal Sent: Friday, September 05, 2003 6:15 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: {File Violation} Spanish translations update Uhhh.....don't send archive files as attachments to the list. I'm sure I'm not the only one that fired an illegal attachment warning in response to your post. 
CT

----- Original Message -----
From: "Mariano Absatz"
To:
Sent: Friday, September 05, 2003 6:14 PM
Subject: {DefendMail File Violation} Spanish translations update

> Warning: This message has had one or more attachments removed
> Warning: (MS-4.23-11-new_es_reports.tgz).
> Warning: Please read the "DefendMail_ATTACHMENT_Warning.txt"
> attachment(s) for more information.
>
> Hi Julian,
>
> I'm attaching an archive with revised Spanish report files.
>
> These are based on the 4.23-11 release version.
>
> I did a little bit of editing, changed some MIME headers, added the "transtec
> Computers" thanx message, eliminated some accented characters that sometimes
> are badly encoded, etc.
>
> Would you be so kind to put these in the next release?
>
> TIA.
>
> --
> Mariano Absatz
> El Baby
> ----------------------------------------------------------
> Computers are only human.
>
>
>

From Antony at SOFT-SOLUTIONS.CO.UK Sat Sep 6 00:20:57 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:49 2006
Subject: {File Violation} Spanish translations update
In-Reply-To: <00ea01c37403$8e533ed0$23c8a8c0@SERV>
References: <3F58E098.23888.2230EF6@localhost> <00ea01c37403$8e533ed0$23c8a8c0@SERV>
Message-ID: <200309052321.h85NL2505578@onyx.rockstone.co.uk>

On Saturday 06 September 2003 12:15 am, Chris Trudeau-Personal wrote:

> Uhhh.....don't send archive files as attachments to the list.

Why not? The standard file extension messages tell people that if their
attachment got blocked, they should zip it and try again - because most
people allow zip files (.zip, .gz, .tgz, .bz2 etc) through their
MailScanners.

> I'm sure I'm not the only one that fired an illegal attachment warning in
> response to your post.

No problem here - I think this will be pretty rare.

Antony.

--
Ramdisk is not an installation procedure.
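Added example (not part of any list post): a check for the setuid arrangement Kevin Spicer describes in the "MS, etrust, Exim, and run as root" thread above (owner root, group etrust, mode 4750, only mail in the group). The function names and the gid 450 in the sample values are assumptions made for illustration.

```python
import os
import stat
import sys


def audit_mode(mode, uid, gid, expected_gid):
    """Return findings for a helper that is meant to be root:<group> 4750."""
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not a regular file")
    if not mode & stat.S_ISUID:
        findings.append("setuid bit is not set, so it will not run as its owner")
    if uid != 0:
        findings.append("owner is uid %d, not root" % uid)
    if gid != expected_gid:
        findings.append("group is gid %d, expected %d" % (gid, expected_gid))
    if mode & stat.S_IRWXO:
        # 4750 leaves no bits for "other"; any bit here widens access
        # beyond the dedicated group.
        findings.append("world permission bits are set")
    if mode & stat.S_IWGRP:
        findings.append("group-writable: members could alter a root setuid file")
    if not mode & stat.S_IXGRP:
        findings.append("group cannot execute it, so the mail user cannot call it")
    if mode & stat.S_ISGID:
        findings.append("setgid bit is set; the mode in the post sets setuid only")
    return findings


def extra_members(members, allowed=("mail",)):
    """Accounts in the group that were not meant to reach the helper."""
    return sorted(set(members) - set(allowed))


def audit_path(path, group_name="etrust", allowed=("mail",)):
    """Audit a real file. Needs a Unix system where the group exists."""
    import grp  # Unix only
    entry = grp.getgrnam(group_name)
    st = os.stat(path)
    findings = audit_mode(st.st_mode, st.st_uid, st.st_gid, entry.gr_gid)
    # gr_mem lists supplementary members only; an account whose primary
    # group is this gid would have to be found in the passwd database.
    for name in extra_members(entry.gr_mem, allowed):
        findings.append("unexpected member of %s: %s" % (group_name, name))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py /path/to/setuid-helper")
    problems = audit_path(sys.argv[1])
    print("\n".join(problems) if problems else "matches root:etrust 4750")
    sys.exit(1 if problems else 0)
```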
From steve.douglas at SBIINCORPORATED.COM Sat Sep 6 01:02:55 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:49 2006 Subject: ANNOUNCE: Stable 4.23-11 released Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FCC1@mail.gardenbotanika.com> Thank you, Julian. I have completed the upgrade and followed as you suggested. I am finally out of the woodwork from all indications. SD :-) > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, September 02, 2003 5:07 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: Stable 4.23-11 released > > Just follow the instructions, and don't forget to run > upgrade_MailScanner_conf to do the hard work for you. > > At 17:32 02/09/2003, you wrote: > >I have not yet ever performed an update. I am using 4.22.xx on RedHat v9 > >via RPM with the latest f-prot. I know there is an entry on just > performing > >the RPM update, but is there anything you might recommend on the side > that I > >back first and an extra precaution before running the new RPM? > > > >I already have the rules and .conf files backed up. Thank you. > > > >SD > >:-) > > > > > > > -----Original Message----- > > > From: Brett Moss [mailto:bamcomp@YAHOO.COM] > > > Sent: Monday, September 01, 2003 7:22 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: ANNOUNCE: Stable 4.23-11 released > > > > > > hello again, > > > sorry but i had forgot to change the mcafee-wrapper > > > from rpmnew > > > this is what happens when working between 2 and 5 am i > > > guess > > > thanks again > > > brett > > > > > > > i am unable to find an -I switch > > > > > > > > -I: invalid switch or incorrect usage > > > > > > > > > > > > __________________________________ > > > Do you Yahoo!? > > > Yahoo! 
SiteBuilder - Free, easy-to-use web site design software
> > > http://sitebuilder.yahoo.com
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

From vernon at COMP-WIZ.COM Sat Sep 6 03:01:30 2003
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:49 2006
Subject: Spamassain
Message-ID: <20030906015827.M72029@comp-wiz.com>

Anyone know of any problems with using the latest version of SpamAssassin
and MailScanner? I've finally figured out that my problem is when I enable
"Use SpamAssassin". The minute an email is received when it is on,
MailScanner crashes out.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/83456acb/attachment.html

From mike at CAMAROSS.NET Sat Sep 6 04:31:58 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:49 2006
Subject: Spamassain
In-Reply-To: <20030906015827.M72029@comp-wiz.com>
Message-ID: <000a01c37427$6dca58f0$640ba8c0@home.middlefinger.net>

I've been using 2.60 for quite some time with no issues.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Vernon Webb
Sent: Friday, September 05, 2003 9:02 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Spamassain

Anyone know of any problems with using the latest version of SpamAssassin
and MailScanner? I've finally figured out that my problem is when I enable
"Use SpamAssassin". The minute an email is received when it is on,
MailScanner crashes out.

Thanks

From vanhorn at whidbey.com Sat Sep 6 04:37:41 2003
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:19:49 2006
Subject: F-prot revisited
References: <200309031917.h83JHUr02416@ori.rl.ac.uk>
Message-ID: <3F595685.E640944B@whidbey.com>

Alan Fiebig wrote:

> The product works great, and is very cost effective.
The license will run you around $129 per year, and for that price you get a license to install the product on any 5 hosts, including Windows and Linux servers, workstations, PocketPC PDAs, Groupwise servers, Exchange servers; all versions are included in the box. The 5 node license is the smallest they sell, but at $129 total, I think that's a very good price compared to what I was looking at. Based on your comments, I went looking for the product. I found http://www.my-etrust.com/ and browsed around a bit, even asked "Sammy" about Linux, but didn't see a trace of anything but Windows software. If I buy the five-pack, is there a Linux version in there somewhere, or can you post a URL that gets to the Linux version? I plan to continue running f-prot and ClamAV, but at this price I have no hesitation to add eTrust. I still won't bother putting it on my Windows workstation, Windows is slow enough without an AV product running! Van -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ---------------------------------------------------------- From errol.neal at ENHTECH.COM Sat Sep 6 04:06:17 2003 From: errol.neal at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:19:49 2006 Subject: Specifying a rule set correctly. Message-ID: <1062817577.3f594f292e6a3@webmail.resume.com> Hi all, I need to correctly understand how the queue deliver method works and how to specify a ruleset so I can use batch for all other domains besides those that I specify. I want to set the method to queue for several domains. How do I do this properly? This is what I have so far.. 
To: @enhtech.com queue To: @resume.com queue And of course, I have specified the file name where I store the rule sets in the MailScanner.conf like so: Delivery Method = /opt/MailScanner/etc/rules/delivery.method.rules Okay, now for my understanding. If mailscanner has a batch of 100 messages and message number 52 in that batch is a clean message to enhtech.com, will that message be dropped in the queue immediately? Errol ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From mike at CAMAROSS.NET Sat Sep 6 05:00:14 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:49 2006 Subject: Specifying a rule set correctly. In-Reply-To: <1062817577.3f594f292e6a3@webmail.resume.com> Message-ID: <001301c3742b$60c4ecc0$640ba8c0@home.middlefinger.net> What are you trying to achieve? Faster delivery or what? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Errol Neal Sent: Friday, September 05, 2003 10:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Specifying a rule set correctly. Hi all, I need to correctly understand how the queue deliver method works and how to specify a ruleset so I can use batch for all other domains besides those that I specify. I want to set the method to queue for several domains. How do I do this properly? This is what I have so far.. To: @enhtech.com queue To: @resume.com queue And of course, I have specified the file name where I store the rule sets in the MailScanner.conf like so: Delivery Method = /opt/MailScanner/etc/rules/delivery.method.rules Okay, now for my understanding. If mailscanner has a batch of 100 messages and message number 52 in that batch is a clean message to enhtech.com, will that message be dropped in the queue immediately? 
Errol ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From mike at ZANKER.ORG Sat Sep 6 08:05:31 2003 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:19:49 2006 Subject: {File Violation} Spanish translations update In-Reply-To: <004301c37404$a67ee0d0$640ba8c0@home.middlefinger.net> References: <004301c37404$a67ee0d0$640ba8c0@home.middlefinger.net> Message-ID: <140826031.1062835531@jemima.zanker.org> On 05 September 2003 18:23 -0500 Mike Kercher wrote: > It didn't go off over here. It caused a whole load of error messages to be logged here, e.g. Sep 5 23:15:02 mallard MailScanner[30596]: es/sender.mcp.report.txt Sep 5 23:15:02 mallard MailScanner[30596]: ProcessClamAVOutput: unrecognised line "es/sender.mcp.report.txt". Please contact the authors! Mike. From kevins at BMRB.CO.UK Sat Sep 6 09:13:30 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:49 2006 Subject: Spamassain In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A23@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A23@pascal.priv.bmrb.co.uk> Message-ID: <1062836011.24760.107.camel@bach.kevinspicer.co.uk> On Sat, 2003-09-06 at 03:01, Vernon Webb wrote: >Anyone know of any problems with using the latest version of Spamassain >and MailScanner? >I've finally figured out that my problem is when I enable "Use >>crashes out. Thanks BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From kevins at BMRB.CO.UK Sat Sep 6 09:15:04 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A23@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A23@pascal.priv.bmrb.co.uk>
Message-ID: <1062836105.24761.110.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 03:01, Vernon Webb wrote:
>Anyone know of any problems with using the latest version of Spamassain
>and MailScanner?

No, but if you're using 2.60 from the nightly CVS snapshots it may be worth downloading again, in case the particular snapshot you grabbed was broken. If you still have problems downgrade to 2.55.
From kevins at BMRB.CO.UK Sat Sep 6 09:17:00 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A29@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A29@pascal.priv.bmrb.co.uk>
Message-ID: <1062836221.24761.113.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 09:13, Spicer, Kevin wrote:
>On Sat, 2003-09-06 at 03:01, Vernon Webb wrote:
>>Anyone know of any problems with using the latest version of Spamassain
>>and MailScanner?
>>I've finally figured out that my problem is when I enable "Use
>>crashes out.
>Thanks

Oops, accidentally hit the shortcut for 'send' there! Sorry.

From DelislMa at COLLEGESHERBROOKE.QC.CA Sat Sep 6 13:50:43 2003
From: DelislMa at COLLEGESHERBROOKE.QC.CA (Marc Delisle)
Date: Thu Jan 12 21:19:49 2006
Subject: support for SpamAssassin user_scores_dsn
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A16@pascal.priv.bmrb.co.uk> <1062799636.24760.88.camel@bach.kevinspicer.co.uk>
Message-ID: <3F59D823.7060305@CollegeSherbrooke.qc.ca>

Kevin Spicer wrote:
> On Fri, 2003-09-05 at 22:24, Marc Delisle wrote:
>
>
>>In this database I have per-user preferences about "required_hits".
>>Maybe MailScanner is not sending spamassassin the username
>>to do the lookup?
> > > MailScanner doesn't know the username, it only knows the email address > and has no concept of whether the address relates to a user on the > current machine (thats left to sendmail's rulesets). Also remember > (unless you've configured otherwise) MailScanner processes incoming mail > as is, therefore you will often get one mail addressed to several > recipients which only goes through MS and SA once. If you want to do > per-user stuff with SA you'll need to run it through procmail instead, > which takes effect at the local delivery stage when the mail has been > split by recipient. > > If its only scores you want to check you could write a procmail recipe > that checks the X-MailScanner-SpamScore header (if necessary processing > each mail through a small script which looks up the score in your > database). Thanks Kevin, I just noticed in http://au2.spamassassin.org/full/2.5x/dist/sql/README that "you must be running spamc/spamd in order for this to work". I understand that sometimes there are several recipients, however in practice most often there is one recipient, and I can relate this recipient to a local user, so per-user stuff was useful for me before I started using MailScanner (I used spamd and a milter). I would have preferred not having to learn procmail (I would have to code the lookup and the headers rewriting) and instead rely on MailScanner (which maybe could talk to spamd, is this planned? ). Marc Delisle From chris at TRUDEAU.ORG Sat Sep 6 14:47:05 2003 From: chris at TRUDEAU.ORG (Chris Trudeau-Personal) Date: Thu Jan 12 21:19:49 2006 Subject: {File Violation} Spanish translations update References: <3F58E098.23888.2230EF6@localhost> <00ea01c37403$8e533ed0$23c8a8c0@SERV> <200309052321.h85NL2505578@onyx.rockstone.co.uk> Message-ID: <017901c3747d$5c4e8690$23c8a8c0@SERV> well then...the standard file extensions messages should be changed (as have mine)... Anyone remember MIMAIL? 
that was a zip/archive and with 4-8 hours between release and signature updates (depending on the AV company) there was a significant infection that filename/type rules missed because we all thought ZIP files were ok... CT ----- Original Message ----- From: "Antony Stone" To: Sent: Friday, September 05, 2003 7:20 PM Subject: Re: {File Violation} Spanish translations update > On Saturday 06 September 2003 12:15 am, Chris Trudeau-Personal wrote: > > > Uhhh.....don't send archive files as attachments to the list. > > Why not? The standard file extension messages tell people that if their > attachment got blocked, they should zip it and try again - because most > people allow zip files (.zip, .gz, .tgz, .bz2 etc) through their MailScanners. > > > I'm sure I'm not the only one that fired an illegal attachment warning in > > response to your post. > > No problem here - I think this will be petty rare. > > Antony. > > -- > > Ramdisk is not an installation procedure. From Antony at SOFT-SOLUTIONS.CO.UK Sat Sep 6 15:03:10 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:50 2006 Subject: {File Violation} Spanish translations update In-Reply-To: <017901c3747d$5c4e8690$23c8a8c0@SERV> References: <3F58E098.23888.2230EF6@localhost> <200309052321.h85NL2505578@onyx.rockstone.co.uk> <017901c3747d$5c4e8690$23c8a8c0@SERV> Message-ID: <200309061403.h86E3F508760@onyx.rockstone.co.uk> On Saturday 06 September 2003 2:47 pm, Chris Trudeau-Personal wrote: > > On Saturday 06 September 2003 12:15 am, Chris Trudeau-Personal wrote: > > > Uhhh.....don't send archive files as attachments to the list. > > > > Why not? The standard file extension messages tell people that if their > > attachment got blocked, they should zip it and try again - because most > > people allow zip files (.zip, .gz, .tgz, .bz2 etc) through their > > MailScanners. > well then...the standard file extensions messages should be changed (as > have mine)... 
In which case, how do you recommend legitimate users send, for example, a .exe file to each other if you block the .exe and also any compressed archive they might put it into?

My recommendation is to send such things in a password-protected zip, so that there has to be a deliberate action by the recipient to get access to the file inside the zip - they can't just open it "by accident". That won't work if you simply block all zips though.

Antony.

--
This email was created using 100% recycled electrons.

From chris at TRUDEAU.ORG Sat Sep 6 15:31:08 2003
From: chris at TRUDEAU.ORG (Chris Trudeau-Personal)
Date: Thu Jan 12 21:19:50 2006
Subject: {File Violation} Spanish translations update
References: <3F58E098.23888.2230EF6@localhost> <200309052321.h85NL2505578@onyx.rockstone.co.uk> <017901c3747d$5c4e8690$23c8a8c0@SERV> <200309061403.h86E3F508760@onyx.rockstone.co.uk>
Message-ID: <01db01c37483$842438d0$23c8a8c0@SERV>

> In which case, how do you recommend legitimate users send, for example, a
> .exe file to each other if you block the .exe and also any compressed archive
> they might put it into?

I suggest to my users that they use FTP, SSH, HTTP or some other means of providing a file that violates my policy. If this is not doable for them and they require exe and archives I allow it and make them request it in writing.

I have done some in-depth statistical analysis on executables and archive files. There are very few of them used, and a LARGE percentage of those that are used end up infected with a virus. I simply think it makes more sense to err on the side of caution.

> My recommendation is to send such things in a password-protected zip, so that
> there has to be a deliberate action by the recipient to get access to the
> file inside the zip - they can't just open it "by accident". That won't
> work if you simply block all zips though.
There are commercial versions of content scanning solutions that will actually open the archive and scan the contents, which in the case of MIMAIL would have been enough as its payload was an executable. Your practice of allowing password-protection offers half of the solution using these systems, because the archive has to be encrypted for the contents not to be viewable to these scanners...thus the archive would have to be password-protected and encrypted.

In addition, perhaps I allow .zip files...because they can be password protected...but the one that was sent to the list was neither a .zip OR password protected...so...again...I prefer to err on the side of caution to protect my users.

My only point was that a mailing list is likely not the right place to send archives attached to emails. Especially one that many people probably have whitelisted for SPAM anyway. As I pointed out, I assumed I wasn't the only user of this list who has archives turned on...and simply advised against using the list as a distribution point for potentially harmful attachments.

CT

> Antony.
>
> --
>
> This email was created using 100% recycled electrons.

From kevins at BMRB.CO.UK Sat Sep 6 15:25:31 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: support for SpamAssassin user_scores_dsn
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A2C@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A2C@pascal.priv.bmrb.co.uk>
Message-ID: <1062858332.24760.129.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 13:50, Marc Delisle wrote:
>I would have preferred not having to learn procmail (I would have to
>code the lookup and the headers rewriting) and instead rely on
>MailScanner

I didn't make it clear that procmail will only work if your users have their mail accounts on the machine, which I should have done (I assumed that because you previously used SA you did this through procmail - which was clearly wrong).
In my experience a good deal of the spam at my site is addressed to multiple local recipients (certainly that which I receive is) >MailScanner (which maybe could talk to spamd, is this planned) No, and frankly I doubt it ever will be. MailScanner talks to SA using SA's API which is the best way to do it. One further option (involving a little coding) is to configure your MTA to split messages into one recipient per message (note this has potential performance implications) and then write a Custom Config function which pulls the score for the user from your database. Then make Required SpamAssassin Score and/or High SpamAssassin Score point to your function. I imagine this would be quite simple to do. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From raymond at PROLOCATION.NET Sat Sep 6 15:35:47 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:50 2006 Subject: support for SpamAssassin user_scores_dsn In-Reply-To: <1062858332.24760.129.camel@bach.kevinspicer.co.uk> Message-ID: Hi! > I didn't make it clear that procmail will only work if your users have > their mail accounts on the machine, which I should have done (I assumed > that because you previously used SA you did this through procmail - > which was clearly wrong). 
In my experience a good deal of the spam at > my site is addressed to multiple local recipients (certainly that which > I receive is) If you are using sendmail its possible to split that so it will work perfectly. This is also in the FAQ ... Bye, Raymond. From mike at CAMAROSS.NET Sat Sep 6 15:46:45 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:50 2006 Subject: {File Violation} Spanish translations update In-Reply-To: <01db01c37483$842438d0$23c8a8c0@SERV> Message-ID: <002901c37485$b1f82d50$640ba8c0@home.middlefinger.net> Ugh...I have WAY too many users that can't even spell FTP ...much less use it! -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Trudeau-Personal Sent: Saturday, September 06, 2003 9:31 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: {File Violation} Spanish translations update > In which case, how do you recommend legitimate users send, for > example, a .exe file to each other if you block the .exe and also any > compressed archive > they might put it into? I suggest to my users that they use FTP, SSH, HTTP or some other means of providing a file that violates my policy. If this is not doable for them and they require exe and archives I allow it and make them request it in writing. I have done some in depth statsistical analysis on executables and archive files. There are very few of them used, and a LARGE percentage of those that are used end up infected with a virus. I simply think it makes more sense to err on the side of caution. > My recommendation is to send such things in a password-protected zip, > so that > there has to be a deliberate action by the recipient to get access to the > file inside the zip - they can't just open it "by accident". That won;t > work if you simply block all zips though. 
There are commerical versions of content scanning solutions that will actually open the archive and scan the contents, which in the case of MIMAIL would have been enough as its payload was an executable. Your practice of allowing password-protection offers half of the solution using these systems, because the archive has to be encrypted for the contents not to be viewable to these scanners...thus the archive would have to be password-protected and encrypted. In addition, perhaps I allow .zip files...because they can be password protected...but the one that was sent to the list was neither a .zip OR password protected...so...again...I prefer to err on the side of caution to protect my users. my only point was that a mailing list is likely not the right place to send archives attached to emails. Especially one that many people probably have whitelisted for SPAM anyway. As I pointed out, I assumed I wasn't the only user of this list who has archives turned on...and simply advised against using the list as a distribution point for potentially harmful attachments. CT > Antony. > > -- > > This email was created using 100% recycled electrons. From vernon at COMP-WIZ.COM Sat Sep 6 16:00:59 2003 From: vernon at COMP-WIZ.COM (Vernon Webb) Date: Thu Jan 12 21:19:50 2006 Subject: Spamassain In-Reply-To: <1062836105.24761.110.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A23@pascal.priv.bmrb.co.uk> <1062836105.24761.110.camel@bach.kevinspicer.co.uk> Message-ID: <20030906150006.M92083@comp-wiz.com> > No, but if you're using 2.60 from the nightly CVS snapshots it may be > worth downloading again, in case the particular snapshot you grabbed was > broken. ?If you still have problems downgrade to 2.55. I've tried both and each time I set it to yes and restart MailScanner, MailScanner fails. :( -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030906/6438c063/attachment.html From kevins at BMRB.CO.UK Sat Sep 6 17:32:52 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:50 2006 Subject: Spamassain In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A33@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A33@pascal.priv.bmrb.co.uk> Message-ID: <1062865988.21420.7.camel@bach.kevinspicer.co.uk> On Sat, 2003-09-06 at 16:00, Vernon Webb wrote: >> No, but if you're using 2.60 from the nightly CVS snapshots it may be >> worth downloading again, in case the particular snapshot you grabbed was >> broken. If you still have problems downgrade to 2.55. >I've tried both and each time I set it to yes and restart MailScanner, >MailScanner fails. :( You don't say which MTA you're using. If you use an MTA that runs as a user other than root make sure that user has a real home directory (SA writes into the home directory of the user that calls it). How did you install SA? tar/ rpm / CPAN? If you did it any other way than from the tarball uninstall and build the tarball. Make sure make test works (warning, it takes forever!) - don't worry if the spamd tests fail. Make sure SA works from the command line (spamassassin -D --lint) Make sure SA works from the command line using the MailScanner spam.assassin.prefs.conf file (spamassassin -D --lint --config-file=/etc/MailScanner/spam.assassin.prefs.conf) If you're running your MTA as another user su to that user and try the command above again. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. 
Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From vernon at COMP-WIZ.COM Sat Sep 6 18:26:43 2003
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <1062865988.21420.7.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A33@pascal.priv.bmrb.co.uk> <1062865988.21420.7.camel@bach.kevinspicer.co.uk>
Message-ID: <20030906172004.M13077@comp-wiz.com>

> You don't say which MTA you're using. If you use an MTA that runs as a
> user other than root make sure that user has a real home directory (SA
> writes into the home directory of the user that calls it).

I'm running sendmail on a RedHat 9.0 Box

> How did you install SA? tar/ rpm / CPAN?

Using the rpm.

> If you did it any other way than from the tarball uninstall and build
> the tarball. Make sure make test works (warning, it takes forever!) -
> don't worry if the spamd tests fail.

That was the first thing I tried and when I used the Makefile.PL I got the following error:

Warning: I could not locate your pod2man program. Please make sure,
         your pod2man program is in your PATH before you execute 'make'

When I attempted a lookup of this problem on Google I found that the Perl uses something or other that needed to be changed in /etc/sysconfig/i18n from LANG="en_US.UTF-8" to LANG="en_US" but this did not help at all. So I'm unable to install from the tarball.

From raymond at PROLOCATION.NET Sat Sep 6 18:37:12 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <20030906172004.M13077@comp-wiz.com>
Message-ID:

Hi!

> I'm running sendmail on a RedHat 9.0 Box
>
> > How did you install SA? tar/ rpm / CPAN?

Please install via source or CPAN. RPM is known to give trouble.

> That was the first thing I tried and when I used the Makefile.PL I got the following error:
>
> Warning: I could not locate your pod2man program. Please make sure,
>          your pod2man program is in your PATH before you execute 'make'

Change your settings (check the faq) it's mentioned there over and over.

In your /etc/sysconfig there is a file: i18n

[root@vmx30 sysconfig]# more i18n
LANG="en_US"
SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"

Most likely you have something different in the LANG section. Change it to the above.

Bye,
Raymond.

From kevins at BMRB.CO.UK Sat Sep 6 18:40:30 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A35@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A35@pascal.priv.bmrb.co.uk>
Message-ID: <1062870030.21420.12.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 18:26, Vernon Webb wrote:
>That was the first thing I tried and when I used the Makefile.PL I got
>the following error:
>Warning: I could not locate your pod2man program. Please make sure,
> your pod2man program is in your PATH before you execute 'make'

See Julian's instructions here...
http://www.sng.ecs.soton.ac.uk/mailscanner/install/spamassassin.shtml
They tell you how to get round the pod2man problem.

From vernon at COMP-WIZ.COM Sat Sep 6 18:38:41 2003
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To:
References: <20030906172004.M13077@comp-wiz.com>
Message-ID: <20030906173748.M74149@comp-wiz.com>

> Change your settings (check the faq) it's mentioned there over and over.
>
> In your /etc/sysconfig there is a file: i18n
>
> [root@vmx30 sysconfig]# more i18n
> LANG="en_US"
> SUPPORTED="en_US.UTF-8:en_US:en"
> SYSFONT="latarcyrheb-sun16"
>
> Most likely you have something different in the LANG section.
> Change it to the above.

As I already mentioned, I've done this and I still get the error message.

From sevans at FOUNDATION.SDSU.EDU Sat Sep 6 18:47:33 2003
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
Message-ID: <95B481BA6D181A4685081D263BF9A13A195EB8@mail.foundation.sdsu.edu>

Well I assume you do have pod2man in your path, check to be sure (i.e. whereis pod2man)

Then try this from the SpamAssassin FAQ, http://spamassassin.taint.org/faq/index.cgi?req=show&file=faq04.014.htp

Steve Evans
SDSU Foundation

_____

From: Vernon Webb [mailto:vernon@COMP-WIZ.COM]
Sent: Saturday, September 06, 2003 10:39 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Spamassain

> Change your settings (check the faq) it's mentioned there over and over.
>
> In your /etc/sysconfig there is a file: i18n
>
> [root@vmx30 sysconfig]# more i18n
> LANG="en_US"
> SUPPORTED="en_US.UTF-8:en_US:en"
> SYSFONT="latarcyrheb-sun16"
>
> Most likely you have something different in the LANG section.
> Change it to the above.

As I already mentioned, I've done this and I still get the error message.

From raymond at PROLOCATION.NET Sat Sep 6 18:51:28 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <20030906173748.M74149@comp-wiz.com>
Message-ID:

Hi!

> > [root@vmx30 sysconfig]# more i18n
> > LANG="en_US"
> > SUPPORTED="en_US.UTF-8:en_US:en"
> > SYSFONT="latarcyrheb-sun16"
> >
> > Most likely you have something different in the LANG section.
> > Change it to the above.
>
> As I already mentioned, I've done this and I still get the error message.

You also opened a new shell ?

Bye,
Raymond.
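
Added example, not part of any post in this digest and not MailScanner code: the archive-attachment exchange above between Chris Trudeau and Antony Stone turns on what a gateway can see inside a zip. This Python example reads only the zip's central directory, applies an extension rule to the member names and reports which members are flagged as encrypted; the extension list, the verdict names and the sample archives are assumptions constructed for illustration.

```python
import io
import posixpath
import struct
import zipfile

# Example policy values (assumptions, not MailScanner's own rule files).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag: entry is encrypted


def inspect_zip(data):
    """Classify an attachment using only the ZIP central directory.

    No member is decompressed, so no password is needed.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "not-a-zip", "blocked": [], "encrypted": []}
    blocked, encrypted = [], []
    with archive:
        for info in archive.infolist():
            # Last extension decides, so "invoice.pdf.exe" counts as .exe.
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                blocked.append(info.filename)
            if info.flag_bits & ENCRYPTED_FLAG:
                encrypted.append(info.filename)
    if blocked:
        verdict = "block"   # a member name violates the filename rule
    elif encrypted:
        verdict = "hold"    # names look fine, but contents cannot be scanned
    else:
        verdict = "scan"    # hand the extracted members to the virus scanner
    return {"verdict": verdict, "blocked": blocked, "encrypted": encrypted}


def make_sample_zip(members, encrypted=False):
    """Build a constructed sample archive in memory.

    Python's zipfile cannot write encrypted entries, so for the encrypted
    samples the flag bit is set directly in each central directory header.
    The payloads are never read, so this is enough for inspect_zip().
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        eocd = data.rfind(b"PK\x05\x06")                    # end of central directory
        count = struct.unpack_from("<H", data, eocd + 10)[0]
        pos = struct.unpack_from("<I", data, eocd + 16)[0]  # first central header
        for _ in range(count):
            data[pos + 8] |= ENCRYPTED_FLAG                 # flags field, low byte
            name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
            pos += 46 + name_len + extra_len + comment_len
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "plain zip, text only": make_sample_zip({"report.txt": b"constructed"}),
        "plain zip, hidden exe": make_sample_zip(
            {"docs/readme.txt": b"constructed", "docs/invoice.pdf.EXE": b"MZ constructed"}),
        "password zip, exe": make_sample_zip({"setup.exe": b"MZ constructed"}, encrypted=True),
        "password zip, text": make_sample_zip({"notes.txt": b"constructed"}, encrypted=True),
        "not an archive": b"plain text attachment, not a zip",
    }
    for label, blob in samples.items():
        print(label, "->", inspect_zip(blob))
```

Traditional zip password protection leaves member names readable in the central directory, which is why the password-protected sample holding `setup.exe` is still blocked by name while the one holding only `notes.txt` is held for a policy decision.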
From vernon at COMP-WIZ.COM Sat Sep 6 19:29:51 2003
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To:
References: <20030906173748.M74149@comp-wiz.com>
Message-ID: <20030906182753.M93602@comp-wiz.com>

> You also opened a new shell ?

Not sure what you mean by that, but I've finally gotten it installed only to encounter the same problem. I start MailScanner with "Use SpamAssassin = yes" and the second a piece of mail comes in MailScanner crashes.

Vern

From tunceresen at ERESEN.COM Sat Sep 6 19:43:44 2003
From: tunceresen at ERESEN.COM (Tunc Eresen)
Date: Thu Jan 12 21:19:50 2006
Subject: tunceresen@eresen.com
Message-ID:

Hello, all (just joined the list)

I am ing Mailscanner and spamassasin on Cobalt RAQ 550,
---------
I am getting following error when I start mailscanner with following

Shutting down MailScanner daemons:
 MailScanner: MailScanner ok
 incoming sendmail: ok
 outgoing sendmail: head: /var/run/sendmail.out.pid: No such file or directory
ok
[root spool]# /etc/rc.d/init.d/MailScanner start
Starting MailScanner daemons:
 incoming sendmail: ok
 outgoing sendmail: can not chdir(=/var/spool/mqueue): No such file or directory
ok
 MailScanner: ok

What changes should I make to correct this error?
Thanks TUNC ERESEN From kevins at BMRB.CO.UK Sat Sep 6 20:24:35 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:50 2006 Subject: tunceresen@eresen.com In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A3C@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A3C@pascal.priv.bmrb.co.uk> Message-ID: <1062876276.21420.18.camel@bach.kevinspicer.co.uk> On Sat, 2003-09-06 at 19:43, Tunc Eresen wrote: > > outgoing sendmail: can not chdir(=/var/spool/mqueue): No such file or directory >What changes should I make to correct this error? Well , you might like to start by checking that /var/spool/mqueue exists and is accessible. It seems odd that it isn't there - has your sendmail installation been built or configured to use a different queue directory? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Sat Sep 6 20:29:51 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:50 2006 Subject: Spamassain In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A3B@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A3B@pascal.priv.bmrb.co.uk> Message-ID: <1062876591.21420.25.camel@bach.kevinspicer.co.uk> On Sat, 2003-09-06 at 19:29, Vernon Webb wrote: >> You also opened a new shell ? >Not sure what you mean by that, but I've finally gotten it installed >only to encouter the same problem. 
I start MailScanner with "Use
>SpamAssassin = yes" and the second a piece of mail comes in MailScanner
>crashes.
>Vern

He meant, did you either close your terminal window (if working in X) or logout and log back in - so that your environment reflects the changes that you made.

Did you run the spamassassin -D --lint test I suggested?

In what way does MailScanner 'crash'? Do the processes die? Is there anything in the maillog?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From shrek-m at GMX.DE Sat Sep 6 20:34:05 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:19:50 2006
Subject: tunceresen@eresen.com
In-Reply-To:
References:
Message-ID: <3F5A36AD.7000601@gmx.de>

Tunc Eresen wrote:

>Hello, all (just joined the list)
>I am ing Mailscanner and spamassasin on Cobalt RAQ 550,
>---------
>I am getting following error when I start mailscanner with following
>Shutting down MailScanner daemons:
> MailScanner: MailScanner ok
> incoming sendmail: ok
> outgoing sendmail: head: /var/run/sendmail.out.pid: No such file
>or directory
>ok
>[root spool]# /etc/rc.d/init.d/MailScanner start
>Starting MailScanner daemons:
> incoming sendmail: ok
> outgoing sendmail: can not chdir(=/var/spool/mqueue): No such file
>or directory
>ok
> MailScanner: ok
>What changes should I make to correct this error?
>

# ll /var/spool
drwx------ 2 root mail 4096 Sep 6 12:08 mqueue
drwx------ 2 root root 16384 Sep 6 12:08 mqueue.in

# rpm -q sendmail
sendmail-8.12.8-6.80

# ll /var/run/sendmail.*
-rw------- 1 root smmsp 150 Sep 6 21:30 /var/run/sendmail.in.pid
-rw------- 1 root smmsp 66 Sep 6 21:30 /var/run/sendmail.out.pid

--
shrek-m

From vernon at COMP-WIZ.COM Sat Sep 6 21:24:02 2003
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <1062876591.21420.25.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A3B@pascal.priv.bmrb.co.uk> <1062876591.21420.25.camel@bach.kevinspicer.co.uk>
Message-ID: <20030906202352.M38025@comp-wiz.com>

> Did you run the spamassassin -D --lint test I suggested?

I'm sorry I didn't get that. What was the command? When I do spamd -D --lint I get --lint not recognized. If I do spamd -D I get a bunch of stuff but it seems that things do start ok. What exactly am I looking for?

> In what way does MailScanner 'crash'? Do the processes die? Is there
> anything in the maillog?

I'm not sure that this has anything to do with it, but I'm getting a bunch of these error messages in the maillog (can't be good):

dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

From kevins at BMRB.CO.UK Sat Sep 6 22:14:01 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A40@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A40@pascal.priv.bmrb.co.uk>
Message-ID: <1062882842.21420.44.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 21:24, Vernon Webb wrote:
>> Did you run the spamassassin -D --lint test I suggested?
>I'm sorry I didn't get that. What was the command?
When I do spamd -D
>--lint I get --lint not recognized. If I do spamd -D I get a bunch of
>stuff but it seems that things do start ok. What exactly am I looking
>for?

The commands are...

spamassassin -D --lint

and

spamassassin -D --lint
--config-file=/etc/MailScanner/spam.assassin.prefs.conf

[Please note that the line wrapped in the second example above, you should type it all on one line]

The -D option indicates Debug (so you get verbose output) --lint tells spamassassin to check the configuration files are sane (you'll get error messages if they are not). In the second example we also tell it to use the spamassassin config that MailScanner uses. The idea is to check that SpamAssassin is working okay (first command) then check that it hasn't been broken by something in the MailScanner config (second command).

spamd has nothing to do with it. MailScanner doesn't use spamd, it calls the SA API directly - which is better.

>> In what way does MailScanner 'crash'? Do the processes die? Is there
>> anything in the maillog?
>I'm not sure that this has anything to do with it, but I'm getting a
>bunch of these error messages in the maillog (can't be good):
>dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

Possibly, the whole line would have been nice! Presumably this is being logged by a sendmail process? possibly a sign that sendmail isn't listening on the loopback interface. You can find out by doing...

netstat -an | grep :25

If you get a line that looks like this...

tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN

[sorry it wrapped again - but you get the idea?]

...then that is not your problem, however if the first 0.0.0.0 is an ip address of one of your interfaces then it is. IIRC RedHat's sendmail by default listens only on 127.0.0.1, maybe someone has changed this to an IP of an external interface?
BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From vernon at COMP-WIZ.COM Sat Sep 6 23:01:24 2003
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <1062882842.21420.44.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A40@pascal.priv.bmrb.co.uk> <1062882842.21420.44.camel@bach.kevinspicer.co.uk>
Message-ID: <20030906220113.M20527@comp-wiz.com>

> The commands are...
>
> spamassassin -D --lint

I got no errors here.

> spamassassin -D --lint
> --config-file=/etc/MailScanner/spam.assassin.prefs.conf

This one ran REAL fast and here's what got:

debug: Score set 0 chosen.
debug: running in taint mode? no
debug: ignore: using a test message to lint rules
debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin" for user state dir
debug: using "/root/.spamassassin/user_prefs" for user prefs file
debug: using "/root/.spamassassin" for user state dir
debug: bayes: 13662 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 13662 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 0
debug: bayes: Not available for scanning, only 1 spam(s) in Bayes DB < 200
debug: bayes: 13662 untie-ing
debug: bayes: 13662 untie-ing db_toks
debug: bayes: 13662 untie-ing db_seen
debug: Score set 1 chosen.
debug: Initialising learner
debug: using "/root/.spamassassin" for user state dir
debug: bayes: 13662 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 13662 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 0
debug: bayes: Not available for scanning, only 1 spam(s) in Bayes DB < 200
debug: bayes: 13662 untie-ing
debug: bayes: 13662 untie-ing db_toks
debug: bayes: 13662 untie-ing db_seen
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=0
debug: running uri tests; score so far=0
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0
debug: running meta tests; score so far=0
debug: is spam? score=0 required=5 tests=

> Possibly, the whole line would have been nice!

Here's the whole line:

Sep 6 17:30:45 home sm-msp-queue[11614]: h85D9arc008082: to=postmaster, delay=1+08:20:30, xdelay=00:00:00, mailer=relay, pri=15064715, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

> Presumably this is being
> logged by a sendmail process? possibly a sign that sendmail isn't
> listening on the loopback interface. You can find out by doing...
> IIRC RedHat's sendmail by default listens only on 127.0.0.1, maybe
> someone has changed this to an IP of an external interface?

But you are right and this confuses me. If I set up sendmail options with:

Port=smtp,Addr=127.0.0.1, Name=MTA

then I don't get any incoming mail. However if I set it up with the public IP it works fine. Is that how it's supposed to work?

From brose at MED.WAYNE.EDU Sun Sep 7 00:03:40 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:50 2006
Subject: Sobig.F@mm.enc
Message-ID:

MailScanner doesn't seem to be catching this. I thought Ms was written to check for the mime enclosed in header stuff. Did this get broken along the later versions.

-=Bobby

From kevins at BMRB.CO.UK Sun Sep 7 00:16:53 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Sobig.F@mm.enc
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A43@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A43@pascal.priv.bmrb.co.uk>
Message-ID: <1062890214.21422.82.camel@bach.kevinspicer.co.uk>

On Sun, 2003-09-07 at 00:03, Rose, Bobby wrote:
>MailScanner doesn't seem to be catching this. I thought Ms was written
>to check for the mime enclosed in header stuff. Did this get broken
>along the later versions.

This looks like it might be the same issue as yesterday's thread 'Missed Virus?'. Could you give a few more details, like MailScanner version, scanner name, format of the message that got through (was it an MTA bounce message with a .txt attachment containing the original mail with a virus?). Source of the mail would be good if you have it (but please snip out the encoded virus data from between the MIME section headers!!)
BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From kevins at BMRB.CO.UK Sun Sep 7 00:11:15 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A42@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A42@pascal.priv.bmrb.co.uk>
Message-ID: <1062889876.21422.76.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 23:01, Vernon Webb wrote:
>> spamassassin -D --lint
>> --config-file=/etc/MailScanner/spam.assassin.prefs.conf
>This one ran REAL fast and here's what got:
>debug: running in taint mode? no

Yeah that all looks in order

>> Possibly, the whole line would have been nice!
> Here's the whole line:
>Sep 6 17:30:45 home sm-msp-queue[11614]: h85D9arc008082:
>to=postmaster, delay=1+08:20:30, xdelay=00:00:00, mailer=relay,
>pri=15064715, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection
>refused by [127.0.0.1]

That's pretty much what I thought, it's a locally generated mail that's been queued and can't be passed to the incoming sendmail process because it's not listening on the loopback interface.

>> Presumably this is being
>> logged by a sendmail process? possibly a sign that sendmail isn't
>> listening on the loopback interface. You can find out by doing...
>> IIRC RedHat's sendmail by default listens only on 127.0.0.1, maybe
>> someone has changed this to an IP of an external interface?
>But you are right and this confuses me. If I set up sendmail options
>with:
> Port=smtp,Addr=127.0.0.1, Name=MTA
>then I don't get any incoming mail. However if I set it up with the
>public IP it works fine. Is that how it's supposed to work?

According to the comment in my sendmail.mc file (which is Mandrake, but presumably this holds for all sendmail configs) you should comment out the line entirely (by prepending dnl ) if you want to bind to all interfaces (the default behavior). Don't forget you'll need to rebuild sendmail.cf and stop/restart the sendmail processes started by MailScanner first.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at BARENDSE.TO Sun Sep 7 00:40:30 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:19:50 2006
Subject: Sobig.F@mm.enc
In-Reply-To:
Message-ID:

Do you still have a df/qf pair of the virus mail? Would like to study it. Bouncing it will not be much use as most MUAs tend to fix certain stuff.

On Sat, 6 Sep 2003, Rose, Bobby wrote:

> MailScanner doesn't seem to be catching this. I thought Ms was written
> to check for the mime enclosed in header stuff. Did this get broken
> along the later versions.
>
> -=Bobby
>

From brose at MED.WAYNE.EDU Sun Sep 7 01:17:52 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:50 2006
Subject: Sobig.F@mm.enc
Message-ID:

I saw the thread and I think I see what folks were saying.
I think we all thought people were saying that it was the pif guy coming thru but it's the mm.enc one. I'm running 4.23.11 on Solaris with both Sophos and ClamAV running and I block exe, pif, com, bat, scr, etc. I don't have the actual message since NortonAV for Exchange is catching it and stripping it out. That's why I started looking into it because I thought it odd that Norton was blabbering about it since all external mail goes thru MailScanner before getting to Exchange. Sure enough it was external messages that Nav for Exchange was picking up. Our Exchange boxes are configured to only accept mail from the mail gateway. So I did some further checking and it's the .enc which is where it's encoded in the mime header. I thought that MS had been written in the early 4.xx version to block anything encoded in the headers so I'm thinking that maybe it's been broken due to all the new content checking options that's been added.

Now I don't know if it's the virus or the AV software that someone is using but the message is from a postmaster@xxx.xxx.xx and is a rejection message saying that the message you sent was infected. So it's either a virus generated message or a real bounce message where the original message was sent back with the virus. I don't know if there are AV products out there that send the whole original message back if reject which sounds kind of dumb.

-=B

-----Original Message-----
From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
Sent: Saturday, September 06, 2003 7:17 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F@mm.enc

On Sun, 2003-09-07 at 00:03, Rose, Bobby wrote:
>MailScanner doesn't seem to be catching this. I thought Ms was written
>to check for the mime enclosed in header stuff. Did this get broken
>along the later versions.

This looks like it might be the same issue as yesterday's thread 'Missed Virus?'.
Could you give a few more details, like MailScanner version, scanner name, format of the message that got through (was it an MTA bounce message with a .txt attachment containing the original mail with a virus?). Source of the mail would be good if you have it (but please snip out the encoded virus data from between the MIME section headers!!)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at ecs.soton.ac.uk Sun Sep 7 15:27:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:50 2006
Subject: Please stop bouncing infected emails!
In-Reply-To:
Message-ID: <5.2.1.1.2.20030907152659.0280f050@imap.ecs.soton.ac.uk>

Please read www.sng.ecs.soton.ac.uk/mailscanner/reject.html

At 16:01 06/09/2003, Brian Tompsett wrote:
> Please stop bouncing infected emails!
>
>http://www.spywareinfo.com/articles/sobigbounces/
>
>Email server administrators, please read this message.
>
>If your mail server is set up to bounce emails with viruses attached
>with a message to the sender, please turn that feature off. Unless
>you've been in a cave for the past few days, you know that tens of
>millions -possibly hundreds of millions- of emails carrying the
>sobig.f virus have been hammering email servers worldwide. Not a
>single one of these emails has the sender in the FROM: field. Not one
>of them.
>
>The person listed in the FROM: field is not infected with a virus.
>Someone with that person in their address book is infected. Your
>bounce message serves no useful purpose and is contributing actively
>to this problem. For Christ's sake, stop bouncing the virus emails.
>Route them to /dev/null/ and be done with it.
>
>By bouncing these emails, you are making the problem twice as bad as
>it is already is. Please, look at the CPU and bandwidth usage of your
>servers. Every email server on the planet connected to the internet is
>under the same or greater load, and you, personally, are contributing
>to that load.
>
> Brian Tompsett
> Universities of Hull, Edinburgh and London
> +44 1482 465222
>
>
>From Postmaster@hull.ac.uk Sat Sep 06 09:50:28 2003
>Received: from [150.237.196.2] (helo=mailhub3.hull.ac.uk)
> by mailhub.dcs.hull.ac.uk with esmtp (Exim 3.03 #2)
> id 19vYm3-0002hS-00
> for bct@dcs.hull.ac.uk; Sat, 06 Sep 2003 09:50:27 +0100
>Received: from ensim.dbzgtlegacy.com by puccini.ucc.hull.ac.uk with ESMTP;
>Sat, 6 Sep 2003 09:49:57 +0100
>Received: (from root@localhost)
> by ensim.dbzgtlegacy.com (8.11.6/8.11.6) id h86Lq0231137;
> Sat, 6 Sep 2003 16:52:00 -0500
>Date: Sat, 6 Sep 2003 16:52:00 -0500
>Message-Id: <200309062152.h86Lq0231137@ensim.dbzgtlegacy.com>
>From: "MailScanner"
>To: b.c.tompsett@dcs.hull.ac.uk
>Subject: Warning: E-mail viruses detected
>X-MailScanner: generated
>Status: RO
>Content-Length: 634
>
>Our virus detector has just been triggered by a message you sent:-
> To: smith@amazinghumor.com
> Subject: Re: Your application
> Date: Sat Sep 6 16:52:00 2003
>Any infected parts of the message (application.pif)
>have not been delivered.
>
>This message is simply to warn you that your computer system may have a
>virus present and should be checked.
>
>The virus detector said this about the message:
>Report: application.pif contains Worm.Sobig.F
>Shortcuts to MS-Dos programs are very dangerous in email (application.pif)
>
>
>--
>MailScanner
>Email Virus Scanner
>www.mailscanner.info
>Mailscanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From lance at WARE.NET Sun Sep 7 19:19:34 2003
From: lance at WARE.NET (Lance Ware)
Date: Thu Jan 12 21:19:50 2006
Subject: bayes and mailscanner 4.23-11
Message-ID: <200309071820.h87IKXr19816@ori.rl.ac.uk>

Hi Folks,

Do I need to adjust these based on the %org-name% entry?

bayes_ignore_header X-MailScanner
bayes_ignore_header X-MailScanner-SpamCheck
bayes_ignore_header X-MailScanner-SpamScore
bayes_ignore_header X-MailScanner-Information

TIA
Lance

From Antony at SOFT-SOLUTIONS.CO.UK Sun Sep 7 09:24:07 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:50 2006
Subject: Real Expectations..
In-Reply-To: <3F5AE0E9.3F470715@whidbey.com>
References: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com> <3F5AE0E9.3F470715@whidbey.com>
Message-ID: <200309070824.h878OE512642@onyx.rockstone.co.uk>

On Sunday 07 September 2003 8:40 am, G. Armour Van Horn wrote:
> I don't know how it compares to a Sparc, but I'm running an AMD K6-2/500
> with 384 MB of RAM, RedHat 8.0, Sendmail per RH RPM, MailScanner 4.23-11,
> f-prot, SpamAssassin 2.6. Every morning I send out the Quotes of the Day
> through this machine, which uses a Perl script to merge the address lists
> with the e-mails and dumps it off to Sendmail.
The load average goes to 10
> or thereabouts during the mail run, but it gets through 6,200 messages in
> less than two hours while handling any incoming mail.

These Quote of the Day emails are going to be quite short (I hope!) in comparison to the "average" email coming in or going out through a normal system, they won't have any attachments which need unpacking or virus scanning, and the spam check is going to be pretty trivial too.

It would be interesting to know, as well as the fact you can process 6,200 of these messages in something under 2 hours at a load average of 10, how many normal messages your system processes during the following 6 hours of the business day, and what its load average is during that time.

Regards,
Antony.

--
It wasn't a sight to be seen on an empty stomach, although it could probably cause one.
 - Terry Pratchett, Soul Music

From kevins at BMRB.CO.UK Sun Sep 7 12:39:03 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Real Expectations..
Message-ID: <1062934744.21420.116.camel@bach.kevinspicer.co.uk>

On Sun, 2003-09-07 at 08:40, G. Armour Van Horn wrote:
>I suspect that I'm throttled by my 768K DSL, but the machine couldn't
>handle
>a lot more based on the LA.

Hmmm, is the LA caused by processes waiting on I/O or processor? If it's I/O then try sticking the MailScanner incoming directory in tmpfs (if you've not done so already)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From kevins at BMRB.CO.UK Sun Sep 7 12:19:30 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Sobig.F@mm.enc
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A48@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A48@pascal.priv.bmrb.co.uk>
Message-ID: <1062933571.21422.95.camel@bach.kevinspicer.co.uk>

On Sun, 2003-09-07 at 01:47, Rose, Bobby wrote:
>Hah I think I found something to work with. I use DCC milter and
>recently started using the greylisting function so I checked its logs
>and one of the messages that made it thru Mailscanner. It's not the
>complete message but does contain the header makeup.

That's really useful, it looks like the headers generated by the MTA (in this case an iMail server - might have guessed it was a windaz boz ;) ) indicate that the message has a mime type of text/plain, however the 'text' message is actually a mime message of type message/rfc822 [I think...], which in turn is a multipart/mixed message. So the fault lies with iMail for giving the message the wrong mime type (which is incorrect) and sending the virus back (which is stupid).

That doesn't help us though! Because MailScanner takes the text/plain at face value it doesn't recurse into the message looking for problems as it does with correctly formatted messages. Some of the virus scanners do recognise it as a message and do handle it correctly.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From David.While at UCE.AC.UK Sun Sep 7 10:58:28 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:50 2006
Subject: RBL
Message-ID: <107DE25EC0216C45AEF670016024245F644182@exchangea.staff.uce.ac.uk>

No my mailstats program analyses the log file produced by MailScanner. If an email is marked as spam by MailScanner (however it is configured) it is added to the list using an algorithm. The sender has to send more than one in a certain time period before it gets added.

Currently my set up only uses SpamAssassin to mark mails as spam so it is not relying on other RBLs (except in that SpamAssassin uses them but if it didn't it would still work). The most common SpamAssassin trap is the Bayes system at the moment.

David While

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
Sent: Sun 07/09/2003 10:46
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: RBL

Hi!

> I now have an RBL running which is dynamically updated using the output
> from my mailstats.pl program. It is my intention to add this feature to
> mailstats.pl so that the RBL can be updated using the collective power
> of MailScanner users. At the moment it is being tested and seems to be
> working OK.
>
> If you are interested to know more please email me off list.

I know it's slightly OT here, but what are you exactly blocking in that list? You block senders marked as spam, so you rely with the list totally on other RBLs ?

Bye,
Raymond.
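The listing rule described in the message above (a sender is added only after more than one spam verdict within a time period), as an added example that is not code from mailstats.pl. The report tuples are constructed, and the one-hour window, the `min_reporters` quorum and the zone name `rbl.example.test` are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample reports (not real MailScanner log lines):
# (timestamp, reporting site, sending relay IP, verdict).
SAMPLE_REPORTS = [
    ("2003-09-07 09:00:00", "site-a", "198.51.100.7", "spam"),
    ("2003-09-07 10:00:00", "site-a", "192.0.2.10", "spam"),
    ("2003-09-07 10:05:00", "site-a", "203.0.113.5", "spam"),
    ("2003-09-07 10:10:00", "site-b", "192.0.2.99", "clean"),
    ("2003-09-07 10:15:00", "site-b", "192.0.2.99", "spam"),
    ("2003-09-07 10:20:00", "site-a", "192.0.2.10", "spam"),
    ("2003-09-07 10:40:00", "site-b", "203.0.113.5", "spam"),
    ("2003-09-07 11:30:00", "site-b", "198.51.100.7", "spam"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def build_blocklist(reports, min_hits=2, window=timedelta(hours=1),
                    min_reporters=1):
    """Return the sorted IPs that reach min_hits spam verdicts inside one
    sliding window, seen by at least min_reporters distinct sites."""
    recent = defaultdict(deque)  # ip -> (timestamp, reporter) inside the window
    listed = set()
    for ts_text, reporter, ip, verdict in sorted(
            reports, key=lambda r: parse_ts(r[0])):
        if verdict != "spam":
            continue  # clean mail never counts towards a listing
        ts = parse_ts(ts_text)
        hits = recent[ip]
        hits.append((ts, reporter))
        # Drop verdicts that have aged out of the window.
        while hits and ts - hits[0][0] > window:
            hits.popleft()
        reporters = {who for _, who in hits}
        if len(hits) >= min_hits and len(reporters) >= min_reporters:
            listed.add(ip)
    return sorted(listed)


def dnsbl_name(ip, zone):
    """DNS name a client would query for an IPv4 address: the octets are
    reversed and the list's zone is appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    for ip in build_blocklist(SAMPLE_REPORTS, min_reporters=2):
        print(ip, "->", dnsbl_name(ip, "rbl.example.test"))
```

With `min_reporters=1` a single site's verdicts are enough to list a relay; raising it to 2 keeps one site's local filtering choices from listing a sender on their own.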
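The mislabelled bounce discussed in the Sobig.F@mm.enc thread above (a body declared text/plain that is really a nested MIME message) can be caught by re-parsing plain-text bodies that contain multipart headers. This is an added example, not MailScanner's code; the sample messages, addresses and placeholder attachment bytes are constructed.

```python
import base64
import re
from email import message_from_string

# Constructed stand-in for the attachment bytes: harmless text, not malware.
PLACEHOLDER = b"constructed placeholder, not a real attachment\n" * 4

# Constructed original message: multipart/mixed with one base64 attachment.
ORIGINAL = (
    "From: sender@example.test\n"
    "To: user@example.test\n"
    "Subject: Re: Your application\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XBOUND"\n'
    "\n"
    "--XBOUND\n"
    "Content-Type: text/plain\n"
    "\n"
    "See the attached file for details\n"
    "--XBOUND\n"
    'Content-Type: application/octet-stream; name="application.pif"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="application.pif"\n'
    "\n"
    + base64.encodebytes(PLACEHOLDER).decode("ascii")
    + "--XBOUND--\n"
)

# Constructed bounce: the header declares text/plain, yet the body carries
# the whole original message, attachment included.
BOUNCE = (
    "From: postmaster@mta.example.test\n"
    "To: user@example.test\n"
    "Subject: Message rejected\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain\n"
    "\n"
    "The message you sent was infected and has been rejected.\n"
    "\n"
    + ORIGINAL
)

EMBEDDED_MIME = re.compile(r"^Content-Type:\s*multipart/", re.I | re.M)


def declared_filenames(raw):
    """Attachment names visible when the declared MIME types are trusted."""
    msg = message_from_string(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def find_hidden_parts(raw):
    """Re-parse text/plain bodies that contain an embedded multipart message.

    Returns (filename, declared type, decoded size) for every attachment
    found inside such a body.
    """
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        text = (part.get_payload(decode=True) or b"").decode("latin-1")
        text = text.replace("\r\n", "\n")
        hit = EMBEDDED_MIME.search(text)
        if hit is None:
            continue
        # The embedded header block begins after the last blank line that
        # precedes the multipart Content-Type header.
        blank = text.rfind("\n\n", 0, hit.start())
        start = blank + 2 if blank >= 0 else 0
        inner = message_from_string(text[start:])
        for sub in inner.walk():
            name = sub.get_filename()
            if name and not sub.is_multipart():
                data = sub.get_payload(decode=True) or b""
                findings.append((name, sub.get_content_type(), len(data)))
    return findings


if __name__ == "__main__":
    print("trusting declared types:", declared_filenames(BOUNCE))
    print("after re-parsing text/plain:", find_hidden_parts(BOUNCE))
```

The decoded bytes of each finding can then be handed to the same filename rules and virus scanners that correctly typed attachments go through.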
From David.While at UCE.AC.UK Sun Sep 7 11:05:39 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:50 2006
Subject: RBL
Message-ID: <107DE25EC0216C45AEF670016024245F644183@exchangea.staff.uce.ac.uk>

My plan was that the IP address would have to be reported by more than one client before it got added.

David While

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
Sent: Sun 07/09/2003 11:01
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: RBL

Hi!

> my mailstats program analyses the log file produced by MailScanner. If
> an email is marked as spam by MailScanner (however it is configured) is
> added to the list using an algorithm. The sender has to send more than
> one in a certain time period before it gets added.

k.

> Currently my set up only uses SpamAssassin to mark mails as spam so it
> is not relying on other RBLs (except in that SpamAssassin uses them but
> if it didn't it would still work). The most common SpamAssassin trap is
> the Bayes system at the moment.

What about false positives ? They automatically also get added. Not saying it's bad, but just a thought. What would be nice is an interface for the RBL where you could see the 'spam', headers/text and approve it to going on the list. If we have a couple of people watching over the output that should be do-able and more reliable... Else it's depending on everyone's site settings what's in the RBL. If I decide to filter all english messages, since we only want to get dutch mail, that would be nasty :)

Bye,
Raymond.

From raymond at PROLOCATION.NET Sun Sep 7 11:01:52 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:50 2006
Subject: RBL
In-Reply-To: <107DE25EC0216C45AEF670016024245F644182@exchangea.staff.uce.ac.uk>
Message-ID:

Hi!

> my mailstats program analyses the log file produced by MailScanner. If
> an email is marked as spam by MailScanner (however it is configured) is
> added to the list using an algorithm.
The sender has to send more than > one in a certain time period before it gets added. k. > Currently my set up only uses SpamAssassin to mark mails as spam so it > is not relying on other RBLs (except in that SpamAssassin uses them but > if it didn't it would still work). The most common SpamAssassin trap is > the Bayes system at the moment. What about false positives ? They automaticly also get added. Not saying its bad, but just a thought. What would be nice is a inter face for the RBL where you could see the 'spam', headers/text and approve it to going on the list. If we havea couple of people watching over the output that should be do-able and more reliable... Else its depending on everyones site settings whats in the RBL. If i decide to filter all english messages, since we only want to get dutch mail, that would be nasty :) Bye, Raymond. From SJCJonker at SJC.NL Sun Sep 7 12:16:41 2003 From: SJCJonker at SJC.NL (Stijn Jonker) Date: Thu Jan 12 21:19:50 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> Message-ID: <3F5B1399.3070901@SJC.nl> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 155 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030907/df78883e/attachment.bin From kevins at BMRB.CO.UK Sun Sep 7 16:28:58 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:50 2006 Subject: Sobig.F@mm.enc In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A5D@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A5D@pascal.priv.bmrb.co.uk> Message-ID: <1062948539.21422.123.camel@bach.kevinspicer.co.uk> On Sun, 2003-09-07 at 16:16, Antony Stone wrote: > Enc is where > it's encoded into the mime header. 
>Please can somebody explain to me what this means? Are you saying
>that a
>virus can be encoded in a MIME header, rather than (as is usual) in a MIME
>body to which the header refers?

No, I think the .enc actually means it's base-64 encoded as it would appear within a MIME body. Clearly a signature which matched the virus when decoded would not match the virus when it is encoded as part of a message. As we've seen in this thread there are some MTAs which bounce an encoded message but indicate (incorrectly) that it is plain text; this means MailScanner treats it as a text file and it will only be spotted by those virus scanners which either a) have special signatures for the encoded version or b) spot that it is encoded and decode it before scanning.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From tunceresen at eresen.com Sun Sep 7 07:31:43 2003
From: tunceresen at eresen.com (=?us-ascii?Q?Tunc_Eresen=28=3F`..=2C=2C.-=3E__Cobalt___M447785363481_?=)
Date: Thu Jan 12 21:19:50 2006
Subject: DCC-Pyzor
In-Reply-To: <1062882842.21420.44.camel@bach.kevinspicer.co.uk>
Message-ID: <200309070632.h876WBD11562@ns2.findmenet.com>

Hello, all

I ran "spamassassin -D --lint" on a Cobalt server 550 with SpamAssassin+MailScanner and had the following errors. Should I install these packages?

debug: DCC is not available: dccproc not found
debug: Pyzor is not available: pyzor not found

Best Regards,
O. TUNC ERESEN
NT & Security Consultant.
Mobile: (44)07785 363 481
17 OAK ROAD, BRACKLEY, NORTHANTS, UK, NN13 6ER
tunc@eresen.com
www.eresen.com
eresen@hotmail.com (MSN Messenger service)
eutsl@yahoo.com (Yahoo Messenger service)

The information contained in this email and any attachment is confidential. It is intended only for the named addressee's. If you are not the named addressee please notify the sender immediately and do not disclose, copy or distribute the contents to any other person other than the intended addressee's.. If you have received this transmission in error it would be helpful if you could notify tunc@eresen.com as soon as possible.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer
Sent: Saturday, September 06, 2003 10:14 PM
To: MAILSCANNER@JISCMAIL.AC.UK

On Sat, 2003-09-06 at 21:24, Vernon Webb wrote:
>> Did you run the spamassassin -D --lint test I suggested?
>I'm sorry I didn't get that. What was the command? When I do spamd -D
>--lint I get --lint not recognized. If I do spamd -D I get a bunch of
>stuff but it seems that things do start ok. What exactly am I looking
>for?

The commands are...

spamassassin -D --lint

and

spamassassin -D --lint --config-file=/etc/MailScanner/spam.assassin.prefs.conf

[Please note that the line wrapped in the second example above, you should type it all on one line]

The -D option indicates Debug (so you get verbose output). --lint tells spamassassin to check the configuration files are sane (you'll get error messages if they are not). In the second example we also tell it to use the spamassassin config that MailScanner uses. The idea is to check that SpamAssassin is working okay (first command) then check that it hasn't been broken by something in the MailScanner config (second command). spamd has nothing to do with it. MailScanner doesn't use spamd, it calls the SA API directly - which is better.

>> In what way does MailScanner 'crash'? Do the processes die?
Is there >> anything in the maillog? >I'm not sure that this has anything to do with it, but I'm getting a >bunch of these error messages in the maillog (can't be good): >dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1] Possibly, the whole line would have been nice! Presumably this is being logged by a sendmail process? possibly a sign that sendmail isn't listening on the loopback interface. You can find out by doing... netstat -an | grep :25 If you get a line that looks line this... tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN [sorry it wrapped again - but you get the idea?] ...then that is not your problem, however if the first 0.0.0.0 is an ip address of one of your interfaces then it is. IIRC RedHat's sendmail by default listens only on 127.0.0.1, maybe someone has changed this to an IP of an external interface? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: OSMAN TUNC ERESEN (tunc@eresen.com).vcf
Type: text/x-vcard
Size: 697 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030907/53a4058c/OSMANTUNCERESENtunceresen.com.vcf

From raymond at PROLOCATION.NET Sun Sep 7 10:46:04 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:51 2006
Subject: RBL
In-Reply-To: <107DE25EC0216C45AEF670016024245F644181@exchangea.staff.uce.ac.uk>
Message-ID:

Hi!

> I now have an RBL running which is dynamically updated using the output
> from my mailstats.pl program. It is my intention to add this feature to
> mailstats.pl so that the RBL can be updated using the collective power
> of MailScanner users. At the moment it is being tested and seems to be
> working OK.
>
> If you are interested to know more please email me off list.

I know it's slightly OT here, but what are you exactly blocking in that list? You block senders marked as spam, so you rely with the list totally on other RBLs?

Bye,
Raymond.

From brose at MED.WAYNE.EDU Sun Sep 7 15:34:01 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:51 2006
Subject: Sobig.F@mm.enc
Message-ID:

I'm the same way. Sobig is being caught for the most part but you have different versions going on here. You have mm and mm.enc. Enc is where it's encoded into the mime header.

-----Original Message-----
From: G. Armour Van Horn [mailto:vanhorn@whidbey.com]
Sent: Sunday, September 07, 2003 3:28 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F@mm.enc

I'm running 4.23-11, and most SoBig messages are getting caught not only by both virus scanners (f-prot and ClamAV) but also based on file name by MailScanner itself, since .pif files shouldn't be allowed to start with. It's not a problem with recent versions, how recent is your setup?

Van

"Rose, Bobby" wrote:
> MailScanner doesn't seem to be catching this. I thought Ms was
> written to check for the mime enclosed in header stuff.
Did this get > broken along the later versions. > > -=Bobby -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ---------------------------------------------------------- From tunceresen at eresen.com Sun Sep 7 14:38:02 2003 From: tunceresen at eresen.com (=?us-ascii?Q?Tunc_Eresen=28=3F`..=2C=2C.-=3E__Cobalt___M447785363481_?=) Date: Thu Jan 12 21:19:51 2006 Subject: DCC-Pyzor In-Reply-To: <1062933815.21422.100.camel@bach.kevinspicer.co.uk> Message-ID: <200309071338.h87DcCD01154@ns2.findmenet.com> Hello, all Where is the install scripts for DCC-Pyzor on the www. Best Regards, O. TUNC ERESEN NT & Security Consultant. Mobile: (44)07785 363 481 17 OAK ROAD, BRACKLEY, NORTHANTS, UK, NN13 6ER tunc@eresen.com www.eresen.com eresen@hotmail.com (MSN Messenger service) eutsl@yahoo.com (Yahoo Messenger service) The information contained in this email and any attachment is confidential. It is intended only for the named addressee's. If you are not the named addressee please notify the sender immediately and do not disclose, copy or distribute the contents to any other person other than the intended addressee's.. If you have received this transmission in error it would be helpful if you could notify tunc@eresen.com as soon as possible. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer Sent: Sunday, September 07, 2003 12:24 PM To: MAILSCANNER@JISCMAIL.AC.UK On Sun, 2003-09-07 at 07:31, Tunc Eresen(?`..,,.-> Cobalt M447785363481 wrote: >I had following errors. Should install these packages? 
>debug: DCC is not available: dccproc not found >debug: Pyzor is not available: pyzor not found You don't need to, SA will function without them (it's just telling you that they are not there so it isn't going to try and use them). However adding them both (and razor2 if you have not yet done so) will improve your spam detection. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... Name: OSMAN TUNC ERESEN (tunc@eresen.com).vcf Type: text/x-vcard Size: 697 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030907/6a7c4e1b/OSMANTUNCERESENtunceresen.com.vcf From brose at MED.WAYNE.EDU Sun Sep 7 01:47:54 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:19:51 2006 Subject: Sobig.F@mm.enc Message-ID: Hah I think I found something to work with. I use DCC milter and recently started using the greylisting function so I checked it's logs and one of the messages that made it thru Mailscanner. It's not the complete message but does contain the header makeup. 
-=B -----Original Message----- From: Remco Barendse [mailto:mailscanner@BARENDSE.TO] Sent: Saturday, September 06, 2003 7:41 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F@mm.enc Do you still have a df/qf pair of the virus mail? Would like to study it. Bouncing it will not be much use as most MUAs tend to fix certain stuff. On Sat, 6 Sep 2003, Rose, Bobby wrote: > MailScanner doesn't seem to be catching this. I thought Ms was > written to cehck for the mime enclosed in header stuff. Did this get > broken along the later versions. > > -=Bobby > -------------- next part -------------- VERSION: 3 DATE: 09/06/03 18:41:06 EDT IP: mail.straight-away.com ::ffff:12.96.54.33 HELO: straight-away.com env_From: <> mail_host= env_To: addr=tcrossle@exchange.med.wayne.edu dir=userdirs/relay/tcrossle@exchange.med.wayne.edu Date: Sat, 6 Sep 2003 19:58:15 -0400 Message-Id: <10309061958.AA74726420@straight-away.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii From: "Postmaster" Sender: To: Subject: Undeliverable Mail X-Mailer: Requested action not taken: virus detected Original message follows. Received: from TAIMUR-YRXU8L7C [68.41.139.205] by straight-away.com (SMTPD32-8.00) id A48B47900EA; Sat, 06 Sep 2003 19:58:03 -0400 From: To: Subject: Re: Wicked screensaver Date: Sat, 6 Sep 2003 18:43:01 --0400 X-MailScanner: Found to be clean Importance: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MSMail-Priority: Normal X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="_NextPart_000_000A06F8" Message-Id: <20030906195862.SM01312@TAIMUR-YRXU8L7C> This is a multipart message in MIME format --_NextPart_000_000A06F8 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Please see the attached file for details. 
--_NextPart_000_000A06F8 Content-Type: application/octet-stream; name="wicked_scr.scr" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="wicked_scr.scr" TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v [message truncated] ### end of message body ######################## X-DCC-MessageCare-Metrics: eeyore 1108; Body=1 Fuz1=1 Fuz2=1 checksum server IP: c662cec7 0d155b95 bce5bb9d ff58c603 env_From: d41d8cd9 8f00b204 e9800998 ecf8427e From: 342e96a8 d0fd1448 210eb78e be98cab9 substitute mail_host: 617d4dcd 2d889dc3 be693d50 abc8d8bc Message-ID: 8dd46981 5ced570e 505354e0 5d3b0130 Body: 10f0b989 22c6bfa4 15799515 a6b73d06 0 Fuz1: 35cfefec f12cc999 7914fa41 c0d8d574 0 Fuz2: 969aa337 96782573 213678b0 57166e33 0 recipient : 25705ccc 2d472d5b b9c76cbf de557a76 First Embargo rejection message: 451 4.7.1 mail h86Mf65a022618 from ::ffff:12.96.54.33 embargoed by DCC result: reject From vanhorn at whidbey.com Sun Sep 7 08:40:25 2003 From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Thu Jan 12 21:19:51 2006 Subject: Real Expectations.. References: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com> Message-ID: <3F5AE0E9.3F470715@whidbey.com> I don't know how it compares to a Sparc, but I'm running an AMD K6-2/500 with 384 MB of RAM, RedHat 8.0, Sendmail per RH RPM, MailScanner 4.23-11, f-prot, SpamAssassin 2.6. Every morning I send out the Quotes of the Day through this machine, which uses a Perl script to merge the address lists with the e-mails and dumps it off to Sendmail. The load average goes to 10 or thereabouts during the mail run, but it gets through 6,200 messages in less than two hours while handling any incoming mail. I suspect that I'm throttled by my 768K DSL, but the machine couldn't handle a lot more based on the LA. Van Errol Neal wrote: > Hi again.. > > My boss is giving me headaches about the performance of our MailScanners. 
> What kind of performance should one expect on Sun Solaris 500 mhz sparc
> with 512 ram and ide disks running 4.22-4?
> I think right now we are pumping out somewhere in the neighborhood of
> 300-500 messages per hour. I think that is reasonable for the hardware we
> have and these systems are dedicated Scanners.
> Can someone throw some hardware templates at me based upon their
> experiences and give me some numbers?
>
> Errol
>
> Errol Neal, Systems/Network Administrator
> eneal@enhtech.com
> Enhanced Technologies Inc.
> http://www.enhtech.com
> 703-924-0301 or 800-368-3249
> 703-924-0302 Fax

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD
For web hosting and maintenance, visit Van's home page:
http://www.domainvanhorn.com/van/
----------------------------------------------------------

From kevins at BMRB.CO.UK Sun Sep 7 12:34:30 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:51 2006
Subject: RBL
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A52@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A52@pascal.priv.bmrb.co.uk>
Message-ID: <1062934470.21422.110.camel@bach.kevinspicer.co.uk>

On Sun, 2003-09-07 at 11:05, David While wrote:
>My plan was that the IP address would have to be reported by more than
>one client before it got added.

You could perhaps also return different data (172.0.0.1, 172.0.0.2 etc.) depending on how many clients report it, or how many hits on it the reporting clients have - this would allow users of the RBL to make their own judgements about when a sender should be blacklisted. Over time a sender with no more reports could drop back down the scale, where the more conservative clients will then start to detect and report it again, pushing it back up. Actually that's just got really complicated!
Maybe for the future? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Sun Sep 7 12:23:35 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:51 2006 Subject: DCC-Pyzor In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A4A@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A4A@pascal.priv.bmrb.co.uk> Message-ID: <1062933815.21422.100.camel@bach.kevinspicer.co.uk> On Sun, 2003-09-07 at 07:31, Tunc Eresen(?`..,,.-> Cobalt M447785363481 wrote: >I had following errors. Should install these packages? >debug: DCC is not available: dccproc not found >debug: Pyzor is not available: pyzor not found You don't need to, SA will function without them (it's just telling you that they are not there so it isn't going to try and use them). However adding them both (and razor2 if you have not yet done so) will improve your spam detection. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Sun Sep 7 12:28:02 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:51 2006 Subject: Real Expectations.. In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A4D@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A4D@pascal.priv.bmrb.co.uk> Message-ID: <1062934083.21420.104.camel@bach.kevinspicer.co.uk> On Sun, 2003-09-07 at 09:24, Antony Stone wrote: >These Quote of the Day emails are going to be quite short (I hope!) in >comparison to the "average" email coming in or going out through a >normal >system, they won't have any attachments which need unpacking or virus >scanning, and the spam check is going to be pretty trivial too. Especially if you whitelist outgoing mail for spam checks, you could even whitelist the address that send these messages for virus checks too (by using a ruleset). Presumably you already address each copy of the email to a batch of recipients rather than firing a single message for each recipient (or are the messages personalised?) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
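The listing policy discussed in the RBL thread above (a sender must be reported by more than one client within a time period, the answer is graded by how many clients agree, and a sender drops back down when reports stop), as an added sketch that is not code from mailstats.pl or MailScanner. The class and field names, the window length, the per-client hit count, the level cap, the exempt list and the sample reports are assumptions; the 172.0.0.N answer form is the one given in the thread.

```python
"""Collaborative RBL listing policy (added illustration, not mailstats.pl code).

Assumed values: WINDOW, MIN_HITS, MAX_LEVEL, the Report fields and the sample
reports. Sender addresses are taken from documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

WINDOW = 24 * 3600   # assumed "certain time period", in seconds
MIN_CLIENTS = 2      # "reported by more than one client"
MIN_HITS = 2         # assumed reading of "has to send more than one": per client
MAX_LEVEL = 4        # assumed cap on the graded answer


@dataclass(frozen=True)
class Report:
    client: str      # reporting site
    sender_ip: str   # address that delivered mail marked as spam
    ts: int          # time of the report, in seconds


class CollaborativeRBL:
    def __init__(self, exempt=()):
        # ip -> client -> list of report times
        self._hits = defaultdict(lambda: defaultdict(list))
        # Networks that must never be listed (guards against false positives).
        self._exempt = [ipaddress.ip_network(n) for n in exempt]

    def report(self, r):
        """Record one report; returns False when the sender is exempt."""
        ip = ipaddress.ip_address(r.sender_ip)   # ValueError on malformed input
        if any(ip in net for net in self._exempt):
            return False
        self._hits[str(ip)][r.client].append(r.ts)
        return True

    def _qualifying_clients(self, sender_ip, now):
        cutoff = now - WINDOW
        clients = self._hits.get(sender_ip, {})
        return {c for c, stamps in clients.items()
                if sum(1 for t in stamps if cutoff < t <= now) >= MIN_HITS}

    def level(self, sender_ip, now):
        """0 = not listed; otherwise grows with the number of agreeing clients."""
        n = len(self._qualifying_clients(sender_ip, now))
        if n < MIN_CLIENTS:
            return 0          # one noisy or misconfigured site cannot list alone
        return min(MAX_LEVEL, n - MIN_CLIENTS + 1)

    def answer(self, sender_ip, now):
        """Graded answer in the 172.0.0.N form suggested in the thread."""
        lvl = self.level(sender_ip, now)
        return f"172.0.0.{lvl}" if lvl else None

    def prune(self, now):
        """Drop expired reports so senders decay off the list; returns IPs left."""
        cutoff = now - WINDOW
        for ip in list(self._hits):
            for client in list(self._hits[ip]):
                fresh = [t for t in self._hits[ip][client] if t > cutoff]
                if fresh:
                    self._hits[ip][client] = fresh
                else:
                    del self._hits[ip][client]
            if not self._hits[ip]:
                del self._hits[ip]
        return len(self._hits)


def demo():
    """Constructed reports: one single-client sender, one widely reported one."""
    rbl = CollaborativeRBL(exempt=["192.0.2.0/28"])
    for r in [
        Report("site-a", "198.51.100.7", 100),
        Report("site-a", "198.51.100.7", 200),
        Report("site-a", "198.51.100.7", 300),
        Report("site-a", "203.0.113.9", 100),
        Report("site-a", "203.0.113.9", 900),
        Report("site-b", "203.0.113.9", 40000),
        Report("site-b", "203.0.113.9", 41000),
        Report("site-c", "203.0.113.9", 50000),
        Report("site-c", "203.0.113.9", 51000),
        Report("site-b", "192.0.2.5", 10),       # falls in the exempt network
    ]:
        rbl.report(r)
    return rbl


if __name__ == "__main__":
    rbl = demo()
    for now in (60000, 90000, 130000):
        print(now, rbl.answer("198.51.100.7", now), rbl.answer("203.0.113.9", now))
```

The single-client sender is never listed however often that one site reports it, which limits the effect of one site's unusual filter settings on everyone else's answers.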
From Antony at SOFT-SOLUTIONS.CO.UK Sun Sep 7 16:16:01 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:51 2006
Subject: Sobig.F@mm.enc
In-Reply-To:
References:
Message-ID: <200309071516.h87FG8514090@onyx.rockstone.co.uk>

On Sunday 07 September 2003 3:34 pm, Rose, Bobby wrote:
> I'm the same way. Sobig is being caught for the most part but you have
> different versions going on here. You have mm and mm.enc. Enc is where
> it's encoded into the mime header.

Please can somebody explain to me what this means? Are you saying that a virus can be encoded in a MIME header, rather than (as is usual) in a MIME body to which the header refers?

I don't know much about MIME encoding formats, but on the basis that the Sobig virus files I've seen are generally around 70kbytes in size, this suggests something very strange about what can be fitted into a MIME header...?

Antony.

--
Wanted: telepath. You know where to apply.

From kevins at BMRB.CO.UK Sun Sep 7 16:31:57 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:51 2006
Subject: DCC-Pyzor
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A5B@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A5B@pascal.priv.bmrb.co.uk>
Message-ID: <1062948718.21422.126.camel@bach.kevinspicer.co.uk>

On Sun, 2003-09-07 at 14:38, Tunc Eresen(?`..,,.-> Cobalt M447785363481 wrote:
>Hello, all
>Where is the install scripts for DCC-Pyzor on the www.

Look for DCC and Pyzor on this page...

http://au2.spamassassin.org/full/2.5x/dist/INSTALL

It gives the URLs for downloading and instructions for installing. (Note these may be slightly different from the instructions on the DCC & Pyzor sites as they don't bother with the components that SpamAssassin doesn't use.)
BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From vanhorn at whidbey.com Sun Sep 7 08:28:17 2003
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:19:51 2006
Subject: Sobig.F@mm.enc
References:
Message-ID: <3F5ADE11.A2B2A24B@whidbey.com>

I'm running 4.23-11, and most SoBig messages are getting caught not only by both virus scanners (f-prot and ClamAV) but also based on file name by MailScanner itself, since .pif files shouldn't be allowed to start with. It's not a problem with recent versions, how recent is your setup?

Van

"Rose, Bobby" wrote:
> MailScanner doesn't seem to be catching this. I thought Ms was written
> to check for the mime enclosed in header stuff. Did this get broken
> along the later versions.
>
> -=Bobby

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD
For web hosting and maintenance, visit Van's home page:
http://www.domainvanhorn.com/van/
----------------------------------------------------------

From mailscanner at BARENDSE.TO Sun Sep 7 11:37:32 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:19:51 2006
Subject: RBL
In-Reply-To: <107DE25EC0216C45AEF670016024245F644183@exchangea.staff.uce.ac.uk>
Message-ID:

Isn't that what DCC is doing, more or less?
On Sun, 7 Sep 2003, David While wrote:
> My plan was that the IP address would have to be reported by more than one client before it got added.
>
> David While
>
> -----Original Message-----
> From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
> Sent: Sun 07/09/2003 11:01
> To: MAILSCANNER@JISCMAIL.AC.UK
> Cc:
> Subject: Re: RBL
>
>
>
> Hi!
>
> > my mailstats program analyses the log file produced by MailScanner. If
> > an email is marked as spam by MailScanner (however it is configured) is
> > added to the list using an algorithm. The sender has to send more than
> > one in a certain time period before it gets added.
>
> k.
>
> > Currently my set up only uses SpamAssassin to mark mails as spam so it
> > is not relying on other RBLs (except in that SpamAssassin uses them but
> > if it didn't it would still work). The most common SpamAssassin trap is
> > the Bayes system at the moment.
>
> What about false positives? They automatically also get added. Not saying
> it's bad, but just a thought. What would be nice is an interface for the
> RBL where you could see the 'spam', headers/text and approve it to going
> on the list.
>
> If we have a couple of people watching over the output that should be
> do-able and more reliable...
>
> Else it's depending on everyone's site settings what's in the RBL. If I
> decide to filter all English messages, since we only want to get Dutch
> mail, that would be nasty :)
>
> Bye,
> Raymond.
>
>
>

From mailscanner at ecs.soton.ac.uk Sun Sep 7 19:51:52 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:51 2006
Subject: Sobig.F@mm.enc
In-Reply-To:
Message-ID: <5.2.1.1.2.20030907194554.031c5e88@imap.ecs.soton.ac.uk>

I can explain what is happening with all of these cases. A dumb MTA is rejecting the message, and including the entire content text of the rejected message in the rejection notice, rather than just the headers or the first few lines (which is what sensible ones do).
As the MIME structure of the rejected message is completely broken by it being included very simply in the rejection notice, your email app can't actually decode the attachment anyway. So it's actually quite safe. But some AV products generate a false alarm on it, Norton in particular.

At 01:17 07/09/2003, you wrote:
>Now I don't know if it's the virus or the AV software that someone is
>using but the message is from a postmaster@xxx.xxx.xx and is a rejection
>message saying that the message you sent was infected. So it's either a
>virus generated message or a real bounce message where the original
>message was sent back with the virus. I don't know if there are AV
>products out there that send the whole original message back if reject
>which sounds kind of dumb.
>
>-----Original Message-----
>From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
>Sent: Saturday, September 06, 2003 7:17 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Sobig.F@mm.enc
>
>
>On Sun, 2003-09-07 at 00:03, Rose, Bobby wrote:
> > >MailScanner doesn't seem to be catching this. I thought Ms was written
> > >to check for the mime enclosed in header stuff. Did this get broken
> >along the later versions.
>
>This looks like it might be the same issue as yesterday's thread 'Missed
>Virus?'. Could you give a few more details, like MailScanner version,
>scanner name, format of the message that got through (was it an MTA
>bounce message with a .txt attachment containing the original mail with
>a virus?). Source of the mail would be good if you have it (but please
>snip out the encoded virus data from between the MIME section headers!!)
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From SJCJonker at SJC.NL Sun Sep 7 14:24:16 2003 From: SJCJonker at SJC.NL (Stijn Jonker) Date: Thu Jan 12 21:19:51 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <3F5B1399.3070901@SJC.nl> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> <3F5B1399.3070901@SJC.nl> Message-ID: <3F5B3180.7070808@SJC.nl> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 155 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030907/2969deef/attachment.bin From David.While at UCE.AC.UK Sun Sep 7 10:16:44 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:19:51 2006 Subject: RBL Message-ID: <107DE25EC0216C45AEF670016024245F644181@exchangea.staff.uce.ac.uk> I now have an RBL running which is dynamically updated using the output from my mailstats.pl program. It is my intention to add this feature to mailstats.pl so that the RBL can be updated using the collective power of MailScanner users. At the moment it is being tested and seems to be working OK. If you are interested to know more please email me off list. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030907/8a26f619/attachment.html

From Antony at SOFT-SOLUTIONS.CO.UK Sun Sep 7 02:29:06 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:51 2006
Subject: Sobig.F@mm.enc
In-Reply-To:
References:
Message-ID: <200309070129.h871TC511397@onyx.rockstone.co.uk>

On Sunday 07 September 2003 1:17 am, Rose, Bobby wrote:
> I thought that MS had been written in the early 4.xx version to block
> anything encoded in the headers

I'm not sure what you mean by this - "block anything encoded in the headers"?

> so I'm thinking that maybe it's been broken due to
> all the new content checking options that's been added.
>
> Now I don't know if it's the virus or the AV software that someone is
> using but the message is from a postmaster@xxx.xxx.xx and is a rejection
> message saying that the message you sent was infected. So it's either a
> virus generated message or a real bounce message where the original
> message was sent back with the virus. I don't know if there are AV
> products out there that send the whole original message back if reject
> which sounds kind of dumb.

You're right - there are some very dumb mail systems out there - no need to blame the AV products - they just say "this is a virus" - it's the mail system which decides what to do with the email the virus was found in.

Sensible ones check if the virus was of the type that forges sender addresses and keep quiet if it is.

Slightly stupid ones bounce messages back saying "you just sent us a virus" to people who didn't.

Really dumb and dangerous ones bounce messages back saying "you just sent us a virus and here it is back again" to people who didn't send it in the first place (but at least they've got it now...)

Antony.

--
Software development can be quick, high-quality, or low-cost. The customer gets to pick any two out of three.
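The failure mode explained in this thread is a bounce declared as text/plain that carries the whole rejected message, so the base64 attachment inside it is never decoded before scanning. The following is an added detection sketch (not MailScanner's code) that re-parses the pasted message and, going slightly beyond the thread, also decodes bare base64 runs that have lost their MIME headers. The function names, the blocked-extension list and both sample messages are assumptions; the samples are constructed and their payload is only an "MZ" marker followed by filler bytes.

```python
"""Find attachments hidden in a text/plain bounce (added illustration).

Assumptions: BLOCKED_EXT, the function names and both sample messages, which
are constructed. The sample payload is an "MZ" marker followed by filler bytes.
"""
import base64
import email
import re
from email import policy

BLOCKED_EXT = (".scr", ".pif", ".exe", ".com", ".bat")   # assumed site policy
_HDR = re.compile(r"^[!-9;-~]+:")                  # header field name + colon
_MULTIPART = re.compile(r"^Content-Type:\s*multipart/", re.I)
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]{40,}$")    # a full line of base64 text


def _embedded_message(text):
    """Re-parse the first message whose headers were pasted into plain text."""
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if not _MULTIPART.match(line):
            continue
        start = idx
        # Walk back over header and continuation lines to the block's first header.
        while start > 0 and (_HDR.match(lines[start - 1])
                             or lines[start - 1][:1] in (" ", "\t")):
            start -= 1
        while start < idx and lines[start][:1] in (" ", "\t"):
            start += 1
        return email.message_from_string("\n".join(lines[start:]),
                                         policy=policy.default)
    return None


def _bare_base64_runs(text, min_lines=2):
    """Decode runs of base64 lines that have lost all MIME framing."""
    run = []
    for line in text.splitlines() + [""]:
        if _B64_LINE.match(line.strip()):
            run.append(line.strip())
            continue
        if len(run) >= min_lines:
            joined = "".join(run)
            yield base64.b64decode(joined[:len(joined) - len(joined) % 4])
        run = []


def scan_text_part(text):
    """Return one finding per attachment recovered from a plain-text body."""
    findings = []
    inner = _embedded_message(text)
    if inner is not None:
        for part in inner.walk():
            name = part.get_filename()
            if name:
                data = part.get_payload(decode=True) or b""
                findings.append({"filename": name,
                                 "blocked_name": name.lower().endswith(BLOCKED_EXT),
                                 "pe_header": data[:2] == b"MZ"})
    else:
        for data in _bare_base64_runs(text):
            findings.append({"filename": None, "blocked_name": False,
                             "pe_header": data[:2] == b"MZ"})
    return findings


def scan_message(raw):
    """Scan every text/plain part of a message for a pasted, encoded attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            findings.extend(scan_text_part(part.get_content()))
    return findings


# Constructed samples: a harmless "MZ" marker plus filler, base64-encoded.
PAYLOAD = base64.encodebytes(b"MZ" + bytes(range(64)) * 2).decode("ascii")
SAMPLE_BOUNCE = (
    "Subject: Undeliverable Mail\nContent-Type: text/plain; charset=us-ascii\n\n"
    "Requested action not taken: virus detected\nOriginal message follows.\n"
    "Received: from host.example by mail.example; Sat, 06 Sep 2003 19:58:03 -0400\n"
    "Subject: Re: Wicked screensaver\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nPlease see the attached file for details.\n"
    '--b1\nContent-Type: application/octet-stream; name="sample.scr"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="sample.scr"\n\n'
    + PAYLOAD + "--b1--\n"
)
SAMPLE_BARE = ("Subject: Undeliverable Mail\nContent-Type: text/plain\n\n"
               "Your message was rejected. Original content:\n" + PAYLOAD)

if __name__ == "__main__":
    print(scan_message(SAMPLE_BOUNCE))
    print(scan_message(SAMPLE_BARE))
```

A finding with `blocked_name` or `pe_header` set is a reason to apply the same filename and content rules to the bounce that would have applied to the original message.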
From kevins at BMRB.CO.UK Sun Sep 7 20:15:37 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:51 2006
Subject: bayes and mailscanner 4.23-11
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A60@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A60@pascal.priv.bmrb.co.uk>
Message-ID: <1062962138.32514.128.camel@bach.kevinspicer.co.uk>

On Sun, 2003-09-07 at 19:19, Lance Ware wrote:

>Hi Folks,
>Do I need to adjust these based on the %org-name% entry?
>bayes_ignore_header X-MailScanner
>bayes_ignore_header X-MailScanner-SpamCheck
>bayes_ignore_header X-MailScanner-SpamScore
>bayes_ignore_header X-MailScanner-Information

Yes

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From tomaz.borstnar at OVER.NET Sun Sep 7 20:44:39 2003
From: tomaz.borstnar at OVER.NET (Tomaz Borstnar)
Date: Thu Jan 12 21:19:51 2006
Subject: ANNOUNCE: mailstats V0.21
In-Reply-To: <221C759285B78647AEE6181FD6AF36A7078B91DB@bambi.grand-rapids.mi.us>
References: <221C759285B78647AEE6181FD6AF36A7078B91DB@bambi.grand-rapids.mi.us>
Message-ID: <6.0.0.22.0.20030907214359.02f649a0@127.0.0.1>

At 20:03 2.9.2003, you wrote:

>What can I do to assist in getting mcafee AV support in mailstats?

also does it support specifying two AV engines?

Tomaz

From mailscanner at ecs.soton.ac.uk Mon Sep 8 04:41:39 2003
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:19:51 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200309080341.h883fdkE002940@seer.ecs.soton.ac.uk>

New Guestbook-Entry from cheapku clam + mailscanner is great.

I appreciate your whole team!

From martinh at SOLID-STATE-LOGIC.COM Mon Sep 8 09:06:11 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:19:51 2006
Subject: list broke
Message-ID: <3F5C3873.2080605@solid-state-logic.com>

hmm

very quiet over the weekend, I wonder I'm unsubscribed or something..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
+44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

From martinh at SOLID-STATE-LOGIC.COM Mon Sep 8 09:19:38 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:19:51 2006
Subject: list broke (OT)
In-Reply-To: <3F5C3873.2080605@solid-state-logic.com>
References: <3F5C3873.2080605@solid-state-logic.com>
Message-ID: <3F5C3B9A.1000900@solid-state-logic.com>

OK

sorry guys - mozilla having a monday morning snarfle..

(goes off and gets coat :-)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
+44 (0)1865 842300

Martin Hepworth wrote:

> hmm
>
> very quiet over the weekend, I wonder I'm unsubscribed or something..
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic Ltd
> +44 (0)1865 842300
>
> **********************************************************************
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote also confirms that this email message has been swept by
> MIMEsweeper for the presence of computer viruses.
>
> www.mimesweeper.com
> **********************************************************************

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

From philip.steeman at KHBO.BE Mon Sep 8 10:34:24 2003
From: philip.steeman at KHBO.BE (Philip Steeman)
Date: Thu Jan 12 21:19:51 2006
Subject: readqf error in mqueue.in
Message-ID: <3F5C4D20.7080003@khbo.be>

Hello,

I keep getting this error message when I look at my mqueue.in (a few errors a day, but they stay in the queue)

> h87GbqSt004010readqf: cannot open ./dfh87GbqSt004010: No such file or directory
> -1 Sun Sep 7 18:37 <>
> (Deferred: Connection timed out with mail2.artmarket.com.)
> info@artlist.com

When I look a little