From anders.andersson at LTKALMAR.SE Mon Sep 1 00:10:03 2003
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:40 2006
Subject: SV: Quote
Message-ID:

> -----Original message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 31 August 2003 12:22
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Quote
>
>
> At 19:11 30/08/2003, you wrote:
> >He be the author of Postfix
>
> And I don't think he likes me very much ;)

Hmm, sounds like you should put your brains together and figure out
something both accept, or maybe that's been tried already.
I found this on the list and am just curious what they mean...
Maybe you could make a reader's digest for a stupid Swede, just for
education :)

#########
http://archives.neohapsis.com/archives/postfix/2003-08/0595.html

We use mailscanner w/ the hold queue. We have a header check:

/^Received:/ HOLD

And then setup mailscanner to pick messages up from hold and move|link
them to incoming.

Before this setup, we had postfix delivering messages to mailscanner from
a pipe transport and then reinjecting w/ sendmail.

I can share how we did either if anyone is interested. We have shared
both of these setups w/ the mailscanner developer a couple of times but
he has not yet shown much interest.

lindsay
##########

> >
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> >Behalf Of Michele Neylon:: Blacknight Solutions
> >Sent: Saturday, August 30, 2003 12:40 PM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: Quote
> >
> >
> >Excuse my ignorance, but who is Wietse Venema? And more importantly,
> >why does this person's opinion matter?
> >
> >Mr. Michele Neylon
> >Blacknight Solutions
> >http://www.blacknightsolutions.ie/
> >Possibly the cheapest ie's in Ireland
> >Tel. +353 (0)59 9139897
> >Fax. +353 (0)59 9139897
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]
> > > On Behalf Of Forrest Aldrich
> > > Sent: 30 August 2003 18:32
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Quote
> > >
> > > This is what Wietse Venema says about MailScanner:
> > >
> > > >>>>
> > > MailScanner is unsafe. It bypasses the correct interfaces to access
> > > queue files. I would not trust it with Postfix or with any other
> > > MTA. <<<<
> > >
> > > Forrest
> > >
> >#########################################################
> >This message (and any attachment) is intended only for the recipient
> >and may contain confidential and/or privileged material. If you have
> >received this in error, please contact the sender and delete this
> >message immediately. Disclosure, copying or other action taken in
> >respect of this email or in reliance to it is prohibited.
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>

From dbird at SGHMS.AC.UK Mon Sep 1 01:18:00 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:19:40 2006
Subject: Trend Autoupdate broken in 4.23-10
Message-ID: <3F529038.90001@sghms.ac.uk>

Dear all,
The trend autoupdate in 4.23-10 is broken. Attached is a fixed version.

Dan

--
____________________________________

Daniel Bird
Network & Systems Manager
St. George's Hospital Medical School
Tooting
London SW17 0RE

P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan@sghms.ac.uk
____________________________________

Hex dump: Where witches put used curses...
"#define QUESTION ((bb) || !(bb)) - Shakespeare."
-------------- next part --------------
#!/bin/sh
# Trend Autoupdate Script.
# V0.1 Dan Bird. dbird@sghms.ac.uk
# 12/08/2003

# Work in a private scratch directory created by mktemp. The script runs
# as root, so predictable file names in /tmp would be open to symlink races.
WORKDIR=`mktemp -d /tmp/trend-autoupdate.XXXXXX` || exit 1
OPRINI=$WORKDIR/opr.ini

# source of IScan dat files
FTPSERV="ftp://ftp.antivirus.com/products/pattern/"

# Get the info on new version...
echo "Checking for latest DAT version..."
wget -q -O "$OPRINI" "${FTPSERV}opr.ini"
NEWVER=`grep PatternVersion "$OPRINI" | sed 's/^PatternVersion=//g' | cut -c 1-3`

# Give up if the download failed or the version is not a plain number;
# an empty NEWVER would break the comparison and the cleanup glob below.
case "$NEWVER" in
  "" | *[!0-9]*)
    echo "Could not read the latest DAT version"
    rm -rf "$WORKDIR"
    exit 1
    ;;
esac

# What's our current version?
CURRENTVER=`ls /etc/iscan/* | grep lpt | tail -1 | cut -d. -f 2`
if [ "$CURRENTVER" = "" ]
then
  CURRENTVER=0
fi
echo "Current version is : $CURRENTVER"

fail () {
  trap - EXIT
  echo "Test run failed -- removing bad Trend data files"
  echo "$OUT"
  rm -rf /etc/iscan/lpt*$NEWVER*
  rm -rf "$WORKDIR"
  exit 1
}

# If our current one is older, download the new one!!!
if [ "$CURRENTVER" -lt "$NEWVER" ]
then
  echo "Getting new DAT version : $NEWVER"
  wget -q -P "$WORKDIR" "${FTPSERV}lpt$NEWVER.zip"
  printf "Testing file for corruption...."
  DATCHECK=`unzip -o -t "$WORKDIR/lpt$NEWVER.zip" | grep "No errors"`
  if [ "$DATCHECK" != "" ]
  then
    echo "OK"
    mv "$WORKDIR/lpt$NEWVER.zip" /etc/iscan
    printf "installing...."
    cd /etc/iscan
    unzip -q -o lpt$NEWVER.zip
    echo "DONE"
  else
    echo "BAD ARCHIVE"
  fi

  trap fail EXIT
  # The redirection has to be part of the command substitution itself;
  # stored in a variable, "2>&1" would be passed to vscan as an argument.
  OUT=`/opt/trend/ISBASE/IScan.BASE/vscan -v 2>&1`
  case "$OUT" in
    *"read pattern failed"* | \
    *"invalid pattern file"* | \
    *"pattern file not found"* | \
    *"incorrect pattern format"* | \
    *"read error"* | \
    *"out of memory"* ) fail ;;
  esac
  trap - EXIT
else
  echo "DAT files are up to date"
fi

# Remove the scratch directory and the installed archive
rm -rf "$WORKDIR"
rm -f /etc/iscan/*.zip

From raymond at PROLOCATION.NET Mon Sep 1 01:47:46 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:40 2006
Subject: ANNOUNCE: Stable 4.23-10 released
In-Reply-To: <5.2.1.1.2.20030831114301.03769108@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> I have just released a new "stable" version of MailScanner. There are many
> improvements and some fixes this time, rather more than I can easily list
> for you here, so please see the ChangeLog which is at the bottom of this
> message.

Seems to run just fine! Just upgraded.

I noticed in the spam.lists.conf that the two BAD ones are still listed:

osirusoft / SPEWS

Could you take those out in an upcoming package? =)

I don't think it's wise to put them inside the standard configs anymore.

And perhaps put in also NJABL, I am getting very good results with that
one also...

NJABL dnsbl.njabl.org

Bye,
Raymond.

From gerry at DORFAM.CA Mon Sep 1 02:36:24 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:19:40 2006
Subject: ClamAV missing Sobig.F
Message-ID:

I've noticed that ClamAV seems to be missing Sobig.F (or a variant).
F-Prot and Trend are picking them up but ClamAV is letting them right
through.

I've even tried scanning the quarantine directory with each of the three
scanners. ClamAV can't find the virus but the other two do.

And before you ask...yes, I have the latest ClamAV data files. I even did
a freshclam to be sure.

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From oliver at LINUX-KERNEL.AT Mon Sep 1 03:25:55 2003
From: oliver at LINUX-KERNEL.AT (Oliver Pitzeier)
Date: Thu Jan 12 21:19:40 2006
Subject: ANNOUNCE: Stable 4.23-10 released
Message-ID: <200309010222.h812Mtxg025149@indianer.linux-kernel.at>

Hi Julian! Hi folks!

> I have just released a new "stable" version of MailScanner.
> There are many improvements and some fixes this time, rather
> more than I can easily list for you here, so please see the
> ChangeLog which is at the bottom of this message.

Works fine for me... Even with my SQL-black-/whitelists everything is
still fine - as expected!!!

Thanks!

Best regards,
 Oliver

From ashley at IMS.TELSTRA.COM.AU Mon Sep 1 04:54:36 2003
From: ashley at IMS.TELSTRA.COM.AU (ash)
Date: Thu Jan 12 21:19:40 2006
Subject: Tagging the subject line of e-mail
Message-ID:

Did this ever get resolved? I just upgraded from 4.21-9 to 4.23-10 and no
longer get any of the subject line modification notices that use the
curly brackets, other than if I set "Scanned Modify Subject". For
example, any violation, be it a virus or a bad file name/type, receives
the subject line "Warning: E-mail viruses detected". I haven't had a spam
message yet to see if that notification has also stopped working.

From my conf file:

Virus Modify Subject = yes
Virus Subject Text = {Virus?}
Filename Modify Subject = yes
Filename Subject Text = {Filename?}
Content Modify Subject = yes
Content Subject Text = {Dangerous Content?}
Spam Modify Subject = yes
Spam Subject Text = {Spam?}
High Scoring Spam Modify Subject = yes
High Scoring Spam Subject Text = {Spam?}

running perl 5.6.0

regards
ash

On Wed, 20 Aug 2003 07:41:27 -0400, Collins, Kevin wrote:

>Mike,
>
>Thanks for responding.
>
>I'm planning on adding SpamAssassin later in the project. Is it required to
>make the system function as I want? I didn't get that from the
>documentation. The way I read the docs, SpamAssassin just improves
>MailScanner's abilities.
>
>Kevin
>
>> -----Original Message-----
>> From: Mike Kercher [mailto:mike@CAMAROSS.NET]
>> Sent: Tuesday, August 19, 2003 1:59 PM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: Tagging the subject line of e-mail
>>
>>
>> Are you using SpamAssassin? If not, I'd HIGHLY recommend it! You can
>> also set Log Spam = yes and watch your maillog after restarting
>> MailScanner.
>>
>> Mike
>>
>>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]
>> On Behalf Of Collins, Kevin
>> Sent: Tuesday, August 19, 2003 12:31 PM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Tagging the subject line of e-mail
>>
>>
>> Hi!
>>
>> I've just completed installing MS v4.22-5 onto a Red Hat 8 machine to
>> act as my company's "SPAM Filter". First, I want to say THANKS for
>> creating such a project and for making it available to the masses for
>> free.
>>
>> A little background:
>>
>> MailScanner machine:
>> Red Hat 8.0 (fully up2dated)
>> Sendmail 8.12.8
>> Perl 5.8.0
>> ClamAV 0.60 (compiled from source)
>> Sendmail set to relay everything to internal Exchange Server
>>
>> Everything seems to be working fine - I've even let a few e-mails pass
>> through the machine for testing. Which is why I'm writing; I now have
>> a question.
>>
>> First, of the 20 some odd messages that have passed through
>> MailScanner, it has tagged 3 as SPAM and one of them as having a Virus
>> (actually it was an HTML Form in the message). The "Virus" message
>> behaved as expected - the e-mail was deleted and not passed on and I
>> got a notification of the deletion. But the remaining messages aren't
>> working as I expected them to (I think).
>>
>> I've configured MailScanner to modify the subject line of every e-mail
>> it touches to include {Scanned} at the beginning. (This is to let me -
>> and everyone else - know that MS is working) In addition I want all
>> SPAM messages flagged with {Spam} as the beginning of the subject line
>> and {Virus} for those that were found to have Viruses.
>>
>> To this point, all of the e-mail coming in (save the "Virus" message
>> mentioned above) have only had the word {Scanned} pre-pended to the
>> Subject Line. I've not seen the {Spam} label anywhere. Here are the
>> (I think) appropriate sections of the MailScanner.conf:
>>
>> ----
>> Scanned Modify Subject = start
>> Scanned Subject Text = {Scanned}
>> Virus Modify Subject = yes
>> Virus Subject Text = {Virus}
>> Filename Modify Subject = yes
>> Filename Subject Text = {Filename}
>> Spam Modify Subject = yes
>> Spam Subject Text = {Spam}
>> High Scoring Spam Modify Subject = yes
>> High Scoring Spam Subject Text = {Spam}
>> ----
>> Spam Checks = yes
>> Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)
>> Spam Domain List =
>> Spam Lists To Reach High Score = 5
>> Spam List Timeout = 10
>> Max Spam List Timeouts = 7
>> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
>> Is Definitely Spam = no
>> ----
>>
>> From this, is my description of how MailScanner should work valid?
>> Have I forgotten to do something? What do I need to change/add/delete
>> to make it work as I describe?
>>
>> Thanks in advance.
>>
>> --
>> Kevin L. Collins, MCSE
>> Systems Manager
>> Nesbitt Engineering, Inc.
>>

From dh at UPTIME.AT Mon Sep 1 08:05:06 2003
From: dh at UPTIME.AT (David)
Date: Thu Jan 12 21:19:40 2006
Subject: Umlaut in languages.conf for German.
Message-ID: <9DC71316-DC4A-11D7-AA50-00039379E28A@uptime.at>

Hello all.
As I am not a total expert for Mail, I was wondering whether the Mail
Header is encoded in a special Charset as well?
When I send Mail through our gateway and do not correct languages.conf to
not contain Umlauts, the Message Header shows up mangled in my MUA (it's
Mail.app set to utf-8).
Umlauts in the Body are displayed just fine.
When I alter the Umlauts to their alternative spelling (as in ä=ae, ö=oe,
ü=ue) everything shows up fine.

-d

--
nee amata wo mitsukete
soshite midoto wasrezu
domma mi mumega itakutemo
soba mi iru mo
zutto...zutto...zutto
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030901/c99f2634/attachment.bin

From pndiku at DSMAGIC.COM Mon Sep 1 08:37:06 2003
From: pndiku at DSMAGIC.COM (Peter C. Ndikuwera)
Date: Thu Jan 12 21:19:40 2006
Subject: Mailwatch 0.2 sql prob
In-Reply-To:
References:
Message-ID: <1062401826.16023.43.camel@mufasa.ds.co.ug>

Hi Chris.

Try this CustomConfig.pm. I got it by combining Mailwatch's version with
the default Mailscanner one. It's more efficient than my last hack in
that it only connects to the dB once per batch of messages rather than
once per message. It uses a temporary file, so doesn't have the default
mailwatch problem of losing the dB connection.

If you (and anyone else using mailwatch) like it I'll send a diff to the
mailwatch maintainer.

Peter

On Fri, 2003-08-29 at 15:22, Chris Campbell wrote:
> Hey Peter....
> Would you mind dumping your table schema for me? I think I messed stuff
> up... Your "hack" seems to work a little..... but
>
> Aug 29 08:21:32 nycexmx1 MailScanner[6895]: Cannot insert row: called with
> 20 bind variables when 2 are needed
>
>
> .....................................
> Christopher S. Campbell
> UNIX Admin
> First Albany Corp
> 518.447.8544
> chris.campbell@fac.com
>
>
> "Peter C. Ndikuwera"
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mailwatch 0.2 sql prob
> Sent by: MailScanner mailing list
>
> 08/29/03 03:16 AM
> Please respond to MailScanner mailing list
>
>
> Hi Daniel,
>
> I have a fix which is really a hack. I'm sure it's the wrong way to do
> it but it works for me. I've attached the relevant part of my
> CustomConfig.pm.
>
> Peter
> On Wed, 2003-08-27 at 17:14, Daniel Bird wrote:
> > Hi,
> > I noticed in the archives the same problem I'm having, but no solution:
> > I keep seeing this in the maillog:
> >
> > Cannot insert row: MySQL server has gone away
> >
> > I was wondering if anyone has had this problem and managed to find a fix?
> >
> > Regards
> > --
> > ____________________________________
> >
> > Daniel Bird
> > Network & Systems Manager
> > St. George's Hospital Medical School
> > Tooting
> > London SW17 0RE
> >
> > P: +44 20 8725 2897
> > F: +44 20 8725 3583
> > E: dan@sghms.ac.uk
> > ____________________________________
> >
> > Hex dump: Where witches put used curses...
> > "#define QUESTION ((bb) || !(bb)) - Shakespeare."
> (See attached file: SQLLogging.pm)
>
-------------- next part --------------
#
# MailScanner - SMTP E-Mail Virus Scanner
# Copyright (C) 2002 Julian Field
#
# $Id: CustomConfig.pm,v 1.3.2.10 2003/08/11 20:35:40 jkf Exp $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# The author, Julian Field, can be contacted by email at
# Jules@JulianField.net
# or by paper mail at
# Julian Field
# Dept of Electronics & Computer Science
# University of Southampton
# Southampton
# SO17 1BJ
# United Kingdom
#

package MailScanner::CustomConfig;

use strict 'vars';
use strict 'refs';
no strict 'subs'; # Allow bare words for parameter %'s

use vars qw($VERSION);

### The package version, both in 1.23 style *and* usable by MakeMaker:
$VERSION = substr q$Revision: 1.3.2.10 $, 10;

#
# These are the custom functions that you can write to produce a value
# for any configuration keyword that you want to do clever things such
# as retrieve values from a database.
#
# Your function may be passed a "message" object, and must return
# a legal value for the configuration parameter. No checking will be
# done on the result, for extra speed. If you want to find out what
# there is in a "message" object, look at Message.pm as they are all
# listed there.
#
# You must handle the case when no "message" object is passed to your
# function. In this case it should return a sensible default value.
#
# Return value: You must return the internal form of the result values.
#               For example, if you are producing a yes or no value,
#               you return 1 or 0. To find all the internal values
#               look in ConfigDefs.pl.
#
# For each function "FooValue" that you write, there needs to be a
# function "InitFooValue" which will be called when the configuration
# file is read. In the InitFooValue function, you will need to set up
# any global state such as create database connections, read more
# configuration files and so on.
#

##
## This is a trivial example function to get you started.
## You could use it in the main MailScanner configuration file like
## this:
##      VirusScanning = &ScanningValue
##
#sub InitScanningValue {
#  # No initialisation needs doing here at all.
#  MailScanner::Log::InfoLog("Initialising ScanningValue");
#}
#
#sub EndScanningValue {
#  # No shutdown code needed here at all.
#  # This function could log total stats, close databases, etc.
#  MailScanner::Log::InfoLog("Ending ScanningValue");
#}
#
## This will return 1 for all messages except those generated by this
## computer.
#sub ScanningValue {
#  my($message) = @_;
#
#  return 1 unless $message; # Default if no message passed in
#
#  return 0 if $message->{subject} =~ /jules/i;
#  return 1;
#
#  #my($IPAddress);
#  #$IPAddress = $message->{clientip};
#  #return 0 if $IPAddress eq '127.0.0.1';
#  #return 1;
#}

#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************

#
# This set of functions provides per-domain simple spam whitelists and
# blacklists. Each of the 2 directories set below contains 1 file for
# each domain, with the domain name being the filename. The file contains
# a list of entries, 1 per line, each one either being a full address:
#      user@domain.com
# or an entire domain:
#      domain.com
# The addresses contained in the file for a domain make up the entire
# spam whitelist or blacklist for that domain.
#
# For example, say you had /etc/MailScanner/spam.bydomain/whitelist/jules.fm
# which included the lines
#      soton.ac.uk
#      ecs.soton.ac.uk
#      jules@julianfield.net
#      123.234.45.56
# Then all mail from anything@soton.ac.uk, anything@ecs.soton.ac.uk or
# jules@julianfield.net would be whitelisted if it was heading to any
# address @jules.fm. Also all mail from IP address 123.234.45.56 would be
# whitelisted if it was heading to any address @jules.fm.
# The same thing works for the blacklist directory.
#
# Overall white and blacklists should be put in a file in each directory
# called 'default'.
#
# To enable these functions, set the following in your MailScanner.conf file:
#      Is Definitely Not Spam = &ByDomainSpamWhitelist
#      Is Definitely Spam     = &ByDomainSpamBlacklist
#

# Set these to be the location of your whitelist files and blacklist files
my $WhitelistDir = '/etc/MailScanner/spam.bydomain/whitelist';
my $BlacklistDir = '/etc/MailScanner/spam.bydomain/blacklist';

use DirHandle;
use FileHandle;

my(%Whitelist, %Blacklist);

#
# Initialise by-domain spam whitelist and blacklist
#
sub InitByDomainSpamWhitelist {
  MailScanner::Log::InfoLog("Starting up by-domain spam whitelist, " .
                            "reading from %s", $WhitelistDir);
  my $domains = CreateByDomainList($WhitelistDir, \%Whitelist);
  MailScanner::Log::InfoLog("Read whitelist for %d domains", $domains);
}

sub InitByDomainSpamBlacklist {
  MailScanner::Log::InfoLog("Starting up by-domain spam blacklist, " .
                            "reading from %s", $BlacklistDir);
  my $domains = CreateByDomainList($BlacklistDir, \%Blacklist);
  MailScanner::Log::InfoLog("Read blacklist for %d domains", $domains);
}

#
# Lookup a message in the by-domain whitelist and blacklist
#
sub ByDomainSpamWhitelist {
  my($message) = @_;
  return LookupByDomainList($message, \%Whitelist);
}

sub ByDomainSpamBlacklist {
  my($message) = @_;
  return LookupByDomainList($message, \%Blacklist);
}

#
# Close down the by-domain whitelist and blacklist
#
sub EndByDomainSpamWhitelist {
  MailScanner::Log::InfoLog("Closing down by-domain spam whitelist");
}

sub EndByDomainSpamBlacklist {
  MailScanner::Log::InfoLog("Closing down by-domain spam blacklist");
}

#
# Setup the per-domain spam white or black list.
# Note this doesn't do anything much in the way of syntax-checking the
# files, so they better be right! If there are duff lines in the files,
# they just won't produce any matches, they can't actually cause any harm.
#
sub CreateByDomainList {
  my($dirname, $BlackWhite) = @_;

  my($dir, $filename, $fh, $domains);

  $dir = new DirHandle;
  $dir->open($dirname) or return 0;
  $domains = 0; # Count the number of domains we have read
  while ($filename = $dir->read()) {
    next if $filename =~ /^\./;
    next unless -f "$dirname/$filename";
    $fh = new FileHandle;
    $fh->open("$dirname/$filename") or next;
    $filename = lc($filename); # Going to store the name in lower case
    while(<$fh>) {
      chomp;
      #print STDERR "Line is \"$_\"\n";
      s/#.*$//;            # Strip comments
      s/\S*:\S*//g;        # Strip any words with ":" in them
      s/^\s+//g;           # Strip leading whitespace
      s/^(\S+)\s.*$/$1/;   # Use only the 1st word
      s/^\*\@//;           # Strip any leading "*@" they might have put in
      #print STDERR "Line is \"$_\"\n";
      next if /^$/;        # Strip blank lines
      $BlackWhite->{$filename}{lc($_)} = 1; # Store the whitelist entry
    }
    $fh->close();
    $domains++;
  }
  $dir->close();

  return $domains;
}

#
# Based on the address it is going to, choose the right spam white/blacklist.
# Return 1 if the "from" address is white/blacklisted, 0 if not.
#
sub LookupByDomainList {
  my($message, $BlackWhite) = @_;

  return 0 unless $message; # Sanity check the input

  # Find the "from" address and the first "to" address
  my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip);
  $from       = $message->{from};
  $fromdomain = $message->{fromdomain};
  @todomain   = @{$message->{todomain}};
  $todomain   = $todomain[0];
  @to         = @{$message->{to}};
  $to         = $to[0];
  $ip         = $message->{clientip};

  # It is in the list if either the exact address is listed,
  # or the domain is listed
  return 1 if $BlackWhite->{$to}{$from};
  return 1 if $BlackWhite->{$to}{$fromdomain};
  return 1 if $BlackWhite->{$to}{$ip};
  return 1 if $BlackWhite->{$todomain}{$from};
  return 1 if $BlackWhite->{$todomain}{$fromdomain};
  return 1 if $BlackWhite->{'default'}{$from};
  return 1 if $BlackWhite->{'default'}{$fromdomain};
  return 1 if $BlackWhite->{'default'}{$ip};

  # It is not in the list
  return 0;
}

#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************

###########################################################################
#
# Handy little feature to let you use the same MailScanner.conf file on
# lots of different hosts, where the only difference is the hostname.
# Just uncomment the "use Sys::Hostname" line and then set
#      Hostname = &Hostname
# in your MailScanner.conf to use this.
#
# Many thanks to Tony Finch for this.
#
###########################################################################

use Sys::Hostname;

my $hostname;

sub InitHostname {
  $hostname = hostname;
}

sub Hostname {
  return $hostname;
}

sub EndHostname {
  # nothing to do
}

#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************

###########################################################################
#
# This is a setup to do logging to an SQL database.
# For speed, the per-message logs are written to a tab-separated file
# during execution.
# When the child process dies of old age (or is politely killed), the
# log file is read and inserted into a database table.
#
# If you want to use this code, you must:
# 1. uncomment the "use DBI;" line just below this comment.
# 2. Read the README.sql-logging file in the docs directory
#    of the distribution.
#
###########################################################################

use IO::File;
use DBI;

my($logfile1);
my($hostname) = hostname; # Don't forget to uncomment Use Sys::Hostname above

# Modify this as necessary for your configuration
my($db_name) = "mailscanner";
my($db_host) = "localhost";
my($db_user) = "mailscanner";
my($db_pass) = "mailscanner";

# Initialise. All we need to do is create the temporary log files. These
# are created using tmpfile() to avoid security problems caused by any
# other process on the system being able to read (or even write!) to
# the log files. The files created are not accessible to any other processes
# at all, as they don't have an entry in a directory.
sub InitSQLLogging {
  MailScanner::Log::InfoLog("Initialising SQL Logging temp file");
  $logfile1 = IO::File->new_tmpfile or die "IO::File->new_tmpfile: $!";
  #$logfile->autoflush(1);
}

# Shutdown. Write all the log entries to the SQL database, then close
# the temporary log files. Closing them will also delete them as they were
# created with tmpfile().
sub EndSQLLogging {
  my(@fields);

  MailScanner::Log::InfoLog("Ending SQL Logging temp output " .
                            "and flushing to database");

  # Create database connection
  my($dbh) = DBI->connect("DBI:mysql:database=$db_name;host=$db_host",
                          $db_user, $db_pass, {PrintError => 0})
    or MailScanner::Log::DieLog("Cannot connect to the database: %s",
                                $DBI::errstr);

  # Prepare the insert once for the whole batch. The values are bound to
  # the 20 placeholders, so quotes in them need no escaping.
  my($sth) = $dbh->prepare("INSERT INTO maillog VALUES " .
                           "(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)")
    or MailScanner::Log::DieLog("Cannot prepare insert: %s", $DBI::errstr);

  # Rewind to start of logfile
  $logfile1->flush();
  seek($logfile1, 0, 0)
    or MailScanner::Log::DieLog("EndSQLLogging seek: %s", $!);

  while(<$logfile1>) {
    chomp;
    @fields = split(/\t/);
    print join(",", @fields);

    # Work through each field protecting any special characters such as single quote
    # The line below replaces ' with \'
    # @fields = map { s/\'/\\'/g } @fields;
    # ADD: Peter C. Ndikuwera. The above line doesn't seem to work...

    # Set any empty strings to undef, which DBI binds as SQL NULL
    # (the string 'NULL' would be stored literally through a placeholder)
    @fields = map { ($_ eq '') ? undef : $_ } @fields;

    # Insert @fields into a database table
    $sth->execute(@fields[0..19])
      or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
  }

  # Close database connection
  $dbh->disconnect();

  # Close and delete the temporary files (deletion is done automatically)
  $logfile1->close();
  MailScanner::Log::InfoLog("Database flush completed");
}

# Write all the log information for 1 message to the temporary file.
sub SQLLogging {
  my($message) = @_;

  # Get rid of control chars and tidy-up SpamAssassin report
  my $spamreport = $message->{spamreport};
  $spamreport =~ s/\n/ /g;
  $spamreport =~ s/\t//g;

  # Get timestamp, and format it so it is suitable to use with MySQL
  my($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
  my($timestamp) = sprintf("%d-%02d-%02d %02d:%02d:%02d",
                           $year+1900,$mon+1,$mday,$hour,$min,$sec);

  # Also print 1 line for each report about this message. These lines
  # contain all the info above, + the attachment filename and text of
  # each report.
  my($file, $text, @report_array);
  while(($file, $text) = each %{$message->{allreports}}) {
    $file = "the entire message" if $file eq "";
    # Use the sanitised filename to avoid problems caused by people forcing
    # logging of attachment filenames which contain nasty SQL instructions.
    # ("||" rather than "or": "or" binds more loosely than "=")
    $file = $message->{file2safefile}{$file} || $file;
    # Tab and newline are the field and record separators of the temporary
    # log, so every occurrence has to go, not just the first.
    $text =~ s/\n/ /g; # Make sure text report only contains 1 line
    $text =~ s/\t/ /g; # and no tab characters
    push (@report_array, $text);
  }

  # Sanitize reports
  my $reports = join(",",@report_array);

  # Print 1 line for each message.
  print $logfile1 join("\t",
                       $timestamp,
                       $message->{id},
                       $message->{size},
                       $message->{from},
                       join(',', @{$message->{to}}),
                       $message->{subject},
                       $message->{clientip},
                       join(',', @{$message->{archiveplaces}}),
                       $message->{isspam},
                       $message->{ishigh},
                       $message->{issaspam},
                       $message->{isrblspam},
                       $message->{spamwhitelisted},
                       $message->{sascore},
                       $spamreport,
                       $message->{virusinfected},
                       $message->{nameinfected},
                       $message->{otherinfected},
                       $reports,
                       $hostname) . "\n";
}

#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************
#**************************************************************************

#
# This Custom Function provides a facility whereby some internal-only
# accounts can only send mail to other "internal" domain names, and cannot
# send mail to any other addresses apart from those domains.
#
# To use it, specify
#      Non Spam Actions = &InternalActions
#      Spam Actions = &InternalActions
#      High Scoring Spam Actions = &InternalActions
# in your MailScanner.conf file, having added this code to
# /usr/lib/MailScanner/MailScanner/CustomConfig.pm
#
# It uses a configuration file whose path is
my($InternalAccountList) = '/etc/MailScanner/internal.accounts.conf';
# to read lines that look like one of these
#      domain yourdomain.com
#      account local-only1
# These 2 lines in the file would define that a local email account
# "local-only1" could not send mail to any address except addresses
# @yourdomain.com.
# There can be many domains and many accounts specified, one per line.
#
# Mail from the internal-only accounts to external domains will have the
my($InternalFailAction) = 'delete';
# action applied to it. This can be any of the legal "spam actions" as
# defined in the MailScanner.conf file.
#

use FileHandle;

my(%InternalDomains, %InternalAccounts);

sub InitInternalActions {
  MailScanner::Log::InfoLog("Initialising Internal account list");
  my $listfile = new FileHandle;
  unless($listfile->open("<$InternalAccountList")) {
    MailScanner::Log::WarnLog("Could not read list of internal accounts " .
                              "from %s", $InternalAccountList);
    return;
  }

  my($keyword, $value);
  my $line = 0;
  my $domains = 0;
  my $accounts = 0;
  while(<$listfile>) {
    $line++;
    chomp;
    s/^#.*$//;
    s/^\s*//g;
    s/\s*$//g;
    next if /^$/;
    $keyword = undef;
    $value = undef;
    /^([^\s]+)\s*([^\s]+)$/;
    ($keyword, $value) = (lc($1), lc($2));
    $value =~ s/\@.*$//; # Delete the @ and everything after it
    if ($keyword =~ /domain/i) {
      #print STDERR "Storing domain $value\n";
      $InternalDomains{$value} = 1;
      $domains++;
    } elsif ($keyword =~ /account|user/i) {
      #print STDERR "Storing account $value\n";
      $InternalAccounts{$value} = 1;
      $accounts++;
    } else {
      MailScanner::Log::WarnLog("Syntax error in %s at line %d",
                                $InternalAccountList, $line);
    }
  }
  $listfile->close();

  MailScanner::Log::InfoLog("Internal Account List read %d domains and %d " .
                            "accounts", $domains, $accounts);
}

sub EndInternalActions {
  # No shutdown code needed here at all.
  MailScanner::Log::InfoLog("Shutting down internal accounts list");
}

# This will return 1 for all messages except those generated by this
# computer.
# This will return "deliver" for all internal mail as requested,
# and $InternalFailAction for everything else.
sub InternalActions {
  my($message) = @_;

  return 'deliver' unless $message; # Default if no message passed in
  return 'deliver' unless $message->{from}; # Default if duff message

  my($fromac, $fromdomain, $todomain);
  $fromac = lc($message->{from});
  $fromdomain = $fromac;
  $fromac =~ s/\@.*$//;      # Leave everything before @
  $fromdomain =~ s/^.*\@//;  # Leave everything after @

  # Is it coming from inside?
  #print STDERR "Testing $fromdomain\n";
  #print STDERR "Answer is " . $InternalDomains{$fromdomain} . "\n";
  return 'deliver' unless $InternalDomains{$fromdomain};
  #print STDERR "$fromdomain passed internaldomains test\n";
  # and is it coming from an internal-only address?
  return 'deliver' unless $InternalAccounts{$fromac};
  #print STDERR "$fromac passed internalaccounts test\n";

  # Fail if it is being delivered to *any* external addresses
  foreach $todomain (@{$message->{todomain}}) {
    $todomain = lc($todomain);
    #print STDERR "Testing $todomain\n";
    unless ($InternalDomains{$todomain}) {
      MailScanner::Log::WarnLog("Internal-only account %s attempted to " .
                                "send mail to external address \@%s",
                                $fromac, $todomain);
      return $InternalFailAction;
    }
  }

  # Passed that, so it must be only going to internal addresses
  return 'deliver';
}

1;

From David.While at UCE.AC.UK Mon Sep 1 08:54:20 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:40 2006
Subject: ClamAV missing Sobig.F
Message-ID: <107DE25EC0216C45AEF670016024245F64417B@exchangea.staff.uce.ac.uk>

I use ClamAV and it picks up Sobig.F just fine - so far 453 and rising!

David While

-----Original Message-----
From: Gerry Doris [mailto:gerry@DORFAM.CA]
Sent: Mon 01/09/2003 02:36
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: ClamAV missing Sobig.F

I've noticed that ClamAV seems to be missing Sobig.F (or a variant).
F-Prot and Trend are picking them up but ClamAV is letting them right
through.

I've even tried scanning the quarantine directory with each of the three
scanners. ClamAV can't find the virus but the other two do.

And before you ask...yes, I have the latest ClamAV data files. I even did
a freshclam to be sure.

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From eja at URBAKKEN.DK Mon Sep 1 08:53:15 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:19:40 2006
Subject: Mails
Message-ID: <3F52FAEB.2010708@urbakken.dk>

Hi.

I can see that my MailScanner does work, but it seems that it puts
incoming mails in /var/spool/postfix/incoming:

/var/spool/postfix/incoming/0/3 # ls -l
total 12
drwxr-xr-x 2 postfix postfix 112 Sep 1 09:37 .
drwxr-xr-x 5 postfix postfix 120 Sep 1 09:37 ..
-rwx------ 1 postfix postfix 5541 Sep 1 08:54 03CBE2EB61
-rwx------ 1 postfix postfix 2798 Sep 1 09:37 03CBE37A08

I think it should have been /var/spool/postfix.in/incoming?

Am I right, and if so, what should be changed in my setup?

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From Antony at SOFT-SOLUTIONS.CO.UK Mon Sep 1 09:35:24 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:40 2006
Subject: ClamAV missing Sobig.F
In-Reply-To:
References:
Message-ID: <200309010835.h818ZS501908@onyx.rockstone.co.uk>

On Monday 01 September 2003 2:36 am, Gerry Doris wrote:

> I've noticed that ClamAV seems to be missing Sobig.F (or a variant).
> F-Prot and Trend are picking them up but ClamAV is letting them right
> through.

Please email one of these files to my address.

Regards,

Antony.

--
All matter in the Universe can be placed into one of two categories:
1. things which need to be fixed
2. things which will need to be fixed once you've had a few minutes to play with them

From michele at BLACKNIGHTSOLUTIONS.COM Mon Sep 1 09:39:44 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions) Date: Thu Jan 12 21:19:40 2006 Subject: Upgrade: werid problem Message-ID: <200309010839.h818ddt27127@camelot.blacknightsolutions.com> Hi I just tried to upgrade MailScanner from the previous version to the latest on a client's server, but the MailScanner.conf.rpmnew is not to be found anywhere. Any ideas? I ran the upgrade successfully on another server yesterday running the same version of RH, so I am a little confused M ######################################################### This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited. From dh at UPTIME.AT Mon Sep 1 10:00:59 2003 From: dh at UPTIME.AT (David) Date: Thu Jan 12 21:19:40 2006 Subject: Never Notify Senders Of Precedence --> not working? Message-ID: Hello. Once again it is me. Using the latest Stable release I set: Never Notify Senders Of Precedence = list bulk I just received a Mail (even from this list) which has: Precedence: list But was marked as: spam, SpamAssassin (Wertung=4.1, benoetigt 4.1, FORGED_MUA_OUTLOOK 3.48, MISSING_OUTLOOK_NAME 0.58) Is there anything I setup wrongly? Thanks -d -- nee amata wo mitsukete soshite midoto wasrezu domma mi mumega itakutemo soba mi iru mo zutto...zutto...zutto -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 186 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030901/24134954/attachment.bin From m.sapsed at BANGOR.AC.UK Mon Sep 1 10:08:56 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:19:40 2006 Subject: What's Going on here? References: <005601c36e70$f4d5f140$9c01a8c0@home.middlefinger.net> Message-ID: <3F530CA8.9030803@bangor.ac.uk> Mike Kercher wrote: > I've seen several emails come through that look like they got past Sophos, > but the filename alone caught it. For the most part, Sophos says the > attachment is infected with Sobig. Thoughts? If I understand you correctly, you're seeing attachments which you would expect to be Sobig-F. The filename rules pick them up but Sophos doesn't? I've seen a few instances like this and having quarantined them, I sent them to Sophos. They were all broken copies. I've also sometimes seen Sobig-like attachments which were in fact empty. There were quite a lot like this with Bugbear which caused them to issue the Bugbear-Dam ide. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:30:43 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:41 2006
Subject: Trend Autoupdate broken in 4.23-10
In-Reply-To: <3F529038.90001@sghms.ac.uk>
Message-ID: <5.2.0.9.2.20030901103028.066c2b40@imap.ecs.soton.ac.uk>

Thanks for that. I'll put out a -11 soon with this in it.

At 01:18 01/09/2003, you wrote:
>Dear all,
>The trend autoupdate in 4.23-10 is broken. Attached is a fixed version.
>
>Dan
>
>--
>____________________________________
>
>Daniel Bird
>Network & Systems Manager
>St. George's Hospital Medical School
>Tooting
>London SW17 0RE
>
>P: +44 20 8725 2897
>F: +44 20 8725 3583
>E: dan@sghms.ac.uk
>____________________________________
>
>Hex dump: Where witches put used curses...
>"#define QUESTION ((bb) || !(bb)) - Shakespeare."
>
>
>#!/bin/sh
>
># Trend Autoupdate Script.
># V0.1 Dan Bird. dbird@sghms.ac.uk
># 12/08/2003
>
>
>OPRINI=opr.ini.$$
>export OPRINI
>
># source of IScan dat files
>FTPSERV="ftp://ftp.antivirus.com/products/pattern/"
>
># Get the info on new version...
>echo "Checking for latest DAT version..."
>wget -q -O /tmp/$OPRINI $FTPSERV/opr.ini
>NEWVER=`grep PatternVersion /tmp/opr.ini.$$ | sed s/^PatternVersion=//g |
>cut -c 1-3`
>
># What's our current version?
>CURRENTVER=`ls /etc/iscan/* | grep lpt | tail -1 | cut -d. -f 2`
>
>if [ "$CURRENTVER" = "" ]
>then
>  CURRENTVER=0
>fi
>echo "Current version is : $CURRENTVER"
>
>fail () {
>  trap EXIT
>  echo "Test run failed -- removing bad Trend data files"
>  echo "$OUT"
>  rm -rf /etc/iscan/lpt*$NEWVER*
>  exit 1
>}
>
># If our current one is older, download the new one!!!
>if [ $CURRENTVER -lt $NEWVER ]
>then
>  echo "Getting new DAT version : $NEWVER"
>  wget -q -P /tmp $FTPSERV/lpt$NEWVER.zip
>  printf "Testing file for corruption...."
>
>  DATCHECK=`unzip -o -t /tmp/lpt$NEWVER.zip | grep "No errors"`
>
>  if [ "$DATCHECK" != "" ]
>  then
>    echo "OK"
>    mv /tmp/lpt$NEWVER.zip /etc/iscan
>    printf "installing...."
>    cd /etc/iscan
>    unzip -q -o lpt$NEWVER.zip
>    echo "DONE"
>  else
>    echo "BAD ARCHIVE"
>  fi
>
>  trap fail EXIT
>  CMD="/opt/trend/ISBASE/IScan.BASE/vscan -v 2>&1"
>  OUT=`$CMD`
>  case "$OUT" in
>    *"read pattern failed"* | \
>    *"invalid pattern file"* | \
>    *"pattern file not found"* | \
>    *"incorrect pattern format"* | \
>    *"read error"* | \
>    *"out of memory"* )
>      fail
>      ;;
>  esac
>  trap EXIT
>
>else
>  echo "DAT files are upto date"
>fi
>rm -f /tmp/*.zip /tmp/$OPRINI /etc/iscan/*.zip

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:34:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:41 2006
Subject: Never Notify Senders Of Precedence --> not working?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030901103337.04da4c90@imap.ecs.soton.ac.uk>

The contents of the spam report has nothing to do with stopping sender
notifications.

At 10:00 01/09/2003, you wrote:
>Hello. Once again it is me. Using the latest Stable release I set:
>
>Never Notify Senders Of Precedence = list bulk
>
>I just received a Mail (even from this list) which has:
>
>Precedence: list
>
>But was marked as:
>
>spam, SpamAssassin (Wertung=4.1, benoetigt 4.1, FORGED_MUA_OUTLOOK 3.48,
>MISSING_OUTLOOK_NAME 0.58)
>
>
>Is there anything I setup wrongly?
>
>Thanks
>
>-d
>
>-- nee amata wo mitsukete soshite midoto wasrezu
> domma mi mumega itakutemo soba mi iru mo
> zutto...zutto...zutto
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:04:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: ANNOUNCE: Stable 4.23-10 released In-Reply-To: <3F51F743.437479E8@whidbey.com> References: <5.2.1.1.2.20030831114301.03769108@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030901100432.05c97680@imap.ecs.soton.ac.uk> At 14:25 31/08/2003, you wrote: >I just ran the installer and was about to update_MailScanner_conf when I >noticed >there was no MailScanner.conf.rpmnew this time. Is that a fluke, or is >there no >change between the 4.23-9 and 4.23-10 configuration files? Correct. I don't think I added any new options to -10 that weren't in -9. >Van > >Julian Field wrote: > > > Folks, > > > > I have just released a new "stable" version of MailScanner. There are many > > improvements and some fixes this time, rather more than I can easily list > > for you here, so please see the ChangeLog which is at the bottom of this > > message. > > > >-- >---------------------------------------------------------- >Sign up now for Quotes of the Day, a handful of quotations >on a theme delivered every morning. >Enlightenment! Daily, for free! >mailto:twisted@whidbey.com?subject=Subscribe_QOTD > >For web hosting and maintenance, >visit Van's home page: http://www.domainvanhorn.com/van/ >---------------------------------------------------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:32:49 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: ANNOUNCE: Stable 4.23-10 released In-Reply-To: References: <5.2.1.1.2.20030831114301.03769108@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030901103242.04d53c90@imap.ecs.soton.ac.uk> This will be in -11 as well. At 01:47 01/09/2003, you wrote: >Hi! > > > I have just released a new "stable" version of MailScanner. There are many > > improvements and some fixes this time, rather more than I can easily list > > for you here, so please see the ChangeLog which is at the bottom of this > > message. > >Seems to run just fine! Just upgraded. > >I noticed in the spam.lists.conf that the two BAD ones are still listed: > >osirusoft / SPEWS > >Could you take those out in a upcomming package ? =) > >I dont think its wise to put them inside the standard configs anymore. > >And perhaps put in also NJABL, i am getting very good results with that >one also... > >NJABL dnsbl.njabl.org > >Bye, >Raymond. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:17:30 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: Syntax for subject checking In-Reply-To: <3F52046A.30205@platformhosting.com> References: <200308311401.h7VE1O531429@onyx.rockstone.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0015A7822@pascal.priv.bmrb.co.uk> <1062331718.21910.92.camel@bach.kevinspicer.co.uk> <3F51FB8D.1356EFB1@whidbey.com> <200308311401.h7VE1O531429@onyx.rockstone.co.uk> Message-ID: <5.2.0.9.2.20030901101658.06696e70@imap.ecs.soton.ac.uk> The reason you can't find it is that it's not there. Sorry. I have been trying to come up with a decent answer to this problem myself, too. At 15:21 31/08/2003, you wrote: >Hi All, > >I'm trying to implement the Is Definately Spam feature based on a tag >[Possible Spam]in the subject ideally if this exists, MS should realise >this is definately spam, log it as such and then look for the action it >should take based on the users domain name etc.. > >How would I do this in the Is Definately Spam ruleset file? I've tried >a few combinations and looked in the examples file, but it only seems to >cover To and or From fields.. >-- >Regards, > >David Hooton >Senior Partner >Platform Hosting >1300 85 HOST >www.platformhosting.com > > >======================================================================== > This message has been scanned for viruses and unsafe content by > Platform MailScanner > > To report SPAM forward the message to: spam@platformhosting.com > To report incorrectly tagged messages: notspam@platformhosting.com > > Platform MailScanner - http://mailscanner.platformhosting.com/ > Platform Hosting - http://www.platformhosting.com/ > >======================================================================== -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From david at PLATFORMHOSTING.COM Mon Sep 1 10:42:40 2003 
From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:19:41 2006 Subject: Syntax for subject checking In-Reply-To: <5.2.0.9.2.20030901101658.06696e70@imap.ecs.soton.ac.uk> References: <200308311401.h7VE1O531429@onyx.rockstone.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0015A7822@pascal.priv.bmrb.co.uk> <1062331718.21910.92.camel@bach.kevinspicer.co.uk> <3F51FB8D.1356EFB1@whidbey.com> <200308311401.h7VE1O531429@onyx.rockstone.co.uk> <5.2.0.9.2.20030901101658.06696e70@imap.ecs.soton.ac.uk> Message-ID: <3F531490.4020009@platformhosting.com> I've managed to implement a SpamAssassin rule to do this, but it would still be great to make this something that didn't require SA. I look forward to seeing the result of your head scratching :) -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com Julian Field wrote: > The reason you can't find it is that it's not there. Sorry. > I have been trying to come up with a decent answer to this problem > myself, too. > > At 15:21 31/08/2003, you wrote: > >> Hi All, >> >> I'm trying to implement the Is Definately Spam feature based on a tag >> [Possible Spam]in the subject ideally if this exists, MS should realise >> this is definately spam, log it as such and then look for the action it >> should take based on the users domain name etc.. >> >> How would I do this in the Is Definately Spam ruleset file? I've tried >> a few combinations and looked in the examples file, but it only seems to >> cover To and or From fields.. 
From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:58:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: Mails In-Reply-To: <3F52FAEB.2010708@urbakken.dk> Message-ID: <5.2.0.9.2.20030901105806.05c1cf60@imap.ecs.soton.ac.uk> It's putting the mail in the right place. Postfix should get kicked to request a delivery of it. Please check your mail log for any clues. At 08:53 01/09/2003, you wrote: >Hi. > >I can see, that my MailScanner does work, but it seems, that it puts >incomming mails in /var/spool/postfix/incoming: > >/var/spool/postfix/incoming/0/3 # ls -l >total 12 >drwxr-xr-x 2 postfix postfix 112 Sep 1 09:37 . >drwxr-xr-x 5 postfix postfix 120 Sep 1 09:37 .. >-rwx------ 1 postfix postfix 5541 Sep 1 08:54 03CBE2EB61 >-rwx------ 1 postfix postfix 2798 Sep 1 09:37 03CBE37A08 > >I think it should have been /var/spool/postfix.in/incoming ?. > >Am I right, and if, what should be changed in my setup ?. > >-- >Med venlig hilsen - Best regards. >Erik Jakobsen - eja@urbakken.dk. >Licensed radioamateur with the callsign OZ4KK. >SuSE Linux 8.2 Proff. >Registered as user #319488 with the Linux Counter, http://counter.li.org. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Sep 1 10:57:09 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: Tagging the subject line of e-mail In-Reply-To: Message-ID: <5.2.0.9.2.20030901105651.05c09ba0@imap.ecs.soton.ac.uk> Can you give us an example of what you mean? At 04:54 01/09/2003, you wrote: >Did this ever get resolved? > >I just upgraded from 4.21-9 to 4.23-10 and nolonger get any of the subject >line modifications notices that use the curly brackets, other than if I set >"Scanned Modify Subject" , for example any violation be it a virus ,bad file >name/type receives the subject line "Warning: E-mail viruses detected", I >haven't had a spam message yet to see if that notification has also stopped >working > >from my conf file >Virus Modify Subject = yes >Virus Subject Text = {Virus?} >Filename Modify Subject = yes >Filename Subject Text = {Filename?} >Content Modify Subject = yes >Content Subject Text = {Dangerous Content?} >Spam Modify Subject = yes >Spam Subject Text = {Spam?} >High Scoring Spam Modify Subject = yes >High Scoring Spam Subject Text = {Spam?} > >running perl 5.6.0 > >regards > >ash > >On Wed, 20 Aug 2003 07:41:27 -0400, Collins, Kevin > wrote: > > >Mike, > > > >Thanks for responding. > > > >I'm planning on adding SpamAssassin later in the project. Is it required to > >make the system function as I want? I didn't get that from the > >documentation. They way I read the docs, SpamAssassin just improves > >MailScanner's abilities. > > > >Kevin > > > >> -----Original Message----- > >> From: Mike Kercher [mailto:mike@CAMAROSS.NET] > >> Sent: Tuesday, August 19, 2003 1:59 PM > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: Re: Tagging the subject line of e-mail > >> > >> > >> Are you using SpamAssassin? If not, I'd HIGHLY recommend it! > >> You can also > >> set Log Spam = yes and watch your maillog after restarting > >> MailScanner. > >> > >> Mike > >> > >> > >> -----Original Message----- 
> >> From: MailScanner mailing list > >> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > >> Of Collins, Kevin > >> Sent: Tuesday, August 19, 2003 12:31 PM > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: Tagging the subject line of e-mail > >> > >> > >> Hi! > >> > >> I've just completed installing MS v4.22-5 onto a Red Hat 8 > >> machine to act as > >> my company's "SPAM Filter". First, I want to say THANKS for > >> creating such a > >> project and for making it available to the masses for free. > >> > >> A little background: > >> > >> MailScanner machine: > >> Red Hat 8.0 (fully up2dated) > >> Sendmail 8.12.8 > >> Perl 5.8.0 > >> ClamAV 0.60 (compiled from source) > >> Sendmail set to relay everything to internal Exchange Server > >> > >> Everything seems to be working fine - I've even let a few e-mails pass > >> through the machine for testing. Which is why I'm writing; I > >> now have a > >> question. > >> > >> First, of the 20 some odd messages that have passed through > >> MailScanner, it > >> has tagged 3 as SPAM and one of them as having a Virus > >> (actually it was an > >> HTML Form in the message). The "Virus" message behaved as > >> expected - the > >> e-mail was deleted and not passed on and I got a notification of the > >> deletion. But the remaining messages aren't working as I > >> expected them to > >> (I think). > >> > >> I've configured MailScanner to modify the subject line of > >> every e-mail it > >> touches to include {Scanned} at the beginning. (This is to > >> let me - and > >> everyone else - know that MS is working) In addition I want all SPAM > >> messages flagged with {Spam} as the beginning of the subject line and > >> {Virus} for those that were found to have Viruses. > >> > >> To this point, all of the e-mail coming in (save the "Virus" message > >> mentioned above) have only had the word {Scanned} pre-pended > >> to the Subject > >> Line. I've not seen the {Spam} label anywhere. 
Here are the > >> (I think) > >> appropriate sections of the MailScanner.conf: > >> > >> ---- > >> Scanned Modify Subject = start > >> Scanned Subject Text = {Scanned} > >> Virus Modify Subject = yes > >> Virus Subject Text = {Virus} > >> Filename Modify Subject = yes > >> Filename Subject Text = {Filename} > >> Spam Modify Subject = yes > >> Spam Subject Text = {Spam} > >> High Scoring Spam Modify Subject = yes > >> High Scoring Spam Subject Text = {Spam} > >> ---- > >> Spam Checks = yes > >> Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except > >> .ac.uk) > >> Spam Domain List = > >> Spam Lists To Reach High Score = 5 > >> Spam List Timeout = 10 > >> Max Spam List Timeouts = 7 > >> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules > >> Is Definitely Spam = no > >> ---- > >> > >> >From this, is my description of how MailScanner should work valid? > >> >Have I > >> forgot to do something? What do I need to change/add/delete > >> to make it work > >> as I describe? > >> > >> Thanks in advance. > >> > >> -- > >> Kevin L. Collins, MCSE > >> Systems Manager > >> Nesbitt Engineering, Inc. > >> -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From slwatts at WINCKWORTHS.CO.UK Mon Sep 1 11:27:38 2003 
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:19:41 2006
Subject: Syntax for subject checking
Message-ID:

Hmm... It's a shame a generic subject checking mechanism couldn't be
implemented.

For instance:

Create MS new config item:
CheckSubject Rules = /path/to/subject.ruleset

Subject.ruleset:
#subject text to match    action       option
"[definitely spam]"       -            /path/to/spamaction.by.domain
"..JK.."                  sign         /path/to/JK.sign.rules
"..personal.."            attachsig    /path/to/personal.sign.rules
Default                   sign         /path/to/default.sign.rules

Where spam.by.domain contains the actual action to take:
TO: *@mydomain.com      Delete
TO: *@testdomain.com    Attach, deliver

And if you could have an action in the subject.ruleset like:
consume
whereby the search text is also removed from the subject then it would be
great!

So you may have:
"..JK.."                  sign, consume    /path/to/JK.sign.rules

Not too sure how much sense this makes - but it would appear to kill two
birds with one stone (for my requirement anyway!). But I guess it would
take a fair bit of re-writing to do :-(

Sam

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 01 September 2003 10:18 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Syntax for subject checking The reason you can't find it is that it's not there. Sorry. I have been trying to come up with a decent answer to this problem myself, too. At 15:21 31/08/2003, you wrote: >Hi All, > >I'm trying to implement the Is Definately Spam feature based on a tag >[Possible Spam]in the subject ideally if this exists, MS should realise >this is definately spam, log it as such and then look for the action it >should take based on the users domain name etc.. > >How would I do this in the Is Definately Spam ruleset file? I've tried >a few combinations and looked in the examples file, but it only seems >to cover To and or From fields.. >-- >Regards, > >David Hooton >Senior Partner >Platform Hosting >1300 85 HOST >www.platformhosting.com > > >======================================================================= >= > This message has been scanned for viruses and unsafe content by > Platform MailScanner > > To report SPAM forward the message to: spam@platformhosting.com To > report incorrectly tagged messages: notspam@platformhosting.com > > Platform MailScanner - http://mailscanner.platformhosting.com/ > Platform Hosting - http://www.platformhosting.com/ > >======================================================================= >= -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- Winckworth Sherwood Solicitors and Parliamentary Agents DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR Telephone 020 7593 5000 Fax 020 7593 5099 Do something amazing! The firm is supporting a charitable bike ride through Vietnam and needs your help. 
For further information please visit http://www.vietnambikeride.org -Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system. -Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email. -Regulation- The firm is regulated by the Law Society. -Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at http://www.winckworths.co.uk From mailscanner at ecs.soton.ac.uk Mon Sep 1 11:01:27 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: Upgrade: werid problem In-Reply-To: <200309010839.h818ddt27127@camelot.blacknightsolutions.com> Message-ID: <5.2.0.9.2.20030901105854.066e2bc0@imap.ecs.soton.ac.uk> If the MailScanner.conf file hasn't changed from the previous version you had installed, then there is no need for a .rpmnew file so it won't create one. At 09:39 01/09/2003, you wrote: >Hi > >I just tried to upgrade MailScanner from the previous version to the latest >on a client's server, but the MailScanner.conf.rpmnew is not to be found >anywhere. >Any ideas? > >I ran the upgrade successfully on another server yesterday running the same >version of RH, so I am a little confused > >M > > > >######################################################### >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance to it is prohibited. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Sep 1 11:03:18 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: Syntax for subject checking In-Reply-To: <3F531490.4020009@platformhosting.com> References: <5.2.0.9.2.20030901101658.06696e70@imap.ecs.soton.ac.uk> <200308311401.h7VE1O531429@onyx.rockstone.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0015A7822@pascal.priv.bmrb.co.uk> <1062331718.21910.92.camel@bach.kevinspicer.co.uk> <3F51FB8D.1356EFB1@whidbey.com> <200308311401.h7VE1O531429@onyx.rockstone.co.uk> <5.2.0.9.2.20030901101658.06696e70@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030901110230.05c17b70@imap.ecs.soton.ac.uk> At 10:42 01/09/2003, you wrote: >I've managed to implement a SpamAssassin rule to do this, but it would >still be great to make this something that didn't require SA. > >I look forward to seeing the result of your head scratching :) You may be able to do this with MCP. This is still in development but take a look at http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp >-- >Regards, > >David Hooton >Senior Partner >Platform Hosting >1300 85 HOST >www.platformhosting.com > > >Julian Field wrote: > >>The reason you can't find it is that it's not there. Sorry. >>I have been trying to come up with a decent answer to this problem >>myself, too. >> >>At 15:21 31/08/2003, you wrote: >> >>>Hi All, >>> >>>I'm trying to implement the Is Definately Spam feature based on a tag >>>[Possible Spam]in the subject ideally if this exists, MS should realise >>>this is definately spam, log it as such and then look for the action it >>>should take based on the users domain name etc.. >>> >>>How would I do this in the Is Definately Spam ruleset file? I've tried >>>a few combinations and looked in the examples file, but it only seems to >>>cover To and or From fields.. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From michele at BLACKNIGHTSOLUTIONS.COM Mon Sep 1 11:37:12 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions) Date: Thu Jan 12 21:19:41 2006 Subject: Upgrade: werid problem In-Reply-To: <5.2.0.9.2.20030901105854.066e2bc0@imap.ecs.soton.ac.uk> Message-ID: <200309011037.h81Ab7h07901@camelot.blacknightsolutions.com> > If the MailScanner.conf file hasn't changed from the previous > version you had installed, then there is no need for a > .rpmnew file so it won't create one. > Okay, but when I upgraded from version 9 to version 10 on another box it was created as there were a number of additions to the configuration options introduced by the new release. (Now I am rather confused :-( ) From Kevin.Spicer at BMRB.CO.UK Mon Sep 1 11:55:42 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:41 2006 Subject: Syntax for subject checking Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649670@pascal.priv.bmrb.co.uk> > You may be able to do this with MCP. This is still in development but > take a look at > http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp > That's looking very interesting. One question, presumably this produces a report in the same manner as SA (i.e. test names but no description) so any 'describe' definitions you create will be effectively ignored (although SA may require them to be present?). If this is the case then it is a shame since it would be nice to be able to include in the report expressions such as.. "Contained profanity" "Contained the URL of a listed porn site" "Contained Bomb making instructions" etc... BTW I spotted a couple of oddities on the web page (presumably from when you renamed TCP to MCP) - all in the cut n' paste section from MailScanner.conf. # MCP (Text Content Protection) should presumably be # MCP (Message Content Protection) and there are two mentions of TCP rather than MCP BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Mon Sep 1 12:20:45 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: ANNOUNCE: Stable 4.23-11 released Message-ID: <5.2.0.9.2.20030901121648.066fa720@imap.ecs.soton.ac.uk> Unfortunately I made a couple of mistakes in the build for 4.23-10, and have found 1 important bug in it. The 3 fixes are: - trend-autoupdate should now work properly - Removed osirusoft from the available "Spam Lists" - Fixed important logging bug that could cause MailScanner to crash If you are using the tar distribution, then the only files that have changed are trend-autoupdate, spam.lists.conf and Log.pm. If you are using either of the RPM distributions, then just update the mailscanner RPM itself, that's about all that should be needed. Download as usual from www.mailscanner.info. Really sorry folks! (This is partially why I release at weekends :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From bamcomp at YAHOO.COM Mon Sep 1 12:47:53 2003 
From: bamcomp at YAHOO.COM (Brett Moss) Date: Thu Jan 12 21:19:41 2006 Subject: ANNOUNCE: Stable 4.23-11 released In-Reply-To: <5.2.0.9.2.20030901121648.066fa720@imap.ecs.soton.ac.uk> Message-ID: <20030901114753.46877.qmail@web13802.mail.yahoo.com> hi, i get this when i try and run the update_virus_scanners manually or when run as a cron job with both 4.23-10 and 4.23-11 i am unable to find an -I switch -I: invalid switch or incorrect usage Usage: uvscan [--allole] [--analyse | --analyze] [-c | --clean] [--cleandocall] [--config file] [--dam] [-d | --dat | --data-directory] [--delete] [--exclude file] [-e | --exit-on-error] [--extlist] [--extensions EXT1[,EXT2...]] [--extra file] [--fam] [-f | --file file] [--floppya] [--floppyb] [-h | --help] [--ignore-compressed] [--ignore-links] [--load file] [--manalyse | --manalyze | --macro-heuristics] [--maxfilesize XXX] [--mime] [--mailbox] [-m | --move directory] [--noboot] [--nocomp] [--nodecrypt] [--nodoc] [--noexpire] [--norename] [--one-file-system] [--panalyse | --panalyze] [-p | --atime-preserve | --plad] [--program] [-r | --recursive | --sub] [--secure] [-s | --selected] [--summary] [-u | --unzip] [-v | --verbose] [--version] [--virus-list] [-] {file / directory} thanks, brett --- Julian Field wrote: > Unfortunately I made a couple of mistakes in the > build for 4.23-10, and > have found 1 important bug in it. > > The 3 fixes are: > - trend-autoupdate should now work properly > - Removed osirusoft from the available "Spam Lists" > - Fixed important logging bug that could cause > MailScanner to crash > > If you are using the tar distribution, then the only > files that have > changed are trend-autoupdate, spam.lists.conf and > Log.pm. > > If you are using either of the RPM distributions, > then just update the > mailscanner RPM itself, that's about all that should > be needed. > > Download as usual from www.mailscanner.info. > > Really sorry folks! 
(This is partially why I release > at weekends :-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From bamcomp at YAHOO.COM Mon Sep 1 13:21:34 2003 From: bamcomp at YAHOO.COM (Brett Moss) Date: Thu Jan 12 21:19:41 2006 Subject: ANNOUNCE: Stable 4.23-11 released In-Reply-To: <20030901114753.46877.qmail@web13802.mail.yahoo.com> Message-ID: <20030901122134.44166.qmail@web13801.mail.yahoo.com> hello again, sorry but i had forgot to change the mcafee-wrapper from rpmnew this is what happens when working between 2 and 5 am i guess thanks again brett > i am unable to find an -I switch > > -I: invalid switch or incorrect usage From gerry at DORFAM.CA Mon Sep 1 15:20:58 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:19:41 2006 Subject: ClamAV missing Sobig.F In-Reply-To: <200309010835.h818ZS501908@onyx.rockstone.co.uk> Message-ID: On Mon, 1 Sep 2003, Antony Stone wrote: > On Monday 01 September 2003 2:36 am, Gerry Doris wrote: > > > I've noticed that ClamAV seems to be missing Sobig.F (or a variant). > > F-Prot and Trend are picking them up but ClamAV is letting them right > > through. > > Please email one of these files to my address. > > Regards, > > Antony. I'll send you the next one I get. All files currently in my quarantine directory aren't listed as virii by any of the scanners (F-Prot, Trend, or ClamAV)??? I automatically deleted them each day. I'm really confused now. Is it possible that one of these is cleaning the attachment during the scan? -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From michael at NSEC.DK Mon Sep 1 15:47:35 2003 
From: michael at NSEC.DK (Michael Svendsen) Date: Thu Jan 12 21:19:41 2006 Subject: Problem with to-field in MIME Header In-Reply-To: Message-ID: Hey m8 I have a little weird problem with the to-field in the MIME-header. In my CustomConfig.pm I have following line when using MailWatch: $tousers = join(',', @{$message->{to}}) The problem seems to be, that it takes following lines as the "to"-parameter: X-Original-To: michael@domain.com Delivered-To: domain@mail.domain.com Cause my $tousers now becomes: "michael@domain.com, domain@mailserver.domain.com" in my virtusertable I have: @domain.com domain that's why the Delivered-To is domain@.... I've also tried with: $tousers = join(',', @{$message->{touser}}) Then I get $tousers to be: "michael, domain" Any ideas? Hope to hear from you soon. Best Regards Michael From jwilliam at KCR.UKY.EDU Mon Sep 1 16:40:20 2003 From: jwilliam at KCR.UKY.EDU (John Williams) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP In-Reply-To: <5.2.0.9.2.20030321143859.03ea2d40@imap.ecs.soton.ac.uk> References: Message-ID: <5.1.1.5.2.20030901113034.02924d40@mail.kcr.uky.edu> Please forgive me if I've missed this post, but is there a way to look at the IP address of incoming mail and filter/blacklist it based on that? I'm getting the sobig.f from an IP EVERY minute. The campus network guys don't allow us to have any control over our router/firewall so I can't block it there. I was hoping MailScanner would yet again come to the rescue. Thanks! John --Statement of Confidentiality-- This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Thank you. From mailscanner at ecs.soton.ac.uk Mon Sep 1 16:40:56 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: Problem with to-field in MIME Header In-Reply-To: References: Message-ID: <5.2.0.9.2.20030901164019.08ca1e78@imap.ecs.soton.ac.uk> Can I just confirm this is a MailWatch problem. MailScanner builds the $message->{to} list from the envelope, not the headers. At 15:47 01/09/2003, you wrote: >Hey m8 > >I have a little weird problem with the to-field in the MIME-header. > >In my CustomConfig.pm I have following line when using MailWatch: >$tousers = join(',', @{$message->{to}}) > >The problem seems to be, that it takes following lines as the >"to"-parameter: > >X-Original-To: michael@domain.com >Delivered-To: domain@mail.domain.com > >Cause my $tousers now becomes: "michael@domain.com, >domain@mailserver.domain.com" > > >in my virtusertable I have: > >@domain.com domain > >that's why the Delivered-To is domain@.... > > >I've also tried with: $tousers = join(',', @{$message->{touser}}) > >Then I get $tousers to be: "michael, domain" > > >Any ideas? > > >Hope to hear from you soon. > > > > >Best Regards > > >Michael -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Antony at SOFT-SOLUTIONS.CO.UK Mon Sep 1 16:43:36 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP In-Reply-To: <5.1.1.5.2.20030901113034.02924d40@mail.kcr.uky.edu> References: <5.1.1.5.2.20030901113034.02924d40@mail.kcr.uky.edu> Message-ID: <200309011543.h81Fhe506188@onyx.rockstone.co.uk> On Monday 01 September 2003 4:40 pm, John Williams wrote: > Please forgive me if I've missed this post, but is there a way to look at > the IP address of incoming mail and filter/blacklist it based on that? You can do this on your MTA, so it doesn't even need to get processed by MailScanner. On sendmail, the file you need is /etc/mail/access - I'm not sure about other MTAs. Antony. -- The first ninety percent of an engineering project takes ninety percent of the time, and the last ten percent takes the remaining ninety percent. From Kevin.Spicer at BMRB.CO.UK Mon Sep 1 16:45:30 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649674@pascal.priv.bmrb.co.uk> John Williams wrote: > Please forgive me if I've missed this post, but is there a way to > look at the IP address of incoming mail and filter/blacklist it based > on that? Add it to sendmail's access database. However, maybe you also have genuine email from that IP? Best way to block sobig is to use sendmail subject matching, search the archives for a set of rules. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From ryanb at AACRAO.ORG Mon Sep 1 16:55:14 2003 
From: ryanb at AACRAO.ORG (Bingham, Ryan) Date: Thu Jan 12 21:19:41 2006 Subject: Syntax for subject checking Message-ID: Julian, Could this be used to set specific actions for email with certain Bayes scores? Currently, I'm manually filtering and deleting all mail that scores Bayes_90 and Bayes_99 (I almost never get a false positive and I don't need to keep these messages to train Bayes). It would be great if there were a way to have MailScanner handle these messages differently. I could bump up the SpamAssassin score and have MailScanner treat these messages as high scoring spam, but this wouldn't really accomplish the same thing as not all high scoring spam is Bayes_90 or 99. By the way, I've upgraded to 4.23-11 and so far everything is working great! Ryan -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 01, 2003 6:03 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Syntax for subject checking At 10:42 01/09/2003, you wrote: >I've managed to implement a SpamAssassin rule to do this, but it would >still be great to make this something that didn't require SA. > >I look forward to seeing the result of your head scratching :) You may be able to do this with MCP. This is still in development but take a look at http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp >-- >Regards, > >David Hooton >Senior Partner >Platform Hosting >1300 85 HOST >www.platformhosting.com > > >Julian Field wrote: > >>The reason you can't find it is that it's not there. Sorry. >>I have been trying to come up with a decent answer to this problem >>myself, too. >> >>At 15:21 31/08/2003, you wrote: >> >>>Hi All, >>> >>>I'm trying to implement the Is Definately Spam feature based on a tag >>>[Possible Spam]in the subject ideally if this exists, MS should realise >>>this is definately spam, log it as such and then look for the action it >>>should take based on the users domain name etc.. >>> >>>How would I do this in the Is Definately Spam ruleset file? I've tried >>>a few combinations and looked in the examples file, but it only seems to >>>cover To and or From fields.. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jwilliam at KCR.UKY.EDU Mon Sep 1 16:59:07 2003 
From: jwilliam at KCR.UKY.EDU (John Williams) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649674@pascal.priv.bmrb.co.uk> Message-ID: <5.1.1.5.2.20030901115531.0291c4a0@mail.kcr.uky.edu> At 04:45 PM 9/1/2003 +0100, you wrote: >John Williams wrote: > > Please forgive me if I've missed this post, but is there a way to > > look at the IP address of incoming mail and filter/blacklist it based > > on that? >Add it to sendmail's access database. However, maybe you also have genuine >email from that IP? Best way to block sobig is to use sendmail subject >matching, search the archives for a set of rules. Thanks all! I seem to forget about sendmail and its capabilities. I usually just leave it alone and do most things from MailScanner. I lost my mind when I came in this morning to over 1000 messages from that one ip. Sendmail is now filtering it. I might allow it again if it disappears from my mail logs. John From Antony at SOFT-SOLUTIONS.CO.UK Mon Sep 1 17:07:29 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649674@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649674@pascal.priv.bmrb.co.uk> Message-ID: <200309011607.h81G7X506276@onyx.rockstone.co.uk> On Monday 01 September 2003 4:45 pm, Spicer, Kevin wrote: > John Williams wrote: > > Please forgive me if I've missed this post, but is there a way to > > look at the IP address of incoming mail and filter/blacklist it based > > on that? > > Add it to sendmails access database. However, maybe you also have genuine > email from that IP? Best way to block sobig is to use sendmail subject > matching, search the archives for a set of rules. Unlikely you'll get genuine mail from that IP address, because Sobig sends directly from infected client to (low priority) MX listed mail server, bypassing client's normal outbound mail server. Genuine emails from that client should go via the client's local (or ISP) mail server first, so you won't end up blocking them. Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac From steve.freegard at LBSLTD.CO.UK Mon Sep 1 17:09:53 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:19:41 2006 Subject: Problem with to-field in MIME Header Message-ID: <67D9E7698329D411936E00508B6590B902773ABD@neelix.lbsltd.co.uk> Hi Michael, Looks like a problem specific to Sendmail - all the SQL logging routines do is use the $message->{to} variable set by MailScanner - I've just looked at the MailScanner code and it reads the 'R' line directly from the qf* file stripping off the RFC822: and <> from the addresses and isn't interested in any other headers, so Sendmail/something else must be changing the 'R' field. Regards, Steve. -----Original Message----- 
From: Michael Svendsen [mailto:michael@NSEC.DK] Sent: 01 September 2003 15:48 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Problem with to-field in MIME Header Hey m8 I have a little weird problem with the to-field in the MIME-header. In my CustomConfig.pm I have following line when using MailWatch: $tousers = join(',', @{$message->{to}}) The problem seems to be, that it takes following lines as the "to"-parameter: X-Original-To: michael@domain.com Delivered-To: domain@mail.domain.com Cause my $tousers now becomes: "michael@domain.com, domain@mailserver.domain.com" in my virtusertable I have: @domain.com domain that's why the Delivered-To is domain@.... I've also tried with: $tousers = join(',', @{$message->{touser}}) Then I get $tousers to be: "michael, domain" Any ideas? Hope to hear from you soon. Best Regards Michael -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From Kevin.Spicer at BMRB.CO.UK Mon Sep 1 17:13:48 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649675@pascal.priv.bmrb.co.uk> Antony Stone wrote: > Genuine emails from that client should go via the client's local (or > ISP) mail server first, so you won't end up blocking them. > Very true, (unless it's an Exchange server that's infected of course!). Although I'd still advise the subject based blocking, so you block all sobig, not just the current sender. Also worth noting that many infected machines are on services where they get a dynamic IP. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From Jan-Peter.Koopmann at SECEIDOS.DE Mon Sep 1 17:27:52 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP Message-ID:

Hi,

you can block most Sobig.F mails with this Sendmail-Filter:

LOCAL_CONFIG
Kstorage macro

LOCAL_RULESETS
HX-MailScanner: $>+CheckDateXMSc
D{SobigFPat}Found to be clean
D{SobigFMsg}This message may contain the Sobig.F virus.

SCheckDateXMSc
R${SobigFPat} $*	$: $(storage {SobigFCheck} $@ SobigF $) $1
R$*	$@ OK

HMessage-Id: $>CheckMessageId

SCheckMessageId
# Record the presence of the header
R$*	$: $(storage {MessageIdCheck} $@ OK $) $1
R$*	$@ OK

Scheck_eoh
# Check the macro
R$*	$: < $&{MessageIdCheck} >
# Clear the macro for the next message
R$*	$: $(storage {MessageIdCheck} $) $1
R< $+ >	$@ $>ClearSobig
R$*	$: < $&{SobigFCheck} >
R$*	$: $(storage {SobigFCheck} $) $1
R< SobigF >	$#error $: 553 ${SobigFMsg}
R$*	$@ OK

SClearSobig
R$*	$: $(storage {SobigFCheck} $) $1
R$*	$@ OK

Exim ACL:

acl_smtp_data = acl_check_sobig

acl_check_sobig:
  accept hosts = :

  deny message = Possible Sobig.f rejected
       condition = ${if and{{eq{$h_x-mailscanner:}{Found to be clean}}\
                   {match{$h_message-id:}{@$primary_hostname>\$}}}{true}{false}}

  accept

The idea being that Sobig-F uses a x-mailscanner header but does not provide a message ID. We are blocking most with this successfully.

Regards, JP

From philk at TCP.NET.UK Mon Sep 1 17:41:14 2003 
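[Added example, not part of any list message and not MailScanner, sendmail or Exim code: the check described in Jan-Peter Koopmann's post above (an "X-MailScanner: Found to be clean" header on a message that arrived without its own Message-ID), written as Python and run over constructed sample messages. The function names, sample addresses and host names are assumptions made for illustration; treating a Message-ID that ends in "@<primary_hostname>>" as one the receiving MTA added is how this example reads the Exim condition in the post.]

```python
from email import message_from_string

MARKER = "found to be clean"  # header text named in the post


def _norm(value):
    """Collapse header folding and runs of whitespace into single spaces."""
    return " ".join(str(value).split())


def sobig_f_verdict(raw_message, primary_hostname=None):
    """Return (action, reason) for one RFC 822 message given as text.

    Mail that really passed through an upstream MailScanner carries the clean
    marker and a Message-ID from its sender, so it is accepted. Only the
    marker combined with a missing or MTA-supplied Message-ID is rejected.
    """
    msg = message_from_string(raw_message)
    # Header names are matched case-insensitively; every copy is checked.
    marked = any(_norm(v).lower().startswith(MARKER)
                 for v in msg.get_all("X-MailScanner", []))
    if not marked:
        return ("accept", "no X-MailScanner clean marker")
    msgid = _norm(msg.get("Message-ID", ""))
    if not msgid:
        return ("reject", "clean marker without Message-ID")
    # Assumption: an ID ending in @<our host>> was added by the receiving MTA.
    if primary_hostname and msgid.lower().endswith(
            "@%s>" % primary_hostname.lower()):
        return ("reject", "clean marker with locally generated Message-ID")
    return ("accept", "clean marker with sender-supplied Message-ID")


def triage(samples, primary_hostname=None):
    """Map each sample name to the action chosen for it."""
    return {name: sobig_f_verdict(raw, primary_hostname)[0]
            for name, raw in samples.items()}


# Constructed sample messages (not captured traffic).
_BODY = "\nSee the attached file for details\n"
SAMPLES = {
    "forged_marker": (
        "From: a@example.org\nTo: b@example.net\nSubject: Re: Details\n"
        "X-MailScanner: Found to be clean\n" + _BODY),
    "folded_marker": (
        "From: a@example.org\nTo: b@example.net\n"
        "x-mailscanner: Found to\n be clean\n" + _BODY),
    "empty_id": (
        "From: a@example.org\nMessage-ID:\n"
        "X-MailScanner: Found to be clean\n" + _BODY),
    "scanned_upstream": (
        "From: a@example.org\n"
        "Message-ID: <20030901120000.1234@mail.example.org>\n"
        "X-MailScanner: Found to be clean\n" + _BODY),
    "mta_added_id": (
        "From: a@example.org\n"
        "Message-ID: <E19tqAB-0001xy-00@mx.example.net>\n"
        "X-MailScanner: Found to be clean\n" + _BODY),
    "plain_no_id": (
        "From: a@example.org\nTo: b@example.net\nSubject: hello\n" + _BODY),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, sobig_f_verdict(raw, primary_hostname="mx.example.net"))
```
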
From: philk at TCP.NET.UK (Phil Kendall) Date: Thu Jan 12 21:19:41 2006 Subject: Question about quarentining dangerous content? Message-ID: <2EA7D94851025446810834BA2DED5E6DE24742@adonis.tcp.net.uk> We upgraded from 4.20-3 to 4.24.11 today. The following mail was picked up as having dangerous content: Sep 1 17:10:27 MailScanner[18581]: Content Checks: Detected HTML-specific exploits in h81GANmM026123 Sep 1 17:10:27 MailScanner[18581]: Saved infected "msg-18581-834.html" to /var/spool/MailScanner/quarantine/20030901/h81GANmM026123 The file that was quarantined was not the original message but in fact the stored.content.message.txt We have Quarantine Infections = yes & Quarantine Whole Message = no set in the MailScanner.conf file. Is this the behaviour we should expect? Is it possible to have it so that dangerous content is quarantined & infected attachments without having to quarantine the entire message? Phil Kendall Technical Systems Administrator TCP - Europacom.net From anders.andersson at LTKALMAR.SE Mon Sep 1 17:42:03 2003 
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:19:41 2006 Subject: SV: blocking an email based on it's IP Message-ID: > -----Original Message----- > From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK] > > Antony Stone wrote: > > Genuine emails from that client should go via the client's local (or > > ISP) mail server first, so you won't end up blocking them. > > > Very true, (unless it's an Exchange server that's infected of > course!). Although I'd still advise the subject based > blocking, so you block all sobig, not just the current > sender. Also worth noting that many infected machines are on > services where they get a dynamic IP. Any admin letting an exchange get infected should be blocked anyhow... just my thoughts though From gerry at DORFAM.CA Mon Sep 1 19:18:14 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:19:41 2006 Subject: ClamAV missing Sobig Message-ID: OK, I got another batch of these Sobig virii that ClamAV is missing and have sent one to your personal address as you requested (I can forward all my virii to you if you wish ). I'm sure that F-Prot was missing these earlier too but I noticed that F-Prot's data files were updated at 1:00pm EST today on my system. F-Prot is now catching them. Trend has been catching them all along. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From gerry at DORFAM.CA Mon Sep 1 20:04:19 2003 
From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:19:41 2006 Subject: ClamAV misses this! In-Reply-To: <200309011848.h81ImR506779@onyx.rockstone.co.uk> Message-ID: On Mon, 1 Sep 2003, Antony Stone wrote: > On Monday 01 September 2003 7:15 pm, Gerry Doris wrote: > > > OK, I got another round of those virii that ClamAV is missing. they are > > picked up by both F-Prot and Trend. I don't think that F-Prot was > > catching it earlier but my system was updated today at 1:00pm EST and > > F-Prot now finds it. > > > > I had to disable both F-Prot and Trend to get this out. ClamAV is still > > running. > > Hm. Interesting. I gues that since this was Sobig, and that's on my list > of silent viruses, you haven't received anything back from my system? > > It got picked up as Sobig.F by Bitdefender, F-Prot, Inoculan and McAfee, > which on my system means that it got missed by ClamAV, Kaspersky and NOD32 (I > run several antivirus engines on a single machine for exactly this sort of > comparison!). > > I can pull the file you sent me out of my quarantine directory, and see if it > seems to be a complete virus file (none of my A-V scanners said it was a > damaged or broken sample, so I'm assuming for now that it's real). > > I'll submit it to the ClamAV people anyway - I don't know if you're on their > mailing list, but I've just posted a proposal to maintain an independent list > of damaged or broken virus samples (which they seem reluctant to include in > the main signatures list) so that ClamAV doesn't become perceived as being > behind all the other A-V products, even though that may be because it only > identifies real viruses, and ignores broken or ineffective ones. > > Thanks for sending it, anyway. > > Antony. Thanks for your help on this Antony. I was beginning to think something had gone very wrong on my system. 
I've temporarily dropped off the mailing list that is sending all these virii to me (as well a ton of virus notifications from other subscribers many of whom are running MailScanner!). That mailing list depends solely on MimeDefang/ClamAV. Obviously, that is proving not to be a good idea. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From Antony at SOFT-SOLUTIONS.CO.UK Mon Sep 1 20:12:34 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:41 2006 Subject: ClamAV missing Sobig In-Reply-To: References: Message-ID: <200309011912.h81JCc506858@onyx.rockstone.co.uk> On Monday 01 September 2003 7:18 pm, Gerry Doris wrote: > OK, I got another batch of these Sobig virii that ClamAV is missing and > have sent one to your personal addtress as you requested (I can forward > all my virii to you if you wish ). Actually, that's not such a ridiculous idea as it may initially appear... One of the things (only one, mind) which I love about MailScanner is the ability to run multiple antivirus engines and get every mail scanned by all of them. On one particular system I currently have 8 A-V engines running, and I have this idea that it would be very useful to set up a mail server such as this running lots of A-V engines, scanning every email it receives, and delivering nothing but sender notifications to identify what each A-V system said about the attachments. It would be cheap (it would only be a single machine, with a single mailbox, so the lowest level of licence as far as the A-V vendors are concerned), and the only bit I haven't worked out yet technically is how to stop it being used a bit like an open relay, as it could be abused by somebody sending loads of Sobigs into it, with lots of innocent email addresses getting the resultant notifications (I couldn't use the 'Silent Viruses' list, because that would defeat its entire purpose if someone genuinely sent it a Sobig sample). Ho Hum. Antony. -- The difference between theory and practice is that in theory there is no difference, whereas in practice there is. From kevins at BMRB.CO.UK Mon Sep 1 20:32:48 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:41 2006 Subject: ClamAV missing Sobig In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A786D@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A786D@pascal.priv.bmrb.co.uk> Message-ID: <1062444772.28736.7.camel@bach.kevinspicer.co.uk> On Mon, 2003-09-01 at 20:12, Antony Stone wrote: >It would be cheap (it would only be a single machine, with a single >mailbox, >so the lowest level of licence as far as the A-V vendors are >concerned), and >the only bit I haven't worked out yet technically is how to stop it >being >used a bit like an open relay, as it could be abused by somebody >sending >loads of Sobigs into it, with lots of innocent email addresses getting >the >resultant notifications (I couldn't use the 'Silent Viruses' list, >because >that would defeat its entire purpose if someone genuinely sent it a >Sobig >sample). Maybe the answer is not to send notifications, but instead provide a web page where people can sign in (using their email address) and see the result of every email they sent (perhaps listed by subject). My only concern is that the AV vendors may feel that you're in fact providing a service to everyone rather than the 'mailbox' you're protecting. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From ryanb at AACRAO.ORG Mon Sep 1 20:43:38 2003 
From: ryanb at AACRAO.ORG (Bingham, Ryan)
Date: Thu Jan 12 21:19:41 2006
Subject: MailWatch: blocked files fix
Message-ID:

Someone recently posted a patch to CustomConfig.pm to get MailWatch to display the statistics on blocked files properly. I accidentally deleted the message and can't find it in the archives. Could someone repost it?

Thanks!
Ryan

From miguelk at KONSULTEX.COM.BR Mon Sep 1 22:09:21 2003
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:19:41 2006
Subject: Freshclam update logging problems
Message-ID: <3F53B581.4030805@konsultex.com.br>

I think I discovered why clam-update.log only shows updates once in a while. What happens is that even though freshclam is running, so is the MailScanner cron job to update Clam. Since the frequency of the MailScanner update is much greater (per hour) than I set freshclam (every 12 hours), when freshclam does run, it finds the database already updated and does nothing. It's very unusual for it to be the first and in those cases MailScanner logs that the database is up to date. That explains the discrepancies between the logs on the 3 servers we run this way.

I hope this helps someone that runs into this "problem".

Miguel

--
This message has been checked by the antivirus system and is believed to be free of danger.

From Antony at SOFT-SOLUTIONS.CO.UK Mon Sep 1 22:34:22 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:41 2006 Subject: Freshclam update logging problems In-Reply-To: <3F53B581.4030805@konsultex.com.br> References: <3F53B581.4030805@konsultex.com.br> Message-ID: <200309012134.h81LYQ507099@onyx.rockstone.co.uk> On Monday 01 September 2003 10:09 pm, Miguel Koren O'Brien de Lacy wrote: > I think I discovered why clam-update.log only shows updates once in a > while. What happens is that even though freshclam is running, so is the > Mailscanner cron job to update Clam. But the MailScanner script is just a front-end for freshclam. Why are you running both? This seems to me that it can only lead to conflicts or confusion, albeit only infrequently. I would recommend that if you are using the standard MailScanner virus update script, you do not independently run freshclam. Antony. -- The flush toilet then, as the plainest manifestation of a feedback loop, is a mythical beast - the beast of self. - Kevin Kelly, Out of Control From steve.freegard at LBSLTD.CO.UK Mon Sep 1 23:20:19 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:19:41 2006
Subject: MailWatch: blocked files fix
Message-ID: <67D9E7698329D411936E00508B6590B902773ABE@neelix.lbsltd.co.uk>

Ryan,

Here is the updated SQL statement:

SELECT
 COUNT(*) AS processed,
 SUM(CASE WHEN virusinfected>0 THEN 1 ELSE 0 END) AS virii,
 ROUND((SUM(CASE WHEN virusinfected>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS viriipercent,
 SUM(CASE WHEN nameinfected>0 THEN 1 ELSE 0 END) AS blockedfiles,
 ROUND((SUM(CASE WHEN nameinfected>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS blockedfilespercent,
 SUM(CASE WHEN otherinfected>0 THEN 1 ELSE 0 END) AS otherinfected,
 ROUND((SUM(CASE WHEN otherinfected>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS otherinfectedpercent,
 SUM(CASE WHEN isspam>0 THEN 1 ELSE 0 END) AS spam,
 ROUND((SUM(CASE WHEN isspam>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS spampercent,
 SUM(CASE WHEN ishighspam>0 THEN 1 ELSE 0 END) AS highspam,
 ROUND((SUM(CASE WHEN ishighspam>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS highspampercent,
 SUM(size) AS size
FROM
 maillog
WHERE
 DATE_FORMAT(timestamp, '%Y-%m-%d') = CURRENT_DATE()

Kind regards,
Steve.

-----Original Message-----
From: Bingham, Ryan
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: 01/09/03 20:43
Subject: MailWatch: blocked files fix

Someone recently posted a patch to CustomConfig.pm to get MailWatch to display the statistics on blocked files properly. I accidentally deleted the message and can't find it in the archives. Could someone repost it?

Thanks!
Ryan

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From dbird at SGHMS.AC.UK Tue Sep 2 00:43:50 2003
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP In-Reply-To: <200309011607.h81G7X506276@onyx.rockstone.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649674@pascal.priv.bmrb.co.uk> <200309011607.h81G7X506276@onyx.rockstone.co.uk> Message-ID: <3F53D9B6.5000300@sghms.ac.uk> Antony Stone wrote: >On Monday 01 September 2003 4:45 pm, Spicer, Kevin wrote: > > > >>John Williams wrote: >> >> >>>Please forgive me if I've missed this post, but is there a way to >>>look at the IP address of incoming mail and filter/blacklist it based >>>on that? >>> >>> >>Add it to sendmails access database. However, maybe you also have genuine >>email from that IP? Best way to block sobig is to use sendmail subject >>matching, search the archives for a set of rules. >> >> > >Unlikely you'll get genuine mail from that IP address, because Sobig sends >directly from infected client to (low priority) MX listed mail server, >bypassing client's normal outbound mail server. > >Genuine emails from that client should go via the client's local (or ISP) >mail server first, so you won't end up blocking them. > > Does anybody actively build lists of IP's sending out SoBig? We are currently analysing our logs hourly and then taking the top 10 offenders and putting them in an Exim blocking list, in the hope that it will take **some** load off our servers. My thought's are along the same lines of Antony's. i.e Sobig uses it's own SMTP engine so we shouldn't be seeing these IP's anyhow. Dan >Antony. > >-- > >In science, one tries to tell people >in such a way as to be understood by everyone >something that no-one ever knew before. > >In poetry, it is the exact opposite. > > - Paul Dirac > > > -- ____________________________________ Daniel Bird Network & Systems Manager St. 
George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Hex dump: Where witches put used curses... "#define QUESTION ((bb) || !(bb)) - Shakespeare." -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/0bb5faf4/attachment.html From michael at NSEC.DK Tue Sep 2 00:46:28 2003 From: michael at NSEC.DK (Michael Svendsen) Date: Thu Jan 12 21:19:41 2006 Subject: Problem with to-field in MIME Header In-Reply-To: <67D9E7698329D411936E00508B6590B902773ABD@neelix.lbsltd.co.uk> Message-ID: Hi m8 I use Postfix with MySQL/SASL/TSL Here is a snip from a queue-file: ESMTPOmichael@domain.comRdomain@mail.domain.comM Think this is the problem :) Any ideas? Best Regards Michael -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Steve Freegard Sent: Monday, September 01, 2003 6:10 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Problem with to-field in MIME Header Hi Michael, Looks like a problem specific to Sendmail - all the SQL logging routines do is use the $message->{to} variable set by MailScanner - I've just looked at the MailScanner code and it reads the 'R' line directly from the qf* file stripping off the RFC822: and <> from the addresses and isn't interested in any other headers, so Sendmail/something else must be changing the 'R' field. Regards, Steve. -----Original Message----- 
From: Michael Svendsen [mailto:michael@NSEC.DK] Sent: 01 September 2003 15:48 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Problem with to-field in MIME Header Hey m8 I have a little weird problem with the to-field in the MIME-header. In my CustomConfig.pm I have following line when using MailWatch: $tousers = join(',', @{$message->{to}}) The problem seems to be, that it takes following lines as the "to"-parameter: X-Original-To: michael@domain.com Delivered-To: domain@mail.domain.com Cause my $tousers now becomes: "michael@domain.com, domain@mailserver.domain.com" in my virtusertable I have: @domain.com domain that's why the Delivered-To is domain@.... I've also tried with: $tousers = join(',', @{$message->{touser}}) Then I get $tousers to be: "michael, domain" Any ideas? Hope to hear from you soon. Best Regards Michael -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From dbird at SGHMS.AC.UK Tue Sep 2 00:49:44 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:19:41 2006
Subject: blocking an email based on it's IP
In-Reply-To:
References:
Message-ID: <3F53DB18.6040102@sghms.ac.uk>

Jan-Peter Koopmann wrote:

>Hi,
>
>you can block most Sobig.F mails with this
>
>Sendmail-Filter:
>
>LOCAL_CONFIG
>Kstorage macro
>
>LOCAL_RULESETS
>HX-MailScanner: $>+CheckDateXMSc
>D{SobigFPat}Found to be clean
>D{SobigFMsg}This message may contain the Sobig.F virus.
>
>SCheckDateXMSc
>R${SobigFPat} $* $: $(storage {SobigFCheck} $@ SobigF $) $1
>R$* $@ OK
>
>HMessage-Id: $>CheckMessageId
>
>SCheckMessageId
># Record the presence of the header
>R$* $: $(storage {MessageIdCheck} $@ OK $) $1
>R$* $@ OK
>
>Scheck_eoh
># Check the macro
>R$* $: < $&{MessageIdCheck} >
># Clear the macro for the next message
>R$* $: $(storage {MessageIdCheck} $) $1
>R< $+ > $@ $>ClearSobig
>R$* $: < $&{SobigFCheck} >
>R$* $: $(storage {SobigFCheck} $) $1
>R< SobigF > $#error $: 553 ${SobigFMsg}
>R$* $@ OK
>
>SClearSobig
>R$* $: $(storage {SobigFCheck} $) $1
>R$* $@ OK
>
>
>Exim ACL:
>
>acl_smtp_data = acl_check_sobig
>
>acl_check_sobig:
>  accept  hosts = :
>
>  deny    message = Possible Sobig.f rejected
>          condition = ${if and{{eq{$h_x-mailscanner:}{Found to be clean}}\
>                      {match{$h_message-id:}{@$primary_hostname>\$}}}{true}{false}}
>
>  accept
>
>The idea being that Sobig-F uses a x-mailscanner header but does not
>provide a message ID. We are blocking most with this successfully.
>
>
>Regards,
>  JP
>

The exim filter looks interesting, but is that likely to lead to any FP's?

--
____________________________________
Daniel Bird
Network & Systems Manager
St. George's Hospital Medical School
Tooting
London SW17 0RE
P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan@sghms.ac.uk
____________________________________
Hex dump: Where witches put used curses...
"#define QUESTION ((bb) || !(bb)) - Shakespeare."

From michael at YT-IT.COM Tue Sep 2 01:55:05 2003
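[Added example, not part of any list message and not MailScanner, Sendmail or Exim code.] The header test behind the Sendmail and Exim rules quoted above (an "X-MailScanner: Found to be clean" header combined with a missing Message-ID) is written out here in Python and run over constructed sample messages, to show which legitimate mail it leaves alone and where the false-positive question raised in the reply comes from. The function names, the sample messages and the host name mx.example.org are assumptions of this example.

```python
from email import message_from_string

CLEAN_STAMP = "Found to be clean"  # header value the posted rules key on


def _norm(value):
    """Collapse header folding and runs of whitespace in a header value."""
    return " ".join(str(value).split())


def sobig_f_verdict(raw_message, primary_hostname=None):
    """Return (reject, reason) for one message given as header+body text.

    primary_hostname is an assumption of this sketch: when set, a
    Message-ID ending in "@<primary_hostname>>" is treated like a missing
    one, which is the literal test in the posted Exim condition.
    """
    msg = message_from_string(raw_message)
    # Header names are matched case-insensitively; a message may carry
    # several X-MailScanner headers if it passed through several sites.
    stamps = [_norm(v) for v in msg.get_all("X-MailScanner", [])]
    if CLEAN_STAMP not in stamps:
        return (False, "no clean-stamp header")
    message_id = _norm(msg.get("Message-ID", ""))
    if not message_id:
        # Absent header, or a header present with an empty value.
        return (True, "clean stamp without Message-ID")
    if primary_hostname and message_id.lower().endswith(
            "@" + primary_hostname.lower() + ">"):
        return (True, "clean stamp with Message-ID from receiving host")
    return (False, "clean stamp with sender-supplied Message-ID")


def _mail(*headers):
    """Build a minimal message from header lines (constructed test data)."""
    return "\n".join(headers) + "\n\nbody text\n"


# Constructed sample messages; none of these come from the list archive.
SAMPLES = {
    # The shape the rules target: clean stamp, no Message-ID at all.
    "sobig_like": _mail(
        "From: someone@example.com",
        "Subject: Re: Details",
        "X-MailScanner: Found to be clean"),
    # A real MailScanner site: the sending MTA supplied a Message-ID.
    "genuine_mailscanner_site": _mail(
        "From: user@example.net",
        "Message-ID: <200309011912.h81JCc@mail.example.net>",
        "X-MailScanner: Found to be clean"),
    # Script-generated mail without Message-ID but also without the stamp.
    "no_stamp_no_id": _mail(
        "From: cron@example.net",
        "Subject: nightly job"),
    # Folded, lower-case stamp and an empty Message-ID header.
    "folded_stamp_empty_id": _mail(
        "From: someone@example.com",
        "x-mailscanner: Found to be",
        " clean",
        "Message-ID:"),
    # Message-ID carrying the receiving host's own name.
    "id_from_receiving_host": _mail(
        "From: someone@example.com",
        "X-MailScanner: Found to be clean",
        "Message-ID: <E19abc-0001@mx.example.org>"),
}


def triage(samples, primary_hostname=None):
    """Map each sample name to True (reject) or False (accept)."""
    return {name: sobig_f_verdict(raw, primary_hostname)[0]
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        reject, reason = sobig_f_verdict(raw, "mx.example.org")
        print("%-26s %-7s %s" % (name, "REJECT" if reject else "accept", reason))
```
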
From: michael at YT-IT.COM (Michael Luk) Date: Thu Jan 12 21:19:41 2006 Subject: Does MailScanner configuration error? Message-ID: I use MailScanner+Sendmail+Sophos,there are some problem happened to me now,when sending email to some domain,such as 163.com,163.net,and so on,the reciept can't recieve it at all,and system return email to sender just like below: >The original message was received at Wed, 27 Aug 2003 08:22:51 +0800 >from [218.247.37.227] > > ----- The following addresses had permanent fatal errors ----- > > (reason: 550 Your message was blocked by NetEase AntiSpam+. pQwAALr4Sz/kACaC.1(1577)) > > ----- Transcript of session follows ----- >.... while talking to m203.163.com.: >>>> DATA ><<< 550 Your message was blocked by NetEase AntiSpam+. pQwAALr4Sz/kACaC.1 (1577) >554 5.0.0 Service unavailable > >Reporting-MTA: dns; mail.X.com.cn >Arrival-Date: Wed, 27 Aug 2003 08:22:51 +0800 > >Final-Recipient: RFC822; michaelluk@163.com >Action: failed >Status: 5.2.0 >Remote-MTA: DNS; m203.163.com >Diagnostic-Code: SMTP; 550 Your message was blocked by NetEase AntiSpam+. pQwAALr4Sz/kACaC.1(1577) >Last-Attempt-Date: Wed, 27 Aug 2003 08:23:04 +0800 But,If I stop Mailscanner+Sophos,only starting sendmail,sending mail to all domain,it is all ok,why it happened??? pls help me!Thanks! From ashley at IMS.TELSTRA.COM.AU Tue Sep 2 02:48:37 2003 
From: ashley at IMS.TELSTRA.COM.AU (Ash) Date: Thu Jan 12 21:19:41 2006 Subject: Tagging the subject line of e-mail In-Reply-To: <5.2.0.9.2.20030901105651.05c09ba0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030901105651.05c09ba0@imap.ecs.soton.ac.uk> Message-ID: <3F53F6F5.9070709@ims.telstra.com.au> Please forgive me the problem lay between the keyboard and back of chair :-(. I missed Deliver Cleaned Messages was set to no I would say this occured when I upgraded from v3.x and as we dont get many viruses I never noticed, wrote a ruleset and it all works. Have I made another mistake somewhere? the admin message is the same no matter what problem it deteced. "Warning: E-mail viruses detected" appears for every violation and doesnt actually align with the problem it detected, ie "Warning: Bad Filename detected" or Warning: Bad Filetype detected" . ash Julian Field wrote: > Can you give us an example of what you mean? > > At 04:54 01/09/2003, you wrote: > >> Did this ever get resolved? >> >> I just upgraded from 4.21-9 to 4.23-10 and nolonger get any of the >> subject >> line modifications notices that use the curly brackets, other than if >> I set >> "Scanned Modify Subject" , for example any violation be it a virus >> ,bad file >> name/type receives the subject line "Warning: E-mail viruses detected", I >> haven't had a spam message yet to see if that notification has also >> stopped >> working >> >> from my conf file >> Virus Modify Subject = yes >> Virus Subject Text = {Virus?} >> Filename Modify Subject = yes >> Filename Subject Text = {Filename?} >> Content Modify Subject = yes >> Content Subject Text = {Dangerous Content?} >> Spam Modify Subject = yes >> Spam Subject Text = {Spam?} >> High Scoring Spam Modify Subject = yes >> High Scoring Spam Subject Text = {Spam?} >> >> running perl 5.6.0 >> >> regards >> >> ash >> >> On Wed, 20 Aug 2003 07:41:27 -0400, Collins, Kevin >> wrote: >> >> >Mike, >> > >> >Thanks for responding. 
>> > >> >I'm planning on adding SpamAssassin later in the project. Is it >> required to >> >make the system function as I want? I didn't get that from the >> >documentation. They way I read the docs, SpamAssassin just improves >> >MailScanner's abilities. >> > >> >Kevin >> > >> >> -----Original Message----- >> >> From: Mike Kercher [mailto:mike@CAMAROSS.NET] >> >> Sent: Tuesday, August 19, 2003 1:59 PM >> >> To: MAILSCANNER@JISCMAIL.AC.UK >> >> Subject: Re: Tagging the subject line of e-mail >> >> >> >> >> >> Are you using SpamAssassin? If not, I'd HIGHLY recommend it! >> >> You can also >> >> set Log Spam = yes and watch your maillog after restarting >> >> MailScanner. >> >> >> >> Mike >> >> >> >> >> >> -----Original Message----- 
>> >> From: MailScanner mailing list >> >> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >> >> Of Collins, Kevin >> >> Sent: Tuesday, August 19, 2003 12:31 PM >> >> To: MAILSCANNER@JISCMAIL.AC.UK >> >> Subject: Tagging the subject line of e-mail >> >> >> >> >> >> Hi! >> >> >> >> I've just completed installing MS v4.22-5 onto a Red Hat 8 >> >> machine to act as >> >> my company's "SPAM Filter". First, I want to say THANKS for >> >> creating such a >> >> project and for making it available to the masses for free. >> >> >> >> A little background: >> >> >> >> MailScanner machine: >> >> Red Hat 8.0 (fully up2dated) >> >> Sendmail 8.12.8 >> >> Perl 5.8.0 >> >> ClamAV 0.60 (compiled from source) >> >> Sendmail set to relay everything to internal Exchange Server >> >> >> >> Everything seems to be working fine - I've even let a few e-mails pass >> >> through the machine for testing. Which is why I'm writing; I >> >> now have a >> >> question. >> >> >> >> First, of the 20 some odd messages that have passed through >> >> MailScanner, it >> >> has tagged 3 as SPAM and one of them as having a Virus >> >> (actually it was an >> >> HTML Form in the message). The "Virus" message behaved as >> >> expected - the >> >> e-mail was deleted and not passed on and I got a notification of the >> >> deletion. But the remaining messages aren't working as I >> >> expected them to >> >> (I think). >> >> >> >> I've configured MailScanner to modify the subject line of >> >> every e-mail it >> >> touches to include {Scanned} at the beginning. (This is to >> >> let me - and >> >> everyone else - know that MS is working) In addition I want all SPAM >> >> messages flagged with {Spam} as the beginning of the subject line and >> >> {Virus} for those that were found to have Viruses. >> >> >> >> To this point, all of the e-mail coming in (save the "Virus" message >> >> mentioned above) have only had the word {Scanned} pre-pended >> >> to the Subject >> >> Line. I've not seen the {Spam} label anywhere. 
Here are the
>> >> (I think)
>> >> appropriate sections of the MailScanner.conf:
>> >>
>> >> ----
>> >> Scanned Modify Subject = start
>> >> Scanned Subject Text = {Scanned}
>> >> Virus Modify Subject = yes
>> >> Virus Subject Text = {Virus}
>> >> Filename Modify Subject = yes
>> >> Filename Subject Text = {Filename}
>> >> Spam Modify Subject = yes
>> >> Spam Subject Text = {Spam}
>> >> High Scoring Spam Modify Subject = yes
>> >> High Scoring Spam Subject Text = {Spam}
>> >> ----
>> >> Spam Checks = yes
>> >> Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)
>> >> Spam Domain List =
>> >> Spam Lists To Reach High Score = 5
>> >> Spam List Timeout = 10
>> >> Max Spam List Timeouts = 7
>> >> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
>> >> Is Definitely Spam = no
>> >> ----
>> >>
>> >> From this, is my description of how MailScanner should work valid? Have I
>> >> forgot to do something? What do I need to change/add/delete
>> >> to make it work
>> >> as I describe?
>> >>
>> >> Thanks in advance.
>> >>
>> >> --
>> >> Kevin L. Collins, MCSE
>> >> Systems Manager
>> >> Nesbitt Engineering, Inc.
>> >>
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

From nerijus at USERS.SOURCEFORGE.NET Tue Sep 2 03:16:17 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:19:41 2006
Subject: Filetype Rules
Message-ID: <200309020216.h822GQr00356@ori.rl.ac.uk>

Hello,

according to the comment in MailScanner.conf I set
Filetype Rules =
i.e. I deleted everything from the = (" %etc-dir%/filetype.rules.conf")

But then MailScanner does not start:
Syntax error(s) in configuration file:
Unrecognised keyword "filetyperules" at line 443
Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf.

Regards,
Nerijus

From mike at CAMAROSS.NET Tue Sep 2 04:45:14 2003
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:41 2006 Subject: Does MailScanner configuration error? In-Reply-To: Message-ID: <000801c37104$9ee10220$640ba8c0@home.middlefinger.net> Perhaps they are looking at your headers which more than likely say "X-MailScanner: Found to be clean" Search your MailScanner.conf for that and change it to something OTHER than Found to be clean and see if that helps. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Michael Luk Sent: Monday, September 01, 2003 7:55 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Does MailScanner configuration error? I use MailScanner+Sendmail+Sophos,there are some problem happened to me now,when sending email to some domain,such as 163.com,163.net,and so on,the reciept can't recieve it at all,and system return email to sender just like below: >The original message was received at Wed, 27 Aug 2003 08:22:51 +0800 >from [218.247.37.227] > > ----- The following addresses had permanent fatal errors ----- > > (reason: 550 Your message was blocked by NetEase AntiSpam+. pQwAALr4Sz/kACaC.1(1577)) > > ----- Transcript of session follows ----- >.... while talking to m203.163.com.: >>>> DATA ><<< 550 Your message was blocked by NetEase AntiSpam+. >pQwAALr4Sz/kACaC.1 (1577) >554 5.0.0 Service unavailable > >Reporting-MTA: dns; mail.X.com.cn >Arrival-Date: Wed, 27 Aug 2003 08:22:51 +0800 > >Final-Recipient: RFC822; michaelluk@163.com >Action: failed >Status: 5.2.0 >Remote-MTA: DNS; m203.163.com >Diagnostic-Code: SMTP; 550 Your message was blocked by NetEase >AntiSpam+. pQwAALr4Sz/kACaC.1(1577) >Last-Attempt-Date: Wed, 27 Aug 2003 08:23:04 +0800 But,If I stop Mailscanner+Sophos,only starting sendmail,sending mail to all domain,it is all ok,why it happened??? pls help me!Thanks! From Jan-Peter.Koopmann at SECEIDOS.DE Tue Sep 2 09:59:14 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:19:41 2006 Subject: blocking an email based on it's IP Message-ID: > The exim filter looks interesting, but is that likely to lead > to any FP's? Have not noticed any here or at our customers site. What system would generate an x-mailscanner header but NOT use a message-ID? I do not doubt there is a distinct possibility but I just cannot see how this would make sense. Regards, JP From mailscanner at ecs.soton.ac.uk Tue Sep 2 08:59:30 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: Filetype Rules In-Reply-To: <200309020216.h822GQr00356@ori.rl.ac.uk> Message-ID: <5.2.0.9.2.20030902085854.063c9d60@imap.ecs.soton.ac.uk> Check you haven't got a ConfigDefs.pl.rpmnew in /usr/lib/MailScanner/MailScanner. At 03:16 02/09/2003, you wrote: >Hello, > >according to the comment in MailScanner.conf I set >Filetype Rules = >i.e. I deleted everything from the = (" %etc-dir%/filetype.rules.conf") > >But then MailScanner does not start: >Syntax error(s) in configuration file: >Unrecognised keyword "filetyperules" at line 443 >Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf. > >Regards, >Nerijus -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Sep 2 08:56:44 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:41 2006 Subject: Problem with to-field in MIME Header In-Reply-To: References: <67D9E7698329D411936E00508B6590B902773ABD@neelix.lbsltd.co.uk> Message-ID: <5.2.0.9.2.20030902085539.0637f158@imap.ecs.soton.ac.uk> For reasons best known to Wietse himself, Postfix queue files are binary and not for human consumption. Bytes must have been *really* expensive when he designed his queue files. At 00:46 02/09/2003, you wrote: >Hi m8 > >I use Postfix with MySQL/SASL/TSL > >Here is a snip from a queue-file: > >ESMTPOmichael@domain.comRdomain@mail.domain.comM > >Think this is the problem :) > >Any ideas? > > > >Best Regards > >Michael > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Steve Freegard >Sent: Monday, September 01, 2003 6:10 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Problem with to-field in MIME Header > > >Hi Michael, > >Looks like a problem specific to Sendmail - all the SQL logging routines do >is use the $message->{to} variable set by MailScanner - I've just looked at >the MailScanner code and it reads the 'R' line directly from the qf* file >stripping off the RFC822: and <> from the addresses and isn't interested in >any other headers, so Sendmail/something else must be changing the 'R' >field. > >Regards, >Steve. > >-----Original Message----- 
>From: Michael Svendsen [mailto:michael@NSEC.DK] >Sent: 01 September 2003 15:48 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Problem with to-field in MIME Header > > >Hey m8 > >I have a little weird problem with the to-field in the MIME-header. > >In my CustomConfig.pm I have following line when using MailWatch: >$tousers = join(',', @{$message->{to}}) > >The problem seems to be, that it takes following lines as the >"to"-parameter: > >X-Original-To: michael@domain.com >Delivered-To: domain@mail.domain.com > >Cause my $tousers now becomes: "michael@domain.com, >domain@mailserver.domain.com" > > >in my virtusertable I have: > >@domain.com domain > >that's why the Delivered-To is domain@.... > > >I've also tried with: $tousers = join(',', @{$message->{touser}}) > >Then I get $tousers to be: "michael, domain" > > >Any ideas? > > >Hope to hear from you soon. > > > > >Best Regards > > >Michael > >-- >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed. If you have received this email in error please notify >the sender and delete the message from your mailbox. > >This footnote also confirms that this email message has been swept by >MailScanner (www.mailscanner.info) for the presence of computer viruses. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dbird at SGHMS.AC.UK Tue Sep 2 10:58:15 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:19:42 2006 Subject: blocking an email based on it's IP In-Reply-To: References: Message-ID: <3F5469B7.8050202@sghms.ac.uk> Jan-Peter Koopmann wrote: >>The exim filter looks interesting, but is that likely to lead >>to any FP's? >> >> > >Have not noticed any here or at our customers site. What system would >generate an x-mailscanner header but NOT use a message-ID? I do not >doubt there is a distinct possibility but I just cannot see how this >would make sense. > > Thanck, gust checking. ;-) >Regards, > JP > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/bf03551a/attachment.html From pndiku at DSMAGIC.COM Tue Sep 2 10:46:25 2003 
From: pndiku at DSMAGIC.COM (Peter C. Ndikuwera) Date: Thu Jan 12 21:19:42 2006 Subject: Mailwatch 0.2 sql prob In-Reply-To: <3F4FCCF9.8060101@sghms.ac.uk> References: <3F4CBCC1.5050409@sghms.ac.uk> <1062141399.1959.3.camel@mufasa.ds.co.ug> <3F4FCCF9.8060101@sghms.ac.uk> Message-ID: <1062495985.16023.455.camel@mufasa.ds.co.ug> Just remove the line: MailScanner::Log::InfoLog("Initialising database connection database=$db_name;host=$db_host,$db_user,$db_pass"); Also, you might want to look at the new CustomConfig.pm I posted earlier. I can send it to you privately if you want. Peter On Sat, 2003-08-30 at 01:00, Daniel Bird wrote: > > Peter C. Ndikuwera wrote: > > Hi Daniel, > > > > I have a fix which is really a hack. I'm sure it's the wrong way to do > > it but it works for me. I've attached the relevant part of my > > CustomConfig.pm. > > > > Peter > > Peter / Steve, > I've tried this one and it works for me (although the DB username and > password appear in the maillog!!! ;-) > > Dan > > On Wed, 2003-08-27 at 17:14, Daniel Bird wrote: > > > > > Hi, > > > I noticed in the archives the same problem I'm having, but no solution: > > > I keep seeing this in the maillog: > > > > > > Cannot insert row: MySQL server has gone away > > > > > > I was wondering if anyone has had this problem and managed to find a fix? > > > > > > Regards > > > -- > > > ____________________________________ > > > > > > Daniel Bird > > > Network & Systems Manager > > > St. George's Hospital Medical School > > > Tooting > > > London SW17 0RE > > > > > > P: +44 20 8725 2897 > > > F: +44 20 8725 3583 > > > E: dan@sghms.ac.uk > > > ____________________________________ > > > > > > Hex dump: Where witches put used curses... > > > "#define QUESTION ((bb) || !(bb)) - Shakespeare." 
> > >
> > >
> > > __________________________________________________________________
> > > ###############
> > > # SQL Logging #
> > > ###############
> > >
> > > use DBI;
> > > use Sys::Hostname;
> > >
> > > sub InitSQLLogging {
> > > }
> > >
> > > sub EndSQLLogging {
> > > }
> > >
> > > sub SQLLogging {
> > >   my($sth);
> > >   my($hostname) = hostname;
> > >
> > >   # Modify this as necessary for your configuration
> > >   my($db_name) = "mailscanner";
> > >   my($db_host) = "localhost";
> > >   my($db_user) = "mailscanner";
> > >   my($db_pass) = "mailscanner";
> > >
> > >   MailScanner::Log::InfoLog("Initialising database connection database=$db_name;host=$db_host,$db_user,$db_pass");
> > >
> > >   # Connect to the database
> > >   my($dbh) = DBI->connect("DBI:mysql:database=$db_name;host=$db_host",
> > >                           $db_user, $db_pass,
> > >                           {PrintError => 0});
> > >
> > >   # Sometimes this line needs to be uncommented. Go figure
> > >   # MailScanner::Log::WarnLog($DBI::errstr);
> > >
> > >   # Check if connection was successful - if it isn't
> > >   # then generate a warning and continue processing.
> > >   if (!$dbh) {
> > >     MailScanner::Log::WarnLog("Unable to initialise database connection: %s", $DBI::errstr);
> > >     return;
> > >   } else {
> > >     # Prepare statement
> > >     $sth = $dbh->prepare("INSERT INTO maillog VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)") or MailScanner::Log::WarnLog($DBI::errstr);
> > >   }
> > >
> > >   MailScanner::Log::InfoLog("Finished initialising database connection");
> > >   my($message) = @_;
> > >
> > >   # Don't bother trying to do an insert if no message
> > >   # is passed-in or if the database connection is down.
> > >   MailScanner::Log::InfoLog("In SQL Logging msg=$message, dbh=$dbh");
> > >   return unless $message;
> > >   return unless defined $dbh;
> > >
> > >   # Get rid of control chars and tidy-up SpamAssassin report
> > >   my $spamreport = $message->{spamreport};
> > >   $spamreport =~ s/\n/ /g;
> > >   $spamreport =~ s/\t//g;
> > >
> > >   # Get timestamp, and format it so it is suitable to use with MySQL
> > >   my($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
> > >   my($timestamp) = sprintf("%d-%02d-%02d %02d:%02d:%02d",
> > >                            $year+1900,$mon+1,$mday,$hour,$min,$sec);
> > >
> > >   # Also print 1 line for each report about this message. These lines
> > >   # contain all the info above, + the attachment filename and text of
> > >   # each report.
> > >   my($file, $text, @report_array);
> > >   while(($file, $text) = each %{$message->{allreports}}) {
> > >     $file = "the entire message" if $file eq "";
> > >     # Use the sanitised filename to avoid problems caused by people forcing
> > >     # logging of attachment filenames which contain nasty SQL instructions.
> > >     $file = $message->{file2safefile}{$file} or $file;
> > >     $text =~ s/\n/ /; # Make sure text report only contains 1 line
> > >     $text =~ s/\t/ /; # and no tab characters
> > >     push (@report_array, $text);
> > >   }
> > >
> > >   # Sanitize reports
> > >   my $reports = join(",",@report_array);
> > >
> > >   # Insert the data
> > >   $sth->execute(
> > >     $timestamp,
> > >     $message->{id},
> > >     $message->{size},
> > >     $message->{from},
> > >     join(',', @{$message->{to}}),
> > >     $message->{subject},
> > >     $message->{clientip},
> > >     join(',', @{$message->{archiveplaces}}),
> > >     $message->{isspam},
> > >     $message->{ishigh},
> > >     $message->{issaspam},
> > >     $message->{isrblspam},
> > >     $message->{spamwhitelisted},
> > >     $message->{sascore},
> > >     $spamreport,
> > >     $message->{virusinfected},
> > >     $message->{nameinfected},
> > >     $message->{otherinfected},
> > >     $reports,
> > >     $hostname)
> > >     or MailScanner::Log::WarnLog("Cannot insert row: %s", $DBI::errstr);
> > >
> > >   MailScanner::Log::InfoLog("Finished SQL Logging [$DBI::errstr]");
> > >
> > >   $dbh->disconnect if defined $dbh;
> > >   MailScanner::Log::InfoLog("Disconnected from the database");
> > > }
> > >
>
> --
> ____________________________________
>
> Daniel Bird
> Network & Systems Manager
> St. George's Hospital Medical School
> Tooting
> London SW17 0RE
>
> P: +44 20 8725 2897
> F: +44 20 8725 3583
> E: dan@sghms.ac.uk
> ____________________________________
>
> Hex dump: Where witches put used curses...
> "#define QUESTION ((bb) || !(bb)) - Shakespeare."

From anders.andersson at LTKALMAR.SE Tue Sep 2 11:16:30 2003
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:42 2006
Subject: SV: blocking an email based on it's IP
Message-ID:

Unless they are using a NAT firewall then you might block their smtp-server as well..... but not likely any got that kind of config.... just a thought

Does anybody actively build lists of IPs sending out SoBig? We are currently analysing our logs hourly and then taking the top 10 offenders and putting them in an Exim blocking list, in the hope that it will take **some** load off our servers. My thoughts are along the same lines as Antony's, i.e. Sobig uses its own SMTP engine so we shouldn't be seeing these IPs anyhow.

Dan

Antony.

--
In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite.

 - Paul Dirac

--
____________________________________

Daniel Bird
Network & Systems Manager
St. George's Hospital Medical School
Tooting
London SW17 0RE

P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan@sghms.ac.uk
____________________________________

Hex dump: Where witches put used curses...
"#define QUESTION ((bb) || !(bb)) - Shakespeare."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/072a3e9f/attachment.html

From michael at NSEC.DK Tue Sep 2 11:32:53 2003
From: michael at NSEC.DK (Michael Svendsen)
Date: Thu Jan 12 21:19:42 2006
Subject: Problem with to-field in MIME Header
In-Reply-To: <5.2.0.9.2.20030902085539.0637f158@imap.ecs.soton.ac.uk>
Message-ID:

Heh, okay. So what I hear you say: "Find another MTA", right? ;-)

I'm an old sendmail user, just wanted an alternative MTA that supports virtual users and mysql. So I thought Postfix/Courier-IMAP/MySQL were a great solution.

Maybe I should take a look on Exim then... :)

Best Regards
Michael

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
Sent: Tuesday, September 02, 2003 9:57 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Problem with to-field in MIME Header

For reasons best known to Wietse himself, Postfix queue files are binary and not for human consumption. Bytes must have been *really* expensive when he designed his queue files.

At 00:46 02/09/2003, you wrote:
>Hi m8
>
>I use Postfix with MySQL/SASL/TSL
>
>Here is a snip from a queue-file:
>
>ESMTPOmichael@domain.comRdomain@mail.domain.comM
>
>Think this is the problem :)
>
>Any ideas?
>
>Best Regards
>
>Michael
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Steve Freegard
>Sent: Monday, September 01, 2003 6:10 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Problem with to-field in MIME Header
>
>
>Hi Michael,
>
>Looks like a problem specific to Sendmail - all the SQL logging routines do
>is use the $message->{to} variable set by MailScanner - I've just looked at
>the MailScanner code and it reads the 'R' line directly from the qf* file
>stripping off the RFC822: and <> from the addresses and isn't interested in
>any other headers, so Sendmail/something else must be changing the 'R'
>field.
>
>Regards,
>Steve.
>
>-----Original Message-----
>From: Michael Svendsen [mailto:michael@NSEC.DK]
>Sent: 01 September 2003 15:48
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Problem with to-field in MIME Header
>
>
>Hey m8
>
>I have a little weird problem with the to-field in the MIME-header.
>
>In my CustomConfig.pm I have following line when using MailWatch:
>$tousers = join(',', @{$message->{to}})
>
>The problem seems to be, that it takes following lines as the
>"to"-parameter:
>
>X-Original-To: michael@domain.com
>Delivered-To: domain@mail.domain.com
>
>Cause my $tousers now becomes: "michael@domain.com,
>domain@mailserver.domain.com"
>
>
>in my virtusertable I have:
>
>@domain.com domain
>
>that's why the Delivered-To is domain@....
>
>
>I've also tried with: $tousers = join(',', @{$message->{touser}})
>
>Then I get $tousers to be: "michael, domain"
>
>
>Any ideas?
>
>
>Hope to hear from you soon.
>
>
>Best Regards
>
>
>Michael
>
>--
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the sender and delete the message from your mailbox.
>
>This footnote also confirms that this email message has been swept by
>MailScanner (www.mailscanner.info) for the presence of computer viruses.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dot at DOTAT.AT Tue Sep 2 11:29:55 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:42 2006
Subject: ClamAV missing Sobig
In-Reply-To:
References:
Message-ID:

Antony Stone wrote:
>
>On one particular system I currently have 8 A-V engines running, and I have
>this idea that it would be very useful to set up a mail server such as this
>running lots of A-V engines, scanning every email it receives, and delivering
>nothing but sender notifications to identify what each A-V system said about
>the attachments.

You mean a computer specifically intended to piss off the innocent victims of email forgery?

>the only bit I haven't worked out yet technically is how to stop it being
>used a bit like an open relay, as it could be abused by somebody sending
>loads of Sobigs into it, with lots of innocent email addresses getting the
>resultant notifications (I couldn't use the 'Silent Viruses' list, because
>that would defeat its entire purpose if someone genuinely sent it a Sobig
>sample).

There is *NO* *WAY* of telling the difference between forged and genuine email, except for certain specific cases. The point of the silent viruses list is that those viruses always forge email, so they should be simply deleted.

Tony.
--
f.a.n.finch http://dotat.at/
FITZROY: NORTHEASTERLY 4 OR 5 INCREASING 6 OR 7 IN SOUTHEAST. THUNDERY SHOWERS. GOOD.

From m.sapsed at BANGOR.AC.UK Tue Sep 2 11:57:24 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:19:42 2006
Subject: Does MailScanner configuration error?
References: <000801c37104$9ee10220$640ba8c0@home.middlefinger.net>
Message-ID: <3F547794.7080707@bangor.ac.uk>

Mike Kercher wrote:
> Perhaps they are looking at your headers which more than likely say
> "X-MailScanner: Found to be clean"
>
> Search your MailScanner.conf for that and change it to something OTHER than
> Found to be clean and see if that helps.

I thought Julian's recommendation was to change the X-MailScanner: bit rather than the body - dopey filterers may be dumping based on the presence of the header rather than what it says?

Cheers,

Martin

--
Martin Sapsed                  Information Services
"Who do you say I am?"         University of Wales, Bangor
     Jesus of Nazareth

From R.A.Gardener at SHU.AC.UK Tue Sep 2 12:17:48 2003
From: R.A.Gardener at SHU.AC.UK (Ray Gardener)
Date: Thu Jan 12 21:19:42 2006
Subject: Subject line tagging, verion 4.23-11 and Exim
Message-ID: <00c901c37143$dc4012c0$110a130a@videoproducer>

Hi, we are running version 3.35 of Exim. We are using a Sun Ultra 10 with Solaris 2.6.

I upgraded to version 4.23-11 of MailScanner yesterday and seem to have lost the subject line tagging of infected messages.

e.g. what was:

Subject: {Virus?} the original subject

now appears as just:

Subject: the original subject

I have checked the options that I have set in MailScanner.conf and they are still specifying that subject tagging is needed.

Virus Modify Subject = yes
Virus Subject Text = {Virus?}

Has anyone else seen this behaviour with MailScanner 4.23-x and Exim 3.x ?

Regards
_________________________________________________
Ray Gardener
CIS
Sheffield Hallam University
Howard Street
Sheffield
UK
S1 1WB
(44) 0114 225 4926
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ray Gardener.vcf
Type: text/x-vcard
Size: 571 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/775fc94a/RayGardener.vcf

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Sep 2 12:20:11 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:19:42 2006
Subject: AW: Problem with to-field in MIME Header
Message-ID:

> Maybe I should take a look on Exim then... :)

You should... :-)

From nerijus at USERS.SOURCEFORGE.NET Tue Sep 2 12:21:41 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:19:42 2006
Subject: Filetype Rules
In-Reply-To: <5.2.0.9.2.20030902085854.063c9d60@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030902085854.063c9d60@imap.ecs.soton.ac.uk>
Message-ID: <200309021123.h82BNj707329@mail.schetelig.lt>

No. I commented that line out, and it works now, but there is still probably a bug.

On Tue, 2 Sep 2003 08:59:30 +0100 Julian Field wrote:

> Check you haven't got a
> ConfigDefs.pl.rpmnew in /usr/lib/MailScanner/MailScanner.
>
> At 03:16 02/09/2003, you wrote:
> >Hello,
> >
> >according to the comment in MailScanner.conf I set
> >Filetype Rules =
> >i.e. I deleted everything from the = (" %etc-dir%/filetype.rules.conf")
> >
> >But then MailScanner does not start:
> >Syntax error(s) in configuration file:
> >Unrecognised keyword "filetyperules" at line 443
> >Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf.

From davidj at IMPOL.NET Tue Sep 2 12:33:53 2003
From: davidj at IMPOL.NET (David Jacobson)
Date: Thu Jan 12 21:19:42 2006
Subject: Filename/filetype rulesets
Message-ID:

Hi,

I've been using MailScanner (4.22-4) with Exim (4.20)

I'd like to congratulate Julian on an unbelievable product, that in my honest opinion beats most commercial products that cost ridiculous amounts of money.

Anyway, what I'd like is an example on how to split the filename/filetype options into rulesets

I have a specific client that wants to be able to receive all content types from a specific domain and just need an example to work with.

Thanks in advance.

Kind regards,

David Jacobson
System Architect

Imperial Online - The Imperial Connection

Switchboard (+27) 11 723-8000
Helpdesk (+27) 11 723-8181
Mobile (+27) 83 235-0760
Facsimile (+27) 11 454 1236
Email davidj@impol.net

www.imperialonline.co.za / www.imperialtoday.co.za

Confidentiality Notice:
This communication and the information it contains are intended for the person(s) or organisation(s) named above and for no other person(s) or organisation(s).
The content of this communication may be confidential, legally privileged and protected. Unauthorised use, copying or disclosure of any part of this communication may be unlawful.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/320d5af7/attachment.html

From P.G.M.Peters at utwente.nl Tue Sep 2 13:50:17 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:19:42 2006
Subject: Does MailScanner configuration error?
In-Reply-To: <3F547794.7080707@bangor.ac.uk>
References: <000801c37104$9ee10220$640ba8c0@home.middlefinger.net> <3F547794.7080707@bangor.ac.uk>
Message-ID:

On Tue, 2 Sep 2003 11:57:24 +0100, you wrote:

>> Perhaps they are looking at your headers which more than likely say
>> "X-MailScanner: Found to be clean"
>>
>> Search your MailScanner.conf for that and change it to something OTHER than
>> Found to be clean and see if that helps.
>
>I thought Julian's recommendation was to change the X-MailScanner: bit
>rather than the body - dopey filterers may be dumping based on the
>presence of the header rather than what it says?

I have seen bounces from this same kind of software. Because we have changed the headers I presumed this server still uses osirusoft.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Tue Sep 2 13:59:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:42 2006
Subject: Filename/filetype rulesets
In-Reply-To:
Message-ID: <5.2.0.9.2.20030902135549.043756e8@imap.ecs.soton.ac.uk>

At 12:33 02/09/2003, you wrote:
>Hi,
>
>I've been using MailScanner (4.22-4) with Exim (4.20)
>
>I'd like to congratulate Julian on an unbelievable product, that in my
>honest opinion beats most commercial
>products that cost ridiculous amounts of money.
>
>Anyway, what I'd like is an example on how to split the filename/filetype
>options into rulesets
>
>I have a specific client that wants to be able to receive all content
>types from a specific domain and just need
>an example to work with.

In MailScanner.conf, set

Filetype Rules = /etc/MailScanner/rules/filetype.rules
Filename Rules = /etc/MailScanner/rules/filename.rules

In filetype.rules put

From: domain.com /etc/MailScanner/filename.allowall.rules.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf

In filename.rules put

From: domain.com /etc/MailScanner/filetype.allowall.rules.conf
FromOrTo: default /etc/MailScanner/filetype.rules.conf

In filename.allowall.rules.conf put (separated by tabs, not spaces)

allow	.	-	-

In filetype.allowall.rules.conf put (separated by tabs, not spaces)

allow	.	-	-

That should do the trick.

>Thanks in advance.
>
>Kind regards,
>
>David Jacobson
>System Architect
>
>Imperial Online - The Imperial Connection
>
>Switchboard (+27) 11 723-8000
>Helpdesk (+27) 11 723-8181
>Mobile (+27) 83 235-0760
>Facsimile (+27) 11 454 1236
>Email davidj@impol.net
>
>www.imperialonline.co.za / www.imperialtoday.co.za
>
>Confidentiality Notice:
>This communication and the information it contains are intended for the
>person(s) or organisation(s) named above and for no other person(s) or
>organisation(s).
>The content of this communication may be confidential, legally privileged
>and protected. Unauthorised use, copying or disclosure of any part of this
>communication may be unlawful.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/09f30c7b/attachment.html

From Antony at SOFT-SOLUTIONS.CO.UK Tue Sep 2 14:18:22 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:42 2006
Subject: ClamAV missing Sobig
In-Reply-To:
References:
Message-ID: <200309021318.h82DIRc23293@agate.rockstone.co.uk>

On Tuesday 02 September 2003 11:29 am, Tony Finch wrote:

> Antony Stone wrote:
> >On one particular system I currently have 8 A-V engines running, and I
> > have this idea that it would be very useful to set up a mail server such
> > as this running lots of A-V engines, scanning every email it receives,
> > and delivering nothing but sender notifications to identify what each
> > A-V system said about the attachments.
>
> You mean a computer specifically intended to piss off the innocent victims
> of email forgery?

No, I mean a machine specifically intended to enable people to find out what the various anti-virus products make of a particular file.

The whole reason I said I couldn't see the technical way of doing this yet was because of the "innocent victim" problem.

Regards,

Antony.

--
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Sep 2 14:24:24 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:19:42 2006
Subject: What's Going on here?
In-Reply-To: <3F530CA8.9030803@bangor.ac.uk>
Message-ID: <005601c37155$86a1b7d0$0501a8c0@darkside>

>I've seen a few instances like this and having quarantined them, I sent
>them to Sophos. They were all broken copies. I've also sometimes seen
>Sobig-like attachments which were in fact empty. There were quite a lot
>like this with Bugbear which caused them to issue the Bugbear-Dam ide.

Indeed, they have sent me a sbf-dam.ide that doesn't appear to have been publicly released (yet). If anyone is interested, you can email me and I'll send it along. Also, I'm sure Sophos would be happy to send it to anyone who asks.

--J(K)

From David.While at UCE.AC.UK Tue Sep 2 13:36:04 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:42 2006
Subject: feature request
Message-ID: <107DE25EC0216C45AEF670016024245F6F16@exchangea.staff.uce.ac.uk>

What is the possibility of including the sending IP address in the virus lines in the log file entries?

With the recent Sobig.F outbreak it would seem sensible to be able to do some automatic processing on the log files to determine the IP addresses that are sending them. My quick analysis of my log file shows that it is a few addresses sending large numbers to me.

If this is possible I would then be able to add it as a feature to mailstats.pl to block persistent virus senders for a short period of time.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/3a73c4e1/attachment.html

From waldner at WALDNER.PRIV.AT Tue Sep 2 14:24:45 2003
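The log processing asked for in the feature request above, and the hourly "top offenders" list described earlier in the thread, as an added example (not code from mailstats.pl or MailScanner). It assumes log lines of the form "Infected message <id> came from <ip>", the format used by the logging patch posted in this thread, behind a constructed syslog prefix; the sample lines, addresses, thresholds and the never-block list (which covers the NAT and shared-relay concern raised earlier) are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed layout: syslog prefix, then "Infected message <id> came from <ip>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ MailScanner\[\d+\]: "
    r"Infected message (?P<id>\S+) came from (?P<ip>\S+)$"
)

# Constructed sample log: documentation address ranges, made-up message ids.
SAMPLE_LOG = """\
Sep  2 11:30:00 mx1 MailScanner[411]: Infected message h82BU0i9 came from 198.51.100.7
Sep  2 13:00:05 mx1 MailScanner[411]: Infected message h82D05a1 came from 192.0.2.10
Sep  2 13:02:11 mx1 MailScanner[411]: Infected message h82D2Bb2 came from 192.0.2.10
Sep  2 13:02:11 mx1 MailScanner[411]: Infected message h82D2Bb2 came from 192.0.2.10
Sep  2 13:05:40 mx1 MailScanner[412]: Infected message h82D5ec3 came from 198.51.100.7
Sep  2 13:07:19 mx1 MailScanner[411]: Infected message h82D7Jd4 came from 192.0.2.10
Sep  2 13:09:02 mx1 MailScanner[412]: Infected message h82D92e5 came from 203.0.113.25
Sep  2 13:09:30 mx1 MailScanner[412]: Infected message h82D9Uf6 came from 203.0.113.25
Sep  2 13:10:44 mx1 MailScanner[412]: Infected message h82DAig7 came from 203.0.113.25
Sep  2 13:11:00 mx1 sendmail[500]: constructed unrelated line
Sep  2 13:12:00 mx1 MailScanner[411]: Infected message h82DC0h8 came from not-an-ip
"""

NOW = datetime(2003, 9, 2, 13, 15, 0)   # constructed "current time"
WINDOW = timedelta(hours=1)             # how far back to count
THRESHOLD = 3                           # infected messages before blocking
TTL = timedelta(minutes=30)             # "a short period of time"
NEVER_BLOCK = ["203.0.113.0/24"]        # e.g. a partner's NAT gateway or relay


def parse_events(lines, year):
    """Return (time, message id, address) for every well-formed infected line.

    Syslog timestamps carry no year, so the caller supplies it. Lines that do
    not match, or whose address field is not a valid IP, are skipped.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        try:
            ip = ip_address(m["ip"])
        except ValueError:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((when, m["id"], ip))
    return events


def top_offenders(events, now, window, threshold, never_block=()):
    """Rank addresses by distinct infected messages seen inside the window."""
    nets = [ip_network(n) for n in never_block]
    seen = defaultdict(set)
    for when, msg_id, ip in events:
        if not (now - window <= when <= now):
            continue
        if any(ip in net for net in nets):
            continue                      # shared relays are never blocked
        seen[ip].add(msg_id)              # a set, so repeated lines count once
    ranked = [(ip, len(ids)) for ip, ids in seen.items() if len(ids) >= threshold]
    ranked.sort(key=lambda r: (-r[1], r[0].version, int(r[0])))
    return [(str(ip), count) for ip, count in ranked]


def update_blocklist(blocklist, offenders, now, ttl):
    """Drop expired entries, then block current offenders until now + ttl."""
    active = {ip: exp for ip, exp in blocklist.items() if exp > now}
    for ip, _count in offenders:
        active[ip] = now + ttl
    return active


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG.splitlines(), 2003)
    offenders = top_offenders(evts, NOW, WINDOW, THRESHOLD, NEVER_BLOCK)
    for ip, expiry in sorted(update_blocklist({}, offenders, NOW, TTL).items()):
        print(f"{ip} blocked until {expiry:%H:%M}")
```

Counting distinct message ids rather than lines keeps a repeated log entry from pushing a host over the threshold, and the expiry step is what keeps the block temporary.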
From: waldner at WALDNER.PRIV.AT (Robert Waldner)
Date: Thu Jan 12 21:19:42 2006
Subject: ClamAV missing Sobig
In-Reply-To: Your message of "Tue, 02 Sep 2003 14:18:22 BST." <200309021318.h82DIRc23293@agate.rockstone.co.uk>
References: <200309021318.h82DIRc23293@agate.rockstone.co.uk>
Message-ID: <20030902132446.7932747061@fsck.waldner.priv.at>

On Tue, 02 Sep 2003 14:18:22 BST, Antony Stone writes:
>No, I mean a machine specifically intended to enable people to find out what
>the various anti-virus products make of a particular file.
>
>The whole reason I said I couldn't see the technical way of doing this yet
>was because of the "innocent victim" problem.

So don't send anything back per mail, but use another channel. I can imagine the user entering the msg-id in some web-form to see the scan output. (Of course, the tradeoff would be the used diskspace and overhead for the webstuff (server and cgi et al).)

cheers,
&rw
--
-- "Service packs" are for people who are mentally not equipped
-- to keep track of patches and wouldn't know how to apply one
-- anyway.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/86e8488a/attachment.bin

From ryanb at AACRAO.ORG Tue Sep 2 15:22:52 2003
From: ryanb at AACRAO.ORG (Bingham, Ryan)
Date: Thu Jan 12 21:19:42 2006
Subject: MailWatch: blocked files fix
Message-ID:

Thanks Steve! I replaced the SQL statement in functions.php and it works perfectly now.

Thanks again,
Ryan

-----Original Message-----
From: Steve Freegard [mailto:steve.freegard@LBSLTD.CO.UK]
Sent: Monday, September 01, 2003 6:20 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailWatch: blocked files fix

Ryan,

Here is the updated SQL statement:

SELECT
 COUNT(*) AS processed,
 SUM(CASE WHEN virusinfected>0 THEN 1 ELSE 0 END) AS virii,
 ROUND((SUM(CASE WHEN virusinfected>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS viriipercent,
 SUM(CASE WHEN nameinfected>0 THEN 1 ELSE 0 END) AS blockedfiles,
 ROUND((SUM(CASE WHEN nameinfected>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS blockedfilespercent,
 SUM(CASE WHEN otherinfected>0 THEN 1 ELSE 0 END) AS otherinfected,
 ROUND((SUM(CASE WHEN otherinfected>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS otherinfectedpercent,
 SUM(CASE WHEN isspam>0 THEN 1 ELSE 0 END) AS spam,
 ROUND((SUM(CASE WHEN isspam>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS spampercent,
 SUM(CASE WHEN ishighspam>0 THEN 1 ELSE 0 END) AS highspam,
 ROUND((SUM(CASE WHEN ishighspam>0 THEN 1 ELSE 0 END)/COUNT(*))*100,1) AS highspampercent,
 SUM(size) AS size
FROM
 maillog
WHERE
 DATE_FORMAT(timestamp, '%Y-%m-%d') = CURRENT_DATE()

Kind regards,
Steve.

-----Original Message-----
From: Bingham, Ryan
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: 01/09/03 20:43
Subject: MailWatch: blocked files fix

Someone recently posted a patch to CustomConfig.pm to get MailWatch to display the statistics on blocked files properly. I accidentally deleted the message and can't find it in the archives. Could someone repost it?

Thanks!
Ryan

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From mailscanner at ecs.soton.ac.uk Tue Sep 2 15:27:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:42 2006
Subject: feature request
In-Reply-To: <107DE25EC0216C45AEF670016024245F6F16@exchangea.staff.uce.ac.uk>
Message-ID: <5.2.0.9.2.20030902152659.04dae810@imap.ecs.soton.ac.uk>

At 13:36 02/09/2003, you wrote:
>What is the possibility of including the sending IP address in the virus
>lines in the log file entries?

Please can you give me an example of what log entries you mean.

>With the recent Sobig.F outbreak it would seem sensible to be able to do
>some automatic processing on the log files to determine the IP addresses
>that are sending them. My quick analysis of my log file shows that it is a
>few addresses sending large numbers to me.
>
>If this is possible I would then be able to add it as a feature to
>mailstats.pl to block persistent virus senders for a short period of time.
>
>-----------------------------------------------------------------
>David While
>Technical Development Manager
>Faculty of Computing, Information & English
>University of Central England
>Tel: 0121 331 6211
>-----------------------------------------------------------------

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Tue Sep 2 15:48:04 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:42 2006
Subject: sigpipe warnings in syslog
In-Reply-To: <20030902142336.GA15442@imaginet.co.uk>
Message-ID:

Hi!

> I am using Mailscanner on Debian/stable. I was previously using the
> Debian package of 3.27 but about 6 months ago, installed a copy of
> version 4 from the tar file.
>
> I have just upgraded to version 4.23-11 (from 4.21-9) and it all works
> fine apart from messages in syslog everytime a new batch is processed:
>
> SIGPIPE received - trying new log socket
>
> This occurs using both the standard syslogd in Debian and syslog-ng.

What version syslog-ng are you running? I am using syslog-ng 1.5.26 and I don't see that in my logs.

Bye,
Raymond.

From gerry at dorfam.ca Tue Sep 2 16:04:09 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:19:42 2006
Subject: ClamAV missing Sobig
In-Reply-To: <20030902132446.7932747061@fsck.waldner.priv.at>
References: <200309021318.h82DIRc23293@agate.rockstone.co.uk> <20030902132446.7932747061@fsck.waldner.priv.at>
Message-ID: <57940.129.80.22.133.1062515049.squirrel@tiger.dorfam.ca>

>
> On Tue, 02 Sep 2003 14:18:22 BST, Antony Stone writes:
>>No, I mean a machine specifically intended to enable people to find out
>> what
>>the various anti-virus products make of a particular file.
>>
>>The whole reason I said I couldn't see the technical way of doing this
>> yet
>>was because of the "innocent victim" problem.
>
> So don't send anything back per mail, but use another channel. I can
> imagine the user entering the msg-id in some web-form to see the scan
> output. (Of course, the tradeoff would be the used diskspace and
> overhead for the webstuff (server and cgi et al).)
>
> cheers,
> &rw

The problem I see is that it would end up being a great service for the virus writers. They could tweak and adjust until they ended up with a virus that wasn't detected by the majority of scanners.

Gerry

From Antony at SOFT-SOLUTIONS.CO.UK Tue Sep 2 16:10:01 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:42 2006
Subject: ClamAV missing Sobig
In-Reply-To: <57940.129.80.22.133.1062515049.squirrel@tiger.dorfam.ca>
References: <20030902132446.7932747061@fsck.waldner.priv.at> <57940.129.80.22.133.1062515049.squirrel@tiger.dorfam.ca>
Message-ID: <200309021510.h82FA8c23987@agate.rockstone.co.uk>

On Tuesday 02 September 2003 4:04 pm, Gerry Doris wrote:

> > On Tue, 02 Sep 2003 14:18:22 BST, Antony Stone writes:
> > >No, I mean a machine specifically intended to enable people to find out
> > > what the various anti-virus products make of a particular file.
> > > The whole reason I said I couldn't see the technical way of doing this
> > > yet was because of the "innocent victim" problem.
> >
> > So don't send anything back per mail, but use another channel. I can
> > imagine the user entering the msg-id in some web-form to see the scan
> > output. (Of course, the tradeoff would be the used diskspace and
> > overhead for the webstuff (server and cgi et al).)
> >
> > cheers,
> > &rw
>
> The problem I see is that it would end up being a great service for the
> virus writers. They could tweak and adjust until they ended up with a
> virus that wasn't detected by the majority of scanners.

In which case we already have a sample of it and can create a ClamAV signature automatically :) ?

Antony.

--
I vote "no" to this proposal to form a committee to investigate whether we should or should not hold a ballot on whether to vote yet.

From dot at DOTAT.AT Tue Sep 2 16:17:16 2003
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:42 2006 Subject: feature request In-Reply-To: Message-ID: Julian Field wrote: >At 13:36 02/09/2003, you wrote: >>What is the possibility of including the sending IP address in the virus >>lines in the log file entries? > >Please can you give me an example of what log entries you mean. In amongst my ever-increasing logging patches I have the following. I haven't decided whether to log the virus name(s) as well -- that might not be a good idea with multiple virus scanners; alternatively I might want to optionally disable the logging of the output from the scanners themselves in order to reduce log volume. --- SweepViruses.pm 4 Jul 2003 19:13:31 -0000 1.10 +++ SweepViruses.pm 26 Aug 2003 10:03:53 -0000 1.11 @@ -508,6 +508,9 @@ next unless $text; $message->{virusreports}{"$attachment"} .= $text; } + MailScanner::Log::InfoLog("Infected message %s came from %s", + $id, $message->{clientip}) + if MailScanner::Config::Value('logipaddrs'); } # And then all the report types... --- ConfigDefs.pl 25 Jul 2003 10:09:00 -0000 1.13 +++ ConfigDefs.pl 26 Aug 2003 10:03:53 -0000 1.14 @@ -88,6 +88,7 @@ logfacility = syslogfacility logformtags = loghtmlformtags logobjecttags = logobjectcodebasetags +logipaddrs = loginfectedipaddresses maxdirtybytes = maxunsafebytesperscan maxdirtymessages = maxunsafemessagesperscan maxmessagesize = maximummessagesize @@ -145,6 +146,7 @@ logspam 1 no 0 yes 1 lognonspam 0 no 0 yes 1 logmessageids 0 no 0 yes 1 +logipaddrs 0 no 0 yes 1 expandtnef 1 no 0 yes 1 showscanner 0 no 0 yes 1 spamassassinautowhitelist 1 no 0 yes 1 Tony. -- f.a.n.finch http://dotat.at/ MULL OF KINTYRE TO ARDNAMURCHAN POINT: NORTHWEST BACKING SOUTHWEST 3 OR 4. CLOUDY, RAIN THEN SHOWERS, BECOMING DRY, FAIR LATER. GOOD FALLING MODERATE IN RAIN OR SHOWERS. SLIGHT. From dot at DOTAT.AT Tue Sep 2 16:17:53 2003 
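Review bot: in the SweepViruses.pm hunk, the new InfoLog call passes $message->{clientip} to the second %s without checking that it is set, so a message with no recorded client address produces a line ending in "came from " that any log processor keyed on the address will miss or mis-parse. Suggest a fixed fallback token, for example $message->{clientip} || 'unknown', so every infected message yields a line with two fields.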
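Review bot: in the first ConfigDefs.pl hunk (@@ -88), logipaddrs = loginfectedipaddresses is inserted after logobjecttags, which breaks the alphabetical order of the neighbouring aliases (logfacility, logformtags, logobjecttags); it belongs between logformtags and logobjecttags. The internal name also drops the "infected" that the external keyword carries, so loginfectedipaddrs would make the link between the two easier to follow.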
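Review bot: the second ConfigDefs.pl hunk (@@ -145) defines logipaddrs as a yes/no option defaulting to 0, but the patch touches only SweepViruses.pm and ConfigDefs.pl, so there is no MailScanner.conf entry or comment telling an administrator that the option exists or what the resulting log line looks like. Add the commented setting to MailScanner.conf in the same change, next to the other logging options.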
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:42 2006
Subject: ClamAV missing Sobig
In-Reply-To:
References:
Message-ID:

Antony Stone wrote:
>
>No, I mean a machine specifically intended to enable people to find out what
>the various anti-virus products make of a particular file.

Use a web page.

Tony.
--
f.a.n.finch http://dotat.at/
ARDNAMURCHAN POINT TO CAPE WRATH INCLUDING THE OUTER HEBRIDES: SOUTHWEST TO WEST 3 OR 4 BACKING SOUTHWEST 4 OR 5 LATER. CLOUDY, RAIN THEN SHOWERS. GOOD FALLING MODERATE IN RAIN OR SHOWERS. SLIGHT INCREASING MODERATE.

From peter.farago at PENSION-KEY.COM Tue Sep 2 16:19:36 2003
From: peter.farago at PENSION-KEY.COM (Peter Farago)
Date: Thu Jan 12 21:19:42 2006
Subject: mail stuck in postfix.in
Message-ID:

I installed mailscanner & spamassassin under redhat 9 and tried to configure it to work with postfix.

postfix-1.1.12-1
mailscanner 4.23-11
mail-spamassassin 2.55

I followed the instructions in "MailScanner Installation Guide - Postfix"

postfix (2 copies) and mailscanner (many copies) both run after I do the service MailScanner start but inbound mail gets stuck in /var/spool/postfix.in/deferred.

there are no errors in maillog but I don't see any mailscanner entries after the startup. It appears to not recognize the arrival of mail in the inbound queue.

Any ideas on how to fix this?

From errol.neal at ENHTECH.COM Tue Sep 2 16:19:13 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
In-Reply-To:
Message-ID: <5.1.0.14.0.20030902104015.03c128a0@mail.enhtech.com>

Hi all,

My company has been using MailScanner for some time now and have been really pleased. Our primary platform for deployment is Solaris 9 on Sparc. We are going to be deploying several new servers and are pricing out the hardware for them. Since we depend on these systems and want them to be as efficient as possible, we want to target possible bottlenecks in a MailScanner system and put the capital there as opposed to just throwing money at the system.

Right now what we are looking at is deploying a 2.4 Pentium IV system with IDE disks and 512MB of RAM. I personally think we should invest the money in the Disk IO and even go with Pentium III's but my employer is not so convinced. Of course everyone knows that SCSI is faster than standard IDE disks, however is that increase in performance noticeable on a MailScanner system? Is the performance on a P4 that much better than performance on a PIII? Since I do not have systems of this nature to test with I am turning to users of this software to help me invest my budget wisely to produce the best system I can.

SCSI vs IDE, is the difference that noticeable?
64bit vs 32 bit, any performance gains there?
Linux vs Solaris? Anybody got any ideas?

PS our daily volume of mail passing through our MailScanners is somewhere in the neighborhood of 15-20K

Thank you in advance,

Regards,

Errol U. Neal

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From Kevin.Spicer at BMRB.CO.UK Tue Sep 2 16:47:37 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ADF9@pascal.priv.bmrb.co.uk>

Errol Neal wrote:
> Hi all,
> SCSI vs IDE, is the difference that noticeable?

The best I/O improvement is by making sure you've got plenty of RAM and putting the MailScanner work directory in tmpfs (not either of the mail queues though!)

> Linux vs Solaris? Anybody got any ideas?

Personally speaking ufs sucks and anything FS intensive struggles on Solaris (in fairness my experience is with low end machines, E250 and lower). You'll get more bang-per-buck using linux on Intel. Where Solaris excels is at the high end and I can't see why anyone would need a high end server for a mail load of only 15-20k.

>
> PS our daily volume of mail passing through our MailScanners is
> somewhere in the neighborhood of 15-20K
>

For comparison I run a mail server handling a load of about 7K using a Compaq blade (800Mhz processor, IDE drive, 512M ram, running Linux) with MS, SA, DCC, Razor2, Pyzor, MailStats and MailScanner-mrtg. The main load comes when the two stats programs process the logfiles.

If you've got the money for Sun hardware buy Intel and get an extra box for redundancy/ load balancing!

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From tyler at BELOIT.EDU Tue Sep 2 16:52:36 2003
From: tyler at BELOIT.EDU (Tim Tyler)
Date: Thu Jan 12 21:19:42 2006
Subject: caramail domain
Message-ID: <5.2.0.9.0.20030902103737.00bbb2e0@beloit.edu>

FYI for everyone,
I have researched the caramail.com domain issue and they must now be setting up legitimate email accounts with just username@caramail.com. I have had two legitimate accounts from caramail.com that were tagged as spam. I think caramail.com should probably get removed from the spamassassin domain name list. Regardless, I will either whitelist their domain or lower the weighted score for FAKE_HELO_DOTCOM. In the long run, I hope that spamassassin will take off caramail.com from the Fake_helo_dotcom list since I am guessing that many other sites will be tagging them falsely as well.

Tim

Tim Tyler
Network Engineer - Beloit College
tyler@beloit.edu

From David.While at UCE.AC.UK Tue Sep 2 16:54:26 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:42 2006
Subject: ANNOUNCE: mailstats V0.21
Message-ID: <107DE25EC0216C45AEF670016024245F64417C@exchangea.staff.uce.ac.uk>

Whoops - sorry about that - it's there now.

-----Original Message-----
From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US]
Sent: Tue 02/09/2003 15:52
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: ANNOUNCE: mailstats V0.21

Hey I went out to this site to grab .21 and it was showing .23 as the latest but I can not download it.

Thanks

Joe

-----Original Message-----
From: David While [mailto:David.While@UCE.AC.UK]
Sent: Sunday, August 31, 2003 12:41 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ANNOUNCE: mailstats V0.21

A few people have been asking so here it is!

A new version of mailstats is available - the main changes are:

* Added support to produce list of SpamAssassin traps triggered
* Added support for configurable message in access file
* Added support to produce 2 mrtg config files for better graphing
* Added support for multiple mail queue directories
* Corrected bug in virus update notification
* Added support to restrict the output in lists.

It can be downloaded from http://www.while.homeunix.net/mailstats

There is also a discussion forum available at http://www.while.homeunix.net/mailstats/phpBB2/

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

From splee at PLEXIO.COM Tue Sep 2 16:55:50 2003
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:19:42 2006
Subject: What's Going on here?
In-Reply-To: <005601c37155$86a1b7d0$0501a8c0@darkside>
References: <005601c37155$86a1b7d0$0501a8c0@darkside>
Message-ID: <1062518150.366.39.camel@ralph.plexio.private>

On Tue, 2003-09-02 at 06:24, Jason Balicki wrote:
> >I've seen a few instances like this and having quarantined them, I sent
> >them to Sophos. They were all broken copies. I've also sometimes seen
> >Sobig-like attachments which were in fact empty. There were quite a lot
> >like this with Bugbear which caused them to issue the Bugbear-Dam ide.
>
> Indeed, they have sent me a sbf-dam.ide that doesn't appear to have
> been publicly released (yet). If anyone is interested, you can email me
> and I'll send it along. Also, I'm sure Sophos would be happy to send
> it to anyone who asks.

At the height of the Sobig.F storm one of my mail servers (MS/Sophos/Exim) let through 3000+ copies of what appeared to be Sobig.F-like messages without any attachment. If there is no attachment, can Sophos still detect it? I guess there must be some other virus-like signature within the message.

Stephen

From dbird at SGHMS.AC.UK Tue Sep 2 16:58:48 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
References: <5.1.0.14.0.20030902104015.03c128a0@mail.enhtech.com>
Message-ID: <3F54BE38.1060402@sghms.ac.uk>

Errol Neal wrote:

> Hi all,
>
> My company has been using MailScanner for some time now and have been
> really pleased. Our primary platform for deployment is Solaris 9 on
> Sparc.
> We are going to be deploying several new servers and are pricing out the
> hardware for them. Since we depend on these systems and want them to be
> as efficient as possible, we want to target possible bottlenecks in a
> MailScanner system and put the capital there as opposed to just throwing
> money at
> the system.
>
> Right now what we are looking at is deploying a 2.4 Pentium IV system
> with
> IDE disks and 512MB of RAM. I personally think we should invest the money
> in the Disk IO and even go with Pentium III's but my employer is not so
> convinced. Of course everyone knows that SCSI is faster than standard IDE
> disks,
> however is that increase in performance noticeable on a MailScanner
> system?
> Is the performance on a P4 that much better than performance on a
> PIII? Since
> I do not have systems of this nature to test with I am turning to
> users of
> this software to help me invest my budget wisely to produce the best
> system
> I can.
>
> SCSI vs IDE, is the difference that noticeable?

In the context of MailScanner I couldn't say for definite but I very much suspect so since SCSI will perform better than IDE on the OS side ;-). Extra RAM will also do you a load of good.

> 64bit vs 32 bit, any performance gains there?

Again, see above, but I'll leave that one for Julian.

>
> Linux vs Solaris? Anybody got any ideas?

Whatever you're comfortable with, although the upgrade process etc with Linux is far easier. We were originally using Ultra5's about 18 months ago but changed to linux so we could use the rpms etc. (made life for a couple of my admins far easier ;-)

>
>
> PS our daily volume of mail passing through our MailScanners is somewhere
> in the neighborhood of 15-20K

We do that volume on each of our mailhubs (3). They are little Celeron 800's with 256Mb Ram and IDE disks. They each run MS/SA/DCC/Pyzor/Razor and 3 x virus scanners. I guess the question is how is your mail distributed? If you get a steady flow like we usually do, then this'd be OK. Having said that, with the current troughs and peaks we're seeing from viri like SoBig etc, these little fellas are starting to struggle (and occasionally fall over because of the load), so we're upgrading to Dual PIII 1.4Ghz with 512Mb RAM and SCSI-3 disks. These are relatively cheap (< £1300 ext VAT) from Dell (academic pricing) and will fly with our current load, and give us some room for growth.

>
>
> Thank you in advance,
>
>
> Regards,
>
> Errol U. Neal
>
> Errol Neal, Systems/Network Administrator
> eneal@enhtech.com
> Enhanced Technologies Inc.
> http://www.enhtech.com
> 703-924-0301 or 800-368-3249
> 703-924-0302 Fax
>

--
____________________________________
Daniel Bird
Network and Systems Manager
Department Of Information Services
St. George's Hospital Medical School
Tooting
London SW17 0RE
P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan@sghms.ac.uk
____________________________________
Everything is possible....except skiing through a revolving door

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From David.While at UCE.AC.UK Tue Sep 2 17:02:47 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:42 2006
Subject: feature request
Message-ID: <107DE25EC0216C45AEF670016024245F64417D@exchangea.staff.uce.ac.uk>

Sep 2 15:36:24 xxxxxx MailScanner[10247]: Virus and Content Scanning: Starting
******** Sep 2 15:36:25 xxxxxxMailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZlKq015377/thank_you.pif: Worm.Sobig.F FOUND
Sep 2 15:36:25 xxxxxx MailScanner[10247]: Virus Scanning: ClamAV found 1 infections
Sep 2 15:36:25 xxxxxx MailScanner[10247]: Virus Scanning: Found 1 viruses
Sep 2 15:36:25 xxxxxx MailScanner[10247]: Filename Checks: Possible MS-Dos program shortcut attack (thank_you.pif)
Sep 2 15:36:25 xxxxxx MailScanner[10247]: Filetype Checks: No executables (thank_you.pif)
Sep 2 15:36:25 xxxxxx MailScanner[10247]: Other Checks: Found 2 problems

Ideally I would like the IP address in the line marked with *s (apologies for the line wrap (if indeed it does!)

David While

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Tue 02/09/2003 15:27
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: feature request

At 13:36 02/09/2003, you wrote:
>What is the possibility of including the sending IP address in the virus
>lines in the log file entries?

Please can you give me an example of what log entries you mean.

>With the recent Sobig.F outbreak it would seem sensible to be able to do
>some automatic processing on the log files to determine the IP addresses
>that are sending them. My quick analysis of my log file shows that it is a
>few addresses sending large numbers to me.
>
>If this is possible I would then be able to add it as a feature to
>mailstats.pl to block persistent virus senders for a short period of time.
>
>-----------------------------------------------------------------
>David While
>Technical Development Manager
>Faculty of Computing, Information & English
>University of Central England
>Tel: 0121 331 6211
>-----------------------------------------------------------------

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dafydd.tomos at IMAGINET.CO.UK Tue Sep 2 15:23:36 2003
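Added example (not part of the original thread or of mailstats.pl): the virus-scanner line in the feature request above already carries the MTA queue ID in its path, so the sending IP can be recovered by joining that line against the MTA's own log entry for the same message. It assumes sendmail writes its usual "from=..., relay=host [ip]" line to the same log; the sample log, hostnames and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# "Incoming Work Dir" value quoted elsewhere in this archive.
WORK_DIR = "/var/spool/MailScanner/incoming"

# Virus scanner output as relayed by MailScanner (format shown in the thread).
FOUND_RE = re.compile(r"MailScanner\[\d+\]: (?P<path>/.+): (?P<virus>.+?) FOUND\s*$")
# ASSUMPTION: sendmail logs "<queue id>: from=..., relay=name [ip]" to the same file.
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=.*\brelay=(?P<relay>.+)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample. Hostnames and addresses are documentation values; only the
# first FOUND line reuses the queue ID and file name quoted in the thread.
SAMPLE_LOG = """\
Sep  2 15:36:01 mx sendmail[15377]: h82EZlKq015377: from=<a@example.com>, size=104312, nrcpts=1, proto=SMTP, relay=dsl1.example.net [192.0.2.10]
Sep  2 15:36:02 mx sendmail[15380]: h82EZmKq015380: from=<b@example.com>, size=104298, nrcpts=1, proto=SMTP, relay=dsl1.example.net [192.0.2.10]
Sep  2 15:36:03 mx sendmail[15391]: h82EZnKq015391: from=<c@example.org>, size=104305, nrcpts=1, proto=SMTP, relay=[198.51.100.7]
Sep  2 15:36:04 mx sendmail[15400]: h82EZpKq015400: from=<d@example.com>, size=208611, nrcpts=2, proto=SMTP, relay=dsl1.example.net [192.0.2.10]
Sep  2 15:36:05 mx sendmail[15410]: h82EZqKq015410: from=<e@example.org>, size=2048, nrcpts=1, proto=SMTP, relay=mail.example.org [203.0.113.5]
Sep  2 15:36:24 mx MailScanner[10247]: Virus and Content Scanning: Starting
Sep  2 15:36:25 mx MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZlKq015377/thank_you.pif: Worm.Sobig.F FOUND
Sep  2 15:36:25 mx MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZmKq015380/sample_b.pif: Worm.Sobig.F FOUND
Sep  2 15:36:25 mx MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZnKq015391/sample_c.pif: Worm.Sobig.F FOUND
Sep  2 15:36:25 mx MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZpKq015400/sample_d1.scr: Worm.Sobig.F FOUND
Sep  2 15:36:25 mx MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZpKq015400/sample_d2.pif: Worm.Sobig.F FOUND
Sep  2 15:36:25 mx MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZrKq015420/sample_e.pif: Worm.Sobig.F FOUND
Sep  2 15:36:25 mx MailScanner[10247]: Virus Scanning: ClamAV found 6 infections
"""


def queue_id_from_path(path, work_dir=WORK_DIR):
    """Return the MTA queue ID embedded in a work-directory path, or None."""
    prefix = work_dir.rstrip("/") + "/"
    if not path.startswith(prefix):
        return None
    parts = [p for p in path[len(prefix):].split("/") if p not in ("", ".")]
    # Layout seen in the thread: <worker pid>/<queue id>/<attachment name>
    if len(parts) < 3 or not parts[0].isdigit():
        return None
    return parts[1]


def relay_ips(lines):
    """Map queue ID -> connecting IP, taken from the MTA's from= lines."""
    relays = {}
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            ip = IP_RE.search(m.group("relay"))
            relays[m.group("qid")] = ip.group(1) if ip else "unknown"
    return relays


def infected_messages_by_ip(lines, work_dir=WORK_DIR):
    """Count infected messages per connecting IP (one count per queue ID)."""
    lines = list(lines)
    relays = relay_ips(lines)      # first pass: queue ID -> relay IP
    seen = set()
    counts = Counter()
    for line in lines:             # second pass: FOUND lines
        m = FOUND_RE.search(line)
        if not m:
            continue
        qid = queue_id_from_path(m.group("path"), work_dir)
        if qid is None or qid in seen:
            continue               # several infected parts in one message count once
        seen.add(qid)
        # relay= is the host that connected to this MTA, not the envelope sender.
        counts[relays.get(qid, "unknown")] += 1
    return counts


def persistent_senders(counts, threshold):
    """IPs with at least `threshold` infected messages, sorted."""
    return sorted(ip for ip, n in counts.items() if ip != "unknown" and n >= threshold)


if __name__ == "__main__":
    counts = infected_messages_by_ip(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:15} {n}")
    print("persistent:", persistent_senders(counts, threshold=3))
```

Infections whose queue ID has no matching from= line (for example because the log was rotated between delivery and scanning) are counted under "unknown" rather than dropped.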
From: dafydd.tomos at IMAGINET.CO.UK (Dafydd Tomos)
Date: Thu Jan 12 21:19:42 2006
Subject: sigpipe warnings in syslog
Message-ID: <20030902142336.GA15442@imaginet.co.uk>

Hi,

First of all thanks to Julian and all the other contributors to Mailscanner, for a great piece of software.

I am using Mailscanner on Debian/stable. I was previously using the Debian package of 3.27 but about 6 months ago, installed a copy of version 4 from the tar file. I have just upgraded to version 4.23-11 (from 4.21-9) and it all works fine apart from messages in syslog every time a new batch is processed:

SIGPIPE received - trying new log socket

This occurs using both the standard syslogd in Debian and syslog-ng. I guess it's only a warning, but was wondering if there was a way to stop it occurring.

cheers

--
Dafydd Tomos
Systems Administrator
Gweinyddwr Systemau
Imaginet Ltd
http://www.imaginet.co.uk/

From jharnish at CI.GRAND-RAPIDS.MI.US Tue Sep 2 15:52:45 2003
From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe)
Date: Thu Jan 12 21:19:42 2006
Subject: ANNOUNCE: mailstats V0.21
Message-ID: <221C759285B78647AEE6181FD6AF36A7078B91CD@bambi.grand-rapids.mi.us>

Hey I went out to this site to grab .21 and it was showing .23 as the latest but I can not download it.

Thanks

Joe

-----Original Message-----
From: David While [mailto:David.While@UCE.AC.UK]
Sent: Sunday, August 31, 2003 12:41 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ANNOUNCE: mailstats V0.21

A few people have been asking so here it is!

A new version of mailstats is available - the main changes are:

* Added support to produce list of SpamAssassin traps triggered
* Added support for configurable message in access file
* Added support to produce 2 mrtg config files for better graphing
* Added support for multiple mail queue directories
* Corrected bug in virus update notification
* Added support to restrict the output in lists.

It can be downloaded from http://www.while.homeunix.net/mailstats

There is also a discussion forum available at http://www.while.homeunix.net/mailstats/phpBB2/

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

From raymond at PROLOCATION.NET Tue Sep 2 17:03:15 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:42 2006
Subject: What's Going on here?
In-Reply-To: <1062518150.366.39.camel@ralph.plexio.private>
Message-ID:

Hi!

> > Indeed, they have sent me a sbf-dam.ide that doesn't appear to have
> > been publicly released (yet). If anyone is interested, you can email me
> > and I'll send it along. Also, I'm sure Sophos would be happy to send
> > it to anyone who asks.

> At the height of the Sobig.F storm one of my mail servers
> (MS/Sophos/Exim) let through 3000+ copies of what appeared to be
> Sobig.F-like messages without any attachment. If there is no attachment,
> can Sophos still detect it? I guess there must be some other virus-like
> signature within the message.

If there's no attachment it's no virus, it's just crap mail =) IMHO it's not to blame your virus scanner for that, but a content filter should take care of that :)

I think you could better call those 'SPAM' =)

Bye,
Raymond.

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Sep 2 17:08:30 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:19:42 2006
Subject: What's Going on here?
In-Reply-To: <1062518150.366.39.camel@ralph.plexio.private>
Message-ID: <009c01c3716c$73d87c80$0501a8c0@darkside>

>If there is no
>attachment,
>can Sophos still detect it?

I don't believe so. There are two "issues" with Sobig-F.

One issue is when Sobig-F sends no attachment -- not a problem, it'll get past any default checks (and will confuse the user) but no damage will be done. Your MTA may allow you to reject mail based on subject and/or other textual clues, and you may want to try that approach (not *just* subject though. :)

The second is the damaged Sobig-F executable. It will not run, but may get past a scanner. If the system in question is set up to not allow any executables through you're fine. (Most likely your AV vendor has an updated signature for the damaged Sobig-F by now though, so it should be getting tagged and stripped at this point.)

--J(K)

From errol.neal at ENHTECH.COM Tue Sep 2 17:10:31 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ADF9@pascal.priv.bmrb.co.uk>
Message-ID: <5.1.0.14.0.20030902115711.03f96d18@mail.enhtech.com>

At 04:47 PM 9/2/2003 +0100, you wrote:
>The best I/O improvement is by making sure you've got plenty of RAM and
>putting the MailScanner work directory in tmpfs (not either of the mail
>queues though!)

That is a bit scary for us. Unpacking messages in a memory based file system could be catastrophic. *Shudders*. Too scary to even think about it if for example, MailScanner dies and leaves a bunch of mail in the tmpfs and we unknowingly reboot the system... for us.. instant law suit. Can anyone explain how this works? Does MailScanner unpack messages 1 at a time, does it unpack all the messages bulky in this directory?

>Personally speaking ufs sucks and anything FS intensive struggles on
>Solaris (in fairness my experience is with low end machines, E250 and
>lower). You'll get more bang-per-buck using linux on Intel. Where
>Solaris excels is at the high end and I can't see why anyone would need a
>high end server for a mail load of only 15-20k.

We are using the lower end Netra T-1 and V Fire 100 (I think). Turning on logging increases performance dramatically. Compared against linux using XFS logging on ultra 160 drives, the performance is almost equal.

>If you've got the money for Sun hardware buy Intel and get an extra box
>for redundancy/ load balancing!

Lower end sun models are actually quite inexpensive these days. 550MHZ cpu, 512 RAM, two nics and 40GB ide for less than 1K US is not too bad. We actually have 3 systems deployed at the moment, each system handles about 15-20K messages a day, and that varies. I guess what I am trying to achieve as I said earlier is a strategic investment of dollars into what will make the difference most dramatically. For example, if 1 gig of ram will improve the systems performance over our current 512MB Ram in a much greater way than deploying SCSI based /var/ slices, I will put my money in the RAM and stick to my IDE disks. This is what I need to know.

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From Kevin.Spicer at BMRB.CO.UK Tue Sep 2 17:19:12 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649684@pascal.priv.bmrb.co.uk>

Errol Neal wrote:
> At 04:47 PM 9/2/2003 +0100, you wrote:
>> The best I/O improvement is by making sure you've got plenty of RAM
>> and putting the MailScanner work directory in tmpfs (not either of
>> the mail queues though!)
>
> That is a bit scary for us. Unpacking messages in a memory based
> file system could be catastrophic. *Shudders*. Too scary to even
> think about it if for example,
> MailScanner dies and leaves a bunch of mail in the tmpfs and we
> unknowingly reboot the system... for us.. instant law suit.
> Can anyone explain how this works? Does MailScanner unpack messages 1
> at a time, does it unpack all the messages bulky in this directory?

No, it's absolutely safe, so long as you only do this for the _work_ directory (/var/spool/MailScanner/incoming) and NOT the _queue_ directories (mqueue and mqueue.in). MailScanner never removes the queue files (even when it moves the files it actually just links them into the outgoing directory then unlinks them in the incoming directory IIRC). The MailScanner incoming directory is used to unpack batches of messages to be scanned. Should the System crash only these unpacked _copies_ of the original message will be lost, the original message will still be sitting there in mqueue.in (on a disk based filesystem) ready to be processed by MailScanner when it is restarted.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Kevin.Spicer at BMRB.CO.UK Tue Sep 2 17:29:50 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ADFA@pascal.priv.bmrb.co.uk>

Errol Neal wrote:
>> The best I/O improvement is by making sure you've got plenty of RAM
>> and putting the MailScanner work directory in tmpfs (not either of
>> the mail queues though!)
>
> Also, if one is to use the tmpfs, how large should the file system be?
>

number of MailScanner children * batch size (no of messages) * average mail size * margin of error

tmpfs resizes automatically, but obviously you don't want to run out of RAM and start swapping.

Here's a silly example...

5 children * batchsize 100 * average_size 200k [which is silly, who has many messages that size] * margin of error say 5 (cautious) = 488M

And that's using stupidly large numbers!, the real figures are probably an order of magnitude or two (but allow for peaks - what happens when every mail has an attachment, like some virus storms we've had). A cautious mind would probably spec 1G of ram (but 512M would probably be okay) with that batch size. In the real world though it's often worth decreasing the batch size to improve performance (which reduces the memory requirement).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at ecs.soton.ac.uk Tue Sep 2 17:44:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:42 2006
Subject: mail stuck in postfix.in
In-Reply-To:
Message-ID: <5.2.0.9.2.20030902174407.04c0f8d8@imap.ecs.soton.ac.uk>

Check your queue directories are set correctly in MailScanner.conf.

At 16:19 02/09/2003, you wrote:
>I installed mailscanner & spamassassin under redhat 9 and tried to
>configure it to work with postfix.
>
>postfix-1.1.12-1
>mailscanner 4.23-11
>mail-spamassassin 2.55
>
>I followed the instructions in "MailScanner Installation Guide - Postfix"
>
>postfix (2 copies) and mailscanner (many copies) both run after I do the
>service MailScanner start but inbound mail gets stuck
>in /var/spool/postfix.in/deferred.
>
>there are no errors in maillog but I don't see any mailscanner entries
>after the startup. It appears to not recognize the arrival of mail in the
>inbound queue.
>
>Any ideas on how to fix this?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mikea at MIKEA.ATH.CX Tue Sep 2 18:47:25 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:19:42 2006
Subject: mail stuck in postfix.in
In-Reply-To: <5.2.1.1.0.20030902131754.00b357c8@pension-key.com>; from peter.farago@PENSION-KEY.COM on Tue, Sep 02, 2003 at 01:18:38PM -0400
References: <5.2.0.9.2.20030902174407.04c0f8d8@imap.ecs.soton.ac.uk> <5.2.1.1.0.20030902131754.00b357c8@pension-key.com>
Message-ID: <20030902124725.A62355@mikea.ath.cx>

On Tue, Sep 02, 2003 at 01:18:38PM -0400, Peter A Farago wrote:
> See below
>
> At 05:44 PM 9/2/2003 +0100, you wrote:
> >Check you queue directories are set correctly in MailScanner.conf.
>
> Incoming Queue Dir = /var/spool/postfix.in
>
> # Set location of outgoing mail queue.
> # This can also be the filename of a ruleset.
> Outgoing Queue Dir = /var/spool/postfix
>
> # Set where to unpack incoming messages before scanning them
> Incoming Work Dir = /var/spool/MailScanner/incoming
>
> # Set where to store infected and message attachments (if they are kept)
> # This can also be the filename of a ruleset.
> Quarantine Dir = /var/spool/MailScanner/quarantine

Now:
o what directories does the inbound postfix instance expect to put inbound mail into;
o where does the outbound postfix instance expect to get its outbound mail;
o how many instances of postfix are running?

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From peter.farago at PENSION-KEY.COM Tue Sep 2 19:10:51 2003
From: peter.farago at PENSION-KEY.COM (Peter A Farago)
Date: Thu Jan 12 21:19:42 2006
Subject: mail stuck in postfix.in
In-Reply-To: <20030902124725.A62355@mikea.ath.cx>
References: <5.2.1.1.0.20030902131754.00b357c8@pension-key.com> <5.2.0.9.2.20030902174407.04c0f8d8@imap.ecs.soton.ac.uk> <5.2.1.1.0.20030902131754.00b357c8@pension-key.com>
Message-ID: <5.2.1.1.0.20030902140504.00b357c8@pension-key.com>

there are 2 instances running; inbound based on /etc/postfix.in and outbound based on /etc/postfix.

postfix.in/main.cf:queue_directory = /var/spool/postfix.in
postfix/main.cf:queue_directory = /var/spool/postfix

is mailscanner expected to pick up the mail from /var/spool/postfix.in and deliver it to the outbound instance? I don't think this is happening because I don't see any mailscanner activity in maillog after the initial startup.

At 12:47 PM 9/2/2003 -0500, you wrote:
>On Tue, Sep 02, 2003 at 01:18:38PM -0400, Peter A Farago wrote:
> > See below
> >
> > At 05:44 PM 9/2/2003 +0100, you wrote:
> > >Check you queue directories are set correctly in MailScanner.conf.
> >
> > Incoming Queue Dir = /var/spool/postfix.in
> >
> > # Set location of outgoing mail queue.
> > # This can also be the filename of a ruleset.
> > Outgoing Queue Dir = /var/spool/postfix
> >
> > # Set where to unpack incoming messages before scanning them
> > Incoming Work Dir = /var/spool/MailScanner/incoming
> >
> > # Set where to store infected and message attachments (if they are kept)
> > # This can also be the filename of a ruleset.
> > Quarantine Dir = /var/spool/MailScanner/quarantine
>
>Now:
>o what directories does the inbound postfix instance expect to
> put inbound mail into;
>
>o where does the outbound postfix instance expect to get
> its outbound mail;
>
>o how many instances of postfix are running?
>
>--
>Mike Andrews
>mikea@mikea.ath.cx
>Tired old sysadmin since 1964

From mike at CAMAROSS.NET Tue Sep 2 19:24:44 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:42 2006
Subject: ANNOUNCE: mailstats V0.21
In-Reply-To: <107DE25EC0216C45AEF670016024245F64417C@exchangea.staff.uce.ac.uk>
Message-ID: <005b01c3717f$7b8c3f80$a91cbdcf@home.middlefinger.net>

I'm getting this after upgrading to the new version:

ERROR: unable to open config file: /var/www/html/mailstats/mrtg1.cfg

What should be in this file? Seems like mailstats.pl used to create what it needed.

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David While
> Sent: Tuesday, September 02, 2003 10:54 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: ANNOUNCE: mailstats V0.21
>
>
> Whoops - sorry about that - it's there now.
>
> -----Original Message-----
> From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US]
> Sent: Tue 02/09/2003 15:52
> To: MAILSCANNER@JISCMAIL.AC.UK
> Cc:
> Subject: Re: ANNOUNCE: mailstats V0.21
>
>
> Hey I went out to this site to grab .21 and it was
> showing .23 as the latest but I can not download it.
>
> Thanks
>
> Joe
>
> -----Original Message-----
> From: David While [mailto:David.While@UCE.AC.UK]
> Sent: Sunday, August 31, 2003 12:41 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: ANNOUNCE: mailstats V0.21
>
>
> A few people have been asking so here it is!
>
> A new version of mailstats is available - the main changes are:
>
> * Added support to produce list of SpamAssassin traps triggered
> * Added support for configurable message in access file
> * Added support to produce 2 mrtg config files for better graphing
> * Added support for multiple mail queue directories
> * Corrected bug in virus update notification
> * Added support to restrict the output in lists.
>
> It can be downloaded from http://www.while.homeunix.net/mailstats
>
> There is also a discussion forum available at
> http://www.while.homeunix.net/mailstats/phpBB2/
>
>
>
> -----------------------------------------------------------------
> David While
> Technical Development Manager
> Faculty of Computing, Information & English
> University of Central England
> Tel: 0121 331 6211
>
> -----------------------------------------------------------------
>

From mike at CAMAROSS.NET Tue Sep 2 19:34:35 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:42 2006
Subject: ANNOUNCE: mailstats V0.21
In-Reply-To: <005b01c3717f$7b8c3f80$a91cbdcf@home.middlefinger.net>
Message-ID: <005c01c37180$dbd2be40$a91cbdcf@home.middlefinger.net>

Nevermind...I deleted the old mrtg.cfg and then it recreated everything.

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher
> Sent: Tuesday, September 02, 2003 1:25 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: ANNOUNCE: mailstats V0.21
>
>
> I'm getting this after upgrading to the new version:
>
> ERROR: unable to open config file: /var/www/html/mailstats/mrtg1.cfg
>
> What should be in this file? Seems like mailstats.pl used to
> create what it needed.
>
> Mike
>
>
> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of David While
> > Sent: Tuesday, September 02, 2003 10:54 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: ANNOUNCE: mailstats V0.21
> >
> >
> > Whoops - sorry about that - it's there now.
> >
> > -----Original Message-----
> > From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US]
> > Sent: Tue 02/09/2003 15:52
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Cc:
> > Subject: Re: ANNOUNCE: mailstats V0.21
> >
> >
> > Hey I went out to this site to grab .21 and it was showing .23
> > as the latest but I can not download it.
> >
> > Thanks
> >
> > Joe
> >
> > -----Original Message-----
> > From: David While [mailto:David.While@UCE.AC.UK]
> > Sent: Sunday, August 31, 2003 12:41 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: ANNOUNCE: mailstats V0.21
> >
> >
> > A few people have been asking so here it is!
> >
> > A new version of mailstats is available - the main changes are:
> >
> > * Added support to produce list of SpamAssassin traps triggered
> > * Added support for configurable message in access file
> > * Added support to produce 2 mrtg config files for better graphing
> > * Added support for multiple mail queue directories
> > * Corrected bug in virus update notification
> > * Added support to restrict the output in lists.
> >
> > It can be downloaded from http://www.while.homeunix.net/mailstats
> >
> > There is also a discussion forum available at
> > http://www.while.homeunix.net/mailstats/phpBB2/
> >
> >
> >
> > -----------------------------------------------------------------
> > David While
> > Technical Development Manager
> > Faculty of Computing, Information & English
> > University of Central England
> > Tel: 0121 331 6211
> >
> > -----------------------------------------------------------------
> >
>

From mailscanner at ecs.soton.ac.uk Tue Sep 2 19:29:31 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:42 2006
Subject: caramail domain
In-Reply-To: <5.2.0.9.0.20030902103737.00bbb2e0@beloit.edu>
Message-ID: <5.2.1.1.2.20030902192902.0273d308@imap.ecs.soton.ac.uk>

This is nothing to do with MailScanner. Please contact the SpamAssassin folks, as it's their setup.

At 16:52 02/09/2003, you wrote:
>FYI for everyone,
> I have researched the caramail.com domain issue and they must now be
>setting up legitimate email accounts with just username@caramail.com. I
>have had two legitimate accounts from caramail.com that were tagged as
>spam. I think caramail.com should probably get removed from the
>spamassassin domain name list. Regardless, I will either whitelist their
>domain or lower the weighted score for FAKE_HELO_DOTCOM. In the long run,
>I hope that spamassassin will take off caramail.com from the
>Fake_helo_dotcom list since I am guessing that many other sites will be
>tagging them falsely as well.
> Tim
>
>
>
>
>Tim Tyler
>Network Engineer - Beloit College
>tyler@beloit.edu

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Sep 2 19:39:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:42 2006
Subject: System Bottlenecks
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649684@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.1.1.2.20030902193547.0261a728@imap.ecs.soton.ac.uk>

At 17:19 02/09/2003, you wrote:
>Errol Neal wrote:
> > At 04:47 PM 9/2/2003 +0100, you wrote:
> >> The best I/O improvement is by making sure you've got plenty of RAM
> >> and putting the MailScanner work directory in tmpfs (not either of
> >> the mail queues though!)
> >
> > That is a bit scary for us. Unpacking messages in a memory based
> > file system could be catastrophic. *Shudders*. Too scary to even
> > think about it if for example,
> > MailScanner dies and leaves a bunch of mail in the tmpfs and we
> > unknowingly reboot the system... for us.. instant law suit.
> > Can anyone explain how this works? Does MailScanner unpack messages 1
> > at a time, does it unpack all the messages bulky in this directory?
>
>No, it's absolutely safe, so long as you only do this for the _work_
>directory (/var/spool/MailScanner/incoming) and NOT the _queue_
>directories (mqueue and mqueue.in). MailScanner never removes the queue
>files (even when it moves the files it actually just links them into the
>outgoing directory then unlinks them in the incoming directory IIRC). The
>MailScanner incoming directory is used to unpack batches of messages to be
>scanned. Should the System crash only these unpacked _copies_ of the
>original message will be lost, the original message will still be sitting
>there in mqueue.in (on a disk based filesystem) ready to be processed by
>MailScanner when it is restarted.

Just to confirm this, the above explanation is absolutely correct. There is no critical data ever stored in the MailScanner/incoming directory. Furthermore, MailScanner never takes responsibility for any message, there is always either the original in mqueue.in or the finished version in mqueue or both.
There is no situation in which the message is in neither queue. You can safely pull the plug on MailScanner at any time, you will not lose any mail, even if you do use tmpfs for MailScanner/incoming.

As for the size of tmpfs, the usual maximum figure is half your physical RAM. But as it expands and contracts as needed, you are best leaving it to the operating system to manage. It's better at adjusting it than you are.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Sep 2 19:34:01 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:42 2006
Subject: feature request
In-Reply-To: <107DE25EC0216C45AEF670016024245F64417D@exchangea.staff.uce.ac.uk>
Message-ID: <5.2.1.1.2.20030902193310.02727fe8@imap.ecs.soton.ac.uk>

At 17:02 02/09/2003, you wrote:
>Sep 2 15:36:24 xxxxxx MailScanner[10247]: Virus and Content Scanning: Starting
>******** Sep 2 15:36:25 xxxxxxMailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZlKq015377/thank_you.pif: Worm.Sobig.F FOUND

That bit of code is the virus scanner output parser. It knows nothing about individual messages at all, so it can't log the client IP. Sorry.

>Sep 2 15:36:25 xxxxxx MailScanner[10247]: Virus Scanning: ClamAV found 1 infections
>Sep 2 15:36:25 xxxxxx MailScanner[10247]: Virus Scanning: Found 1 viruses
>Sep 2 15:36:25 xxxxxx MailScanner[10247]: Filename Checks: Possible MS-Dos program shortcut attack (thank_you.pif)
>Sep 2 15:36:25 xxxxxx MailScanner[10247]: Filetype Checks: No executables (thank_you.pif)
>Sep 2 15:36:25 xxxxxx MailScanner[10247]: Other Checks: Found 2 problems
>
>Ideally I would like the IP address in the line marked with *s (apologies
>for the line wrap (if indeed it does!)
>
>David While
>
> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tue 02/09/2003 15:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Cc: > Subject: Re: feature request > > > > At 13:36 02/09/2003, you wrote: > >What is the possibility of including the sending IP address in > the virus > >lines in the log file entries? > > Please can you give me an example of what log entries you mean. > > > >With the recent Sobig.F outbreak it would seem sensible to be > able to do > >some automatic processing on the log files to determine the IP > addresses > >that are sending them. My quick analysis of my log file shows > that it is a > >few addresses sending large numbers to me. > > > >If this is possible I would then be able to add it as a feature to > >mailstats.pl to block persistent virus senders for a short > period of time. > > > >----------------------------------------------------------------- > >David While > >Technical Development Manager > >Faculty of Computing, Information & English > >University of Central England > >Tel: 0121 331 6211 > >----------------------------------------------------------------- > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From joshua.hirsh at PARTNERSOLUTIONS.CA Tue Sep 2 20:06:24 2003 
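The scanner line quoted in the message above carries the sendmail queue ID in its path (h82EZlKq015377), so the sending IP can be recovered outside MailScanner by joining that ID to sendmail's own `from=... relay=` entry in the same maillog. This is an added example, not code from MailScanner or mailstats; the function names are hypothetical and the sendmail lines, host names and addresses in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample maillog. The MailScanner lines follow the format quoted in
# the thread; the sendmail lines and the RFC 5737 addresses are made up.
SAMPLE_LOG = """\
Sep  2 15:36:20 mx1 sendmail[15377]: h82EZlKq015377: from=<a@example.com>, size=102400, class=0, nrcpts=1, msgid=<1@example.com>, proto=SMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Sep  2 15:36:21 mx1 sendmail[15380]: h82Ea1Kq015380: from=<b@example.org>, size=2048, class=0, nrcpts=1, msgid=<2@example.org>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Sep  2 15:36:22 mx1 sendmail[15391]: h82Ea5Kq015391: from=<c@example.com>, size=102400, class=0, nrcpts=1, msgid=<3@example.com>, proto=SMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Sep  2 15:36:24 mx1 MailScanner[10247]: Virus and Content Scanning: Starting
Sep  2 15:36:25 mx1 MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82EZlKq015377/thank_you.pif: Worm.Sobig.F FOUND
Sep  2 15:36:25 mx1 MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82Ea5Kq015391/details.pif: Worm.Sobig.F FOUND
Sep  2 15:36:25 mx1 MailScanner[10247]: /var/spool/MailScanner/incoming/10247/./h82Zz9Kq019999/movie.pif: Worm.Sobig.F FOUND
Sep  2 15:36:25 mx1 MailScanner[10247]: Virus Scanning: ClamAV found 3 infections
"""

# sendmail logs the connecting client once per accepted message, keyed by queue
# ID. Only "from=" lines are used: "to=" lines also carry relay=, but that is
# the next hop for delivery, not the sender.
RELAY_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=.*?\brelay=[^\[,]*"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]"
)

# ClamAV-style "<path>: <name> FOUND" line as logged by MailScanner. The path is
# <work dir>/<child pid>/./<queue ID>/<attachment>.
FOUND_RE = re.compile(
    r"MailScanner\[\d+\]: \S*/\./(?P<qid>[^/\s]+)/(?P<file>.+?): "
    r"(?P<virus>\S+) FOUND\s*$"
)


def senders_of_infected(log_text):
    """Return (Counter: client IP -> infected messages, queue IDs with no relay line)."""
    lines = log_text.splitlines()

    # Pass 1: queue ID -> client IP from sendmail's receive lines.
    relay = {}
    for line in lines:
        m = RELAY_RE.search(line)
        if m:
            relay[m.group("qid")] = m.group("ip")

    # Pass 2: infected queue IDs. A message with several infected attachments
    # produces several FOUND lines but must count once.
    infected = {}
    for line in lines:
        m = FOUND_RE.search(line)
        if m:
            infected.setdefault(m.group("qid"), set()).add(m.group("virus"))

    counts = Counter()
    unmatched = []
    for qid in infected:
        ip = relay.get(qid)
        if ip is None:
            # Receive line is missing, e.g. it was written before log rotation.
            unmatched.append(qid)
        else:
            counts[ip] += 1
    return counts, sorted(unmatched)


if __name__ == "__main__":
    counts, unmatched = senders_of_infected(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}\t{n} infected message(s)")
    for qid in unmatched:
        print(f"no relay line found for {qid}")
```

Queue IDs that end up in the unmatched list usually mean the receive line sits in a rotated log file, so feed the previous file in as well before acting on the counts.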
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:19:42 2006
Subject: mail stuck in postfix.in
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5ABE@eqmail1.efni.vpn>

Hi Peter,

It sounds like your MailScanner installation is looking in the wrong directory. For postfix, you should make sure that "Incoming Queue Dir" is set to /var/spool/postfix.in/deferred in /etc/MailScanner/MailScanner.conf.

Regards,
--
Joshua Hirsh
Systems Administration
Partner Solutions/ING Canada
455, avenue Saint-Joseph
Saint-Hyacinthe, Quebec J2S 8K8
(450) 778-9580 ext. 3798
joshua.hirsh@partnersolutions.ca

From TGFurnish at HERFF-JONES.COM Tue Sep 2 20:39:24 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:42 2006
Subject: Turn off all possible message changes for some users?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B71@inex1.herffjones.hj-int>

Seems like a straightforward question but I just want to make sure I'm not missing something before I deploy.

For our next phase of testing I want to have mailscanner start handling all the mail for several of our high-volume, many-user domains, but I only want a small subset of those users to actually be part of the testing - email for everyone else ought to be untouched (at least as far as a user is likely to notice). What is the proper / best way of doing that?

So far I've turned "Virus Scanning" and "Spam Checks" into rulesets. I've also configured the MTA (sendmail) to split messages with multiple recipients into one message per recipient. The rulesets look like so:

To: testuser@testdomain.com yes
FromOrTo: default no

I also set "Scanned Modify Subject" to a similar ruleset.

Anything else I'm missing and should turn off for non-test users before I deploy?

--
Trever

From Antony at SOFT-SOLUTIONS.CO.UK Tue Sep 2 20:43:17 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:42 2006 Subject: Turn off all possible message changes for some users? In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1B71@inex1.herffjones.hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF8E1B71@inex1.herffjones.hj-int> Message-ID: <200309021943.h82JhNc24927@agate.rockstone.co.uk> On Tuesday 02 September 2003 8:39 pm, Furnish, Trever G wrote: > For our next phase of testing I want to have mailscanner start handling all > the mail for several of our high-volume, many-user domains, but I only want > a small subset of those users to actually be part of the testing - email > for everyone else ought to be untouched (at least as far as a user is > likely to notice). What is the proper / best way of doing that? > > So far I've turned "Virus Scanning" and "Spam Checks" into rulesets. I've > also configured the MTA (sendmail) to split messages with multiple > recipients into one message per recipient. The rulesets look like so: > > To: testuser@testdomain.com yes > FromOrTo: default no > > I also set "Scanned Modify Subject" to a similar ruleset. > > Anything else I'm missing and should turn off for non-test users before I > deploy? Ensure that "Non Spam Actions" says something sensible for the non-test users. Antony. -- Windows: just another pane in the glass. From mike at CAMAROSS.NET Tue Sep 2 20:50:52 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:42 2006 Subject: Turn off all possible message changes for some users? In-Reply-To: <200309021943.h82JhNc24927@agate.rockstone.co.uk> Message-ID: <000001c3718b$84465320$a91cbdcf@home.middlefinger.net> Sounds like he's on the right track overall. I'd attribute that to Julian's straightforward and "simple" wording of the MailScanner.conf entries. A new user can have MailScanner up and running in a matter of minutes...even with rulesets! Mike > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Antony Stone > Sent: Tuesday, September 02, 2003 2:43 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Turn off all possible message changes for some users? > > > On Tuesday 02 September 2003 8:39 pm, Furnish, Trever G wrote: > > > For our next phase of testing I want to have mailscanner start > > handling all the mail for several of our high-volume, many-user > > domains, but I only want a small subset of those users to > actually be > > part of the testing - email for everyone else ought to be untouched > > (at least as far as a user is likely to notice). What is > the proper / > > best way of doing that? > > > > So far I've turned "Virus Scanning" and "Spam Checks" into > rulesets. > > I've also configured the MTA (sendmail) to split messages with > > multiple recipients into one message per recipient. The > rulesets look > > like so: > > > > To: testuser@testdomain.com yes > > FromOrTo: default no > > > > I also set "Scanned Modify Subject" to a similar ruleset. > > > > Anything else I'm missing and should turn off for non-test users > > before I deploy? > > Ensure that "Non Spam Actions" says something sensible for > the non-test users. > > Antony. > > -- > > Windows: just another pane in the glass. > From TGFurnish at HERFF-JONES.COM Tue Sep 2 20:57:28 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:42 2006
Subject: Turn off all possible message changes for some users?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C079E@inex1.herffjones.hj-int>

So far MS has been a joy to work with. I do wish there were some sort of doc (besides the source) that listed the exact sequence in which various checks happen and what the next step is for each possible outcome of a check - ie a flow chart of MailScanner message processing that answers questions like:

- "Which virus scanner gets the message first?"
- "If running multiple virus scanners, does the second scanner get the first message after the first scanner has processed the whole batch or just that message?"
- "If a message is marked as spam via a RBL list, does it still get passed to spamassassin?"

...and the one for my particular situation: "If 'Virus Scanning' and 'Spam Checks' are both 'no', then do the filename rules still get applied?"

Then again, maybe such a doc is already there and I've just missed it. :-)

> -----Original Message-----
> From: Mike Kercher [mailto:mike@CAMAROSS.NET]
> Sent: Tuesday, September 02, 2003 2:51 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Turn off all possible message changes for some users?
>
>
> Sounds like he's on the right track overall. I'd attribute that to
> Julian's straightforward and "simple" wording of the MailScanner.conf
> entries. A new user can have MailScanner up and running in a matter of
> minutes...even with rulesets!
>
> Mike
>
>
> > -----Original Message-----
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Antony Stone > > Sent: Tuesday, September 02, 2003 2:43 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Turn off all possible message changes for some users? > > > > > > On Tuesday 02 September 2003 8:39 pm, Furnish, Trever G wrote: > > > > > For our next phase of testing I want to have mailscanner start > > > handling all the mail for several of our high-volume, many-user > > > domains, but I only want a small subset of those users to > > actually be > > > part of the testing - email for everyone else ought to be > untouched > > > (at least as far as a user is likely to notice). What is > > the proper / > > > best way of doing that? > > > > > > So far I've turned "Virus Scanning" and "Spam Checks" into > > rulesets. > > > I've also configured the MTA (sendmail) to split messages with > > > multiple recipients into one message per recipient. The > > rulesets look > > > like so: > > > > > > To: testuser@testdomain.com yes > > > FromOrTo: default no > > > > > > I also set "Scanned Modify Subject" to a similar ruleset. > > > > > > Anything else I'm missing and should turn off for non-test users > > > before I deploy? > > > > Ensure that "Non Spam Actions" says something sensible for > > the non-test users. > > > > Antony. > > > > -- > > > > Windows: just another pane in the glass. > > > From llasad1 at yahoo.com Tue Sep 2 21:17:49 2003 
From: llasad1 at yahoo.com (lester lasad)
Date: Thu Jan 12 21:19:42 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <20030902201749.7637.qmail@web41411.mail.yahoo.com>

Mail is currently being accepted and queued but it is not being relayed to my internal mail server. I have not made any changes and this started occurring roughly around 1300 CDT. I have checked /var/log/messages and maillog and I am not finding anything in there that is pointing to the problem (I am fairly new to MailScanner, set it up and haven't had too many problems because it has been very stable).

I am able to ping and telnet to port 25 from my MailScanner box to my internal server, but the message just queues up and is never delivered.

Thanks in advance for your assistance and time. I haven't posted here in quite a while, if you need additional info please let me know. Thanks again.

---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/5a6815ff/attachment.html

From zabriskw at ITECH.NET Tue Sep 2 21:18:59 2003
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:19:42 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
References: <20030902201749.7637.qmail@web41411.mail.yahoo.com>
Message-ID: <00dc01c3718f$71cedbf0$0c02a8c0@itech.dom>

Check to see when the last time MailScanner took a load of messages to scan. Is MailScanner still running?

----- Original Message -----
From: lester lasad To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, September 02, 2003 4:17 PM Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Mail is currently being accepted and queued but it is not being relayed to my internal mail server. I have not made any changes and this started occurring roughly around 1300 CDT. I have checked /var/log/messages and maillog and I am not finding anything in there that is pointing to the problem (I am fairly new to MailScanner, set it up and haven't had to many problems because it has been very stable) I am able to ping and telnet to port 25 from my MailScanner box to my internal server, but the message just queues up and is never delivered. Thanks in advance for your assistance and time. I haven't posted here in quite awhile, if you need addtional info please let me know. Thanks again. ------------------------------------------------------------------------------ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/7dda3b1c/attachment.html From postmaster at mdh.se Tue Sep 2 21:28:26 2003 From: postmaster at mdh.se (MailScanner) Date: Thu Jan 12 21:19:43 2006 Subject: Varning: E-post fel upptäckt Message-ID: <200309022028.h82KSQ3v009911@dahlsten.mdh.se> Vår viruskontroll har blivit aktiverad p.g.a. ett meddelande ni skickat:- To: anette.mansson@mdh.se Subject: Re: That movie Date: Tue Sep 2 22:28:26 2003 En eller flera av bilagorna är på listan av icke accepterade bilagor för denna domän och kommer inte bli levererade till mottagaren. Försök att byta namn på filerna eller skicka filerna i "zip" format för att undvika att bilagorna inte blir levererade. Viruskontrollen sa detta om meddelandet: Rapport: Shortcuts to MS-Dos programs are very dangerous in email (details.pif) -- Mailscanner Virusskanner f÷r E-post www.mailscanner.info 
From: "MailScanner"
To: mailscanner@ecs.soton.ac.uk
Subject: Warning: E-mail viruses detected
X-MailScanner: generated

Our virus detector has just been triggered by a message you sent:-
  To: anette.mansson@mdh.se
  Subject: Re: That movie
  Date: Tue Sep 2 22:28:26 2003

One or more of the attachments are on the list of unacceptable attachments for this site and will not have been delivered.

Consider renaming the files or putting them into a "zip" file to avoid this constraint.

The virus detector said this about the message:
Report: Shortcuts to MS-Dos programs are very dangerous in email (details.pif)
--
MailScanner
Email Virus Scanner
www.mailscanner.info

From zabriskw at ITECH.NET Tue Sep 2 21:31:42 2003
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
References: <20030902202951.39010.qmail@web41402.mail.yahoo.com>
Message-ID: <00f301c37191$3892d790$0c02a8c0@itech.dom>

That same problem has happened to me numerous times. Unfortunately there is not a solution from what I have found. Try restarting MailScanner.

----- Original Message -----
From: lester lasad
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, September 02, 2003 4:29 PM
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

This is the last batch I saw in /var/log/maillog, everything else is just queueing up.

Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Found 2628 messages waiting
Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Forwarding 100 unscanned messages, 17285623 bytes

MailScanner is running

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
2257 root 15 0 11012 10M 7120 S 14.3 2.1 0:35 MailScanner

Kris Zabriskie wrote:
Check to see when the last time MailScanner took a load of messages to scan. Is MailScanner still running?

----- Original Message -----
From: lester lasad To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, September 02, 2003 4:17 PM Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Mail is currently being accepted and queued but it is not being relayed to my internal mail server. I have not made any changes and this started occurring roughly around 1300 CDT. I have checked /var/log/messages and maillog and I am not finding anything in there that is pointing to the problem (I am fairly new to MailScanner, set it up and haven't had to many problems because it has been very stable) I am able to ping and telnet to port 25 from my MailScanner box to my internal server, but the message just queues up and is never delivered. Thanks in advance for your assistance and time. I haven't posted here in quite awhile, if you need addtional info please let me know. Thanks again. -------------------------------------------------------------------------- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software ------------------------------------------------------------------------------ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/4ef0d89a/attachment.html From lists at TRCINTL.COM Tue Sep 2 21:35:48 2003 From: lists at TRCINTL.COM (Kyle Harris) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Message-ID: I too have seen that problem several times. I wouldn't say it is often, but I have seen it. That same problem has happened to me numerous times. Unfortunately there is not a solution from what I have found. Try restarting MailScanner. ----- Original Message ----- 
From: lester lasad To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, September 02, 2003 4:29 PM Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in This is the last batch I saw in /var/log/maillog, everything else is just queueing up. Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Found 2628 messages waiting Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Forwarding 100 unscanned messages, 17285623 bytes MailScanner is running PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND 2257 root 15 0 11012 10M 7120 S 14.3 2.1 0:35 MailScanner Kris Zabriskie wrote: Check to see when the last time MailScanner took a load of messages to scan. Is MailScanner still running? ----- Original Message ----- From: lester lasad To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, September 02, 2003 4:17 PM Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Mail is currently being accepted and queued but it is not being relayed to my internal mail server. I have not made any changes and this started occurring roughly around 1300 CDT. I have checked /var/log/messages and maillog and I am not finding anything in there that is pointing to the problem (I am fairly new to MailScanner, set it up and haven't had to many problems because it has been very stable) I am able to ping and telnet to port 25 from my MailScanner box to my internal server, but the message just queues up and is never delivered. Thanks in advance for your assistance and time. I haven't posted here in quite awhile, if you need addtional info please let me know. Thanks again. ---------------------------------------------------------------------------- ---- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software ---------------------------------------------------------------------------- ---- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software From raymond at PROLOCATION.NET Tue Sep 2 21:36:52 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <00f301c37191$3892d790$0c02a8c0@itech.dom> Message-ID: Hi! > That same problem has happened to me numerous times. Unfortunately > there is not a solution from what I have found. Try restarting > MailScanner. If numerous people see this it really must be a problem. Julian i also reported that one, i iknow its most likely hard to find, but is there a way we can track/trace that ? Bye, Raymond. From llasad1 at yahoo.com Tue Sep 2 21:45:14 2003 From: llasad1 at yahoo.com (lester lasad) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: Message-ID: <20030902204514.12907.qmail@web41411.mail.yahoo.com> I have restarted MailScanner and restarted the the OS as well. Still no luck. Thanks for any suggestions. I'm kinda in a bind here routing up to 15 -20 K messages per day. Raymond Dijkxhoorn wrote:Hi! > That same problem has happened to me numerous times. Unfortunately > there is not a solution from what I have found. Try restarting > MailScanner. If numerous people see this it really must be a problem. Julian i also reported that one, i iknow its most likely hard to find, but is there a way we can track/trace that ? Bye, Raymond. --------------------------------- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/ae658e96/attachment.html From raymond at PROLOCATION.NET Tue Sep 2 21:45:28 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: Message-ID: Hi! > > That same problem has happened to me numerous times. Unfortunately > > there is not a solution from what I have found. Try restarting > > MailScanner. > If numerous people see this it really must be a problem. Julian i also > reported that one, i iknow its most likely hard to find, but is there a > way we can track/trace that ? Could we have a look at version numbers and scanners installed, perhaps we can pinpoint things ? I am running latest MS with f-prot ... Bye, Raymond. From zabriskw at ITECH.NET Tue Sep 2 21:46:48 2003 From: zabriskw at ITECH.NET (Kris Zabriskie) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in References: <20030902204514.12907.qmail@web41411.mail.yahoo.com> Message-ID: <010601c37193$54d089f0$0c02a8c0@itech.dom> I have rebooted numerous times, and it will not fix it. Keep restarting MailScanner. EVENTUALLY it will kick in. No telling how may times though. ----- Original Message ----- 
From: lester lasad To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, September 02, 2003 4:45 PM Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in I have restarted MailScanner and restarted the the OS as well. Still no luck. Thanks for any suggestions. I'm kinda in a bind here routing up to 15 -20 K messages per day. Raymond Dijkxhoorn wrote: Hi! > That same problem has happened to me numerous times. Unfortunately > there is not a solution from what I have found. Try restarting > MailScanner. If numerous people see this it really must be a problem. Julian i also reported that one, i iknow its most likely hard to find, but is there a way we can track/trace that ? Bye, Raymond. ------------------------------------------------------------------------------ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/12f981f3/attachment.html From zabriskw at ITECH.NET Tue Sep 2 21:47:28 2003 From: zabriskw at ITECH.NET (Kris Zabriskie) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in References: Message-ID: <010c01c37193$6c700e00$0c02a8c0@itech.dom> Im running the latest stable version of MS also using SpamAssasin. No Virus scanning. ----- Original Message ----- 
From: "Raymond Dijkxhoorn" To: Sent: Tuesday, September 02, 2003 4:45 PM Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in > Hi! > > > > That same problem has happened to me numerous times. Unfortunately > > > there is not a solution from what I have found. Try restarting > > > MailScanner. > > > If numerous people see this it really must be a problem. Julian i also > > reported that one, i iknow its most likely hard to find, but is there a > > way we can track/trace that ? > > Could we have a look at version numbers and scanners installed, perhaps we > can pinpoint things ? > > I am running latest MS with f-prot ... > > Bye, > Raymond. > From llasad1 at yahoo.com Tue Sep 2 21:49:17 2003 From: llasad1 at yahoo.com (lester lasad) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: Message-ID: <20030902204917.55528.qmail@web41408.mail.yahoo.com> I am running MS 4.21-9, with spamassassin 2.50-3. I am not running any virus protection becuase my internal mail server scans all incoming and outgoing mail for viruses. Raymond Dijkxhoorn wrote:Hi! > > That same problem has happened to me numerous times. Unfortunately > > there is not a solution from what I have found. Try restarting > > MailScanner. > If numerous people see this it really must be a problem. Julian i also > reported that one, i iknow its most likely hard to find, but is there a > way we can track/trace that ? Could we have a look at version numbers and scanners installed, perhaps we can pinpoint things ? I am running latest MS with f-prot ... Bye, Raymond. --------------------------------- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/526ecceb/attachment.html From mike at CAMAROSS.NET Tue Sep 2 21:53:36 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <20030902204514.12907.qmail@web41411.mail.yahoo.com> Message-ID: <001e01c37194$48124040$640ba8c0@home.middlefinger.net> You don't, by chance, still have Osirusoft defined in your config, do you? You might also try lowering the number of messages per batch from 100 down to 30 or so and see if you can spot a bottleneck there. It might also help to enable Debug'ing of MailScanner. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of lester lasad Sent: Tuesday, September 02, 2003 3:45 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in I have restarted MailScanner and restarted the the OS as well. Still no luck. Thanks for any suggestions. I'm kinda in a bind here routing up to 15 -20 K messages per day. Raymond Dijkxhoorn wrote: Hi! > That same problem has happened to me numerous times. Unfortunately > there is not a solution from what I have found. Try restarting > MailScanner. If numerous people see this it really must be a problem. Julian i also reported that one, i iknow its most likely hard to find, but is there a way we can track/trace that ? Bye, Raymond. Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software From raymond at PROLOCATION.NET Tue Sep 2 21:53:26 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <001e01c37194$48124040$640ba8c0@home.middlefinger.net> Message-ID: Mike, > You don't, by chance, still have Osirusoft defined in your config, do you? > You might also try lowering the number of messages per batch from 100 down > to 30 or so and see if you can spot a bottleneck there. It might also help > to enable Debug'ing of MailScanner. I tried everything :) Batches are small, but it keeps locking up, told Julian but i guess its hard to find whats going on in situations like this. And no, removed Osirusoft as soon as i saw timeouts on that, and not even using SA on the boxes. Bye, Raymond. From raymond at PROLOCATION.NET Tue Sep 2 22:05:25 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <002b01c37195$3186a7c0$640ba8c0@home.middlefinger.net> Message-ID: Hi Mike, > An extra check sure wouldn't hurt on the MS box! If you don't want to spend > money on it, give ClamAV a shot at initial detection anyway :) > I am running MS 4.21-9, with spamassassin 2.50-3. I am not running any > virus protection becuase my internal mail server scans all incoming and > outgoing mail for viruses. IF! all is going like normal i am also scanning with Clam, but with the current load thats not really smart :) Bye, Raymond. From kevins at BMRB.CO.UK Tue Sep 2 22:02:14 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A78C2@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A78C2@pascal.priv.bmrb.co.uk>
Message-ID: <1062536537.30875.9.camel@bach.kevinspicer.co.uk>

On Tue, 2003-09-02 at 21:53, Mike Kercher wrote:
>You don't, by chance, still have Osirusoft defined in your config, do
>You might also try lowering the number of messages per batch from 100 down
>to 30 or so and see if you can spot a bottleneck there. It might also help
>to enable Debug'ing of MailScanner.

Other suggestions along similar lines

Turn off Bayes, Autowhitelisting (should be off already) and set skip_rbl_checks in spam.assassin.prefs.conf. Then try restarting MailScanner. Also turn off razor, pyzor and dcc in that file (if you use them). If this helps re-enable them one at a time until the problem recurs.

settings in spam.assassin.prefs.conf (these are for SA 2.6 but presumably the same for 2.55)

skip_rbl_checks 1
use_dcc 0
use_pyzor 0
use_razor2 0
use_bayes 0

in MailScanner.conf

SpamAssassin Auto Whitelist = no

Also, if you have any virus scanner installed - EVEN IF YOU ARE NOT USING IT! make sure you don't have upgrade_virus_scanners in /etc/cron.hourly.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mike at CAMAROSS.NET Tue Sep 2 22:11:03 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
Message-ID: <002c01c37196$b80eb2f0$640ba8c0@home.middlefinger.net>

OS and version?

I run MS/SA/Sophos on multiple RHAS, RH7.2 and RH7.3 boxes with no failures yet.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
Sent: Tuesday, September 02, 2003 3:53 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

Mike,

> You don't, by chance, still have Osirusoft defined in your config, do
> you? You might also try lowering the number of messages per batch from
> 100 down to 30 or so and see if you can spot a bottleneck there. It
> might also help to enable Debug'ing of MailScanner.

I tried everything :) Batches are small, but it keeps locking up, told Julian but I guess it's hard to find what's going on in situations like this. And no, removed Osirusoft as soon as I saw timeouts on that, and not even using SA on the boxes.

Bye,
Raymond.

From llasad1 at YAHOO.COM Tue Sep 2 22:16:30 2003
From: llasad1 at YAHOO.COM (lester lasad)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <010601c37193$54d089f0$0c02a8c0@itech.dom>
Message-ID: <20030902211630.15844.qmail@web41405.mail.yahoo.com>

It seems to be kicking in after restarting MS a few times, but it seems to stop after about a few minutes. I have been restarting but this can't be the solution. Thanks for the suggestions.

Kris Zabriskie wrote:

I have rebooted numerous times, and it will not fix it. Keep restarting MailScanner. EVENTUALLY it will kick in. No telling how many times though.

----- Original Message -----
From: lester lasad
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, September 02, 2003 4:45 PM
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

I have restarted MailScanner and restarted the OS as well. Still no luck. Thanks for any suggestions. I'm kinda in a bind here routing up to 15 -20 K messages per day.

Raymond Dijkxhoorn wrote:

Hi!

> That same problem has happened to me numerous times. Unfortunately
> there is not a solution from what I have found. Try restarting
> MailScanner.

If numerous people see this it really must be a problem. Julian I also reported that one, I know it's most likely hard to find, but is there a way we can track/trace that ?

Bye,
Raymond.

From errol.neal at ENHTECH.COM Tue Sep 2 17:16:02 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:43 2006
Subject: System Bottlenecks
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ADF9@pascal.priv.bmrb.co.uk>
Message-ID: <5.1.0.14.0.20030902121510.0421cdd8@mail.enhtech.com>

>The best I/O improvement is by making sure you've got plenty of RAM and
>putting the MailScanner work directory in tmpfs (not either of the mail
>queues though!)

Also, if one is to use the tmpfs, how large should the file system be?

Errol Neal

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From raymond at PROLOCATION.NET Tue Sep 2 22:18:20 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <002c01c37196$b80eb2f0$640ba8c0@home.middlefinger.net>
Message-ID:

Hi!

> I run MS/SA/Sophos on multiple RHAS, RH7.2 and RH7.3 boxes with no failures
> yet.

RH9 on two of the boxes.

Bye,
Raymond.

From mike at CAMAROSS.NET Tue Sep 2 17:24:35 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:43 2006
Subject: System Bottlenecks
In-Reply-To: <5.1.0.14.0.20030902115711.03f96d18@mail.enhtech.com>
Message-ID: <003e01c3716e$b278d370$a91cbdcf@home.middlefinger.net>

Julian would have to confirm, but I believe that sendmail keeps a copy of the email until it has been successfully delivered (assuming you don't have supersafe disabled). I refer quite often to my Sendmail Performance Tuning book and still learn new stuff all the time.

Although the newer IDE drives are close to SCSI in speed, the performance of SCSI drives comes from the on-board CPU of the SCSI controller. On IDE systems, the disk subsystem has to use the system CPU for processing.

All of my mail servers are PIII-800 and below with at least a gig of RAM. I host email for several law firms and have never lost an email yet and I do use a tmpfs for the workdir.

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Errol Neal
> Sent: Tuesday, September 02, 2003 11:11 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: System Bottlenecks
>
>
> At 04:47 PM 9/2/2003 +0100, you wrote:
> >The best I/O improvement is by making sure you've got plenty of RAM and
> >putting the MailScanner work directory in tmpfs (not either of the mail
> >queues though!)
>
> That is a bit scary for us. Unpacking messages in a memory
> based file system could be catastrophic. *Shudders*. Too
> scary to even think about it if for example, MailScanner dies
> and leaves a bunch of mail in the tmpfs and we unknowingly
> reboot the system... for us.. instant law suit. Can anyone
> explain how this works? Does MailScanner unpack messages 1 at
> a time, does it unpack all the messages bulky in this directory?
>
> >Personally speaking ufs sucks and anything FS intensive struggles on
> >Solaris (in fairness my experience is with low end machines, E250 and
> >lower). You'll get more bang-per-buck using linux on Intel. Where
> >Solaris excels is at the high end and I can't see why anyone would need
> >a high end server for a mail load of only 15-20k.
>
> We are using the lower end Netra T-1 and V Fire 100 (I
> think). Turning on logging increases performance
> dramatically. Compared against linux using XFS logging on
> ultra 160 drives, the performance is almost equal.
>
> >If you've got the money for Sun hardware buy Intel and get an extra box
> >for redundancy/ load balancing!
>
> Lower end sun models are actually quite inexpensive these
> days. 550MHZ cpu, 512 RAM, two nics and 40GB ide for less and
> 1K US is not too bad.
>
> We actually have 3 systems deployed at the moment, each
> system handles about 15-20K messages a day, and that varies.
> I guess what I am trying to achieve as I said earlier is a
> strategic investment of dollars into what will make the
> difference most dramatically. For example, if 1 gig of ram
> will improve the systems performance over our current 512MB
> Ram in a much greater way than deploying SCSI based /var/
> slices, I will put my money in the RAM and stick to my IDE
> disks. This is what I need to know.
>
>
> Errol Neal, Systems/Network Administrator
> eneal@enhtech.com
> Enhanced Technologies Inc.
> http://www.enhtech.com
> 703-924-0301 or 800-368-3249
> 703-924-0302 Fax
>

From raymond at PROLOCATION.NET Tue Sep 2 22:19:55 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030902211630.15844.qmail@web41405.mail.yahoo.com>
Message-ID:

Hi!

> It seems to be kicking in after restarting MS a few times, but it seems
> to stop after about a few minutes. I have been restarting but this
> can't be the solution. Thanks for the suggestions.

Doing the same at the moment. The strange thing is when I even do a service MS reload it seems to speed it up already. But after a few batches it seems either terrible slow or completely frozen.

Julian! :)

Bye,
Raymond.

From raymond at PROLOCATION.NET Tue Sep 2 22:23:35 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <000801c37198$38ea9050$0c02a8c0@itech.dom>
Message-ID:

Hi!

> Keep going! It eventually will kick off again. If you tail the log,
> you will notice (if you experiencing the same problem I have), that
> MailScanner will grab a handful of mail (like 100 messages), and nothing
> is done with them. If you see the RBLs going, then you know it is
> working, or if it is passing it off to SA (if it is being ran). Check
> in mqueue.in and see if there is a core dump file. I noticed one on
> mine. Blow it away. I have no idea what it does, but it was huge and I
> wanted it out of there. The only thing I can tell ya is, don't answer
> the phone (people will start complaining) and just keep restarting MS.

Hahahaha ok.

Bye,
Raymond.

From steve.douglas at SBIINCORPORATED.COM Tue Sep 2 17:32:34 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:19:43 2006
Subject: ANNOUNCE: Stable 4.23-11 released
Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FC61@mail.gardenbotanika.com>

I have not yet ever performed an update. I am using 4.22.xx on RedHat v9 via RPM with the latest f-prot. I know there is an entry on just performing the RPM update, but is there anything you might recommend on the side that I back first and an extra precaution before running the new RPM? I already have the rules and .conf files backed up.

Thank you.

SD :-)

> -----Original Message-----
> From: Brett Moss [mailto:bamcomp@YAHOO.COM]
> Sent: Monday, September 01, 2003 7:22 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: ANNOUNCE: Stable 4.23-11 released
>
> hello again,
> sorry but i had forgot to change the mcafee-wrapper
> from rpmnew
> this is what happens when working between 2 and 5 am i
> guess
> thanks again
> brett
>
> > i am unable to find an -I switch
> >
> > -I: invalid switch or incorrect usage
> >

From kevins at BMRB.CO.UK Tue Sep 2 22:32:15 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A78C8@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A78C8@pascal.priv.bmrb.co.uk>
Message-ID: <1062538338.31636.4.camel@bach.kevinspicer.co.uk>

On Tue, 2003-09-02 at 22:16, lester lasad wrote:
>It seems to be kicking in after restarting MS a few times, but it seems
>to stop after about a few minutes. I have been restarting but this
>can't be the solution. Thanks for the suggestions.

Are you running the very latest MailScanner? IIRC there is a bug in the Denial of Service Protection Code which has just been fixed (I think Julian posted a patch to the list, as now's not the time to be upgrading!)

If you get desperate, you said you weren't virus scanning with MS, just turn MS off, start up sendmail (the regular standalone way) and dump the contents of mqueue.in into mqueue [mail & spam is better than no mail, just]. Then have another shot with MS when it's quieter (if there's a particular message causing problems this would also get it out of the system.)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at ecs.soton.ac.uk Tue Sep 2 21:27:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:43 2006
Subject: Turn off all possible message changes for some users?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1B71@inex1.herffjones.hj-int>
Message-ID: <5.2.1.1.2.20030902212650.038eec68@imap.ecs.soton.ac.uk>

At 20:39 02/09/2003, you wrote:
>Seems like a straightforward question but I just want to make sure I'm not
>missing something before I deploy.
>
>For our next phase of testing I want to have mailscanner start handling all
>the mail for several of our high-volume, many-user domains, but I only want
>a small subset of those users to actually be part of the testing - email for
>everyone else ought to be untouched (at least as far as a user is likely to
>notice). What is the proper / best way of doing that?
>
>So far I've turned "Virus Scanning" and "Spam Checks" into rulesets. I've
>also configured the MTA (sendmail) to split messages with multiple
>recipients into one message per recipient. The rulesets look like so:
>
>To: testuser@testdomain.com yes
>FromOrTo: default no
>
>I also set "Scanned Modify Subject" to a similar ruleset.
>
>Anything else I'm missing and should turn off for non-test users before I
>deploy?

Virus Scanning and Spam Checks should do the trick,

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From raymond at prolocation.net Tue Sep 2 22:48:40 2003
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030902214753.55490.qmail@web41414.mail.yahoo.com>
Message-ID:

Hi!

> Kevin Spicer wrote: On Tue, 2003-09-02 at 22:16, lester lasad wrote:
> >It seems to be kicking in after restarting MS a few times, but it seems
> >to stop after about a few minutes. I have been restarting but this
> >can't be the solution. Thanks for the suggestions.

Sure, no problem at all.

Bye,
Raymond.

From llasad1 at YAHOO.COM Tue Sep 2 22:47:53 2003
From: llasad1 at YAHOO.COM (lester lasad)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <1062538338.31636.4.camel@bach.kevinspicer.co.uk>
Message-ID: <20030902214753.55490.qmail@web41414.mail.yahoo.com>

question, I have a secondary MS server, there are a few emails that our VP's need with attachments. Once I locate these emails in /var/spool/mqueue.in can I copy them to the other servers mqueue.in? Never done it, if anyone has I would like to know (and how did you do it?)

Kevin Spicer wrote:

On Tue, 2003-09-02 at 22:16, lester lasad wrote:
>It seems to be kicking in after restarting MS a few times, but it seems
>to stop after about a few minutes. I have been restarting but this
>can't be the solution. Thanks for the suggestions.

Are you running the very latest MailScanner? IIRC there is a bug in the Denial of Service Protection Code which has just been fixed (I think Julian posted a patch to the list, as now's not the time to be upgrading!)

If you get desperate, you said you weren't virus scanning with MS, just turn MS off, start up sendmail (the regular standalone way) and dump the contents of mqueue.in into mqueue [mail & spam is better than no mail, just]. Then have another shot with MS when it's quieter (if there's a particular message causing problems this would also get it out of the system.)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From peter.farago at PENSION-KEY.COM Tue Sep 2 18:18:38 2003
From: peter.farago at PENSION-KEY.COM (Peter A Farago)
Date: Thu Jan 12 21:19:43 2006
Subject: mail stuck in postfix.in
In-Reply-To: <5.2.0.9.2.20030902174407.04c0f8d8@imap.ecs.soton.ac.uk>
References:
Message-ID: <5.2.1.1.0.20030902131754.00b357c8@pension-key.com>

See below

At 05:44 PM 9/2/2003 +0100, you wrote:
>Check you queue directories are set correctly in MailScanner.conf.

Incoming Queue Dir = /var/spool/postfix.in

# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/postfix

# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/MailScanner/incoming

# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/quarantine

From llasad1 at yahoo.com Tue Sep 2 21:29:51 2003
From: llasad1 at yahoo.com (lester lasad)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <00dc01c3718f$71cedbf0$0c02a8c0@itech.dom>
Message-ID: <20030902202951.39010.qmail@web41402.mail.yahoo.com>

This is the last batch I saw in /var/log/maillog, everything else is just queueing up.

Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Found 2628 messages waiting
Sep 2 15:30:54 pcalaklx01 MailScanner[2285]: New Batch: Forwarding 100 unscanned messages, 17285623 bytes

MailScanner is running

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
2257 root 15 0 11012 10M 7120 S 14.3 2.1 0:35 MailScanner

Kris Zabriskie wrote:

Check to see when the last time MailScanner took a load of messages to scan. Is MailScanner still running?

----- Original Message -----
From: lester lasad
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, September 02, 2003 4:17 PM
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in

Mail is currently being accepted and queued but it is not being relayed to my internal mail server. I have not made any changes and this started occurring roughly around 1300 CDT. I have checked /var/log/messages and maillog and I am not finding anything in there that is pointing to the problem (I am fairly new to MailScanner, set it up and haven't had too many problems because it has been very stable)

I am able to ping and telnet to port 25 from my MailScanner box to my internal server, but the message just queues up and is never delivered.

Thanks in advance for your assistance and time. I haven't posted here in quite awhile, if you need additional info please let me know. Thanks again.

From mike at CAMAROSS.NET Tue Sep 2 22:00:06 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030902204917.55528.qmail@web41408.mail.yahoo.com>
Message-ID: <002b01c37195$3186a7c0$640ba8c0@home.middlefinger.net>

An extra check sure wouldn't hurt on the MS box! If you don't want to spend money on it, give ClamAV a shot at initial detection anyway :)

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of lester lasad
Sent: Tuesday, September 02, 2003 3:49 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

I am running MS 4.21-9, with spamassassin 2.50-3. I am not running any virus protection because my internal mail server scans all incoming and outgoing mail for viruses.

Raymond Dijkxhoorn wrote:

Hi!

> > That same problem has happened to me numerous times. Unfortunately
> > there is not a solution from what I have found. Try restarting
> > MailScanner.
> If numerous people see this it really must be a problem. Julian I also
> reported that one, I know it's most likely hard to find, but is there a
> way we can track/trace that ?

Could we have a look at version numbers and scanners installed, perhaps we can pinpoint things ?

I am running latest MS with f-prot ...

Bye,
Raymond.

From zabriskw at ITECH.NET Tue Sep 2 22:21:49 2003
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
References: <20030902211630.15844.qmail@web41405.mail.yahoo.com>
Message-ID: <000801c37198$38ea9050$0c02a8c0@itech.dom>

Keep going! It eventually will kick off again. If you tail the log, you will notice (if you experiencing the same problem I have), that MailScanner will grab a handful of mail (like 100 messages), and nothing is done with them. If you see the RBLs going, then you know it is working, or if it is passing it off to SA (if it is being ran). Check in mqueue.in and see if there is a core dump file. I noticed one on mine. Blow it away. I have no idea what it does, but it was huge and I wanted it out of there. The only thing I can tell ya is, don't answer the phone (people will start complaining) and just keep restarting MS.

----- Original Message -----
From: lester lasad
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, September 02, 2003 5:16 PM
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

It seems to be kicking in after restarting MS a few times, but it seems to stop after about a few minutes. I have been restarting but this can't be the solution. Thanks for the suggestions.

Kris Zabriskie wrote:

I have rebooted numerous times, and it will not fix it. Keep restarting MailScanner. EVENTUALLY it will kick in. No telling how many times though.

----- Original Message -----
From: lester lasad
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, September 02, 2003 4:45 PM
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

I have restarted MailScanner and restarted the OS as well. Still no luck. Thanks for any suggestions. I'm kinda in a bind here routing up to 15 -20 K messages per day.

Raymond Dijkxhoorn wrote:

Hi!

> That same problem has happened to me numerous times. Unfortunately
> there is not a solution from what I have found. Try restarting
> MailScanner.

If numerous people see this it really must be a problem. Julian I also reported that one, I know it's most likely hard to find, but is there a way we can track/trace that ?

Bye,
Raymond.

From m.sapsed at BANGOR.AC.UK Tue Sep 2 18:28:11 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:19:43 2006
Subject: Does MailScanner configuration error?
References: <000801c37104$9ee10220$640ba8c0@home.middlefinger.net> <3F547794.7080707@bangor.ac.uk>
Message-ID: <3F54D32B.8050704@bangor.ac.uk>

Peter Peters wrote:
> On Tue, 2 Sep 2003 11:57:24 +0100, you wrote:
>>>Perhaps they are looking at your headers which more than likely say
>>>"X-MailScanner: Found to be clean"
>>>
>>>Search your MailScanner.conf for that and change it to something OTHER than
>>>Found to be clean and see if that helps.
>>
>>I thought Julian's recommendation was to change the X-MailScanner: bit
>>rather than the body - dopey filterers may be dumping based on the
>>presence of the header rather than what it says?
>
> I have seen bounces from this same kind of software. Because we have
> changed the headers I presumed this server still uses osirusoft.

But surely then the e-mails would bounce whether he had MailScanner turned off or on wouldn't they? The impression I got of the original problem was that the bounces were caused by something which MailScanner adds to the messages.

Cheers,

Martin

--
Martin Sapsed                    Information Services
"Who do you say I am?"           University of Wales, Bangor
        Jesus of Nazareth

From waldner at WALDNER.PRIV.AT Tue Sep 2 18:18:01 2003
From: waldner at WALDNER.PRIV.AT (Robert Waldner)
Date: Thu Jan 12 21:19:43 2006
Subject: ClamAV missing Sobig
In-Reply-To: Your message of "Tue, 02 Sep 2003 11:04:09 EDT." <57940.129.80.22.133.1062515049.squirrel@tiger.dorfam.ca>
References: <200309021318.h82DIRc23293@agate.rockstone.co.uk> <20030902132446.7932747061@fsck.waldner.priv.at> <57940.129.80.22.133.1062515049.squirrel@tiger.dorfam.ca>
Message-ID: <20030902171813.6C9BC47082@fsck.waldner.priv.at>

On Tue, 02 Sep 2003 11:04:09 EDT, Gerry Doris writes:
>The problem I see is that it would end up being a great service for the
>virus writers. They could tweak and adjust until they ended up with a
>virus that wasn't detected by the majority of scanners.

You think they don't do that already?

cheers,
&rw
--
-- "I'm not proud. We really haven't done everything we could to protect
-- our customers. Our products just aren't engineered for security."
-- - Brian Valentine, senior vice-president in charge of MS's
-- Windows development.

From m.sapsed at BANGOR.AC.UK Tue Sep 2 18:42:34 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:19:43 2006
Subject: What's Going on here?
References: <005601c37155$86a1b7d0$0501a8c0@darkside> <1062518150.366.39.camel@ralph.plexio.private>
Message-ID: <3F54D68A.2020006@bangor.ac.uk>

Stephen Lee wrote:
> At the height of the Sobig.F storm one of my mail servers
> (MS/Sophos/Exim) let through 3000+ copies of what appeared to be
> Sobig.F-like messages without any attachment. If there is no attachment,
> can Sophos still detect it? I guess there must be some other virus-like
> signature within the message.

No. Sophos will only detect Sobig-F if it's given a non-damaged executable attachment to look at. If you want to block Sobig messages which don't have the proper attachments then you need to look at sendmail/exim rules (as in the archive) or spamassassin rules.

Cheers,

Martin

--
Martin Sapsed                    Information Services
"Who do you say I am?"           University of Wales, Bangor
        Jesus of Nazareth

From jharnish at CI.GRAND-RAPIDS.MI.US Tue Sep 2 19:03:53 2003
From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe)
Date: Thu Jan 12 21:19:43 2006
Subject: ANNOUNCE: mailstats V0.21
Message-ID: <221C759285B78647AEE6181FD6AF36A7078B91DB@bambi.grand-rapids.mi.us>

What can I do to assist in getting mcafee AV support in mailstats?

-----Original Message-----
From: David While [mailto:David.While@UCE.AC.UK]
Sent: Tuesday, September 02, 2003 11:54 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: ANNOUNCE: mailstats V0.21

Whoops - sorry about that - it's there now.

-----Original Message-----
From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US]
Sent: Tue 02/09/2003 15:52
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: ANNOUNCE: mailstats V0.21

Hey I went out to this site to grab .21 and it was showing .23 as the latest but I can not download it.

Thanks

Joe

-----Original Message-----
From: David While [mailto:David.While@UCE.AC.UK]
Sent: Sunday, August 31, 2003 12:41 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ANNOUNCE: mailstats V0.21

A few people have been asking so here it is!

A new version of mailstats is available - the main changes are:

* Added support to produce list of SpamAssassin traps triggered
* Added support for configurable message in access file
* Added support to produce 2 mrtg config files for better graphing
* Added support for multiple mail queue directories
* Corrected bug in virus update notification
* Added support to restrict the output in lists.

It can be downloaded from http://www.while.homeunix.net/mailstats

There is also a discussion forum available at http://www.while.homeunix.net/mailstats/phpBB2/

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

From TGFurnish at HERFF-JONES.COM Tue Sep 2 23:24:21 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C07A1@inex1.herffjones.hj-int>

You really ought to start a separate thread for separate questions - this has little to do with mail being stuck in the incoming queue.

Having said that, you don't need a secondary server - you just need to move the messages from the incoming queue to the outgoing queue. In a typical redhat+sendmail install that means that you move the message from /var/spool/mqueue.in to /var/spool/mqueue.

Where are you going to get the original message though? By the time your "special user" can identify the message for you, it's already been delivered. It sounds like you want to quarantine the messages (as queue files) and enable the quarantine cleaning cron job.

-t.

-----Original Message-----
From: lester lasad [mailto:llasad1@YAHOO.COM]
Sent: Tuesday, September 02, 2003 4:48 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

question, I have a secondary MS server, there are a few emails that our VP's need with attachments. Once I locate these emails in /var/spool/mqueue.in can I copy them to the other servers mqueue.in? Never done it, if anyone has I would like to know (and how did you do it?)

Kevin Spicer wrote:

On Tue, 2003-09-02 at 22:16, lester lasad wrote:
>It seems to be kicking in after restarting MS a few times, but it seems
>to stop after about a few minutes. I have been restarting but this
>can't be the solution. Thanks for the suggestions.

Are you running the very latest MailScanner? IIRC there is a bug in the Denial of Service Protection Code which has just been fixed (I think Julian posted a patch to the list, as now's not the time to be upgrading!)

If you get desperate, you said you weren't virus scanning with MS, just turn MS off, start up sendmail (the regular standalone way) and dump the contents of mqueue.in into mqueue [mail & spam is better than no mail, just]. Then have another shot with MS when it's quieter (if there's a particular message causing problems this would also get it out of the system.)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From gerry at DORFAM.CA Wed Sep 3 02:27:39 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:19:43 2006
Subject: Small typo in f-prot-autoupdate
Message-ID:

Julian there is a small typo in the f-prot-autoupdate script that prevents logging status to /var/log/maillog. Here's the code segment where I added the open Syslog line right after alarm 0

...
if ($@) {
  if ($@ =~ /timeout/) {
    # We timed out!
    CleanTempDir();
    &UnlockFProt();
    alarm 0;
  }
} else {
  alarm 0;
  Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail');  # ****** added line
  Sys::Syslog::syslog('info', $updated?"F-Prot successfully updated.":
                                       "F-Prot did not need updating.");
}

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From ashley at IMS.TELSTRA.COM.AU Wed Sep 3 03:47:17 2003
From: ashley at IMS.TELSTRA.COM.AU (Ash)
Date: Thu Jan 12 21:19:43 2006
Subject: Tagging the subject line of e-mail
In-Reply-To: <3F53F6F5.9070709@ims.telstra.com.au>
References: <5.2.0.9.2.20030901105651.05c09ba0@imap.ecs.soton.ac.uk> <3F53F6F5.9070709@ims.telstra.com.au>
Message-ID: <3F555635.3000301@ims.telstra.com.au>

Found the file MailScanner/etc/reports/en/languages.conf and changed NoticeSubject to "Warning: E-mail problem detected" also NoticeHeading to "The following e-mail messages were found to have problems in them"

ash

Ash wrote:

> Please forgive me the problem lay between the keyboard and back of chair
> :-(. I missed Deliver Cleaned Messages was set to no I would say this
> occurred when I upgraded from v3.x and as we don't get many viruses I
> never noticed, wrote a ruleset and it all works.
>
> Have I made another mistake somewhere? the admin message is the same no
> matter what problem it detected. "Warning: E-mail viruses detected"
> appears for every violation and doesn't actually align with the problem
> it detected, ie "Warning: Bad Filename detected" or Warning: Bad
> Filetype detected" .
>
> ash
>
> Julian Field wrote:
>
>> Can you give us an example of what you mean?
>>
>> At 04:54 01/09/2003, you wrote:
>>
>>> Did this ever get resolved?
>>>
>>> I just upgraded from 4.21-9 to 4.23-10 and no longer get any of the subject
>>> line modifications notices that use the curly brackets, other than if I set
>>> "Scanned Modify Subject" , for example any violation be it a virus ,bad file
>>> name/type receives the subject line "Warning: E-mail viruses detected", I
>>> haven't had a spam message yet to see if that notification has also stopped
>>> working
>>>
>>> from my conf file
>>> Virus Modify Subject = yes
>>> Virus Subject Text = {Virus?}
>>> Filename Modify Subject = yes
>>> Filename Subject Text = {Filename?}
>>> Content Modify Subject = yes
>>> Content Subject Text = {Dangerous Content?}
>>> Spam Modify Subject = yes
>>> Spam Subject Text = {Spam?}
>>> High Scoring Spam Modify Subject = yes
>>> High Scoring Spam Subject Text = {Spam?}
>>>
>>> running perl 5.6.0
>>>
>>> regards
>>>
>>> ash
>>>
>>> On Wed, 20 Aug 2003 07:41:27 -0400, Collins, Kevin wrote:
>>>
>>> >Mike,
>>> >
>>> >Thanks for responding.
>>> >
>>> >I'm planning on adding SpamAssassin later in the project. Is it required to
>>> >make the system function as I want? I didn't get that from the
>>> >documentation. The way I read the docs, SpamAssassin just improves
>>> >MailScanner's abilities.
>>> >
>>> >Kevin
>>> >
>>> >> -----Original Message-----
>>> >> From: Mike Kercher [mailto:mike@CAMAROSS.NET]
>>> >> Sent: Tuesday, August 19, 2003 1:59 PM
>>> >> To: MAILSCANNER@JISCMAIL.AC.UK
>>> >> Subject: Re: Tagging the subject line of e-mail
>>> >>
>>> >>
>>> >> Are you using SpamAssassin? If not, I'd HIGHLY recommend it! You can also
>>> >> set Log Spam = yes and watch your maillog after restarting MailScanner.
>>> >>
>>> >> Mike
>>> >>
>>> >>
>>> >> -----Original Message-----
>>> >> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>>> >> Of Collins, Kevin
>>> >> Sent: Tuesday, August 19, 2003 12:31 PM
>>> >> To: MAILSCANNER@JISCMAIL.AC.UK
>>> >> Subject: Tagging the subject line of e-mail
>>> >>
>>> >>
>>> >> Hi!
>>> >>
>>> >> I've just completed installing MS v4.22-5 onto a Red Hat 8 machine to act as
>>> >> my company's "SPAM Filter". First, I want to say THANKS for creating such a
>>> >> project and for making it available to the masses for free.
>>> >>
>>> >> A little background:
>>> >>
>>> >> MailScanner machine:
>>> >> Red Hat 8.0 (fully up2dated)
>>> >> Sendmail 8.12.8
>>> >> Perl 5.8.0
>>> >> ClamAV 0.60 (compiled from source)
>>> >> Sendmail set to relay everything to internal Exchange Server
>>> >>
>>> >> Everything seems to be working fine - I've even let a few e-mails pass
>>> >> through the machine for testing. Which is why I'm writing; I now have a
>>> >> question.
>>> >>
>>> >> First, of the 20 some odd messages that have passed through MailScanner, it
>>> >> has tagged 3 as SPAM and one of them as having a Virus (actually it was an
>>> >> HTML Form in the message). The "Virus" message behaved as expected - the
>>> >> e-mail was deleted and not passed on and I got a notification of the
>>> >> deletion. But the remaining messages aren't working as I expected them to
>>> >> (I think).
>>> >>
>>> >> I've configured MailScanner to modify the subject line of every e-mail it
>>> >> touches to include {Scanned} at the beginning. (This is to let me - and
>>> >> everyone else - know that MS is working) In addition I want all SPAM
>>> >> messages flagged with {Spam} as the beginning of the subject line and
>>> >> {Virus} for those that were found to have Viruses.
>>> >>
>>> >> To this point, all of the e-mail coming in (save the "Virus" message
>>> >> mentioned above) have only had the word {Scanned} pre-pended to the Subject
>>> >> Line. I've not seen the {Spam} label anywhere. Here are the (I think)
>>> >> appropriate sections of the MailScanner.conf:
>>> >>
>>> >> ----
>>> >> Scanned Modify Subject = start
>>> >> Scanned Subject Text = {Scanned}
>>> >> Virus Modify Subject = yes
>>> >> Virus Subject Text = {Virus}
>>> >> Filename Modify Subject = yes
>>> >> Filename Subject Text = {Filename}
>>> >> Spam Modify Subject = yes
>>> >> Spam Subject Text = {Spam}
>>> >> High Scoring Spam Modify Subject = yes
>>> >> High Scoring Spam Subject Text = {Spam}
>>> >> ----
>>> >> Spam Checks = yes
>>> >> Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)
>>> >> Spam Domain List =
>>> >> Spam Lists To Reach High Score = 5
>>> >> Spam List Timeout = 10
>>> >> Max Spam List Timeouts = 7
>>> >> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
>>> >> Is Definitely Spam = no
>>> >> ----
>>> >>
>>> >> From this, is my description of how MailScanner should work valid? Have I
>>> >> forgotten to do something? What do I need to change/add/delete to make it work
>>> >> as I describe?
>>> >>
>>> >> Thanks in advance.
>>> >>
>>> >> --
>>> >> Kevin L. Collins, MCSE
>>> >> Systems Manager
>>> >> Nesbitt Engineering, Inc.
>>> >>
>>
>>
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> MailScanner thanks transtec Computers for their support

From chocobofrank at HOTMAIL.COM Wed Sep 3 05:29:29 2003
From: chocobofrank at HOTMAIL.COM (Frank Cheong)
Date: Thu Jan 12 21:19:43 2006
Subject: Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4
Message-ID:

Recently, I have just installed MailScanner, Perl 5.8.0 and all related components according to the MailScanner installation guide onto my Solaris 8 machine. I cannot start /opt/MailScanner/lib/sophos-autoupdate. I found that whenever the module calls the syslog function (e.g. syslog.openlog) it tries to connect to the syslog server on my localhost, and it fails with the message below:

"Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4 at /usr/local/lib/perl5/5.8.0/sun4-solaris/Socket.pm line 373."

What is the problem? I have tried to telnet localhost 514, which is the syslog port, and the following message was reported:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

I also checked that the line below is inside /etc/service:

syslog 514/udp

Can I assume my Solaris syslog configuration is OK and it is a problem with the Perl installation instead?

From christo at AFGLASS.CO.ZA Wed Sep 3 07:31:11 2003
From: christo at AFGLASS.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:19:43 2006 Subject: Newbie question related to file type filters Message-ID: <000801c371e5$1fbceb30$660210ac@christo> Hi I only configured my MS server last week and it works fine. Spam dropped by about 90% OK My question. By default MS blocks all Executable and Media file types from the filetype.rules.conf file. How can I setup a MS rule to let through these files only for certain email addresses and let the others be blocked. One small rule file example will be enough Thanx -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks transtec Computers for their support. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030903/e79a4373/attachment.html From llasad1 at YAHOO.COM Tue Sep 2 23:18:40 2003 
From: llasad1 at YAHOO.COM (lester lasad) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <1062538338.31636.4.camel@bach.kevinspicer.co.uk> Message-ID: <20030902221840.68651.qmail@web41415.mail.yahoo.com> Kevin, I took your suggestion and all new mail seems to be coming in OK, the problem is that I copied one of the emails out of mqueue.in into mqueue but it does not route. It's just stuck, all other new mail that comes in routes with no problems. any suggestions? Kevin Spicer wrote: On Tue, 2003-09-02 at 22:16, lester lasad wrote: >It seems to be kicking in after restarting MS a few times, but it seems >to stop after about a few minutes. I have been restarting but this >can't be the solution. Thanks for the suggestions. Are you running the very latest MailScanner? IIRC there is a bug in the Denial of Service Protection Code which has just been fixed (I think Julian posted a patch to the list, as nows not the time to be upgrading!) If you get desperate, you said you weren't virus scanning with MS, just turn MS off, start up sendmail (the regular standalone way) and dump the contents of mqueue.in into mqueue [mail & spam is better than no mail, just]. Then have another shot with MS when its quieter (if theres a particular message causing problems this would also get it out of the system.) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
--------------------------------- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030902/a1a421fd/attachment.html From mailscanner at ecs.soton.ac.uk Wed Sep 3 08:05:33 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:19:43 2006 Subject: Please update your email address... Message-ID: <07053388524134@radgametools.com> We're sorry, but the RAD general email addresses have changed recently (to slow the flood of spam ). Please use one of these addresses instead: Sales: sales1@radgametools.com RAD Video Tools Support: support1@radgametools.com Bink SDK Support: bink1@radgametools.com Miles SDK Support: miles1@radgametools.com Granny SDK Support: granny1@radgametools.com Pixomatic SDK Support: pixo1@radgametools.com Smacker SDK Support: smack1@radgametools.com Webmaster: webmaster1@radgametools.com Sorry for the inconvenience and thanks for your support! RAD Game Tools From raymond at PROLOCATION.NET Tue Sep 2 23:25:15 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <20030902221840.68651.qmail@web41415.mail.yahoo.com> Message-ID: Hi! > I took your suggestion and all new mail seems to be coming in OK, the > problem is that I copied one of the emails out of mqueue.in into mqueue > but it does not route. It's just stuck, all other new mail that comes > in routes with no problems. any suggestions? If you ONLY put that one file in your queue, and restart MS, what do you see happening ? do you see MS defcuntioning ? Bye, Raymond. From Kevin.Spicer at BMRB.CO.UK Wed Sep 3 08:38:15 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649686@pascal.priv.bmrb.co.uk> lester lasad wrote: > Kevin, > I took your suggestion and all new mail seems to be coming in OK, the > problem is that I copied one of the emails out of mqueue.in into > mqueue but it does not route. It's just stuck, all other new mail > that comes in routes with no problems. any suggestions? Do you have both df and qf files for that? Maybe the mail itself is what has caused your problem? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Kevin.Spicer at BMRB.CO.UK Wed Sep 3 08:41:52 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649687@pascal.priv.bmrb.co.uk>

lester lasad wrote:
> question, I have a secondary MS server, there are a few emails that
> our VP's need with attachments. Once I locate these emails in
> /var/spool/mqueue.in can I copy them to the other server's
> mqueue.in? Never done it, if anyone has I would like to know (and
> how did you do it?)

Although this would probably work you shouldn't generally do it because sendmail generates queue names using the time and process id. This means that by copying mails between systems you could break the guarantee of queue file name uniqueness (that said it is only a small risk, as you would have to have a sendmail process with the same PID on both systems at the time the mail was originally received.)

From David.While at UCE.AC.UK Wed Sep 3 08:33:35 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:43 2006
Subject: ANNOUNCE: mailstats V0.21
Message-ID: <107DE25EC0216C45AEF670016024245F64417E@exchangea.staff.uce.ac.uk>

It should already be there - simply set your Scanner to mcafee

David While

-----Original Message-----
From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US] Sent: Tue 02/09/2003 19:03 To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: Re: ANNOUNCE: mailstats V0.21 What can I do to assist in getting mcafee AV support in mailstats? -----Original Message----- From: David While [mailto:David.While@UCE.AC.UK] Sent: Tuesday, September 02, 2003 11:54 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: mailstats V0.21 Whoops - sorry about that - its there now. -----Original Message----- From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US] Sent: Tue 02/09/2003 15:52 To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: Re: ANNOUNCE: mailstats V0.21 Hey I went out to this site to grab .21 and it was showing .23 as the latest but I can not download it. Thanks Joe -----Original Message----- From: David While [mailto:David.While@UCE.AC.UK] Sent: Sunday, August 31, 2003 12:41 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: mailstats V0.21 A few people have been asking so here it is! A new version of mailstats is available - the main changes are: * Added support to produce list of SpamAssassin traps triggered * Added support for configurable message in access file * Added support to produce 2 mrtg config files for better graphing * Added support for multiple mail queue directories * Corrected bug in virus update notification * Added support to restrict the output in lists. It can be downloaded from http://www.while.homeunix.net/mailstats There is also a discussion forum available at http://www.while.homeunix.net/mailstats/phpBB2/ ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- From llasad1 at YAHOO.COM Wed Sep 3 08:58:31 2003 
From: llasad1 at YAHOO.COM (lester lasad)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649686@pascal.priv.bmrb.co.uk>
Message-ID: <20030903075831.49203.qmail@web41402.mail.yahoo.com>

Kevin,

To be honest all I have ever used is mailscanner, I am not familiar with configuring sendmail on its own. I have been at this all night with no luck. I have restarted MS many times with minimal success. I have tried changing my routing table to route to a different internal server to verify it's not a problem with the host I normally connect with and have the same problems. This is very frustrating, I've got about 2000 messages still stuck in the queue, they are getting delivered but at a very slow rate. Users don't like to see email from customers that are 2 days late. If you have any more suggestions, I'd appreciate it.

"Spicer, Kevin" wrote:

lester lasad wrote:
> Kevin,
> I took your suggestion and all new mail seems to be coming in OK, the
> problem is that I copied one of the emails out of mqueue.in into
> mqueue but it does not route. It's just stuck, all other new mail
> that comes in routes with no problems. any suggestions?

Do you have both df and qf files for that? Maybe the mail itself is what has caused your problem?

From raymond at PROLOCATION.NET Wed Sep 3 09:00:52 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030903075831.49203.qmail@web41402.mail.yahoo.com>
Message-ID:

Hi!

> To be honest all I have ever used is mailscanner, I am not familiar
> with configuring sendmail on its own. I have been at this all night
> with no luck. I have restarted MS many times with minimal success. I
> have tried changing my routing table to route to a different internal
> server to verify it's not a problem with the host I normally connect
> with and have the same problems. This is very frustrating, I've got
> about 2000 messages still stuck in the queue, they are getting delivered
> but at a very slow rate. Users don't like to see email from customers
> that are 2 days late. If you have any more suggestions, I'd appreciate
> it.

I see the same behaviour, it is like MS tries to chew a long time on some messages. I already tried to lower the TNEF timeout to see if that's causing it.

Julian, would it be ok to send in the batches that seem to terribly slow down MS ? Perhaps the string in the Sobig virus wasn't the only thing they planned :)

Bye,
Raymond.

From Kevin.Spicer at BMRB.CO.UK Wed Sep 3 09:11:03 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:43 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ADFB@pascal.priv.bmrb.co.uk>

Can you confirm whether email had completely stopped, or whether MailScanner just wasn't keeping up with the queue?

If you want to bypass MailScanner to clear the backlog... (assuming RedHat syntax)

service MailScanner stop
[wait for all MailScanner processes to disappear after running this before moving on]
mv /var/spool/mqueue.in/* /var/spool/mqueue
service MailScanner start
[restart MailScanner to process any newly arriving messages, see if it copes]
sendmail -q
[this last command will take a very long time to complete as it will attempt to deliver each message in the queue, with your backlog this could be a considerable period of time]

-----Original Message-----
From: lester lasad [mailto:llasad1@YAHOO.COM] Sent: 03 September 2003 08:59 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in Kevin, To be honest all I have ever used is mailscanner, I am not famaliar with configuring sendmail on it's own. I have been at this all night with no luck. I have restarted MS many times with minimal success. I have tried changing my routing table to route to a different internal server to verify it's not a problem with the host I normally connect with and have the same problems. This is very frustrating, I've got about 2000 message still stuck in the queue, they are getting delivered but at a very slow rate. Users don't like to see email from customers that are 2 days late. If you have any more suggestions, I'd appreciate it. "Spicer, Kevin" wrote: lester lasad wrote: > Kevin, > I took your suggestion and all new mail seems to be coming in OK, the > problem is that I copied one of the emails out of mqueue.in into > mqueue but it does not route. It's just stuck, all other new mail > that comes in routes with no problems. any suggestions? Do you have both df and qf files for that? Maybe the mail itself is what has caused your problem? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this e! mail or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. _____ Do you Yahoo!? Yahoo! 
SiteBuilder - Free, easy-to-use web site design software BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030903/55111e4c/attachment.html From raymond at PROLOCATION.NET Wed Sep 3 09:17:45 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:43 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ADFB@pascal.priv.bmrb.co.uk> Message-ID: Hi! > Can you confirm whether email had completely stopped, or whether > MailScanner just wasn't keeping up with the queue? On my box for example i had a queue of 1000 that would not run, it let it processing and it took 40 minutes to get them done. In the same time, by other box, same specs, took allmost 10.000 messages, without any problem. Bye, Raymond. From llasad1 at YAHOO.COM Wed Sep 3 09:29:44 2003 
From: llasad1 at YAHOO.COM (lester lasad) Date: Thu Jan 12 21:19:44 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ADFB@pascal.priv.bmrb.co.uk> Message-ID: <20030903082944.59630.qmail@web41404.mail.yahoo.com> This is for incoming mail. On average I receive 15-20 thousand incoming emails a day. Right now I have roughly 2000 messages in the queue, so MS has been routing mail but it is very slow. Doesn't seem to want to catch up. "Spicer, Kevin" wrote: Can you confirm whether email had completely stopped, or whether MailScanner just wasn't keeping up with the queue? If you want to bypass MailScanner to clear the backlog... (assuming RedHat syntax) service MailScanner stop [wait for all MailScanner processes to disappear after running this before moving on] mv /var/spool/mqueue.in/* /var/spool/mqueue service MailScanner start [restart Mailscanner toprocess any newly arriving messages, see if it copes] sendmail -q [this last command will take a very long time to complete as it will attempt to deliver each mesasge in the queue, with your backlog this could be a considerable period of time] -----Original Message----- 
From: lester lasad [mailto:llasad1@YAHOO.COM] Sent: 03 September 2003 08:59 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in Kevin, To be honest all I have ever used is mailscanner, I am not famaliar with configuring sendmail on it's own. I have been at this all night with no luck. I have restarted MS many times with minimal success. I have tried changing my routing table to route to a different internal server to verify it's not a problem with the host I normally connect with and have the same problems. This is very frustrating, I've got about 2000 message still stuck in the queue, they are getting delivered but at a very slow rate. Users don't like to see email from customers that are 2 days late. If you have any more suggestions, I'd appreciate it. "Spicer, Kevin" wrote: lester lasad wrote: > Kevin, > I took your suggestion and all new mail seems to be coming in OK, the > problem is that I copied one of the emails out of mqueue.in into > mqueue but it does not route. It's just stuck, all other new mail > that comes in routes with no problems. any suggestions? Do you have both df and qf files for that? Maybe the mail itself is what has caused your problem? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this e! mail or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. --------------------------------- Do you Yahoo!? Yahoo! 
SiteBuilder - Free, easy-to-use web site design software BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accept no liability in relation to any personal emails, or content of any email which does not directly relate to our business. --------------------------------- Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030903/77b30866/attachment.html From Kevin.Spicer at BMRB.CO.UK Wed Sep 3 09:35:32 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:44 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649689@pascal.priv.bmrb.co.uk> lester lasad wrote: > This is for incoming mail. On average I receive 15-20 thousand > incoming emails a day. Right now I have roughly 2000 messages in the > queue, so MS has been routing mail but it is very slow. Doesn't seem > to want to catch up. Which queue? How many in mqueue? How many in mqueue.in? As I said, if you're happy to bypass MailScanner to get the mail delivered follow the instructions below. > > "Spicer, Kevin" wrote: > Can you confirm whether email had completely stopped, or whether > MailScanner just wasn't keeping up with the queue? > > If you want to bypass MailScanner to clear the backlog... (assuming > RedHat syntax) > > service MailScanner stop [wait for all MailScanner > processes to disappear after running this before moving on] mv > /var/spool/mqueue.in/* /var/spool/mqueue service MailScanner start > [restart Mailscanner to process any newly arriving messages, see if it > copes] sendmail -q > > [this last command will take a very long time to complete as it will > attempt to deliver each message in the queue, with your backlog this > could be a considerable period of time] From eja at URBAKKEN.DK Wed Sep 3 09:35:25 2003 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:19:44 2006 Subject: Errors. Message-ID: <3F55A7CD.8000401@urbakken.dk> I have installed MailScanner on my RedHat 9.0 server here. I have gone through the install instructions many times, and found that I have done all the mentioned changes. Even so I get some errors. Many of them are maybe self-explanatory, and I can see what's wrong, but another thing is how to do the things that bring the errors to an end. Can some of you maybe help me? Here's the sample of /var/log/maillog: Sep 3 10:27:19 gateway postfix/postdrop[7682]: error: untrusted configuration directory name: /etc/postfix.in Sep 3 10:27:19 gateway postfix/postdrop[7682]: fatal: specify "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf Sep 3 10:27:20 gateway spamd[7681]: clean message (1.0/5.0) for filter:100 in 0.4 seconds, 4940 bytes. Sep 3 10:27:20 gateway postfix/sendmail[7680]: warning: premature end-of-input from /usr/sbin/postdrop -r while reading input attribute name Sep 3 10:27:20 gateway postfix/sendmail[7680]: fatal: linux-bounces+eja=urbakken.dk@lists.samba.org(100): unable to execute /usr/sbin/postdrop -r: Success Sep 3 10:27:21 gateway postfix/pipe[7677]: 3299A1BFCB: to=, relay=ccfilter, delay=2, status=bounced (service unavailable. 
Command output: postdrop: error: untrusted configuration directory name: /etc/postfix.in postdrop: fatal: specify "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf sendm ail: warning: premature end-of-input from /usr/sbin/postdrop -r while reading input attribute name sendmail: fatal: linux-bounces+eja=urbakken.dk@lists.samba.org(100) : unable to execute /usr/sbin/postdrop -r: Success ) Sep 3 08:27:21 gateway postfix/cleanup[7676]: BCA181BFCF: message-id=<20030903082721.BCA181BFCF@gateway.urbakken.dk> Sep 3 08:27:21 gateway postfix/nqmgr[3122]: BCA181BFCF: from=<>, size=7460, nrcpt=1 (queue active) Sep 3 08:27:22 gateway postfix/nqmgr[3122]: BCA181BFCF: to=, relay=none, delay=0, status=deferred (deferred transport) Sep 3 10:27:22 gateway MailScanner[3753]: New Batch: Scanning 1 messages, 7595 bytes Sep 3 10:27:22 gateway MailScanner[3753]: Virus and Content Scanning: Starting Sep 3 10:27:22 gateway MailScanner[3753]: Uninfected: Delivered 1 messages Sep 3 04:27:22 gateway postfix/nqmgr[3181]: 223385A5B8: from=<>, size=7584, nrcpt=1 (queue active) Sep 3 04:27:25 gateway postfix/smtp[7704]: 223385A5B8: to=, relay=dp.samba.org[66.70.73.150], delay=4, status=sent (25 -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From llasad1 at YAHOO.COM Wed Sep 3 09:49:33 2003 
From: llasad1 at YAHOO.COM (lester lasad) Date: Thu Jan 12 21:19:44 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649689@pascal.priv.bmrb.co.uk> Message-ID: <20030903084933.57527.qmail@web41414.mail.yahoo.com> "Spicer, Kevin" wrote: Which queue? All are in the mqueue.in As I said, if you're happy to bypass MailScanner to get the mail delivered follow the instructions below. Tried running your commands and received the following:
> service MailScanner stop
Shutting down MailScanner daemons:
MailScanner: [ OK ]
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
> mv /var/spool/mqueue.in/* /var/spool/mqueue
sh: line 1: /bin/mv: Argument list too long
> > "Spicer, Kevin" wrote: > Can you confirm whether email had completely stopped, or whether > MailScanner just wasn't keeping up with the queue? > > If you want to bypass MailScanner to clear the backlog... (assuming > RedHat syntax) > > service MailScanner stop [wait for all MailScanner > processes to disappear after running this before moving on] mv > /var/spool/mqueue.in/* /var/spool/mqueue service MailScanner start > [restart Mailscanner to process any newly arriving messages, see if it > copes] sendmail -q > > [this last command will take a very long time to complete as it will > attempt to deliver each message in the queue, with your backlog this > could be a considerable period of time] From mailscanner at ecs.soton.ac.uk Wed Sep 3 09:48:29 2003 
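The "Argument list too long" error above comes from the shell expanding the glob into more arguments than a single exec of /bin/mv can carry. The following is an added example, not part of any poster's message and not MailScanner's own tooling: a hypothetical move_queue function that moves each message's df/qf pair one at a time. It assumes both directories are on the same filesystem and that MailScanner and sendmail have been stopped first, as the quoted procedure says.

```shell
#!/bin/sh
# Added example: move complete sendmail queue entries (dfID + qfID) from one
# queue directory to another without building one huge argument list.
# The thread's directories are /var/spool/mqueue.in and /var/spool/mqueue;
# the function name and the pairing rule are this example's own choices.
# Assumption: SRC and DST are on the same filesystem, so each mv is a rename.

# move_queue SRC DST
# Prints "moved=<n> orphans=<m>"; returns 1 if either directory is missing.
move_queue() {
    src=$1
    dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || {
        echo "usage: move_queue SRC DST" >&2
        return 1
    }

    moved=0
    orphans=0

    # The glob is expanded inside the shell and every mv receives exactly
    # two arguments, so the exec argument-size limit is never reached.
    for qf in "$src"/qf*; do
        [ -f "$qf" ] || continue        # no match: the pattern stays literal
        id=${qf##*/qf}                  # queue ID shared by the qf and df file
        df=$src/df$id
        if [ -f "$df" ]; then
            # Data file first, control file last: a queue runner looks for
            # qf files, so it never picks up an entry whose body is missing.
            mv "$df" "$dst/df$id" && mv "$qf" "$dst/qf$id" && moved=$((moved + 1))
        else
            orphans=$((orphans + 1))    # qf without df: leave it for inspection
        fi
    done

    # Any df file still in SRC has no matching qf; count it, do not move it.
    for df in "$src"/df*; do
        [ -f "$df" ] || continue
        orphans=$((orphans + 1))
    done

    echo "moved=$moved orphans=$orphans"
}
```

Mail moved this way reaches the outgoing queue without having been scanned, so the orphan count and the list of moved IDs are worth keeping for later review.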
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:44 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <20030903084933.57527.qmail@web41414.mail.yahoo.com> References: <5C0296D26910694BB9A9BBFC577E7AB001649689@pascal.priv.bmrb.co.uk> Message-ID: <5.2.0.9.2.20030903094622.03f92df0@imap.ecs.soton.ac.uk> Morning all, Appears you are all having a similar problem. Are you running 4.23-11 or 4.23-10? If -10 then upgrade to -11. What does your maillog say is happening? grep MailScanner /var/log/maillog | tail -70 What processes are running? ps ax | grep -i mail What have you changed from your previously-working system? At 09:49 03/09/2003, you wrote: >"Spicer, Kevin" wrote: > >Which queue? > >All are in the mqueue.in > >As I said, if you're happy to bypass MailScanner to get the mail delivered >follow the instructions below. > >Tried running your commands and received the following: > > > service MailScanner stop > >Shutting down MailScanner daemons: > >MailScanner: [ OK ] > >incoming sendmail: [ OK ] > >outgoing sendmail: [ OK ] > > > mv /var/spool/mqueue.in/* /var/spool/mqueue > >sh: line 1: /bin/mv: Argument list too long > > > > > > > > "Spicer, Kevin" wrote: > > Can you confirm whether email had completely stopped, or whether > > MailScanner just wasn't keeping up with the queue? > > > > If you want to bypass MailScanner to clear the backlog... (assuming > > RedHat syntax) > > > > service MailScanner stop [wait for all MailScanner > > processes to disappear after running this before moving on] mv > > /var/spool/mqueue.in/* /var/spool/mqueue service MailScanner start > > [restart Mailscanner to process any newly arriving messages, see if it > > copes] sendmail -q > > > > [this last command will take a very long time to complete as it will > > attempt to deliver each message in the queue, with your backlog this > > could be a considerable period of time] -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Sep 3 09:49:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:44 2006 Subject: Errors. In-Reply-To: <3F55A7CD.8000401@urbakken.dk> Message-ID: <5.2.0.9.2.20030903094925.04237aa8@imap.ecs.soton.ac.uk> Start by killing spamd. service spamd stop service spamassassin stop chkconfig spamd off chkconfig spamassassin off At 09:35 03/09/2003, you wrote: >I have installed MailScanner on my RedHat 9.0 server here. I have gone >through the install instructions many times, and found that I have done >all the mentioned changes. Even so I get some errors. Many of them are >maybe self-explanatory, and I can see what's wrong, but another thing is >how to do the things that bring the errors to an end. > >Can some of you maybe help me? > >Here's the sample of /var/log/maillog: > >Sep 3 10:27:19 gateway postfix/postdrop[7682]: error: untrusted >configuration directory name: /etc/postfix.in >Sep 3 10:27:19 gateway postfix/postdrop[7682]: fatal: specify >"alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf >Sep 3 10:27:20 gateway spamd[7681]: clean message (1.0/5.0) for >filter:100 in 0.4 seconds, 4940 bytes. >Sep 3 10:27:20 gateway postfix/sendmail[7680]: warning: premature >end-of-input from /usr/sbin/postdrop -r while reading input attribute name >Sep 3 10:27:20 gateway postfix/sendmail[7680]: fatal: >linux-bounces+eja=urbakken.dk@lists.samba.org(100): unable to execute >/usr/sbin/postdrop -r: Success >Sep 3 10:27:21 gateway postfix/pipe[7677]: 3299A1BFCB: >to=, relay=ccfilter, delay=2, status=bounced (service >unavailable. 
Command output: postdrop: >error: untrusted configuration directory name: /etc/postfix.in postdrop: >fatal: specify "alternate_config_directories = /etc/postfix.in" in >/etc/postfix/main.cf sendm >ail: warning: premature end-of-input from /usr/sbin/postdrop -r while >reading input attribute name sendmail: fatal: >linux-bounces+eja=urbakken.dk@lists.samba.org(100) >: unable to execute /usr/sbin/postdrop -r: Success ) >Sep 3 08:27:21 gateway postfix/cleanup[7676]: BCA181BFCF: >message-id=<20030903082721.BCA181BFCF@gateway.urbakken.dk> >Sep 3 08:27:21 gateway postfix/nqmgr[3122]: BCA181BFCF: from=<>, >size=7460, nrcpt=1 (queue active) >Sep 3 08:27:22 gateway postfix/nqmgr[3122]: BCA181BFCF: >to=, relay=none, delay=0, >status=deferred (deferred transport) >Sep 3 10:27:22 gateway MailScanner[3753]: New Batch: Scanning 1 >messages, 7595 bytes >Sep 3 10:27:22 gateway MailScanner[3753]: Virus and Content Scanning: >Starting >Sep 3 10:27:22 gateway MailScanner[3753]: Uninfected: Delivered 1 messages >Sep 3 04:27:22 gateway postfix/nqmgr[3181]: 223385A5B8: from=<>, >size=7584, nrcpt=1 (queue active) >Sep 3 04:27:25 gateway postfix/smtp[7704]: 223385A5B8: >to=, >relay=dp.samba.org[66.70.73.150], delay=4, status=sent (25 > >-- >Med venlig hilsen - Best regards. >Erik Jakobsen - eja@urbakken.dk. >Licensed radioamateur with the callsign OZ4KK. >SuSE Linux 8.2 Proff. >Registered as user #319488 with the Linux Counter, http://counter.li.org. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Sep 3 09:54:53 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:44 2006 Subject: Newbie question related to file type filters In-Reply-To: <000801c371e5$1fbceb30$660210ac@christo> Message-ID: <5.2.0.9.2.20030903095427.03ee97c8@imap.ecs.soton.ac.uk> See my postings from yesterday or the day before that include the word "filetype.rules.conf". You'll find them in the archive. At 07:31 03/09/2003, you wrote: >Hi > >I only configured my MS server last week and it works fine. Spam dropped >by about 90% > >OK My question. > >By default MS blocks all Executable and Media file types from the >filetype.rules.conf file. How can I setup a MS rule to let through these >files only for certain email addresses and let the others be blocked. One >small rule file example will be enough > >Thanx > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. >Mailscanner thanks transtec Computers for >their support. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Sep 3 09:53:41 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:44 2006 Subject: Small typo in f-prot-autoupdate In-Reply-To: Message-ID: <5.2.0.9.2.20030903095336.03f582b8@imap.ecs.soton.ac.uk>
Thanks for that. Fixed.
At 02:27 03/09/2003, you wrote:
>Julian there is a small typo in the f-prot-autoupdate script that prevents
>logging status to /var/log/maillog. Here's the code segment where I added
>the open Syslog line right after alarm 0 ...
>
>
>if ($@) {
>  if ($@ =~ /timeout/) {
>    # We timed out!
>    CleanTempDir();
>    &UnlockFProt();
>    alarm 0;
>  }
>} else {
>  alarm 0;
>  Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail'); ******
>  Sys::Syslog::syslog('info', $updated?"F-Prot successfully updated.":
>                      "F-Prot did not need updating.");
>}
>
>--
>Gerry
>
>"The lyfe so short, the craft so long to learne" Chaucer
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Sep 3 09:50:43 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:44 2006 Subject: mail stuck in postfix.in In-Reply-To: <5.2.1.1.0.20030902131754.00b357c8@pension-key.com> References: <5.2.0.9.2.20030902174407.04c0f8d8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030903095019.046667b8@imap.ecs.soton.ac.uk>
At 18:18 02/09/2003, you wrote:
>See below
>
>At 05:44 PM 9/2/2003 +0100, you wrote:
>>Check your queue directories are set correctly in MailScanner.conf.
>
>Incoming Queue Dir = /var/spool/postfix.in

Incoming Queue Dir = /var/spool/postfix.in/deferred

># Set location of outgoing mail queue.
># This can also be the filename of a ruleset.
>Outgoing Queue Dir = /var/spool/postfix

Outgoing Queue Dir = /var/spool/postfix/incoming

># Set where to unpack incoming messages before scanning them
>Incoming Work Dir = /var/spool/MailScanner/incoming
>
># Set where to store infected and message attachments (if they are kept)
># This can also be the filename of a ruleset.
>Quarantine Dir = /var/spool/MailScanner/quarantine
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From max.gaspari at MERCATONEUNO.NET Wed Sep 3 10:21:28 2003 
From: max.gaspari at MERCATONEUNO.NET (Max Gaspari) Date: Thu Jan 12 21:19:44 2006 Subject: Errors. In-Reply-To: <3F55A7CD.8000401@urbakken.dk> References: <3F55A7CD.8000401@urbakken.dk> Message-ID: <14170.80.17.111.244.1062580888.squirrel@wm.mercatoneuno.net> > I have installed MailScanner on my RedHat 9.0 server here. I have gone > through the install instructions many times, and found that I have done > all the mentioned changes. Even so I get some errors. Many of them are > maybe self-explanatory, and I can see what's wrong, but another thing is Insert in /etc/postfix/main.cf, at the end row ... alternate_config_directories = /etc/postfix.in probably you don't have postfix chroot check also the permission of /var/spool/postfix.in and /etc/postfix > Sep 3 10:27:19 gateway postfix/postdrop[7682]: error: untrusted > configuration directory name: /etc/postfix.in > Sep 3 10:27:19 gateway postfix/postdrop[7682]: fatal: specify > "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf > Sep 3 10:27:20 gateway spamd[7681]: clean message (1.0/5.0) for > filter:100 in 0.4 seconds, 4940 bytes. > Sep 3 10:27:20 gateway postfix/sendmail[7680]: warning: premature > end-of-input from /usr/sbin/postdrop -r while reading input attribute name > Sep 3 10:27:20 gateway postfix/sendmail[7680]: fatal: Bye From raymond at PROLOCATION.NET Wed Sep 3 11:02:41 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:44 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5.2.0.9.2.20030903094622.03f92df0@imap.ecs.soton.ac.uk> Message-ID: Hi! > Appears you are all having a similar problem. > Are you running 4.23-11 or 4.23-10? If -10 then upgrade to -11. I upgraded to -11 right away once it was released, still going on. > What does your maillog say is happening? > grep MailScanner /var/log/maillog | tail -70 > What processes are running? > ps ax | grep -i mail > > What have you changed from your previously-working system? Uh, nothing ? There is nothing else on the box, only MS. Bye, Raymond. From mailscanner at ecs.soton.ac.uk Wed Sep 3 11:10:41 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:44 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: References: <5.2.0.9.2.20030903094622.03f92df0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030903111029.03ed06e8@imap.ecs.soton.ac.uk> Please run both of the commands and send me the output. At 11:02 03/09/2003, you wrote: >Hi! > > > Appears you are all having a similar problem. > > Are you running 4.23-11 or 4.23-10? If -10 then upgrade to -11. > >I upgraded to -11 right away once it was released, still going on. > > > What does your maillog say is happening? > > grep MailScanner /var/log/maillog | tail -70 > > > What processes are running? > > ps ax | grep -i mail > > > > What have you changed from your previously-working system? > >Uh, nothing ? There is nothing else on the box, only MS. > >Bye, >Raymond. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Wed Sep 3 11:58:08 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:44 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5.2.0.9.2.20030903111029.03ed06e8@imap.ecs.soton.ac.uk> Message-ID: Hi! > Please run both of the commands and send me the output. Okay ;) But currently they are not having backlog, I think I'd rather send you the zip with files they are stuck on. I tested the zip on 3 of my boxes and all go into slow-motion-mode once I put them in the queue. > > > What does your maillog say is happening? > > > grep MailScanner /var/log/maillog | tail -70 We have remote logging, but let's see :) [root@fallback vmx10]# grep MailScanner maillog-20030903 | tail -90 Sep 3 12:55:50 vmx10 MailScanner[11992]: Virus and Content Scanning: Starting Sep 3 12:55:50 vmx10 MailScanner[13788]: Virus and Content Scanning: Starting Sep 3 12:55:52 vmx10 MailScanner[13124]: New Batch: Found 52 messages waiting Sep 3 12:55:52 vmx10 MailScanner[13124]: New Batch: Scanning 17 messages, 54364 bytes Sep 3 12:55:52 vmx10 MailScanner[13124]: Spam Checks: Starting Sep 3 12:55:53 vmx10 MailScanner[11768]: Content Checks: Need to convert HTML to plain text in 1 messages Sep 3 12:55:53 vmx10 MailScanner[11768]: Content Checks: Detected and will convert HTML message to plain text in h83AtYPm010512 Sep 3 12:55:54 vmx10 MailScanner[16332]: New Batch: Found 66 messages waiting Sep 3 12:55:54 vmx10 MailScanner[16332]: New Batch: Scanning 14 messages, 811789 bytes Sep 3 12:55:54 vmx10 MailScanner[16332]: Spam Checks: Starting Sep 3 12:55:54 vmx10 MailScanner[16150]: Uninfected: Delivered 1 messages Sep 3 12:55:54 vmx10 MailScanner[12645]: Uninfected: Delivered 2 messages Sep 3 12:55:54 vmx10 MailScanner[16150]: New Batch: Found 64 messages waiting Sep 3 12:55:54 vmx10 MailScanner[16150]: New Batch: Scanning 3 messages, 11209 bytes Sep 3 12:55:54 vmx10 MailScanner[16150]: Spam Checks: Starting Sep 3 12:55:54 vmx10 MailScanner[10261]: Uninfected: Delivered 2 messages 
Sep 3 12:55:54 vmx10 MailScanner[11768]: Uninfected: Delivered 7 messages Sep 3 12:55:54 vmx10 MailScanner[10513]: Uninfected: Delivered 1 messages Sep 3 12:55:54 vmx10 MailScanner[10513]: New Batch: Found 58 messages waiting Sep 3 12:55:54 vmx10 MailScanner[10513]: New Batch: Scanning 2 messages, 462948 bytes Sep 3 12:55:54 vmx10 MailScanner[10513]: Spam Checks: Starting Sep 3 12:55:55 vmx10 MailScanner[10513]: Virus and Content Scanning: Starting Sep 3 12:55:55 vmx10 MailScanner[16150]: Virus and Content Scanning: Starting Sep 3 12:55:56 vmx10 MailScanner[13124]: Virus and Content Scanning: Starting Sep 3 12:55:57 vmx10 MailScanner[12831]: New Batch: Found 83 messages waiting Sep 3 12:55:57 vmx10 MailScanner[12831]: New Batch: Scanning 25 messages, 100283 bytes Sep 3 12:55:57 vmx10 MailScanner[12831]: Spam Checks: Starting Sep 3 12:55:57 vmx10 MailScanner[15550]: Content Checks: Need to convert HTML to plain text in 1 messages Sep 3 12:55:57 vmx10 MailScanner[15550]: Content Checks: Detected and will convert HTML message to plain text in h83AtiPl010762 Sep 3 12:55:58 vmx10 MailScanner[16332]: Virus and Content Scanning: Starting Sep 3 12:55:58 vmx10 MailScanner[12208]: New Batch: Found 97 messages waiting Sep 3 12:55:58 vmx10 MailScanner[12208]: New Batch: Scanning 14 messages, 53689 bytes Sep 3 12:55:58 vmx10 MailScanner[12208]: Spam Checks: Starting Sep 3 12:55:59 vmx10 MailScanner[13788]: Uninfected: Delivered 3 messages Sep 3 12:55:59 vmx10 MailScanner[10513]: Content Checks: Need to convert HTML to plain text in 1 messages Sep 3 12:55:59 vmx10 MailScanner[10513]: Content Checks: Detected and will convert HTML message to plain text in h83AtcPp010603 Sep 3 12:55:59 vmx10 MailScanner[13788]: New Batch: Found 96 messages waiting Sep 3 12:55:59 vmx10 MailScanner[13788]: New Batch: Scanning 2 messages, 7482 bytes Sep 3 12:55:59 vmx10 MailScanner[13788]: Spam Checks: Starting Sep 3 12:55:59 vmx10 MailScanner[13788]: Virus and Content Scanning: Starting Sep 3 
12:56:00 vmx10 MailScanner[16150]: Content Checks: Need to convert HTML to plain text in 2 messages Sep 3 12:56:00 vmx10 MailScanner[16150]: Content Checks: Detected and will convert HTML message to plain text in h83AtoPm010872 Sep 3 12:56:00 vmx10 MailScanner[16150]: Content Checks: Detected and will convert HTML message to plain text in h83AtWPq010476 Sep 3 12:56:01 vmx10 MailScanner[13788]: Content Checks: Need to convert HTML to plain text in 2 messages Sep 3 12:56:01 vmx10 MailScanner[13788]: Content Checks: Detected and will convert HTML message to plain text in h83AtXPq010487 Sep 3 12:56:01 vmx10 MailScanner[13788]: Content Checks: Detected and will convert HTML message to plain text in h83AtrPn010901 Sep 3 12:56:02 vmx10 MailScanner[12831]: Virus and Content Scanning: Starting Sep 3 12:56:02 vmx10 MailScanner[12208]: Virus and Content Scanning: Starting Sep 3 12:56:04 vmx10 MailScanner[15550]: Uninfected: Delivered 5 messages Sep 3 12:56:04 vmx10 MailScanner[11992]: Uninfected: Delivered 4 messages Sep 3 12:56:04 vmx10 MailScanner[11992]: New Batch: Found 142 messages waiting Sep 3 12:56:04 vmx10 MailScanner[11992]: New Batch: Scanning 57 messages, 221554 bytes Sep 3 12:56:04 vmx10 MailScanner[11992]: Spam Checks: Starting Sep 3 12:56:04 vmx10 MailScanner[10513]: Uninfected: Delivered 2 messages Sep 3 12:56:04 vmx10 MailScanner[10513]: New Batch: Found 140 messages waiting Sep 3 12:56:04 vmx10 MailScanner[10513]: New Batch: Scanning 1 messages, 3789 bytes Sep 3 12:56:04 vmx10 MailScanner[10513]: Spam Checks: Starting Sep 3 12:56:04 vmx10 MailScanner[16150]: Uninfected: Delivered 3 messages Sep 3 12:56:05 vmx10 MailScanner[10261]: New Batch: Found 143 messages waiting Sep 3 12:56:05 vmx10 MailScanner[10261]: New Batch: Scanning 3 messages, 25005 bytes Sep 3 12:56:05 vmx10 MailScanner[10261]: Spam Checks: Starting Sep 3 12:56:05 vmx10 MailScanner[10513]: Virus and Content Scanning: Starting Sep 3 12:56:05 vmx10 MailScanner[11768]: New Batch: Found 145 
messages waiting Sep 3 12:56:05 vmx10 MailScanner[11768]: New Batch: Scanning 2 messages, 33156 bytes Sep 3 12:56:05 vmx10 MailScanner[11768]: Spam Checks: Starting Sep 3 12:56:05 vmx10 MailScanner[10261]: Virus and Content Scanning: Starting Sep 3 12:56:05 vmx10 MailScanner[11768]: Virus and Content Scanning: Starting Sep 3 12:56:07 vmx10 MailScanner[14541]: Content Checks: Need to convert HTML to plain text in 2 messages Sep 3 12:56:07 vmx10 MailScanner[14541]: Content Checks: Detected and will convert HTML message to plain text in h83AtdPl010629 Sep 3 12:56:07 vmx10 MailScanner[14541]: Content Checks: Detected and will convert HTML message to plain text in h83AtcPm010603 Sep 3 12:56:07 vmx10 MailScanner[16578]: New Batch: Found 159 messages waiting Sep 3 12:56:07 vmx10 MailScanner[16578]: New Batch: Scanning 15 messages, 415000 bytes Sep 3 12:56:07 vmx10 MailScanner[16578]: Spam Checks: Starting Sep 3 12:56:08 vmx10 MailScanner[13788]: Uninfected: Delivered 2 messages Sep 3 12:56:08 vmx10 MailScanner[13788]: New Batch: Found 155 messages waiting Sep 3 12:56:08 vmx10 MailScanner[13788]: New Batch: Scanning 1 messages, 362618 bytes Sep 3 12:56:08 vmx10 MailScanner[13788]: Spam Checks: Starting Sep 3 12:56:09 vmx10 MailScanner[13788]: Virus and Content Scanning: Starting Sep 3 12:56:10 vmx10 MailScanner[10261]: Content Checks: Need to convert HTML to plain text in 2 messages Sep 3 12:56:10 vmx10 MailScanner[10261]: Content Checks: Detected and will convert HTML message to plain text in h83AtsPp010924 Sep 3 12:56:10 vmx10 MailScanner[10261]: Content Checks: Detected and will convert HTML message to plain text in h83AtdPn010628 Sep 3 12:56:12 vmx10 MailScanner[16578]: Virus and Content Scanning: Starting Sep 3 12:56:14 vmx10 MailScanner[10513]: Uninfected: Delivered 1 messages Sep 3 12:56:14 vmx10 MailScanner[10513]: New Batch: Found 169 messages waiting Sep 3 12:56:14 vmx10 MailScanner[10513]: New Batch: Scanning 18 messages, 821417 bytes Sep 3 12:56:14 vmx10 
MailScanner[10513]: Spam Checks: Starting Sep 3 12:56:15 vmx10 MailScanner[16150]: New Batch: Found 168 messages waiting Sep 3 12:56:15 vmx10 MailScanner[16150]: New Batch: Scanning 1 messages, 190027 bytes Sep 3 12:56:15 vmx10 MailScanner[16150]: Spam Checks: Starting Sep 3 12:56:15 vmx10 MailScanner[16150]: Virus and Content Scanning: Starting [root@fallback vmx10]# > > > What processes are running? > > > ps ax | grep -i mail [root@vmx10 mqueue]# ps ax | grep -i mail 3060 ? S 0:58 sendmail: accepting connections 3065 ? S 0:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue 3071 ? S 0:00 sendmail: Queue runner@00:05:00 for /var/spool/mqueue 3089 ? S 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 13109 ? S 0:00 sendmail: server qn-212-58-177-65.quicknet.nl [212.58.177.65] cmd read 15643 ? S 0:00 sendmail: server qn-212-127-170-234.quicknet.nl [212.127.170.234] cmd read 17522 ? S 0:01 sendmail: server qn-213-73-202-23.quicknet.nl [213.73.202.23] cmd read 17529 ? S 0:00 sendmail: server qn-212-127-128-210.quicknet.nl [212.127.128.210] cmd read 19948 ? S 0:00 sendmail: server [62.65.190.67] cmd read 20729 ? S 0:00 sendmail: server qn-212-127-128-210.quicknet.nl [212.127.128.210] cmd read 20909 ? S 0:00 sendmail: server 200-206-188-107.dsl.telesp.net.br [200.206.188.107] cmd read 23868 ? S 0:00 sendmail: h8391LPl023868 noba.nl [194.109.53.73]: DATA 27339 ? S 0:00 sendmail: h8397VPl027339 ecnwall.ecn.nl [130.112.251.6]: DATA 29707 ? S 0:00 sendmail: h839C0Pl029707 ecnwall.ecn.nl [130.112.251.6]: DATA 29767 ? S 0:00 sendmail: h839C6Pl029767 ecnwall.ecn.nl [130.112.251.6]: DATA 31644 ? S 0:00 sendmail: h839FcPn031644 qn-213-73-165-143.quicknet.nl [213.73.165.143]: DATA 32512 ? S 0:00 sendmail: h839GxPl032512 qn-212-58-177-65.quicknet.nl [212.58.177.65]: DATA 1252 ? S 0:03 sendmail: h839J9Pm001252 qn-212-127-192-40.quicknet.nl [212.127.192.40]: DATA 2110 ? 
S 0:00 sendmail: h839LBPl002110 qn-212-127-198-40.quicknet.nl [212.127.198.40]: DATA 7518 ? S 0:00 sendmail: h839UwPl007518 pD9EB7AC9.dip.t-dialin.net [217.235.122.201]: DATA 11199 ? S 0:00 sendmail: h839buPl011199 dslam152-237-59-62.adsl.zonnet.nl [62.59.237.152]: DATA 12706 ? S 0:00 sendmail: h839eQPl012706 dslam152-237-59-62.adsl.zonnet.nl [62.59.237.152]: DATA 14007 ? S 0:00 sendmail: server smtp1.versatel.com [62.58.16.73] cmd read 19003 ? S 0:00 sendmail: h839p1Pl019003 qn-212-58-177-65.quicknet.nl [212.58.177.65]: DATA 20124 ? S 0:00 sendmail: server [219.234.162.82] cmd read 25734 ? S 0:00 sendmail: server qn-212-127-177-74.quicknet.nl [212.127.177.74] cmd read 26390 ? S 0:00 sendmail: h83A1RPl026390 user-ae99ee.user.msu.edu [35.11.245.183]: DATA 32560 ? S 0:00 sendmail: h83A9cPl032560 qn-212-127-177-74.quicknet.nl [212.127.177.74]: DATA 313 ? S 0:00 sendmail: server [65.89.167.20] cmd read 896 ? S 0:00 sendmail: server mailserver.kadaster.nl [145.77.103.3] cmd read 4117 ? S 0:00 sendmail: server p508794FB.dip.t-dialin.net [80.135.148.251] cmd read 6086 ? S 0:00 sendmail: server c213-89-202-106.cm-upc.chello.se [213.89.202.106] cmd read 8400 ? S 0:00 sendmail: server qn-212-127-177-74.quicknet.nl [212.127.177.74] cmd read 10176 ? S 0:00 sendmail: server h31.122.114.64.cablerocket.net [64.114.122.31] (may be forged) cmd read 10261 ? S 8:46 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 10285 ? S 0:00 sendmail: h83ALJPl010285 qn-212-58-184-161.quicknet.nl [212.58.184.161]: DATA 10513 ? D 7:43 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 11768 ? S 6:43 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 11992 ? R 7:20 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 12208 ? R 7:36 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 12645 ? 
R 6:33 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 12831 ? D 5:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 13124 ? D 7:11 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 13788 ? R 6:54 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 14541 ? R 7:51 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 14721 ? S 0:00 sendmail: server h31.122.114.64.cablerocket.net [64.114.122.31] (may be forged) cmd read 15550 ? D 6:49 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 16150 ? S 5:54 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 16332 ? R 6:07 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 16578 ? D 6:12 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 16745 ? S 0:00 sendmail: h83ARwPl016745 dslam152-237-59-62.adsl.zonnet.nl [62.59.237.152]: DATA 21752 ? S 0:00 sendmail: h83AX4Pl021752 qn-213-73-214-107.quicknet.nl [213.73.214.107]: DATA 24361 ? S 0:00 sendmail: h83AZaPl024361 qn-212-127-131-211.quicknet.nl [212.127.131.211]: DATA 29830 ? S 0:00 sendmail: server smtpzilla5.xs4all.nl [194.109.127.141] cmd read 31223 ? D 0:00 sendmail: ./h830glL0006017 smartrelay.multikabel.net.: client DATA 354 31955 ? S 0:00 sendmail: server mail4.wehkamp.nl [194.151.96.131] cmd read 32059 ? S 0:00 sendmail: server mail2.wehkamp.nl [194.151.96.3] cmd read 32464 ? S 0:00 sendmail: server pcp01847262pcs.southk01.tn.comcast.net [68.47.244.85] cmd read 2916 ? S 0:00 sendmail: ./h833GNTW014802 from queue 3681 ? S 0:00 sendmail: h83AmOPl003681 pcp02513789pcs.towson01.md.comcast.net [68.34.1.178]: DATA 4049 ? 
S 0:00 sendmail: h83AmnPl004049 qn-213-73-190-117.quicknet.nl [213.73.190.117]: DATA 5476 ? S 0:00 sendmail: h83AoJPm005476 qn-213-73-178-9.quicknet.nl [213.73.178.9]: DATA 5896 ? S 0:00 sendmail: h83AoiPl005896 qn-213-73-159-189.quicknet.nl [213.73.159.189]: DATA 6063 ? S 0:00 sendmail: h83AouPl006063 qn-212-58-180-54.quicknet.nl [212.58.180.54]: DATA 6211 ? S 0:00 sendmail: h83Ap5Pl006211 qn-213-73-165-143.quicknet.nl [213.73.165.143]: DATA 7186 ? S 0:00 sendmail: h83Aq4Pn007186 qn-213-73-240-147.quicknet.nl [213.73.240.147]: DATA 7683 ? S 0:00 sendmail: h83AqYPl007683 dslam152-237-59-62.adsl.zonnet.nl [62.59.237.152]: DATA 7694 ? D 0:00 sendmail: ./h837AAPl025670 smartrelay.multikabel.net.: client DATA 354 7710 ? S 0:00 sendmail: h83AqaPn007710 qn-213-73-130-45.quicknet.nl [213.73.130.45]: DATA 8667 ? S 0:00 sendmail: h83ArbPl008667 qn-213-73-219-235.quicknet.nl [213.73.219.235]: DATA 9260 ? S 0:00 sendmail: h83AsDPl009260 qn-212-58-178-197.quicknet.nl [212.58.178.197]: DATA 9372 ? S 0:00 sendmail: h83AsPPl009372 mail2.mindef.nl [217.169.231.203]: DATA 11443 ? D 0:00 sendmail: smartrelay.multikabel.net.: idle 11477 ? S 0:00 sendmail: h83AuLPl011477 [61.42.121.78]: DATA 11646 ? S 0:00 sendmail: server smtpzilla1.xs4all.nl [194.109.127.137] cmd read 11658 ? S 0:00 sendmail: server ms3.zion4.com [216.128.86.2] cmd read 11774 ? S 0:00 sendmail: server qn-212-127-154-61.quicknet.nl [212.127.154.61] cmd read 11800 ? R 0:00 sendmail: smartrelay.multikabel.net.: idle 11868 ? D 0:00 sendmail: smartrelay.multikabel.net.: idle 11933 ? D 0:00 sendmail: smartrelay.multikabel.net.: idle 11997 ? S 0:00 sendmail: h83AvOPl011997 adsl-63-198-190-123.dsl.snfc21.pacbell.net [63.198.190.123]: DATA 12002 ? D 0:00 sendmail: smartrelay.multikabel.net.: idle 12003 ? S 0:00 sendmail: h83AvPPl012003 adsl-200-105-142-34.acelerate.com [200.105.142.34]: DATA 12027 ? S 0:00 sendmail: h83AvQPl012027 [210.212.244.7]: DATA 12032 ? 
S 0:00 sendmail: h83AvQPl012032 mx69.ofmx6.com [216.128.76.69]: MAIL FROM 12067 ? S 0:00 sendmail: h83AvUPl012067 xs195-241-221-127.dial.tiscali.nl [195.241.221.127]: DATA 12097 ? D 0:00 sendmail: running queue: /var/spool/mqueue 12106 ? D 0:00 sendmail: smartrelay.multikabel.net.: idle 12107 ? S 0:00 sendmail: h83AvVPl012107 qn-213-73-227-243.quicknet.nl [213.73.227.243]: DATA 12113 ? D 0:00 sendmail: running queue: /var/spool/mqueue 12161 ? S 0:00 sendmail: server alb-24-195-174-246.nycap.rr.com [24.195.174.246] cmd read 12162 ? S 0:00 sendmail: ./h83AjAIG000736 from queue 12163 ? D 0:00 sendmail: smartrelay.multikabel.net.: idle 12165 ? S 0:00 sendmail: startup with 200.49.41.226 12170 ? D 0:00 /usr/sbin/sendmail -qIh83AuWPl011560 -qIh83AuKPm011457 -qIh83AuUPl011544 -qIh83AuWPl011564 -qIh83AuYPl011568 -qIh83AuVPl011554 -qIh83AuXPl011566 -qIh83AuWPl011558 -qIh83AuTPm011532 12177 ? D 0:00 sendmail: running queue: /var/spool/mqueue 12210 ? S 0:00 sendmail: server qn-213-73-183-65.quicknet.nl [213.73.183.65] cmd read 12221 ? S 0:00 sendmail: server dns1.abc.com.py [200.61.117.238] cmd read 12226 ? D 0:00 /usr/sbin/sendmail -qIh83AvUPl012066 12228 ? D 0:00 /usr/sbin/sendmail -qIh83AuZPn011571 -qIh83AucPl011606 -qIh83AubPl011595 -qIh83AuSPl011520 -qIh83AubPl011601 -qIh83AuaPl011587 -qIh83AuaPl011581 -qIh83AuZPl011576 -qIh83AuaPl011584 -qIh83AuZPl011579 -qIh83AuaPl011588 -qIh83AubPl011600 -qIh83AucPl011602 12229 ? S 0:00 sendmail: h83AvgPl012229 [66.154.20.110]: DATA 12231 ? D 0:00 /usr/sbin/sendmail -qIh83AuqPm011716 -qIh83Av6Pl011861 -qIh83Av9Pl011918 -qIh83Av8Pl011914 -qIh83Av5Pl011857 -qIh83Av7Pl011895 -qIh83Av7Pl011909 -qIh83ApxPl007099 -qIh83Av8Pl011917 12235 ? S 0:00 sendmail: h83AvgPl012235 qn-213-73-152-24.quicknet.nl [213.73.152.24]: DATA 12239 ? D 0:00 sendmail: running queue: /var/spool/mqueue 12240 ? D 0:00 sendmail: running queue: /var/spool/mqueue 12241 ? D 0:00 sendmail: running queue: /var/spool/mqueue 12244 pts/1 S 0:00 grep -i mail 12246 ? 
R 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
[root@vmx10 mqueue]#

Bye,
Raymond.

From kylist at SHCORP.COM Wed Sep 3 14:02:24 2003
From: kylist at SHCORP.COM (Kurt Yoder)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030903084933.57527.qmail@web41414.mail.yahoo.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649689@pascal.priv.bmrb.co.uk> <20030903084933.57527.qmail@web41414.mail.yahoo.com>
Message-ID: <36591.10.10.1.71.1062594144.squirrel@webmailtest.shcorp.com>

lester lasad said:
>
>
> "Spicer, Kevin" wrote:
> Which queue?
>
> All are in the mqueue.in
>
> As I said, if you're happy to bypass MailScanner to get the mail
> delivered follow the instructions below.
>
> Tried running your commands and received the following:
>
>> service MailScanner stop
>
> Shutting down MailScanner daemons:
>
> MailScanner: [ OK ]
>
> incoming sendmail: [ OK ]
>
> outgoing sendmail: [ OK ]
>
>> mv /var/spool/mqueue.in/* /var/spool/mqueue
>
> sh: line 1: /bin/mv: Argument list too long

Here's a trick to get around this:

stop mailscanner as above

(stop sendmail service)
/etc/init.d/sendmail stop

mv /var/spool/mqueue /var/spool/mqueue.old
mv /var/spool/mqueue.in /var/spool/mqueue
mv /var/spool/mqueue.old /var/spool/mqueue.in

(start sendmail service)
/etc/init.d/sendmail start

Now sendmail should grab *everything* in the folder you just renamed to mqueue and deliver it.

--
Kurt Yoder
Sport & Health network administrator

From Kevin.Spicer at BMRB.CO.UK Wed Sep 3 14:09:20 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649696@pascal.priv.bmrb.co.uk>

> mv /var/spool/mqueue /var/spool/mqueue.old
> mv /var/spool/mqueue.in /var/spool/mqueue
> mv /var/spool/mqueue.old /var/spool/mqueue.in
>

Or simply...

find /var/spool/mqueue.in -type f -exec mv {} /var/spool/mqueue ';'

either way make sure you stop sendmail while doing this or you could get empty messages delivered.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From zfajfr at krnap.cz Wed Sep 3 14:17:11 2003
From: zfajfr at krnap.cz (Zdeněk Fajfr)
Date: Thu Jan 12 21:19:44 2006
Subject: Spam Action "Forward" doesn't work
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 2950 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030903/c3c0856b/attachment.jpe

From Kevin.Spicer at BMRB.CO.UK Wed Sep 3 14:32:38 2003
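The queue move from the "Mail Not Routing, stuck in /var/spool/mqueue.in" replies above (Kurt Yoder's directory swap and Kevin Spicer's find), written as one script. This is an added example, not code posted to the list: the function names and the MTA_CHECK override are assumptions, and moving the df (data) files before the qf (control) files is an extra precaution in line with the warning about empty messages.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and MTA_CHECK are
# assumptions made for this illustration.

# True if a process named exactly "sendmail" exists.
mta_running() {
    ps -e -o comm= 2>/dev/null | grep -qx 'sendmail'
}

# Number of regular files directly inside a directory.
count_files() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# move_queue SRC DST
# Moves every regular file in SRC into DST, prints how many were moved,
# and returns 0 only if SRC ends up empty of files.
move_queue() {
    src=$1
    dst=$2
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "move_queue: both arguments must be existing directories" >&2
        return 2
    fi
    # Refuse to touch the queue while the MTA is alive: a queue runner that
    # sees a half-moved message is the "empty messages" case from the thread.
    # MTA_CHECK lets a test substitute "true" or "false" for the real check.
    if ${MTA_CHECK:-mta_running}; then
        echo "move_queue: sendmail is running, stop it first" >&2
        return 3
    fi
    before=$(count_files "$src")
    # find hands each path straight to mv, so no shell glob is expanded and
    # the argument-size limit that broke "mv /var/spool/mqueue.in/*" is
    # never reached. -type f keeps SRC itself out of the move.
    # Pass 1: data files first, so a control file never arrives without
    # its body.
    find "$src" -maxdepth 1 -type f -name 'df*' -exec mv -- {} "$dst"/ \;
    # Pass 2: everything else (qf control files and any leftovers).
    find "$src" -maxdepth 1 -type f -exec mv -- {} "$dst"/ \;
    left=$(count_files "$src")
    echo $((before - left))
    [ "$left" -eq 0 ]
}

# Run as: sh move_queue.sh /var/spool/mqueue.in /var/spool/mqueue
if [ "$#" -eq 2 ]; then
    move_queue "$1" "$2"
fi
```
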
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:44 2006 Subject: Spam Action "Forward" doesn't work Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649697@pascal.priv.bmrb.co.uk> Zdenek Fajfr wrote: > Hi all, > I have a little problem with the spam action "forward". Please don't post html messages to mailing lists - especially those with images, particularly background images. Wasting bandwidth and disk storage is what we have users for ;) Thanks BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From chris at TRUDEAU.ORG Wed Sep 3 14:30:38 2003 From: chris at TRUDEAU.ORG (Chris Trudeau) Date: Thu Jan 12 21:19:44 2006 Subject: Spam Action "Forward" doesn't work References: Message-ID: <004701c3721f$90690460$5702010a@mscore.trusecure.net> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 2950 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030903/9554181e/attachment.jpe From Janssen at RZ.UNI-FRANKFURT.DE Wed Sep 3 14:29:51 2003 
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
References:
Message-ID:

On Wed, 3 Sep 2003, Raymond Dijkxhoorn wrote:

> > Please run both of the commands and send me the output.
> >
> > What processes are running?
> >
> > ps ax | grep -i mail
>
> [root@vmx10 mqueue]# ps ax | grep -i mail

[snip sendmail procs]

> qn-212-58-184-161.quicknet.nl [212.58.184.161]: DATA
> 10513 ? D 7:43 /usr/bin/perl -I/usr/lib/MailScanner

"D" means "uninterruptible sleep" (while doing I/O). This is bad. You can't even kill those processes with -9 Option (you shouldn't use kill -9 with MS anyway...).

In case the "D" state lasts long it's very bad. Those processes are idle waiting for disk I/O.

ps -C MailScanner o pid,wchan
strace -p <pid>
ls -l /proc/<pid>/fd/

might give further information what's going wrong (1: full name of the wait channel; 2: last system call yet in process; 3: open filedescriptors). This should work well on GNU/Linux Systems.

regards
Michael

From zfajfr at krnap.cz Wed Sep 3 14:42:11 2003
From: zfajfr at krnap.cz (Zdeněk Fajfr)
Date: Thu Jan 12 21:19:44 2006
Subject: Spam Action "Forward" doesn't work
In-Reply-To: <004701c3721f$90690460$5702010a@mscore.trusecure.net>
Message-ID:

I tried it without bounce flag with the same results. I also tried to put there just

Spam Actions = forward postmaster@krnap.cz
High Scoring Spam Actions = forward postmaster@krnap.cz

with no success

Zdenek

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Chris Trudeau Sent: Wednesday, September 03, 2003 3:31 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spam Action "Forward" doesn't work I may be wrong, but I believe if you bounce a message, the system treats that message as if it weren't received therefore does nothing more with it...Try removing the bounce from your config, restarting mailscanner and see if that makes a difference. CT ----- Original Message ----- 
From: Zden?k Fajfr To: MAILSCANNER@JISCMAIL.AC.UK Sent: Wednesday, September 03, 2003 9:17 AM Subject: Spam Action "Forward" doesn't work Hi all, I have a little problem with the spam action "forward". Here are the two lines from MailScanner.conf dealing with spam actions: Spam Actions = store forward postmaster@krnap.cz bounce High Scoring Spam Actions = store forward postmaster@krnap.cz bounce I just modified the suggested default values. Unfortunately NO forwarding occurs!!! Here is what MailScanner writes into mail logfile for every caught spam message: Sep 3 14:46:44 ns MailScanner[18921]: New Batch: Scanning 2 messages, 101903 bytes Sep 3 14:46:44 ns MailScanner[18921]: Spam Checks: Starting Sep 3 14:46:52 ns MailScanner[18921]: Message h83CkgIb019316 from 192.168.248.153 (sales@defsol.se) to ns.krnap.cz is spam, SpamAssassin (skore=10.5, vyzaduje 5, DATE_IN_PAST_96_XX 1.63, FORGED_MUA_OUTLOOK 3.48, MICROSOFT_EXECUTABLE 0.10, MIME_BOUND_NEXTPART 0.35, MIME_MISSING_BOUNDARY 0.16, MISSING_MIMEOLE 0.50, MSG_ID_ADDED_BY_MTA_3 0.67, NO_REAL_NAME 0.82, RAZOR2_CHECK 2.06, RCVD_IN_OSIRUSOFT_COM 0.55) Sep 3 14:46:52 ns MailScanner[18921]: Spam Checks: Found 1 spam messages Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316 actions are bounce,store,forward,postmaster@krnap.cz Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: (SpamAssassin) Bounce to sales@defsol.se The message is apparently bounced back to sender, it is also stored in quarantine but what about forwarding to postmaster? It's essential for me to know what messages have been marked as spam to be able to recognize false positives and take appropriate actions (changes in configuration, let the recipients know etc.) Could anybody help me where did I go wrong in configuration? I use MailScanner-4.23-11 with sendmail 8.12.9, SpamAssassin 2.55 and Clamav antivirus on Linux Mandrake 9.1 Thanks a lot for any help Z. 
Fajfr BTW: I regard MailScanner as an amazing piece of software, for it is very powerful, and yet relatively easy to configure (compare to clamav-milter, and especially Amavis) *********************************************** Zdenek Fajfr Department of Informatics & GIS The Krkonose Mts. National Park Adm. Dobrovskeho 3 54311 Vrchlabi Czech Republic The Heart of Europe *********************************************** Tel: (+420) 499 456 232, 737 225 439 Fax: (+420) 499 456 216, 499 422 095 E-mail: zfajfr@krnap.cz, zfajfr@click.cz Web: http://www.krnap.cz *********************************************** From zfajfr at krnap.cz Wed Sep 3 14:42:45 2003 From: zfajfr at krnap.cz (=?iso-8859-2?Q?Zden=ECk_Fajfr?=) Date: Thu Jan 12 21:19:44 2006 Subject: Spam Action "Forward" doesn't work In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649697@pascal.priv.bmrb.co.uk> Message-ID: sorry for the html format in my message Z. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Spicer, Kevin Sent: Wednesday, September 03, 2003 3:33 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spam Action "Forward" doesn't work Zdenek Fajfr wrote: > Hi all, > I have a little problem with the spam action "forward". Please don't post html messages to mailing lists - especially those with images, particularly background images. Wasting bandwidth and disk storage is what we have users for ;) Thanks BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From joan.bryan at KCL.AC.UK Wed Sep 3 14:41:59 2003 
From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:19:44 2006 Subject: It seems that viruses CAN slip through MailScanner under high load! In-Reply-To: References: Message-ID: Hi Bad news I'm afraid. We've just upgraded to MailScanner 4.23-11 and viruses are still slipping through. Admittedly our server is still under load. Thanks for any help. Joan On Fri, 29 Aug 2003 03:16:47 +0100 Brian Hoy wrote: > Hi all, > > Thanks to everyone for their comments and advice. It is very much > appreciated. And especially to Julian for finding and fixing the problem so > quickly! > > Our sendmail config does have the load settings configured that many of you > mentioned, but still the mail was flowing in! The input queue was growing > faster than Mailscanner could scan it, and the problem just kept compounding. > > The reason is that the "load average" stats are not always a good measure of > the real stress that the machine is under. If a machine is heavily using > swap space, then the disks and motherboard I/O bandwidth are being consumed > (and CPU also if the disks are ATA, rather than SCSI), yet no useful work is > being done. > > If a process is waiting on a page fault, I do not think that it is placed in > the OS's run queue until the page is loaded (and another page swapped out - > still more disk I/O!). If this is true then the load average does not > increase, yet the machine is clearly starting to struggle with the load. > This is what happened to us the other day. 
>
> If you want to experiment with this idea, compile this C program:
>
> // Compile with gcc -o vm_tester vm_tester.c
> //
> #include <stdio.h>
> #include <stdlib.h>
>
> #define NUM_PASSES 10
> #define MB_TO_ALLOC 128
> #define BYTES_TO_ALLOC (MB_TO_ALLOC * 1024*1024)
>
> int main(void)
> {
>     char *mem;
>     int pass, r, c;
>
>     if ((mem = (char *) malloc(BYTES_TO_ALLOC)) == NULL)
>     {
>         printf("malloc() failed");
>         exit(-1);
>     }
>
>     for (pass=0; pass<NUM_PASSES; pass++)
>     {
>         // Column-major walk: each step jumps 4096 bytes (one page),
>         // so successive writes land on different pages.
>         for (c=0; c<4096; c++)
>         {
>             for (r=0; r<BYTES_TO_ALLOC/4096; r++)
>             {
>                 mem[r*4096 + c]++;
>             }
>         }
>     }
>
>     return 0;
> }
>
> // -----------------------------------------------
>
> It allocates 128M of RAM, and increments bytes in a way that generates as
> many page faults as possible. As an initial suggestion, run as many of
> these programs as needed to consume all your RAM and watch your other
> processes struggle to get a slice of the CPU. BTW, don't do this on a
> production server, or try to consume more memory than your total VM - you
> have been warned!
>
> Use top and vmstat to watch things. If you start running more of these
> programs, then you find that the load average does not increase that much,
> but your disks are flat out, and machine responsiveness goes right out the
> window (esp on ATA disks).
>
> I still think my suggestion (in my first post) for an "unfair" way of
> selecting messages for scanning under "high load" has merit. When our mail
> gateway was stressed out the other day, I was using strace to monitor the
> system calls in the MailScanner processes, and they were spending 5-30mins
> just doing the stat() calls before locking messages for scanning.
>
> When your machine is really overloaded, let's do anything to concentrate the
> meagre available resources on clearing the queue in the most expedient fashion.
>
> Perhaps "high load" can be determined by the length of the input queue
> (rather than the misleading system load average), and be user configurable.
> > For example, if the input queue has in excess of 1000 messages waiting, peel > off any 30 for scanning. Ensure that no other MailScanner process evaluates > the length of the queue until a user configurable time has passed (15 > mins?). I know this is easier said than done, but I think it really would > help when the machine is steaming up shit creek. > > Another thought....Sendmail names all it's df and qf files, such that an > alphabetical listing is sorted by ascending time order too! If the other > MTAs are the same, then perhaps this fact could be used to remove all the > stat()s and still meet the fairness algorithm? > > Comments anyone? > > Regards, > Brian ---------------------- Joan Bryan Unix Systems Administrator Information Systems Telephone: +44 (0) 20 7848 2671 mailto:joan.bryan@kcl.ac.uk From mailscanner at ecs.soton.ac.uk Wed Sep 3 14:53:20 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:44 2006 Subject: Spam Action "Forward" doesn't work In-Reply-To: References: <004701c3721f$90690460$5702010a@mscore.trusecure.net> Message-ID: <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk> And you are restarting/reloading MailScanner after you change the conf file? At 14:42 03/09/2003, you wrote: >I tried it without bounce flag with the same results. I also tried to put >there just > >Spam Actions = forward postmaster@krnap.cz >High Scoring Spam Actions = forward postmaster@krnap.cz > >with no success > > >Zdenek > > > > > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf >Of Chris Trudeau >Sent: Wednesday, September 03, 2003 3:31 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Spam Action "Forward" doesn't work > > >I may be wrong, but I believe if you bounce a message, the system treats >that message as if it weren't received therefore does nothing more with >it...Try removing the bounce from your config, restarting mailscanner and >see if that makes a difference. > >CT > >----- Original Message ----- 
>From: Zden?k Fajfr >To: MAILSCANNER@JISCMAIL.AC.UK >Sent: Wednesday, September 03, 2003 9:17 AM >Subject: Spam Action "Forward" doesn't work > > >Hi all, >I have a little problem with the spam action "forward". Here are the two >lines from MailScanner.conf dealing with spam actions: > >Spam Actions = store forward postmaster@krnap.cz bounce >High Scoring Spam Actions = store forward postmaster@krnap.cz bounce > >I just modified the suggested default values. Unfortunately NO forwarding >occurs!!! > >Here is what MailScanner writes into mail logfile for every caught spam >message: > >Sep 3 14:46:44 ns MailScanner[18921]: New Batch: Scanning 2 messages, >101903 bytes >Sep 3 14:46:44 ns MailScanner[18921]: Spam Checks: Starting >Sep 3 14:46:52 ns MailScanner[18921]: Message h83CkgIb019316 from >192.168.248.153 (sales@defsol.se) to ns.krnap.cz is spam, SpamAssassin >(skore=10.5, vyzaduje 5, DATE_IN_PAST_96_XX 1.63, FORGED_MUA_OUTLOOK 3.48, >MICROSOFT_EXECUTABLE 0.10, MIME_BOUND_NEXTPART 0.35, MIME_MISSING_BOUNDARY >0.16, MISSING_MIMEOLE 0.50, MSG_ID_ADDED_BY_MTA_3 0.67, NO_REAL_NAME 0.82, >RAZOR2_CHECK 2.06, RCVD_IN_OSIRUSOFT_COM 0.55) >Sep 3 14:46:52 ns MailScanner[18921]: Spam Checks: Found 1 spam messages >Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316 >actions are bounce,store,forward,postmaster@krnap.cz >Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: (SpamAssassin) Bounce >to sales@defsol.se > >The message is apparently bounced back to sender, it is also stored in >quarantine but what about forwarding to postmaster? It's essential for me to >know what messages have been marked as spam to be able to recognize false >positives and take appropriate actions (changes in configuration, let the >recipients know etc.) >Could anybody help me where did I go wrong in configuration? > >I use MailScanner-4.23-11 with sendmail 8.12.9, SpamAssassin 2.55 and Clamav >antivirus on Linux Mandrake 9.1 > >Thanks a lot for any help > >Z. 
Fajfr > >BTW: I regard MailScanner as an amazing piece of software, for it is very >powerful, and yet relatively easy to configure (compare to clamav-milter, >and especially Amavis) > > > >*********************************************** >Zdenek Fajfr >Department of Informatics & GIS >The Krkonose Mts. National Park Adm. >Dobrovskeho 3 >54311 Vrchlabi >Czech Republic >The Heart of Europe >*********************************************** >Tel: (+420) 499 456 232, 737 225 439 >Fax: (+420) 499 456 216, 499 422 095 >E-mail: zfajfr@krnap.cz, zfajfr@click.cz >Web: http://www.krnap.cz >*********************************************** -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Sep 3 14:52:33 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:44 2006 Subject: It seems that viruses CAN slip through MailScanner under high load! In-Reply-To: References: Message-ID: <5.2.0.9.2.20030903145054.046aac30@imap.ecs.soton.ac.uk> Please can you double and triple check that you have the correct version of SweepViruses.pm. Please pwd ls -l SweepViruses.pm sum SweepViruses.pm and mail me the output. At 14:41 03/09/2003, you wrote: >Hi > >Bad news I'm afraid. We've just upgraded to MailScanner 4.23-11 and >viruses are still slipping through. Admittedly our server is still >under load. > >Thanks for any help. > >Joan > > > >On Fri, 29 Aug 2003 03:16:47 +0100 Brian Hoy >wrote: > > > Hi all, > > > > Thanks to everyone for their comments and advice. It is very much > > appreciated. And especially to Julian for finding and fixing the > problem so > > quickly! > > > > Our sendmail config does have the load settings configured that many of you > > mentioned, but still the mail was flowing in! The input queue was growing > > faster than Mailscanner could scan it, and the problem just kept > compounding. > > > > The reason is that the "load average" stats are not always a good > measure of > > the real stress that the machine is under. If a machine is heavily using > > swap space, then the disks and motherboard I/O bandwidth are being consumed > > (and CPU also if the disks are ATA, rather than SCSI), yet no useful > work is > > being done. > > > > If a process is waiting on a page fault, I do not think that it is > placed in > > the OS's run queue until the page is loaded (and another page swapped out - > > still more disk I/O!). If this is true then the load average does not > > increase, yet the machine is clearly starting to struggle with the load. > > This is what happened to us the other day. 
> >
> > If you want to experiment with this idea, compile this C program:
> >
> > // Compile with gcc -o vm_tester vm_tester.c
> > //
> > #include <stdio.h>
> > #include <stdlib.h>
> >
> > #define NUM_PASSES 10
> > #define MB_TO_ALLOC 128
> > #define BYTES_TO_ALLOC (MB_TO_ALLOC * 1024*1024)
> >
> > int main(void)
> > {
> >     char *mem;
> >     int pass, r, c;
> >
> >     if ((mem = (char *) malloc(BYTES_TO_ALLOC)) == NULL)
> >     {
> >         printf("malloc() failed");
> >         exit(-1);
> >     }
> >
> >     for (pass=0; pass<NUM_PASSES; pass++)
> >     {
> >         // Column-major walk: each step jumps 4096 bytes (one page),
> >         // so successive writes land on different pages.
> >         for (c=0; c<4096; c++)
> >         {
> >             for (r=0; r<BYTES_TO_ALLOC/4096; r++)
> >             {
> >                 mem[r*4096 + c]++;
> >             }
> >         }
> >     }
> >
> >     return 0;
> > }
> >
> > // -----------------------------------------------
> >
> > It allocates 128M of RAM, and increments bytes in a way that generates as
> > many page faults as possible. As an initial suggestion, run as many of
> > these programs as needed to consume all your RAM and watch your other
> > processes struggle to get a slice of the CPU. BTW, don't do this on a
> > production server, or try to consume more memory than your total VM - you
> > have been warned!
> >
> > Use top and vmstat to watch things. If you start running more of these
> > programs, then you find that the load average does not increase that much,
> > but your disks are flat out, and machine responsiveness goes right out the
> > window (esp on ATA disks).
> >
> > I still think my suggestion (in my first post) for an "unfair" way of
> > selecting messages for scanning under "high load" has merit. When our mail
> > gateway was stressed out the other day, I was using strace to monitor the
> > system calls in the MailScanner processes, and they were spending 5-30mins
> > just doing the stat() calls before locking messages for scanning.
> >
> > When your machine is really overloaded, let's do anything to concentrate the
> > meagre available resources on clearing the queue in the most expedient
> fashion.
> > > > Perhaps "high load" can be determined by the length of the input queue > > (rather than the misleading system load average), and be user configurable. > > > > For example, if the input queue has in excess of 1000 messages waiting, > peel > > off any 30 for scanning. Ensure that no other MailScanner process > evaluates > > the length of the queue until a user configurable time has passed (15 > > mins?). I know this is easier said than done, but I think it really would > > help when the machine is steaming up shit creek. > > > > Another thought....Sendmail names all it's df and qf files, such that an > > alphabetical listing is sorted by ascending time order too! If the other > > MTAs are the same, then perhaps this fact could be used to remove all the > > stat()s and still meet the fairness algorithm? > > > > Comments anyone? > > > > Regards, > > Brian > >---------------------- >Joan Bryan >Unix Systems Administrator >Information Systems >Telephone: +44 (0) 20 7848 2671 >mailto:joan.bryan@kcl.ac.uk -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From michele at BLACKNIGHTSOLUTIONS.COM Wed Sep 3 15:07:25 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions)
Date: Thu Jan 12 21:19:44 2006
Subject: F-prot revisited
Message-ID: <200309031407.h83E7GM15445@camelot.blacknightsolutions.com>

I know this was discussed some time back, but sifting through older mail I can't see a clear answer.

Which version / license of F-Prot should be used for MailScanner on *nix ?

#########################################################
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited.

From joan.bryan at KCL.AC.UK Wed Sep 3 15:26:21 2003
From: joan.bryan at KCL.AC.UK (Joan Bryan)
Date: Thu Jan 12 21:19:44 2006
Subject: It seems that viruses CAN slip through MailScanner under high load!
In-Reply-To: <5.2.0.9.2.20030903145054.046aac30@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030903145054.046aac30@imap.ecs.soton.ac.uk>
Message-ID: <200309031421.h83ELN3T012177@angelo.kcl.ac.uk>

Message-ID:
Priority: NORMAL
X-Mailer: Execmail for Win32 5.1.1 Build (10)
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"

On Wed, 3 Sep 2003 14:52:33 +0100 Julian Field wrote:

> Please can you double and triple check that you have the correct version of
> SweepViruses.pm.
> Please
> pwd
/usr/local/MailScanner/lib/MailScanner
> ls -l SweepViruses.pm
-rwxr-xr-x 1 root root 68070 Aug 28 12:30 SweepViruses.pm
> sum SweepViruses.pm
49919 133 SweepViruses.pm

I have just corrected a probable misconfiguration on my part in MailScanner.conf in that the number of Unscanned messages per scan was higher than the Unsafe messages per scan. I've had no reported problems since 3pm.

Thanks for your help.

Joan

From chris at TRUDEAU.ORG Wed Sep 3 15:34:29 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:19:44 2006
Subject: Security/Policy question
References: <004701c3721f$90690460$5702010a@mscore.trusecure.net> <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk>
Message-ID: <008f01c37228$7bb45520$5702010a@mscore.trusecure.net>

This has likely already been discussed, but I can't quite piece together the rules logic and MTA components required to actually do this...I'm thinking it's part of "domain specific white/blacklisting" in the CustomerConfig.pm, but I'm not sure.

Consider the following scenario:

I have a mailscanner system providing service for several domains as a gateway. I would like to block email originating from any location OTHER than my assigned next hop mail gateways which has a sender address of that protected domain.

See WEAK ASCII below:

example.com       MS
mail server       Gateway       Internet
     |               |              |
-----------------------------------------

so any mail that comes from the Internet with a sender domain of example.com should be blocked.

Any ideas

MTA is postfix.

CT

From david at PLATFORMHOSTING.COM Wed Sep 3 15:40:52 2003
From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:19:44 2006 Subject: Spam Action "Forward" doesn't work In-Reply-To: <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk> References: <004701c3721f$90690460$5702010a@mscore.trusecure.net> <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk> Message-ID: <3F55FD74.60007@platformhosting.com> Julian, I have noticed a similar thing, forward just doesn't seem to work for me either. -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com Julian Field wrote: > And you are restarting/reloading MailScanner after you change the conf > file? > > At 14:42 03/09/2003, you wrote: > >> I tried it without bounce flag with the same results. I also tried to put >> there just >> >> Spam Actions = forward postmaster@krnap.cz >> High Scoring Spam Actions = forward postmaster@krnap.cz >> >> with no success >> >> >> Zdenek >> >> >> >> >> >> >> -----Original Message----- >> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >> Behalf >> Of Chris Trudeau >> Sent: Wednesday, September 03, 2003 3:31 PM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: Spam Action "Forward" doesn't work >> >> >> I may be wrong, but I believe if you bounce a message, the system treats >> that message as if it weren't received therefore does nothing more with >> it...Try removing the bounce from your config, restarting mailscanner and >> see if that makes a difference. >> >> CT >> >> ----- Original Message ----- 
>> From: Zden?k Fajfr >> To: MAILSCANNER@JISCMAIL.AC.UK >> Sent: Wednesday, September 03, 2003 9:17 AM >> Subject: Spam Action "Forward" doesn't work >> >> >> Hi all, >> I have a little problem with the spam action "forward". Here are the two >> lines from MailScanner.conf dealing with spam actions: >> >> Spam Actions = store forward postmaster@krnap.cz bounce >> High Scoring Spam Actions = store forward postmaster@krnap.cz bounce >> >> I just modified the suggested default values. Unfortunately NO forwarding >> occurs!!! >> >> Here is what MailScanner writes into mail logfile for every caught spam >> message: >> >> Sep 3 14:46:44 ns MailScanner[18921]: New Batch: Scanning 2 messages, >> 101903 bytes >> Sep 3 14:46:44 ns MailScanner[18921]: Spam Checks: Starting >> Sep 3 14:46:52 ns MailScanner[18921]: Message h83CkgIb019316 from >> 192.168.248.153 (sales@defsol.se) to ns.krnap.cz is spam, SpamAssassin >> (skore=10.5, vyzaduje 5, DATE_IN_PAST_96_XX 1.63, FORGED_MUA_OUTLOOK >> 3.48, >> MICROSOFT_EXECUTABLE 0.10, MIME_BOUND_NEXTPART 0.35, >> MIME_MISSING_BOUNDARY >> 0.16, MISSING_MIMEOLE 0.50, MSG_ID_ADDED_BY_MTA_3 0.67, NO_REAL_NAME >> 0.82, >> RAZOR2_CHECK 2.06, RCVD_IN_OSIRUSOFT_COM 0.55) >> Sep 3 14:46:52 ns MailScanner[18921]: Spam Checks: Found 1 spam messages >> Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message >> h83CkgIb019316 >> actions are bounce,store,forward,postmaster@krnap.cz >> Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: (SpamAssassin) >> Bounce >> to sales@defsol.se >> >> The message is apparently bounced back to sender, it is also stored in >> quarantine but what about forwarding to postmaster? It's essential for >> me to >> know what messages have been marked as spam to be able to recognize false >> positives and take appropriate actions (changes in configuration, let the >> recipients know etc.) >> Could anybody help me where did I go wrong in configuration? 
>> >> I use MailScanner-4.23-11 with sendmail 8.12.9, SpamAssassin 2.55 and >> Clamav >> antivirus on Linux Mandrake 9.1 >> >> Thanks a lot for any help >> >> Z. Fajfr >> >> BTW: I regard MailScanner as an amazing piece of software, for it is very >> powerful, and yet relatively easy to configure (compare to clamav-milter, >> and especially Amavis) >> >> >> >> *********************************************** >> Zdenek Fajfr >> Department of Informatics & GIS >> The Krkonose Mts. National Park Adm. >> Dobrovskeho 3 >> 54311 Vrchlabi >> Czech Republic >> The Heart of Europe >> *********************************************** >> Tel: (+420) 499 456 232, 737 225 439 >> Fax: (+420) 499 456 216, 499 422 095 >> E-mail: zfajfr@krnap.cz, zfajfr@click.cz >> Web: http://www.krnap.cz >> *********************************************** > > ======================================================================== This message has been scanned for viruses and unsafe content by Platform Mail Security To report SPAM forward the message to: spam@mailsecurity.net.au To report incorrectly tagged messages: notspam@mailsecurity.net.au Platform Mail Security www.mailsecurity.net.au Platform Hosting www.platformhosting.com ======================================================================== From mailscanner at ecs.soton.ac.uk Wed Sep 3 15:38:02 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:44 2006 Subject: Spam Action "Forward" doesn't work In-Reply-To: <3F55FD74.60007@platformhosting.com> References: <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk> <004701c3721f$90690460$5702010a@mscore.trusecure.net> <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030903153748.0478d3c8@imap.ecs.soton.ac.uk> Which MTA are you using? It appears to work on my sendmail setup. At 15:40 03/09/2003, you wrote: >Julian, > >I have noticed a similar thing, forward just doesn't seem to work for me >either. > >-- >Regards, > >David Hooton >Senior Partner >Platform Hosting >1300 85 HOST >www.platformhosting.com > >Julian Field wrote: > >>And you are restarting/reloading MailScanner after you change the conf file? >>At 14:42 03/09/2003, you wrote: >> >>>I tried it without bounce flag with the same results. I also tried to put >>>there just >>> >>>Spam Actions = forward postmaster@krnap.cz >>>High Scoring Spam Actions = forward postmaster@krnap.cz >>> >>>with no success >>> >>> >>>Zdenek >>> >>> >>> >>> >>> >>> >>>-----Original Message----- >>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf >>>Of Chris Trudeau >>>Sent: Wednesday, September 03, 2003 3:31 PM >>>To: MAILSCANNER@JISCMAIL.AC.UK >>>Subject: Re: Spam Action "Forward" doesn't work >>> >>> >>>I may be wrong, but I believe if you bounce a message, the system treats >>>that message as if it weren't received therefore does nothing more with >>>it...Try removing the bounce from your config, restarting mailscanner and >>>see if that makes a difference. >>> >>>CT >>> >>>----- Original Message ----- 
>>>From: Zden?k Fajfr >>>To: MAILSCANNER@JISCMAIL.AC.UK >>>Sent: Wednesday, September 03, 2003 9:17 AM >>>Subject: Spam Action "Forward" doesn't work >>> >>> >>>Hi all, >>>I have a little problem with the spam action "forward". Here are the two >>>lines from MailScanner.conf dealing with spam actions: >>> >>>Spam Actions = store forward postmaster@krnap.cz bounce >>>High Scoring Spam Actions = store forward postmaster@krnap.cz bounce >>> >>>I just modified the suggested default values. Unfortunately NO forwarding >>>occurs!!! >>> >>>Here is what MailScanner writes into mail logfile for every caught spam >>>message: >>> >>>Sep 3 14:46:44 ns MailScanner[18921]: New Batch: Scanning 2 messages, >>>101903 bytes >>>Sep 3 14:46:44 ns MailScanner[18921]: Spam Checks: Starting >>>Sep 3 14:46:52 ns MailScanner[18921]: Message h83CkgIb019316 from >>>192.168.248.153 (sales@defsol.se) to ns.krnap.cz is spam, SpamAssassin >>>(skore=10.5, vyzaduje 5, DATE_IN_PAST_96_XX 1.63, FORGED_MUA_OUTLOOK 3.48, >>>MICROSOFT_EXECUTABLE 0.10, MIME_BOUND_NEXTPART 0.35, MIME_MISSING_BOUNDARY >>>0.16, MISSING_MIMEOLE 0.50, MSG_ID_ADDED_BY_MTA_3 0.67, NO_REAL_NAME 0.82, >>>RAZOR2_CHECK 2.06, RCVD_IN_OSIRUSOFT_COM 0.55) >>>Sep 3 14:46:52 ns MailScanner[18921]: Spam Checks: Found 1 spam messages >>>Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316 >>>actions are bounce,store,forward,postmaster@krnap.cz >>>Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: (SpamAssassin) Bounce >>>to sales@defsol.se >>> >>>The message is apparently bounced back to sender, it is also stored in >>>quarantine but what about forwarding to postmaster? It's essential for me to >>>know what messages have been marked as spam to be able to recognize false >>>positives and take appropriate actions (changes in configuration, let the >>>recipients know etc.) >>>Could anybody help me where did I go wrong in configuration? 
>>> >>>I use MailScanner-4.23-11 with sendmail 8.12.9, SpamAssassin 2.55 and Clamav >>>antivirus on Linux Mandrake 9.1 >>> >>>Thanks a lot for any help >>> >>>Z. Fajfr >>> >>>BTW: I regard MailScanner as an amazing piece of software, for it is very >>>powerful, and yet relatively easy to configure (compare to clamav-milter, >>>and especially Amavis) >>> >>> >>> >>>*********************************************** >>>Zdenek Fajfr >>>Department of Informatics & GIS >>>The Krkonose Mts. National Park Adm. >>>Dobrovskeho 3 >>>54311 Vrchlabi >>>Czech Republic >>>The Heart of Europe >>>*********************************************** >>>Tel: (+420) 499 456 232, 737 225 439 >>>Fax: (+420) 499 456 216, 499 422 095 >>>E-mail: zfajfr@krnap.cz, zfajfr@click.cz >>>Web: http://www.krnap.cz >>>*********************************************** > > > >======================================================================== > This message has been scanned for viruses and unsafe content by > Platform Mail Security > > To report SPAM forward the message to: spam@mailsecurity.net.au > To report incorrectly tagged messages: notspam@mailsecurity.net.au > > Platform Mail Security www.mailsecurity.net.au > Platform Hosting www.platformhosting.com > >======================================================================== > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Sep 3 15:41:25 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:44 2006
Subject: F-prot revisited
In-Reply-To: <200309031407.h83E7GM15445@camelot.blacknightsolutions.com>
Message-ID: <5.2.0.9.2.20030903154050.04683c20@imap.ecs.soton.ac.uk>

At 15:07 03/09/2003, you wrote:
>I know this was discussed some time back, but sifting through older mail I
>can't see a clear answer.
>
>Which version / license of F-Prot should be used for MailScanner on *nix ?

They say you need to license the mail server version.
You only actually need any features that are in the desktop/workstation version.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From errol.neal at ENHTECH.COM Wed Sep 3 15:51:58 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:44 2006
Subject: Disabling OSIRUSOFT
Message-ID: <5.1.0.14.0.20030903104929.02d889e0@mail.enhtech.com>

Since the demise of OSIRUSOFT, is there a way to tell SA not to use it? I mean other than just setting the scores to 0 for all OSI related rules.

Errol

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From steve.freegard at LBSLTD.CO.UK Wed Sep 3 16:07:39 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:19:44 2006
Subject: Disabling OSIRUSOFT
Message-ID: <67D9E7698329D411936E00508B6590B902773ACB@neelix.lbsltd.co.uk>

Hey Errol,

I'm using the following in spam.assassin.prefs.conf:

score RCVD_IN_OSIRUSOFT_COM 0
score X_OSIRU_DUL 0
score X_OSIRU_DUL_FH 0
score X_OSIRU_OPEN_RELAY 0
score X_OSIRU_SPAMWARE_SITE 0
score X_OSIRU_SPAM_SRC 0

Kind regards,
Steve.

-----Original Message-----
From: Errol Neal [mailto:errol.neal@ENHTECH.COM]
Sent: 03 September 2003 15:52
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Disabling OSIRUSOFT

Since the demise of OSIRUSOFT, is there a way to tell SA not to use it? I mean other than just setting the scores to 0 for all OSI related rules.

Errol

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From chris at TRUDEAU.ORG Wed Sep 3 16:07:33 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:19:44 2006
Subject: Disabling OSIRUSOFT
References: <5.1.0.14.0.20030903104929.02d889e0@mail.enhtech.com>
Message-ID: <00c601c3722d$1a6de3d0$5702010a@mscore.trusecure.net>

the SA mailing list had a number of posts over the last week or so about this... but try this:

Make the following lines in your /usr/share/spamassassin/50_scores.cf reflect these changes:

score RCVD_IN_OSIRUSOFT_COM 0.0
score X_OSIRU_DUL 0.0
score X_OSIRU_DUL_FH 0.0
score X_OSIRU_OPEN_RELAY 0.0
score X_OSIRU_SPAMWARE_SITE 0.0
score X_OSIRU_SPAM_SRC 0.0

CT

----- Original Message -----
From: "Errol Neal" To: Sent: Wednesday, September 03, 2003 10:51 AM Subject: Disabling OSIRUSOFT > Since the demise of OSIRUSOFT, is their a way to tell SA not to use it? I > mean other than just setting the scores to 0 for all OSI related rules. > > Errol > > Errol Neal, Systems/Network Administrator > eneal@enhtech.com > Enhanced Technologies Inc. > http://www.enhtech.com > 703-924-0301 or 800-368-3249 > 703-924-0302 Fax From david at PLATFORMHOSTING.COM Wed Sep 3 16:13:25 2003 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:19:44 2006 Subject: Spam Action "Forward" doesn't work In-Reply-To: <5.2.0.9.2.20030903153748.0478d3c8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk> <004701c3721f$90690460$5702010a@mscore.trusecure.net> <5.2.0.9.2.20030903145303.03fa9370@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030903153748.0478d3c8@imap.ecs.soton.ac.uk> Message-ID: <3F560515.6060006@platformhosting.com> Sendmail with MS 4.22-5 -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com Julian Field wrote: > Which MTA are you using? It appears to work on my sendmail setup. > > At 15:40 03/09/2003, you wrote: > >> Julian, >> >> I have noticed a similar thing, forward just doesn't seem to work for >> me either. >> >> -- >> Regards, >> >> David Hooton >> Senior Partner >> Platform Hosting >> 1300 85 HOST >> www.platformhosting.com >> >> Julian Field wrote: >> >>> And you are restarting/reloading MailScanner after you change the >>> conf file? >>> At 14:42 03/09/2003, you wrote: >>> >>>> I tried it without bounce flag with the same results. I also tried >>>> to put >>>> there just >>>> >>>> Spam Actions = forward postmaster@krnap.cz >>>> High Scoring Spam Actions = forward postmaster@krnap.cz >>>> >>>> with no success >>>> >>>> >>>> Zdenek >>>> >>>> >>>> >>>> >>>> >>>> >>>> -----Original Message----- 
>>>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >>>> Behalf >>>> Of Chris Trudeau >>>> Sent: Wednesday, September 03, 2003 3:31 PM >>>> To: MAILSCANNER@JISCMAIL.AC.UK >>>> Subject: Re: Spam Action "Forward" doesn't work >>>> >>>> >>>> I may be wrong, but I believe if you bounce a message, the system >>>> treats >>>> that message as if it weren't received therefore does nothing more with >>>> it...Try removing the bounce from your config, restarting >>>> mailscanner and >>>> see if that makes a difference. >>>> >>>> CT >>>> >>>> ----- Original Message ----- 
>>>> From: Zden?k Fajfr >>>> To: MAILSCANNER@JISCMAIL.AC.UK >>>> Sent: Wednesday, September 03, 2003 9:17 AM >>>> Subject: Spam Action "Forward" doesn't work >>>> >>>> >>>> Hi all, >>>> I have a little problem with the spam action "forward". Here are the >>>> two >>>> lines from MailScanner.conf dealing with spam actions: >>>> >>>> Spam Actions = store forward postmaster@krnap.cz bounce >>>> High Scoring Spam Actions = store forward postmaster@krnap.cz bounce >>>> >>>> I just modified the suggested default values. Unfortunately NO >>>> forwarding >>>> occurs!!! >>>> >>>> Here is what MailScanner writes into mail logfile for every caught spam >>>> message: >>>> >>>> Sep 3 14:46:44 ns MailScanner[18921]: New Batch: Scanning 2 messages, >>>> 101903 bytes >>>> Sep 3 14:46:44 ns MailScanner[18921]: Spam Checks: Starting >>>> Sep 3 14:46:52 ns MailScanner[18921]: Message h83CkgIb019316 from >>>> 192.168.248.153 (sales@defsol.se) to ns.krnap.cz is spam, SpamAssassin >>>> (skore=10.5, vyzaduje 5, DATE_IN_PAST_96_XX 1.63, FORGED_MUA_OUTLOOK >>>> 3.48, >>>> MICROSOFT_EXECUTABLE 0.10, MIME_BOUND_NEXTPART 0.35, >>>> MIME_MISSING_BOUNDARY >>>> 0.16, MISSING_MIMEOLE 0.50, MSG_ID_ADDED_BY_MTA_3 0.67, NO_REAL_NAME >>>> 0.82, >>>> RAZOR2_CHECK 2.06, RCVD_IN_OSIRUSOFT_COM 0.55) >>>> Sep 3 14:46:52 ns MailScanner[18921]: Spam Checks: Found 1 spam >>>> messages >>>> Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message >>>> h83CkgIb019316 >>>> actions are bounce,store,forward,postmaster@krnap.cz >>>> Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: (SpamAssassin) >>>> Bounce >>>> to sales@defsol.se >>>> >>>> The message is apparently bounced back to sender, it is also stored in >>>> quarantine but what about forwarding to postmaster? It's essential >>>> for me to >>>> know what messages have been marked as spam to be able to recognize >>>> false >>>> positives and take appropriate actions (changes in configuration, >>>> let the >>>> recipients know etc.) 
>>>> Could anybody help me where did I go wrong in configuration? >>>> >>>> I use MailScanner-4.23-11 with sendmail 8.12.9, SpamAssassin 2.55 >>>> and Clamav >>>> antivirus on Linux Mandrake 9.1 >>>> >>>> Thanks a lot for any help >>>> >>>> Z. Fajfr >>>> >>>> BTW: I regard MailScanner as an amazing piece of software, for it is >>>> very >>>> powerful, and yet relatively easy to configure (compare to >>>> clamav-milter, >>>> and especially Amavis) >>>> >>>> >>>> >>>> *********************************************** >>>> Zdenek Fajfr >>>> Department of Informatics & GIS >>>> The Krkonose Mts. National Park Adm. >>>> Dobrovskeho 3 >>>> 54311 Vrchlabi >>>> Czech Republic >>>> The Heart of Europe >>>> *********************************************** >>>> Tel: (+420) 499 456 232, 737 225 439 >>>> Fax: (+420) 499 456 216, 499 422 095 >>>> E-mail: zfajfr@krnap.cz, zfajfr@click.cz >>>> Web: http://www.krnap.cz >>>> *********************************************** ======================================================================== This message has been scanned for viruses and unsafe content by Platform Mail Security To report SPAM forward the message to: spam@mailsecurity.net.au To report incorrectly tagged messages: notspam@mailsecurity.net.au Platform Mail Security www.mailsecurity.net.au Platform Hosting www.platformhosting.com ======================================================================== From joshua.hirsh at PARTNERSOLUTIONS.CA Wed Sep 3 16:24:09 2003 
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:19:44 2006 Subject: Spam Action "Forward" doesn't work Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5AC4@eqmail1.efni.vpn> I haven't run into any issues with forward as an action. Perhaps the only difference for me is that I still deliver the spam, but forward it to another address as well. MS 4.23-11 and Postfix 2.0.13. Cheers, -- Joshua Hirsh Systems Administration Partner Solutions/ING Canada 455, avenue Saint-Joseph Saint-Hyacinthe, Quebec J2S 8K8 (450) 778-9580 ext. 3798 joshua.hirsh@partnersolutions.ca From Kevin_Miller at CI.JUNEAU.AK.US Wed Sep 3 16:45:01 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:19:44 2006 Subject: F-prot revisited Message-ID: <08146035CA49D6119A36009027AC822A0264E6DF@CITY-EXCH-NTS> F-Prot says the email version. I bought a license last spring when it was still just $300 a whack. Now it's based on users and quite expensive IMHO. On my secondary mail server I installed F-Secure (and clam). The F-Secure people were willing to work with me pricewise. You might contact them and see what they'll do for you. F-Prot didn't seem to want to. Next spring when the F-Prot license runs out, I'll roll that machine to F-Secure as well... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 >-----Original Message----- 
>From: Michele Neylon:: Blacknight Solutions >[mailto:michele@BLACKNIGHTSOLUTIONS.COM] >Sent: Wednesday, September 03, 2003 6:07 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: F-prot revisited > > >I know this was discussed some time back, but sifting through >older mail I >can't see a clear answer. > >Which version / license of F-Prot should be used for >MailScanner on *nix ? > > > >######################################################### >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance to it is prohibited. > From christo at AFGLASS.CO.ZA Wed Sep 3 16:48:20 2003 From: christo at AFGLASS.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:19:44 2006 Subject: Newbie question related to file type filters In-Reply-To: <5.2.0.9.2.20030903095427.03ee97c8@imap.ecs.soton.ac.uk> Message-ID: <00c301c37232$cd151cb0$660210ac@christo> Thanx I got the post. Only subscribed today. Please Help with following. In the example below In filetype.allowall.rules.conf put (separated by tabs, not spaces) allow . - - How can I block executables and allow media files. What is each 'field' representing. The . 1st - and second - Thanx -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, September 03, 2003 10:55 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Newbie question related to file type filters See my postings from yesterday or the day before that include the work "filetype.rules.conf". You'll find them in the archive. At 07:31 03/09/2003, you wrote: >Hi > >I only configured my MS server last week and it works fine. Spam >dropped by about 90% > >OK My question. > >By default MS blocks all Executable and Media file types from the >filetype.rules.conf file. How can I setup a MS rule to let through >these files only for certain email addresses and let the others be >blocked. One small rule file example will be enough > >Thanx > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. Mailscanner thanks >transtec Computers for their support. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks transtec Computers for their support. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks transtec Computers for their support. From lists at TRCINTL.COM Wed Sep 3 16:51:17 2003 
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:19:44 2006
Subject: F-prot revisited
Message-ID:

What is the price for F-Secure? Looking at their web site, I see a server version for nix's that is under $300.00. Is that the F-Secure product that others are using? If so, I may go that route unless anyone can recommend against it.

>F-Prot says the email version. I bought a license last spring when it was
>still just $300 a whack. Now it's based on users and quite expensive
>IMHO. On my secondary mail server I installed F-Secure (and clam). The F-
>Secure people were willing to work with me pricewise. You might contact
>them and see what they'll do for you. F-Prot didn't seem to want to.
>Next spring when the F-Prot license runs out, I'll roll that machine to F-
>Secure as well...
>...Kevin
>-------------------
>Kevin Miller Registered Linux User No: 307357
>CBJ MIS Dept. Network Systems Administrator, Mail
>Administrator
>155 South Seward Street ph: (907) 586-0242
>Juneau, Alaska 99801 fax: (907 586-4500
>-----Original Message-----
>From: Michele Neylon:: Blacknight Solutions
>[mailto:michele@BLACKNIGHTSOLUTIONS.COM]
>Sent: Wednesday, September 03, 2003 6:07 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: F-prot revisited
>
>
>I know this was discussed some time back, but sifting through older
>mail I can't see a clear answer.
>
>Which version / license of F-Prot should be used for MailScanner on
>*nix ?
>
>
>
>#########################################################
>This message (and any attachment) is intended only for the recipient
>and may contain confidential and/or privileged material. If you have
>received this in error, please contact the sender and delete this
>message immediately. Disclosure, copying or other action taken in
>respect of this email or in reliance to it is prohibited.
>

From eja at URBAKKEN.DK Wed Sep 3 17:03:43 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:19:44 2006
Subject: Errors
Message-ID: <3F5610DF.4050903@urbakken.dk>

Julian !.

Thanks for the reply. I did what you suggested, but had no luck. Will try to search the Clarkconnect for infos on my Clarkconnect version and MailScanner.

The Clarkconnect server is installed on the RedHat 9.0 version.

Sorry for interfering.

P.S. The reason I do reply as I do is, that I haven't received the mail from you via e-mail. I looked into the archive_list, and found the reply.

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From hciss at HCIWS.COM Wed Sep 3 17:03:41 2003
From: hciss at HCIWS.COM (Matt)
Date: Thu Jan 12 21:19:44 2006
Subject: Feature Wish, IP Pool Warning
Message-ID: <042c01c37234$f26902e0$7801a8c0@matthew>

Sobig.x lies about its from email address so I have it setup as silent. But what I would like is if it emailed me a warning to the postmaster account ONLY if the source IP is in one of the IP pools I own. This way I can look in my PPP logs, see who had that IP at that time and drop them an email or call.

Matt

From greg at NET1PLUS.COM Wed Sep 3 17:34:35 2003
From: greg at NET1PLUS.COM (Greg)
Date: Thu Jan 12 21:19:44 2006
Subject: Denial Of Service Threshold?
Message-ID: <5.1.0.14.2.20030903123133.03139ee0@pop3.net1plus.com>

I've searched the docs, user list and search engines but was unable to locate any information on whether or not it is possible to adjust the settings for DoS attacks. I have a user that sends out a number of emails to his clients all at once and they are getting bounced as a virus with a report of: "Denial of Service attack in message!"

Is there any way to tweak this setting or disable it entirely?

Regards

Greg Caron
Systems Administrator
NET1Plus Internet Services

From chris at TRUDEAU.ORG Wed Sep 3 17:48:25 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:19:44 2006
Subject: Denial Of Service Threshold?
References: <5.1.0.14.2.20030903123133.03139ee0@pop3.net1plus.com>
Message-ID: <010501c3723b$32023bf0$5702010a@mscore.trusecure.net>

Is it possible this is an MTA setting.

I don't think the message you are seeing is generated by MailScanner.

Which MTA are you using and specifically what is the error?

CT

----- Original Message -----
From: "Greg"
To:
Sent: Wednesday, September 03, 2003 12:34 PM
Subject: Denial Of Service Threshold?

> I've searched the docs, user list and search engines but was unable to
> locate any information on whether or not it is possible to adjust the
> settings for DoS attacks. I have a user that sends out a number of emails
> to his clients all at once and they are getting bounced as a virus with a
> report of: "Denial of Service attack in message!"
>
> Is there any way to tweak this setting or disable it entirely?
>
> Regards
>
> Greg Caron
> Systems Administrator
> NET1Plus Internet Services

From greg at NET1PLUS.COM Wed Sep 3 17:58:55 2003
From: greg at NET1PLUS.COM (Greg)
Date: Thu Jan 12 21:19:44 2006
Subject: Denial Of Service Threshold?
In-Reply-To: <010501c3723b$32023bf0$5702010a@mscore.trusecure.net>
References: <5.1.0.14.2.20030903123133.03139ee0@pop3.net1plus.com>
Message-ID: <5.1.0.14.2.20030903125535.0315e350@pop3.net1plus.com>

We are using Sendmail 8.11.6 on RH 7.3. The bounces contain the text:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Any infected parts of the message (the entire message) have not been delivered.

This message is simply to warn you that your computer system MAY have a virus present and should be checked.

The virus detector said this about the message:
Report: Denial of Service attack in message!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Which uses one of the MS templates. Is it possible that MS is receiving this back from sendmail and just inserted the sendmail response into the MS bounce template?

Thanks

At 12:48 PM 9/3/2003 -0400, you wrote:
>Is it possible this is an MTA setting.
>
>I don't think the message you are seeing is generated by MailScanner.
>
>Which MTA are you using and specifically what is the error?
>
>CT
>
>----- Original Message -----
>From: "Greg"
>To:
>Sent: Wednesday, September 03, 2003 12:34 PM
>Subject: Denial Of Service Threshold?
>
>
> > I've searched the docs, user list and search engines but was unable to
> > locate any information on whether or not it is possible to adjust the
> > settings for DoS attacks. I have a user that sends out a number of emails
> > to his clients all at once and they are getting bounced as a virus with a
> > report of: "Denial of Service attack in message!"
> >
> > Is there any way to tweak this setting or disable it entirely?
> >
> > Regards
> >
> > Greg Caron
> > Systems Administrator
> > NET1Plus Internet Services

Greg Caron
Systems Administrator
NET1Plus Internet Services

From evertjan at VANRAMSELAAR.NL Wed Sep 3 18:28:16 2003
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:19:44 2006
Subject: SIGPIPE received - trying new log socket
Message-ID: <2512.10.10.0.101.1062610096.squirrel@intranet>

I just upgraded to MailScanner 4.23-11. Now I am getting the line 'SIGPIPE received - trying new log socket' in my logfile during every batch:

Sep 3 19:14:58 ram3 sendmail[6764]: h83HEv6O006764: from=, size=5334, class=-60, nrcpts=1, msgid=<20030903165456.OKK Q4763.pop015.verizon.net@localhost>, proto=ESMTP, daemon=MTA, relay=abc [1.2.3.4]
Sep 3 19:14:58 ram3 MailScanner[4002]: New Batch: Scanning 1 messages, 5887 bytes
Sep 3 19:14:58 ram3 MailScanner[4002]: SIGPIPE received - trying new log socket
Sep 3 19:14:58 ram3 MailScanner[4002]: New Batch: Scanning 1 messages, 5887 bytes
Sep 3 19:14:58 ram3 MailScanner[4002]: Spam Checks: Starting
Sep 3 19:15:01 ram3 MailScanner[4002]: Virus and Content Scanning: Starting
Sep 3 19:15:02 ram3 MailScanner[4002]: Uninfected: Delivered 1 messages
Sep 3 19:15:02 ram3 sendmail[6794]: h83HEv6O006764: to=, delay=00:00:05, xdelay=00:00:00, mailer=local, pri=230127, dsn=2.0.0, stat=Sent

Is this something serious?

Redhat 8.0
Sendmail 8.12.8
MailScanner 4.23-11
MailWatch 0.2
syslogd 1.4.1

--
Evert Jan van Ramselaar
Van Ramselaar Info Tech

From bob.jones at USG.EDU Wed Sep 3 19:56:39 2003
From: bob.jones at USG.EDU (Bob Jones)
Date: Thu Jan 12 21:19:44 2006
Subject: virus update scripts.
Message-ID: <3F563967.9040908@usg.edu>

Hey all, a couple things here. First is with the mcafee-autoupdate script in the latest release. What is this extra.dat file it tries to download and complains about when it's not there?

Second, there is a problem with the update_virus_scanners on Solaris. The grep you have uses the -e flag, and unless you happen to have /usr/xpg4/bin first in your path you'll be out of luck. I've fixed this by adding the following right below the LOCKFILE declaration:

    # On Solaris, use the XPG4 grep, which accepts the -e flag
    OS=`uname`
    if [ "${OS}" = SunOS ]; then
        echo "Found OS"
        GREP=/usr/xpg4/bin/grep
    else
        GREP=grep
    fi

And then changing the subsequent grep to ${GREP}. Adding this should fix Solaris systems without breaking any systems that aren't already broken.

--
Thanks,
Bob Jones

From mike at ZANKER.ORG Wed Sep 3 19:57:26 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:19:44 2006
Subject: MailScanner with Exim
Message-ID: <105478843.1062619046@jemima.zanker.org>

Hi,

I recently changed from MailScanner/Sendmail to MailScanner/Exim. The whole process was really straightforward thanks to the installation guide for MS/Exim.

Everything is working fine but I have noticed a very large number of files building up in /var/spool/exim.in/msglog. Each one contains a single log entry for the reception of the message referenced by the filename.

Is it usual for these files to be produced? If so, how are others dealing with them - cron job to delete them every day?

Thanks in advance,
--
Mike Zanker
Northampton, UK
PGP Public Key: pgp@zanker.org

From mailscanner at ELKNET.NET Wed Sep 3 20:17:33 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:44 2006
Subject: F-prot revisited
Message-ID: <200309031917.h83JHUr02416@ori.rl.ac.uk>

To be able to sleep with an easy conscience at night, I was looking at an extremely expensive license from F-Prot based upon the number of customer mailboxes I had. Since I do not charge my customers for filtering, I had no way to recoup my expenses. Also note that the F-Prot license is 'per year', and not a one time cost.

While F-Prot's $29 Linux workstation version is all you technically need to run with MailScanner, per F-Prot, you would be in violation of their license. Their expensive 'per user' mail server version contains a whole bunch of extra utilities and stuff you would never use, but to meet their license agreement, that's the version you have to purchase.

Back a couple of months ago, Computer Associates (CA) had contacted Julian regarding their license, and Julian posted it on the list. I liked what I saw, and I supplied Julian with a licensed copy so he could add support for their product, e-Trust, to MailScanner.

The product works great, and is very cost effective. The license will run you around $129 per year, and for that price you get a license to install the product on any 5 hosts, including Windows and Linux servers, workstations, PocketPC PDAs, Groupwise servers, Exchange servers; all versions are included in the box. The 5 node license is the smallest they sell, but at $129 total, I think that's a very good price compared to what I was looking at. For those of us with many users, and that want to run legally, I'm not aware of a lower priced commercial solution.

I do of course also run ClamAV as my second scanner, which is GPL and therefore is free. I just was not comfortable running with only Clam, I like running both a commercial scanner and an Open Source one.

-Alan

>F-Prot says the email version. I bought a license last spring when it was
>still just $300 a whack. Now it's based on users and quite expensive IMHO.
>On my secondary mail server I installed F-Secure (and clam). The F-Secure
>people were willing to work with me pricewise. You might contact them and
>see what they'll do for you. F-Prot didn't seem to want to. Next spring
>when the F-Prot license runs out, I'll roll that machine to F-Secure as
>well...
>
>....Kevin

From TGFurnish at HERFF-JONES.COM Wed Sep 3 20:18:47 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:44 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C07A4@inex1.herffjones.hj-int>

> mv /var/spool/mqueue.in/* /var/spool/mqueue
> sh: line 1: /bin/mv: Argument list too long

That just means there are too many files in the directory to do them all at once - the "*" is getting expanded to all the filenames. Try this instead:

    for file in `find /var/spool/mqueue.in -type f`; do
        mv "$file" /var/spool/mqueue
    done

Be sure you get the quotes right around the find command - they're "backticks", ie backwards apostrophes, not double-quotes or apostrophes.

-----Original Message-----
From: lester lasad [mailto:llasad1@YAHOO.COM]
Sent: Wednesday, September 03, 2003 3:50 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

"Spicer, Kevin" wrote:

Which queue?

All are in the mqueue.in

As I said, if you're happy to bypass MailScanner to get the mail delivered follow the instructions below.

Tried running your commands and received the following:

> service MailScanner stop
Shutting down MailScanner daemons:
MailScanner: [ OK ]
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
> mv /var/spool/mqueue.in/* /var/spool/mqueue
sh: line 1: /bin/mv: Argument list too long

> "Spicer, Kevin" wrote:
> Can you confirm whether email had completely stopped, or whether
> MailScanner just wasn't keeping up with the queue?
>
> If you want to bypass MailScanner to clear the backlog... (assuming
> RedHat syntax)
>
> service MailScanner stop [wait for all MailScanner
> processes to disappear after running this before moving on]
> mv /var/spool/mqueue.in/* /var/spool/mqueue
> service MailScanner start
> [restart Mailscanner to process any newly arriving messages, see if it
> copes]
> sendmail -q
>
> [this last command will take a very long time to complete as it will
> attempt to deliver each message in the queue, with your backlog this
> could be a considerable period of time]

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From TGFurnish at HERFF-JONES.COM Wed Sep 3 20:26:18 2003
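The backlog move discussed in this thread, written as an added example that is not part of any poster's message and is not MailScanner's own code: it streams file names from find so the "Argument list too long" limit never applies, and it moves each message's df (data) file before its qf (control) file, leaving incomplete pairs in place. The function name move_queue and the queue IDs in the demo are constructed for illustration; the qf/df pairing is assumed from the sendmail queue files mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes sendmail-style spool naming:
# each queued message is a pair qf<ID> (control/envelope) + df<ID> (body).
# Stop MailScanner first, as the procedure in the thread says.

# move_queue SRC_DIR DST_DIR
# Moves every complete qf/df pair from SRC_DIR to DST_DIR and prints how
# many messages were moved. Incomplete entries are left where they are.
move_queue() {
    src=$1
    dst=$2
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "move_queue: both arguments must be directories" >&2
        return 2
    fi

    # find writes one path per line into the pipe, so nothing is expanded
    # onto a command line and the kernel's argument-size limit (the cause
    # of "Argument list too long") cannot be reached.
    find "$src" -type f -name 'qf*' | {
        moved=0
        while IFS= read -r qf; do
            id=${qf##*/qf}          # queue ID: file name minus "qf"
            df=${qf%/*}/df$id       # data file expected beside it
            if [ ! -f "$df" ]; then
                echo "move_queue: $id has no df file, left in place" >&2
                continue
            fi
            # Body first, control file last: a queue runner that looks at
            # DST_DIR mid-move never finds a qf whose df is still missing.
            if mv -- "$df" "$dst/df$id" && mv -- "$qf" "$dst/qf$id"; then
                moved=$((moved + 1))
            fi
        done
        echo "$moved"
    }
}

# Constructed demo: builds a throwaway spool with three complete messages
# and one orphaned control file, then moves it. Queue IDs are made up.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/mqueue.in" "$tmp/mqueue"
    for id in h83JAAA01 h83JAAA02 h83JAAA03; do
        : > "$tmp/mqueue.in/qf$id"
        : > "$tmp/mqueue.in/df$id"
    done
    : > "$tmp/mqueue.in/qfh83JORPHAN"
    move_queue "$tmp/mqueue.in" "$tmp/mqueue"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with --demo to see the count for the constructed spool; entries reported on stderr as left in place are the ones to inspect by hand before retrying.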
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C07A5@inex1.herffjones.hj-int>

Whenever you say "queue" on this list, you should stop and remember to write either "incoming queue" or "outbound queue" instead.

Do you mean you have 2000 messages in the incoming queue? If so, then yes MailScanner still has to work on them, but if you mean that you have 2000 in the outgoing queue, then MailScanner is already completely out of the picture for those messages.

Mail in the outbound queue is entirely handled by your MTA. If you are seeing backlogs there, then you need to figure out whether it's normal or a real problem. If you have mail sitting in the outbound queue destined for domains you do not control, then that may very well be normal -- mail gets deferred when servers are down, DNS has problems, etc.

If the mail stuck in the queue is destined for a domain you control, then you need to figure out why it's not going out immediately.

If you are using sendmail and you want to process just those messages in the outbound queue that are destined for your domain, then instead of sendmail -q, use sendmail -qRyourdomain.com. That will process only those messages with "yourdomain.com" in the recipient line of the message. Note that if you aren't splitting messages into one-per-recipient then this may still include messages bound for other domains (ie you have a message with two recipients, one local, one remote) and may therefore take a while.

You can see what a sendmail process is doing at any given time - just look at its process listing in the long output format of ps. The only tedious part is identifying the sendmail process you're interested in. If you're using -qR you can look for that...

ps auxww | grep 'sendmail -qR'

-----Original Message-----
From: lester lasad [mailto:llasad1@YAHOO.COM]
Sent: Wednesday, September 03, 2003 3:30 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

This is for incoming mail. On average I receive 15-20 thousand incoming emails a day. Right now I have roughly 2000 messages in the queue, so MS has been routing mail but it is very slow. Doesn't seem to want to catch up.

"Spicer, Kevin" wrote:

Can you confirm whether email had completely stopped, or whether MailScanner just wasn't keeping up with the queue?

If you want to bypass MailScanner to clear the backlog... (assuming RedHat syntax)

service MailScanner stop
[wait for all MailScanner processes to disappear after running this before moving on]
mv /var/spool/mqueue.in/* /var/spool/mqueue
service MailScanner start
[restart Mailscanner to process any newly arriving messages, see if it copes]
sendmail -q

[this last command will take a very long time to complete as it will attempt to deliver each message in the queue, with your backlog this could be a considerable period of time]

-----Original Message-----
From: lester lasad [mailto:llasad1@YAHOO.COM]
Sent: 03 September 2003 08:59
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

Kevin,

To be honest all I have ever used is mailscanner, I am not familiar with configuring sendmail on its own. I have been at this all night with no luck. I have restarted MS many times with minimal success. I have tried changing my routing table to route to a different internal server to verify it's not a problem with the host I normally connect with and have the same problems. This is very frustrating, I've got about 2000 messages still stuck in the queue, they are getting delivered but at a very slow rate. Users don't like to see email from customers that are 2 days late. If you have any more suggestions, I'd appreciate it.

"Spicer, Kevin" wrote:

lester lasad wrote:
> Kevin,
> I took your suggestion and all new mail seems to be coming in OK, the
> problem is that I copied one of the emails out of mqueue.in into
> mqueue but it does not route. It's just stuck, all other new mail
> that comes in routes with no problems. any suggestions?

Do you have both df and qf files for that? Maybe the mail itself is what has caused your problem?

From lists at TRCINTL.COM Wed Sep 3 20:27:28 2003
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:19:45 2006
Subject: What version of MailScanner
Message-ID:

Sorry if this is a stupid question, but how can I determine what version of MailScanner I currently have installed?

From TGFurnish at HERFF-JONES.COM Wed Sep 3 20:28:07 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:45 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B7E@inex1.herffjones.hj-int> > Hi! > > > Can you confirm whether email had completely stopped, or whether > > MailScanner just wasn't keeping up with the queue? > > On my box for example i had a queue of 1000 that would not > run, it let it > processing and it took 40 minutes to get them done. In the > same time, by > other box, same specs, took allmost 10.000 messages, without > any problem. > > Bye, > Raymond. If those were messages in the outbound queue destined for local addresses, I'd say that's definitely a problem outside the scope of MailScanner. If they're in the outbound queue destined for remote addresses, I'd say it's still not related to MailScanner and it may not indicate a problem at all. Of course, if you mean they were sitting in the incoming queue, then that's probably MailScanner... :-) From TGFurnish at HERFF-JONES.COM Wed Sep 3 20:29:18 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:45 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B7F@inex1.herffjones.hj-int> More suggestions? Perhaps this would be a good time to check out http://www.mailscanner.biz/ ? :-) -t. -----Original Message----- 
From: lester lasad [mailto:llasad1@YAHOO.COM]
Sent: Wednesday, September 03, 2003 3:00 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail Not Routing, stuck in /var/spool/mqueue.in

Kevin,

To be honest all I have ever used is mailscanner, I am not familiar with configuring sendmail on its own. I have been at this all night with no luck. I have restarted MS many times with minimal success. I have tried changing my routing table to route to a different internal server to verify it's not a problem with the host I normally connect with and have the same problems. This is very frustrating, I've got about 2000 messages still stuck in the queue, they are getting delivered but at a very slow rate. Users don't like to see email from customers that are 2 days late. If you have any more suggestions, I'd appreciate it.

"Spicer, Kevin" wrote:

lester lasad wrote:
> Kevin,
> I took your suggestion and all new mail seems to be coming in OK, the
> problem is that I copied one of the emails out of mqueue.in into
> mqueue but it does not route. It's just stuck, all other new mail
> that comes in routes with no problems. any suggestions?

Do you have both df and qf files for that? Maybe the mail itself is what has caused your problem?

From kevins at BMRB.CO.UK Wed Sep 3 20:30:27 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:45 2006
Subject: What version of MailScanner
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7913@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7913@pascal.priv.bmrb.co.uk>
Message-ID: <1062617432.26526.0.camel@bach.kevinspicer.co.uk>

On Wed, 2003-09-03 at 20:27, Kyle Harris wrote:

Sorry if this is a stupid question, but how can I determine what version of MailScanner I currently have installed?

grep for the word 'version' in your mail log

From cslyon at NETSVCS.COM Wed Sep 3 20:33:59 2003
From: cslyon at NETSVCS.COM (Chris Lyon) Date: Thu Jan 12 21:19:45 2006 Subject: Training the bayesian engine and sa-learn Message-ID: So, I have been reading the FAQ and also the past posts but have a little confusion that I need to resolve. Just to give a little back ground, I have a lot of users who all have issues with e-mail that is being marked as spam or not being marked as spam. So, I think the answer to this is to have them forward the messages to an unattended mailbox that will autowhitelist or autoblacklist the sender. Is that what sa-learn is all about? So, if I create a spam and non-spam account on server and use the sa-learn to check the messages that my users forward to these accounts, if something was marked as spam and is not, further messages will not be marked again? Conversely, if I have a message that is spam but not marked, I can forward that to spam and it will be marked as spam the next message that comes in from that sender? How does it work, based on content I would assume or does it work by the domain? Also, what happens with stuff being forwarded from different mail clients like outlook? Can anybody shed some light on this one? From TGFurnish at HERFF-JONES.COM Wed Sep 3 20:43:35 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:45 2006 Subject: How to whitelist the mailscanner mailing list? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B80@inex1.herffjones.hj-int> I'm wondering what the proper way is (assuming there is one) to whitelist email from this mailing list. The senders are individuals and the recipient is me... So what goes in the whitelist? -t. From joshua.hirsh at PARTNERSOLUTIONS.CA Wed Sep 3 20:46:12 2003 
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:19:45 2006 Subject: How to whitelist the mailscanner mailing list? Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5ACE@eqmail1.efni.vpn> All list traffic originates from the SMTP server smtp.jiscmail.ac.uk [130.246.192.48], and the 'MAIL FROM:' is set as owner-mailscanner@JISCMAIL.AC.UK. Assuming the whitelists check one of these instead of the message headers, either of them should work. Cheers, -- Joshua Hirsh Systems Administration Partner Solutions/ING Canada 455, avenue Saint-Joseph Saint-Hyacinthe, Quebec J2S 8K8 (450) 778-9580 ext. 3798 joshua.hirsh@partnersolutions.ca From michele at BLACKNIGHTSOLUTIONS.COM Wed Sep 3 20:53:35 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions) Date: Thu Jan 12 21:19:45 2006 Subject: What version of MailScanner In-Reply-To: <1062617432.26526.0.camel@bach.kevinspicer.co.uk> Message-ID: <200309031951.h83JpcaM013363@lancelot.blacknightsolutions.com> Or tail the log after you do a restart :P (I had to ask this a while back too ) Mr. Michele Neylon Blacknight Solutions http://www.blacknightsolutions.ie/ Probably the cheapest ie's in Ireland Tel. +353 (0)59 9139897 Fax. +353 (0)59 9139897 > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer > Sent: 03 September 2003 20:30 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: What version of MailScanner > > On Wed, 2003-09-03 at 20:27, Kyle Harris wrote: > > Sorry if this is a stupid question, but how can I determine > what version of MailScanner I currently have installed? > > grep for the word 'version' in your mail log > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact > the sender and delete this message immediately. Disclosure, > copying or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our business. > > From TGFurnish at HERFF-JONES.COM Wed Sep 3 20:54:56 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:45 2006 Subject: How to whitelist the mailscanner mailing list? {Scanned by HJ MS} Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B81@inex1.herffjones.hj-int> Thanks. Of course that assumes that: - the address of the list server won't change and - spammers won't use that address as their own. But I suppose that's the crux of why spam is a problem to begin with, so it'll have to do. :-) Thanks again. > -----Original Message----- 
> From: Hirsh, Joshua [mailto:joshua.hirsh@PARTNERSOLUTIONS.CA] > Sent: Wednesday, September 03, 2003 2:46 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: How to whitelist the mailscanner mailing list? > {Scanned by > HJMS} > > > All list traffic originates from the SMTP server smtp.jiscmail.ac.uk > [130.246.192.48], and the 'MAIL FROM:' is set as > owner-mailscanner@JISCMAIL.AC.UK. > > Assuming the whitelists check one of these instead of the > message headers, > either of them should work. > > > Cheers, > > -- > Joshua Hirsh > Systems Administration > Partner Solutions/ING Canada > 455, avenue Saint-Joseph > Saint-Hyacinthe, Quebec J2S 8K8 > (450) 778-9580 ext. 3798 > joshua.hirsh@partnersolutions.ca > From KCollins at NESBITTENGINEERING.COM Wed Sep 3 20:54:13 2003 From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin) Date: Thu Jan 12 21:19:45 2006 Subject: False Positives Message-ID: <2B1F39EA56FA7643A328F66521D41B760D2A@magellan.nesbitt.local> I'm having trouble with MS + Spamassassin identifying mail as SPAM when it's not. What's worse is that I'm getting mails identified that are on my whitelist. Is there anyway that I can prevent this from happening? -- Kevin L. Collins, MCSE Systems Manager Nesbitt Engineering, Inc. From TGFurnish at HERFF-JONES.COM Wed Sep 3 21:03:35 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:45 2006 Subject: Training the bayesian engine and sa-learn {Scanned by HJMS} Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C07A6@inex1.herffjones.hj-int> You're close - but sa-learn doesn't update whitelists or blacklists - it just trains the Bayesian filtering engine, which identifies patterns in spam and uses them to recognize future spam. SpamAssassin passes messages to the Bayesian engine and gets a score for each message, just as it does for its other rules. This score just becomes part of the cumulative score for the message. There's a FAQ entry on how to set up a script to automatically run sa-learn - sounds like you already found that. If you have trouble getting it to work, ask for help again. Besides the bayesian filtering, you can also whitelist and blacklist senders but I would hesitate to recommend automating that process - I can imagine users blindly forwarding spam from the sobig virus to an address that would automatically blacklist the sender, which would be a bad thing since sobig is likely to come "from" someone who regularly emails you. HTH, Trever > -----Original Message----- 
> From: Chris Lyon [mailto:cslyon@NETSVCS.COM] > Sent: Wednesday, September 03, 2003 2:34 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Training the bayesian engine and sa-learn {Scanned by HJMS} > > > So, I have been reading the FAQ and also the past posts but > have a little > confusion that I need to resolve. Just to give a little back > ground, I have > a lot of users who all have issues with e-mail that is being > marked as spam > or not being marked as spam. So, I think the answer to this > is to have them > forward the messages to an unattended mailbox that will > autowhitelist or > autoblacklist the sender. Is that what sa-learn is all about? > > > So, if I create a spam and non-spam account on server and use > the sa-learn > to check the messages that my users forward to these > accounts, if something > was marked as spam and is not, further messages will not be > marked again? > Conversely, if I have a message that is spam but not marked, > I can forward > that to spam and it will be marked as spam the next message > that comes in > from that sender? > > > How does it work, based on content I would assume or does it > work by the > domain? Also, what happens with stuff being forwarded from > different mail > clients like outlook? > > > Can anybody shed some light on this one? > From TGFurnish at HERFF-JONES.COM Wed Sep 3 21:07:46 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:45 2006 Subject: Denial Of Service Threshold? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B83@inex1.herffjones.hj-int> Not much help from me, but perhaps this is related to checking for the "zip of death", a highly-nested zip file. http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0211&L=mailscanner&P=R38632&I =-1 -t. > -----Original Message----- 
> From: Greg [mailto:greg@NET1PLUS.COM] > Sent: Wednesday, September 03, 2003 11:59 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Denial Of Service Threshold? > > > We are using Sendmail 8.11.6 on RH 7.3. The bounces contain the text: > > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > Any infected parts of the message (the entire message) have > not been delivered. > > This message is simply to warn you that your computer system > MAY have a > virus present and should be checked. > > The virus detector said this about the message: > Report: Denial of Service attack in message! > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > Which uses one of the MS templates. Is it possible that MS is > receiving this > back from sendmail and just inserted the sendmail response into the MS > bounce template? > > Thanks > > > At 12:48 PM 9/3/2003 -0400, you wrote: > >Is it possible this is an MTA setting. > > > >I don't think the message you are seeing is gnerated by MailScanner. > > > >Which MTA are you using and specifically what is the error? > > > >CT > > > >----- Original Message ----- > >From: "Greg" > >To: > >Sent: Wednesday, September 03, 2003 12:34 PM > >Subject: Denial Of Service Threshold? > > > > > > > I've searched the docs, user list and search engines but > was unable to > > > locate any information on wether or not it is possible to > adjust the > > > settings for DoS attacks. I have a user that sends out a > number of emails > > > to his clients all at once and they are getting bounced > as a virus with a > > > report of: "Denial of Service attack in message!" > > > > > > Is there any way to tweak this setting or disable it entirely? > > > > > > Regards > > > > > > Greg Caron > > > Systems Administrator > > > NET1Plus Internet Services > > > Greg Caron > Systems Administrator > NET1Plus Internet Services > From raymond at PROLOCATION.NET Wed Sep 3 21:09:29 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1B7E@inex1.herffjones.hj-int>
Message-ID:

Hi!

> I'd say that's definitely a problem outside the scope of MailScanner. If
> they're in the outbound queue destined for remote addresses, I'd say it's
> still not related to MailScanner and it may not indicate a problem at all.

No =) It's about the incoming queue. Outgoing is a smart relay host so all flow out pretty fast normally.

> Of course, if you mean they were sitting in the incoming queue, then that's
> probably MailScanner... :-)

Yes it is.

Bye,
Raymond.

From raymond at PROLOCATION.NET Wed Sep 3 21:09:56 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: What version of MailScanner
In-Reply-To:
Message-ID:

Hi!

> Sorry if this is a stupid question, but how can I determine what version of
> MailScanner I currently have installed?

What about looking in your logs ? It's telling when you start it up.

Bye,
Raymond.

From raymond at PROLOCATION.NET Wed Sep 3 21:15:20 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: False Positives
In-Reply-To: <2B1F39EA56FA7643A328F66521D41B760D2A@magellan.nesbitt.local>
Message-ID:

Hi!

> I'm having trouble with MS + Spamassassin identifying mail as SPAM when it's
> not. What's worse is that I'm getting mails identified that are on my
> whitelist.
>
> Is there anyway that I can prevent this from happening?

Did you disable the Osirusoft lists ?

Bye,
Raymond.

From kevins at BMRB.CO.UK Wed Sep 3 21:18:08 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7917@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7917@pascal.priv.bmrb.co.uk>
Message-ID: <1062620289.27350.17.camel@bach.kevinspicer.co.uk>

On Wed, 2003-09-03 at 20:33, Chris Lyon wrote:

>So, I have been reading the FAQ and also the past posts but have a little
>confusion that I need to resolve. Just to give a little back ground, I have
>a lot of users who all have issues with e-mail that is being marked as spam
>or not being marked as spam. So, I think the answer to this is to have them
>forward the messages to an unattended mailbox that will autowhitelist or
>autoblacklist the sender. Is that what sa-learn is all about?

Not quite: sa-learn is for tuning the Bayes classifier, this doesn't whitelist or blacklist anything - it tokenises the mail content and stores a probability of each token appearing in a spam or ham mail. This is then used to determine the probability of future messages being spam or ham.

>So, if I create a spam and non-spam account on server and use the sa-learn
>to check the messages that my users forward to these accounts, if something
>was marked as spam and is not, further messages will not be marked again?

No, it reduces the probability associated with the tokens which appear in a mail. Auto white/blacklists are a bad idea - search for autowhitelist in the archives for a discussion. You can best improve the accuracy by adding DCC, razor2 and pyzor, and by letting SA do RBL checks rather than MailScanner.

I found that the majority of my false positives came from a very few sources. Mainly clients of one particular department which has several customers in Asia & Africa using dodgy ISPs. I added some SA rules assigning a negative score to the names of that department's products, which helped.

>How does it work, based on content I would assume or does it work by the
>domain? Also, what happens with stuff being forwarded from different mail
>clients like outlook?

Outlook is v bad at forwarding messages unaltered. I got round this by using the attachment option in MS (which also allowed me to add some info for users). Then using a script I found online to strip the original message from the attachment.

I strongly recommend getting a good handle on how SA works (by reading the docs - particularly the Mail::SpamAssassin::Conf docs and about Bayes) before trying to tune it.

From kevins at BMRB.CO.UK Wed Sep 3 21:23:40 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:45 2006
Subject: How to whitelist the mailscanner mailing list?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7919@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7919@pascal.priv.bmrb.co.uk>
Message-ID: <1062620620.26136.22.camel@bach.kevinspicer.co.uk>

On Wed, 2003-09-03 at 20:46, Hirsh, Joshua wrote:

> All list traffic originates from the SMTP server smtp.jiscmail.ac.uk
>[130.246.192.48], and the 'MAIL FROM:' is set as
>owner-mailscanner@JISCMAIL.AC.UK.
> Assuming the whitelists check one of these instead of the message headers,
>either of them should work.

They do. I'd recommend whitelisting the From: owner-mailscanner@JISCMAIL.AC.UK rather than by IP (since the IP presumably could change without warning). Just one question, are you getting false positives from the list? I don't think I've ever seen one.

From mkettler at EVI-INC.COM Wed Sep 3 21:21:50 2003
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:19:45 2006 Subject: False Positives In-Reply-To: <2B1F39EA56FA7643A328F66521D41B760D2A@magellan.nesbitt.loca l> Message-ID: <5.2.1.1.0.20030903161737.01825688@xanadu.evi-inc.com> At 03:54 PM 9/3/2003 -0400, Collins, Kevin wrote: >I'm having trouble with MS + Spamassassin identifying mail as SPAM when it's >not. What's worse is that I'm getting mails identified that are on my >whitelist. > >Is there anyway that I can prevent this from happening? 1) what versions of SA and MS are you running? 2) when you say the mails are "on my whitelist" what _exactly_ do you mean. What specific config lines did you add, and to which product. There's about 8 different ways to whitelist a message between spamassassin and mailscanner, and not all of them work exactly as you might think. In particular, SA's "whitelist_to" feature does not work for messages which are BCC'ed or resent to someone. SA only gets to look at the message and is not told what user is really getting the message, it can only get clues from the message headers. From kevins at BMRB.CO.UK Wed Sep 3 21:25:30 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:45 2006
Subject: False Positives
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A791C@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A791C@pascal.priv.bmrb.co.uk>
Message-ID: <1062620730.26136.24.camel@bach.kevinspicer.co.uk>

On Wed, 2003-09-03 at 20:54, Collins, Kevin wrote:
>I'm having trouble with MS + Spamassassin identifying mail as SPAM when
>it's
>not. What's worse is that I'm getting mails identified that are on my
>whitelist.

Could you post header examples and the relevant parts of your whitelist?

From llasad1 at YAHOO.COM Wed Sep 3 21:31:10 2003
From: llasad1 at YAHOO.COM (lester lasad)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5.2.0.9.2.20030903094622.03f92df0@imap.ecs.soton.ac.uk>
Message-ID: <20030903203110.63606.qmail@web41406.mail.yahoo.com>

I am running MailScanner 4.21-9

The maillog is just queueing up the messages, it is routing but not at a good rate (bad performance). I would run the command but the server that was having problems is not up, switched over to another server.

Same as above for the second output request.

I have not changed anything

Julian Field wrote:
Morning all,

Appears you are all having a similar problem.
Are you running 4.23-11 or 4.23-10? If -10 then upgrade to -11.

What does your maillog say is happening?
grep MailScanner /var/log/maillog | tail -70

What processes are running?
ps ax | grep -i mail

What have you changed from your previously-working system?

At 09:49 03/09/2003, you wrote:
>"Spicer, Kevin" wrote:
>
>Which queue?
>
>All are in the mqueue.in
>
>As I said, if you're happy to bypass MailScanner to get the mail delivered
>follow the instructions below.
>
>Tried running your commands and received the following:
>
> > service MailScanner stop
>
>Shutting down MailScanner daemons:
>
>MailScanner: [ OK ]
>
>incoming sendmail: [ OK ]
>
>outgoing sendmail: [ OK ]
>
> > mv /var/spool/mqueue.in/* /var/spool/mqueue
>
>sh: line 1: /bin/mv: Argument list too long
>
>
> > "Spicer, Kevin" wrote:
> > Can you confirm whether email had completely stopped, or whether
> > MailScanner just wasn't keeping up with the queue?
> >
> > If you want to bypass MailScanner to clear the backlog... (assuming
> > RedHat syntax)
> >
> > service MailScanner stop [wait for all MailScanner
> > processes to disappear after running this before moving on] mv
> > /var/spool/mqueue.in/* /var/spool/mqueue service MailScanner start
> > [restart Mailscanner to process any newly arriving messages, see if it
> > copes] sendmail -q
> >
> > [this last command will take a very long time to complete as it will
> > attempt to deliver each message in the queue, with your backlog this
> > could be a considerable period of time]

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From TGFurnish at HERFF-JONES.COM Wed Sep 3 21:34:07 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:45 2006
Subject: How to whitelist the mailscanner mailing list? {Scanned by HJ MS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B89@inex1.herffjones.hj-int>

> Just one question, are you getting false positives from the list? I
> don't think I've ever seen one.

Nope - just pondering the process for future reference. I'm only just now starting to deploy to actual users and I'll be surprised if no one asks for some mailing list to be whitelisted soon.

-t.

> -----Original Message-----
> From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
> Sent: Wednesday, September 03, 2003 3:24 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: How to whitelist the mailscanner mailing list?
> {Scanned by
> HJMS}
>
>
> On Wed, 2003-09-03 at 20:46, Hirsh, Joshua wrote:
> > > All list traffic originates from the SMTP server smtp.jiscmail.ac.uk
> >[130.246.192.48], and the 'MAIL FROM:' is set as
> >owner-mailscanner@JISCMAIL.AC.UK.
> > > Assuming the whitelists check one of these instead of the message
> >headers,
> >either of them should work.
>
> They do. I'd recommend whitelisting the
> From: owner-mailscanner@JISCMAIL.AC.UK
> rather than by IP (since the IP presumably could change
> without warning).
>
> Just one question, are you getting false positives from the list? I
> don't think I've ever seen one.
>

From rfabara at NOVADEVICES.COM Wed Sep 3 21:43:59 2003
From: rfabara at NOVADEVICES.COM (DIEGO NOVA)
Date: Thu Jan 12 21:19:45 2006
Subject: What is this? Never heard of scanner 'clamav'!
Message-ID: <013401c3725c$1a439420$0d01a8c0@rfabara>

My email server don't work !!!

In my maillog :

Sep 3 15:43:49 inet3 MailScanner[30205]: Using locktype = flock
Sep 3 15:43:49 inet3 MailScanner[30205]: New Batch: Scanning 3 messages, 8688 bytes
Sep 3 15:43:50 inet3 MailScanner[30205]: Virus and Content Scanning: Starting
Sep 3 15:43:50 inet3 MailScanner[30205]: Never heard of scanner 'clamav'!

Why ?

From cslyon at NETSVCS.COM Wed Sep 3 21:45:46 2003
From: cslyon at NETSVCS.COM (Chris Lyon)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn {Scanned by HJMS}
Message-ID:

On Wed, 3 Sep 2003 15:03:35 -0500, Furnish, Trever G wrote:

>You're close - but sa-learn doesn't update whitelists or blacklists - it
>just trains the Bayesian filtering engine, which identifies patterns in spam
>and uses them to recognize future spam. SpamAssassin passes messages to the
>Bayesian engine and gets a score for each message, just as it does for its
>other rules. This score just becomes part of the cumulative score for the
>message.
>
>There's a FAQ entry on how to set up a script to automatically run sa-learn
>- sounds like you already found that. If you have trouble getting it to
>work, ask for help again.
>

So it is just based on the content of the message. So, if something doesn't look right in the message, give it to sa-learn and it will learn from that e-mail.

>Besides the bayesian filtering, you can also whitelist and blacklist senders
>but I would hesitate to recommend automating that process - I can imagine
>users blindly forwarding spam from the sobig virus to an address that would
>automatically blacklist the sender, which would be a bad thing since sobig
>is likely to come "from" someone who regularly emails you.
>

The issue that I am having is that I have a bunch of users 500+ that forward spam or non-spam to e-mail accounts that needed to be manually processed. (Management choice unfortunately)

So, what if the user forwards a mail to an account to get that sender whitelisted?

>HTH,
>Trever
>
>> -----Original Message-----
>> From: Chris Lyon [mailto:cslyon@NETSVCS.COM]
>> Sent: Wednesday, September 03, 2003 2:34 PM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Training the bayesian engine and sa-learn {Scanned by HJMS}
>>
>>
>> So, I have been reading the FAQ and also the past posts but
>> have a little
>> confusion that I need to resolve. Just to give a little back
>> ground, I have
>> a lot of users who all have issues with e-mail that is being
>> marked as spam
>> or not being marked as spam. So, I think the answer to this
>> is to have them
>> forward the messages to an unattended mailbox that will
>> autowhitelist or
>> autoblacklist the sender. Is that what sa-learn is all about?
>>
>>
>> So, if I create a spam and non-spam account on server and use
>> the sa-learn
>> to check the messages that my users forward to these
>> accounts, if something
>> was marked as spam and is not, further messages will not be
>> marked again?
>> Conversely, if I have a message that is spam but not marked,
>> I can forward
>> that to spam and it will be marked as spam the next message
>> that comes in
>> from that sender?
>>
>>
>> How does it work, based on content I would assume or does it
>> work by the
>> domain? Also, what happens with stuff being forwarded from
>> different mail
>> clients like outlook?
>>
>>
>> Can anybody shed some light on this one?
>>

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:25:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: virus update scripts.
In-Reply-To: <3F563967.9040908@usg.edu>
Message-ID: <5.2.1.1.2.20030903212112.036edc60@imap.ecs.soton.ac.uk>

At 19:56 03/09/2003, you wrote:
>Hey all, a couple things here. First is with the mcafee-autoupdate
>script in the latest release. What is this extra.dat file it tries to
>download and complains about when it's not there?

I'll leave that one to Tony Finch as he wrote that script.

> Second, there is a
>problem with the update_virus_scanners on Solaris. The grep you have
>uses the -e flag, and unless you happen to have /usr/xpg4/bin first in
>your path you'll be out of luck. I've fixed this by adding the
>following right below the LOCKFILE declaration:
>
>OS=`uname`
>if [ ${OS} = SunOS ]; then
> echo "Found OS"
> GREP=/usr/xpg4/bin/grep
>else
> GREP=grep
>fi
>
>And then changing the subsequent grep to ${GREP}. Adding this should
>fix Solaris systems without breaking any systems that aren't already broken.

Good idea.

>--
>Thanks,
>Bob Jones

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:10:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: Denial Of Service Threshold?
In-Reply-To: <5.1.0.14.2.20030903123133.03139ee0@pop3.net1plus.com>
Message-ID: <5.2.1.1.2.20030903210845.0365f7e8@imap.ecs.soton.ac.uk>

MailScanner generates this when the virus scanner does not complete in a reasonable time (the timeout is configurable in MailScanner.conf) or else it fails with something like a segfault.

Try scanning his attachments by hand after they have been quarantined and see why the virus scanner doesn't terminate nicely.

At 17:34 03/09/2003, you wrote:
>I've searched the docs, user list and search engines but was unable to
>locate any information on whether or not it is possible to adjust the
>settings for DoS attacks. I have a user that sends out a number of emails
>to his clients all at once and they are getting bounced as a virus with a
>report of: "Denial of Service attack in message!"
>
>Is there any way to tweak this setting or disable it entirely?
>
>Regards
>
>Greg Caron
>Systems Administrator
>NET1Plus Internet Services

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:12:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: SIGPIPE received - trying new log socket
In-Reply-To: <2512.10.10.0.101.1062610096.squirrel@intranet>
Message-ID: <5.2.1.1.2.20030903211154.03648e28@imap.ecs.soton.ac.uk>

At 18:28 03/09/2003, you wrote:
>I just upgraded to MailScanner 4.23-11. Now I am getting the line 'SIGPIPE
>received - trying new log socket' in my logfile during every batch:
>
>Sep 3 19:14:58 ram3 sendmail[6764]: h83HEv6O006764: from=,
>size=5334, class=-60, nrcpts=1, msgid=<20030903165456.OKK
>Q4763.pop015.verizon.net@localhost>, proto=ESMTP, daemon=MTA, relay=abc
>[1.2.3.4]
>Sep 3 19:14:58 ram3 MailScanner[4002]: New Batch: Scanning 1 messages,
>5887 bytes
>Sep 3 19:14:58 ram3 MailScanner[4002]: SIGPIPE received - trying new log
>socket
>Sep 3 19:14:58 ram3 MailScanner[4002]: New Batch: Scanning 1 messages,
>5887 bytes
>Sep 3 19:14:58 ram3 MailScanner[4002]: Spam Checks: Starting
>Sep 3 19:15:01 ram3 MailScanner[4002]: Virus and Content Scanning: Starting
>Sep 3 19:15:02 ram3 MailScanner[4002]: Uninfected: Delivered 1 messages
>Sep 3 19:15:02 ram3 sendmail[6794]: h83HEv6O006764: to=,
>delay=00:00:05, xdelay=00:00:00, mailer=local, pri=230127, dsn=2.0.0, sta
>t=Sent
>
>Is this something serious?

No. You aren't using syslog-ng are you?

If all else fails, find the logging statement in Log.pm and comment it out if it's a pain.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:06:08 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: Newbie question related to file type filters
In-Reply-To: <00c301c37232$cd151cb0$660210ac@christo>
References: <5.2.0.9.2.20030903095427.03ee97c8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030903210338.0365f6a8@imap.ecs.soton.ac.uk>

At 16:48 03/09/2003, you wrote:
>Thanx I got the post. Only subscribed today.
>
>Please Help with following.
>In the example below
>
>In filetype.allowall.rules.conf put (separated by tabs, not spaces)
>allow . - -
>
>How can I block executables and allow media files.

Read filetype.rules.conf and comment out the rules you don't like.

>What is each 'field' representing. The . 1st - and second -

The "." is the pattern to match against the filename. A "." means any single character. So this is bound to match against any filename as it just requires the filename to have at least 1 character in it.

The "-" signs in "allow" rules are just placeholders. In "deny" rules they are the strings that are put in the log/sysadmin notices, and the reports that are sent to the users.

>Thanx
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Sent: Wednesday, September 03, 2003 10:55 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Newbie question related to file type filters
>
>
>See my postings from yesterday or the day before that include the word
>"filetype.rules.conf". You'll find them in the archive.
>
>At 07:31 03/09/2003, you wrote:
> >Hi
> >
> >I only configured my MS server last week and it works fine. Spam
> >dropped by about 90%
> >
> >OK My question.
> >
> >By default MS blocks all Executable and Media file types from the
> >filetype.rules.conf file. How can I setup a MS rule to let through
> >these files only for certain email addresses and let the others be
> >blocked. One small rule file example will be enough
> >
> >Thanx
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by MailScanner, and is
> >believed to be clean. Mailscanner thanks
> >transtec Computers for their support.
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:34:02 2003
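The rule layout described in the "Newbie question related to file type filters" reply above (action, pattern, log text and user report text, separated by tabs) can be modelled in a few lines of Python. This is an added example, not MailScanner's code and not part of any post in the thread; it assumes rules are tried top to bottom with the first match deciding and that patterns match case-insensitively, and the sample rules and filenames are constructed.

```python
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    lineno: int            # line in the rules text, for audit messages
    action: str            # "allow" or "deny"
    pattern: "re.Pattern"  # regex tested against the filename
    log_text: str          # deny rules: text for the log / sysadmin notice
    user_text: str         # deny rules: text for the report sent to the user


class Decision(NamedTuple):
    action: str
    rule: Optional[Rule]   # None when no rule matched


class RuleError(ValueError):
    """A rules line that this model cannot interpret."""


def parse_rules(text: str) -> List[Rule]:
    """Parse 'action<TAB>pattern<TAB>log text<TAB>user text' lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The two text fields may contain spaces, so only tabs separate fields.
        fields = re.split(r"\t+", line)
        if len(fields) != 4:
            raise RuleError(
                f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}")
        action, pattern, log_text, user_text = (f.strip() for f in fields)
        action = action.lower()
        if action not in ("allow", "deny"):
            raise RuleError(f"line {lineno}: unknown action {action!r}")
        try:
            # Assumption of this model: case-insensitive matching.
            compiled = re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            raise RuleError(f"line {lineno}: bad pattern {pattern!r}: {exc}") from exc
        rules.append(Rule(lineno, action, compiled, log_text, user_text))
    return rules


def evaluate(rules: List[Rule], filename: str, default: str = "allow") -> Decision:
    """Assumption of this model: first matching rule in file order decides."""
    for rule in rules:
        if rule.pattern.search(filename):
            return Decision(rule.action, rule)
    return Decision(default, None)


def unreachable_rules(rules: List[Rule], samples: List[str]) -> List[Rule]:
    """Rules that decide none of the sample names (shadowed or unused)."""
    hit = {d.rule.lineno for d in (evaluate(rules, s) for s in samples) if d.rule}
    return [r for r in rules if r.lineno not in hit]


# Constructed sample rules (not copied from any shipped rules file).
GOOD_ORDER = (
    "# action\tpattern\tlog text\tuser report text\n"
    "deny\t\\.(exe|scr|pif)$\tExecutable attachment\tExecutable attachments are not accepted\n"
    "allow\t\\.(mp3|mpe?g|avi)$\t-\t-\n"
    "allow\t.\t-\t-\n"
)
# The same deny rule placed after the catch-all "." rule, which matches
# every non-empty name and therefore shadows everything below it.
BAD_ORDER = (
    "allow\t.\t-\t-\n"
    "deny\t\\.(exe|scr|pif)$\tExecutable attachment\tExecutable attachments are not accepted\n"
)
SAMPLES = ["invoice.pdf.EXE", "song.mp3", "notes.txt"]  # constructed names

if __name__ == "__main__":
    for label, text in (("deny first", GOOD_ORDER), ("catch-all first", BAD_ORDER)):
        rules = parse_rules(text)
        print(label)
        for name in SAMPLES:
            d = evaluate(rules, name)
            where = f"line {d.rule.lineno}" if d.rule else "no rule"
            print(f"  {name:18} {d.action:5} ({where})")
        for r in unreachable_rules(rules, SAMPLES):
            print(f"  line {r.lineno} never decided a sample: {r.pattern.pattern}")
```

Running it shows the catch-all line allowing the double-extension name when it comes first, and the parser rejecting a rule whose fields are separated by spaces.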
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn {Scanned by HJMS}
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C07A6@inex1.herffjones.hj-int>
Message-ID: <5.2.1.1.2.20030903213144.036e4e08@imap.ecs.soton.ac.uk>

The other thing to remember is that, based on the scores from the other rules, it auto-learns from very spammy and very non-spammy messages. So most of the time you don't need to train it manually at all, it will do it on its own.

However, you may also want to have some sort of "spam" and "notspam" mailboxes which get processed by sa-learn. Search the archives for "sa-learn --mbox" or "sa-learn -mbox" and you'll find my scripts to do it all for you.

At 21:03 03/09/2003, you wrote:
>You're close - but sa-learn doesn't update whitelists or blacklists - it
>just trains the Bayesian filtering engine, which identifies patterns in spam
>and uses them to recognize future spam. SpamAssassin passes messages to the
>Bayesian engine and gets a score for each message, just as it does for its
>other rules. This score just becomes part of the cumulative score for the
>message.
>
>There's a FAQ entry on how to set up a script to automatically run sa-learn
>- sounds like you already found that. If you have trouble getting it to
>work, ask for help again.
>
>Besides the bayesian filtering, you can also whitelist and blacklist senders
>but I would hesitate to recommend automating that process - I can imagine
>users blindly forwarding spam from the sobig virus to an address that would
>automatically blacklist the sender, which would be a bad thing since sobig
>is likely to come "from" someone who regularly emails you.
>
>HTH,
>Trever
>
> > -----Original Message-----
> > From: Chris Lyon [mailto:cslyon@NETSVCS.COM]
> > Sent: Wednesday, September 03, 2003 2:34 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Training the bayesian engine and sa-learn {Scanned by HJMS}
> >
> >
> > So, I have been reading the FAQ and also the past posts but
> > have a little
> > confusion that I need to resolve. Just to give a little back
> > ground, I have
> > a lot of users who all have issues with e-mail that is being
> > marked as spam
> > or not being marked as spam. So, I think the answer to this
> > is to have them
> > forward the messages to an unattended mailbox that will
> > autowhitelist or
> > autoblacklist the sender. Is that what sa-learn is all about?
> >
> >
> > So, if I create a spam and non-spam account on server and use
> > the sa-learn
> > to check the messages that my users forward to these
> > accounts, if something
> > was marked as spam and is not, further messages will not be
> > marked again?
> > Conversely, if I have a message that is spam but not marked,
> > I can forward
> > that to spam and it will be marked as spam the next message
> > that comes in
> > from that sender?
> >
> >
> > How does it work, based on content I would assume or does it
> > work by the
> > domain? Also, what happens with stuff being forwarded from
> > different mail
> > clients like outlook?
> >
> >
> > Can anybody shed some light on this one?
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:41:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030903203110.63606.qmail@web41406.mail.yahoo.com>
References: <5.2.0.9.2.20030903094622.03f92df0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030903213804.036edda0@imap.ecs.soton.ac.uk>

At 21:31 03/09/2003, you wrote:
>I am running MailScanner 4.21-9

This means that it isn't a problem with the latest release, 4.21 is from back in June.

Is it processing all the messages in the queue with each new batch, or are you getting the maillog reporting that it found a large number of messages waiting, but then only started scanning a few of them? In that case, it's because a lot of the messages are still being delivered to you.

If you could actually submit a chunk of your log showing what (if anything) is happening, then I can try to see what's going on.

>The maillog is just queueing up the messages, it is routing but not at a
>good rate (bad performance). I would run the command but the server that
>was having problems is not up, switched over to another server.
>
>Same as above for the second output request.
>
>I have not changed anything
>
>Julian Field wrote:
>Morning all,
>
>Appears you are all having a similar problem.
>Are you running 4.23-11 or 4.23-10? If -10 then upgrade to -11.
>
>What does your maillog say is happening?
>grep MailScanner /var/log/maillog | tail -70
>
>What processes are running?
>ps ax | grep -i mail
>
>What have you changed from your previously-working system?
>
>
>At 09:49 03/09/2003, you wrote:
> >
> >"Spicer, Kevin" wrote:
> >
> >Which queue?
> >
> >All are in the mqueue.in
> >
> >As I said, if you're happy to bypass MailScanner to get the mail delivered
> >follow the instructions below.
> >
> >Tried running your commands and received the following:
> >
> > > service MailScanner stop
> >
> >Shutting down MailScanner daemons:
> >
> >MailScanner: [ OK ]
> >
> >incoming sendmail: [ OK ]
> >
> >outgoing sendmail: [ OK ]
> >
> > > mv /var/spool/mqueue.in/* /var/spool/mqueue
> >
> >sh: line 1: /bin/mv: Argument list too long
> >
> >
> > > "Spicer, Kevin" wrote:
> > > Can you confirm whether email had completely stopped, or whether
> > > MailScanner just wasn't keeping up with the queue?
> > >
> > > If you want to bypass MailScanner to clear the backlog... (assuming
> > > RedHat syntax)
> > >
> > > service MailScanner stop [wait for all MailScanner
> > > processes to disappear after running this before moving on] mv
> > > /var/spool/mqueue.in/* /var/spool/mqueue service MailScanner start
> > > [restart Mailscanner to process any newly arriving messages, see if it
> > > copes] sendmail -q
> > >
> > > [this last command will take a very long time to complete as it will
> > > attempt to deliver each message in the queue, with your backlog this
> > > could be a considerable period of time]
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:37:44 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
References: <8FFC76593085ED4A80D3601BC41EFCDF8E1B7E@inex1.herffjones.hj-int>
Message-ID: <5.2.1.1.2.20030903213653.036946a8@imap.ecs.soton.ac.uk>

At 21:09 03/09/2003, you wrote:
>Hi!
>
> > I'd say that's definitely a problem outside the scope of MailScanner. If
> > they're in the outbound queue destined for remote addresses, I'd say it's
> > still not related to MailScanner and it may not indicate a problem at all.
>
>No =) It's about the incoming queue. Outgoing is a smart relay host so all
>flow out pretty fast normally.
>
> > Of course, if you mean they were sitting in the incoming queue, then that's
> > probably MailScanner... :-)
>
>Yes it is.

I have tried out a complete batch of mail someone sent me, and it processed it perfectly happily on my system. It just gently chugged through it, no holdups at all. So I still cannot reproduce this problem.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 3 21:48:39 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:45 2006
Subject: What is this? Never heard of scanner 'clamav'!
In-Reply-To: <013401c3725c$1a439420$0d01a8c0@rfabara>
Message-ID: <5.2.1.1.2.20030903214716.036846d0@imap.ecs.soton.ac.uk>

At 21:43 03/09/2003, you wrote:
>My email server don't work !!!
>
>In my maillog :
>
>
>Sep 3 15:43:49 inet3 MailScanner[30205]: Using locktype = flock
>
>Sep 3 15:43:49 inet3 MailScanner[30205]: New Batch: Scanning 3 messages,
>8688 bytes
>
>Sep 3 15:43:50 inet3 MailScanner[30205]: Virus and Content Scanning: Starting
>
>Sep 3 15:43:50 inet3 MailScanner[30205]: Never heard of scanner 'clamav'!
>
>Why ?

Have you done anything to /etc/MailScanner/virus.scanners.conf?
Or changed the setting of
Virus Scanner Definitions =
in your MailScanner.conf file?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Wed Sep 3 21:53:03 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5.2.1.1.2.20030903213653.036946a8@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >Yes it is.
>
> I have tried out a complete batch of mail someone sent me, and it processed
> it perfectly happily on my system. It just gently chugged through it, no
> holdups at all. So I still cannot reproduce this problem.

Clear, most likely hard to find anyway.... there are several people with this problem, I guess you could have a look on one of the boxes :)

I was hoping it would be reproducible with the batch I sent in.

Bye,
Raymond.

From vanhorn at whidbey.com Wed Sep 3 21:55:07 2003
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7917@pascal.priv.bmrb.co.uk> <1062620289.27350.17.camel@bach.kevinspicer.co.uk>
Message-ID: <3F56552B.63C1A308@whidbey.com>

Kevin Spicer wrote:

> You can best improve the accuracy by adding DCC, razor2 and pyzor, and
> by letting SA do RBL checks rather than MailScanner.

I've always had MailScanner handling the RBL, is there really a performance or accuracy issue here?

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For web hosting and maintenance, visit Van's home page:
http://www.domainvanhorn.com/van/
----------------------------------------------------------

From llasad1 at YAHOO.COM Wed Sep 3 21:55:23 2003
From: llasad1 at YAHOO.COM (lester lasad)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <36591.10.10.1.71.1062594144.squirrel@webmailtest.shcorp.com>
Message-ID: <20030903205523.86738.qmail@web41409.mail.yahoo.com>

Just to refresh, Mail was in the incoming queue only /var/spool/mqueue.in. Mail was routing but at a very slow pace (not at its normal rate). I am running MS 4.21-9 and also using spamassassin 2.55-1. I have been using this setup since January 3rd, of 2003 with no problems. I have of course upgraded the packages along the way. No changes have been made to the server in the recent past, it has been running with no problems.

Thankfully, I had a secondary SMTP server that I moved into the Primary spot. I am using the same versions of MailScanner and spamassassin on that server. Mail has been routing fine all day after changing the servers around.

I used Kurt Yoder's suggestions below which helped in clearing up the queue on the other server.

Thanks for all of your suggestions and assistance!!! If you need more info please let me know.

Kurt Yoder wrote:

lester lasad said:
>
>
> "Spicer, Kevin" wrote:
> Which queue?
>
> All are in the mqueue.in
>
> As I said, if you're happy to bypass MailScanner to get the mail
> delivered follow the instructions below.
>
> Tried running your commands and received the following:
>
>> service MailScanner stop
>
> Shutting down MailScanner daemons:
>
> MailScanner: [ OK ]
>
> incoming sendmail: [ OK ]
>
> outgoing sendmail: [ OK ]
>
>> mv /var/spool/mqueue.in/* /var/spool/mqueue
>
> sh: line 1: /bin/mv: Argument list too long

Here's a trick to get around this:

stop mailscanner as above
(stop sendmail service) /etc/init.d/sendmail stop
mv /var/spool/mqueue /var/spool/mqueue.old
mv /var/spool/mqueue.in /var/spool/mqueue
mv /var/spool/mqueue.old /var/spool/mqueue.in
(start sendmail service) /etc/init.d/sendmail start

Now sendmail should grab *everything* in the folder you just renamed to mqueue and deliver it.

--
Kurt Yoder
Sport & Health network administrator

From TGFurnish at HERFF-JONES.COM Wed Sep 3 21:57:24 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:45 2006
Subject: Training the bayesian engine and sa-learn {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1B8A@inex1.herffjones.hj-int>

> From: Chris Lyon [mailto:cslyon@NETSVCS.COM]
> Sent: Wednesday, September 03, 2003 3:46 PM
>
> The issue that I am having is that I have a bunch of users 500+ that
> forward spam or non-spam to e-mail accounts that needed to be manually
> processed. (Management choice unfortunately)

I would think having 500 users do anything is overkill. :-)

> So, what if the user forwards a mail to an account to get that sender
> whitelisted?

As I said, sa-learn doesn't impact whitelists or blacklists at all. If you want to do that you'll have to script up something else. Again though, almost certainly not a safe idea.

> -----Original Message-----
> From: Chris Lyon [mailto:cslyon@NETSVCS.COM] > Sent: Wednesday, September 03, 2003 3:46 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Training the bayesian engine and sa-learn > {Scanned by HJMS} > > > On Wed, 3 Sep 2003 15:03:35 -0500, Furnish, Trever G JONES.COM> wrote: > > >You're close - but sa-learn doesn't update whitelists or > blacklists - it > >just trains the Bayesian filtering engine, which identifies > patterns in > spam > >and uses them to recognize future spam. SpamAssassin passes > messages to > the > >Bayesian engine and gets a score for each message, just as > it does for its > >other rules. This score just becomes part of the cumulative > score for the > >message. > > > >There's a FAQ entry on how to set up a script to > automatically run sa-learn > >- sounds like you already found that. If you have trouble > getting it to > >work, ask for help again. > > > > So it is just based on the content of the message. So, if > something doesn't > look right in the message, give it to sa-learn and it will > learn from that > e-mail. > > >Besides the bayesian filtering, you can also whitelist and blacklist > senders > >but I would hesitate to recommend automating that process - > I can imagine > >users blindly forwarding spam from the sobig virus to an > address that would > >automatically blacklist the sender, which would be a bad > thing since sobig > >is likely to come "from" someone who regularly emails you. > > > The issue that I am having is that I have a bunch of users 500+ that > forward spam or non-spam to e-mail accounts that needed to be manualy > processed. (Management choice unfortunately) > > So, what if the user forwards a mail to an account to get that sender > whitelisted? > > > > >HTH, > >Trever > > > >> -----Original Message----- 
> >> From: Chris Lyon [mailto:cslyon@NETSVCS.COM] > >> Sent: Wednesday, September 03, 2003 2:34 PM > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: Training the bayesian engine and sa-learn > {Scanned by HJMS} > >> > >> > >> So, I have been reading the FAQ and also the past posts but > >> have a little > >> confusion that I need to resolve. Just to give a little back > >> ground, I have > >> a lot of users who all have issues with e-mail that is being > >> marked as spam > >> or not being marked as spam. So, I think the answer to this > >> is to have them > >> forward the messages to an unattended mailbox that will > >> autowhitelist or > >> autoblacklist the sender. Is that what sa-learn is all about? > >> > >> > >> So, if I create a spam and non-spam account on server and use > >> the sa-learn > >> to check the messages that my users forward to these > >> accounts, if something > >> was marked as spam and is not, further messages will not be > >> marked again? > >> Conversely, if I have a message that is spam but not marked, > >> I can forward > >> that to spam and it will be marked as spam the next message > >> that comes in > >> from that sender? > >> > >> > >> How does it work, based on content I would assume or does it > >> work by the > >> domain? Also, what happens with stuff being forwarded from > >> different mail > >> clients like outlook? > >> > >> > >> Can anybody shed some light on this one? > >> > From raymond at PROLOCATION.NET Wed Sep 3 21:59:20 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5.2.1.1.2.20030903213804.036edda0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >I am running MailScanner 4.21-9
>
> This means that it isn't a problem with the latest release, 4.21 is from
> back in June.

Last night I downgraded to 4.22 on one of my boxes, a pain since I had some of the new features running but that didn't help either, and indeed, if 4.21 also does it it seems there is some new thing that's doing it. Like we had way back also ...

> Is it processing all the messages in the queue with each new batch, or are
> you getting the maillog reporting that it found a large number of messages
> waiting, but then only started scanning a few of them? In that case, it's
> because a lot of the messages are still being delivered to you.

No, in my case it was like this:

12 workers, 70 messages. 8 workers got 8 x 70. Those would not come out the queue. I monitored those exact files, they stayed very very long, as in 50 minutes or so. The other workers were processing new messages and that went ok, so it seems some were stuck. The 8 other workers seemed more or less frozen. With the very few workers left the system went crazy on backlog making it only worse...

I didn't use any RBL checking or SA so it's only the virus scanner and the filename stuff. I also cut down the TNEF timeout to 30 seconds...

> If you could actually submit a chunk of your log showing what (if anything)
> is happening, then I can try to see what's going on.

You can have all my logs, only thing is they are around 180 Meg daily for each server. But it's not showing anything strange, those batches just take DAMN long to end up, but eventually they do...

Thanks,
Raymond.

From raymond at PROLOCATION.NET Wed Sep 3 22:01:21 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:45 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <20030903205523.86738.qmail@web41409.mail.yahoo.com> Message-ID: Hi! > Just to refresh, Mail was in the incoming queue only > /var/spool/mqueue.in. Mail was routing but at a very slow pace (not at > it's normal rate). I am running MS 4.21-9 and also using spamassassin > 2.55-1. I have been using this setup since January 3rd, of 2003 with no > problems. I have of course upgraded the packages along the way. No > changes have been made to the server in the recent past, it has been > running with no problems. What OS/Version ? RH9 ? Bye, Raymond. From kevins at BMRB.CO.UK Wed Sep 3 22:18:40 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:45 2006 Subject: Training the bayesian engine and sa-learn In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7933@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7933@pascal.priv.bmrb.co.uk> Message-ID: <1062623921.26526.29.camel@bach.kevinspicer.co.uk> On Wed, 2003-09-03 at 21:55, G. Armour Van Horn wrote: >Kevin Spicer wrote: >> You can best improve the accuracy by adding DCC, razor2 and pyzor, and >> by letting SA do RBL checks rather than MailScanner. >I've always had MailScanner handling the RBL, is there really a >performance >or accuracy issue here? Not _really_, I guess its personal choice. The thrust of what I was trying to say was that if the poster was getting false positives from SA letting SA do the RBL checks will increase the scores for many spams increasing the differentiation in scores between spam and ham. I should have added that there may be a need to tune the thresholds in this case. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From cslyon at NETSVCS.COM Wed Sep 3 22:27:12 2003 From: cslyon at NETSVCS.COM (Chris Lyon) Date: Thu Jan 12 21:19:45 2006 Subject: Training the bayesian engine and sa-learn {Scanned by HJMS} Message-ID: On Wed, 3 Sep 2003 15:57:24 -0500, Furnish, Trever G wrote: 
>> From: Chris Lyon [mailto:cslyon@NETSVCS.COM]
>> Sent: Wednesday, September 03, 2003 3:46 PM
>>
>> The issue that I am having is that I have a bunch of users 500+ that
>> forward spam or non-spam to e-mail accounts that needed to be manually
>> processed. (Management choice unfortunately)
>
>I would think having 500 users do anything is overkill. :-)
>

Believe me, I wish that I didn't have that overkill, headache, pain in the A!@ problem. The issue is I don't want to do the work and as we put more MailScanners in, then the workload gets greater.

>> So, what if the user forwards a mail to an account to get that sender
>> whitelisted?
>
>As I said, sa-learn doesn't impact whitelists or blacklists at all. If you
>want to do that you'll have to script up something else. Again though,
>almost certainly not a safe idea.
>

So, sa-learn won't do the whitelist or blacklist but I can write a perl script to get that done. So, grep the sender and put that into the whitelist file. Seems an easy way to do it and if it creates problems for the users, they created it so I won't feel so bad until I am made to fix it. That is another issue.
From dan at OXNARDSD.ORG Wed Sep 3 22:11:58 2003 From: dan at OXNARDSD.ORG (Dan Kubilos) Date: Thu Jan 12 21:19:45 2006 Subject: Leaving Email Unaltered Message-ID: Been bashing my head in. My boss is Peeved. I am want to convert html to text by default. Boss and other vips receive a newsletter that I need to leave untouched. I am using rulesets but am missing something. Full header of newsletter as delivered is ***** From henker at S-H-COM.DE Wed Sep 3 22:20:10 2003 
From: henker at S-H-COM.DE (Steffan Henke) Date: Thu Jan 12 21:19:45 2006 Subject: F-prot revisited In-Reply-To: <200309031917.h83JHUr02416@ori.rl.ac.uk> References: <200309031917.h83JHUr02416@ori.rl.ac.uk> Message-ID: On Wed, 3 Sep 2003, Alan Fiebig wrote: > While F-Prot's $29 Linux workstation version is all you technically need > to run with MailScanner, per F-Prot, you would be in violation of their > license. Their expensive 'per user' mail server version contains a whole But they don't sell the command line version for servers ! They just sell bigger products - and we don't need that, we use MailScanner. It's really disappointing looking for quotes on products from all the vendors I have looked at. We just need a command line scanner, nothing else. Last week, a Panda sales rep called me because I dl'ed the trial version. They could NOT tell me what the price for the final thing was ! They went on with "how many users you have, how many mboxes ?" - geez, I don't count my users` mboxes every day. And the funny thing in their trial is that it prints "FREEWARE" when running - in a recent comparison of Linux virus scanners, it was also mentioned "Freeware" in the German computer magazine "c't" lately. I told Panda their product is useless if it does not include automatic signature updates. > liked what I saw, and I supplied Jullian with a licensed copy so he > could add support for their product, e-Trust, to MailScanner. Even on the CA page, I didn't see a final price for the product I need, but maybe at that time I was already too tired after trying to find a price. Maybe all MailScanner users should unite and buy licences together, I'm sure we would get a discount :) Regards, Steffan From kevins at BMRB.CO.UK Wed Sep 3 22:46:54 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:45 2006 Subject: Leaving Email Unaltered In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A793A@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A793A@pascal.priv.bmrb.co.uk> Message-ID: <1062625614.26526.34.camel@bach.kevinspicer.co.uk> On Wed, 2003-09-03 at 22:11, Dan Kubilos wrote: >Been bashing my head in. My boss is Peeved. >I am want to convert html to text by default. >Boss and other vips receive a newsletter that I need to leave >untouched. I >am using rulesets but am missing something. Probably the envelope details differ from those in the headers. Grep your maillog for the messageID to find the address to use in your ruleset. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From Steve.Swaney at FSL.com Wed Sep 3 22:40:57 2003 
From: Steve.Swaney at FSL.com (Stephen Swaney) Date: Thu Jan 12 21:19:45 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: References: Message-ID: <1062625257.2403.91.camel@speedy> I'm starting to suspect that something besides MailScanner may be the cause of this mysterious problem. We have a new install of MailScanner that has been chugging nicely along since Sunday. All of the sudden between 10 & 11 AM EDT the "New Batch: Found ***** messages waiting" started creeping rapidly up. until it reached about 15,000 around 2:00 PM. I've been closely monitoring this server since Sunday and it's never had more than 200 messages queued before. It's no powerhouse, a 1 GHz Pentium with 512 MB RAM but it was chugging nicely along until today. We're now dropping the queue about 2,000 messages per hour by routing outbound email through another gateway. I can't do a lot of log diagnosis on the system right now because The load is a bit high and I don't want to disrupt the cleanup. I just think it's strange that all of the sudden so many of us are experiencing the same problem with different versions of MailScanner. Only thing new in my systems logs is the reporting of: Report: ClamAV: patch.exe contains Worm.Dumaru Which started about the same time as the queue backup. From the web: "Dumaru is a mass mailing worm, uses e-mail addresses collected from htm, wab, html, dbx, tbb, abd files to distribute infected messages. Dumaru worm arrives as an e-mail attachment. The infected attachment name will be "patch.exe"." Can't see why this would cause a problem if we're stopping it, but it's the only apparent anomaly in the logs. Any ideas? Steve Stephen Swaney President Fortress Systems, Ltd. www.FSL.com Steve.Swaney@FSL.com Phone: 202 338-1670 Fax:202 448-2969 U.S. Toll Free Phone and Fax: 877 746-6636 -- This message has been scanned for viruses and dangerous content by MailScanner and Sophos Anti-Virus at Fortress Systems.com and is believed to be clean. 
-- Postmaster@FSL.com Fortress Systems, Ltd. Email Gateways info@FSL.com www.FSL.com From COMBSTM at APPSTATE.EDU Wed Sep 3 22:54:13 2003 From: COMBSTM at APPSTATE.EDU (T. Combs) Date: Thu Jan 12 21:19:45 2006 Subject: Leaving Email Unaltered In-Reply-To: "Your message dated Wed, 03 Sep 2003 22:46:54 +0100" <1062625614.26526.34.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A793A@pascal.priv.bmrb.co.uk> Message-ID: <01L08J8RMW6K9S446E@appstate.edu> > >Boss and other vips receive a newsletter that I need to leave > >untouched. I > >am using rulesets but am missing something. > Probably the envelope details differ from those in the headers. Grep > your maillog for the messageID to find the address to use in your > ruleset. The envelope address is usually in the Return-Path: header. The return is *@sbl.cc which is probably not equal to *@*.sbl.cc I would make this change and test again. -- Combstm@appstate.edu Appalachian State University (828)262-6297 Information Technology Services FAX: (828)262-2236 From raymond at PROLOCATION.NET Wed Sep 3 23:07:15 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: MailScanner with Exim
In-Reply-To: <105478843.1062619046@jemima.zanker.org>
Message-ID:

Hi!

> I recently changed from MailScanner/Sendmail to MailScanner/Exim. The
> whole process was really straightforward thanks to the installation
> guide for MS/Exim. Everything is working fine but I have noticed a very
> large number of files building up in /var/spool/exim.in/msglog. Each
> one contains a single log entry for the reception of the message
> referenced by the filename.
>
> Is it usual for these files to be produced? If so, how are others
> dealing with them - cron job to delete them every day?

I wrote a little HOW-TO a few days ago, will submit it on the website also. What you need is in there also, have a look:

HOW-TO migrate from Sendmail to Exim with a MailScanner setup.
23 August 2003.
By Raymond Dijkxhoorn, Prolocation.
raymond@prolocation.net / www.prolocation.net

This document can be used as guideline when you want to migrate from Sendmail to Exim but already have MailScanner installed. It's a guideline for a RPM installed box, but most likely pretty easy to follow for other installations also.

Download the latest Exim 4.x package from ftp.exim.org. The one we used was the RPM install, but the package itself is pretty simple to build. Version used when making this document was Exim 4.22

Stop your running MailScanner setup. Make sure cron isn't restarting it.

    service MailScanner stop
    (service crond stop)

Install the Exim RPMs

    rpm -Uvh exim-4.22-1_10.rh9.i386.rpm exim-perl-4.22-1_10.rh9.i386.rpm

Now we need to change the MailScanner.conf, these are the changes we did:

    Run As User = exim
    Run As Group = exim
    Incoming Queue Dir = /var/spool/exim.in/input
    Outgoing Queue Dir = /var/spool/exim/input
    MTA = exim
    Sendmail = /usr/sbin/exim
    Sendmail2 = /usr/sbin/exim

These are about the changes you need, be sure to check the split spool settings.

Now make the needed dirs:

    mkdir /var/spool/exim.in
    mkdir /var/spool/exim.in/input

Link the exim msglog dirs so the msglog mechanism exim uses won't break.

    ln -s /var/spool/exim/msglog /var/spool/exim.in/msglog

On busy systems you could disable the use of the msglog dirs, this will save on disk io. You can do this in your exim config

    no_message_logs

Alter the rights of the dir so exim can write

    chown exim.exim /var/spool/exim.in -R

The next part is for people who also installed SpamAssassin, we had SA running with Pyzor, Razor and DCC installed. Since exim is running as user exim, and the test also are executed as exim you have to 'save' your old settings.

Move the old dirs to /var/spool/exim, the exim homedirectory...

    .pyzor
    .razor
    .spamassassin

Chown them to exim.exim, and you are set. If you had the bayes files elsewhere then don't forget to chown those also to exim.exim.

There is a nice install document on the MailScanner Exim install, so for that part, go to:

http://www.sng.ecs.soton.ac.uk/mailscanner/install/exim.shtml

We used the 'One Exim configuration file' part of that document. Don't forget the crontab for Exim that cycles the logs and cleans up the hints databases, also mentioned on the same page.

You now only need to configure exim with your site specific settings. The config file is located in /etc/exim

When migrating from sendmail you most likely had a relay-domains file and a mailertable file, you can simply use this to replace that within exim.

    domainlist relay_to_domains = /etc/exim/relay-domains

    mailertable_router:
      driver = manualroute
      domains = ! +local_domains
      route_data = ${lookup{$domain}lsearch{/etc/exim/mailertable}}
      transport = remote_smtp

You need to alter the format of the files a little, exim takes the list like for the mailertable, the relay-domains I had unchanged

After you are done with the exim config you should not forget to change /etc/sysconfig/mailscanner

You also have to tell there you switched over to exim. My config is called exim4.conf so I changed that also in that same file.

You might need to remove the MS lock files in /tmp, they are most likely having the wrong owners also. Just delete them, MS will recreate them.

That's about it. You can now have a try and startup MailScanner again, with your fresh Exim installation.

    service MailScanner start
    (service crond start)

If you have things like MailScanner-MRTG installed, look carefully if that won't break anything.

Good luck migrating.

Bye,
Raymond.

From raymond at PROLOCATION.NET Wed Sep 3 23:10:50 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <1062625257.2403.91.camel@speedy>
Message-ID:

Hi!

> I'm starting to suspect that something besides MailScanner may be the
> cause of this mysterious problem.
>
> We have a new install of MailScanner that has been chugging nicely along
> since Sunday. All of the sudden between 10 & 11 AM EDT the "New Batch:
> Found ***** messages waiting" started creeping rapidly up. until it
> reached about 15,000 around 2:00 PM. I've been closely monitoring this
> server since Sunday and it's never had more than 200 messages queued
> before. It's no powerhouse, a 1 GHz Pentium with 512 MB RAM but it was
> chugging nicely along until today.

I am suspecting this all along, but will be hard for Julian to catch this since it seems hard to reproduce at his end.

The strange thing is that I was able to reproduce it with the zip I sent Julian on two other boxes also...

Bye,
Raymond

From SJCJonker at SJC.NL Wed Sep 3 23:22:57 2003
From: SJCJonker at SJC.NL (Stijn Jonker) Date: Thu Jan 12 21:19:45 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: References: Message-ID: <3F5669C1.4050501@SJC.nl> Hello all, Although I don't have the problem (or haven't encountered it yet) I saw a few times RH9. Within RH9 I have seen a few perl scripts (AutoRPM comes to mind) not running correctly. This was fixed by bypassing the internationalization, although I'm running on the "default" en_US.UTF-8 "language". For autorpm it was fixed by putting LC_ALL=C in the script. Maybe Raymond, you could try the batch you have problems with after you modified the /etc/init.d/MailScanner (or equiv) to include the export LC_ALL=C statement. It's a long shot from my side, as I said I haven't encountered the issue yet. But it's worth a try. P.S. I have not checked/don't know where to look if and how changing the internationalization for MS & SA could have an effect on the functioning of both. Raymond Dijkxhoorn said the following on 09/03/2003 10:53 PM: | Hi! | | |>>Yes it is. |> |>I have tried out a complete batch of mail someone sent me, and it processed |>it perfectly happily on my system. It just gently chugged through it, no |>holdups at all. So I still cannot reproduce this problem. | | | Clear, most likely hard to find anyway.... there are several people with | this problem, i guess you could have a look on one of the boxes :) | | I was hopeing it would be reproducable with the batch i sended in. | | Bye, | Raymond. -- Met Vriendelijke groet/Yours Sincerely Stijn Jonker From keith at MIDNIGHTHAX.COM Wed Sep 3 23:42:27 2003 
From: keith at MIDNIGHTHAX.COM (Keith Edmunds)
Date: Thu Jan 12 21:19:45 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C07A4@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF0C07A4@inex1.herffjones.hj-int>
Message-ID: <20030903234227.6b0ee26a.keith@midnighthax.com>

On Wed, 3 Sep 2003 14:18:47 -0500 "Furnish, Trever G" wrote:

> for file in `find /var/spool/mqueue.in -type f`;
> do
> mv $file /var/spool/mqueue
> done
>
> Be sure you get the quotes right around the find command - they're
> "backticks", ie backwards apostrophes, not double-quotes or
> apostrophes.

There's nothing wrong in what you have written at all, but sometimes it is easier for others to read if you use the alternative syntax:

    for file in $(find /var/spool/mqueue.in -type f);
    do
        mv $file /var/spool/mqueue
    done

- saves all that hassle with precisely _which_ key is the backtick.

--
Keith Edmunds

From brose at MED.WAYNE.EDU Wed Sep 3 23:46:26 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:45 2006
Subject: Mailscanner and Warning Messages
Message-ID:

Am I correct in what I'm seeing? When MailScanner creates the warning messages is it dropping the message into mqueue.in? I've been watching queues and I was surprised to see them in mqueue.in since I would have thought it would drop them in mqueue. If it's placed in mqueue.in wouldn't that be more work since mailscanner is scanning that message on the next pass?

-=Bobby

From keith at MIDNIGHTHAX.COM Wed Sep 3 23:51:22 2003
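[Added example, not part of any poster's message and not MailScanner code.] The "Argument list too long" error from `mv /var/spool/mqueue.in/*` in the "Mail Not Routing" thread comes from the glob expanding into more arguments than one exec can carry; the sketch below lets find hand files to mv in bounded batches, moves sendmail body files (df*) before control files (qf*) so a queue runner never sees a control file without its body, and then lists any control file left without a body. The function names and the qf<ID>/df<ID> pairing check are assumptions of this example, and it is meant to run with MailScanner and sendmail stopped, as the thread describes.

```shell
#!/bin/sh
# Added example: batch-safe move of a sendmail queue directory.
# Assumes the usual sendmail naming, qf<ID> (control) and df<ID> (body).

# move_queue SRC DST
# Move every regular file directly under SRC into DST.
# Returns 0 on success, 1 on bad arguments or if any mv fails.
move_queue() {
    src=$1
    dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || return 1

    # "-exec ... {} +" makes find split the file list into batches that fit
    # the kernel's exec argument limit; a bare "mv $src/* $dst" cannot.
    # Pass 1 moves the body files, pass 2 everything else (qf*, xf*, ...).
    find "$src" -maxdepth 1 -type f -name 'df*' \
        -exec sh -c 'dst=$1; shift; mv -- "$@" "$dst"/' sh "$dst" {} + \
        || return 1
    find "$src" -maxdepth 1 -type f ! -name 'df*' \
        -exec sh -c 'dst=$1; shift; mv -- "$@" "$dst"/' sh "$dst" {} + \
        || return 1
}

# orphaned_qf DIR
# Print the queue IDs whose control file has no matching body file in DIR.
# No output means every qf<ID> has its df<ID>.
# A glob in a "for" loop is expanded inside the shell, so it is not subject
# to the exec argument limit that broke the original mv command.
orphaned_qf() {
    for qf in "$1"/qf*; do
        [ -e "$qf" ] || continue      # the glob matched nothing
        id=${qf##*/qf}
        [ -e "$1/df$id" ] || printf '%s\n' "$id"
    done
}

# Typical use, after stopping MailScanner and sendmail:
#   move_queue /var/spool/mqueue.in /var/spool/mqueue && orphaned_qf /var/spool/mqueue
```
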
From: keith at MIDNIGHTHAX.COM (Keith Edmunds) Date: Thu Jan 12 21:19:45 2006 Subject: MailScanner+PostFix In-Reply-To: <5.2.1.1.2.20030831111641.02730b38@imap.ecs.soton.ac.uk> References: <3F50C9F9.21E2DBAD@whidbey.com> <5C0296D26910694BB9A9BBFC577E7AB0015A77F7@pascal.priv.bmrb.co.uk> <1062245470.23305.36.camel@bach.kevinspicer.co.uk> <3F50C9F9.21E2DBAD@whidbey.com> <5.2.1.1.2.20030831111641.02730b38@imap.ecs.soton.ac.uk> Message-ID: <20030903235122.346637f5.keith@midnighthax.com> On Sun, 31 Aug 2003 11:19:35 +0100 Julian Field wrote: > I would advise you look at Exim instead. Due to the structure of > Postfix, MailScanner has to do a heck of a lot more i/o than it does > when working with sendmail or Exim, so it's not very efficient. The > body of every message has to be copied between queues, as opposed to > just linked and deleted as it does with sendmail and Exim. > > Postfix has a (deservedly) good reputation, it's just that its > internal design doesn't fit with MailScanner very well. Is it fair to say that the duplicate mail problem with Postfix is unlikely to be resolved in the near future? Don't get me wrong, I'm not knocking either MS or Postfix, I just want to know! I use Postfix on a number of installations and I think I'm faced with the choice of: a) migrating to, say, exim or b) putting up with the duplicate mails If I'm wrong, correction would be welcomed. Is it likely that there will ever be a tighter integration between Postfix and MS which would work around these issues? Thanks, Keith From raymond at PROLOCATION.NET Wed Sep 3 23:52:18 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:45 2006 Subject: Mailscanner and Warning Messages In-Reply-To: Message-ID: Hi! > Am I correct in what I'm seeing? When MailScanner creates the warning > messages is it dropping the message into mqueue.in? I've been watching > queues and I was surprised to see them in mqueue.in since I would have > thought it would drop them in mqueue. If it's placed in mqueue.in > wouldn't that be more work since mailscanner is scanning that message on > the next pass? Thats the way it works yes, pretty safe :) Julian, to avoid wasting valuable resources would it be possible to make it configurable where to place them ? In the outgoing queue would be better. But on the other hand i can imagine you dont want to write the message itself but let a local process handle that. Since queue files differ for each mailer. Bye, Raymond. From brose at MED.WAYNE.EDU Thu Sep 4 00:00:07 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:19:45 2006 Subject: Mailscanner and SpamChecks Message-ID: Another question, I noticed that even if Spam Checks is off, the logs still say spam checks. I know that that comes from the log spam option, but the MS processes are still running thru the spam check subroutines in MessageBatch. Granted it's really not doing the checks, I was still wondering why it just doesn't skip the spam/ham routines altogether and go straight to virus checking when spam checks is off. We had routing issues today and got dumped on when it came back up so I've been staring at queues and logs all day. I'd turned off the spam checks to clear the queues faster and it just couldn't go fast enough for me. ;-) From brose at MED.WAYNE.EDU Thu Sep 4 00:02:53 2003 
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:45 2006
Subject: MailScanner feature request
Message-ID:

Is it possible to have MailScanner note the Sender IP in the logs for a message that it finds a virus on. That'll make it easier to pull out the people that are pounding the heck out of MailScanner so that they can just be blocked entirely.

-=Bobby

From raymond at PROLOCATION.NET Thu Sep 4 00:19:36 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:45 2006
Subject: MailScanner feature request
In-Reply-To:
Message-ID:

Hi!

> Is it possible to have MailScanner note the Sender IP in the logs for a
> message that it finds a virus on. That'll make it easier to pull out
> the people that are pounding the heck out of MailScanner so that they can
> just be blocked entirely.

    # Include the full headers of each message in the notices sent to the local
    # system administrators?
    # This can also be the filename of a ruleset.
    Notices Include Full Headers = yes

Bye,
Raymond.

From brose at MED.WAYNE.EDU Thu Sep 4 00:44:01 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:45 2006
Subject: MailScanner feature request
Message-ID:

You can't run a report on that easily enough. If the IP address is in the log, then maybe David's mailstats can grab it so that you can see the virus guys. I can even see his autoblocker function using it.

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET] Sent: Wednesday, September 03, 2003 7:20 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner feature request Hi! > Is it possible to have MailScanner note the Sender IP in the logs for > a message that it finds a virus on. That'll make it easier to pull > out the people that are pounding the heck out of MailScanner so that > the can just just be blocked entirely. # Include the full headers of each message in the notices sent to the local # system administrators? # This can also be the filename of a ruleset. Notices Include Full Headers = yes Bye, Raymond. From Steve.Swaney at FSL.com Thu Sep 4 05:12:58 2003 
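The report asked for above, as an added example that is not part of the original posts or of MailScanner: it tallies client IPs from log lines of the form "Infected message <id> came from <ip>", the format used by the patch posted later in this thread. The syslog prefix, the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank the hosts that send the most infected mail.
# Assumed log format (from the patch later in this thread):
#   <syslog prefix> MailScanner[pid]: Infected message <id> came from <ip>

# sample_log: constructed log lines, addresses from documentation ranges.
sample_log() {
    cat <<'EOF'
Sep  4 13:25:07 ns MailScanner[18921]: Infected message h84CP1Ib000101 came from 192.0.2.10
Sep  4 13:25:09 ns MailScanner[18921]: Infected message h84CP3Ib000102 came from 192.0.2.10
Sep  4 13:25:09 ns MailScanner[18921]: Infected message h84CP3Ib000102 came from 192.0.2.10
Sep  4 13:26:11 ns MailScanner[18922]: Infected message h84CQ5Ib000103 came from 198.51.100.7
Sep  4 13:26:40 ns MailScanner[18921]: Spam Actions: message h84CQ9Ib000104 actions are store
Sep  4 13:27:02 ns MailScanner[18922]: Infected message h84CR0Ib000105 came from 192.0.2.10
Sep  4 13:27:30 ns MailScanner[18922]: Infected message h84CR2Ib000106 came from 198.51.100.7
Sep  4 13:28:00 ns MailScanner[18921]: Infected message h84CS0Ib000107 came from 203.0.113.5
Sep  4 13:28:05 ns MailScanner[18921]: Infected message h84CS1Ib000108 came from unknown
EOF
}

# infected_sources LOGFILE MIN
# Prints "count ip" for every client IP with at least MIN infected messages,
# busiest first. A message id is counted once per IP, so a repeated log line
# does not inflate the total, and anything that is not a dotted-quad address
# is dropped before it can reach a block list.
infected_sources() {
    awk -v min="$2" '
        / MailScanner\[[0-9]+\]: Infected message [^ ]+ came from [^ ]+$/ {
            id = $(NF - 3)
            ip = $NF
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (!seen[id, ip]++) count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2
}

# Run as "sh thisfile demo" to see the report for the sample log.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_log > "$tmp"
    infected_sources "$tmp" 2
    rm -f "$tmp"
fi
```

Review the output before blocking anything: a high count can be a legitimate relay that forwards other people's infected mail.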
From: Steve.Swaney at FSL.com (Stephen Swaney) Date: Thu Jan 12 21:19:45 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: References: Message-ID: <1062648778.2403.207.camel@speedy> Stopping spamassassin RBL checks solved the problem here. in spam.assassin.prefs.conf skip_rbl_checks 1 Pyzor, Razoor and DCC all appear to be fine. It looks like this started around 11:00 AM EDT. Steve Steve.Swaney@FSL.com On Wed, 2003-09-03 at 18:10, Raymond Dijkxhoorn wrote: > Hi! > > > I'm starting to suspect that something besides MailScanner may be the > > cause of this mysterious problem. > > > > We have a new install of MailScanner that has been chugging nicely along > > since Sunday. All of the sudden between 10 & 11 AM EDT the "New Batch: > > Found ***** messages waiting" started creeping rapidly up. until it > > reached about 15,000 around 2:00 PM. I've been closely monitoring this > > server since Sunday and it's never had more than 200 messages queued > > before. It's no powerhouse, a 1 GHz Pentium with 512 MB RAM but it was > > chugging nicely along until today. > > I am suspecting this all along, but will be hard for Julian to catch this > since it seems hard to reproduce at his end. > > The strange thing is that i was able to reproduce it with the zip i > sended Julian on two other boxes also... > > Bye, > Raymond -- This message has been scanned for viruses and dangerous content by MailScanner and Sophos Anti-Virus at Fortress Systems.com and is believed to be clean. -- Postmaster@FSL.com Fortress Systems, Ltd. Email Gateways info@FSL.com www.FSL.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030904/b23fd019/attachment.html From mike at ZANKER.ORG Thu Sep 4 06:04:26 2003 
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:19:45 2006 Subject: MailScanner with Exim In-Reply-To: References: Message-ID: <141898312.1062655466@jemima.zanker.org> On 04 September 2003 00:07 +0200 Raymond Dijkxhoorn wrote: > I wrote a little HOW-TO a few days ago, wil submit it on the website > also. What you need it in there also, have a look: Thank you Raymond, that certainly does answer my question. I had done everything you mention *except* linking the msglog directories! Regards, Mike. From evertjan at VANRAMSELAAR.NL Thu Sep 4 06:08:44 2003 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:19:45 2006 Subject: SIGPIPE received - trying new log socket In-Reply-To: <5.2.1.1.2.20030903211154.03648e28@imap.ecs.soton.ac.uk> References: <2512.10.10.0.101.1062610096.squirrel@intranet> <5.2.1.1.2.20030903211154.03648e28@imap.ecs.soton.ac.uk> Message-ID: <48349.194.151.195.222.1062652124.squirrel@mail.vanramselaar.nl> Julian Field said: >>Sep 3 19:14:58 ram3 MailScanner[4002]: SIGPIPE received - trying new log >>socket >>Is this something serious? > > No. You aren't using syslog-ng are you? Nope. Just the standard syslogd. > If all else fails, find the logging statement in Log.pm and comment it out > if it's a pain. Well I was just curious if something was wrong, because I had never seen it before the last MS upgrade. Thanks for pointing out I don't have to worry... :o) -- Evert Jan van Ramselaar Van Ramselaar Info Tech From zfajfr at krnap.cz Thu Sep 4 06:28:23 2003 
From: zfajfr at krnap.cz (Zdenek Fajfr) Date: Thu Jan 12 21:19:46 2006 Subject: Spam Action "Forward" doesn't work In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB5AC4@eqmail1.efni.vpn> Message-ID: Well, the thing is that I don't want to deliver spam to users any more; I just want to be able to check the spam occasionally for false positives. So thought I could pick up the spam, deliver it to one common e-mail address (me) passing it through a filtering rule in Outlook to separate it from ordinary mail and storing it in folder called 'SPAM'. I wonder way the log records say Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316 actions are bounce,store,forward,postmaster@krnap.cz !?!?!? One would expect there ....forward postmaster@krnap.cz (e.g. without the comma) or forward(postmaster@krnap.cz) or maybe forward "postmaster@krnap.cz". I tried to enclose the email address in (double) quotes - no success either. I'm running out of ideas Z. > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Hirsh, Joshua > Sent: Wednesday, September 03, 2003 5:24 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Spam Action "Forward" doesn't work > > > I haven't run into any issues with forward as an action. Perhaps the only > difference for me is that I still deliver the spam, but forward it to > another address as well. > > MS 4.23-11 and Postfix 2.0.13. > > > Cheers, > > -- > Joshua Hirsh > Systems Administration > Partner Solutions/ING Canada > 455, avenue Saint-Joseph > Saint-Hyacinthe, Quebec J2S 8K8 > (450) 778-9580 ext. 3798 > joshua.hirsh@partnersolutions.ca From danieltan at shopnsave.com.sg Thu Sep 4 06:40:15 2003 
From: danieltan at shopnsave.com.sg (Daniel Tan) Date: Thu Jan 12 21:19:46 2006 Subject: Small typo in f-prot-autoupdate References: <5.2.0.9.2.20030903095336.03f582b8@imap.ecs.soton.ac.uk> Message-ID: <015b01c372a7$04caa480$3900a8c0@Daniel> i thought the f-prot autoupdate script comes with f-prot software by itslef? check-updates.pl??? Julian, have you solved the mcp error yet? am using SA 2.55 and only PerMsgStatus.pm don't work either by using patch or by manually entering it by hand. Daniel ----- Original Message ----- From: "Julian Field" To: Sent: Wednesday, September 03, 2003 4:53 PM Subject: Re: Small typo in f-prot-autoupdate Thanks for that. Fixed. At 02:27 03/09/2003, you wrote: >Julian there is a small typo in the f-prot-autoupdate script that prevents >logging status to /var/log/maillog. Here's the code segment where I added >the open Syslog line right after alarm 0 ... > > >if ($@) { > if ($@ =~ /timeout/) { > # We timed out! > CleanTempDir(); > &UnlockFProt(); > alarm 0; > } >} else { > alarm 0; > Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail'); ****** > Sys::Syslog::syslog('info', $updated?"F-Prot successfully updated.": > "F-Prot did not need updating."); >} > >-- >Gerry > >"The lyfe so short, the craft so long to learne" Chaucer -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -- This message has been scanned for viruses and dangerous content by Email Virus Scanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by Email Virus Scanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Thu Sep 4 09:23:50 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Small typo in f-prot-autoupdate In-Reply-To: <015b01c372a7$04caa480$3900a8c0@Daniel> References: <5.2.0.9.2.20030903095336.03f582b8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904092143.0435d010@imap.ecs.soton.ac.uk> At 06:40 04/09/2003, you wrote: >i thought the f-prot autoupdate script comes with f-prot software by itslef? >check-updates.pl??? Their script doesn't do the locking required to ensure that MailScanner doesn't try to start up f-prot while it is half way through updating. If MailScanner tried to use f-prot while the update was actually in progress, there is a chance that it would break and let viruses through. So my script does the same as theirs but with some locking added to do ths. >Julian, have you solved the mcp error yet? >am using SA 2.55 and only PerMsgStatus.pm don't work either by using patch >or by manually entering it by hand. Haven't had a chance to get near that yet. MCP isn't ready for mass public consumption anyway so I'm not too bothered. Also, MCP will still scan text and HTML sections of messages without the patch. >Daniel > >----- Original Message ----- 
>From: "Julian Field" >To: >Sent: Wednesday, September 03, 2003 4:53 PM >Subject: Re: Small typo in f-prot-autoupdate > > >Thanks for that. Fixed. > >At 02:27 03/09/2003, you wrote: > >Julian there is a small typo in the f-prot-autoupdate script that prevents > >logging status to /var/log/maillog. Here's the code segment where I added > >the open Syslog line right after alarm 0 ... > > > > > >if ($@) { > > if ($@ =~ /timeout/) { > > # We timed out! > > CleanTempDir(); > > &UnlockFProt(); > > alarm 0; > > } > >} else { > > alarm 0; > > Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail'); ****** > > Sys::Syslog::syslog('info', $updated?"F-Prot successfully updated.": > > "F-Prot did not need updating."); > >} > > > >-- > >Gerry > > > >"The lyfe so short, the craft so long to learne" Chaucer > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >-- >This message has been scanned for viruses and >dangerous content by Email Virus Scanner, and is >believed to be clean. > > >-- >This message has been scanned for viruses and >dangerous content by Email Virus Scanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 09:08:36 2003 
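The locking Julian describes above (keep the scanner from starting while the virus data is half way through an update), sketched as an added example; it is not the f-prot-autoupdate script or MailScanner's own code. The lock directory, file names and function names are assumptions, and the single exclusive lock used here also serialises scans, which a shared/exclusive lock would avoid.

```shell
#!/bin/sh
# Added example: serialise a signature update against scanner start-up.
# All paths, file names and function names are hypothetical.

# acquire_lock LOCKDIR TRIES
# mkdir either creates the directory or fails, atomically, so only one
# process can hold the lock. Tries once a second, TRIES times in total.
acquire_lock() {
    _lock=$1
    _tries=$2
    while [ "$_tries" -gt 0 ]; do
        if mkdir "$_lock" 2>/dev/null; then
            echo "$$" > "$_lock/pid"    # record the owner for the operator
            return 0
        fi
        _tries=$((_tries - 1))
        if [ "$_tries" -gt 0 ]; then sleep 1; fi
    done
    return 1
}

release_lock() {
    rm -rf "$1"
}

# update_signatures DATADIR NEWFILE
# Holds the lock for the whole update, stages the new file next to the live
# one, checks it, then renames it into place. The rename is atomic within
# one filesystem, so a reader never sees a half-written file, and a failed
# check leaves the old data untouched.
update_signatures() {
    _dir=$1
    _new=$2
    acquire_lock "$_dir/update.lock" 5 || return 1
    _stage="$_dir/signatures.new.$$"
    if cp "$_new" "$_stage" && [ -s "$_stage" ]; then
        if mv "$_stage" "$_dir/signatures.dat"; then _rc=0; else _rc=1; fi
    else
        rm -f "$_stage"
        _rc=1
    fi
    release_lock "$_dir/update.lock"
    return "$_rc"
}

# start_scan DATADIR
# Takes the same lock before loading signatures. If an update holds it, the
# scan is deferred (status 75, EX_TEMPFAIL) rather than run with data that
# may be incomplete: mail waits in the queue instead of passing unscanned.
start_scan() {
    _dir=$1
    acquire_lock "$_dir/update.lock" 1 || return 75
    if [ -s "$_dir/signatures.dat" ]; then _rc=0; else _rc=1; fi
    # ... the scanner itself would run here, while the lock is held ...
    release_lock "$_dir/update.lock"
    return "$_rc"
}

# Run as "sh thisfile demo" for a short walk-through in a scratch directory.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf 'old data\n' > "$d/signatures.dat"
    printf 'new data\n' > "$d/incoming"
    acquire_lock "$d/update.lock" 1        # pretend an update is running
    start_scan "$d" || echo "scan deferred with status $?"
    release_lock "$d/update.lock"
    update_signatures "$d" "$d/incoming" && echo "update installed"
    start_scan "$d" && echo "scan ran"
    rm -rf "$d"
fi
```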
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <20030903234227.6b0ee26a.keith@midnighthax.com>
References: <8FFC76593085ED4A80D3601BC41EFCDF0C07A4@inex1.herffjones.hj-int> <8FFC76593085ED4A80D3601BC41EFCDF0C07A4@inex1.herffjones.hj-int>
Message-ID: <5.2.0.9.2.20030904090731.06503168@imap.ecs.soton.ac.uk>

I have just fixed one server which was suffering from this exact problem.
It was processing messages, but very slowly.

I'm not saying this will work for everyone, but it fixed it for me just now.
Make sure your spam.assassin.prefs.conf contains these lines

score RCVD_IN_OSIRUSOFT_COM 0.0
score X_OSIRU_OPEN_RELAY 0.0
score X_OSIRU_DUL 0.0
score X_OSIRU_SPAM_SRC 0.0
score X_OSIRU_SPAMWARE_SITE 0.0
score X_OSIRU_DUL_FH 0.0

Please let us know if that helps.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Sep 4 09:15:36 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:46 2006
Subject: Mailscanner and Warning Messages
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030904091333.03fbc888@imap.ecs.soton.ac.uk>

At 23:52 03/09/2003, you wrote:
> > Am I correct in what I'm seeing? When MailScanner creates the warning
> > messages is it dropping the message into mqueue.in? I've been watching
> > queues and I was surprised to see them in mqueue.in since I would have
> > thought it would drop them in mqueue. If it's placed in mqueue.in
> > wouldn't that be more work since mailscanner is scanning that message on
> > the next pass?
>
>Thats the way it works yes, pretty safe :) Julian, to avoid wasting
>valuable resources would it be possible to make it configurable where to
>place them ? In the outgoing queue would be better. But on the other hand
>i can imagine you dont want to write the message itself but let a local
>process handle that. Since queue files differ for each mailer.

It should be configurable already. See MailScanner.conf:

# Set how to invoke MTA when sending messages MailScanner has created
# (e.g. to sender/recipient saying "found a virus in your message")
# This can also be the filename of a ruleset.
Sendmail = /usr/lib/sendmail

Now I've never tried it, but I don't see why you shouldn't be able to say

Sendmail = /usr/lib/sendmail -OQueueDirectory=/var/spool/mqueue

but I still prefer to scan messages I just created, in case something nasty
happens. I never have seen anything nasty happen here, but that's just
because I haven't been imaginative to create the scenario :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Sep 4 09:18:20 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: MailScanner+PostFix In-Reply-To: <20030903235122.346637f5.keith@midnighthax.com> References: <5.2.1.1.2.20030831111641.02730b38@imap.ecs.soton.ac.uk> <3F50C9F9.21E2DBAD@whidbey.com> <5C0296D26910694BB9A9BBFC577E7AB0015A77F7@pascal.priv.bmrb.co.uk> <1062245470.23305.36.camel@bach.kevinspicer.co.uk> <3F50C9F9.21E2DBAD@whidbey.com> <5.2.1.1.2.20030831111641.02730b38@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904091555.06503168@imap.ecs.soton.ac.uk> At 23:51 03/09/2003, you wrote: >On Sun, 31 Aug 2003 11:19:35 +0100 >Julian Field wrote: > > > I would advise you look at Exim instead. Due to the structure of > > Postfix, MailScanner has to do a heck of a lot more i/o than it does > > when working with sendmail or Exim, so it's not very efficient. The > > body of every message has to be copied between queues, as opposed to > > just linked and deleted as it does with sendmail and Exim. > > > > Postfix has a (deservedly) good reputation, it's just that its > > internal design doesn't fit with MailScanner very well. > >Is it fair to say that the duplicate mail problem with Postfix is >unlikely to be resolved in the near future? It's going to take a fair bit of analysis to find what's wrong, and I don't have *any* free time at the moment, my day job (http://www.ecs.soton.ac.uk/~jkf/myjob.html) is really hectic at the moment as we get everything organised for the students' arrival in a few weeks time. Maybe some time in October I might have time. > Don't get me wrong, I'm not >knocking either MS or Postfix, I just want to know! I use Postfix on a >number of installations and I think I'm faced with the choice of: > >a) migrating to, say, exim or >b) putting up with the duplicate mails -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Thu Sep 4 09:49:10 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5.2.0.9.2.20030904090731.06503168@imap.ecs.soton.ac.uk> Message-ID: Hi! > I have just fixed one server which was suffering from this exact problem. > It was processing messages, but very slowly. Hmm... good! =) > I'm not saying this will work for everyone, but it fixed it for me just now. > Make sure your spam.assassin.prefs.conf contains these lines > > score RCVD_IN_OSIRUSOFT_COM 0.0 > score X_OSIRU_OPEN_RELAY 0.0 > score X_OSIRU_DUL 0.0 > score X_OSIRU_SPAM_SRC 0.0 > score X_OSIRU_SPAMWARE_SITE 0.0 > score X_OSIRU_DUL_FH 0.0 Allthough i am not using SA in my setup currently. But its good you have seen it happen also on your end. Bye, Raymond. From mailscanner at ecs.soton.ac.uk Thu Sep 4 09:51:28 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: References: <5.2.0.9.2.20030904090731.06503168@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904094612.074fd1a0@imap.ecs.soton.ac.uk> At 09:49 04/09/2003, you wrote: >Hi! > > > I have just fixed one server which was suffering from this exact problem. > > It was processing messages, but very slowly. > >Hmm... good! =) > > > I'm not saying this will work for everyone, but it fixed it for me just > now. > > Make sure your spam.assassin.prefs.conf contains these lines > > > > score RCVD_IN_OSIRUSOFT_COM 0.0 > > score X_OSIRU_OPEN_RELAY 0.0 > > score X_OSIRU_DUL 0.0 > > score X_OSIRU_SPAM_SRC 0.0 > > score X_OSIRU_SPAMWARE_SITE 0.0 > > score X_OSIRU_DUL_FH 0.0 > >Allthough i am not using SA in my setup currently. But its good you have >seen it happen also on your end. But it may well be a completely different problem in your case. The thing is, it appears to have just started affecting people running a) various different versions of MailScanner b) on various different platforms c) it was never a problem before some very recent change in circumstances This really points to it being a problem outside of MailScanner, as otherwise people would have surely noticed it before? The biggest changes in circumstances recently are the arrival of some very virulent worms and the death of osirusoft. If you are 100% sure you aren't ever checking osirusoft, then that leaves the worms. I can't see exactly what they might be causing, but they are putting a lot of stress on many networks, and I imagine that DNS servers as well as mail servers are seeing significantly more load than before, due to all the delivery-time DNS lookups that are done by the MTAs. From what you say, we are talking about at least 2 different problems, yours and the one I have just seen. Maybe there are more than 2? 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From danieltan at shopnsave.com.sg Thu Sep 4 10:10:52 2003 From: danieltan at shopnsave.com.sg (Daniel Tan) Date: Thu Jan 12 21:19:46 2006 Subject: Small typo in f-prot-autoupdate References: <5.2.0.9.2.20030903095336.03f582b8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030904092143.0435d010@imap.ecs.soton.ac.uk> Message-ID: <008401c372c4$70cac800$3900a8c0@Daniel> i'm sorry but how do i get the script? it is not included in the installation? what is the filename? ----- Original Message ----- From: "Julian Field" To: Sent: Thursday, September 04, 2003 4:23 PM Subject: Re: Small typo in f-prot-autoupdate At 06:40 04/09/2003, you wrote: >i thought the f-prot autoupdate script comes with f-prot software by itslef? >check-updates.pl??? Their script doesn't do the locking required to ensure that MailScanner doesn't try to start up f-prot while it is half way through updating. If MailScanner tried to use f-prot while the update was actually in progress, there is a chance that it would break and let viruses through. So my script does the same as theirs but with some locking added to do ths. >Julian, have you solved the mcp error yet? >am using SA 2.55 and only PerMsgStatus.pm don't work either by using patch >or by manually entering it by hand. Haven't had a chance to get near that yet. MCP isn't ready for mass public consumption anyway so I'm not too bothered. Also, MCP will still scan text and HTML sections of messages without the patch. >Daniel > >----- Original Message ----- 
>From: "Julian Field" >To: >Sent: Wednesday, September 03, 2003 4:53 PM >Subject: Re: Small typo in f-prot-autoupdate > > >Thanks for that. Fixed. > >At 02:27 03/09/2003, you wrote: > >Julian there is a small typo in the f-prot-autoupdate script that prevents > >logging status to /var/log/maillog. Here's the code segment where I added > >the open Syslog line right after alarm 0 ... > > > > > >if ($@) { > > if ($@ =~ /timeout/) { > > # We timed out! > > CleanTempDir(); > > &UnlockFProt(); > > alarm 0; > > } > >} else { > > alarm 0; > > Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail'); ****** > > Sys::Syslog::syslog('info', $updated?"F-Prot successfully updated.": > > "F-Prot did not need updating."); > >} > > > >-- > >Gerry > > > >"The lyfe so short, the craft so long to learne" Chaucer > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >-- >This message has been scanned for viruses and >dangerous content by Email Virus Scanner, and is >believed to be clean. > > >-- >This message has been scanned for viruses and >dangerous content by Email Virus Scanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -- This message has been scanned for viruses and dangerous content by Email Virus Scanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by Email Virus Scanner, and is believed to be clean. From raymond at PROLOCATION.NET Thu Sep 4 10:17:16 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5.2.0.9.2.20030904094612.074fd1a0@imap.ecs.soton.ac.uk> Message-ID: Hi! > But it may well be a completely different problem in your case. > > The thing is, it appears to have just started affecting people running > a) various different versions of MailScanner > b) on various different platforms > c) it was never a problem before some very recent change in circumstances Could be. > This really points to it being a problem outside of MailScanner, as > otherwise people would have surely noticed it before? The biggest changes > in circumstances recently are the arrival of some very virulent worms and > the death of osirusoft. If you are 100% sure you aren't ever checking I personally have a feeling its the format of some messages, perhaps some messages that are causing delays due to the way they are builded ? TNEF stuff ect ect. I can imagine a lot of things that direction. Even if i disable RBL and not run SA at all it seems to happen. I have it also on a server (new one) where SA isnt even installed. Or perhaps a virus, but still ... > From what you say, we are talking about at least 2 different problems, > yours and the one I have just seen. Maybe there are more than 2? Could be, but its a pain to live with. =) Bye, Raymond. From mailscanner at ecs.soton.ac.uk Thu Sep 4 10:18:59 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: References: <5.2.0.9.2.20030904094612.074fd1a0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904101820.075085e8@imap.ecs.soton.ac.uk> Without login access to somebody's machine which is *reliably* suffering from this problem, I'm a bit stuck. At 10:17 04/09/2003, you wrote: >Hi! > > > But it may well be a completely different problem in your case. > > > > The thing is, it appears to have just started affecting people running > > a) various different versions of MailScanner > > b) on various different platforms > > c) it was never a problem before some very recent change in circumstances > >Could be. > > > This really points to it being a problem outside of MailScanner, as > > otherwise people would have surely noticed it before? The biggest changes > > in circumstances recently are the arrival of some very virulent worms and > > the death of osirusoft. If you are 100% sure you aren't ever checking > >I personally have a feeling its the format of some messages, perhaps some >messages that are causing delays due to the way they are builded ? TNEF >stuff ect ect. I can imagine a lot of things that direction. Even if i >disable RBL and not run SA at all it seems to happen. I have it also on a >server (new one) where SA isnt even installed. > >Or perhaps a virus, but still ... > > > From what you say, we are talking about at least 2 different problems, > > yours and the one I have just seen. Maybe there are more than 2? > >Could be, but its a pain to live with. =) > >Bye, >Raymond. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Thu Sep 4 10:26:44 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5.2.0.9.2.20030904101820.075085e8@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> Without login access to somebody's machine which is *reliably* suffering
> from this problem, I'm a bit stuck.

If it was happening _right now_ I would -love- to give a login, but it
isn't.

One of the other people who is suffering from this wanting to give Julian
a login for looking into this ?

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Thu Sep 4 10:26:01 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
References: <5.2.0.9.2.20030904101820.075085e8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030904102320.0756b728@imap.ecs.soton.ac.uk>

One of the things you could do to track it is this:
In /usr/sbin/MailScanner, look for the "sub WorkForHours" and scatter

print STDERR "Got to point 1\n";

statements through it (obviously changing the number).
Then set "Debug = yes" and you should see this output. If it is pausing
horribly at some particular stage of processing a batch, then this should
show it up. Leave all the spam checks disabled if you can, these take quite
a long time anyway.

And check your /etc/sysconfig/i18n has no mention of "utf8" in it. That's
important.

At 10:26 04/09/2003, you wrote:
>Hi!
>
> > Without login access to somebody's machine which is *reliably* suffering
> > from this problem, I'm a bit stuck.
>
>If it was happening _right now_ I would -love- to give a login, but it
>isn't.
>
>One of the other people who is suffering from this wanting to give Julian
>a login for looking into this ?
>
>Bye,
>Raymond.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Sep 4 11:44:59 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: MailScanner+PostFix ---- try this In-Reply-To: <5.2.0.9.2.20030904091555.06503168@imap.ecs.soton.ac.uk> References: <20030903235122.346637f5.keith@midnighthax.com> <5.2.1.1.2.20030831111641.02730b38@imap.ecs.soton.ac.uk> <3F50C9F9.21E2DBAD@whidbey.com> <5C0296D26910694BB9A9BBFC577E7AB0015A77F7@pascal.priv.bmrb.co.uk> <1062245470.23305.36.camel@bach.kevinspicer.co.uk> <3F50C9F9.21E2DBAD@whidbey.com> <5.2.1.1.2.20030831111641.02730b38@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904114353.076b6a38@imap.ecs.soton.ac.uk> Here's a patch to Postfix.pm. I know it's not exactly a neat solution to the problem, but if it fixes it I will know I have found the problem. --- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 +++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 
@@ -1132,6 +1132,9 @@ #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; while(defined($file = shift @SortedFiles) && $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { + # Yes I know this is a hack but it will help isolate the problem + next if $ModDate{$file} > time-3; + # must separate next two lines or $1 gets re-tainted by being part of # same expression as $file [mumble mumble grrr mumble mumble] #print STDERR "Reading file $file from list\n"; At 09:18 04/09/2003, you wrote: >At 23:51 03/09/2003, you wrote: >>On Sun, 31 Aug 2003 11:19:35 +0100 >>Julian Field wrote: >> >> > I would advise you look at Exim instead. Due to the structure of >> > Postfix, MailScanner has to do a heck of a lot more i/o than it does >> > when working with sendmail or Exim, so it's not very efficient. The >> > body of every message has to be copied between queues, as opposed to >> > just linked and deleted as it does with sendmail and Exim. >> > >> > Postfix has a (deservedly) good reputation, it's just that its >> > internal design doesn't fit with MailScanner very well. >> >>Is it fair to say that the duplicate mail problem with Postfix is >>unlikely to be resolved in the near future? > >It's going to take a fair bit of analysis to find what's wrong, and I don't >have *any* free time at the moment, my day job >(http://www.ecs.soton.ac.uk/~jkf/myjob.html) is really hectic at the moment >as we get everything organised for the students' arrival in a few weeks time. > >Maybe some time in October I might have time. > >> Don't get me wrong, I'm not >>knocking either MS or Postfix, I just want to know! 
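Review bot: in the Postfix.pm hunk at line 1132, "next if $ModDate{$file} > time-3;" decides that a queue file is complete purely from a fixed three-second quiet period. A file whose writer stalls for longer than that is still picked up half-written, and a file whose modification time is ahead of the scanner's clock is skipped on every pass until the clock catches up. If the test does isolate the problem, replace the literal 3 with a named setting and decide completeness from the queue file itself rather than from its age. Please also confirm that %ModDate has an entry for every name in @SortedFiles, because an undefined value compares as 0 and that file is then processed immediately.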
I use Postfix on a >>number of installations and I think I'm faced with the choice of: >> >>a) migrating to, say, exim or >>b) putting up with the duplicate mails > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dot at DOTAT.AT Thu Sep 4 13:22:17 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:46 2006 Subject: Feature Wish, IP Pool Warning In-Reply-To: Message-ID: Matt wrote: >Sobig.x lies about its from email address so I have it setup as silent. But >what I would like is if it email me a warning to the postmaster account ONLY >if the source IP is in one the IP pools I own. This way I can look in my >PPP logs, see who had that IP at that time and drop them an email or call. Look at the "Send Notices" option in MailScanner.conf. It can be a ruleset, which can match on the IP address of the sending host. (I don't know if it works for silent viruses...) Tony. -- f.a.n.finch http://dotat.at/ DOVER WIGHT: EAST VEERING SOUTHEAST 3 OR 4. FAIR. GOOD.. From dot at DOTAT.AT Thu Sep 4 13:25:07 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:46 2006 Subject: MailScanner feature request In-Reply-To: Message-ID: "Rose, Bobby" wrote: >Is it possible to have MailScanner note the Sender IP in the logs for a >message that it finds a virus on. That'll make it easier to pull out >the people that are pounding the heck out of MailScanner so that the can >just just be blocked entirely. Try this patch which I posted recently, and add to MailScanner.conf Log Infected IP Addresses = yes --- SweepViruses.pm 4 Jul 2003 19:13:31 -0000 1.10 +++ SweepViruses.pm 26 Aug 2003 10:03:53 -0000 1.11 
@@ -508,6 +508,9 @@ next unless $text; $message->{virusreports}{"$attachment"} .= $text; } + MailScanner::Log::InfoLog("Infected message %s came from %s", + $id, $message->{clientip}) + if MailScanner::Config::Value('logipaddrs'); } # And then all the report types... --- ConfigDefs.pl 25 Jul 2003 10:09:00 -0000 1.13 +++ ConfigDefs.pl 26 Aug 2003 10:03:53 -0000 1.14 @@ -88,6 +88,7 @@ logfacility = syslogfacility logformtags = loghtmlformtags logobjecttags = logobjectcodebasetags +logipaddrs = loginfectedipaddresses maxdirtybytes = maxunsafebytesperscan maxdirtymessages = maxunsafemessagesperscan maxmessagesize = maximummessagesize @@ -145,6 +146,7 @@ logspam 1 no 0 yes 1 lognonspam 0 no 0 yes 1 logmessageids 0 no 0 yes 1 +logipaddrs 0 no 0 yes 1 expandtnef 1 no 0 yes 1 showscanner 0 no 0 yes 1 spamassassinautowhitelist 1 no 0 yes 1 Tony. -- f.a.n.finch http://dotat.at/ LUNDY: EASTERLY VEERING SOUTHERLY 3 OR 4. FAIR. GOOD. From dot at DOTAT.AT Thu Sep 4 13:33:03 2003 
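Review bot: the new InfoLog call in the SweepViruses.pm hunk passes $message->{clientip} straight to the %s format, so a message with no recorded client address is logged as "came from" followed by nothing and may raise an uninitialised-value warning. Substitute a placeholder such as "unknown" when clientip is empty, which also keeps the line parseable by log reports. The call sits after the closing brace of the block that appends to virusreports, so please confirm from the surrounding code that it is reached only for messages that actually had a report added.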
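Review bot: the two ConfigDefs.pl hunks register logipaddrs (external name loginfectedipaddresses, default 0) but the patch adds no matching entry to MailScanner.conf, so the option is documented only in the e-mail that carries the patch. Add a commented "Log Infected IP Addresses = no" entry to the shipped MailScanner.conf that says what is logged and at which log level, so administrators can find the setting and know what to expect in their logs.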
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:46 2006
Subject: virus update scripts.
In-Reply-To:
Message-ID:

Bob Jones wrote:
>Hey all, a couple things here. First is with the mcafee-autoupdate
>script in the latest release. What is this extra.dat file it tries to
>download and complains about when it's not there?

Sorry that was a cockup on my part -- some experimental code for getting
emergency dat files between a virus outbreak and a full dat file update
escaped. My current version of the script is below.

Tony.
--
f.a.n.finch http://dotat.at/
BISCAY: EASTERLY BECOMING CYCLONIC THEN WESTERLY 3 OR 4. THUNDERY SHOWERS.
MODERATE OR GOOD.

#!/bin/sh -e
#
# Update the McAfee data files.
#
# $Cambridge: hermes/build/bin/uvscan-update,v 1.38 2003/09/04 12:27:27 fanf2 Exp $

# $PREFIX is the directory where the uvscan binary is (NOT a symlink to
# the binary), which is where it looks for its dat files. You may run
# uvscan via a symlink to this place (e.g. from /usr/local/bin/uvscan)
# and it will still look for the dat files here. If uvscan's library
# dependencies can be found in a standard place (e.g. /usr/local/lib)
# then you don't need a wrapper script to set LD_LIBRARY_PATH before
# running it.
#
# The dat files are installed in a subdirectory of $DATDIR named
# according to their version number, with symlinks from $PREFIX into
# the subdirectory via a current link. The current link is updated
# without locking on the assumption that this is sufficiently unlikely
# to cause a problem.

# defaults
OPTS=""
PREFIX=/opt/uvscan
FTPDIR=http://download.nai.com/products/datfiles/4.x/nai/

# handle the command line
usage () {
    echo "usage: $0 [-dfrtv] [prefix]"
    echo " -d delete old files"
    echo " -f force update"
    echo " -r show README"
    echo " -t timestamp output"
    echo " -v verbose"
    echo " prefix uvscan installation directory"
    exit 1
}
case $# in
0|1|2) : ok
    ;;
*)  usage
    ;;
esac
for arg in "$@"
do
    case $arg in
    -*) OPTS=$arg
        ;;
    /*) PREFIX=$arg
        ;;
    *)  usage
        ;;
    esac
done
case $OPTS in
*[!-dfrtv]*)
    usage
esac
option () {
    case $OPTS in
    -*$1*) eval $2=yes
        ;;
    *)  eval $2=no
        ;;
    esac
}
option d DELETE
option f FORCE
option r README
option t TIME
option v VERBOSE
case $FORCE in
yes) VERBOSE=yes
esac

# set up paths
PATH=$PREFIX:/usr/local/bin:/usr/bin:/bin
export PATH
DATDIR=$PREFIX/datfiles
SUBDIR=datfiles/current
LINK=$PREFIX/$SUBDIR

# wrapper functions for echo etc.
timestamp () {
    case $TIME in
    yes) date "+%Y-%m-%d %H:%M:%S "
    esac
}
say () {
    case $VERBOSE in
    yes) echo "`timestamp`$*"
    esac
}
run () {
    say "> $*"
    "$@"
}
say Starting $0
say DELETE=$DELETE
say FORCE=$FORCE
say README=$README
say TIME=$TIME
say VERBOSE=$VERBOSE
say PREFIX=$PREFIX

if [ ! -h $LINK ]
then
    INIT=yes
    VERBOSE=yes
    say Initial setup of $0
    run mkdir -p $DATDIR
fi
run cd $DATDIR

# version number pattern
MATCH="[0-9][0-9][0-9][0-9]"

# work out latest dat version
CMD="wget --passive-ftp $FTPDIR/update.ini 2>update.err"
say "> $CMD"
if eval "$CMD"
then
    VERSION=`cat update.ini | sed "/^DATVersion=\($MATCH\).$/!d;s//\1/;q"`
else
    cat update.err
    VERSION=UNKNOWN
fi
run rm -f update.*

badversion () {
    VERBOSE=yes
    say "Failed to get McAfee datfile update from $FTPDIR"
    say "FTP version number \"$VERSION\" $*"
    run exit 1
}

# check the format of the version number
case $VERSION in
$MATCH) : ok
    ;;
*)  badversion does not match "$MATCH"
    ;;
esac

# already got it?
if [ -d $VERSION ]
then
    case $FORCE in
    yes) say Forced removal of $VERSION
        run rm -rf $VERSION
        ;;
    *)  say Already have $VERSION
        run exit 0
        ;;
    esac
fi

# work out installed dat version
PREVIOUS=`(ls -d $MATCH 2>/dev/null || echo 0000) | tail -1`

# check new version is actually newer
if [ $PREVIOUS -gt $VERSION ]
then
    badversion older than installed $PREVIOUS
fi

VERBOSE=yes

say Installed dat file is $PREVIOUS
say Latest dat file is $VERSION

# protect against failure
fail () {
    trap EXIT
    echo "$OUT"
    say Fetch or test failed -- removing bad McAfee data files
    run cd $DATDIR
    run rm -rf $VERSION
    run exit 1
}
trap fail EXIT

# fetch and extract dat files
TARFILE=dat-$VERSION.tar
run mkdir $VERSION
run cd $VERSION
run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE
run tar xvf $TARFILE

# verify the contents
CMD="uvscan --version --dat ."
say "> $CMD"
OUT=`$CMD 2>&1`
case "$OUT" in
*"Missing or invalid DAT"* | \
*"Data file not found"* | \
*"Removal datafile clean.dat not found"* | \
*"Unable to remove viruses"* )
    fail
esac

# protection not needed now
trap '' EXIT

echo "$OUT"
say Update OK

# show information on this update?
case $README in
yes) run sed 's/[[:cntrl:]]//g
    1,/^====================/d
    /^====================/,/^NEW VIRUSES DETECTED/d
    /^UNDERSTANDING VIRUS NAMES/,$d
    s/^/# /;/@MM/s/$/ <--/' readme.txt
esac

# remove some crap
run rm -f *.diz *.exe *.ini *.lst *.tar *.txt

# do remaining part of initial setup
case $INIT in
yes) for file in *.dat
    do
        run rm -f $PREFIX/$file
        run ln -s $SUBDIR/$file $PREFIX/$file
    done
esac

# update the current version link
run rm -f $LINK
run ln -s $VERSION $LINK

# maybe delete old dat files
case $DELETE in
yes) run cd $DATDIR
    run rm -rf $PREVIOUS
esac

say Completed OK
run exit 0

# done

From Janssen at RZ.UNI-FRANKFURT.DE Thu Sep 4 14:31:16 2003
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
References:
Message-ID:

On Wed, 3 Sep 2003, Raymond Dijkxhoorn wrote:

> Clear, most likely hard to find anyway.... there are several people with
> this problem, i guess you could have a look on one of the boxes :)

Hello Raymond,

you've already sent us the output of ps during a bad-performance event.
This ps-output has stated somewhat clearly that you are suffering more
or less severe disk IO problems:

from 108 processes were 23 in "D" state. In case these processes are
longer than a moment in "D" state this is (one part of) your problem.

In case these processes are just for short moment in "D" state, you've
got much too much of them anyway. I don't know how to debug/improve your
disk situation, but this seems to me of more need, than to debug MS ;-)

Is all this "MS performs badly" just a Sobig-F story? Take 20% more
Mails (and double Bytes) and the server went slow.

Michael

From raymond at PROLOCATION.NET Thu Sep 4 14:37:27 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
Message-ID:

Hi!

> you've already sent us the output of ps during a bad-performance event.
> This ps-output has stated somewhat clearly that you are suffering more
> or less severe disk IO problems:
>
> from 108 processes were 23 in "D" state. In case these processes are
> longer than a moment in "D" state this is (one part of) your problem.

Yes. But mainly caused by the 'loop'. The same amount of mails on the
other box don't have this problem. I surely want to take for granted its
IO, but i really wonder why its not on the other box also, taking the
exact same amount of mails and bytes. They are load balanced behind an
Alteon...

We also do log parsing, and when this is happening we also see MS scanning
more mails than come in (number of bytes) so MS is scanning some batches
over and over. Or perhaps i am missing something, but normally that
amount should be pretty equal.

> In case these processes are just for short moment in "D" state, you've
> got much too much of them anyway. I don't know how to debug/improve your
> disk situation, but this seems to me of more need, than to debug MS ;-)

Could be, but i still think its not only io related. Sure, io shows up bad
when this is happening, but perhaps this is only the result, not the
cause. And yes, when its going on its like a snowball.

> Is all this "MS performs badly" just a Sobig-F story? Take 20% more
> Mails (and double Bytes) and the server went slow.

We block Sobig on the MTA already, so no, its not Sobig, we reject
subjects...

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Thu Sep 4 14:45:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:46 2006
Subject: virus update scripts.
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030904144523.07700098@imap.ecs.soton.ac.uk>

When I ran your new version, I get this:

> uvscan --version --dat .
uvscan: error while loading shared libraries: liblnxfv.so.4: cannot open shared object file: No such file or directory
Fetch or test failed -- removing bad McAfee data files

At 13:33 04/09/2003, you wrote:
>Bob Jones wrote:
> >Hey all, a couple things here. First is with the mcafee-autoupdate
> >script in the latest release. What is this extra.dat file it tries to
> >download and complains about when it's not there?
>
>Sorry that was a cockup on my part -- some experimental code for getting
>emergency dat files between a virus outbreak and a full dat file update
>escaped. My current version of the script is below.
>
>Tony.
>--
>f.a.n.finch http://dotat.at/
>BISCAY: EASTERLY BECOMING CYCLONIC THEN WESTERLY 3 OR 4. THUNDERY SHOWERS.
>MODERATE OR GOOD.
>
>
>
>#!/bin/sh -e
>#
># Update the McAfee data files.
>#
># $Cambridge: hermes/build/bin/uvscan-update,v 1.38 2003/09/04 12:27:27
>fanf2 Exp $
>
># $PREFIX is the directory where the uvscan binary is (NOT a symlink to
># the binary), which is where it looks for its dat files. You may run
># uvscan via a symlink to this place (e.g. from /usr/local/bin/uvscan)
># and it will still look for the dat files here. If uvscan's library
># dependencies can be found in a standard place (e.g. /usr/local/lib)
># then you don't need a wrapper script to set LD_LIBRARY_PATH before
># running it.
>#
># The dat files are installed in a subdirectory of $DATDIR named
># according to their version number, with symlinks from $PREFIX into
># the subdirectory via a current link. The current link is updated
># without locking on the assumption that this is sufficiently unlikely
># to cause a problem.
> ># defaults >OPTS="" >PREFIX=/opt/uvscan >FTPDIR=http://download.nai.com/products/datfiles/4.x/nai/ > ># handle the command line >usage () { > echo "usage: $0 [-dfrtv] [prefix]" > echo " -d delete old files" > echo " -f force update" > echo " -r show README" > echo " -t timestamp output" > echo " -v verbose" > echo " prefix uvscan installation directory" > exit 1 >} >case $# in >0|1|2) : ok > ;; >*) usage > ;; >esac >for arg in "$@" >do > case $arg in > -*) OPTS=$arg > ;; > /*) PREFIX=$arg > ;; > *) usage > ;; > esac >done >case $OPTS in >*[!-dfrtv]*) > usage >esac >option () { > case $OPTS in > -*$1*) eval $2=yes > ;; > *) eval $2=no > ;; > esac >} >option d DELETE >option f FORCE >option r README >option t TIME >option v VERBOSE >case $FORCE in >yes) VERBOSE=yes >esac > ># set up paths >PATH=$PREFIX:/usr/local/bin:/usr/bin:/bin >export PATH >DATDIR=$PREFIX/datfiles >SUBDIR=datfiles/current >LINK=$PREFIX/$SUBDIR > ># wrapper functions for echo etc. >timestamp () { > case $TIME in > yes) date "+%Y-%m-%d %H:%M:%S " > esac >} >say () { > case $VERBOSE in > yes) echo "`timestamp`$*" > esac >} >run () { > say "> $*" > "$@" >} >say Starting $0 >say DELETE=$DELETE >say FORCE=$FORCE >say README=$README >say TIME=$TIME >say VERBOSE=$VERBOSE >say PREFIX=$PREFIX > >if [ ! 
-h $LINK ] >then > INIT=yes > VERBOSE=yes > say Initial setup of $0 > run mkdir -p $DATDIR >fi >run cd $DATDIR > ># version number pattern >MATCH="[0-9][0-9][0-9][0-9]" > ># work out latest dat version >CMD="wget --passive-ftp $FTPDIR/update.ini 2>update.err" >say "> $CMD" >if eval "$CMD" >then > VERSION=`cat update.ini | sed > "/^DATVersion=\($MATCH\).$/!d;s//\1/;q"` >else > cat update.err > VERSION=UNKNOWN >fi >run rm -f update.* > >badversion () { > VERBOSE=yes > say "Failed to get McAfee datfile update from $FTPDIR" > say "FTP version number \"$VERSION\" $*" > run exit 1 >} > ># check the format of the version number >case $VERSION in >$MATCH) : ok > ;; >*) badversion does not match "$MATCH" > ;; >esac > ># already got it? >if [ -d $VERSION ] >then > case $FORCE in > yes) say Forced removal of $VERSION > run rm -rf $VERSION > ;; > *) say Already have $VERSION > run exit 0 > ;; > esac >fi > ># work out installed dat version >PREVIOUS=`(ls -d $MATCH 2>/dev/null || echo 0000) | tail -1` > ># check new version is actually newer >if [ $PREVIOUS -gt $VERSION ] >then > badversion older than installed $PREVIOUS >fi > >VERBOSE=yes > >say Installed dat file is $PREVIOUS >say Latest dat file is $VERSION > ># protect against failure >fail () { > trap EXIT > echo "$OUT" > say Fetch or test failed -- removing bad McAfee data files > run cd $DATDIR > run rm -rf $VERSION > run exit 1 >} >trap fail EXIT > ># fetch and extract dat files >TARFILE=dat-$VERSION.tar >run mkdir $VERSION >run cd $VERSION >run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE >run tar xvf $TARFILE > ># verify the contents >CMD="uvscan --version --dat ." >say "> $CMD" >OUT=`$CMD 2>&1` >case "$OUT" in >*"Missing or invalid DAT"* | \ >*"Data file not found"* | \ >*"Removal datafile clean.dat not found"* | \ >*"Unable to remove viruses"* ) > fail >esac > ># protection not needed now >trap '' EXIT > >echo "$OUT" >say Update OK > ># show information on this update? 
>case $README in >yes) run sed 's/[[:cntrl:]]//g > 1,/^====================/d > /^====================/,/^NEW VIRUSES DETECTED/d > /^UNDERSTANDING VIRUS NAMES/,$d > s/^/# /;/@MM/s/$/ <--/' readme.txt >esac ># remove some crap >run rm -f *.diz *.exe *.ini *.lst *.tar *.txt > ># do remaining part of initial setup >case $INIT in >yes) for file in *.dat > do > run rm -f $PREFIX/$file > run ln -s $SUBDIR/$file $PREFIX/$file > done >esac > ># update the current version link >run rm -f $LINK >run ln -s $VERSION $LINK > ># maybe delete old dat files >case $DELETE in >yes) run cd $DATDIR > run rm -rf $PREVIOUS >esac > >say Completed OK >run exit 0 > ># done -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 14:40:39 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: MailScanner feature request In-Reply-To: References: Message-ID: <5.2.0.9.2.20030904144025.075d8980@imap.ecs.soton.ac.uk> If that does just what you are looking for, I'll add it into the main code. At 13:25 04/09/2003, you wrote: >"Rose, Bobby" wrote: > >Is it possible to have MailScanner note the Sender IP in the logs for a > >message that it finds a virus on. That'll make it easier to pull out > >the people that are pounding the heck out of MailScanner so that the can > >just just be blocked entirely. > >Try this patch which I posted recently, and add to MailScanner.conf > Log Infected IP Addresses = yes > >--- SweepViruses.pm 4 Jul 2003 19:13:31 -0000 1.10 >+++ SweepViruses.pm 26 Aug 2003 10:03:53 -0000 1.11 
>@@ -508,6 +508,9 @@ > next unless $text; > $message->{virusreports}{"$attachment"} .= $text; > } >+ MailScanner::Log::InfoLog("Infected message %s came from %s", >+ $id, $message->{clientip}) >+ if MailScanner::Config::Value('logipaddrs'); > } > > # And then all the report types... >--- ConfigDefs.pl 25 Jul 2003 10:09:00 -0000 1.13 >+++ ConfigDefs.pl 26 Aug 2003 10:03:53 -0000 1.14 >@@ -88,6 +88,7 @@ > logfacility = syslogfacility > logformtags = loghtmlformtags > logobjecttags = logobjectcodebasetags >+logipaddrs = loginfectedipaddresses > maxdirtybytes = maxunsafebytesperscan > maxdirtymessages = maxunsafemessagesperscan > maxmessagesize = maximummessagesize >@@ -145,6 +146,7 @@ > logspam 1 no 0 yes 1 > lognonspam 0 no 0 yes 1 > logmessageids 0 no 0 yes 1 >+logipaddrs 0 no 0 yes 1 > expandtnef 1 no 0 yes 1 > showscanner 0 no 0 yes 1 > spamassassinautowhitelist 1 no 0 yes 1 > > >Tony. >-- >f.a.n.finch http://dotat.at/ >LUNDY: EASTERLY VEERING SOUTHERLY 3 OR 4. FAIR. GOOD. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 14:54:39 2003 
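Review bot: In the ConfigDefs.pl hunks at -88 and -145, the internal name logipaddrs is broader than what the option does. The external keyword it maps to is loginfectedipaddresses, and the only caller logs addresses for infected messages, so a name such as loginfectedipaddrs would keep the two in step and leave room for other address-logging options later. The diff touches only SweepViruses.pm and ConfigDefs.pl, so the new "Log Infected IP Addresses" setting has no commented entry in MailScanner.conf; with a default of 0 (off at -145) an administrator has no way to discover it from the shipped configuration. Suggest adding the setting, with a one-line description, to MailScanner.conf in the same change.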
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk>

At 14:37 04/09/2003, you wrote:
>Hi!
>
> > you've already sent us the output of ps during a bad-performance event.
> > This ps-output has stated somewhat clearly that you are suffering more
> > or less severe disk IO problems:
> >
> > from 108 processes were 23 in "D" state. In case these processes are
> > longer than a moment in "D" state this is (one part of) your problem.
>
>Yes. But mainly caused by the 'loop'. The same amount of mails on the
>other box don't have this problem. I surely want to take for granted its
>IO, but i really wonder why its not on the other box also, taking the
>exact same amount of mails and bytes. They are load balanced behind an
>Alteon...
>
>We also do log parsing, and when this is happening we also see MS scanning
>more mails than come in (number of bytes) so MS is scanning some batches
>over and over. Or perhaps i am missing something, but normally that
>amount should be pretty equal.

Note the PIDs of the mailscanner processes and see if they keep changing.
You should have "Max Children+1" processes that keep the same PID for long
periods of time. If they keep changing, then you've got something that is
crashing MS. But that would also keep producing "Starting" messages.

What virus scanner are you using? Sophossavi by any chance?

> > In case these processes are just for short moment in "D" state, you've
> > got much too much of them anyway. I don't know how to debug/improve your
> > disk situation, but this seems to me of more need, than to debug MS ;-)
>
>Could be, but i still think its not only io related. Sure, io shows up bad
>when this is happening, but perhaps this is only the result, not the
>cause. And yes, when its going on its like a snowball.
>
> > Is all this "MS performs badly" just a Sobig-F story? Take 20% more
> > Mails (and double Bytes) and the server went slow.
>
>We block Sobig on the MTA already, so no, its not Sobig, we reject
>subjects...
>
>Bye,
>Raymond.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From David.While at UCE.AC.UK Thu Sep 4 15:03:33 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:46 2006
Subject: MailScanner feature request
Message-ID: <107DE25EC0216C45AEF670016024245F6F1B@exchangea.staff.uce.ac.uk>

Certainly does - I'm just testing out a new version of mailstats which
makes use of this to add the sending IP address to the access table.
Once I'm happy I'll release it so that you can protect against the
Sobig.F onslaught!

I think the initial release will simply use the same system as spam
emails although in a future release I will add separate configuration so
that the message in the access file is different for viruses as well as
allowing different times for the IP to stay blocked.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 04 September 2003 14:41 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner feature request If that does just what you are looking for, I'll add it into the main code. At 13:25 04/09/2003, you wrote: >"Rose, Bobby" wrote: > >Is it possible to have MailScanner note the Sender IP in the logs for a > >message that it finds a virus on. That'll make it easier to pull out > >the people that are pounding the heck out of MailScanner so that the can > >just just be blocked entirely. > >Try this patch which I posted recently, and add to MailScanner.conf > Log Infected IP Addresses = yes > >--- SweepViruses.pm 4 Jul 2003 19:13:31 -0000 1.10 >+++ SweepViruses.pm 26 Aug 2003 10:03:53 -0000 1.11 >@@ -508,6 +508,9 @@ > next unless $text; > $message->{virusreports}{"$attachment"} .= $text; > } >+ MailScanner::Log::InfoLog("Infected message %s came from %s", >+ $id, $message->{clientip}) >+ if MailScanner::Config::Value('logipaddrs'); > } > > # And then all the report types... >--- ConfigDefs.pl 25 Jul 2003 10:09:00 -0000 1.13 >+++ ConfigDefs.pl 26 Aug 2003 10:03:53 -0000 1.14 >@@ -88,6 +88,7 @@ > logfacility = syslogfacility > logformtags = loghtmlformtags > logobjecttags = logobjectcodebasetags >+logipaddrs = loginfectedipaddresses > maxdirtybytes = maxunsafebytesperscan > maxdirtymessages = maxunsafemessagesperscan > maxmessagesize = maximummessagesize >@@ -145,6 +146,7 @@ > logspam 1 no 0 yes 1 > lognonspam 0 no 0 yes 1 > logmessageids 0 no 0 yes 1 >+logipaddrs 0 no 0 yes 1 > expandtnef 1 no 0 yes 1 > showscanner 0 no 0 yes 1 > spamassassinautowhitelist 1 no 0 yes 1 > > >Tony. >-- >f.a.n.finch http://dotat.at/ >LUNDY: EASTERLY VEERING SOUTHERLY 3 OR 4. FAIR. GOOD. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Thu Sep 4 15:12:27 2003 
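The log-to-access-table step David While describes above, sketched as an added example; it is not mailstats or MailScanner code. It assumes syslog lines tagged `MailScanner[pid]:` carrying the patch's "Infected message %s came from %s" text, and a plain `REJECT` action in the sendmail access table; the function names, threshold, safe list and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: not MailScanner or mailstats code.
# infected_ip_rejects MIN "SAFE1 SAFE2 ..."
#   stdin : syslog text
#   stdout: one "IP<TAB>REJECT" line per address that sent at least MIN
#           distinct infected messages and is not in the safe list
#           (assumption: the safe list holds your own relays).
infected_ip_rejects () {
    awk -v min="${1:-3}" -v skip="${2:-127.0.0.1}" '
    BEGIN {
        n = split(skip, s, " ")
        for (i = 1; i <= n; i++) safe[s[i]] = 1
        key = "Infected message "
    }
    {
        pos = index($0, key)
        if (pos == 0) next
        # Trust only lines whose syslog tag is MailScanner[pid]; the same
        # words can appear inside data logged by other programs.
        if (substr($0, 1, pos - 1) !~ /MailScanner\[[0-9]+\]: $/) next
        # Expect exactly four words: <id> came from <ip>
        if (split(substr($0, pos + length(key)), f, " ") != 4) next
        if (f[2] != "came" || f[3] != "from") next
        id = f[1]; ip = f[4]
        # Strict dotted quad, each octet 0..255; drops empty or junk values.
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        split(ip, o, ".")
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
        # Count each message once, even if it was logged more than once.
        if ((id, ip) in seen) next
        seen[id, ip] = 1
        count[ip]++
    }
    END {
        for (ip in count)
            if (count[ip] >= min && !(ip in safe))
                printf "%s\tREJECT\n", ip
    }' | sort
}

# Constructed sample log (documentation address ranges, made-up queue ids).
sample_log () {
    cat <<'EOF'
Sep  4 15:45:36 mx1 MailScanner[1201]: Infected message h84EjaA01001 came from 198.51.100.23
Sep  4 15:45:36 mx1 MailScanner[1201]: Infected message h84EjaA01001 came from 198.51.100.23
Sep  4 15:46:02 mx1 MailScanner[1201]: Infected message h84Ek2A01002 came from 198.51.100.23
Sep  4 15:46:40 mx1 MailScanner[1202]: Infected message h84EkeA01003 came from 203.0.113.5
Sep  4 15:47:11 mx1 MailScanner[1202]: Infected message h84El1A01004 came from 192.0.2.10
Sep  4 15:47:12 mx1 MailScanner[1202]: Infected message h84El1A01005 came from 192.0.2.10
Sep  4 15:47:30 mx1 MailScanner[1203]: Infected message h84ElUA01006 came from
Sep  4 15:47:45 mx1 sendmail[1300]: h84ElkA01007: from=<Infected message x came from 203.0.113.5>
Sep  4 15:48:00 mx1 MailScanner[1203]: Infected message h84EmAA01008 came from 999.1.1.1
EOF
}

# Two or more infected messages, never listing loopback or our own relay.
sample_log | infected_ip_rejects 2 "127.0.0.1 192.0.2.10"
```

Review the output before merging it into the access table; a threshold above 1 and a safe list keep a single forwarded infection from a legitimate relay from turning into a block.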
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >We also do log parsing, and when this is happening we also see MS scanning
> >more mails than come in (number of bytes) so MS is scanning some batches
> >over and over. Or perhaps i am missing something, but normally that
> >amount should be pretty equal.
>
> Note the PIDs of the mailscanner processes and see if they keep changing.
> You should have "Max Children+1" processes that keep the same PID for long
> periods of time. If they keep changing, then you've got something that is
> crashing MS. But that would also keep producing "Starting" messages.
>
> What virus scanner are you using? Sophossavi by any chance?

I'll have a look on that if its happening again. From what i saw it was a
few that remained stable, and a couple kept restarting with a new pid.

I am running with f-prot, and upgraded to the new one last night, perhaps
that helped, we'll see. I'll post as soon as i find something new.

Bye,
Raymond

From dot at DOTAT.AT Thu Sep 4 15:13:52 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:46 2006
Subject: virus update scripts.
In-Reply-To:
References:
Message-ID:

Julian Field wrote:
>
>When I ran your new version, I get this:
> > uvscan --version --dat .
>uvscan: error while loading shared libraries: liblnxfv.so.4: cannot open
>shared object file: No such file or directory
>Fetch or test failed -- removing bad McAfee data files

That's a problem with your McAfee installation -- I assume that the
virus scanner library can be found by ld.so, e.g. via a symlink in
/usr/local/lib or LD_LIBRARY_PATH in your environment or appropriate
ldconfig fu.

Tony.
--
f.a.n.finch http://dotat.at/
CAPE WRATH TO RATTRAY HEAD INCLUDING ORKNEY: SOUTH 3 OR 4, OCCASIONALLY 5.
MAINLY FAIR. MAINLY GOOD. SLIGHT IN THE SOUTHEAST, MODERATE IN THE NORTHWEST.

From rabollinger at COMCAST.NET Thu Sep 4 15:50:54 2003
From: rabollinger at COMCAST.NET (Richard Bollinger)
Date: Thu Jan 12 21:19:46 2006
Subject: MailScanner feature request
References: <5.2.0.9.2.20030904144025.075d8980@imap.ecs.soton.ac.uk>
Message-ID: <01d101c372f3$f1d6a020$8b030180@elliottturbo.com>

Ideally, the same line would include a list of the sins committed by that
email, similar to the nice summary you get from Spam Assassin with
"Log Spam = yes". In fact, it'd be nice to mimic that format as well.

Something along the lines of:

Message h84ETLA12220 from 205.169.164.67 (a@b.com) to c.com is infected, McAfee (W32/Sobig.f@MM)

Given that, I'd happily eliminate all of the other messages logged
regarding the virus scanning process except while debugging.

----- Original Message -----
From: "Julian Field" To: Sent: Thursday, September 04, 2003 9:40 AM Subject: Re: MailScanner feature request > If that does just what you are looking for, I'll add it into the main code. > > At 13:25 04/09/2003, you wrote: > >"Rose, Bobby" wrote: > > >Is it possible to have MailScanner note the Sender IP in the logs for a > > >message that it finds a virus on. That'll make it easier to pull out > > >the people that are pounding the heck out of MailScanner so that the can > > >just just be blocked entirely. > > > >Try this patch which I posted recently, and add to MailScanner.conf > > Log Infected IP Addresses = yes > > > >--- SweepViruses.pm 4 Jul 2003 19:13:31 -0000 1.10 > >+++ SweepViruses.pm 26 Aug 2003 10:03:53 -0000 1.11 > >@@ -508,6 +508,9 @@ > > next unless $text; > > $message->{virusreports}{"$attachment"} .= $text; > > } > >+ MailScanner::Log::InfoLog("Infected message %s came from %s", > >+ $id, $message->{clientip}) > >+ if MailScanner::Config::Value('logipaddrs'); > > } > > > > # And then all the report types... > >--- ConfigDefs.pl 25 Jul 2003 10:09:00 -0000 1.13 > >+++ ConfigDefs.pl 26 Aug 2003 10:03:53 -0000 1.14 > >@@ -88,6 +88,7 @@ > > logfacility = syslogfacility > > logformtags = loghtmlformtags > > logobjecttags = logobjectcodebasetags > >+logipaddrs = loginfectedipaddresses > > maxdirtybytes = maxunsafebytesperscan > > maxdirtymessages = maxunsafemessagesperscan > > maxmessagesize = maximummessagesize > >@@ -145,6 +146,7 @@ > > logspam 1 no 0 yes 1 > > lognonspam 0 no 0 yes 1 > > logmessageids 0 no 0 yes 1 > >+logipaddrs 0 no 0 yes 1 > > expandtnef 1 no 0 yes 1 > > showscanner 0 no 0 yes 1 > > spamassassinautowhitelist 1 no 0 yes 1 > > > > > >Tony. > >-- > >f.a.n.finch http://dotat.at/ > >LUNDY: EASTERLY VEERING SOUTHERLY 3 OR 4. FAIR. GOOD. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 15:45:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:46 2006
Subject: MailScanner feature request
In-Reply-To: <107DE25EC0216C45AEF670016024245F6F1B@exchangea.staff.uce.ac.uk>
Message-ID: <5.2.0.9.2.20030904154446.076009b8@imap.ecs.soton.ac.uk>

Added.

I haven't added a new config option for it though, I'm just logging it
anyway. It didn't seem worth the overhead of doing a config variable check
for every report in every message.

At 15:03 04/09/2003, you wrote:
>Certainly does - I'm just testing out a new version of mailstats which
>makes use of this to add the sending IP address to the access table.
>Once I'm happy I'll release it so that you can protect against the
>Sobig.F onslaught!
>
>I think the initial release will simply use the same system as spam
>emails although in a future release I will add separate configuration so
>that the message in the access file is different for viruses as well as
>allowing different times for the IP to stay blocked.
>-----------------------------------------------------------------
>David While
>Technical Development Manager
>Faculty of Computing, Information & English
>University of Central England
>Tel: 0121 331 6211
>-----------------------------------------------------------------
>
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 04 September 2003 14:41 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner feature request > > >If that does just what you are looking for, I'll add it into the main >code. > >At 13:25 04/09/2003, you wrote: > >"Rose, Bobby" wrote: > > >Is it possible to have MailScanner note the Sender IP in the logs for >a > > >message that it finds a virus on. That'll make it easier to pull out > > >the people that are pounding the heck out of MailScanner so that the >can > > >just just be blocked entirely. > > > >Try this patch which I posted recently, and add to MailScanner.conf > > Log Infected IP Addresses = yes > > > >--- SweepViruses.pm 4 Jul 2003 19:13:31 -0000 1.10 > >+++ SweepViruses.pm 26 Aug 2003 10:03:53 -0000 1.11 > >@@ -508,6 +508,9 @@ > > next unless $text; > > $message->{virusreports}{"$attachment"} .= $text; > > } > >+ MailScanner::Log::InfoLog("Infected message %s came from %s", > >+ $id, $message->{clientip}) > >+ if MailScanner::Config::Value('logipaddrs'); > > } > > > > # And then all the report types... > >--- ConfigDefs.pl 25 Jul 2003 10:09:00 -0000 1.13 > >+++ ConfigDefs.pl 26 Aug 2003 10:03:53 -0000 1.14 > >@@ -88,6 +88,7 @@ > > logfacility = syslogfacility > > logformtags = loghtmlformtags > > logobjecttags = logobjectcodebasetags > >+logipaddrs = loginfectedipaddresses > > maxdirtybytes = maxunsafebytesperscan > > maxdirtymessages = maxunsafemessagesperscan > > maxmessagesize = maximummessagesize 
> >@@ -145,6 +146,7 @@ > > logspam 1 no 0 yes 1 > > lognonspam 0 no 0 yes 1 > > logmessageids 0 no 0 yes 1 > >+logipaddrs 0 no 0 yes 1 > > expandtnef 1 no 0 yes 1 > > showscanner 0 no 0 yes 1 > > spamassassinautowhitelist 1 no 0 yes 1 > > > > > >Tony. > >-- > >f.a.n.finch http://dotat.at/ > >LUNDY: EASTERLY VEERING SOUTHERLY 3 OR 4. FAIR. GOOD. > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 15:39:58 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: virus update scripts. In-Reply-To: References: Message-ID: <5.2.0.9.2.20030904153853.0406a068@imap.ecs.soton.ac.uk> At 15:13 04/09/2003, you wrote: >Julian Field wrote: > > > >When I ran your new version, I get this: > > > uvscan --version --dat . > >uvscan: error while loading shared libraries: liblnxfv.so.4: cannot open > >shared object file: No such file or directory > >Fetch or test failed -- removing bad McAfee data files > >That's a problem with your McAfee installation -- I assume that the >virus scanner library can be found by ld.so, e.g. via a symlink in >/usr/local/lib or LD_LIBRARY_PATH in your environment or appropriate >ldconfig fu. But mcafee-wrapper doesn't require any of that, so people won't have done it to get MailScanner working. Any chance you could use mcafee-wrapper in your script rather than call uvscan directly please? Then it's a more real test that MailScanner can drive uvscan with the new files. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jase at SENSIS.COM Thu Sep 4 15:43:10 2003 
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
Message-ID:

Not sure if this will help or not, but I have noticed MailScanner on my
backup/test server hanging. An strace of the process showed nothing. But
ls -l /proc//fd/ showed that it had some of the SpamAssassin bayes
database files opened. This is running MailScanner version 4.22-5 and
SpamAssassin version 2.54. The strange thing is that MailScanner had been
hung for over a day! I would have thought that MailScanner would have
timed out SpamAssassin by then. Killing MailScanner and restarting would
fix the problem for a while, then it would happen again.

I know that some people who are having this problem are not using
SpamAssassin, but perhaps there is a problem in the time out code for
SpamAssassin or Virus Checking?

I'm not complaining. My main MailScanner server is working, and I set
"use_bayes 0" on my backup, and that seemed to clear its problem. The
backup is a 233 MHz with 128 Mb of ram, and has other functions besides
scanning email, so it is taxed when MailScanner scans email.

Anyways, maybe this helps - if not, just ignore.

Jason

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Thursday, September 04, 2003 5:26 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Mail Not Routing, stuck in
> /var/spool/mqueue.in
>
>
> One of the things you could do to track it is this:
>
> In /usr/sbin/MailScanner, look for the "sub WorkForHours" and scatter
> print STDERR "Got to point 1\n";
> statements through it (obviously changing the number). Then
> set "Debug =
> yes" and you should see this output. If it is pausing horribly at some
> particular stage of processing a batch, then this should show
> it up. Leave
> all the spam checks disabled if you can, these take quite a
> long time anyway.
>
> And check your /etc/sysconfig/i18n has no mention of "utf8"
> in it. That's
> important.
>
> At 10:26 04/09/2003, you wrote:
> >Hi!
> >
> > > Without login access to somebody's machine which is
> *reliably* suffering
> > > from this problem, I'm a bit stuck.
> >
> >If it was happening _right now_ i would -love- to give a
> login, but it
> >isnt.
> >
> >One of the other people who is suffering from this wanting
> to give Julian
> >a login for looking into this ?
> >
> >Bye,
> >Raymond.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From brose at MED.WAYNE.EDU Thu Sep 4 16:00:45 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:46 2006
Subject: Mailscanner and SpamChecks
Message-ID:

Also, in light of the ongoing mass-mailing viruses, wouldn't it be better
if the virus and content checks ran before the spam checks so that the
spam check routines have less messages to look at? Doesn't make sense to
spam check messages with a banned attachment types or virus if they're to
be dropped or quarantined later.

-----Original Message-----
From: Rose, Bobby Sent: Wednesday, September 03, 2003 7:00 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mailscanner and SpamChecks Another question, I noticed that even if Spam Checks is off, the logs still say spam checks. I know that that comes from the log spam option, but the MS processes are still running thru the spam check subroutines in MessageBatch. Granted it's really not doing the checks, I was still wondering why it just doesn't skip the spam/ham routines altogether and go straight to virus checking when spam checks is off. We had routing issues today and got dumped on when it came back up so I've been staring at queues and logs all day. I'd turned off the spam checks to clear the queues faster and it just couldn't go fast enough for me. ;-) From s.kelly at ayrcoll.ac.uk Thu Sep 4 16:10:41 2003 
From: s.kelly at ayrcoll.ac.uk (Shane Kelly) Date: Thu Jan 12 21:19:46 2006 Subject: Spam Action "Forward" doesn't work In-Reply-To: References: Message-ID: <200309041610.42011.s.kelly@ayrcoll.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Using MailScanner 4.22-5, sendmail 8-12-7 (patched) on SuSE 8.2 pro with SA 2.55 On Thursday 04 September 2003 6:28 am, Zdenek Fajfr wrote: > Well, the thing is that I don't want to deliver spam to users any more; I > just want to be able to check the spam occasionally for false positives. So > thought I could pick up the spam, deliver it to one common e-mail address > (me) passing it through a filtering rule in Outlook to separate it from > ordinary mail and storing it in folder called 'SPAM'. > > I wonder way the log records say > > Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316 > actions are bounce,store,forward,postmaster@krnap.cz > > !?!?!? > > One would expect there ....forward postmaster@krnap.cz (e.g. without the > comma) or forward(postmaster@krnap.cz) or maybe forward > "postmaster@krnap.cz". > I tried to enclose the email address in (double) quotes - no success > either. > > I'm running out of ideas I turned on forwarding for SPAM to check if it was working here, and I have had SPAM for other users forwarded to me. The only thing I did was to add the keyword forward and my email address to the end of the SPAM actions list which already contained attachment deliver. Hope this helps someone. Regards, Shane > - -- Shane Kelly Network Infrastructure Manager 01292 293577 (Direct line) Actual Newspaper Headlines: Killer Sentenced to Die for Second Time in 10 Years -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) iD8DBQE/V1Xx/thVM7mR0ZYRAqSCAJ4jJmww8WywBYqx3oOEHTyuEBPdsACgkgmJ CdKaRWiXdjvN87eJ7zd100k= =n3MJ -----END PGP SIGNATURE----- From anders.andersson at LTKALMAR.SE Thu Sep 4 16:22:14 2003 
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:46 2006
Subject: SV: virus update scripts.
Message-ID:

> -----Original message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>
> >Julian Field wrote:
> > >
> > >When I ran your new version, I get this:
> > > uvscan --version --dat .
> > >uvscan: error while loading shared libraries: liblnxfv.so.4: cannot
> > >open shared object file: No such file or directory Fetch or test
> > >failed -- removing bad McAfee data files
> >
> >That's a problem with your McAfee installation -- I assume that the
> >virus scanner library can be found by ld.so, e.g. via a symlink in
> >/usr/local/lib or LD_LIBRARY_PATH in your environment or appropriate
> >ldconfig fu.
>
> But mcafee-wrapper doesn't require any of that, so people
> won't have done it to get MailScanner working. Any chance you
> could use mcafee-wrapper in your script rather than call
> uvscan directly please? Then it's a more real test that
> MailScanner can drive uvscan with the new files.

Oh, you mean you don't need the lib files to use mcafee with mailscanner. I always just assumed you need them, hmmm, but I will keep them so I can do an uvscan --version to make sure it's up2date.

I learn new things all day.... why the hell can't I learn perl then *sniff* :)

> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From christo at IT4AFRICA.CO.ZA Thu Sep 4 16:21:49 2003
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:19:46 2006
Subject: Strange Problem Mail dissapear
Message-ID: <017301c372f8$44780cc0$660210ac@christo>

Since I upgraded to the latest MS, strange things happen on my mail server. Mail is sent from my smaller mail server and according to it the mail is sent successfully. But I get no trace of that mail on my server. I looked in the log and nothing there. All worked fine until yesterday when I updated MS. Any suggestions?

Christo Bezuidenhout

From randyf at SIBERNET.COM Thu Sep 4 16:35:20 2003
From: randyf at SIBERNET.COM (Randy Fishel) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk> Message-ID: On Thu, 4 Sep 2003, Julian Field wrote: > > What virus scanner are you using? Sophossavi by any chance? > This statement concerns me (as it might to other Sophossavi users). Is there something that you might want to share? ---- Randy From mailscanner at ecs.soton.ac.uk Thu Sep 4 16:45:06 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: Message-ID: <5.2.0.9.2.20030904163814.04dc7a58@imap.ecs.soton.ac.uk> I have just seen one of my servers hang, due to the Bayes database getting corrupt. If I set "Debug = yes" and "Debug SpamAssassin = yes" then it printed millions of error messages about a "partial write (number of 665)". Presumably there was supposed to be a number before "of", which is supposed to increment but doesn't. I switched off Bayes (use_bayes 0) to work around the problem. What's the chance there are some messages out there which are capable of causing Bayes corruption due to them containing strange characters/strings? Has anyone suffered this problem who is using SA 2.60rc3? At 15:43 04/09/2003, you wrote: >Not sure if this will help or not, but I have noticed MailScanner on my >backup/test server hanging. An strace of the process showed nothing. But >ls -l /proc//fd/ showed that it had some of the SpamAssassin bayes >database files opened. This is running MailScanner version 4.22-5 and >SpamAssassin version 2.54. > >The strange thing is that MailScanner had been hung for over a day! I would >have thought that MailScanner would have timed out SpamAssassin by then. >Killing MailScanner and restarting would fix the problem for a while, then >it would happen again. I know that some people who are having this problem >are not using SpamAssassin, but perhaps there is a problem in the time out >code for SpamAssassin or Virus Checking? > >I'm not complaining. My main MailScanner server is working, and I set >"use_bayes 0" on my backup, and that seemed to clear its problem. The >backup is a 233 MHz with 128 Mb of ram, and has other functions besides >scanning email, so it is taxed when MailScanner scans email. > >Anyways, maybe this helps - if not, just ignore. > >Jason > > > -----Original Message----- 
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Thursday, September 04, 2003 5:26 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: [MAILSCANNER] Mail Not Routing, stuck in > > /var/spool/mqueue.in > > > > > > One of the things you could do to track it is this: > > > > In /usr/sbin/MailScanner, look for the "sub WorkForHours" and scatter > > print STDERR "Got to point 1\n"; > > statements through it (obviously changing the number). Then > > set "Debug = > > yes" and you should see this output. If it is pausing horribly at some > > particular stage of processing a batch, then this should show > > it up. Leave > > all the spam checks disabled if you can, these take quite a > > long time anyway. > > > > And check your /etc/sysconfig/i18n has no mention of "utf8" > > in it. That's > > important. > > > > At 10:26 04/09/2003, you wrote: > > >Hi! > > > > > > > Without login access to somebody's machine which is > > *reliably* suffering > > > > from this problem, I'm a bit stuck. > > > > > >If it was happening _right now_ i would -love- to give a > > login, but it > > >isnt. > > > > > >One of the other people who is suffering from this wanting > > to give Julian > > >a login for looking into this ? > > > > > >Bye, > > >Raymond. > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 16:47:49 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Spam Action "Forward" doesn't work In-Reply-To: <200309041610.42011.s.kelly@ayrcoll.ac.uk> References: Message-ID: <5.2.0.9.2.20030904164659.04273108@imap.ecs.soton.ac.uk> At 16:10 04/09/2003, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Hi, > Using MailScanner 4.22-5, sendmail 8-12-7 (patched) on SuSE 8.2 pro > with SA 2.55 > >On Thursday 04 September 2003 6:28 am, Zdenek Fajfr wrote: > > Well, the thing is that I don't want to deliver spam to users any more; I > > just want to be able to check the spam occasionally for false positives. So > > thought I could pick up the spam, deliver it to one common e-mail address > > (me) passing it through a filtering rule in Outlook to separate it from > > ordinary mail and storing it in folder called 'SPAM'. > > > > I wonder way the log records say > > > > Sep 3 14:46:52 ns MailScanner[18921]: Spam Actions: message h83CkgIb019316 > > actions are bounce,store,forward,postmaster@krnap.cz > > > > !?!?!? > > > > One would expect there ....forward postmaster@krnap.cz (e.g. without the > > comma) or forward(postmaster@krnap.cz) or maybe forward > > "postmaster@krnap.cz". > > I tried to enclose the email address in (double) quotes - no success > > either. > > > > I'm running out of ideas > >I turned on forwarding for SPAM to check if it was working here, and I have >had SPAM for other users forwarded to me. The only thing I did was to add the >keyword forward and my email address to the end of the SPAM actions list >which already contained attachment deliver. >The log entry "bounce,store,forward,postmaster@krnap.cz" is correct, >there's nothing wrong with that. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dot at DOTAT.AT Thu Sep 4 16:54:18 2003 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:46 2006 Subject: virus update scripts. In-Reply-To: References: Message-ID: Julian Field wrote: >At 15:13 04/09/2003, you wrote: >> >>That's a problem with your McAfee installation -- I assume that the >>virus scanner library can be found by ld.so > >But mcafee-wrapper doesn't require any of that, so people won't have done >it to get MailScanner working. >Any chance you could use mcafee-wrapper in your script rather than call >uvscan directly please? >Then it's a more real test that MailScanner can drive uvscan with the new >files. Unfortunately the wrapper script explicitly specifies the active dat file directory, so it's incompatible with my update script because that specifies a different dat file directory. I can add a couple of lines to set LD_LIBRARY_PATH, but I believe that's the wrong fix because properly installed programs should be runnable from a normal environment. It also fails to deal with things like the Red Hat 9 incompatibility, as does the standard wrapper. (My MailScanner setup runs uvscan directly, and this kind of problem is fixed by my uvscan package.) Tony. -- f.a.n.finch http://dotat.at/ LUNDY: EASTERLY VEERING SOUTHERLY 3 OR 4. FAIR. GOOD. From dot at DOTAT.AT Thu Sep 4 16:56:29 2003 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:46 2006 Subject: MailScanner feature request In-Reply-To: Message-ID: Julian Field wrote: >Added. >I haven't add a new config option for it though, I'm just logging it >anyway. It didn't seem worth the overhead of doing a config variable check >for every report in every message. Ah, that's a shame. Part of the reason I made it configurable was so that I could tell MailScanner to only log about infected machines on our network, to make it easier to get information for our CERT team. Tony. -- f.a.n.finch http://dotat.at/ ARDNAMURCHAN POINT TO CAPE WRATH INCLUDING THE OUTER HEBRIDES: SOUTH TO SOUTHWEST 5 OR 6 GRADUALLY DECREASING 3 OR 4 LOCALLY 5. RAIN SOON SPREADING FROM THE WEST, PERHAPS HEAVY AT TIMES. GOOD DECREASING MODERATE OR GOOD. MODERATE OR ROUGH. From Kevin at MICA.NET Thu Sep 4 17:08:41 2003 
From: Kevin at MICA.NET (Kevin Hanser)
Date: Thu Jan 12 21:19:46 2006
Subject: different actions for different domains?
Message-ID: <8B699873CEBA3543926B467E76808232034839@sol.hq.mica.net>

We have a linux box set up as a spam/virus relay server that is relaying mail for multiple domains. Currently, I have it configured to simply mark spam and then deliver the messages, since that's how I like it. I personally have a problem with a machine making a decision about what mail I should and shouldn't get, since no program is 100% perfect and I don't want to lose any real mail. However, we are considering relaying more domains thru this box for some other customers, and some of them would rather not ever see the spam, and have it just stopped @ the server (apparently they're not concerned about losing real mail, since we've explained that to them and they didn't seem to think it was an issue..).

So anyway, what I'm wondering is if it is possible with MailScanner / Spamassassin to have MailScanner perform different actions depending on what domain the mail is intended for. From what I gather from the config file, it looks like you just have one config file, which affects any mail that runs thru the MailScanner on that machine. Am I correct in this thinking, or is it possible to have different configs for different domains?

thx

k

From mailscanner at ecs.soton.ac.uk Thu Sep 4 16:49:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: References: <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030904164835.042c6348@imap.ecs.soton.ac.uk> At 16:35 04/09/2003, you wrote: >On Thu, 4 Sep 2003, Julian Field wrote: > > > > > What virus scanner are you using? Sophossavi by any chance? > > > > This statement concerns me (as it might to other Sophossavi users). Is >there something that you might want to share? Try switching to sophos instead of sophossavi, just to see if that's where the problem lies. Do you get any log entries about reinitialising (or just initialising) the savi library? You should get one when MS starts up a child process, and possibly 1 when a sophos-autoupdate happens. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From randyf at SIBERNET.COM Thu Sep 4 17:23:58 2003 
From: randyf at SIBERNET.COM (Randy Fishel)
Date: Thu Jan 12 21:19:46 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in
In-Reply-To: <5.2.0.9.2.20030904164835.042c6348@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030904145144.07705cd0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030904164835.042c6348@imap.ecs.soton.ac.uk>
Message-ID:

I have been using Sophossavi since I upgraded to MS4, and haven't noticed any discrete problems. However, in the last week I have seen a significant drop in virus notifications on one of the servers I maintain. Could be that this domain has been well protected such that its users aren't infected, and that other users that have these users in their address books have been well protected. Could also be because we are not catching all the viruses (though I would expect that someone inside would have either been infected, or would have found an attempted infection).

So my question is more on the line of if I should be concerned that the Sophossavi implementation, though faster, might not protect as well (and I would much prefer slower and secure over faster and not)? Is there something I could turn on to make sure that things are functioning correctly?

---- Randy

On Thu, 4 Sep 2003, Julian Field wrote:
> At 16:35 04/09/2003, you wrote:
> >On Thu, 4 Sep 2003, Julian Field wrote:
> > >
> > > What virus scanner are you using? Sophossavi by any chance?
> > >
> >
> > This statement concerns me (as it might to other Sophossavi users). Is
> >there something that you might want to share?
>
> Try switching to sophos instead of sophossavi, just to see if that's where
> the problem lies. Do you get any log entries about reinitialising (or just
> initialising) the savi library? You should get one when MS starts up a
> child process, and possibly 1 when a sophos-autoupdate happens.
> > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From jase at SENSIS.COM Thu Sep 4 17:38:49 2003 
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in Message-ID: For me, it would not surprise me if the bayes database was corrupt. I've used that box for many different tests. I can wipe out the database. But shouldn't MailScanner time out SpamAssassin if it takes too long? I have SpamAssassin Timeout = 70 Max SpamAssassin Timeouts = 20 but MailScanner was hanging for hours. Jason > I have just seen one of my servers hang, due to the Bayes > database getting > corrupt. If I set "Debug = yes" and "Debug SpamAssassin = yes" then it > printed millions of error messages about a "partial write (number of > 665)". Presumably there was supposed to be a number before > "of", which is > supposed to increment but doesn't. I switched off Bayes > (use_bayes 0) to > work around the problem. > > What's the chance there are some messages out there which are > capable of > causing Bayes corruption due to them containing strange > characters/strings? > Has anyone suffered this problem who is using SA 2.60rc3? > > At 15:43 04/09/2003, you wrote: > >Not sure if this will help or not, but I have noticed > MailScanner on my > >backup/test server hanging. An strace of the process showed > nothing. But > >ls -l /proc//fd/ showed that it had some of the > SpamAssassin bayes > >database files opened. This is running MailScanner version > 4.22-5 and > >SpamAssassin version 2.54. > > > >The strange thing is that MailScanner had been hung for over > a day! I would > >have thought that MailScanner would have timed out > SpamAssassin by then. > >Killing MailScanner and restarting would fix the problem for > a while, then > >it would happen again. I know that some people who are > having this problem > >are not using SpamAssassin, but perhaps there is a problem > in the time out > >code for SpamAssassin or Virus Checking? > > > >I'm not complaining. 
My main MailScanner server is working, > and I set > >"use_bayes 0" on my backup, and that seemed to clear its > problem. The > >backup is a 233 MHz with 128 Mb of ram, and has other > functions besides > >scanning email, so it is taxed when MailScanner scans email. > > > >Anyways, maybe this helps - if not, just ignore. > > > >Jason > > > > > -----Original Message----- 
> > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > Sent: Thursday, September 04, 2003 5:26 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: [MAILSCANNER] Mail Not Routing, stuck in > > > /var/spool/mqueue.in > > > > > > > > > One of the things you could do to track it is this: > > > > > > In /usr/sbin/MailScanner, look for the "sub WorkForHours" > and scatter > > > print STDERR "Got to point 1\n"; > > > statements through it (obviously changing the number). Then > > > set "Debug = > > > yes" and you should see this output. If it is pausing > horribly at some > > > particular stage of processing a batch, then this should show > > > it up. Leave > > > all the spam checks disabled if you can, these take quite a > > > long time anyway. > > > > > > And check your /etc/sysconfig/i18n has no mention of "utf8" > > > in it. That's > > > important. > > > > > > At 10:26 04/09/2003, you wrote: > > > >Hi! > > > > > > > > > Without login access to somebody's machine which is > > > *reliably* suffering > > > > > from this problem, I'm a bit stuck. > > > > > > > >If it was happening _right now_ i would -love- to give a > > > login, but it > > > >isnt. > > > > > > > >One of the other people who is suffering from this wanting > > > to give Julian > > > >a login for looking into this ? > > > > > > > >Bye, > > > >Raymond. > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From mailscanner at LISTS.COM.AR Thu Sep 4 17:43:06 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:46 2006
Subject: File Command
Message-ID: <3F57416A.20941.1DC53159@localhost>

Hi people,

a quick one: in the default MailScanner.conf (from the tar 4.23-11 distro) I have the following:

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command = #/usr/bin/file

Now, that "#" just before /usr/bin/file, does it imply the command is commented out and won't be executed? or is it required?

I can't figure this out just by browsing the code and as I haven't finished configuration, I hoped someone answered before I try it out.

TIA

--
Mariano Absatz
El Baby
----------------------------------------------------------
Don't worry about the world coming to an end today. It's already tomorrow in Australia. -- Charles Schulz

From sbreen at CSPOTMAIL.COM Thu Sep 4 17:48:06 2003
From: sbreen at CSPOTMAIL.COM (Stephen Breen)
Date: Thu Jan 12 21:19:46 2006
Subject: Server dies with 100% RAM and swap file use.
Message-ID: <3F576CC6.7030103@cspotmail.com>

I'm running MailScanner from an RPM install on Red Hat 7.1 on an 800MHz Pentium 3 with 256MB ram and a 256MB swap. The server will run for 24 hours then die. The problem only started after installing MailScanner. I have mailscanner configured not to stop spam and with 3 child procs running, MailScanner v 4.23-11 RPM install. I have been using ClamAV for virus scanning. Any ideas why MailScanner seems to be dying? I set the auto restart config value to 10480 seconds also.

--
Stephen Breen
c:Spot InterWorks

From jase at SENSIS.COM Thu Sep 4 18:08:41 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:19:46 2006
Subject: MailScanner delivering attachments that it shouldn't?
Message-ID:

On Tuesday, I had a user get the Gibe virus. McAfee and ClamAV both caught the virus, and both the Filename and Filetype checks caught the attachment too. But it appears that since McAfee was able to clean the attachment, the cleaned version was delivered. I do have "Deliver Cleaned Messages = yes" for the user who got the virus, but I would think that the Filename and Filetype rules would override this. Otherwise, someone can get by the Filename and Filetype checks by sending the file infected with a virus which can be cleaned.

Here is the log:

Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus and Content Scanning: Starting
Sep 2 15:58:27 dimstar2 MailScanner[28583]: McAfee said "/var/spool/MailScanner/incoming/28583/19uHII-0001E4-00/update134.exe"
Sep 2 15:58:27 dimstar2 MailScanner[28583]: McAfee said " Found the W32/Gibe.gen@MM virus !!!"
Sep 2 15:58:27 dimstar2 MailScanner[28583]: /19uHII-0001E4-00/update134.exe Found the W32/Gibe.gen@MM virus !!!
Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: McAfee found 1 infections
Sep 2 15:58:27 dimstar2 MailScanner[28583]: /var/spool/MailScanner/incoming/28583/./19uHII-0001E4-00/update134.exe: Worm.Gibe.B FOUND
Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: ClamAV found 1 infections
Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: Found 1 viruses
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Filename Checks: Windows/DOS Executable (update134.exe)
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Filetype Checks: No executables (update134.exe)
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Other Checks: Found 2 problems
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Saved entire message to /var/spool/MailScanner/quarantine/20030902/19uHII-0001E4-00
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Saved infected "update134.exe" to /var/spool/MailScanner/quarantine/20030902/19uHII-0001E4-00
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Cleaned: Delivered 1 cleaned messages
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Sender Warnings: Delivered 1 warnings to virus senders

I'm using MailScanner version 4.22-5.

Jason

From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 4 18:30:38 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:46 2006
Subject: different actions for different domains?
In-Reply-To: <8B699873CEBA3543926B467E76808232034839@sol.hq.mica.net>
References: <8B699873CEBA3543926B467E76808232034839@sol.hq.mica.net>
Message-ID: <200309041730.h84HUf529249@onyx.rockstone.co.uk>

On Thursday 04 September 2003 5:08 pm, Kevin Hanser wrote:
> So anyway, what I'm wondering is if it is possible with MailScanner /
> Spamassassin to have MailScanner perform different actions depending on
> what domain the mail is intended for.

/opt/MailScanner/etc/rules

Antony.

--
If the human brain were so simple that we could understand it, we'd be so simple that we couldn't.

From mailscanner at ecs.soton.ac.uk Thu Sep 4 18:10:44 2003
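The pattern in Jason Desai's post above ("MailScanner delivering attachments that it shouldn't?"), where an attachment trips the Filename/Filetype checks and a cleaned message is still delivered, can be searched for in the logs. This is an added example, not part of any post and not MailScanner code; it assumes the log line shapes are exactly those in his excerpt, correlates per MailScanner process and batch because the check lines carry no message ID, and its second sample batch is constructed.

```python
import re
from dataclasses import dataclass, field

# Line shapes copied from the log excerpt in the post; other MailScanner
# versions may word these messages differently (assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
BATCH_START = "Virus and Content Scanning: Starting"
CHECK_RE = re.compile(r"^(Filename|Filetype) Checks: (.+) \((.+)\)$")
SAVED_RE = re.compile(r"^Saved entire message to (\S+)")
CLEANED_RE = re.compile(r"^Cleaned: Delivered (\d+) cleaned messages")


@dataclass
class Batch:
    host: str
    pid: str
    started: str
    blocked: list = field(default_factory=list)      # (check, rule, attachment)
    quarantined: list = field(default_factory=list)  # quarantine directories
    cleaned_delivered: int = 0


def parse_batches(lines):
    """Group log lines into scan batches: one per 'Starting' line per process."""
    batches, current = [], {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, msg = (m["host"], m["pid"]), m["msg"]
        if msg.startswith(BATCH_START):
            current[key] = Batch(m["host"], m["pid"], m["ts"])
            batches.append(current[key])
            continue
        batch = current.get(key)
        if batch is None:  # line seen before any batch start: ignore it
            continue
        if (c := CHECK_RE.match(msg)):
            batch.blocked.append(c.groups())
        elif (s := SAVED_RE.match(msg)):
            batch.quarantined.append(s.group(1))
        elif (d := CLEANED_RE.match(msg)):
            batch.cleaned_delivered += int(d.group(1))
    return batches


def bypass_candidates(batches):
    """Batches where an attachment rule fired AND a cleaned message went out.

    This is batch-level correlation, so a hit means "review the quarantined
    copies against what was delivered", not proof that a rule was bypassed.
    """
    return [b for b in batches if b.blocked and b.cleaned_delivered > 0]


# Lines taken from the post's excerpt (scanner chatter omitted).
POST_LINES = r'''
Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus and Content Scanning: Starting
Sep 2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: Found 1 viruses
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Filename Checks: Windows/DOS Executable (update134.exe)
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Filetype Checks: No executables (update134.exe)
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Other Checks: Found 2 problems
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Saved entire message to /var/spool/MailScanner/quarantine/20030902/19uHII-0001E4-00
Sep 2 15:58:28 dimstar2 MailScanner[28583]: Cleaned: Delivered 1 cleaned messages
'''
# Constructed lines: a rule fires, nothing is cleaned and delivered.
CONSTRUCTED_LINES = r'''
Sep 2 16:02:10 dimstar2 MailScanner[28590]: Virus and Content Scanning: Starting
Sep 2 16:02:11 dimstar2 MailScanner[28590]: Filename Checks: Windows/DOS Executable (constructed.exe)
Sep 2 16:02:11 dimstar2 MailScanner[28590]: Other Checks: Found 1 problems
Sep 2 16:02:11 dimstar2 MailScanner[28590]: Saved entire message to /var/spool/MailScanner/quarantine/20030902/CONSTRUCTED-0001
'''
SAMPLE_LOG = (POST_LINES + CONSTRUCTED_LINES).splitlines()

if __name__ == "__main__":
    for b in bypass_candidates(parse_batches(SAMPLE_LOG)):
        print(f"{b.started} {b.host} pid {b.pid}: "
              f"{b.cleaned_delivered} cleaned message(s) delivered, rules hit:")
        for check, rule, name in b.blocked:
            print(f"  {check}: {rule} ({name})")
        for path in b.quarantined:
            print(f"  quarantined copy: {path}")
```

Only the batch from the post is reported; the constructed batch is skipped because no cleaned message was delivered in it.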
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:46 2006
Subject: File Command
In-Reply-To: <3F57416A.20941.1DC53159@localhost>
Message-ID: <5.2.1.1.2.20030904180923.02714158@imap.ecs.soton.ac.uk>

At 17:43 04/09/2003, you wrote:
>Hi people,
>
>a quick one: in the default MailScanner.conf (from the tar 4.23-11 distro) I
>have the following:
>
># Where the "file" command is installed.
># This is used for checking the content type of files, regardless of their
># filename.
># To disable Filetype checking, set this value to blank.
>File Command = #/usr/bin/file
>
>Now, that "#" just before /usr/bin/file, does it imply the command is
>commented out and won't be executed? or is it required?

As the line above "File Command" says, setting it to blank disables filetype checking. The "#" at the start of /usr/bin/file comments out the rest of the line, leaving the value blank. This therefore disables filetype checking. Just ignore everything after a "#" and it will be obvious :-)

>I can't figure this out just by browsing the code and I as I haven't finished
>configuration, I hoped someone answered before I try it out.
>
>TIA
>
>--
>Mariano Absatz
>El Baby
>----------------------------------------------------------
>Don't worry about the world coming to an end today.It's already tomorrow in
>Australia. -- Charles Schulz

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Sep 4 18:11:55 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Server dies with 100% RAM and swap file use. In-Reply-To: <3F576CC6.7030103@cspotmail.com> Message-ID: <5.2.1.1.2.20030904181129.02617dc8@imap.ecs.soton.ac.uk> Does the RAM in use gradually creep up, or does it suddenly go to 100%? At 17:48 04/09/2003, you wrote: >I'm running MailScanner from an RPM install on Red Hat 7.1 on a 800mghz >Pentium 3 with 256MB ram and a 256MB swap. The server will run for >24hours then die. The problem only started after installing MailScanner. >I have mailscanner configured not to stop spam and with 3 child procs >running, MailScanner v 4.23-11 RPM install. I have been using ClamAV for >virus scanning. Any ideas why MailScanner seems to be dying? I set the >auto restart config value to 10480 seconds also. > >-- >Stephen Breen >c:Spot InterWorks -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 18:09:03 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: different actions for different domains? In-Reply-To: <8B699873CEBA3543926B467E76808232034839@sol.hq.mica.net> Message-ID: <5.2.1.1.2.20030904180851.02688168@imap.ecs.soton.ac.uk> Please read the docs in /etc/MailScanner/rules. At 17:08 04/09/2003, you wrote: >We have a linux box set up as a spam/virus relay server that is relaying >mail for multiple domains. Currently, I have it configured to simply mark >spam and then deliver the messages, since that's how I like it. I >personally have a problem with a machine making a decision about what mail >I should and shouldn't get, since no program is 100% perfect and I don't >want to lose any real mail. However, we are considering relaying more >domains thru this box for some other customers, and some of them would >rather not ever see the spam, and have it just stopped @ the server >(apparently they're not concerned about losing real mail, since we've >explained that to them and they didn't seem to think it was an issue..). > >So anyway, what I'm wondering is if it is possible with MailScanner / >Spamassassin to have MailScanner perform different actions depending on >what domain the mail is intended for. From what I gather from the config >file, it looks like you just have one config file, which affects any mail >that runs thru the MailScanner on that machine. Am I correct in this >thinking, or is it possible to have different configs for different domains? > >thx > >k -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 18:04:54 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:46 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: Message-ID: <5.2.1.1.2.20030904180257.02687ac0@imap.ecs.soton.ac.uk> At 17:38 04/09/2003, you wrote: >For me, it would not surprise me if the bayes database was corrupt. I've >used that box for many different tests. I can wipe out the database. But >shouldn't MailScanner time out SpamAssassin if it takes too long? I have > >SpamAssassin Timeout = 70 >Max SpamAssassin Timeouts = 20 > >but MailScanner was hanging for hours. Yes, the timeout should still happen. Also, I have found the bug in SA 2.55 that was causing this problem and it has been fixed in 2.60rc3. As I advised earlier, please can you add some debugging messages (print STDERR "blah blah blah\n";) to sub WorkForHours in /usr/sbin/MailScanner and try running it in debug mode. That may help show which bit is running slowly. > > I have just seen one of my servers hang, due to the Bayes > > database getting > > corrupt. If I set "Debug = yes" and "Debug SpamAssassin = yes" then it > > printed millions of error messages about a "partial write (number of > > 665)". Presumably there was supposed to be a number before > > "of", which is > > supposed to increment but doesn't. I switched off Bayes > > (use_bayes 0) to > > work around the problem. > > > > What's the chance there are some messages out there which are > > capable of > > causing Bayes corruption due to them containing strange > > characters/strings? > > Has anyone suffered this problem who is using SA 2.60rc3? > > > > At 15:43 04/09/2003, you wrote: > > >Not sure if this will help or not, but I have noticed > > MailScanner on my > > >backup/test server hanging. An strace of the process showed > > nothing. But > > >ls -l /proc//fd/ showed that it had some of the > > SpamAssassin bayes > > >database files opened. This is running MailScanner version > > 4.22-5 and > > >SpamAssassin version 2.54. 
> > > > > >The strange thing is that MailScanner had been hung for over > > a day! I would > > >have thought that MailScanner would have timed out > > SpamAssassin by then. > > >Killing MailScanner and restarting would fix the problem for > > a while, then > > >it would happen again. I know that some people who are > > having this problem > > >are not using SpamAssassin, but perhaps there is a problem > > in the time out > > >code for SpamAssassin or Virus Checking? > > > > > >I'm not complaining. My main MailScanner server is working, > > and I set > > >"use_bayes 0" on my backup, and that seemed to clear its > > problem. The > > >backup is a 233 MHz with 128 Mb of ram, and has other > > functions besides > > >scanning email, so it is taxed when MailScanner scans email. > > > > > >Anyways, maybe this helps - if not, just ignore. > > > > > >Jason > > > > > > > -----Original Message----- 
> > > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > > Sent: Thursday, September 04, 2003 5:26 AM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: [MAILSCANNER] Mail Not Routing, stuck in > > > > /var/spool/mqueue.in > > > > > > > > > > > > One of the things you could do to track it is this: > > > > > > > > In /usr/sbin/MailScanner, look for the "sub WorkForHours" > > and scatter > > > > print STDERR "Got to point 1\n"; > > > > statements through it (obviously changing the number). Then > > > > set "Debug = > > > > yes" and you should see this output. If it is pausing > > horribly at some > > > > particular stage of processing a batch, then this should show > > > > it up. Leave > > > > all the spam checks disabled if you can, these take quite a > > > > long time anyway. > > > > > > > > And check your /etc/sysconfig/i18n has no mention of "utf8" > > > > in it. That's > > > > important. > > > > > > > > At 10:26 04/09/2003, you wrote: > > > > >Hi! > > > > > > > > > > > Without login access to somebody's machine which is > > > > *reliably* suffering > > > > > > from this problem, I'm a bit stuck. > > > > > > > > > >If it was happening _right now_ i would -love- to give a > > > > login, but it > > > > >isnt. > > > > > > > > > >One of the other people who is suffering from this wanting > > > > to give Julian > > > > >a login for looking into this ? > > > > > > > > > >Bye, > > > > >Raymond. > > > > > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 4 18:07:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:46 2006
Subject: MailScanner feature request
In-Reply-To:
References:
Message-ID: <5.2.1.1.2.20030904180551.027d3298@imap.ecs.soton.ac.uk>

At 16:56 04/09/2003, you wrote:
>Julian Field wrote:
> >Added.
> >I haven't added a new config option for it though, I'm just logging it
> >anyway. It didn't seem worth the overhead of doing a config variable check
> >for every report in every message.
>
>Ah, that's a shame. Part of the reason I made it configurable was so that
>I could tell MailScanner to only log about infected machines on our network,
>to make it easier to get information for our CERT team.

Most people (I suspect) don't need that fine control over logging output such as this, and every config option I add creates more overhead. So if it's a line that is likely to get called a lot, I like to keep it as simple as possible. But mostly, I was feeling lazy and didn't want to write the docs etc that are needed for another config option. Maybe I'll rethink now I'm not in the office (v. hectic there).
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From sbreen at CSPOTMAIL.COM Thu Sep 4 18:44:15 2003
From: sbreen at CSPOTMAIL.COM (Stephen Breen)
Date: Thu Jan 12 21:19:46 2006
Subject: Server dies with 100% RAM and swap file use.
In-Reply-To: <5.2.1.1.2.20030904181129.02617dc8@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20030904181129.02617dc8@imap.ecs.soton.ac.uk>
Message-ID: <3F5779EF.30205@cspotmail.com>

The RAM seems to at least be 100% used in an hour or two. Then it starts in on the swap file, and that takes the rest of the day to fill up; then the server dies (well, gets really slow and takes forever to do anything).

Julian Field wrote:

> Does the RAM in use gradually creep up, or does it suddenly go to 100%?
>
> At 17:48 04/09/2003, you wrote:
>
>> I'm running MailScanner from an RPM install on Red Hat 7.1 on an 800MHz
>> Pentium 3 with 256MB ram and a 256MB swap. The server will run for
>> 24 hours then die. The problem only started after installing MailScanner.
>> I have mailscanner configured not to stop spam and with 3 child procs
>> running, MailScanner v 4.23-11 RPM install. I have been using ClamAV for
>> virus scanning. Any ideas why MailScanner seems to be dying? I set the
>> auto restart config value to 10480 seconds also.
>>
>> --
>> Stephen Breen
>> c:Spot InterWorks
>
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>

--
Stephen Breen
c:Spot InterWorks
916-231-0602
http://www.mycspot.com

From tristanr at CI.GRANDJCT.CO.US Thu Sep 4 18:35:48 2003
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes) Date: Thu Jan 12 21:19:46 2006 Subject: Why anti-virus software is not enough... (Link to white-paper) Message-ID: Why anti-virus software is not enough: The urgent need for server-based email content checking http://www.trojanscan.com/mailsecurity/wpcontentchecking.htm "This white paper explains why anti-virus software alone is not enough to protect your organization against the current and future onslaught of computer viruses. Examining the different kinds of email attacks that threaten today's organizations, this paper describes the need for a solid server-based content-checking gateway to safeguard your business against email viruses and attacks." Isn't it nice to know that MailScanner already provides the protection described in the white paper Tristan Rhodes Information Systems (970) 244-1530 tristanr@ci.grandjct.co.us City of Grand Junction From miguelk at KONSULTEX.COM.BR Thu Sep 4 18:49:27 2003 
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:19:46 2006
Subject: Server dies with 100% RAM and swap file use.
References: <5.2.1.1.2.20030904181129.02617dc8@imap.ecs.soton.ac.uk>
Message-ID: <3F577B27.70402@konsultex.com.br>

Stephen;

This comment is based on the assumption that you have the standard kernel that came with it. My previous server (2 months ago) was running RH 7.1 and all was fine as long as I did not bother it too much with new software, more processes, etc. Early this year I upgraded php, apache, snort, Perl and some other things (not Mailscanner, though) which I can't remember right now. Since then it also had lapses when it started just dying. Mine would run for about 1 or 2 weeks. The basic problem with that kernel is that the virtual memory process killer (the OOM killer) sometimes makes a mistake and kills the kernel. That happened in my case because the new processes ate up more ram than before and made the OOM act more often. Your case, though, may be different. I would suggest a kernel update or a distribution update, if you can do that.

Miguel

Julian Field wrote:

> Does the RAM in use gradually creep up, or does it suddenly go to 100%?
>
> At 17:48 04/09/2003, you wrote:
>
>> I'm running MailScanner from an RPM install on Red Hat 7.1 on an 800MHz
>> Pentium 3 with 256MB ram and a 256MB swap. The server will run for
>> 24 hours then die. The problem only started after installing MailScanner.
>> I have mailscanner configured not to stop spam and with 3 child procs
>> running, MailScanner v 4.23-11 RPM install. I have been using ClamAV for
>> virus scanning. Any ideas why MailScanner seems to be dying? I set the
>> auto restart config value to 10480 seconds also.
>>
>> --
>> Stephen Breen
>> c:Spot InterWorks
>
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>

--
This message was checked by the antivirus system and is believed to be free of danger.

From sbreen at CSPOTMAIL.COM Thu Sep 4 18:57:13 2003
From: sbreen at CSPOTMAIL.COM (Stephen Breen)
Date: Thu Jan 12 21:19:46 2006
Subject: Server dies with 100% RAM and swap file use.
In-Reply-To: <3F577B27.70402@konsultex.com.br>
References: <5.2.1.1.2.20030904181129.02617dc8@imap.ecs.soton.ac.uk> <3F577B27.70402@konsultex.com.br>
Message-ID: <3F577CF9.90509@cspotmail.com>

Hi, thanks for the suggestion. I will try a kernel update from 2.4.20-18.7 (which I'm running now) to 2.4.20-20.7, but a distribution update for the mail server is a high priority on our list. I really like MailScanner and it has been catching 500+ viruses a day so far with ClamAV, and I would really like to continue running it if possible.

Steve

Miguel Koren O'Brien de Lacy wrote:

> Stephen;
>
> This comment is based on the assumption that you have the standard
> kernel that came with it. My previous server (2 months ago) was
> running RH 7.1 and all was fine as long as I did not bother it too
> much with new software, more processes, etc. Early this year I
> upgraded php, apache, snort, Perl and some other things (not
> Mailscanner, though) which I can't remember right now. Since then it
> also had lapses when it started just dying. Mine would run for about
> 1 or 2 weeks. The basic problem with that kernel is that the virtual
> memory process killer (the OOM killer) sometimes makes a mistake and
> kills the kernel. That happened in my case because the new processes
> ate up more ram than before and made the OOM act more often. Your
> case, though, may be different. I would suggest a kernel update or a
> distribution update, if you can do that.
>
> Miguel
>
> Julian Field wrote:
>
>> Does the RAM in use gradually creep up, or does it suddenly go to 100%?
>>
>> At 17:48 04/09/2003, you wrote:
>>
>>> I'm running MailScanner from an RPM install on Red Hat 7.1 on an 800MHz
>>> Pentium 3 with 256MB ram and a 256MB swap. The server will run for
>>> 24 hours then die. The problem only started after installing
>>> MailScanner.
>>> I have mailscanner configured not to stop spam and with 3 child procs
>>> running, MailScanner v 4.23-11 RPM install. I have been using ClamAV
>>> for
>>> virus scanning. Any ideas why MailScanner seems to be dying? I set the
>>> auto restart config value to 10480 seconds also.
>>>
>>> --
>>> Stephen Breen
>>> c:Spot InterWorks
>>
>>
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Professional Support Services at www.MailScanner.biz
>> MailScanner thanks transtec Computers for their support
>>
>
>
>

--
Stephen Breen
c:Spot InterWorks
916-231-0602
http://www.mycspot.com

From greyhair at GREYHAIR.NET Thu Sep 4 19:02:27 2003
From: greyhair at GREYHAIR.NET (Mr. Greyhair)
Date: Thu Jan 12 21:19:46 2006
Subject: Server dies with 100% RAM and swap file use.
Message-ID: <200309041802.h84I2Ru31436@localhost.greyhair.net>

Have you seen what is using up the RAM? Did you use 'top' to see the hogs? Is this machine *only* for Email, no other programs running (like apache, tomcat, etc)? Is buying more ram an option (newegg.com!)?

Stephen Breen wrote ..
> I'm running MailScanner from an RPM install on Red Hat 7.1 on an 800MHz
> Pentium 3 with 256MB ram and a 256MB swap. The server will run for
> 24 hours then die. The problem only started after installing MailScanner.
> I have mailscanner configured not to stop spam and with 3 child procs
> running, MailScanner v 4.23-11 RPM install. I have been using ClamAV for
> virus scanning. Any ideas why MailScanner seems to be dying? I set the
> auto restart config value to 10480 seconds also.
>
> --
> Stephen Breen
> c:Spot InterWorks

From sbreen at CSPOTMAIL.COM Thu Sep 4 19:08:06 2003
From: sbreen at CSPOTMAIL.COM (Stephen Breen)
Date: Thu Jan 12 21:19:46 2006
Subject: Server dies with 100% RAM and swap file use.
In-Reply-To: <200309041802.h84I2Ru31436@localhost.greyhair.net>
References: <200309041802.h84I2Ru31436@localhost.greyhair.net>
Message-ID: <3F577F86.6050302@cspotmail.com>

The machine is an email server; it runs apache for openwebmail, no java! A ram upgrade is an option (as in it's on the way pretty soon here). I still don't see why all the ram/swap would disappear.

Mr. Greyhair wrote:

>Have you seen what is using up the RAM? Did you use 'top' to see the hogs? Is this machine *only* for Email, no other programs running (like apache, tomcat, etc)? Is buying more ram an option (newegg.com!)?
>
>Stephen Breen wrote ..
>
>
>>I'm running MailScanner from an RPM install on Red Hat 7.1 on an 800MHz
>>Pentium 3 with 256MB ram and a 256MB swap. The server will run for
>>24 hours then die. The problem only started after installing MailScanner.
>>I have mailscanner configured not to stop spam and with 3 child procs
>>running, MailScanner v 4.23-11 RPM install. I have been using ClamAV for
>>virus scanning. Any ideas why MailScanner seems to be dying? I set the
>>auto restart config value to 10480 seconds also.
>>
>>--
>>Stephen Breen
>>c:Spot InterWorks
>>
>>

--
Stephen Breen
c:Spot InterWorks
916-231-0602
http://www.mycspot.com

From mailscanner at LISTS.COM.AR Thu Sep 4 20:30:32 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:46 2006
Subject: strange behaviour detected with W32/Mimail@MM
In-Reply-To: <3F2E3688.31037.1E036E@localhost>
References: <5.2.1.1.2.20030803214820.02521008@imap.ecs.soton.ac.uk>
Message-ID: <3F5768A8.15429.1E5E7D97@localhost>

Hi Julian,

I know I wrote this a month ago, but I couldn't lay my hands on a spare server... I upgraded one of the production servers to MailScanner 4.23-11 today and I'm getting the same results.

I think all the McAfee reports are disappearing from $message->{allreports} somehow... I think this 'cause I modified the SQL loggin' routines to get a plain text log in real time and I only see filename reports there, never a virus report...

Here's a log sample with the current version of MailScanner:

Sep 4 16:11:46 or Alerce-OR[24018]: New Batch: Scanning 1 messages, 29148 bytes
Sep 4 16:11:46 or Alerce-OR[24018]: Spam Checks: Starting
Sep 4 16:11:46 or Alerce-OR[24018]: Virus and Content Scanning: Starting
Sep 4 16:11:47 or Alerce-OR[24018]: /app/mailScanner.4.23-11/var/incoming/24018/130309/message.zip Found the W32/Mimail@MM virus !!!
Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: McAfee found 1 infections
Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: Found 1 viruses
Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing msg-24018-1.txt
Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing message.zip
Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing msg-24018-1.txt
Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing message.zip
Sep 4 16:11:47 or Alerce-OR[24018]: ZM: message 130309 renamed into 1563661
Sep 4 16:11:47 or Alerce-OR[24018]: Uninfected: Delivered 1 messages

You can see that McAfee does find the virus (and logs it), but lastly, it says it delivered the message 'cause it was uninfected

On 4 Aug 2003 at 10:33, Mariano Absatz wrote:

> These are a couple of production servers, I'll see if I can find a spare
> machine, set everything up and tell you later today.
>
> On 3 Aug 2003 at 21:53, Julian Field wrote:
>
> > Can you confirm that this is still a problem with the latest MailScanner
> > please?
> >
> > I can't immediately see why it would do this.
> >
> > If this is still a problem, then it's obviously something I need to take a
> > look at urgently.
> >
> > At 01:26 02/08/2003, you wrote:
> > >I know, I know... my mailer decided to use base64 no matter I told it
> > >otherwise... well, the log excerpts are at
> > >http://baby.com.ar/MailScanner/mailscanner-log-excerpts
> > >
> > >Thanx.
> > >
> > >On 1 Aug 2003 at 21:21, Mariano Absatz wrote:
> > >
> > > >
> > > > I'm enclosing a text file with results from every one of these tests.
> > > >
> > > > For every test I put the relevant log lines from syslog (luckily enough, the
> > > > traffic was so low, that every test message passed thru mailscanner as a
> > > > complete batch).
> > > >
> > > > Following it there are 2 or 3 lines (MSG: / TO : / RPT:) that are equivalent
> > > > to the mysql log (generated by &AlerceLogging, that is a modified version of
> > > > SQLLogging that doesn't do any SQL).
> > > >
> > > > Finally, the relevant MailScanner header lines in the received message.
> > > >
> > > >
> > >--
> > >Mariano Absatz
> > >El Baby
> > >----------------------------------------------------------
> > >Always remember you're unique, just like everyone else.
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
>
>
> --
> Mariano Absatz
> El Baby
> ----------------------------------------------------------
> The instructions said to use Windows 98 or better,
> so I installed GNU/Linux 2.4.

--
Mariano Absatz
El Baby
----------------------------------------------------------
Lottery: A tax on people who are bad at math.

From dh at UPTIME.AT Thu Sep 4 20:34:35 2003
From: dh at UPTIME.AT (David)
Date: Thu Jan 12 21:19:46 2006
Subject: OT: Osirusoft and no mail passed.. explanations..
Message-ID:

...
It's interesting how free resources can become almost critical resources to various businesses. This week, we saw Osirusoft pull the plug on its DNSBL spam blacklist service. What's interesting is that Osirusoft ended by adding an open wildcard to the blacklist service, essentially causing *every* system to appear to be in the blacklist and thus be prevented from sending e-mail. Admins who used the Osirusoft DNSBL found their machines refusing to pass e-mail, even to itself in some situations! The moral to this story: Review your external dependencies and prepare contingency plans should one of those dependent relationships immediately be severed.

http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0202.html

Until next week,
...

from the SANS newsletter

-d

- "Deep into that darkness peering, long I stood there wondering, fearing,
- Doubting, dreaming dreams no mortal ever dared to dream to dream before.."
Edgar Allen Poe - The Raven

From Kevin at MICA.NET Thu Sep 4 20:39:47 2003
From: Kevin at MICA.NET (Kevin Hanser)
Date: Thu Jan 12 21:19:47 2006
Subject: different actions for different domains?
Message-ID: <8B699873CEBA3543926B467E7680823203483F@sol.hq.mica.net>

Awesome! Just what I was looking for, guess I need to RTFM a little more closely next time :)

Thanx!

k

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, September 04, 2003 13:09
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: different actions for different domains?

Please read the docs in /etc/MailScanner/rules.

At 17:08 04/09/2003, you wrote:
>We have a linux box set up as a spam/virus relay server that is
>relaying mail for multiple domains. Currently, I have it configured to

From mailscanner at ecs.soton.ac.uk Thu Sep 4 20:40:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:47 2006
Subject: strange behaviour detected with W32/Mimail@MM
In-Reply-To: <3F5768A8.15429.1E5E7D97@localhost>
References: <3F2E3688.31037.1E036E@localhost> <5.2.1.1.2.20030803214820.02521008@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030904203853.03ce1db8@imap.ecs.soton.ac.uk>

Are you using a path containing any links in your MailScanner.conf? You possibly have /app/mailScanner/var/incoming as your working directory? As it says in the conf file, you *must* use the real path, particularly with mcafee.

At 20:30 04/09/2003, you wrote:
>Hi Julian,
>
>I know I wrote this a month ago, but I couldn't lay my hands on a spare
>server... I upgraded one of the production servers to MailScanner 4.23-11
>today and I'm getting the same results.
>
>I think all the McAfee reports are disappearing from $message->{allreports}
>somehow... I think this 'cause I modified the SQL loggin' routines to get a
>plain text log in real time and I only see filename reports there, never a
>virus report...
>
>Here's a log sample with the current version of MailScanner:
>
>Sep 4 16:11:46 or Alerce-OR[24018]: New Batch: Scanning 1 messages, 29148
>bytes
>Sep 4 16:11:46 or Alerce-OR[24018]: Spam Checks: Starting
>Sep 4 16:11:46 or Alerce-OR[24018]: Virus and Content Scanning: Starting
>Sep 4 16:11:47 or Alerce-OR[24018]: /app/mailScanner.4.23-
>11/var/incoming/24018/130309/message.zip Found the W32/
>Mimail@MM virus !!!
>Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: McAfee found 1
>infections
>Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: Found 1 viruses
>Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing msg-24018-
>1.txt
>Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing message.zip
>Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing msg-24018-
>1.txt
>Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing message.zip
>Sep 4 16:11:47 or Alerce-OR[24018]: ZM: message 130309 renamed into 1563661
>Sep 4 16:11:47 or Alerce-OR[24018]: Uninfected: Delivered 1 messages
>
>You can see that McAfee does find the virus (and logs it), but lastly, it
>says it delivered the message 'cause it was uninfected
>
>On 4 Aug 2003 at 10:33, Mariano Absatz wrote:
>
> > These are a couple of production servers, I'll see if I can find a spare
> > machine, set everything up and tell you later today.
> >
> > On 3 Aug 2003 at 21:53, Julian Field wrote:
> >
> > > Can you confirm that this is still a problem with the latest MailScanner
> > > please?
> > >
> > > I can't immediately see why it would do this.
> > >
> > > If this is still a problem, then it's obviously something I need to take a
> > > look at urgently.
> > >
> > > At 01:26 02/08/2003, you wrote:
> > > >I know, I know... my mailer decided to use base64 no matter I told it
> > > >otherwise... well, the log excerpts are at
> > > >http://baby.com.ar/MailScanner/mailscanner-log-excerpts
> > > >
> > > >Thanx.
> > > >
> > > >On 1 Aug 2003 at 21:21, Mariano Absatz wrote:
> > > >
> > > > >
> > > > > I'm enclosing a text file with results from every one of these tests.
> > > > >
> > > > > For every test I put the relevant log lines from syslog (luckily enough, the
> > > > > traffic was so low, that every test message passed thru mailscanner as a
> > > > > complete batch).
> > > > >
> > > > > Following it there are 2 or 3 lines (MSG: / TO : / RPT:) that are equivalent
> > > > > to the mysql log (generated by &AlerceLogging, that is a modified version of
> > > > > SQLLogging that doesn't do any SQL).
> > > > >
> > > > > Finally, the relevant MailScanner header lines in the received message.
> > > > >
> > > > >
> > > >--
> > > >Mariano Absatz
> > > >El Baby
> > > >----------------------------------------------------------
> > > >Always remember you're unique, just like everyone else.
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > Professional Support Services at www.MailScanner.biz
> > > MailScanner thanks transtec Computers for their support
> >
> >
> > --
> > Mariano Absatz
> > El Baby
> > ----------------------------------------------------------
> > The instructions said to use Windows 98 or better,
> > so I installed GNU/Linux 2.4.
>
>
>--
>Mariano Absatz
>El Baby
>----------------------------------------------------------
>Lottery: A tax on people who are bad at math.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at LISTS.COM.AR Thu Sep 4 20:54:38 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:47 2006
Subject: strange behaviour detected with W32/Mimail@MM
In-Reply-To: <5.2.1.1.2.20030904203853.03ce1db8@imap.ecs.soton.ac.uk>
References: <3F5768A8.15429.1E5E7D97@localhost>
Message-ID: <3F576E4E.7587.1E749019@localhost>

F#&k it!
You're right... and I _had_ read that before (long time before), but once I did a test and I thought it worked 'cause I saw the message from mcafee saying that it found the virus...

Then I used symlinks to do smooth upgrades... well it seems I'll have to remember to edit the incoming working directory...

Thanx a lot, Julian!

On 4 Sep 2003 at 20:40, Julian Field wrote:

> Are you using a path containing any links in your MailScanner.conf.
> You possibly have /app/mailScanner/var/incoming as your working directory?
> As it says in the conf file, you *must* use the real path, particularly
> with mcafee.
>
> At 20:30 04/09/2003, you wrote:
> >Hi Julian,
> >
> >I know I wrote this a month ago, but I couldn't lay my hands on a spare
> >server... I upgraded one of the production servers to MailScanner 4.23-11
> >today and I'm getting the same results.
> >
> >I think all the McAfee reports are disappearing from $message->{allreports}
> >somehow... I think this 'cause I modified the SQL loggin' routines to get a
> >plain text log in real time and I only see filename reports there, never a
> >virus report...
> >
> >Here's a log sample with the current version of MailScanner:
> >
> >Sep 4 16:11:46 or Alerce-OR[24018]: New Batch: Scanning 1 messages, 29148
> >bytes
> >Sep 4 16:11:46 or Alerce-OR[24018]: Spam Checks: Starting
> >Sep 4 16:11:46 or Alerce-OR[24018]: Virus and Content Scanning: Starting
> >Sep 4 16:11:47 or Alerce-OR[24018]: /app/mailScanner.4.23-
> >11/var/incoming/24018/130309/message.zip Found the W32/
> >Mimail@MM virus !!!
> >Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: McAfee found 1
> >infections
> >Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: Found 1 viruses
> >Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing msg-24018-
> >1.txt
> >Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing message.zip
> >Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing msg-24018-
> >1.txt
> >Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing message.zip
> >Sep 4 16:11:47 or Alerce-OR[24018]: ZM: message 130309 renamed into 1563661
> >Sep 4 16:11:47 or Alerce-OR[24018]: Uninfected: Delivered 1 messages
> >
> >You can see that McAfee does find the virus (and logs it), but lastly, it
> >says it delivered the message 'cause it was uninfected
> >

--
Mariano Absatz
El Baby
----------------------------------------------------------
I don't suffer from insanity. I enjoy every minute of it.

From mailscanner at ecs.soton.ac.uk Thu Sep 4 21:03:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:47 2006
Subject: strange behaviour detected with W32/Mimail@MM
In-Reply-To: <3F576E4E.7587.1E749019@localhost>
References: <5.2.1.1.2.20030904203853.03ce1db8@imap.ecs.soton.ac.uk> <3F5768A8.15429.1E5E7D97@localhost>
Message-ID: <5.2.1.1.2.20030904210224.03bb4470@imap.ecs.soton.ac.uk>

Or else just keep the incoming directory somewhere outside the distribution, e.g. /var/spool/MailScanner/incoming.

At 20:54 04/09/2003, you wrote:
>F#&k it!
>You're right... and I _had_ read that before (long time before), but once I
>did a test and I thought it worked 'cause I saw the message from mcafee
>saying that it found the virus...
>
>Then I used symlinks to do smooth upgrades... well it seems I'll have to
>remember to edit the incoming working directory...
>
>Thanx a lot, Julian!
>
>On 4 Sep 2003 at 20:40, Julian Field wrote:
>
> > Are you using a path containing any links in your MailScanner.conf.
> > You possibly have /app/mailScanner/var/incoming as your working directory?
> > As it says in the conf file, you *must* use the real path, particularly
> > with mcafee.
> >
> > At 20:30 04/09/2003, you wrote:
> > >Hi Julian,
> > >
> > >I know I wrote this a month ago, but I couldn't lay my hands on a spare
> > >server... I upgraded one of the production servers to MailScanner 4.23-11
> > >today and I'm getting the same results.
> > >
> > >I think all the McAfee reports are disappearing from $message->{allreports}
> > >somehow... I think this 'cause I modified the SQL loggin' routines to get a
> > >plain text log in real time and I only see filename reports there, never a
> > >virus report...
> > >
> > >Here's a log sample with the current version of MailScanner:
> > >
> > >Sep 4 16:11:46 or Alerce-OR[24018]: New Batch: Scanning 1 messages, 29148
> > >bytes
> > >Sep 4 16:11:46 or Alerce-OR[24018]: Spam Checks: Starting
> > >Sep 4 16:11:46 or Alerce-OR[24018]: Virus and Content Scanning: Starting
> > >Sep 4 16:11:47 or Alerce-OR[24018]: /app/mailScanner.4.23-
> > >11/var/incoming/24018/130309/message.zip Found the W32/
> > >Mimail@MM virus !!!
> > >Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: McAfee found 1
> > >infections
> > >Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: Found 1 viruses
> > >Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing msg-24018-
> > >1.txt
> > >Sep 4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing message.zip
> > >Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing msg-24018-
> > >1.txt
> > >Sep 4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing message.zip
> > >Sep 4 16:11:47 or Alerce-OR[24018]: ZM: message 130309 renamed into 1563661
> > >Sep 4 16:11:47 or Alerce-OR[24018]: Uninfected: Delivered 1 messages
> > >
> > >You can see that McAfee does find the virus (and logs it), but lastly, it
> > >says it delivered the message 'cause it was uninfected
> > >
>
>--
>Mariano Absatz
>El Baby
>----------------------------------------------------------
>I don't suffer from insanity. I enjoy every minute of it.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From steve.douglas at SBIINCORPORATED.COM Thu Sep 4 21:31:54 2003
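The log quoted in the W32/Mimail@MM thread above shows the failure as a contradiction inside one batch: the scanner counts an infection, yet every message in the batch is delivered as uninfected. As an added example (not MailScanner code and not written by anyone in the thread), the Python below flags such batches in syslog output and checks that a work directory is a real path; the function names are hypothetical, the first sample batch is retyped from the thread with its mail-wrapped lines rejoined, and the second batch is constructed.

```python
import os
import re

# Syslog prefix as seen in the thread: "Sep 4 16:11:46 or Alerce-OR[24018]: <text>"
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+([^\s\[]+)\[(\d+)\]:\s+(.*)$")
NEW_BATCH = re.compile(r"New Batch: Scanning (\d+) messages")
FOUND = re.compile(r"Virus Scanning: Found (\d+) viruses")
DELIVERED = re.compile(r"Uninfected: Delivered (\d+) messages")

SAMPLE_LOG = [
    # Batch from the thread (wrapped lines rejoined).
    "Sep 4 16:11:46 or Alerce-OR[24018]: New Batch: Scanning 1 messages, 29148 bytes",
    "Sep 4 16:11:47 or Alerce-OR[24018]: /app/mailScanner.4.23-11/var/incoming/"
    "24018/130309/message.zip Found the W32/Mimail@MM virus !!!",
    "Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: McAfee found 1 infections",
    "Sep 4 16:11:47 or Alerce-OR[24018]: Virus Scanning: Found 1 viruses",
    "Sep 4 16:11:47 or Alerce-OR[24018]: Uninfected: Delivered 1 messages",
    # Constructed healthy batch: 3 scanned, 1 detection, 2 delivered as clean.
    "Sep 4 16:12:10 or Alerce-OR[24019]: New Batch: Scanning 3 messages, 51200 bytes",
    "Sep 4 16:12:11 or Alerce-OR[24019]: Virus Scanning: Found 1 viruses",
    "Sep 4 16:12:12 or Alerce-OR[24019]: Uninfected: Delivered 2 messages",
]


def audit_batches(lines):
    """Return one finding per batch whose detections and clean deliveries
    cannot both be true."""
    open_batches = {}  # (host, tag, pid) -> counters for the batch in progress
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if m is None:
            continue
        host, tag, pid, text = m.groups()
        key = (host, tag, pid)
        hit = NEW_BATCH.search(text)
        if hit:
            open_batches[key] = {"scanned": int(hit.group(1)), "found": 0}
            continue
        batch = open_batches.get(key)
        if batch is None:
            continue  # log starts mid-batch; nothing to compare against
        hit = FOUND.search(text)
        if hit:
            batch["found"] = max(batch["found"], int(hit.group(1)))
            continue
        hit = DELIVERED.search(text)
        if hit:
            delivered = int(hit.group(1))
            # One or more detections means at least one infected message,
            # so at most scanned - 1 messages can honestly be "Uninfected".
            if batch["found"] > 0 and delivered > batch["scanned"] - 1:
                findings.append({
                    "host": host,
                    "pid": pid,
                    "scanned": batch["scanned"],
                    "found": batch["found"],
                    "delivered_as_clean": delivered,
                })
            del open_batches[key]
    return findings


def work_dir_is_real_path(path):
    """True when no component of the directory is a symlink, which is what
    the thread says the conf file requires for the incoming work directory."""
    return os.path.realpath(path) == os.path.abspath(path)


if __name__ == "__main__":
    for finding in audit_batches(SAMPLE_LOG):
        print("infected mail delivered as clean:", finding)
```
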
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:19:47 2006
Subject: Mail log syntax question
Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FC9F@mail.gardenbotanika.com>

Skipped content of type multipart/alternative

From KShortt at AZERTY.COM Thu Sep 4 21:23:55 2003
From: KShortt at AZERTY.COM (Shortt, Kevin)
Date: Thu Jan 12 21:19:47 2006
Subject: Razor per user?
Message-ID: <210DF55DED65B547896F728FB057F3B201CB4DD4@seaver.ussco.com>

Can Razor be implemented on a per user basis? ie....I am able to archive email on per user basis. Will MailScanner give me the same functionality with Razor?

-k

From lindsay at pa.net Thu Sep 4 21:43:37 2003
From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:19:47 2006 Subject: Mail Not Routing, stuck in /var/spool/mqueue.in In-Reply-To: <5.2.0.9.2.20030904163814.04dc7a58@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030904163814.04dc7a58@imap.ecs.soton.ac.uk> Message-ID: <200309041643.37759.lindsay@pa.net> On Thursday 04 September 2003 11:45, you wrote: > I have just seen one of my servers hang, due to the Bayes database getting > corrupt. If I set "Debug = yes" and "Debug SpamAssassin = yes" then it > printed millions of error messages about a "partial write (number of > 665)". Presumably there was supposed to be a number before "of", which is > supposed to increment but doesn't. I switched off Bayes (use_bayes 0) to > work around the problem. > > What's the chance there are some messages out there which are capable of > causing Bayes corruption due to them containing strange characters/strings? > Has anyone suffered this problem who is using SA 2.60rc3? I see this rather frequently w/ SA 2.54. To fix, I stop MailScanner, destroy the bayes db's and restart. I have not tried 2.60rc3 yet though. So if anything, I second what you saw w/ the stuck bayes db's on SA 2.54. > > At 15:43 04/09/2003, you wrote: > >Not sure if this will help or not, but I have noticed MailScanner on my > >backup/test server hanging. An strace of the process showed nothing. But > >ls -l /proc//fd/ showed that it had some of the SpamAssassin bayes > >database files opened. This is running MailScanner version 4.22-5 and > >SpamAssassin version 2.54. > > > >The strange thing is that MailScanner had been hung for over a day! I > > would have thought that MailScanner would have timed out SpamAssassin by > > then. Killing MailScanner and restarting would fix the problem for a > > while, then it would happen again. I know that some people who are > > having this problem are not using SpamAssassin, but perhaps there is a > > problem in the time out code for SpamAssassin or Virus Checking? 
> >
> >I'm not complaining. My main MailScanner server is working, and I set
> >"use_bayes 0" on my backup, and that seemed to clear its problem. The
> >backup is a 233 MHz with 128 Mb of ram, and has other functions besides
> >scanning email, so it is taxed when MailScanner scans email.
> >
> >Anyways, maybe this helps - if not, just ignore.
> >
> >Jason
> >
> > > -----Original Message-----
> > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > > Sent: Thursday, September 04, 2003 5:26 AM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: [MAILSCANNER] Mail Not Routing, stuck in /var/spool/mqueue.in
> > >
> > >
> > > One of the things you could do to track it is this:
> > >
> > > In /usr/sbin/MailScanner, look for the "sub WorkForHours" and scatter
> > > print STDERR "Got to point 1\n";
> > > statements through it (obviously changing the number). Then set "Debug =
> > > yes" and you should see this output. If it is pausing horribly at some
> > > particular stage of processing a batch, then this should show it up. Leave
> > > all the spam checks disabled if you can, these take quite a long time anyway.
> > >
> > > And check your /etc/sysconfig/i18n has no mention of "utf8" in it. That's
> > > important.
> > >
> > > At 10:26 04/09/2003, you wrote:
> > > >Hi!
> > > >
> > > > > Without login access to somebody's machine which is *reliably* suffering
> > > > > from this problem, I'm a bit stuck.
> > > >
> > > >If it was happening _right now_ i would -love- to give a login, but it
> > > >isnt.
> > > >
> > > >One of the other people who is suffering from this wanting to give Julian
> > > >a login for looking into this ?
> > > >
> > > >Bye,
> > > >Raymond.
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support

From hmkash at ARL.ARMY.MIL Thu Sep 4 21:54:20 2003
From: hmkash at ARL.ARMY.MIL (Kash, Howard (Civ,ARL/CISD)) Date: Thu Jan 12 21:19:47 2006 Subject: MailScanner+PostFix ---- try this Message-ID: <229A346E44379140A59A48951B56E0C07A7E32@ARLABML01.DS.ARL.ARMY.MIL> For me this seemed to cause lots of messages to get stuck in the incoming deferred queue. There would be 200 or so messages in the queue, but Mailscanner would only process 1 or 2 messages in each batch. Once I removed the patch, it immediately processed all of the queued messages in batches of 30. Howard -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, September 04, 2003 6:45 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner+PostFix ---- try this Here's a patch to Postfix.pm. I know it's not exactly a neat solution to the problem, but if it fixes it I will know I have found the problem. --- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 +++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 @@ -1132,6 +1132,9 @@ #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; while(defined($file = shift @SortedFiles) && $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { + # Yes I know this is a hack but it will help isolate the problem + next if $ModDate{$file} > time-3; + # must separate next two lines or $1 gets re-tainted by being part of # same expression as $file [mumble mumble grrr mumble mumble] #print STDERR "Reading file $file from list\n"; -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4704 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030904/34cb70b6/smime.bin From mike at CAMAROSS.NET Thu Sep 4 21:59:47 2003 
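Review bot: The added `next if $ModDate{$file} > time-3;` at the top of the `while` loop in Postfix.pm skips queue files silently, so with this diagnostic patch applied there is nothing in the debug output to show how many files in `@SortedFiles` were passed over as too new. Since the stated purpose is to isolate a problem, add a debug line beside the existing commented-out `print STDERR` calls that reports each skipped `$file`. The 3-second window is also a bare literal compared against the wall clock: a file whose `$ModDate{$file}` lies in the future (clock skew) would be skipped on every pass, so a named constant and a guard for that case would make the behaviour easier to reason about.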
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Razor per user?
In-Reply-To: <210DF55DED65B547896F728FB057F3B201CB4DD4@seaver.ussco.com>
Message-ID: <000701c37327$79f51710$640ba8c0@home.middlefinger.net>

I think the only way you could do this would be to either enable or disable spam checks totally (via ruleset) for a user since SpamAssassin uses razor/pyzor/dcc...not MailScanner itself.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Shortt, Kevin
Sent: Thursday, September 04, 2003 3:24 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Razor per user?

Can Razor be implemented on a per user basis? ie....I am able to archive email on per user basis. Will MailScanner give me the same functionality with Razor?

-k

From mike at CAMAROSS.NET Thu Sep 4 22:01:58 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Mail log syntax question
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F70142FC9F@mail.gardenbotanika.com>
Message-ID: <000d01c37327$c8672eb0$640ba8c0@home.middlefinger.net>

Are you using any DNSBL's at the MTA? This is usually caused by the SMTP session being terminated before it is completed. This could be a network issue from a legit host or the connection being dropped because you reject it.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Douglas
Sent: Thursday, September 04, 2003 3:32 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Mail log syntax question

I have the following:

RedHat 9
MailScanner-4.23-11
DCC
Razor2
Pentium4 1.8mhz
1 GB RAM
70 GB HDD

In reviewing the mail logs I noticed syntax as noted "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA." What does this mean?

From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 4 22:04:56 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:47 2006
Subject: Mail log syntax question
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F70142FC9F@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F70142FC9F@mail.gardenbotanika.com>
Message-ID: <200309042105.h84L50530048@onyx.rockstone.co.uk>

On Thursday 04 September 2003 9:31 pm, Steve Douglas wrote:
> I have the following:
>
> Pentium4 1.8mhz

!? :)

> In reviewing the mail logs I noticed syntax as noted "did not issue
> MAIL/EXPN/VRFY/ETRN during connection to MTA." What does this mean?

Probably means somebody port scanned TCP 25 on your mail server. This message means a TCP connection was opened but no command was received from the client.

Antony.

--
Normal people think "if it ain't broke, don't fix it".
Engineers think "if it ain't broke, it doesn't have enough features yet".

From mike at CAMAROSS.NET Thu Sep 4 22:41:06 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Has anyone else noticed...
In-Reply-To: <200309042105.h84L50530048@onyx.rockstone.co.uk>
Message-ID: <003501c3732d$3f27ee90$640ba8c0@home.middlefinger.net>

an increase in hits from Infinite-Monkeys today? I even went to their site and checked my IP's because mail between my own servers was being tagged as spam.

RBL checks: h84E8AA13025 found in Infinite-Monkeys

Mike

From raymond at PROLOCATION.NET Thu Sep 4 22:44:57 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:47 2006
Subject: Has anyone else noticed...
In-Reply-To: <003501c3732d$3f27ee90$640ba8c0@home.middlefinger.net>
Message-ID:

Hi!

> an increase in hits from Infinite-Monkeys today? I even went to their site
> and checked my IP's because mail between my own servers was being tagged as
> spam.
>
> RBL checks: h84E8AA13025 found in Infinite-Monkeys

No really, for today:

5702 spamcop.net
4484 NJABL
4459 Easynet-DNSBL
2551 RFC-IGNORANT-POSTMASTER
2527 RFC-IGNORANT-ABUSE
1970 Infinite-Monkeys
1746 spamhaus.org
1533 Easynet-Proxies
1291 Easynet-Dynablock
880 RFC-IGNORANT-DSN
697 RFC-IGNORANT-WHOIS
188 ORDB-RBL

Did they list your netblock ?

Bye,
Raymond.

From mike at CAMAROSS.NET Thu Sep 4 23:15:40 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Has anyone else noticed...
In-Reply-To:
Message-ID: <004d01c37332$13815d30$640ba8c0@home.middlefinger.net>

My netblock was NOT listed and the site said it had never been listed. Got the same response for several other IP's I checked that had been tagged as Spam for a hit on Monkeys.com. None of them had been listed ever.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
Sent: Thursday, September 04, 2003 4:45 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Has anyone else noticed...

Hi!

> an increase in hits from Infinite-Monkeys today? I even went to their
> site and checked my IP's because mail between my own servers was being
> tagged as spam.
>
> RBL checks: h84E8AA13025 found in Infinite-Monkeys

No really, for today:

5702 spamcop.net
4484 NJABL
4459 Easynet-DNSBL
2551 RFC-IGNORANT-POSTMASTER
2527 RFC-IGNORANT-ABUSE
1970 Infinite-Monkeys
1746 spamhaus.org
1533 Easynet-Proxies
1291 Easynet-Dynablock
880 RFC-IGNORANT-DSN
697 RFC-IGNORANT-WHOIS
188 ORDB-RBL

Did they list your netblock ?

Bye,
Raymond.

From sevans at FOUNDATION.SDSU.EDU Fri Sep 5 00:36:19 2003
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:19:47 2006
Subject: MailScanner and Exchange
Message-ID: <95B481BA6D181A4685081D263BF9A13A195E9C@mail.foundation.sdsu.edu>

Has anyone found a way to have MailScanner protect messages sent between Exchange users? I've been trying to come up with a way for every message that is sent to be routed through our MailScanner boxes, even if the message is sent between two users on the same Exchange server.

Steve Evans
SDSU Foundation

From TGFurnish at HERFF-JONES.COM Fri Sep 5 00:37:37 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:47 2006
Subject: Mail Not Routing, stuck in /var/spool/mqueue.in {Scanned by H JMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1BA0@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Keith Edmunds [mailto:keith@MIDNIGHTHAX.COM]
>
> - saves all that hassle with precisely _which_ key is the backtick.

Um, was that supposed to be a curly brace or a paren? ;^)

Just kidding. Good point - thanks.

--
Trever

From anders.andersson at LTKALMAR.SE Fri Sep 5 00:50:43 2003
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:47 2006
Subject: SV: MailScanner and Exchange
Message-ID:

As far as I know it doesn't sound like anything exchange would do... maybe if you come up with a routing rule but I think it would skip that. That would mean defeating the whole purpose of using that kind of database they use. I guess in a small environment it would be ok but not if you wanna keep the database efficient.

The cheapest way to protect would probably be buying a licence from CA. Can't compare to Antigen but at least you would have a virus scanner running your exchange computer for about 100$ or so.

I can't say for exch2k but I doubt it's possible, doesn't sound like something MS even would try to make possible, though I might be wrong.

> -----Original Message-----
> From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU]
> Sent: 5 September 2003 01:36
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner and Exchange
>
>
> Has anyone found a way to have MailScanner protect messages
> sent between Exchange users? I've been trying to come up
> with a way for every message that is sent to be routed
> through our MailScanner boxes, even if the message is sent
> between two users on the same Exchange server.
>
> Steve Evans
> SDSU Foundation
>

From errol.neal at ENHTECH.COM Fri Sep 5 01:47:18 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:47 2006
Subject: MailScanner Error
Message-ID: <5.1.0.14.0.20030904195130.042fccf0@mail.enhtech.com>

Hi all,

I just had a problem with my MailScanner that I fixed. I think this should be added to the FAQ or something because the fix to the problem was not very apparent...

I am running MailScanner-4.22-4 on Solaris9 Sparc. The problem I ran into was when my system had just come back from a reboot, I was unable to start the MailScanner. It exited with this error:

length is 0, should be 4 at Socket.pm

which was directed at the Socket.pm file in my perl Installation. I did a search in the MailScanner archives and located this:

"
From: Frank Cheong
Subject: Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4

Recently, I have just installed MailScanner, Perl 5.8.0 and all related components according to the mailscanner installation guide onto my Solaris

"Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4 at /usr/local/lib/perl5/5.8.0/sun4-solaris/Socket.pm line 373."

What is the problem ? I have tried to telnet localhost 514 which is the syslog port and the following message reported

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

I also checked that the below line is inside /etc/service

syslog 514/udp

Can I assume my solaris syslog configuration ok and it is the problem of the perl installation instead ?
"

His Problem was that he was trying to run the sophos-autoupdate script. My problem was with starting the MailScanner. So I tried to start the auto-update script to see if I would get an error. The sophos-autoupdate script also exited with an error, but this time the error mentioned the old hostname of my system that I THOUGHT I HAD CHANGED.

When I initially setup my system, I did so using a temporary name. Not knowing the ins and outs of Solaris, I guess I did it incompletely because the system would configure itself with the old hostname after reboot. I changed my hostname back to the entries that I had in my /etc/hosts file and my /etc/hostname.dmfe0 file using the 'hostname' command and restarted MailScanner.. It started with no problems.. Then I modified all the files that mentioned the old hostname and restarted my server.. no issues...

So the problem was with the MailScanner being unable to resolve my invalid system name.... (I think)

Anyways, hope that helps someone in the future..

Regards,
Errol U. Neal

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From postmaster at hull.tradelair.com Fri Sep 5 02:45:17 2003
From: postmaster at hull.tradelair.com (MailScanner)
Date: Thu Jan 12 21:19:47 2006
Subject: Warning: E-mail viruses detected
Message-ID: <200309050145.h851jHD19730@hull.tradelair.com>

Our virus detector has just been triggered by a message you sent:-
  To: eferret@xbox-cheat-codes.com
  Subject: Re: Wicked screensaver
  Date: Thu Sep 4 21:45:17 2003
Any infected parts of the message (your_document.pif) have not been delivered.

This message is simply to warn you that your computer system may have a virus present and should be checked.

The virus detector said this about the message:
Report: your_document.pif contains Worm.Sobig.F
Shortcuts to MS-Dos programs are very dangerous in email (your_document.pif)

--
MailScanner
Email Virus Scanner
www.mailscanner.info
Mailscanner thanks transtec Computers for their support

From smohan at VSNL.COM Fri Sep 5 03:55:54 2003
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:19:47 2006
Subject: Feature request
Message-ID:

This feature request culminated from the Sobig virus experience. MS caught Sobig using filename checks even though the scanners were a little late in coming up with a fix. This sent out notification messages. Even though I did not get the virus, I got a load of notification messages. I did not want to turn notification/deliver disinfected message off lest I miss some other stuff. The ruleset of Silent virus does not apply to filename checks.

It would be great if the ruleset engine can allow usage of other headers. E.g. Subject and X-MailScanner.

Subject contains "details" and X-Mailscanner contains "found to be infected" action- do not notify
default notify.

AFAIK, this is not possible currently. Am I right?

Regards
Mohan

From david at PLATFORMHOSTING.COM Fri Sep 5 04:01:37 2003
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To:
References:
Message-ID: <3F57FC91.3010407@platformhosting.com>

Hi All,

A little off topic, but we've started noticing about a 10 fold increase in Sobig.F traffic over the last 48 hours.

Is anyone else noticing this?
--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

========================================================================
This message has been scanned for viruses and unsafe content by Platform Mail Security

To report SPAM forward the message to: spam@mailsecurity.net.au
To report incorrectly tagged messages: notspam@mailsecurity.net.au

Platform Mail Security www.mailsecurity.net.au
Platform Hosting www.platformhosting.com
========================================================================

From smohan at VSNL.COM Fri Sep 5 04:18:15 2003
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:19:47 2006
Subject: Feature request
In-Reply-To:
Message-ID:

I'm on 4.03 I think. Thanks for the clarification.

Regards
Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby
Sent: Friday, September 05, 2003 8:29 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Feature request

What version are you using? It was recently added in the latest revs

Notify Senders Of Blocked Filenames Or Filetypes = yes

-----Original Message-----
From: S Mohan [mailto:smohan@VSNL.COM]
Sent: Thursday, September 04, 2003 10:56 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Feature request

This feature request culminated from the Sobig virus experience. MS caught Sobig using filename checks even though the scanners were a little late in coming up with a fix. This sent out notification messages. Even though I did not get the virus, I got a load of notification messages. I did not want to turn notification/deliver disinfected message off lest I miss some other stuff. The ruleset of Silent virus does not apply to filename checks.

It would be great if the ruleset engine can allow usage of other headers. E.g. Subject and X-MailScanner.

Subject contains "details" and X-Mailscanner contains "found to be infected" action- do not notify
default notify.

AFAIK, this is not possible currently. Am I right?

Regards
Mohan

From mike at CAMAROSS.NET Fri Sep 5 04:18:31 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To: <3F57FC91.3010407@platformhosting.com>
Message-ID: <00ae01c3735c$626ef450$640ba8c0@home.middlefinger.net>

The flow here has been trickling but steady. I am blocking LOTS of them with a sendmail rule though, so they never even make it to MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
Sent: Thursday, September 04, 2003 10:02 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sobig.F resurgence

Hi All,

A little off topic, but we've started noticing about a 10 fold increase in Sobig.F traffic over the last 48 hours.

Is anyone else noticing this?
--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

From david at PLATFORMHOSTING.COM Fri Sep 5 04:16:23 2003
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To: <00ae01c3735c$626ef450$640ba8c0@home.middlefinger.net>
References: <00ae01c3735c$626ef450$640ba8c0@home.middlefinger.net>
Message-ID: <3F580007.5040508@platformhosting.com>

So it doesn't sound like you're seeing this then:

http://www.platformhosting.com/mailscanner-mrtg/virus/virus.html

I wonder if it is a new variant or something?

--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

Mike Kercher wrote:
> The flow here has been trickling but steady. I am blocking LOTS of them
> with a sendmail rule though, so they never even make it to MailScanner.
>
> Mike
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
> Sent: Thursday, September 04, 2003 10:02 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Sobig.F resurgence
>
>
> Hi All,
>
> A little off topic, but we've started noticing about a 10 fold increase in
> Sobig.F traffic over the last 48 hours.
>
> Is anyone else noticing this?
> --
> Regards,
>
> David Hooton
> Senior Partner
> Platform Hosting
> 1300 85 HOST
> www.platformhosting.com

From nathan at TCPNETWORKS.NET Fri Sep 5 04:25:24 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
Message-ID:

Mike,

Just curious... What Sendmail rule are you using to block them? We've been rejecting the most offending IP addresses with the access database, but as you might expect... It's a little like a moving target.

Nathan

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Thursday, September 04, 2003 8:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

The flow here has been trickling but steady. I am blocking LOTS of them with a sendmail rule though, so they never even make it to MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
Sent: Thursday, September 04, 2003 10:02 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sobig.F resurgence

Hi All,

A little off topic, but we've started noticing about a 10 fold increase in Sobig.F traffic over the last 48 hours.

Is anyone else noticing this?
--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

From mike at CAMAROSS.NET Fri Sep 5 04:36:19 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To: <3F580007.5040508@platformhosting.com>
Message-ID: <00b001c3735e$dee89390$640ba8c0@home.middlefinger.net>

I can't even connect to platformhosting.com period :)

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
Sent: Thursday, September 04, 2003 10:16 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

So it doesn't sound like you're seeing this then:

http://www.platformhosting.com/mailscanner-mrtg/virus/virus.html

I wonder if it is a new variant or something?

--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

Mike Kercher wrote:
> The flow here has been trickling but steady. I am blocking LOTS of
> them with a sendmail rule though, so they never even make it to
> MailScanner.
>
> Mike
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
> Sent: Thursday, September 04, 2003 10:02 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Sobig.F resurgence
>
>
> Hi All,
>
> A little off topic, but we've started noticing about a 10 fold
> increase in Sobig.F traffic over the last 48 hours.
>
> Is anyone else noticing this?
> --
> Regards,
>
> David Hooton
> Senior Partner
> Platform Hosting
> 1300 85 HOST
> www.platformhosting.com

From mike at CAMAROSS.NET Fri Sep 5 04:39:35 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To:
Message-ID: <00b101c3735f$53743d40$640ba8c0@home.middlefinger.net>

In sendmail.mc, I added this:

LOCAL_RULESETS
# Reject all mail with Sobig subjects.
HSubject: $>Check_subject
D{Msobig1}That movie
D{Msobig2}Wicked screensaver
D{Msobig3}Your application
D{Msobig4}Approved
D{Msobig5}My details
D{Msobig6}Details
D{Msobig7}Thank you!
D{Msobig8}Returned mail: see transcript for details
D{Mmsg} Possible Sobig-F Virus - Please change subject

SCheck_subject
R${Msobig1} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig1} $*	$#error $: 550 ${Mmsg}
R${Msobig2} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig2} $*	$#error $: 550 ${Mmsg}
R${Msobig3} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig3} $*	$#error $: 550 ${Mmsg}
R${Msobig4} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig4} $*	$#error $: 550 ${Mmsg}
R${Msobig5} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig5} $*	$#error $: 550 ${Mmsg}
R${Msobig6} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig6} $*	$#error $: 550 ${Mmsg}
R${Msobig7} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig7} $*	$#error $: 550 ${Mmsg}
R${Msobig8} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig8} $*	$#error $: 550 ${Mmsg}

This was suggested on the list several days back and has been working very well. May I remind you that the white gaps in text above are tabs and not simply spaces. Run your .mc through m4 and then restart MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson
Sent: Thursday, September 04, 2003 10:25 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

Mike,

Just curious... What Sendmail rule are you using to block them? We've been rejecting the most offending IP addresses with the access database, but as you might expect... It's a little like a moving target.

Nathan

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Thursday, September 04, 2003 8:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

The flow here has been trickling but steady. I am blocking LOTS of them with a sendmail rule though, so they never even make it to MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
Sent: Thursday, September 04, 2003 10:02 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sobig.F resurgence

Hi All,

A little off topic, but we've started noticing about a 10 fold increase in Sobig.F traffic over the last 48 hours.

Is anyone else noticing this?
--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

From nathan at TCPNETWORKS.NET Fri Sep 5 04:38:44 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
Message-ID:

Actually, I remember seeing this but glossed over it for some reason. Do you know if this will work specifically in only certain Sendmail versions... We're a little outdated with Sendmail 8.11.6, but would love to utilize it.

Nathan

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Thursday, September 04, 2003 8:40 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

In sendmail.mc, I added this:

LOCAL_RULESETS
# Reject all mail with Sobig subjects.
HSubject: $>Check_subject
D{Msobig1}That movie
D{Msobig2}Wicked screensaver
D{Msobig3}Your application
D{Msobig4}Approved
D{Msobig5}My details
D{Msobig6}Details
D{Msobig7}Thank you!
D{Msobig8}Returned mail: see transcript for details
D{Mmsg} Possible Sobig-F Virus - Please change subject

SCheck_subject
R${Msobig1} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig1} $*	$#error $: 550 ${Mmsg}
R${Msobig2} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig2} $*	$#error $: 550 ${Mmsg}
R${Msobig3} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig3} $*	$#error $: 550 ${Mmsg}
R${Msobig4} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig4} $*	$#error $: 550 ${Mmsg}
R${Msobig5} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig5} $*	$#error $: 550 ${Mmsg}
R${Msobig6} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig6} $*	$#error $: 550 ${Mmsg}
R${Msobig7} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig7} $*	$#error $: 550 ${Mmsg}
R${Msobig8} $*	$#error $: 550 ${Mmsg}
RRE: ${Msobig8} $*	$#error $: 550 ${Mmsg}

This was suggested on the list several days back and has been working very well. May I remind you that the white gaps in text above are tabs and not simply spaces. Run your .mc through m4 and then restart MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson
Sent: Thursday, September 04, 2003 10:25 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

Mike,

Just curious... What Sendmail rule are you using to block them? We've been rejecting the most offending IP addresses with the access database, but as you might expect... It's a little like a moving target.

Nathan

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Thursday, September 04, 2003 8:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

The flow here has been trickling but steady. I am blocking LOTS of them with a sendmail rule though, so they never even make it to MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
Sent: Thursday, September 04, 2003 10:02 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sobig.F resurgence

Hi All,

A little off topic, but we've started noticing about a 10 fold increase in Sobig.F traffic over the last 48 hours.

Is anyone else noticing this?
--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

From mike at CAMAROSS.NET Fri Sep 5 04:52:22 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To:
Message-ID: <00b701c37361$1d998c50$640ba8c0@home.middlefinger.net>

I am using sendmail-8.11.6-25.72 on a RHAS 2.1 box. I don't think it worked on a RH6.1 box with sendmail-8.11.6-1.62.3

Plug it into your .mc and see if it works...send yourself a test message with an offensive subject and watch your maillog. You'll know very quickly whether it will or will not work. If it doesn't work, just remove the lines from your .mc and remake your sendmail.cf and restart MailScanner again.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson Sent: Thursday, September 04, 2003 10:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence Actually, I remembering seeing this but glossed over it for some reason. Do you know if this will work specifically in only certain Sendmail versions... We're a little outdated with Sendmail 8.11.6, but would love to utilize it. Nathan -----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Thursday, September 04, 2003 8:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence In sendmail.mc, I added this: LOCAL_RULESETS # Reject all mail with Sobig subjects. HSubject: $>Check_subject D{Msobig1}That movie D{Msobig2}Wicked screensaver D{Msobig3}Your application D{Msobig4}Approved D{Msobig5}My details D{Msobig6}Details D{Msobig7}Thank you! D{Msobig8}Returned mail: see transcript for details D{Mmsg} Possible Sobig-F Virus - Please change subject SCheck_subject R${Msobig1} $* $#error $: 550 ${Mmsg} RRE: ${Msobig1} $* $#error $: 550 ${Mmsg} R${Msobig2} $* $#error $: 550 ${Mmsg} RRE: ${Msobig2} $* $#error $: 550 ${Mmsg} R${Msobig3} $* $#error $: 550 ${Mmsg} RRE: ${Msobig3} $* $#error $: 550 ${Mmsg} R${Msobig4} $* $#error $: 550 ${Mmsg} RRE: ${Msobig4} $* $#error $: 550 ${Mmsg} R${Msobig5} $* $#error $: 550 ${Mmsg} RRE: ${Msobig5} $* $#error $: 550 ${Mmsg} R${Msobig6} $* $#error $: 550 ${Mmsg} RRE: ${Msobig6} $* $#error $: 550 ${Mmsg} R${Msobig7} $* $#error $: 550 ${Mmsg} RRE: ${Msobig7} $* $#error $: 550 ${Mmsg} R${Msobig8} $* $#error $: 550 ${Mmsg} RRE: ${Msobig8} $* $#error $: 550 ${Mmsg} This was suggested on the list several days back and has been working very well. May I remind you that the white gaps in text above are tabs and not simply spaces. Run your .mc through m4 and then restart MailScanner. Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson Sent: Thursday, September 04, 2003 10:25 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence Mike, Just curious... What Sendmail rule are you using to block them? We've been rejecting the most offending IP addresses with the access database, but as you might expect... It's a little like a moving target. Nathan -----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Thursday, September 04, 2003 8:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence The flow here has been trickling but steady. I am blocking LOTS of tehm with a sendmail rule though, so they never even make it to MailScanner. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton Sent: Thursday, September 04, 2003 10:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sobig.F resurgence Hi All, A little off topic, but we've started noticing about a 10 fold increase in Sobig.F traffic over the last 48 hours. Is anyone else noticing this? -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com ======================================================================== This message has been scanned for viruses and unsafe content by Platform Mail Security To report SPAM forward the message to: spam@mailsecurity.net.au To report incorrectly tagged messages: notspam@mailsecurity.net.au Platform Mail Security www.mailsecurity.net.au Platform Hosting www.platformhosting.com ======================================================================== From mike at CAMAROSS.NET Fri Sep 5 04:55:56 2003 
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To:
Message-ID: <00c601c37361$9c63bd30$640ba8c0@home.middlefinger.net>

Here's what a maillog entry looks like:

Sep 4 22:46:13 genesis sendmail[26183]: h853kBb26183: ruleset=Check_subject, arg1=Re: Thank you!, relay=adsl-65-69-4-238.dsl.hstntx.swbell.net [65.69.4.238], reject=550 5.0.0 Possible Sobig-F Virus - Please change subject

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson
Sent: Thursday, September 04, 2003 10:39 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

Actually, I remember seeing this but glossed over it for some reason. Do you know if this will work specifically in only certain Sendmail versions... We're a little outdated with Sendmail 8.11.6, but would love to utilize it.

Nathan

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Thursday, September 04, 2003 8:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence In sendmail.mc, I added this: LOCAL_RULESETS # Reject all mail with Sobig subjects. HSubject: $>Check_subject D{Msobig1}That movie D{Msobig2}Wicked screensaver D{Msobig3}Your application D{Msobig4}Approved D{Msobig5}My details D{Msobig6}Details D{Msobig7}Thank you! D{Msobig8}Returned mail: see transcript for details D{Mmsg} Possible Sobig-F Virus - Please change subject SCheck_subject R${Msobig1} $* $#error $: 550 ${Mmsg} RRE: ${Msobig1} $* $#error $: 550 ${Mmsg} R${Msobig2} $* $#error $: 550 ${Mmsg} RRE: ${Msobig2} $* $#error $: 550 ${Mmsg} R${Msobig3} $* $#error $: 550 ${Mmsg} RRE: ${Msobig3} $* $#error $: 550 ${Mmsg} R${Msobig4} $* $#error $: 550 ${Mmsg} RRE: ${Msobig4} $* $#error $: 550 ${Mmsg} R${Msobig5} $* $#error $: 550 ${Mmsg} RRE: ${Msobig5} $* $#error $: 550 ${Mmsg} R${Msobig6} $* $#error $: 550 ${Mmsg} RRE: ${Msobig6} $* $#error $: 550 ${Mmsg} R${Msobig7} $* $#error $: 550 ${Mmsg} RRE: ${Msobig7} $* $#error $: 550 ${Mmsg} R${Msobig8} $* $#error $: 550 ${Mmsg} RRE: ${Msobig8} $* $#error $: 550 ${Mmsg} This was suggested on the list several days back and has been working very well. May I remind you that the white gaps in text above are tabs and not simply spaces. Run your .mc through m4 and then restart MailScanner. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson Sent: Thursday, September 04, 2003 10:25 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence Mike, Just curious... What Sendmail rule are you using to block them? We've been rejecting the most offending IP addresses with the access database, but as you might expect... It's a little like a moving target. Nathan -----Original Message----- 
From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Thursday, September 04, 2003 8:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F resurgence The flow here has been trickling but steady. I am blocking LOTS of tehm with a sendmail rule though, so they never even make it to MailScanner. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton Sent: Thursday, September 04, 2003 10:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sobig.F resurgence Hi All, A little off topic, but we've started noticing about a 10 fold increase in Sobig.F traffic over the last 48 hours. Is anyone else noticing this? -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com ======================================================================== This message has been scanned for viruses and unsafe content by Platform Mail Security To report SPAM forward the message to: spam@mailsecurity.net.au To report incorrectly tagged messages: notspam@mailsecurity.net.au Platform Mail Security www.mailsecurity.net.au Platform Hosting www.platformhosting.com ======================================================================== From sevans at FOUNDATION.SDSU.EDU Fri Sep 5 05:24:07 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:19:47 2006 Subject: RPM Install - Compile Only Message-ID: <95B481BA6D181A4685081D263BF9A13A195E9E@mail.foundation.sdsu.edu> Is there a way to run install.sh and have it stop once everything is compiled, and then run install.sh which will then just install MailScanner without needing to compile it? I need to install MailScanner on quite a few identical machines, and it takes a long time for everything to compile compared to how long it should take just to install it. Steve Evans SDSU Foundation From brose at MED.WAYNE.EDU Fri Sep 5 05:43:58 2003 
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
Message-ID:

Check your logs to see if you can determine who it is. It may just be one or two systems pounding the heck out of you. I found a comcast.net host that was hitting me close to 3000 times on Monday and blocked it at the firewall. I also started using the dynablock.easynet.nl RBL which is similar to the MAPS-DUL RBL where it has listings of the DHCP netblocks used by ISPs for dialup, ADSL, etc. basically all those stupid home users with infected machines which should be directly sending messages anyway.

-----Original Message-----
From: David Hooton [mailto:david@PLATFORMHOSTING.COM]
Sent: Thursday, September 04, 2003 11:16 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence

So it doesn't sound like you're seeing this then:

http://www.platformhosting.com/mailscanner-mrtg/virus/virus.html

I wonder if it is a new variant or something?
--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

Mike Kercher wrote:
> The flow here has been trickling but steady. I am blocking LOTS of
> them with a sendmail rule though, so they never even make it to
> MailScanner.
>
> Mike
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of David Hooton
> Sent: Thursday, September 04, 2003 10:02 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Sobig.F resurgence
>
>
> Hi All,
>
> A little off topic, but we've started noticing about a 10 fold
> increase in Sobig.F traffic over the last 48 hours.
>
> Is anyone else noticing this?
> --
> Regards,
>
> David Hooton
> Senior Partner
> Platform Hosting
> 1300 85 HOST
> www.platformhosting.com

From smohan at VSNL.COM Fri Sep 5 06:03:20 2003
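Added example, not part of any list message and not MailScanner or sendmail code: a Python script that parses reject entries of the form Mike quoted and tallies them per relay IP, which is the log check Bobby suggests. Every log line except the first is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Field layout follows the maillog entry quoted in the thread:
#   <date> <host> sendmail[pid]: <qid>: ruleset=R, arg1=<Subject>,
#   relay=<name> [ip], reject=<reply>
# arg1 is the sender-controlled Subject, so it is matched greedily: the relay
# is always taken from the LAST ", relay=" on the line, and a Subject that
# embeds its own ", relay=... [ip], reject=" text cannot forge the source.
# Assumption: IPv4 relays only, as in the thread's sample entry.
REJECT_RE = re.compile(
    r"^(?P<when>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"sendmail\[\d+\]:\s+(?P<qid>\w+):\s+"
    r"ruleset=(?P<ruleset>\w+),\s+arg1=(?P<subject>.*),\s+"
    r"relay=(?:(?P<name>\S+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\],\s+"
    r"reject=(?P<reject>.*)$"
)

REPLY = "550 5.0.0 Possible Sobig-F Virus - Please change subject"

# The entry exactly as quoted in the thread.
PAGE_LINE = (
    "Sep 4 22:46:13 genesis sendmail[26183]: h853kBb26183: "
    "ruleset=Check_subject, arg1=Re: Thank you!, "
    "relay=adsl-65-69-4-238.dsl.hstntx.swbell.net [65.69.4.238], "
    "reject=" + REPLY
)

# Constructed lines (documentation address ranges, made-up queue ids).
SAMPLE_LOG = [
    PAGE_LINE,
    "Sep 4 22:46:40 genesis sendmail[26185]: h853kCb26185: "
    "ruleset=Check_subject, arg1=Re: Details, "
    "relay=host-a.example.net [198.51.100.23], reject=" + REPLY,
    "Sep 4 22:46:52 genesis sendmail[26187]: h853kDb26187: "
    "ruleset=Check_subject, arg1=Re: Details, "
    "relay=host-a.example.net [198.51.100.23], reject=" + REPLY,
    # Subject crafted to look like a second relay/reject pair.
    "Sep 4 22:47:05 genesis sendmail[26189]: h853kEb26189: "
    "ruleset=Check_subject, arg1=Re: Approved, relay=mx.example.org "
    "[203.0.113.9], reject=550 x, "
    "relay=host-a.example.net [198.51.100.23], reject=" + REPLY,
    # A reject from a different ruleset: parsed, but not counted.
    "Sep 4 22:48:02 genesis sendmail[26201]: h853m1b26201: "
    "ruleset=check_rcpt, arg1=<user@example.com>, "
    "relay=host-b.example.net [192.0.2.50], "
    "reject=550 5.7.1 <user@example.com>... Relaying denied",
    # An ordinary delivery line: not a reject, so it does not parse.
    "Sep 4 22:47:01 genesis sendmail[26190]: h853l0b26190: "
    "from=<a@example.com>, size=1234, class=0, nrcpts=1, "
    "relay=host-c.example.net [192.0.2.77]",
]


def parse_reject(line):
    """Return the fields of one ruleset reject entry, or None."""
    m = REJECT_RE.match(line.strip())
    return m.groupdict() if m else None


def tally_rejects(lines, ruleset="Check_subject"):
    """Count rejects per relay IP for one ruleset, with the subjects seen."""
    hits = Counter()
    subjects = defaultdict(Counter)
    for line in lines:
        rec = parse_reject(line)
        if rec is None or rec["ruleset"] != ruleset:
            continue
        hits[rec["ip"]] += 1
        subjects[rec["ip"]][rec["subject"]] += 1
    return hits, subjects


def heavy_hitters(lines, min_hits=3, ruleset="Check_subject"):
    """List (ip, count, most frequent subject) for relays at or over min_hits."""
    hits, subjects = tally_rejects(lines, ruleset)
    return [
        (ip, n, subjects[ip].most_common(1)[0][0])
        for ip, n in hits.most_common()
        if n >= min_hits
    ]


if __name__ == "__main__":
    for ip, n, subject in heavy_hitters(SAMPLE_LOG, min_hits=3):
        print(f"{ip}\t{n} rejects\tmost common subject: {subject!r}")
```

The addresses it reports are candidates for review before anything goes into the access database or a firewall rule, since one relay can front many unrelated senders.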
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:19:47 2006
Subject: Feature request
In-Reply-To:
Message-ID:

This still does not allow rules based on Subject field (rules take only To and From field from the envelope).

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rose, Bobby
Sent: Friday, September 05, 2003 8:29 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Feature request

What version are you using? It was recently added in the latest revs

Notify Senders Of Blocked Filenames Or Filetypes = yes

-----Original Message-----
From: S Mohan [mailto:smohan@VSNL.COM]
Sent: Thursday, September 04, 2003 10:56 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Feature request

This feature request culminated from the Sobig virus experience. MS caught Sobig using filename checks even though the scanners were a little late in coming up with a fix. This sent out notification messages. Even though I did not get the virus, I got a load of notification messages. I did not want to turn notification/deliver disinfected message off lest I miss some other stuff. The ruleset of Silent virus does not apply to filename checks.

It would be great if the ruleset engine can allow usage of other headers. E.g. Subject and X-MailScanner.

Subject contains "details" and X-Mailscanner contains "found to be infected" action- do not notify
default notify.

AFAIK, this is not possible currently. Am I right?

Regards
Mohan

From jrudd at UCSC.EDU Fri Sep 5 06:23:32 2003
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:19:47 2006 Subject: Sobig.F resurgence In-Reply-To: Message-ID: <1707FBA8-DF61-11D7-B2D5-003065F939FE@ucsc.edu> I was the original author, and I'm still using sendmail 8.10.something. So I would expect it would work on 8.11.x. On Thursday, Sep 4, 2003, at 20:38 US/Pacific, Nathan Johanson wrote: > > Actually, I remembering seeing this but glossed over it for some > reason. > Do you know if this will work specifically in only certain Sendmail > versions... We're a little outdated with Sendmail 8.11.6, but would > love > to utilize it. > > Nathan > > -----Original Message----- 
> From: Mike Kercher [mailto:mike@CAMAROSS.NET] > Sent: Thursday, September 04, 2003 8:40 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sobig.F resurgence > > > In sendmail.mc, I added this: > > > LOCAL_RULESETS > > # Reject all mail with Sobig subjects. > HSubject: $>Check_subject > D{Msobig1}That movie > D{Msobig2}Wicked screensaver > D{Msobig3}Your application > D{Msobig4}Approved > D{Msobig5}My details > D{Msobig6}Details > D{Msobig7}Thank you! > D{Msobig8}Returned mail: see transcript for details > D{Mmsg} Possible Sobig-F Virus - Please change subject > > SCheck_subject > R${Msobig1} $* $#error $: 550 ${Mmsg} > RRE: ${Msobig1} $* $#error $: 550 ${Mmsg} > R${Msobig2} $* $#error $: 550 ${Mmsg} > RRE: ${Msobig2} $* $#error $: 550 ${Mmsg} > R${Msobig3} $* $#error $: 550 ${Mmsg} > RRE: ${Msobig3} $* $#error $: 550 ${Mmsg} > R${Msobig4} $* $#error $: 550 ${Mmsg} > RRE: ${Msobig4} $* $#error $: 550 ${Mmsg} > R${Msobig5} $* $#error $: 550 ${Mmsg} > RRE: ${Msobig5} $* $#error $: 550 ${Mmsg} > R${Msobig6} $* $#error $: 550 ${Mmsg} > RRE: ${Msobig6} $* $#error $: 550 ${Mmsg} > R${Msobig7} $* $#error $: 550 ${Mmsg} > RRE: ${Msobig7} $* $#error $: 550 ${Mmsg} > R${Msobig8} $* $#error $: 550 ${Mmsg} > RRE: ${Msobig8} $* $#error $: 550 ${Mmsg} > > > This was suggested on the list several days back and has been working > very > well. > May I remind you that the white gaps in text above are tabs and not > simply > spaces. > Run your .mc through m4 and then restart MailScanner. > > Mike > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf > Of Nathan Johanson > Sent: Thursday, September 04, 2003 10:25 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sobig.F resurgence > > > Mike, > > Just curious... > What Sendmail rule are you using to block them? > We've been rejecting the most offending IP addresses with the access > database, but as you might expect... It's a little like a moving > target. > > Nathan > > -----Original Message----- > From: Mike Kercher [mailto:mike@CAMAROSS.NET] > Sent: Thursday, September 04, 2003 8:19 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sobig.F resurgence > > > The flow here has been trickling but steady. I am blocking LOTS of > tehm > with a sendmail rule though, so they never even make it to MailScanner. > > Mike > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf > Of David Hooton > Sent: Thursday, September 04, 2003 10:02 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Sobig.F resurgence > > > Hi All, > > A little off topic, but we've started noticing about a 10 fold increase > in > Sobig.F traffic over the last 48 hours. > > Is anyone else noticing this? > -- > Regards, > > David Hooton > Senior Partner > Platform Hosting > 1300 85 HOST > www.platformhosting.com > > > ======================================================================= > = > This message has been scanned for viruses and unsafe content by > Platform Mail Security > > To report SPAM forward the message to: spam@mailsecurity.net.au > To report incorrectly tagged messages: notspam@mailsecurity.net.au > > Platform Mail Security www.mailsecurity.net.au > Platform Hosting www.platformhosting.com > > ======================================================================= > = From lance at WARE.NET Fri Sep 5 06:51:56 2003 
From: lance at WARE.NET (Lance Ware) Date: Thu Jan 12 21:19:47 2006 Subject: Virus scanning/updates (clam) not happening after upgrade to 4.23-11 Message-ID: <200309050552.h855qor15702@ori.rl.ac.uk> Hi folks, I'm scratching my head. I recently upgraded from 4.22-5 to 4.23-11 and I seem to have lost my virus scanning and updates. Any hints or tips? My upgrade process including building a new box and moving my config files over. Thanks. Lance -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030904/39165847/attachment.html From Kevin.Spicer at BMRB.CO.UK Fri Sep 5 08:28:17 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:47 2006 Subject: MailScanner Error Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496A4@pascal.priv.bmrb.co.uk> Errol Neal wrote: > Hi all, > > I just had a problem with my MailScanner that I fixed. I think this > should be added to the FAQ or something Then add it, the FAQ is user editable. ;) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From brose at MED.WAYNE.EDU Fri Sep 5 03:58:48 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:19:47 2006 Subject: Feature request Message-ID: What version are you using? It was recently added in the latest revs Notify Senders Of Blocked Filenames Or Filetypes = yes -----Original Message----- 
From: S Mohan [mailto:smohan@VSNL.COM] Sent: Thursday, September 04, 2003 10:56 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Feature request This feature request culminated from the Sobig virus experience. MS caught Sobig using filename checks eventhough the scanners were a little late in coming up with a fix. This sent out notification messages. Even though I did not get the virus, I got a load of notification messages. I did not want to turn notification/deliver disinfected message off lest I miss some other stuff. The ruleset of Silent virus does not apply to filename checks. It would be great if the ruleset engine can allow usage of other headers. E.g. Subject and X-MailScanner. Subject contains "details" and X-Mailscanner contains "found to be infected" action- do not notify default notify. AFAIK, this is not possible currently. Am I right? Regards Mohan From rc at ITSS.NERC.AC.UK Fri Sep 5 08:48:46 2003 From: rc at ITSS.NERC.AC.UK (Ron Campbell) Date: Thu Jan 12 21:19:47 2006 Subject: Bounce messages - a warning Message-ID: <3F583FDE.4050602@itss.nerc.ac.uk> We had an unpleasant experience this week when one of our mail relays got into SPAMCOP. It turned out this was due to "bounce messages" (non-existent users etc) hitting their spam-traps (whatever they are ?) It emerged that their system ignores delivery failure notices if they have the following line in their headers - Content-type: multipart/report; report-type=delivery-status; This may be common knowledge to some people, but it was a new one on me !! Cheers ... Ron From mailscanner at ecs.soton.ac.uk Fri Sep 5 08:54:50 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: RPM Install - Compile Only In-Reply-To: <95B481BA6D181A4685081D263BF9A13A195E9E@mail.foundation.sds u.edu> Message-ID: <5.2.0.9.2.20030905085356.060b2838@imap.ecs.soton.ac.uk> At 05:24 05/09/2003, you wrote: >Is there a way to run install.sh and have it stop once everything is >compiled, and then run install.sh which will then just install >MailScanner without needing to compile it? I need to install >MailScanner on quite a few identical machines, and it takes a long time >for everything to compile compared to how long it should take just to >install it. No, you can't do it that way as some of the modules have to be installed before other modules will compile. If you want to speed it up, remove the "sleep" statements. Then it goes *much* faster, just you don't get much of a chance to see what happened. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Sep 5 08:46:03 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: MailScanner+PostFix ---- try this In-Reply-To: <229A346E44379140A59A48951B56E0C07A7E32@ARLABML01.DS.ARL.AR MY.MIL> Message-ID: <5.2.0.9.2.20030905084521.049f7ff8@imap.ecs.soton.ac.uk> All it made happen was that it wouldn't process a message until it had sat in the deferred queue for 3 seconds, it should still process them all but with a 3 second latency. Try reducing the 3 to 1 and see if that helps at all. At 21:54 04/09/2003, you wrote: >For me this seemed to cause lots of messages to get stuck in the >incoming deferred queue. There would be 200 or so messages in the >queue, but Mailscanner would only process 1 or 2 messages in each batch. >Once I removed the patch, it immediately processed all of the queued >messages in batches of 30. > > >Howard > > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, September 04, 2003 6:45 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner+PostFix ---- try this > > >Here's a patch to Postfix.pm. I know it's not exactly a neat solution to >the problem, but if it fixes it I will know I have found the problem. > >--- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 >+++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 >@@ -1132,6 +1132,9 @@ > #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; > while(defined($file = shift @SortedFiles) && > $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { >+ # Yes I know this is a hack but it will help isolate the >problem >+ next if $ModDate{$file} > time-3; >+ > # must separate next two lines or $1 gets re-tainted by being >part of > # same expression as $file [mumble mumble grrr mumble mumble] > #print STDERR "Reading file $file from list\n"; > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Sep 5 09:04:52 2003 
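Review bot: the added `next if $ModDate{$file} > time-3;` in the Postfix.pm `while` loop hard-codes the 3-second settle window and leaves no trace when it fires, so a queue stalled behind it (as in the report quoted above, 1 or 2 messages per batch) cannot be told apart from an empty one. `$file` has already been shifted off `@SortedFiles` when the `next` runs, so a skipped file is gone from this pass and is retried only if a later scan lists it again, which the hunk does not show. The test also compares file mtime against local `time`, so a queue directory whose clock runs ahead would hold mail back for as long as the skew lasts. Suggest a named, configurable delay in place of the literal 3, plus a debug line (in the style of the commented-out `print STDERR` calls nearby) each time a file is deferred. The quoted copy is also mail-wrapped: the word `problem` has dropped onto its own line without a leading `+`, so the patch will not apply as shown.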
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: Bounce messages - a warning In-Reply-To: <3F583FDE.4050602@itss.nerc.ac.uk> Message-ID: <5.2.0.9.2.20030905090352.04071ec0@imap.ecs.soton.ac.uk> I never use spamcop at all. Loads of people have reported that they will happily add any mail server listed in the headers of a message sent to them, whether the relaying was on their host or not. And it's very difficult to get off their list as well. It's one of the less useful lists. At 08:48 05/09/2003, you wrote: >We had an unpleasant experience this week when one of our mail relays >got into SPAMCOP. It turned out this was due to "bounce messages" >(non-existent users etc) hitting their spam-traps (whatever they are ?) > >It emerged that their system ignores delivery failure notices if they >have the following line in their headers - > >Content-type: multipart/report; report-type=delivery-status; > > >This may be common knowledge to some people, but it was a new one >on me !! > > > Cheers ... Ron -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Sep 5 08:53:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: Virus scanning/updates (clam) not happening after upgrade to 4.23-11 In-Reply-To: <200309050552.h855qor15702@ori.rl.ac.uk> Message-ID: <5.2.0.9.2.20030905085219.03f0cfd8@imap.ecs.soton.ac.uk> Look in /etc/MailScanner/lib and rename all the ".rpmnew" files over the top of your modified files. Then if you have the scanner installed in a non-default location (which is probably why you edited the scripts in the first place), edit /etc/MailScanner/virus.scanners.conf and fix the paths in there. I have moved all the configuration out of the scripts and into virus.scanners.conf to make things neater. At 06:51 05/09/2003, you wrote: >Hi folks, > > > >Im scratching my head. I recently upgraded from 4.22-5 to 4.23-11 and I >seem to have lost my virus scanning and updates. > > > >Any hints or tips? > > > >My upgrade process including building a new box and moving my config files >over. > > > >Thanks. > > > >Lance > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Sep 5 09:59:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:47 2006 Subject: Long time! A few questions when you have a minute... In-Reply-To: Message-ID: <5.2.0.9.2.20030905095812.03f7d8d8@imap.ecs.soton.ac.uk> At 10:38 04/09/2003, you wrote: >One thing I wanted to check with you is I wondered if you considered >making it possible to configure via filename/type rules which files to >delete and which to quarantine. The reason why I ask is that in the midst >of the Sobig exitement I actually had a partition fill due to mainly the >quarantined copies of the virus. Of course I removed a lot of this but I >thought that it might be useful to have a rule that prevented MailScanner >from saving .pif files for example, that are almost never anything but >viruses. Not a big deal but thought I'd mention it. Try out www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.24-1.tar.gz or www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.24-1.rpm.tar.gz or www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.24-1.suse.tar.gz It seems to work just fine for me. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Fri Sep 5 10:11:01 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:47 2006
Subject: Sobig.F resurgence
In-Reply-To:
Message-ID:

Hi!

> What Sendmail rule are you using to block them?
> We've been rejecting the most offending IP addresses with the access
> database, but as you might expect... It's a little like a moving target.

#
LOCAL_RULESETS
#
HSubject: $>Check_Subject
D{SobigPattern1}Re: That movie
D{SobigPattern2}Re: Wicked screensaver
D{SobigPattern3}Re: Your application
D{SobigPattern4}Re: Approved
D{SobigPattern5}Re: Re: My details
D{SobigPattern6}Re: Thank you!
D{SobigPattern7}Re: Details
D{SobigPattern8}Your details
D{SobigPattern9}Thank you!
D{SobigPattern10}Use this patch immediately !
D{SobigMesg}Hernoem het onderwerp van deze e-mail en stuur deze opnieuw. De omschrijving duidt mogelijk op een virus en is geblokkeerd. Please re-phrase the subject of this message and try again - Possible worm - BLOCKED - See http://www.multikabel.nl/viruswarning

SCheck_Subject
R${SobigPattern1}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern2}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern3}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern4}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern5}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern6}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern7}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern8}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern9}	$#error $@ 5.7.1 $: ${SobigMesg}
R${SobigPattern10}	$#error $@ 5.7.1 $: ${SobigMesg}

Bye,
Raymond.

From shrek-m at GMX.DE Fri Sep 5 10:01:50 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:19:47 2006
Subject: "Virus Scanners=" --> DOS-attack
Message-ID: <3F5850FE.50307@gmx.de>

hi,

with the wrong setting "Virus Scanners=" instead of "Virus Scanners = none"
mailscanner begins a DOS-attack
with the correct setting e.g. "none" or "sophos" mailscanner is working correctly.

is this reproducible on other systems?

$ rpm -q mailscanner
mailscanner-4.22-5
$ cat /etc/redhat-release
Red Hat Linux release 8.0 (Psyche)

- check your av-wrapper, e.g.
$ /usr/lib/MailScanner/sophos-wrapper /data4/doku/viren/eicar
>>> Virus 'EICAR-AV-Test' found in file /data4/doku/viren/eicar
1 file swept in 0 seconds.
1 virus was discovered.
1 file out of 1 was infected.

- set "Virus Scanners ="
$ grep "Virus Scanners" /etc/MailScanner/MailScanner.conf
# then set "Virus Scanners = none" instead.
# Virus Scanners = sophos f-prot mcafee
##Virus Scanners = none
##Virus Scanners = sophos
Virus Scanners =

- # service MailScanner restart
- send *1* infected email (or spam?) for testing to a local user-account
- the hdd begins immediately a never ending work
- wait a short time
- # service MailScanner stop
- the system calms down
- check your mailbox

Message 1842:
From postmaster@xp1800.localdomain Fri Sep 5 10:05:02 2003
Date: Fri, 5 Sep 2003 10:05:02 +0200
From: "MailScanner" To: postmaster@xp1800.localdomain Subject: {Virus?} Warning: E-mail viruses detected X-MailScanner-Information: Please contact the ISP for more information X-MailScanner: Found to be infected Content-Type: text/plain; charset="us-ascii"; name="VirusWarning.txt" Content-Disposition: inline; filename="VirusWarning.txt" Content-Transfer-Encoding: quoted-printable This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "the entire message" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Fri Sep 5 10:05:02 2003 the virus scanner said: Denial of Service attack in message! Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quaran= tine/20030905 (message h85852wQ002545). --=20 Postmaster Mailscanner thanks transtec Computers for their support -- shrek-m From raymond at PROLOCATION.NET Fri Sep 5 10:12:09 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:47 2006 Subject: Sobig.F resurgence In-Reply-To: Message-ID: Hi! > Actually, I remembering seeing this but glossed over it for some reason. > Do you know if this will work specifically in only certain Sendmail > versions... We're a little outdated with Sendmail 8.11.6, but would love > to utilize it. Should work. Bye, Raymond. From David.While at UCE.AC.UK Fri Sep 5 10:13:42 2003 
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:47 2006
Subject: ANNOUNCE: mailstats v0.24
Message-ID: <107DE25EC0216C45AEF670016024245F6F1C@exchangea.staff.uce.ac.uk>

I have just released V0.24 of mailstats.pl - this includes the facility to add persistent virus senders to the access list. At the moment it uses the same criteria as spam but I will be looking at providing separate values for the two in a later version.

NOTE: it currently requires Tony's patch detailed in http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0309&L=mailscanner&T=0&F=&S=&P=9827 to provide the log file entries. Once Julian releases the next version of MailScanner then this is incorporated.

Download as usual from http://www.while.homeunix.net/mailstats/

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/3bb308ba/attachment.html

From mailscanner at ecs.soton.ac.uk Fri Sep 5 10:16:44 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:47 2006
Subject: "Virus Scanners=" --> DOS-attack
In-Reply-To: <3F5850FE.50307@gmx.de>
Message-ID: <5.2.0.9.2.20030905101121.05df6cd8@imap.ecs.soton.ac.uk>

It's hardly a DoS attack, it's a case of me not checking the configuration
well enough. DoS attacks are generally attacks coming from outside. There
are a million packages that don't work well if you configure them wrong.
Setting up software wrong is not an "attack" of any sort, it's a screw-up
by the admin.

Anyway, the patch to add more checking is this:

--- SweepViruses.pm.old 2003-09-04 15:50:05.000000000 +0100 +++ SweepViruses.pm 2003-09-05 10:16:54.000000000 +0100 
@@ -573,6 +571,7 @@ $scannerlist = MailScanner::Config::Value('virusscanners'); $scannerlist =~ tr/,//d; + $scannerlist = "none" unless $scannerlist; # Catch empty setting @scanners = split(" ", $scannerlist); $counter = 0; At 10:01 05/09/2003, you wrote: >hi, > > >with the wrong setting "Virus Scanners=" >instead "Virus Scanners = none" >mailscanner begins a DOS-attack No, it stops working because you broke it. >with the correct seeting eg. "none" or "sophos" >mailscanner is working correct. > > > >is this reproducable on other sytems? > > > > >$ rpm -q mailscanner >mailscanner-4.22-5 >$ cat /etc/redhat-release >Red Hat Linux release 8.0 (Psyche) > > >- check your av-wrapper, eg. > >$ /usr/lib/MailScanner/sophos-wrapper /data4/doku/viren/eicar > >>> Virus 'EICAR-AV-Test' found in file /data4/doku/viren/eicar >1 file swept in 0 seconds. >1 virus was discovered. >1 file out of 1 was infected. > > >- set "Virus Scanners =" > >$grep "Virus Scanners" /etc/MailScanner/MailScanner.conf ># then set "Virus Scanners = none" instead. ># Virus Scanners = sophos f-prot mcafee >##Virus Scanners = none >##Virus Scanners = sophos >Virus Scanners = > > > >- # service MailScanner restart >- send *1* infected email (or spam?) for testing to an local user-account >- the hdd begins immediately a never ending work >- wait a short time >- # service MailScanner stop >- the system calmes down >- check your mailbox > > > >Message 1842: > From postmaster@xp1800.localdomain Fri Sep 5 10:05:02 2003 >Date: Fri, 5 Sep 2003 10:05:02 +0200 
>From: "MailScanner" >To: postmaster@xp1800.localdomain >Subject: {Virus?} Warning: E-mail viruses detected >X-MailScanner-Information: Please contact the ISP for more information >X-MailScanner: Found to be infected > >Content-Type: text/plain; charset="us-ascii"; name="VirusWarning.txt" >Content-Disposition: inline; filename="VirusWarning.txt" >Content-Transfer-Encoding: quoted-printable > >This is a message from the MailScanner E-Mail Virus Protection Service >---------------------------------------------------------------------- >The original e-mail attachment "the entire message" >was believed to be infected by a virus and has been replaced by this warning >message. > >If you wish to receive a copy of the *infected* attachment, please >e-mail helpdesk and include the whole of this message >in your request. Alternatively, you can call them, with >the contents of this message to hand when you call. > >At Fri Sep 5 10:05:02 2003 the virus scanner said: > Denial of Service attack in message! > >Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quaran= >tine/20030905 (message h85852wQ002545). >--=20 >Postmaster >Mailscanner thanks transtec Computers for their support > > > > >-- >shrek-m -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From P.G.M.Peters at utwente.nl Fri Sep 5 12:07:51 2003 
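Review bot: the added line `$scannerlist = "none" unless $scannerlist;` in Julian Field's patch above turns an empty "Virus Scanners" setting into "no virus scanning" without telling anyone, so a typo in MailScanner.conf quietly switches the virus check off. Log a warning at that point (or refuse to start) so the admin sees that the fallback was taken, and mention the fallback in the comment for the setting in MailScanner.conf.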
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:19:47 2006 Subject: Bounce messages - a warning In-Reply-To: <5.2.0.9.2.20030905090352.04071ec0@imap.ecs.soton.ac.uk> References: <3F583FDE.4050602@itss.nerc.ac.uk> <5.2.0.9.2.20030905090352.04071ec0@imap.ecs.soton.ac.uk> Message-ID: On Fri, 5 Sep 2003 09:04:52 +0100, you wrote: >I never use spamcop at all. Loads of people have reported that they will >happily add any mail server listed in the headers of a message sent to >them, whether the relaying was on their host or not. And it's very >difficult to get off their list as well. It's one of the less useful lists. But other people do and you could be blocked. As far as I know you can get on their list and you will be automatically deleted when (in a certain timeframe) your IP-address does not come up again. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From shrek-m at GMX.DE Fri Sep 5 12:11:34 2003 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:19:47 2006 Subject: "Virus Scanners=" --> DOS-attack In-Reply-To: <5.2.0.9.2.20030905101121.05df6cd8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030905101121.05df6cd8@imap.ecs.soton.ac.uk> Message-ID: <3F586F66.9060901@gmx.de> Julian Field wrote: > It's hardly a DoS attack, it's a case of me not checking the > configuration > well enough. DoS attacks are generally attacks coming from outside. There > are a million packages that don't work well if you configure them wrong. > Setting up software wrong is not an "attack" of any sort, it's a screw-up > by the admin. > > Anyway, the patch to add more checking is this: > > --- SweepViruses.pm.old 2003-09-04 15:50:05.000000000 +0100 > +++ SweepViruses.pm 2003-09-05 10:16:54.000000000 +0100 
> @@ -573,6 +571,7 @@ > > $scannerlist = MailScanner::Config::Value('virusscanners'); > $scannerlist =~ tr/,//d; > + $scannerlist = "none" unless $scannerlist; # Catch empty setting > @scanners = split(" ", $scannerlist); > $counter = 0; thanks, solved. # pwd /usr/lib/MailScanner/MailScanner # diff -Naur SweepViruses.pm.old SweepViruses.pm --- SweepViruses.pm.old 2003-09-05 11:37:14.000000000 +0200 +++ SweepViruses.pm 2003-09-05 12:32:31.000000000 +0200 @@ -538,6 +538,7 @@ $scannerlist = MailScanner::Config::Value('virusscanners'); $scannerlist =~ tr/,//d; + $scannerlist = "none" unless $scannerlist; # Catch empty setting @scanners = split(" ", $scannerlist); $counter = 0; > At 10:01 05/09/2003, you wrote: > >> [...] If you wish to receive a copy of the *infected* attachment, please >> e-mail helpdesk and include the whole of this message >> in your request. Alternatively, you can call them, with >> the contents of this message to hand when you call. >> >> At Fri Sep 5 10:05:02 2003 the virus scanner said: >> Denial of Service attack in message! > no "DOS attack" with misconfigured "Virus Scanners=" ;-) >> >> >> Note to Help Desk: Look on the MailScanner in >> /var/spool/MailScanner/quaran= >> tine/20030905 (message h85852wQ002545). >> --=20 >> Postmaster >> Mailscanner thanks transtec Computers for their support >> >> > -- shrek-m From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 12:11:46 2003 
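Review bot: the context line `$scannerlist =~ tr/,//d;` deletes commas instead of turning them into spaces, so a value such as `sophos,f-prot` reaches `split(" ", $scannerlist)` as the single name `sophosf-prot`. The new emptiness check also runs before the split, so a value made only of spaces still yields an empty `@scanners`. Consider `tr/,/ /` and testing the list after the split, for example `@scanners = ("none") unless @scanners;`.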
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:47 2006
Subject: Bounce messages - a warning
In-Reply-To:
References: <3F583FDE.4050602@itss.nerc.ac.uk> <5.2.0.9.2.20030905090352.04071ec0@imap.ecs.soton.ac.uk>
Message-ID: <200309051111.h85BBo500654@onyx.rockstone.co.uk>

On Friday 05 September 2003 12:07 pm, Peter Peters wrote:

> On Fri, 5 Sep 2003 09:04:52 +0100, you wrote:
> >I never use spamcop at all. Loads of people have reported that they will
> >happily add any mail server listed in the headers of a message sent to
> >them, whether the relaying was on their host or not. And it's very
> >difficult to get off their list as well. It's one of the less useful
> > lists.
>
> But other people do and you could be blocked.

This, IMHO, is a good reason to discourage other people from using it.

Antony.

--
If at first you don't succeed, destroy all the evidence that you tried.

From gerry at DORFAM.CA Fri Sep 5 12:56:54 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:19:47 2006
Subject: Virus scanning/updates (clam) not happening after upgrade to 4.23-11
In-Reply-To: <200309050552.h855qor15702@ori.rl.ac.uk>
Message-ID:

You really shouldn't post using html.

What virus scanner are you using?

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From steve.freegard at LBSLTD.CO.UK Fri Sep 5 13:08:47 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:19:47 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
Message-ID: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk>

Hi all,

I've (finally!) released a beta of 0.3 - you can download it from http://www.sourceforge.net/projects/mailwatch

If you haven't already noticed - the project has been moved to Sourceforge, so I encourage everyone who uses MailWatch to sign-up for the Mailing Lists that are available and to use the other features such as the Feature Requests, Bug Tracking, Forums and Patches from this point onward.

Changes in this release:

- New MailWatch.pm file that contains the MailWatch SQL Logging code.
- Changed the SQL Logging procedure names from SQLLogging to MailWatchLogging to save confusion as to which versions people are using.
- Updated MailWatchLogging procedures to better handle MySQL death and subsequent restart without needing to restart MailScanner.
- Message headers now displayed on the Message Detail page.
- OpenRBL lookup address fixed (OpenRBL had updated their site).
- Spam Action(s) displayed next to Spam/High Scoring Spam on the Message Detail page.
- New 'Quarantine Manager' allows quarantined messages to be released to recipient(s), deleted or learnt/unlearnt by SpamAssassin as Spam or Ham.
- Major speed-ups on page display.
- Added extra Virus regular expressions and modified the existing to drop the requirement of 'Include Scanner Name in Reports' in MailScanner.conf.
- New Sendmail inbound/outbound queue display.
- Fixed the display of the 'Blocked Files' percentage in Today's Totals.
- Fixed the volume display in the reports to use the average over the reporting period e.g. if you receive 500Mb of mail on average per day but you occasionally spike at 1Gb - the reports will display the volume in Mb.
- Added new 'MySQL status' page to the 'Other' page.
- Fixed 'SpamAssassin Rule Hits' report not displaying any data under some installations of MailScanner.
- New reports 'Top Mail Relays' and 'Top Sender Domains by Quantity/Volume'.
- Added 'hostname' to the list of available filters to allow people with multiple scanners report only on a specific one.

Kind regards,
Steve

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From mike at CAMAROSS.NET Fri Sep 5 13:30:27 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:47 2006
Subject: RPM Install - Compile Only
In-Reply-To: <95B481BA6D181A4685081D263BF9A13A195E9E@mail.foundation.sdsu.edu>
Message-ID: <00e101c373a9$7dc251a0$640ba8c0@home.middlefinger.net>

If the machines are identical, I'd run install.sh on one machine and then copy the newly compiled rpm's out of /usr/src/... and install them on the other machines without using the install.sh

After that, you should be able to install the mailscanner.rpm

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Evans
Sent: Thursday, September 04, 2003 11:24 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: RPM Install - Compile Only

Is there a way to run install.sh and have it stop once everything is compiled, and then run install.sh which will then just install MailScanner without needing to compile it? I need to install MailScanner on quite a few identical machines, and it takes a long time for everything to compile compared to how long it should take just to install it.

Steve Evans
SDSU Foundation

From KCollins at NESBITTENGINEERING.COM Fri Sep 5 13:27:25 2003
From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin)
Date: Thu Jan 12 21:19:47 2006
Subject: test
Message-ID: <2B1F39EA56FA7643A328F66521D41B760D3F@magellan.nesbitt.local>

I'm having trouble posting to the list - I'm trying a test.

--
Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.

From Chris.Campbell at FAC.COM Fri Sep 5 13:33:15 2003
From: Chris.Campbell at FAC.COM (Chris Campbell)
Date: Thu Jan 12 21:19:47 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
Message-ID:

Very nice... I *finally* got it hacked up enough to work on rh 7.2 and rh 7.3 (I was getting the same mysql server died error these bsd kids were getting)

But, here is a question for you.... What are the odds we can grab and insert into the sql db the sendmail relay log......and the status.....

I am looking for the relay part and whether it was Sent, Queued, etc.....

.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp
518.447.8544
chris.campbell@fac.com

Steve Freegard
Sent by: MailScanner mailing list
09/05/03 08:08 AM
Please respond to MailScanner mailing list
cc:
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta

Hi all,

I've (finally!) released a beta of 0.3 - you can download it from http://www.sourceforge.net/projects/mailwatch

If you haven't already noticed - the project has been moved to Sourceforge, so I encourage everyone who uses MailWatch to sign-up for the Mailing Lists that are available and to use the other features such as the Feature Requests, Bug Tracking, Forums and Patches from this point onward.

Changes in this release:

- New MailWatch.pm file that contains the MailWatch SQL Logging code.
- Changed the SQL Logging procedure names from SQLLogging to MailWatchLogging to save confusion as to which versions people are using.
- Updated MailWatchLogging procedures to better handle MySQL death and subsequent restart without needing to restart MailScanner.
- Message headers now displayed on the Message Detail page.
- OpenRBL lookup address fixed (OpenRBL had updated their site).
- Spam Action(s) displayed next to Spam/High Scoring Spam on the Message Detail page.
- New 'Quarantine Manager' allows quarantined messages to be released to recipient(s), deleted or learnt/unlearnt by SpamAssassin as Spam or Ham.
- Major speed-ups on page display.
- Added extra Virus regular expressions and modified the existing to drop the requirement of 'Include Scanner Name in Reports' in MailScanner.conf.
- New Sendmail inbound/outbound queue display.
- Fixed the display of the 'Blocked Files' percentage in Today's Totals.
- Fixed the volume display in the reports to use the average over the reporting period e.g. if you receive 500Mb of mail on average per day but you occasionally spike at 1Gb - the reports will display the volume in Mb.
- Added new 'MySQL status' page to the 'Other' page.
- Fixed 'SpamAssassin Rule Hits' report not displaying any data under some installations of MailScanner.
- New reports 'Top Mail Relays' and 'Top Sender Domains by Quantity/Volume'.
- Added 'hostname' to the list of available filters to allow people with multiple scanners report only on a specific one.

Kind regards,
Steve

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From rich at MAIL.WVNET.EDU Fri Sep 5 13:46:13 2003
From: rich at MAIL.WVNET.EDU (Richard Lynch)
Date: Thu Jan 12 21:19:47 2006
Subject: Unusual error message from MailScanner
Message-ID: <1062765973.2171.13.camel@localhost.localdomain>

I'm getting an unusual error message in my maillog from MailScanner.

Sep 5 08:33:12 barney MailScanner[17513]: Commercial virus checker
failed with real error: Modification of a read-only value attempted at
/usr/lib/MailScanner/MailScanner/Log.pm line 103, line 1.

If I scan backward and find the preceding messages for pid 17513 I
find.

Sep 5 08:33:10 barney MailScanner[17513]: Virus and Content Scanning:
Starting
Sep 5 08:33:10 barney MailScanner[17513]:
/var/spool/MailScanner/incoming/17513/h84KAwCg01142
5/%nTips.bat Infection: W32/Klez.H@mm
Sep 5 08:33:10 barney MailScanner[17513]: Virus Scanning: F-Prot found
virus W32/Klez.H@mm
Sep 5 08:33:10 barney MailScanner[17513]: Virus Scanning: F-Prot found
1 infections

This is just one example. There are hundreds of them. I looked at
yesterday's log and there were some there too. I'm not sure how long
this has been going on. Other than the message things seem to be
running fine. Is this something to worry about? I'm running...

RedHat 7.3
mailscanner-4.22-5
spamassassin 2.55
f-prot 4.2.0, Mcafee 4.24.0, ClamAV-0.60

I'm also running incoming mounted on tmpfs.

--
Richard Lynch

From lists at MASONC.COM Fri Sep 5 13:58:42 2003
From: lists at MASONC.COM (Chris Mason)
Date: Thu Jan 12 21:19:47 2006
Subject: Getting false virus reports
Message-ID: <001901c373ad$6f335f40$7500a8c0@poseiden>

I am getting a lot of shipping emails from buy.com since I have been doing a lot of shopping there lately, and each time I find the shipping notice in the spambox marked as a Virus. All buy.com mail is whitelisted.

"At Thu Sep 4 21:35:18 2003 the virus scanner said: Found a form in HTML message"

This seems to be a constant problem. Are we being overly cautious by blocking forms? If they are common doesn't it create a large problem?

Chris Mason
masonc@masonc.com
Box 340, The Valley, Anguilla, British West Indies
Yahoo IM: netconcepts_anguilla@yahoo.com
264 497-5670 Fax: 264 497-8463
www.netconcepts.ai

From rob at thehostmasters.com Fri Sep 5 14:07:43 2003
From: rob at thehostmasters.com (Rob Charles)
Date: Thu Jan 12 21:19:47 2006
Subject: WHy was this not caught??
References: <001901c373ad$6f335f40$7500a8c0@poseiden>
Message-ID: <00bc01c373ae$b26d30f0$0a01a8c0@basement>

Just wondering why this was not caught by MS, as it even says in the header
"(may be forged)"

I seem to be getting more and more spam now that is not caught even after
adjusting my settings to 4 rather than 5 for a hit and deleting spam over a
score of 10

Anything I am doing wrong or not doing?

Any help appreciated...

Thanks and have a great day/night or evening depending on where you are in
the world..
:)

see headers below of email received
-----------------------------------------------------------------------

Return-Path:
Received: from mg134046.user.veloxzone.com.br
(MG134046.user.veloxzone.com.br [200.149.134.46] (may be forged))
 by localhost.localdomain (8.12.8/8.12.5) with SMTP id h85Cxdkg022954
 for ; Fri, 5 Sep 2003 08:59:43 -0400
Message-ID:
From: "Leanne Bowers"
Reply-To: "Leanne Bowers"
To: rob@stupidguytalk.org
Subject: Medical Breakthrough for MEN Today_0NLY!
Date: Sat, 06 Sep 2003 07:49:14 +0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="B__.28_.E9_02.3F.EC_2F"
X-MailScanner-Information: Please contact info@thehostmasters.com for more info
X-MailScanner: Found to be clean
X-UIDL: M`-!!U@/!!F~U"!cAM!!

Rob Charles
TheHostMasters
Montreal, Canada
514-846-0006
Rob@TheHostMasters.com
http://www.TheHostMasters.com

From mailscanner at ecs.soton.ac.uk Fri Sep 5 14:15:02 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:48 2006
Subject: Unusual error message from MailScanner
In-Reply-To: <1062765973.2171.13.camel@localhost.localdomain>
Message-ID: <5.2.0.9.2.20030905141451.03f46560@imap.ecs.soton.ac.uk>

Upgrade to 4.23-11 and this problem will disappear.

At 13:46 05/09/2003, you wrote:
>I'm getting an unusual error message in my maillog from MailScanner.
>
>Sep 5 08:33:12 barney MailScanner[17513]: Commercial virus checker
>failed with real error: Modification of a read-only value attempted at
>/usr/lib/MailScanner/MailScanner/Log.pm line 103, line 1.
>
>If I scan backward and find the preceding messages for pid 17513 I
>find.
>
>Sep 5 08:33:10 barney MailScanner[17513]: Virus and Content Scanning:
>Starting
>Sep 5 08:33:10 barney MailScanner[17513]:
>/var/spool/MailScanner/incoming/17513/h84KAwCg01142
>5/%nTips.bat Infection: W32/Klez.H@mm
>Sep 5 08:33:10 barney MailScanner[17513]: Virus Scanning: F-Prot found
>virus W32/Klez.H@mm
>Sep 5 08:33:10 barney MailScanner[17513]: Virus Scanning: F-Prot found
>1 infections
>
>This is just one example. There are hundreds of them. I looked at
>yesterdays log and there were some there too. I'm not sure how long
>this has been going on. Other than the message things seem to be
>running fine. Is this something to worry about? I'm running...
>
>RedHat 7.3
>mailscanner-4.22-5
>spamassassin 2.55
>f-prot 4.2.0, Mcafee 4.24.0, ClamAV-0.60
>
>I'm also running incomming mounted on tmpfs.
>
>--
>Richard Lynch

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Sep 5 14:16:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:48 2006
Subject: WHy was this not caught??
In-Reply-To: <00bc01c373ae$b26d30f0$0a01a8c0@basement>
References: <001901c373ad$6f335f40$7500a8c0@poseiden>
Message-ID: <5.2.0.9.2.20030905141546.042e26e0@imap.ecs.soton.ac.uk>

There is a new release of SpamAssassin coming out shortly, give that a try and you should find the spam-spotting improves.

At 14:07 05/09/2003, you wrote:
>Just wondering why this was not caught by MS, as it even says in the header
>"(may be forged)"
>
>I seem to be getting more and more spam now that is not caught even after
>adjusting my settings to 4 rather than 5 for a hit and deleting spam over a
>score of 10
>
>Anything I am doing wrong or not doing?
>
>Any help appreciated...
>
>Thanks and have a great day/night or evening depending on where you are in
>the world..
>:)
>
>see headers below of email received
>-----------------------------------------------------------------------
>
>
>Return-Path:
>Received: from mg134046.user.veloxzone.com.br
>(MG134046.user.veloxzone.com.br [200.149.134.46] (may be forged))
> by localhost.localdomain (8.12.8/8.12.5) with SMTP id h85Cxdkg022954
> for ; Fri, 5 Sep 2003 08:59:43 -0400
>Message-ID:
>From: "Leanne Bowers"
>Reply-To: "Leanne Bowers"
>To: rob@stupidguytalk.org
>Subject: Medical Breakthrough for MEN Today_0NLY!
>Date: Sat, 06 Sep 2003 07:49:14 +0500
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="B__.28_.E9_02.3F.EC_2F"
>X-MailScanner-Information: Please contact info@thehostmasters.com for more
>info
>X-MailScanner: Found to be clean
>X-UIDL: M`-!!U@/!!F~U"!cAM!!
>
>
>Rob Charles
>TheHostMasters
>Montreal, Canada
>514-846-0006
>Rob@TheHostMasters.com
>http://www.TheHostMasters.com

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From sailer at BNL.GOV Fri Sep 5 14:35:58 2003
From: sailer at BNL.GOV (Tim Sailer)
Date: Thu Jan 12 21:19:48 2006
Subject: how to set up an RBL
In-Reply-To:
References: <200308281109.h7SB9Fk06653@camelot.blacknightsolutions.com>
Message-ID: <20030905133558.GA19537@bnl.gov>

I have a small RBL and domain, spambites.net. I am making it 'subscription' only, and it will be manually administered, as far as entries. Either a web form, or email submission. Entries will be 'expired' after so many days, depending on why it was entered (SPAM, open relay, etc). So, if any one is serious about this, I've got the framework in place.

Tim

On Thu, Aug 28, 2003 at 01:13:11PM +0200, Raymond Dijkxhoorn wrote:
> Hi!
>
> > We might be interested in following suit, as the quantity of spam getting
> > through recently is not acceptable (Spam Assasin keeps on timing out!)
>
> Its perhaps completely OT here, but why not combine forces? I am willing
> to facilitate a couple of DNSes and we are with a lot of network guys
> here, so we might do it right for once.
>
> We all try to fight spam, we all see the spammers comming in, so we only
> need a interface to get things in.
>
> Are there people interested in that idea ?
>
> Bye,
> Raymond.
>

--
Tim Sailer
Information and Special Technologies Program
Office of CounterIntelligence
Brookhaven National Laboratory
(631) 344-3001

From bp at LICENG.DK Fri Sep 5 14:44:47 2003
From: bp at LICENG.DK (Bjarke Pedersen)
Date: Thu Jan 12 21:19:48 2006
Subject: Unsubscribe
Message-ID:

--
Bjarke Pedersen
LICengineering A/S
Ehlersvej 24
DK-2900 Hellerup
Denmark
+45 39 62 16 42 (voice)
+45 39 62 54 80 (fax)

From RKearney at AZERTY.COM Fri Sep 5 14:44:56 2003
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:19:48 2006
Subject: Any Ideas on these rules
Message-ID: <210DF55DED65B547896F728FB057F3B2019C468E@seaver.ussco.com>

This might belong on the SA list, so lemme know if I should try there instead.

We are running MS 4.21-9, SA 2.55

in spam.assassin.prefs.conf we have this set of rules to flag SoBig as spam.

header __SOBIG_X X-MailScanner =~ /Found to be clean/
header __SOBIG_SUBJ1 Subject =~ /(?:Re\: Details|Re\: Re\: My details|Your details)/
header __SOBIG_SUBJ2 Subject =~ /(?:Re\: Thank you\!|Thank you\!)/
header __SOBIG_SUBJ3 Subject =~ /(?:Re\: Approved|Re\: That movie|Re\: Wicked screensaver|Re\: Your application)/
body __SOBIG_BODY /(?:See the attached file for details|Please see the attached file for details\.)/
meta SOBIG __SOBIG_X && (__SOBIG_SUBJ1 || __SOBIG_SUBJ2 || __SOBIG_SUBJ3) && __SOBIG_BODY
describe SOBIG Sobig virus
score SOBIG 20.0

For example.. here are the headers of a current sobig virus that got through (Our MS/SA gateway forwards to a Antivirus server which detects anyways) (with the received by headers and some stuff deleted to protect the innocent)

Message-Id: <200309051320.h85DJxHl008772@host.domain.com>
From:
To:
Subject: Re: Wicked screensaver
Date: Fri, 5 Sep 2003 10:14:01 --0300
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
X-COMPANY-MailScanner-Information: Please contact the Helpdesk for more information
X-COMPANY-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.2, required 5,
 MICROSOFT_EXECUTABLE 0.10, RAZOR2_CHECK 2.06)
X-COMPANY-MailScanner-SpamScore: ss

I doublechecked my mySQL database and can ensure that the rule stated above is being used on some of these mails.

thanks,
-rob

From errol.neal at ENHTECH.COM Fri Sep 5 15:00:03 2003
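One way to see which part of the SOBIG meta rule in Rob Kearney's message above hits on a given message is to evaluate each sub-rule on its own. This is an added example, not code from the thread: the three sample messages are constructed, `evaluate` and `failed_groups` are hypothetical helper names, and matching the plain-text body as one string is a simplification of how SpamAssassin renders bodies.

```python
import re
from email import message_from_string

# Sub-rules copied from the spam.assassin.prefs.conf excerpt in the post.
# The Perl patterns are valid Python regexes as written.
HEADER_RULES = {
    "__SOBIG_X": ("X-MailScanner", r"Found to be clean"),
    "__SOBIG_SUBJ1": ("Subject", r"(?:Re\: Details|Re\: Re\: My details|Your details)"),
    "__SOBIG_SUBJ2": ("Subject", r"(?:Re\: Thank you\!|Thank you\!)"),
    "__SOBIG_SUBJ3": ("Subject", r"(?:Re\: Approved|Re\: That movie|Re\: Wicked screensaver|Re\: Your application)"),
}
BODY_RULES = {
    "__SOBIG_BODY": r"(?:See the attached file for details|Please see the attached file for details\.)",
}
SUBJECT_RULES = ("__SOBIG_SUBJ1", "__SOBIG_SUBJ2", "__SOBIG_SUBJ3")


def text_body(msg):
    """Concatenate all text/plain parts with whitespace collapsed (simplified)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "ascii", "replace"))
    return " ".join(" ".join(chunks).split())


def evaluate(raw_message):
    """Return {rule name: bool} for every sub-rule plus the SOBIG meta rule."""
    msg = message_from_string(raw_message)
    hits = {}
    for name, (header, pattern) in HEADER_RULES.items():
        values = msg.get_all(header, [])  # header names match case-insensitively
        hits[name] = any(re.search(pattern, value) for value in values)
    body = text_body(msg)
    for name, pattern in BODY_RULES.items():
        hits[name] = bool(re.search(pattern, body))
    # meta SOBIG __SOBIG_X && (SUBJ1 || SUBJ2 || SUBJ3) && __SOBIG_BODY
    hits["SOBIG"] = (hits["__SOBIG_X"]
                     and any(hits[n] for n in SUBJECT_RULES)
                     and hits["__SOBIG_BODY"])
    return hits


def failed_groups(hits):
    """Name the AND-ed groups of the meta rule that did not hit."""
    groups = {
        "x-mailscanner": hits["__SOBIG_X"],
        "subject": any(hits[n] for n in SUBJECT_RULES),
        "body": hits["__SOBIG_BODY"],
    }
    return [name for name, ok in groups.items() if not ok]


# Constructed samples. The first two reuse the Subject and X-MailScanner
# headers shown in the post; addresses and bodies are made up.
HEADERS = ("From: sender@example.com\nTo: user@example.org\n"
           "Subject: Re: Wicked screensaver\nX-MailScanner: Found to be clean\n\n")
SAMPLE_SOBIG = HEADERS + "Please see the attached file for details.\n"
SAMPLE_OTHER_BODY = HEADERS + "See the attachment for details\n"
SAMPLE_CLEAN = ("From: colleague@example.com\nTo: user@example.org\n"
                "Subject: Lunch on Friday\nX-MailScanner: Found to be clean\n\n"
                "Are you free at noon?\n")

if __name__ == "__main__":
    for label, raw in (("sobig-like", SAMPLE_SOBIG),
                       ("other body", SAMPLE_OTHER_BODY),
                       ("ordinary mail", SAMPLE_CLEAN)):
        hits = evaluate(raw)
        print(label, "SOBIG =", hits["SOBIG"], "missing:", failed_groups(hits))
```

Because the meta rule is a pure AND of the three groups, a message that misses only the body pattern gets none of the 20 points, while the `__SOBIG_X` sub-rule on its own hits on any mail carrying that header.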
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:48 2006
Subject: Concerns...
Message-ID: <5.1.0.14.0.20030905095613.1002bbf8@mail.enhtech.com>

Hi all,

Can someone explain to me how a scenario like this would work...

MailScanner begins to process a batch of 100 messages. It unpacks those messages say in /tmp in a directory 360.
For some reason, I need to restart the MailScanner, possibly to make a config change or whatever however MailScanner is not finished processing those 100 messages it unpacked in the work directory. It is only say 20% done. Will MailScanner know that there are 80 messages waiting in the subdirectory 360 in its work directory? If so, how?

Regards,

Errol Neal

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 15:02:35 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:48 2006
Subject: Any Ideas on these rules
In-Reply-To: <210DF55DED65B547896F728FB057F3B2019C468E@seaver.ussco.com>
References: <210DF55DED65B547896F728FB057F3B2019C468E@seaver.ussco.com>
Message-ID: <200309051402.h85E2d502222@onyx.rockstone.co.uk>

On Friday 05 September 2003 2:44 pm, Kearney, Rob wrote:

> This might belong on the SA list, so lemme know if I should try there
> instead.
>
> We are running MS 4.21-9, SA 2.55
>
> in spam.assassin.prefs.conf we have this set of rules to flag SoBig as
> spam.
>
> header __SOBIG_X X-MailScanner =~ /Found to be clean/

Please don't create an SA rule to label emails which have been scanned by MailScanner (in its default configuration) as spam.

PLEASE do not post anything like this to the SA mailing list - people will use it without understanding the significance of what they are using.

Regards,

Antony.

--
Mahatma Gandhi was once asked what he thought of Western Civilisation.
He replied, "That would be a very good idea."

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 15:04:45 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:48 2006
Subject: Concerns...
In-Reply-To: <5.1.0.14.0.20030905095613.1002bbf8@mail.enhtech.com>
References: <5.1.0.14.0.20030905095613.1002bbf8@mail.enhtech.com>
Message-ID: <200309051404.h85E4n502249@onyx.rockstone.co.uk>

On Friday 05 September 2003 3:00 pm, Errol Neal wrote:

> Hi all,
>
> Can someone explain to me how a scenario like this would work...
>
> MailScanner begins to process a batch of 100 messages. It unpacks those
> messages say in /tmp in a directory 360.
> For some reason, I need to restart the MailScanner, possibly to make a
> config change or whatever however MailScanner is not finished processing
> those 100 messages it unpacked in the work directory. It is only say 20%
> done. Will MailScanner know that there are 80 messages waiting in the
> subdirectory 360 in its work directory?

No. When you restart MailScanner it will find the batch of 100 unprocessed messages and start processing them again.

Only messages which have been completely processed and removed from the input queue will go unseen by MailScanner the second time around.

Regards,

Antony.

--
G- GIT/E d- s+:--(-) a+ C++++$ UL++++$ P+(---)>++ L+++(++++)$ !E W(-) N(-) o? w-- O !M V+++(--) !PS !PE Y+ PGP+> t- tv@ b+++ DI++ D--- e++>+++ h++ r@? 5? !X- !R K--?

From mailscanner at ecs.soton.ac.uk Fri Sep 5 14:59:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:48 2006 Subject: Concerns... In-Reply-To: <5.1.0.14.0.20030905095613.1002bbf8@mail.enhtech.com> Message-ID: <5.2.0.9.2.20030905145832.07483770@imap.ecs.soton.ac.uk> When shutting down, MailScanner will delete its temporary working directories if at all possible (which are usually under /var/spool/MailScanner/incoming, but this is defined in your MailScanner.conf file). Whether it manages it or not, it will simply restart processing the batch from scratch when it is started up again. So don't worry, nothing can get lost when this happens. At 15:00 05/09/2003, you wrote: >Hi all, > >Can someone explain to me how a scenario like this would work... > >MailScanner begins to process a batch of 100 messages. It unpacks those >messages say in /tmp in a directory 360. >For some reason, I need to restart the MailScanner, possibly to make a >config change or whatever however MailScanner >is not finished processing those 100 messages it unpacked in the work >directory. It is only say 20% done. Will MailScanner >know that there are 80 messages waiting in the subdirectory 360 in its work >directory? If so, how? > > >Regards, > > >Errol Neal > > >Errol Neal, Systems/Network Administrator >eneal@enhtech.com >Enhanced Technologies Inc. >http://www.enhtech.com >703-924-0301 or 800-368-3249 >703-924-0302 Fax -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at ZANKER.ORG Fri Sep 5 15:10:58 2003 
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.u k> Message-ID: <27969765.1062774658@mallard.open.ac.uk> On 05 September 2003 13:08 +0100 Steve Freegard wrote: > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch Hmm - for some reason I just get a list of files in the /var/www/html/mailscanner directory when I point my browser at it. MailWatch 0.2 worked fine... Have I done something silly? Mike. From ree at THUNDERSTAR.NET Fri Sep 5 07:12:25 2003 From: ree at THUNDERSTAR.NET (Ron E.) Date: Thu Jan 12 21:19:48 2006 Subject: postfix @xxxx.test files showing up in deferred Message-ID: Just wondering if anyone else running postfix + mailscanner has noticed this - I have recently had some zero byte files showing up in the incoming postfix deferred directory. The files are named like: @xxxxx.test xxxxx = 5 digit number Whenever the incoming postfix is reloaded I get some errors about these files that look like this: warning: valid_hostname: invalid character 64(decimal): @xxxxx.test Just wondering if these can be safely removed or what. Regards, Ron From steve.freegard at LBSLTD.CO.UK Fri Sep 5 15:16:55 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta Message-ID: <67D9E7698329D411936E00508B6590B902773ADC@neelix.lbsltd.co.uk> Hi Mike, No I've done something silly ;-))) When I did the CVS export I forgot to re-create the symbolic link from status.php to index.php. Just run 'ln -s status.php index.php' from /var/www/html/mailscanner and it'll start working. Regards, Steve. -----Original Message----- 
From: Mike Zanker [mailto:mike@ZANKER.ORG] Sent: 05 September 2003 15:11 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta On 05 September 2003 13:08 +0100 Steve Freegard wrote: > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch Hmm - for some reason I just get a list of files in the /var/www/html/mailscanner directory when I point my browser at it. MailWatch 0.2 worked fine... Have I done something silly? Mike. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From mike at ZANKER.ORG Fri Sep 5 15:21:56 2003 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <67D9E7698329D411936E00508B6590B902773ADC@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773ADC@neelix.lbsltd.co.u k> Message-ID: <28627515.1062775316@mallard.open.ac.uk> Thanks! Mike. On 05 September 2003 15:16 +0100 Steve Freegard wrote: > Hi Mike, > > No I've done something silly ;-))) > > When I did the CVS export I forgot to re-create the symbolic link from > status.php to index.php. > > Just run 'ln -s status.php index.php' from /var/www/html/mailscanner > and it'll start working. > > Regards, > Steve. > > -----Original Message----- 
> From: Mike Zanker [mailto:mike@ZANKER.ORG] > Sent: 05 September 2003 15:11 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta > > > On 05 September 2003 13:08 +0100 Steve Freegard > wrote: > >> I've (finally!) released a beta of 0.3 - you can download it from >> http://www.sourceforge.net/projects/mailwatch > > Hmm - for some reason I just get a list of files in the > /var/www/html/mailscanner directory when I point my browser at it. > > MailWatch 0.2 worked fine... Have I done something silly? > > Mike. > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer > viruses. From KShortt at AZERTY.COM Fri Sep 5 15:24:31 2003 
From: KShortt at AZERTY.COM (Shortt, Kevin)
Date: Thu Jan 12 21:19:48 2006
Subject: Any Ideas on these rules
Message-ID: <210DF55DED65B547896F728FB057F3B201CB4DD6@seaver.ussco.com>

> header __SOBIG_X X-MailScanner =~ /Found to be clean/

>>Please don't create an SA rule to label emails which have been scanned by
>>MailScanner (in its default configuration) as spam.

>>PLEASE do not post anything like this to the SA mailing list - people will
>>use it without understanding the significance of what they are using.

It's not a default config. It happens to be a characteristic of the virus that was propagated and as the rule is written only matches such messages. It is also written with the "__" which does not add hits to the message by default.

One can not presume the knowledge level (or lack of) when asking a question. A question is asked and directed at the people that have the knowledge. If someone uses the information incorrectly that is no one's fault but their own. I thought that's what the internet was about.

Anyway...back to the original post. The rule was working and catching only SOBIG virii. We've recently noticed it's no longer functioning. Does anyone have any ideas for us to troubleshoot this?

-k
From pndiku at DSMAGIC.COM Fri Sep 5 15:19:21 2003
From: pndiku at DSMAGIC.COM (Peter C. Ndikuwera) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: References: Message-ID: <1062771560.30678.4.camel@mufasa.ds.co.ug> Hi all, Failed to get this working on a SuSE 7.0 system. Just like with previous mailwatch versions I had to cook up my own Logging function (see attached). It's based on Julian's work in the original CustomConfig.pm and seems to work fine for me! Comments? Peter On Fri, 2003-09-05 at 15:33, Chris Campbell wrote: > Very nice... I *finally* got it hacked up enough to work on rh 7.2 and rh > 7.3 (I was getting the same mysql server died error these bsd kids were > getting) > > > But, here is a question for you.... > > What are the odds we can grab and insert into the sql db the sendmail relay > log......and the status..... > I am looking for the relay part and whether is was Sent, Queued, etc..... > > > > > ..................................... > Christopher S. Campbell > UNIX Admin > First Albany Corp > 518.447.8544 > chris.campbell@fac.com > > > > > > Steve Freegard > LTD.CO.UK> cc: > Sent by: Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta > MailScanner mailing > list > IL.AC.UK> > > > 09/05/03 08:08 AM > Please respond to > MailScanner mailing > list > > > > > > > Hi all, > > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch > > If you haven't already noticed - the project has been moved to Sourceforge, > so I encourage everyone who uses MailWatch to sign-up for the Mailing Lists > that are available and to use the other features such as the Feature > Requests, Bug Tracking, Forums and Patches from this point onward. > > Changes in this release: > > - New MailWatch.pm file that contains the MailWatch SQL Logging code. > > - Changed the SQL Logging procedure names from SQLLogging to > MailWatchLogging > to save confusion as to which versions people are using. 
> > - Updated MailWatchLogging procedures to better handle MySQL death and > subsequent restart without needing to restart MailScanner. > > - Message headers now displayed on the Message Detail page. > > - OpenRBL lookup address fixed (OpenRBL had updated their site). > > - Spam Action(s) displayed next to Spam/High Scoring Spam on the Message > Detail page. > > - New 'Quarantine Manager' allows quarantined messages to be released to > recipient(s), deleted or learnt/unlearnt by SpamAssassin as Spam or Ham. > > - Major speed-ups on page display. > > - Added extra Virus regular expressions and modified the existing to drop > the requirement of 'Include Scanner Name in Reports' in > MailScanner.conf. > > - New Sendmail inbound/outbound queue display. > > - Fixed the display of the 'Blocked Files' percentage in Today's Totals. > > - Fixed the volume display in the reports to use the average over the > reporting period e.g. if you receive 500Mb of mail on average per day > but > you occasionally spike at 1Gb - the reports will display the volume in > Mb. > > - Added new 'MySQL status' page to the 'Other' page. > > - Fixed 'SpamAssassin Rule Hits' report not display any data under some > installations of MailScanner. > > - New reports 'Top Mail Relays' and 'Top Sender Domains by > Quantity/Volume'. > > - Added 'hostname' the the list of available filters to allow people with > multiple scanners report only on a specific one. > > Kind regards, > Steve > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer viruses. 
-------------- next part --------------
#
# MailWatch for MailScanner
# Copyright (C) 2003 Steve Freegard (smf@f2s.com)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

use DBI;
use IO::File;
use Sys::Hostname;

# Trace settings - uncomment this to debug
# DBI->trace(2,'/root/dbitrace.log');

my($dbh);
my($sth);
my($hostname) = hostname;

# Modify this as necessary for your configuration
my($db_name) = "mailscanner";
my($db_host) = "localhost";
my($db_user) = "root";
my($db_pass) = "";

# Startup. Open the temporary file that collects one log line per message.
sub InitMailWatchLogging {
  MailScanner::Log::InfoLog("Initialising MailWatch Logging temp file");
  $logfile1 = IO::File->new_tmpfile or die "IO::File->new_tmpfile: $!";
}

# Shutdown. Write all the log entries to the SQL database, then close
# the temporary log files. Closing them will also delete them as they were
# created with tmpfile().
sub EndMailWatchLogging {
  my(@fields);

  MailScanner::Log::InfoLog("Ending SQL Logging temp output " .
                            "and flushing to database");

  # Create database connection
  my($dbh);

  # Connect to the database
  $dbh = DBI->connect("DBI:mysql:database=$db_name;host=$db_host",
                      $db_user, $db_pass,
                      {PrintError => 0})
    or MailScanner::Log::DieLog("Cannot connect to the database: %s",
                                $DBI::errstr);

  # Rewind to start of logfile1
  $logfile1->flush();
  seek($logfile1, 0, 0)
    or MailScanner::Log::DieLog("EndSQLLogging seek: %s", $!);

  while(<$logfile1>) {
    chomp;
    @fields = split(/\t/);

    # Work through each field protecting any special characters such as '
    # The line below replaces ' with \'
    # (left disabled: the ? placeholders below already quote every value)
    # @fields = map { s/\'/\\'/g } @fields;

    # Set any empty strings to NULL so the SQL insert works correctly
    # (bound through a placeholder this is stored as the string 'NULL')
    @fields = map { ($_ eq '')?'NULL':"$_" } @fields;

    # Insert the 23 fields into a database table, one placeholder each
    my($sth) = $dbh->prepare("INSERT INTO maillog VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)");
    $sth->execute(@fields[0..22])
      or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
  }

  # Close database connection
  $dbh->disconnect();

  # Close and delete the temporary files (deletion is done automatically)
  $logfile1->close();

  MailScanner::Log::InfoLog("Database flush completed");
}

# Write all the log information for 1 message to the temporary file.
# For messages with reports, write 1 line for each report.
sub MailWatchLogging {
  my($message) = @_;

  # Get rid of control chars and tidy-up SpamAssassin report
  my $spamreport = $message->{spamreport};
  $spamreport =~ s/\n/ /g;
  $spamreport =~ s/\t//g;

  # Get timestamp, and format it so it is suitable to use with MySQL
  my($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
  my($timestamp) = sprintf("%d-%02d-%02d %02d:%02d:%02d",
                           $year+1900,$mon+1,$mday,$hour,$min,$sec);
  my($date) = sprintf("%d-%02d-%02d",$year+1900,$mon+1,$mday);
  my($time) = sprintf("%02d:%02d:%02d",$hour,$min,$sec);

  # Also print 1 line for each report about this message. These lines
  # contain all the info above, + the attachment filename and text of
  # each report.
  my($file, $text, @report_array);
  while(($file, $text) = each %{$message->{allreports}}) {
    $file = "the entire message" if $file eq "";
    # Use the sanitised filename to avoid problems caused by people forcing
    # logging of attachment filenames which contain nasty SQL instructions.
    # '||' (not 'or') so the fallback to $file applies to the assignment.
    $file = $message->{file2safefile}{$file} || $file;
    $text =~ s/\n/ /g;  # Make sure text report only contains 1 line
    $text =~ s/\t/ /g;  # and no tab characters
    push (@report_array, $text);
  }

  # Sanitize reports
  my $reports = join(",",@report_array);
  # Single-quoted '\n' is a literal backslash-n, so the record stays on 1 line
  my $headers = join('\n',@{$message->{headers}});

  # Print 1 line for each message.
  print $logfile1 join("\t",
                       $timestamp,
                       $message->{id},
                       $message->{size},
                       $message->{from},
                       join(',', @{$message->{to}}),
                       $message->{subject},
                       $message->{clientip},
                       join(',', @{$message->{archiveplaces}}),
                       $message->{isspam},
                       $message->{ishigh},
                       $message->{issaspam},
                       $message->{isrblspam},
                       $message->{spamwhitelisted},
                       $message->{sascore},
                       $spamreport,
                       $message->{virusinfected},
                       $message->{nameinfected},
                       $message->{otherinfected},
                       $reports,
                       'entandikwa.ds.co.ug',
                       $date,
                       $time,
                       $headers
                      ). "\n";
}

1;
From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 15:35:36 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:48 2006
Subject: Any Ideas on these rules
In-Reply-To: <210DF55DED65B547896F728FB057F3B201CB4DD6@seaver.ussco.com>
References: <210DF55DED65B547896F728FB057F3B201CB4DD6@seaver.ussco.com>
Message-ID: <200309051435.h85EZe502523@onyx.rockstone.co.uk>

On Friday 05 September 2003 3:24 pm, Shortt, Kevin wrote:

> > header __SOBIG_X X-MailScanner =~ /Found to be clean/
> >
> >>Please don't create an SA rule to label emails which have been scanned by
> >>MailScanner (in its default configuration) as spam.
> >>
> >>PLEASE do not post anything like this to the SA mailing list - people
> >> will use it without understanding the significance of what they are
> >> using.
>
> It's not a default config. It happens to be a characteristic of the virus
> that was propagated and as the rule is written only matches such messages.

No, what I meant by "default config" was that this header is exactly what gets added to emails which have been scanned by a default MailScanner installation. Therefore this particular rule will match perfectly innocent messages long after Sobig has disappeared over the horizon.

I was merely saying that I do not think it is a good idea to encourage people to even think about matching on a part of the Sobig emails which will cause a high false positive rate if applied to other emails.

I agree that in combination with your other rules this becomes less likely, but please use the other rules to achieve that without including this one.

> One can not presume the knowledge level (or lack of) when asking a
> question. A question is asked and directed at the people that have the
> knowledge. If someone uses the information incorrectly that is no one's
> fault but their own. I thought that's what the internet was about.

If this means you think I was suggesting that you don't know what you're doing, then I never meant to say that.
I was trying to say "please don't post a suggestion that SA should match on the MailScanner header in a bid towards identifying a message as spam", because people who don't know that it matches perfectly innocent MailScanner-scanned messages as well as the Sobig ones will end up blocking good email as a result. There's no need to include this header in the rule, so I think it should not be advocated as a way to identify spam. If that wasn't what you meant then please ignore the above. Regards, Antony. -- It suddenly dawns on the observer that there is no end to the creativity that these mindless hackers can come up with. - Kevin Kelly, Out of Control From anders.andersson at LTKALMAR.SE Fri Sep 5 15:41:13 2003 
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:48 2006
Subject: SV: how to set up an RBL
Message-ID:

> -----Original Message-----
> From: Tim Sailer [mailto:sailer@BNL.GOV]
>
> I have a small RBL and domain, spambites.net. I am making it
> 'subscription' only, and it will be manually administered, as
> far as entries. Either a web form, or email submission.
> Entries will be 'expired' after so many days, depending on
> why it was entered (SPAM, open relay, etc).
>
> So, if any one is serious about this, I've got the framework in place.

Add me to the offline list, I've got a meeting in the end of the month and might get some more mailadmins interested.

/Anders

>
> Tim
>
> On Thu, Aug 28, 2003 at 01:13:11PM +0200, Raymond Dijkxhoorn wrote:
> > Hi!
> >
> > > We might be interested in following suit, as the quantity of spam
> > > getting through recently is not acceptable (Spam Assassin keeps on
> > > timing out!)
> >
> > It's perhaps completely OT here, but why not combine forces? I am
> > willing to facilitate a couple of DNSes and we are with a lot of
> > network guys here, so we might do it right for once.
> >
> > We all try to fight spam, we all see the spammers coming in, so we
> > only need a interface to get things in.
> >
> > Are there people interested in that idea ?
> >
> > Bye,
> > Raymond.
> >
>
> --
> Tim Sailer
> Information and Special Technologies Program
> Office of CounterIntelligence
> Brookhaven National Laboratory (631) 344-3001
>
From phil at NXTEK.NET Fri Sep 5 15:47:49 2003
From: phil at NXTEK.NET (Phil Iovino)
Date: Thu Jan 12 21:19:48 2006
Subject: Sobig.F resurgence
In-Reply-To: <00ae01c3735c$626ef450$640ba8c0@home.middlefinger.net>
Message-ID: <00bd01c373bc$b3ad49b0$641be5ce@PHIL>

Can you let me know specifically how to do this? I saw a way to do it with other MTAs but may have missed how to with Sendmail.

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher
> Sent: Thursday, September 04, 2003 10:19 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Sobig.F resurgence
>
>
> The flow here has been trickling but steady. I am blocking
> LOTS of them with a sendmail rule though, so they never even
> make it to MailScanner.
>
> Mike
>
>
> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> Of David Hooton
>
> Sent: Thursday, September 04, 2003 10:02 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Sobig.F resurgence
>
>
> Hi All,
>
> A little off topic, but we've started noticing about a 10
> fold increase in Sobig.F traffic over the last 48 hours.
>
> Is anyone else noticing this?
> --
> Regards,
>
> David Hooton
> Senior Partner
> Platform Hosting
> 1300 85 HOST
> www.platformhosting.com
>
>
> ==============================================================
> ==========
> This message has been scanned for viruses and unsafe content by
> Platform Mail Security
>
> To report SPAM forward the message to: spam@mailsecurity.net.au
> To report incorrectly tagged messages: notspam@mailsecurity.net.au
>
> Platform Mail Security www.mailsecurity.net.au
> Platform Hosting www.platformhosting.com
>
> ==============================================================
> ==========
>
From greyhair at GREYHAIR.NET Fri Sep 5 15:50:50 2003
From: greyhair at GREYHAIR.NET (Mr. Greyhair)
Date: Thu Jan 12 21:19:48 2006
Subject: No subject
Message-ID: <200309051450.h85Eooa03007@localhost.greyhair.net>

It is mentioned on the mailscanner website that "MailScanner knows about a list of viruses that" ... "fake "From" address". "... up to system administrators to keep this list up to date." How does one maintain this list (correctly)?

From http://www.sng.ecs.soton.ac.uk/mailscanner/sobig.html:

Why am I getting all this mail from you?

First of all, the mail is not coming from us. Please read on...

This virus sends e-mail messages with a fake "From" address, which might happen to be your address. MailScanner knows about a list of viruses that do this, and knows not to respond to the sender if the message contains any of these "faking" viruses. However, it is currently up to the individual system administrators to keep this list up to date. If they haven't added "Sobig" to the list, then their MailScanner will continue to issue warnings to the senders, not knowing that they are fake.

Thanks.
From david at PLATFORMHOSTING.COM Fri Sep 5 15:57:40 2003
From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <28627515.1062775316@mallard.open.ac.uk> References: <67D9E7698329D411936E00508B6590B902773ADC@neelix.lbsltd.co.u k> <28627515.1062775316@mallard.open.ac.uk> Message-ID: <3F58A464.6050507@platformhosting.com> Next upgrade question... I'm running the upgrade.php file and am getting the following error: - AlwaysLookedUpLast ................................................ OK *** ERROR/WARNING SUMMARY *** Database connection failed: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2) MailScanner.conf: SpamActions != store (=deliver) MailScanner.conf: HighScoringSpamActions != store (=deliver) Now I would normally think ok, MySQL is dead, but it's running. My DB Name is mailwatch rather than mailscanner, but I can't seem to see the db name hardcoded in the php. Any ideas? -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com ======================================================================== This message has been scanned for viruses and unsafe content by Platform Mail Security To report SPAM forward the message to: spam@mailsecurity.net.au To report incorrectly tagged messages: notspam@mailsecurity.net.au Platform Mail Security www.mailsecurity.net.au Platform Hosting www.platformhosting.com ======================================================================== From steve.freegard at LBSLTD.CO.UK Fri Sep 5 15:57:49 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:19:48 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
Message-ID: <67D9E7698329D411936E00508B6590B902773ADD@neelix.lbsltd.co.uk>

Hi Chris,

>>> What are the odds we can grab and insert into the sql db the sendmail....

I'm reluctant to put this into MailWatch as it requires some intelligent parsing of the maillog on the message id which could and usually does appear more than once (particularly when the message is deferred) and maillog should also only be readable by root which poses another problem.

That said - I've written something for you which should give you the beginnings of what you're after - it is pretty crude however. I'm also presuming that you're using 0.2.

Copy the attached files to /var/www/html/mailscanner.

Run 'mysql mailscanner < create_relay_table.sql' to create the table.

Make sure that sendmail_relay.php is executable and make an entry into root's crontab to run it every 'n' minutes - this script parses the maillog and for every entry that has the line 'Sendmail','relay=' and 'stat=' it makes an entry into the sendmail_relay table - if one already exists for the message id being inserted it is overwritten.

You will then be able to see the relay information at the bottom of the Message Detail page.

Kind regards,
Steve

-----Original Message-----
From: Chris Campbell [mailto:Chris.Campbell@FAC.COM] Sent: 05 September 2003 13:33 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta Very nice... I *finally* got it hacked up enough to work on rh 7.2 and rh 7.3 (I was getting the same mysql server died error these bsd kids were getting) But, here is a question for you.... What are the odds we can grab and insert into the sql db the sendmail relay log......and the status..... I am looking for the relay part and whether is was Sent, Queued, etc..... ..................................... Christopher S. Campbell UNIX Admin First Albany Corp 518.447.8544 chris.campbell@fac.com Steve Freegard cc: Sent by: Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta MailScanner mailing list 09/05/03 08:08 AM Please respond to MailScanner mailing list Hi all, I've (finally!) released a beta of 0.3 - you can download it from http://www.sourceforge.net/projects/mailwatch If you haven't already noticed - the project has been moved to Sourceforge, so I encourage everyone who uses MailWatch to sign-up for the Mailing Lists that are available and to use the other features such as the Feature Requests, Bug Tracking, Forums and Patches from this point onward. Changes in this release: - New MailWatch.pm file that contains the MailWatch SQL Logging code. - Changed the SQL Logging procedure names from SQLLogging to MailWatchLogging to save confusion as to which versions people are using. - Updated MailWatchLogging procedures to better handle MySQL death and subsequent restart without needing to restart MailScanner. - Message headers now displayed on the Message Detail page. - OpenRBL lookup address fixed (OpenRBL had updated their site). - Spam Action(s) displayed next to Spam/High Scoring Spam on the Message Detail page. - New 'Quarantine Manager' allows quarantined messages to be released to recipient(s), deleted or learnt/unlearnt by SpamAssassin as Spam or Ham. - Major speed-ups on page display. 
- Added extra Virus regular expressions and modified the existing to drop the requirement of 'Include Scanner Name in Reports' in MailScanner.conf. - New Sendmail inbound/outbound queue display. - Fixed the display of the 'Blocked Files' percentage in Today's Totals. - Fixed the volume display in the reports to use the average over the reporting period e.g. if you receive 500Mb of mail on average per day but you occasionally spike at 1Gb - the reports will display the volume in Mb. - Added new 'MySQL status' page to the 'Other' page. - Fixed 'SpamAssassin Rule Hits' report not display any data under some installations of MailScanner. - New reports 'Top Mail Relays' and 'Top Sender Domains by Quantity/Volume'. - Added 'hostname' the the list of available filters to allow people with multiple scanners report only on a specific one. Kind regards, Steve -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: detail.php Type: application/octet-stream Size: 3151 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/1a9ec8bc/detail.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: create_relay_table.sql Type: application/octet-stream Size: 204 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/1a9ec8bc/create_relay_table.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: sendmail_relay.php Type: application/octet-stream Size: 806 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/1a9ec8bc/sendmail_relay.obj From kodak at FRONTIERHOMEMORTGAGE.COM Fri Sep 5 15:58:00 2003 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:19:48 2006 Subject: Silent Viruses In-Reply-To: <200309051450.h85Eooa03007@localhost.greyhair.net> Message-ID: <006301c373be$1999dbc0$0501a8c0@darkside> >It is mentioned on the mailscanner website that "MailScanner knows >about a list of viruses that" ... "fake "From" address". "... up to >system administrators to keep this list up to date." How does one >maintain this list (correctly)? Your MailScanner.conf has a line: Silent Viruses = blah blah blah Add Sobig to that line. (And other viruses as they crop up.) --J(K) From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 15:59:02 2003 
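The maillog pass Steve Freegard describes earlier in this thread for sendmail_relay.php (the attachment itself was scrubbed from the archive), as an added Python example that is not MailWatch's code. The table layout, the use of SQLite in place of MySQL, and the sample log lines are assumptions constructed for illustration.

```python
import re
import sqlite3

# Constructed sample maillog in sendmail's syslog format (not from the thread).
# One message id appears three times: accepted, deferred, then finally sent.
SAMPLE_LOG = """\
Sep  5 15:10:01 mx1 sendmail[2101]: h85EA1x02101: from=<a@example.org>, size=1832, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=client.example.org [192.0.2.7]
Sep  5 15:10:04 mx1 sendmail[2110]: h85EA1x02101: to=<bob@example.com>, delay=00:00:03, xdelay=00:00:01, mailer=esmtp, pri=121832, relay=mail.example.com. [198.51.100.25], dsn=4.0.0, stat=Deferred: Connection timed out with mail.example.com.
Sep  5 15:10:09 mx1 MailScanner[1999]: New Batch: Scanning 1 messages, 1832 bytes
Sep  5 15:40:04 mx1 sendmail[2480]: h85EA1x02101: to=<bob@example.com>, delay=00:30:03, xdelay=00:00:02, mailer=esmtp, pri=211832, relay=mail.example.com. [198.51.100.25], dsn=2.0.0, stat=Sent (ok: queued as 'A1B2', thanks)
Sep  5 15:41:00 mx1 sendmail[2490]: h85EB0x02490: to=<eve@example.net>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=120500, relay=mx.example.net. [203.0.113.9], dsn=5.1.1, stat=User unknown
"""

# A delivery line carries the queue id, relay= and, as its last field, stat=.
# "from=" lines have relay= but no stat=, so they never match; neither do
# lines logged by other programs such as MailScanner itself.
DELIVERY_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<msg_id>\w+): .*?\brelay=(?P<relay>[^,]+),.*?\bstat=(?P<status>.*)$"
)

# Assumed layout; the real create_relay_table.sql is not in the archive.
SCHEMA = """CREATE TABLE IF NOT EXISTS sendmail_relay (
    msg_id    TEXT PRIMARY KEY,
    relay     TEXT,
    status    TEXT,
    logged_at TEXT
)"""


def parse_delivery(line):
    """Return (msg_id, relay, status, timestamp) or None for other lines."""
    m = DELIVERY_RE.match(line)
    if m is None:
        return None
    return (m["msg_id"], m["relay"].strip(), m["status"].strip(), m["ts"])


def load_relay_table(conn, lines):
    """Store the latest relay/stat per message id; return lines stored."""
    conn.execute(SCHEMA)
    stored = 0
    for line in lines:
        row = parse_delivery(line)
        if row is None:
            continue
        # stat= text is partly supplied by the remote server, so it is
        # bound through placeholders, never spliced into the SQL string.
        # OR REPLACE overwrites an earlier entry for the same message id.
        conn.execute(
            "INSERT OR REPLACE INTO sendmail_relay "
            "(msg_id, relay, status, logged_at) VALUES (?, ?, ?, ?)",
            row,
        )
        stored += 1
    conn.commit()
    return stored


def relay_info(conn, msg_id):
    """Look up (relay, status) for one message id, or None."""
    return conn.execute(
        "SELECT relay, status FROM sendmail_relay WHERE msg_id = ?",
        (msg_id,),
    ).fetchone()


def build_demo_db():
    """Load the constructed sample into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    load_relay_table(conn, SAMPLE_LOG.splitlines())
    return conn


if __name__ == "__main__":
    demo = build_demo_db()
    for record in demo.execute("SELECT * FROM sendmail_relay ORDER BY msg_id"):
        print(record)
```

The deferred entry for the first message id is replaced by the later "Sent" entry, which is the overwrite behaviour the post describes for a message id that appears more than once.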
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:48 2006 Subject: No subject In-Reply-To: <200309051450.h85Eooa03007@localhost.greyhair.net> References: <200309051450.h85Eooa03007@localhost.greyhair.net> Message-ID: <200309051459.h85Ex7502752@onyx.rockstone.co.uk> On Friday 05 September 2003 3:50 pm, Mr. Greyhair wrote: > It is mentioned on the mailscanner website that "MailScanner knows > about a list of viruses that" ... "fake "From" address". "... up to > system administrators to keep this list up to date." How does one > maintain this list (correctly)? The only way I know is by keeping up to date with the latest virus definitions and checking which ones forge the sender's address and which ones don't. The way things are going at present, you'd be pretty safe assuming a new email virus does forge the sender's address until you know otherwise :) Antony. -- If you want to be happy for an hour, get drunk. If you want to be happy for a year, get married. If you want to be happy for a lifetime, get a garden. From KCollins at NESBITTENGINEERING.COM Fri Sep 5 16:13:04 2003 From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin) Date: Thu Jan 12 21:19:48 2006 Subject: Problem posting to list` Message-ID: <2B1F39EA56FA7643A328F66521D41B760D41@magellan.nesbitt.local> I've tried for the past several days to post a reply back to the "False Positive" thread that I started a day or two ago. I'm obviously doing something wrong because when I post a new message it seems to come through just fine, but when I send my reply with things like mail headers and such my message just disappears into ether. I don't get a "bounce" or failure. My server sends the message out and then it disappears. Anyone else experiencing this? -- Kevin L. Collins, MCSE Systems Manager Nesbitt Engineering, Inc. From pndiku at DSMAGIC.COM Fri Sep 5 15:55:48 2003 
From: pndiku at DSMAGIC.COM (Peter C. Ndikuwera) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <27969765.1062774658@mallard.open.ac.uk> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.u k> <27969765.1062774658@mallard.open.ac.uk> Message-ID: <1062773747.30678.6.camel@mufasa.ds.co.ug> >From /var/www/html/mailscanner type: ln -s status.php index.php On Fri, 2003-09-05 at 17:10, Mike Zanker wrote: > On 05 September 2003 13:08 +0100 Steve Freegard > wrote: > > > I've (finally!) released a beta of 0.3 - you can download it from > > http://www.sourceforge.net/projects/mailwatch > > Hmm - for some reason I just get a list of files in the > /var/www/html/mailscanner directory when I point my browser at it. > > MailWatch 0.2 worked fine... Have I done something silly? > > Mike. From sailer at BNL.GOV Fri Sep 5 16:21:45 2003 
From: sailer at BNL.GOV (Tim Sailer)
Date: Thu Jan 12 21:19:48 2006
Subject: how to set up an RBL
In-Reply-To:
References: <20030905133558.GA19537@bnl.gov>
Message-ID: <20030905152145.GS19537@bnl.gov>

On Fri, Sep 05, 2003 at 04:14:34PM +0200, Raymond Dijkxhoorn wrote:
> Hi!
>
> > I have a small RBL and domain, spambites.net. I am making it 'subscription'
> > only, and it will be manually administered, as far as entries. Either
> > a web form, or email submission. Entries will be 'expired' after so many
> > days, depending on why it was entered (SPAM, open relay, etc).
> >
> > So, if any one is serious about this, I've got the framework in place.
>
> > > We all try to fight spam, we all see the spammers coming in, so we only
> > > need an interface to get things in.
> > >
> > > Are there people interested in that idea ?
>
> I am surely interested, please submit me some info offlist.

OK, basic rules, that I'm just starting to flesh out is:

Don't abuse the system.
Keep a local DNS zone running (to save my connection).

I can add you to the email alias I'm using as a starting point,
so interested parties can bang around ideas. Let me know.

Tim

--
Tim Sailer
Information and Special Technologies Program
Office of CounterIntelligence
Brookhaven National Laboratory (631) 344-3001

From lance at WARE.NET Fri Sep 5 16:22:02 2003
From: lance at WARE.NET (Lance Ware)
Date: Thu Jan 12 21:19:48 2006
Subject: Virus scanning/updates (clam) not happening after upgrade to 4.23-11
In-Reply-To: A<5.2.0.9.2.20030905085219.03f0cfd8@imap.ecs.soton.ac.uk>
Message-ID: <200309051522.h85FMxr14769@ori.rl.ac.uk>

Ok I'll try that, although I don't seem to have an /etc/MailScanner/lib.
Guess I'll get it from the generic tar file.

I fixed it temporarily by moving the new 3 column virus.scanners.conf into
etc and manually editing the clam wrapper to the correct path for clamscan.
Editing virus.scanners.conf didn't seem to help.

TIA,

Lance

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Friday, September 05, 2003 12:54 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Virus scanning/updates (clam) not happening after upgrade to 4.23-11

Look in /etc/MailScanner/lib and rename all the ".rpmnew" files over the
top of your modified files. Then if you have the scanner installed in a
non-default location (which is probably why you edited the scripts in the
first place), edit /etc/MailScanner/virus.scanners.conf and fix the paths
in there.

I have moved all the configuration out of the scripts and into
virus.scanners.conf to make things neater.

At 06:51 05/09/2003, you wrote:
>Hi folks,
>
>I'm scratching my head. I recently upgraded from 4.22-5 to 4.23-11 and I
>seem to have lost my virus scanning and updates.
>
>Any hints or tips?
>
>My upgrade process including building a new box and moving my config files
>over.
>
>Thanks.
>
>Lance

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Fri Sep 5 15:14:34 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:48 2006
Subject: how to set up an RBL
In-Reply-To: <20030905133558.GA19537@bnl.gov>
Message-ID:

Hi!

> I have a small RBL and domain, spambites.net. I am making it 'subscription'
> only, and it will be manually administered, as far as entries. Either
> a web form, or email submission. Entries will be 'expired' after so many
> days, depending on why it was entered (SPAM, open relay, etc).
>
> So, if any one is serious about this, I've got the framework in place.

> > We all try to fight spam, we all see the spammers coming in, so we only
> > need an interface to get things in.
> >
> > Are there people interested in that idea ?

I am surely interested, please submit me some info offlist.

Bye,
Raymond.

From sailer at BNL.GOV Fri Sep 5 16:24:59 2003
From: sailer at BNL.GOV (Tim Sailer)
Date: Thu Jan 12 21:19:48 2006
Subject: how to set up an RBL
In-Reply-To: <20030905152145.GS19537@bnl.gov>
References: <20030905133558.GA19537@bnl.gov> <20030905152145.GS19537@bnl.gov>
Message-ID: <20030905152459.GU19537@bnl.gov>

Offlist. Why do my fingers not listen when replying to email.

Sorry folks.

Tim

On Fri, Sep 05, 2003 at 11:21:45AM -0400, Tim Sailer wrote:
> On Fri, Sep 05, 2003 at 04:14:34PM +0200, Raymond Dijkxhoorn wrote:
> > Hi!
> >
> > > I have a small RBL and domain, spambites.net. I am making it 'subscription'
> > > only, and it will be manually administered, as far as entries. Either
> > > a web form, or email submission. Entries will be 'expired' after so many
> > > days, depending on why it was entered (SPAM, open relay, etc).
> > >
> > > So, if any one is serious about this, I've got the framework in place.
> >
> > > > We all try to fight spam, we all see the spammers coming in, so we only
> > > > need an interface to get things in.
> > > >
> > > > Are there people interested in that idea ?
> >
> > I am surely interested, please submit me some info offlist.
>
> OK, basic rules, that I'm just starting to flesh out is:
>
> Don't abuse the system.
> Keep a local DNS zone running (to save my connection).
>
> I can add you to the email alias I'm using as a starting point,
> so interested parties can bang around ideas. Let me know.
>
> Tim
>
> --
> Tim Sailer
> Information and Special Technologies Program
> Office of CounterIntelligence
> Brookhaven National Laboratory (631) 344-3001
>

--
Tim Sailer
Information and Special Technologies Program
Office of CounterIntelligence
Brookhaven National Laboratory (631) 344-3001

From rob at thehostmasters.com Fri Sep 5 16:25:53 2003
From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:19:48 2006 Subject: WHy was this not caught?? References: <001901c373ad$6f335f40$7500a8c0@poseiden> <5.2.0.9.2.20030905141546.042e26e0@imap.ecs.soton.ac.uk> Message-ID: <016201c373c2$00a922c0$0a01a8c0@basement> Hmm I thought SA is upgraded along with Mailscanner? I upgraded last week, my MS to the latest.... would not that also install the latest SA too? Thanks.. Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com ----- Original Message ----- From: "Julian Field" To: Sent: Friday, September 05, 2003 9:16 AM Subject: Re: WHy was this not caught?? > There is a new release of SpamAssassin coming out shortly, give that a try > and you should find the spam-spotting improves. > > At 14:07 05/09/2003, you wrote: > >Just wondering why this was not caught by MS, as it even says in the header > >"(may be forged)" > > > >I seem to be getting more and more spam now that is not caught even after > >adjusting my settings to 4 rather than 5 for a hit and deleting spam over a > >score of 10 > > > >Anything I am doing wrong or not doing? > > > >Any help appreciated... > > > >Thanks and have a great day/night or evening depending on where you are in > >the world.. > >:) > > > >see headers below of email received > >----------------------------------------------------------------------- > > > > > >Return-Path: > >Received: from mg134046.user.veloxzone.com.br > >(MG134046.user.veloxzone.com.br [200.149.134.46] (may be forged)) > > by localhost.localdomain (8.12.8/8.12.5) with SMTP id h85Cxdkg022954 > > for ; Fri, 5 Sep 2003 08:59:43 -0400 > >Message-ID: 
> >From: "Leanne Bowers" > >Reply-To: "Leanne Bowers" > >To: rob@stupidguytalk.org > >Subject: Medical Breakthrough for MEN Today_0NLY! > >Date: Sat, 06 Sep 2003 07:49:14 +0500 > >MIME-Version: 1.0 > >Content-Type: multipart/alternative; > > boundary="B__.28_.E9_02.3F.EC_2F" > >X-MailScanner-Information: Please contact info@thehostmasters.com for more > >info > >X-MailScanner: Found to be clean > >X-UIDL: M`-!!U@/!!F~U"!cAM!! > > > > > >Rob Charles > >TheHostMasters > >Montreal, Canada > >514-846-0006 > >Rob@TheHostMasters.com > >http://www.TheHostMasters.com > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 16:29:27 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:48 2006 Subject: WHy was this not caught?? Message-ID: <200309051529.h85FTW503063@onyx.rockstone.co.uk> On Friday 05 September 2003 4:25 pm, Rob Charles wrote: > Hmm I thought SA is upgraded along with Mailscanner? I upgraded last week, > my MS to the latest.... would not that also install the latest SA too? No. Independent packages. Different developers, maintainers, release dates... Some people use MS without SA. Some people use SA without MS. Regards, Antony. -- Anything that improbable is effectively impossible. - Murray Gell-Mann, Nobel Prizewinner in Physics From michele at BLACKNIGHTSOLUTIONS.COM Fri Sep 5 16:31:26 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions) Date: Thu Jan 12 21:19:48 2006 Subject: Offlist/Onlist was RE: how to set up an RBL In-Reply-To: <20030905152459.GU19537@bnl.gov> Message-ID: <200309051529.h85FTWaM040294@lancelot.blacknightsolutions.com> > -----Original Message----- 
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tim Sailer
> Sent: 05 September 2003 16:25
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: how to set up an RBL
>
> Offlist. Why do my fingers not listen when replying to email.
>
> Sorry folks.
>
> Tim

It could have been a lot worse!
Our last accountant posted an email to a mailing list instead of sending it to me...

Mr. Michele Neylon
Blacknight Solutions
http://www.blacknightsolutions.ie/
Probably the cheapest ie's in Ireland
Tel. +353 (0)59 9139897
Fax. +353 (0)59 9139897

From martinh at SOLID-STATE-LOGIC.COM Fri Sep 5 16:29:53 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:19:48 2006
Subject: WHy was this not caught??
In-Reply-To: <016201c373c2$00a922c0$0a01a8c0@basement>
References: <001901c373ad$6f335f40$7500a8c0@poseiden> <5.2.0.9.2.20030905141546.042e26e0@imap.ecs.soton.ac.uk> <016201c373c2$00a922c0$0a01a8c0@basement>
Message-ID: <3F58ABF1.5030904@solid-state-logic.com>

Rob

no upgrading all the underlying sw is a separate task, just like when you
installed it first time around

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
+44 (0)1865 842300

Rob Charles wrote:
> Hmm I thought SA is upgraded along with Mailscanner? I upgraded last week,
> my MS to the latest.... would not that also install the latest SA too?
>
> Thanks..
>
>
> Rob Charles
> TheHostMasters
> Montreal, Canada
> 514-846-0006
> Rob@TheHostMasters.com
> http://www.TheHostMasters.com
>
>
>
> ----- Original Message -----
> From: "Julian Field" > To: > Sent: Friday, September 05, 2003 9:16 AM > Subject: Re: WHy was this not caught?? > > > >>There is a new release of SpamAssassin coming out shortly, give that a try >>and you should find the spam-spotting improves. >> >>At 14:07 05/09/2003, you wrote: >> >>>Just wondering why this was not caught by MS, as it even says in the > > header > >>>"(may be forged)" >>> >>>I seem to be getting more and more spam now that is not caught even after >>>adjusting my settings to 4 rather than 5 for a hit and deleting spam over > > a > >>>score of 10 >>> >>>Anything I am doing wrong or not doing? >>> >>>Any help appreciated... >>> >>>Thanks and have a great day/night or evening depending on where you are > > in > >>>the world.. >>>:) >>> >>>see headers below of email received >>>----------------------------------------------------------------------- >>> >>> >>>Return-Path: >>>Received: from mg134046.user.veloxzone.com.br >>>(MG134046.user.veloxzone.com.br [200.149.134.46] (may be forged)) >>> by localhost.localdomain (8.12.8/8.12.5) with SMTP id h85Cxdkg022954 >>> for ; Fri, 5 Sep 2003 08:59:43 -0400 >>>Message-ID: 
>>>From: "Leanne Bowers" >>>Reply-To: "Leanne Bowers" >>>To: rob@stupidguytalk.org >>>Subject: Medical Breakthrough for MEN Today_0NLY! >>>Date: Sat, 06 Sep 2003 07:49:14 +0500 >>>MIME-Version: 1.0 >>>Content-Type: multipart/alternative; >>> boundary="B__.28_.E9_02.3F.EC_2F" >>>X-MailScanner-Information: Please contact info@thehostmasters.com for > > more > >>>info >>>X-MailScanner: Found to be clean >>>X-UIDL: M`-!!U@/!!F~U"!cAM!! >>> >>> >>>Rob Charles >>>TheHostMasters >>>Montreal, Canada >>>514-846-0006 >>>Rob@TheHostMasters.com >>>http://www.TheHostMasters.com >> >>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support >> ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** From miguelk at KONSULTEX.COM.BR Fri Sep 5 16:37:04 2003 
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:19:48 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
References: <67D9E7698329D411936E00508B6590B902773ADC@neelix.lbsltd.co.uk> <28627515.1062775316@mallard.open.ac.uk> <3F58A464.6050507@platformhosting.com>
Message-ID: <3F58ADA0.8020605@konsultex.com.br>

David;

I haven't seen MailWatch and I plan to try it. This is advice based on my
experience with other web systems. I found that if you use 'localhost' for
the dbname if dns is not ok on the machine this fails. I suggest to check
that (host localhost) or try 127.0.0.1

Miguel

David Hooton wrote:
> Next upgrade question...
>
> I'm running the upgrade.php file and am getting the following error:
>
>
> - AlwaysLookedUpLast ................................................ OK
>
> *** ERROR/WARNING SUMMARY ***
> Database connection failed: Can't connect to local MySQL server through
> socket '/tmp/mysql.sock' (2)
> MailScanner.conf: SpamActions != store (=deliver)
> MailScanner.conf: HighScoringSpamActions != store (=deliver)
>
>
> Now I would normally think ok, MySQL is dead, but it's running. My DB
> Name is mailwatch rather than mailscanner, but I can't seem to see the
> db name hardcoded in the php.
>
> Any ideas?
>
>
> --
> Regards,
>
> David Hooton
> Senior Partner
> Platform Hosting
> 1300 85 HOST
> www.platformhosting.com
>
>
> ========================================================================
> This message has been scanned for viruses and unsafe content by
> Platform Mail Security
>
> To report SPAM forward the message to: spam@mailsecurity.net.au
> To report incorrectly tagged messages: notspam@mailsecurity.net.au
>
> Platform Mail Security www.mailsecurity.net.au
> Platform Hosting www.platformhosting.com
>
> ========================================================================
>

--
This message has been checked by the antivirus system and is believed to be free of danger.

From Chris.Campbell at FAC.COM Fri Sep 5 16:41:52 2003 
From: Chris.Campbell at FAC.COM (Chris Campbell)
Date: Thu Jan 12 21:19:48 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
Message-ID:

Thanks for the reply Steve...

However, I have 4 external (dmz) mailscanner boxes, with the mailwatch mysql
db server internally. I have all 4 inserting to this one mailwatch mysql
box.... This is why I want the functionality without parsing the maillog....

I have written my own perl to do basically what you said below, and it seems
to work for me. My goal is to let our help desk be able to get this
information without my help though.

I am sure the below will be helpful and useful for others, but in the
meantime if I have some free time maybe I can come up with some php magic
myself....

.....................................
Christopher S. Campbell
UNIX Admin

Steve Freegard ltd.co.uk>
cc: "'MailScanner mailing list'"
Subject: RE: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
09/05/03 10:57 AM

Hi Chris,

>>> What are the odds we can grab and insert into the sql db the sendmail....

I'm reluctant to put this into MailWatch as it requires some intelligent
parsing of the maillog on the message id which could and usually does appear
more than once (particularly when the message is deferred) and maillog should
also only be readable by root which poses another problem.

That said - I've written something for you which should give you the
beginnings of what you're after - it is pretty crude however. I'm also
presuming that you're using 0.2.

Copy the attached files to /var/www/html/mailscanner.

Run 'mysql mailscanner < create_relay_table.sql' to create the table.

Make sure that sendmail_relay.php is executable and make an entry into root's
crontab to run it every 'n' minutes - this script parses the maillog and for
every entry that has the line 'Sendmail','relay=' and 'stat=' it makes an
entry into the sendmail_relay table - if one already exists for the message
id being inserted it is overwritten.

You will then be able to see the relay information at the bottom of the
Message Detail page.

Kind regards,
Steve

-----Original Message-----
From: Chris Campbell [mailto:Chris.Campbell@FAC.COM] Sent: 05 September 2003 13:33 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta Very nice... I *finally* got it hacked up enough to work on rh 7.2 and rh 7.3 (I was getting the same mysql server died error these bsd kids were getting) But, here is a question for you.... What are the odds we can grab and insert into the sql db the sendmail relay log......and the status..... I am looking for the relay part and whether is was Sent, Queued, etc..... ..................................... Christopher S. Campbell UNIX Admin First Albany Corp 518.447.8544 chris.campbell@fac.com Steve Freegard cc: Sent by: Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta MailScanner mailing list 09/05/03 08:08 AM Please respond to MailScanner mailing list Hi all, I've (finally!) released a beta of 0.3 - you can download it from http://www.sourceforge.net/projects/mailwatch If you haven't already noticed - the project has been moved to Sourceforge, so I encourage everyone who uses MailWatch to sign-up for the Mailing Lists that are available and to use the other features such as the Feature Requests, Bug Tracking, Forums and Patches from this point onward. Changes in this release: - New MailWatch.pm file that contains the MailWatch SQL Logging code. - Changed the SQL Logging procedure names from SQLLogging to MailWatchLogging to save confusion as to which versions people are using. - Updated MailWatchLogging procedures to better handle MySQL death and subsequent restart without needing to restart MailScanner. - Message headers now displayed on the Message Detail page. - OpenRBL lookup address fixed (OpenRBL had updated their site). - Spam Action(s) displayed next to Spam/High Scoring Spam on the Message Detail page. - New 'Quarantine Manager' allows quarantined messages to be released to recipient(s), deleted or learnt/unlearnt by SpamAssassin as Spam or Ham. - Major speed-ups on page display. 
- Added extra Virus regular expressions and modified the existing to drop the requirement of 'Include Scanner Name in Reports' in MailScanner.conf. - New Sendmail inbound/outbound queue display. - Fixed the display of the 'Blocked Files' percentage in Today's Totals. - Fixed the volume display in the reports to use the average over the reporting period e.g. if you receive 500Mb of mail on average per day but you occasionally spike at 1Gb - the reports will display the volume in Mb. - Added new 'MySQL status' page to the 'Other' page. - Fixed 'SpamAssassin Rule Hits' report not display any data under some installations of MailScanner. - New reports 'Top Mail Relays' and 'Top Sender Domains by Quantity/Volume'. - Added 'hostname' the the list of available filters to allow people with multiple scanners report only on a specific one. Kind regards, Steve -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. (See attached file: detail.php)(See attached file: create_relay_table.sql) (See attached file: sendmail_relay.php) -------------- next part -------------- A non-text attachment was scrubbed... 
Name: detail.php Type: application/octet-stream Size: 3238 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/1cab939f/detail.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: create_relay_table.sql Type: application/octet-stream Size: 215 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/1cab939f/create_relay_table.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: sendmail_relay.php Type: application/octet-stream Size: 829 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/1cab939f/sendmail_relay.obj From kylist at SHCORP.COM Fri Sep 5 16:50:14 2003 From: kylist at SHCORP.COM (Kurt Yoder) Date: Thu Jan 12 21:19:48 2006 Subject: how to drop "cleaned html" warnings to postmaster? Message-ID: <42999.10.10.1.71.1062777014.squirrel@webmailtest.shcorp.com> I'm running Mailscanner 4.22-5, which scans for unsafe HTML, etc. However, when such is found, the admin gets an email, so I get a bunch of emails full of these. I'd prefer to only get email telling me about "real" viruses. The "silent" option doesn't seem to be what I want here, since it only suppresses warnings to the sender. So how do I stop Mailscanner from sending warnings to me about "dangerous IFrame", etc? -- Kurt Yoder Sport & Health network administrator From errol.neal at ENHTECH.COM Fri Sep 5 16:51:40 2003 
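The maillog pass Steve Freegard describes in the MailWatch thread above (keep the sendmail lines that carry both relay= and stat=, and let a later entry for the same message id overwrite the earlier one), as an added Python example. It is not the attached sendmail_relay.php, which this archive does not show; the column names, the sqlite3 stand-in for MySQL, the "sendmail" program tag and the sample log lines are assumptions.

```python
import re
import sqlite3

# Constructed sample maillog lines (not taken from the thread).
SAMPLE_MAILLOG = """\
Sep  5 08:59:43 mx1 sendmail[2301]: h85Cxd01000001: from=<a@example.org>, size=1204, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=client.example.org [192.0.2.7]
Sep  5 08:59:44 mx1 MailScanner[2290]: New Batch: Scanning 1 messages, 1204 bytes
Sep  5 08:59:45 mx1 sendmail[2305]: h85Cxd01000001: to=<b@example.net>, delay=00:00:02, xdelay=00:00:00, mailer=esmtp, pri=121204, relay=mail.example.net., dsn=4.0.0, stat=Deferred: Connection refused by mail.example.net.
Sep  5 09:02:10 mx1 sendmail[2333]: h85D1a02000002: to=<c@example.com>, delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=120980, relay=mx.example.com. [203.0.113.9], dsn=4.7.1, stat=Deferred: 451 4.7.1 can't accept mail right now
Sep  5 09:29:45 mx1 sendmail[2410]: h85Cxd01000001: to=<b@example.net>, delay=00:30:02, xdelay=00:00:01, mailer=esmtp, pri=211204, relay=mail.example.net. [198.51.100.25], dsn=2.0.0, stat=Sent (ok, queued as 4F2A1)
""".splitlines()

# syslog timestamp, host, "sendmail[pid]:", queue id, then the key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+sendmail\[\d+\]:\s+"
    r"(?P<msgid>\w+):\s+(?P<fields>.*)$"
)
RELAY_RE = re.compile(r"\brelay=([^,]+)")  # relay value never contains a comma
STAT_RE = re.compile(r"\bstat=(.*)$")      # stat= is last and may contain commas


def parse_line(line):
    """Return (msg_id, logged, relay, status) for a delivery line, else None.

    Lines without both relay= and stat= (for example the from= line, or
    another program's log entries) are skipped.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    relay = RELAY_RE.search(m.group("fields"))
    stat = STAT_RE.search(m.group("fields"))
    if not (relay and stat):
        return None
    return (m.group("msgid"), m.group("ts"),
            relay.group(1).strip(), stat.group(1).strip())


def open_store():
    """In-memory stand-in for the sendmail_relay table (columns assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sendmail_relay ("
        "msg_id TEXT PRIMARY KEY, logged TEXT, relay TEXT, status TEXT)"
    )
    return conn


def load(conn, lines):
    """Store each delivery line; a later line for the same id overwrites."""
    written = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # relay and status text originate from remote hosts, so they are
        # bound as parameters and never pasted into the SQL string.
        conn.execute(
            "INSERT OR REPLACE INTO sendmail_relay "
            "(msg_id, logged, relay, status) VALUES (?, ?, ?, ?)",
            rec,
        )
        written += 1
    conn.commit()
    return written


def status_of(conn, msg_id):
    """Return (relay, status) last recorded for msg_id, or None."""
    return conn.execute(
        "SELECT relay, status FROM sendmail_relay WHERE msg_id = ?",
        (msg_id,),
    ).fetchone()


if __name__ == "__main__":
    db = open_store()
    load(db, SAMPLE_MAILLOG)
    for row in db.execute("SELECT * FROM sendmail_relay ORDER BY msg_id"):
        print(row)
```

The same untrusted relay and status strings need HTML-escaping when they are shown on a page such as the Message Detail view.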
From: errol.neal at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:19:48 2006 Subject: Moving Mail between Scanners Message-ID: <5.1.0.14.0.20030905115016.03d8c008@mail.enhtech.com> Hi all, I have a MailScanner that is about 13 hrs behind in terms of mail delivery. I need to move part of the queued mail onto another Scanner. What is the best way to do this while taking into consideration the mail already unpacked and probably half processed? Errol Neal Errol Neal, Systems/Network Administrator eneal@enhtech.com Enhanced Technologies Inc. http://www.enhtech.com 703-924-0301 or 800-368-3249 703-924-0302 Fax From stiret at ONEREDSHOE.NET Fri Sep 5 16:52:29 2003 
From: stiret at ONEREDSHOE.NET (Scott Tiret) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> Message-ID: <1062777148.3080.15.camel@alain.oneredshoe.net> On Fri, 2003-09-05 at 08:08, Steve Freegard wrote: > Hi all, > > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch I'm having a bit of a problem. I updated from MailWatch 0.2 to 0.3 beta, but can't get past this part of the start up. MailScanner just keeps trying to start every 10 seconds. Sep 5 11:51:06 cort MailScanner[24504]: MailScanner E-Mail Virus Scanner version 4.24-1 starting... Sep 5 11:51:07 cort MailScanner[24504]: Config: calling custom init function MailWatchLogging Sep 5 11:51:16 cort MailScanner[24505]: MailScanner E-Mail Virus Scanner version 4.24-1 starting... Sep 5 11:51:17 cort MailScanner[24505]: Config: calling custom init function MailWatchLogging -- Scott Tiret Oneredshoe Network My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/51de96a8/attachment.bin From phil at NXTEK.NET Fri Sep 5 17:06:10 2003 From: phil at NXTEK.NET (Phil Iovino) Date: Thu Jan 12 21:19:48 2006 Subject: Silent Viruses In-Reply-To: <006301c373be$1999dbc0$0501a8c0@darkside> Message-ID: <00d101c373c7$a24ac0c0$641be5ce@PHIL> Do silent viruses still get reported in the various mrtg scripts that monitor virus activity totals? > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Balicki > Sent: Friday, September 05, 2003 9:58 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Silent Viruses > > > >It is mentioned on the mailscanner website that "MailScanner knows > >about a list of viruses that" ... "fake "From" address". "... up to > >system administrators to keep this list up to date." How does one > >maintain this list (correctly)? > > Your MailScanner.conf has a line: > > Silent Viruses = blah blah blah > > Add Sobig to that line. (And other viruses as they crop up.) > > --J(K) > From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 17:08:22 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:48 2006 Subject: Moving Mail between Scanners In-Reply-To: <5.1.0.14.0.20030905115016.03d8c008@mail.enhtech.com> References: <5.1.0.14.0.20030905115016.03d8c008@mail.enhtech.com> Message-ID: <200309051608.h85G8R503414@onyx.rockstone.co.uk> On Friday 05 September 2003 4:51 pm, Errol Neal wrote: > Hi all, > > I have a MailScanner that is about 13 hrs behind in terms of mail delivery. > I need to move part of the queued mail onto another Scanner. What is the > best way to do this while taking into consideration the mail already > unpacked and probably half processed? Why not redirect your incoming mail to the other server so it handles the load from now on, and leaves the existing one to chug its way through the queue without having to deal with anything new? That way you don't have to work out which mails are half-processed and you don't have the overhead of moving the mail files across your network either. Antony. -- "I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. It is NOT portable , and it probably never will support anything other than AT-harddisks, as that's all I have :-(." - Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991 From David.While at UCE.AC.UK Fri Sep 5 17:08:56 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:19:48 2006 Subject: Silent Viruses Message-ID: <107DE25EC0216C45AEF670016024245F644180@exchangea.staff.uce.ac.uk> They certainly get reported in my mailstats.pl David While -----Original Message----- From: Phil Iovino [mailto:phil@NXTEK.NET] Sent: Fri 05/09/2003 17:06 To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: Re: Silent Viruses Do silent viruses still get reported in the various mrtg scripts that monitor virus activity totals? > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Balicki > Sent: Friday, September 05, 2003 9:58 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Silent Viruses > > > >It is mentioned on the mailscanner website that "MailScanner knows > >about a list of viruses that" ... "fake "From" address". "... up to > >system administrators to keep this list up to date." How does one > >maintain this list (correctly)? > > Your MailScanner.conf has a line: > > Silent Viruses = blah blah blah > > Add Sobig to that line. (And other viruses as they crop up.) > > --J(K) > From steve.freegard at LBSLTD.CO.UK Fri Sep 5 17:11:24 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta Message-ID: <67D9E7698329D411936E00508B6590B902773AE1@neelix.lbsltd.co.uk> Scott, It seems like MailScanner can't find MailWatch.pm - double-check the "require 'MailScanner/MailWatch.pm';" line that you put in the top of CustomConfig.pm. This syntax seems to work okay for me, but I'm no Perl guru - have I done this correctly Julian?? Kind regards, Steve. -----Original Message----- 
From: Scott Tiret [mailto:stiret@ONEREDSHOE.NET] Sent: 05 September 2003 16:52 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta On Fri, 2003-09-05 at 08:08, Steve Freegard wrote: > Hi all, > > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch I'm having a bit of a problem. I updated from MailWatch 0.2 to 0.3 beta, but can't get past this part of the start up. MailScanner just keeps trying to start every 10 seconds. Sep 5 11:51:06 cort MailScanner[24504]: MailScanner E-Mail Virus Scanner version 4.24-1 starting... Sep 5 11:51:07 cort MailScanner[24504]: Config: calling custom init function MailWatchLogging Sep 5 11:51:16 cort MailScanner[24505]: MailScanner E-Mail Virus Scanner version 4.24-1 starting... Sep 5 11:51:17 cort MailScanner[24505]: Config: calling custom init function MailWatchLogging -- Scott Tiret Oneredshoe Network My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From ellis at KAZAKCOMPOSITES.COM Fri Sep 5 17:11:40 2003 
From: ellis at KAZAKCOMPOSITES.COM (Steve Ellis) Date: Thu Jan 12 21:19:48 2006 Subject: Bounced sobig passes thru MS and anti-virus checks Message-ID: <000f01c373c8$640db820$6600a8c0@Orthanc> Some automated replies, which also contained the Sobig virus, notifying users that they had sent an infected message apparently made it thru MS and anti-virus checks. The desktop AV package identified the message attachment as infected with Sobig.f. Directly sent Sobig messages are correctly handled both by MS checking the extension and by the anti-virus scan. Any suggestions as to where to start looking to determine why these messages made it thru? Steve Ellis Sr Engineer KaZaK Composites, Inc. 781.932.5667 x105 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/7ededbbe/attachment.html From steve.freegard at lbsltd.co.uk Fri Sep 5 17:11:24 2003 From: steve.freegard at lbsltd.co.uk (Steve Freegard) Date: Thu Jan 12 21:19:48 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta Message-ID: <67D9E7698329D411936E00508B6590B902773AE1@neelix.lbsltd.co.uk> Scott, It seems like MailScanner can't find MailWatch.pm - double-check the "require 'MailScanner/MailWatch.pm';" line that you put in the top of CustomConfig.pm. This syntax seems to work okay for me, but I'm no Perl guru - have I done this correctly Julian?? Kind regards, Steve. -----Original Message----- 
From: Scott Tiret [mailto:stiret@ONEREDSHOE.NET]
Sent: 05 September 2003 16:52
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta

On Fri, 2003-09-05 at 08:08, Steve Freegard wrote:
> Hi all,
>
> I've (finally!) released a beta of 0.3 - you can download it from
> http://www.sourceforge.net/projects/mailwatch

I'm having a bit of a problem. I updated from MailWatch 0.2 to 0.3 beta, but can't get past this part of the start up. MailScanner just keeps trying to start every 10 seconds.

Sep 5 11:51:06 cort MailScanner[24504]: MailScanner E-Mail Virus Scanner version 4.24-1 starting...
Sep 5 11:51:07 cort MailScanner[24504]: Config: calling custom init function MailWatchLogging
Sep 5 11:51:16 cort MailScanner[24505]: MailScanner E-Mail Virus Scanner version 4.24-1 starting...
Sep 5 11:51:17 cort MailScanner[24505]: Config: calling custom init function MailWatchLogging

--
Scott Tiret
Oneredshoe Network
My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From errol.neal at ENHTECH.COM Fri Sep 5 17:13:04 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:48 2006
Subject: Sobig.F resurgence
In-Reply-To: <00b101c3735f$53743d40$640ba8c0@home.middlefinger.net>
References:
Message-ID: <5.1.0.14.0.20030905120818.1018da50@mail.enhtech.com>

Man that's tough! You are rejecting thank you messages?
The best way to deal with this stuff is with this:

##
# enable these for DNS blacklist protection from spam
##
dnl FEATURE(`dnsbl',`bl.spamcop.net', `"550 Mail from " $&{client_addr} " was rejected; please see http://www.spamcop.net/w3m?action=checkblock&ip=" $&{client_addr} "for additional details"')dnl
dnl FEATURE(`dnsbl',`proxies.relays.monkeys.com', `"550 Mail from " $&{client_addr} " was rejected; please see http://www.ordb.org/lookup/?host=" $&{client_addr} "for additional details"')dnl
dnl FEATURE(`dnsbl',`relays.osirusoft.com', `"550 Mail from " $&{client_addr} "was rejected; please see "')dnl
dnl FEATURE(`dnsbl',`rbl.maps.vix.com', `"550 Mail from " $&{client_addr} " was rejected; please see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr} "for additional details"')dnl
dnl FEATURE(`dnsbl',`dul.maps.vix.com')dnl
dnl FEATURE(`dnsbl',`blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr} " was rejected; please see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr} "for additional details"')dnl
dnl FEATURE(`dnsbl',`dialups.mail-abuse.org', `"550 Mail from " $&{client_addr}" was rejected; please see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr} "for additional details"')dnl
dnl FEATURE(`dnsbl',`relays.mail-abuse.org', `"550 Mail from " $&{client_addr}" was rejected; please see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr} "for additional details"')dnl
dnl
dnl FEATURE(`rhsbl',`dsn.rfc-ignorant.org', `550 You do not accept bounces violating RFC 821/2505/2821 - see http://www.rfc-ignorant.org/', `h')dnl
dnl FEATURE(`rhsbl',`postmaster.rfc-ignorant.org', `550 Mail rejected as your domain does not have a working postmaster address - see http://www.rfc-ignorant.org/', `h')dnl
dnl FEATURE(`rhsbl',`abuse.rfc-ignorant.org', `550 Mail rejected as your domain does not have a working abuse address - see http://www.rfc-ignorant.org/', `h')dnl
dnl FEATURE(`rhsbl',`whois.rfc-ignorant.org', `550 Mail rejected as your whois information does not exist or is obviously fictitous - see http://www.rfc-ignorant.org/', `h')dnl

Since most of these relays are already in rbls and dnsbl, it is easy to just reject them on the basis of the relaying server at the rcpt as opposed to the parsing message headers. This way, thank you messages from valid senders actually make it to your clients...

Errol Neal

At 10:39 PM 9/4/2003 -0500, you wrote:
>In sendmail.mc, I added this:
>
>
>LOCAL_RULESETS
>
># Reject all mail with Sobig subjects.
>HSubject: $>Check_subject
>D{Msobig1}That movie
>D{Msobig2}Wicked screensaver
>D{Msobig3}Your application
>D{Msobig4}Approved
>D{Msobig5}My details
>D{Msobig6}Details
>D{Msobig7}Thank you!
>D{Msobig8}Returned mail: see transcript for details
>D{Mmsg} Possible Sobig-F Virus - Please change subject
>
>SCheck_subject
>R${Msobig1} $* $#error $: 550 ${Mmsg}
>RRE: ${Msobig1} $* $#error $: 550 ${Mmsg}
>R${Msobig2} $* $#error $: 550 ${Mmsg}
>RRE: ${Msobig2} $* $#error $: 550 ${Mmsg}
>R${Msobig3} $* $#error $: 550 ${Mmsg}
>RRE: ${Msobig3} $* $#error $: 550 ${Mmsg}
>R${Msobig4} $* $#error $: 550 ${Mmsg}
>RRE: ${Msobig4} $* $#error $: 550 ${Mmsg}
>R${Msobig5} $* $#error $: 550 ${Mmsg}
>RRE: ${Msobig5} $* $#error $: 550 ${Mmsg}
>R${Msobig6} $* $#error $: 550 ${Mmsg}
>RRE: ${Msobig6} $* $#error $: 550 ${Mmsg}
>R${Msobig7} $* $#error $: 550 ${Mmsg}
>RRE: ${Msobig7} $* $#error $: 550 ${Mmsg}
>R${Msobig8} $* $#error $: 550 ${Mmsg}
>RRE: ${Msobig8} $* $#error $: 550 ${Mmsg}
>
>
>This was suggested on the list several days back and has been working very
>well.
>May I remind you that the white gaps in text above are tabs and not simply
>spaces.
>Run your .mc through m4 and then restart MailScanner.
>
>Mike
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Nathan Johanson
>Sent: Thursday, September 04, 2003 10:25 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Sobig.F resurgence
>
>
>Mike,
>
>Just curious...
>What Sendmail rule are you using to block them?
>We've been rejecting the most offending IP addresses with the access
>database, but as you might expect... It's a little like a moving target.
>
>Nathan
>
>-----Original Message-----
>From: Mike Kercher [mailto:mike@CAMAROSS.NET]
>Sent: Thursday, September 04, 2003 8:19 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Sobig.F resurgence
>
>
>The flow here has been trickling but steady. I am blocking LOTS of them
>with a sendmail rule though, so they never even make it to MailScanner.
>
>Mike
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of David Hooton
>Sent: Thursday, September 04, 2003 10:02 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Sobig.F resurgence
>
>
>Hi All,
>
>A little off topic, but we've started noticing about a 10 fold increase in
>Sobig.F traffic over the last 48 hours.
>
>Is anyone else noticing this?
>--
>Regards,
>
>David Hooton
>Senior Partner
>Platform Hosting
>1300 85 HOST
>www.platformhosting.com
>
>
>========================================================================
> This message has been scanned for viruses and unsafe content by
> Platform Mail Security
>
> To report SPAM forward the message to: spam@mailsecurity.net.au
> To report incorrectly tagged messages: notspam@mailsecurity.net.au
>
> Platform Mail Security www.mailsecurity.net.au
> Platform Hosting www.platformhosting.com
>
>========================================================================

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From errol.neal at ENHTECH.COM Fri Sep 5 17:16:27 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:48 2006
Subject: Moving Mail between Scanners
In-Reply-To: <200309051608.h85G8R503414@onyx.rockstone.co.uk>
References: <5.1.0.14.0.20030905115016.03d8c008@mail.enhtech.com> <5.1.0.14.0.20030905115016.03d8c008@mail.enhtech.com>
Message-ID: <5.1.0.14.0.20030905121452.101176b0@mail.enhtech.com>

Already did that. SMTP is shutdown at this point and I am only delivering messages already queued in /var/spool/mqueue or those going to be queued there by MailScanner. But that does not deal with the fact that it will take the server several hours to deliver all of that mail and my clients being disappointed.

Errol

At 05:08 PM 9/5/2003 +0100, you wrote:
>On Friday 05 September 2003 4:51 pm, Errol Neal wrote:
>
> > Hi all,
> >
> > I have a MailScanner that is about 13 hrs behind in terms of mail delivery.
> > I need to move part of the queued mail onto another Scanner. What is the
> > best way to do this while taking into consideration the mail already
> > unpacked and probably half processed?
>
>Why not redirect your incoming mail to the other server so it handles the
>load from now on, and leaves the existing one to chug its way through the
>queue without having to deal with anything new?
>
>That way you don't have to work out which mails are half-processed and you
>don't have the overhead of moving the mail files across your network either.
>
>Antony.
>
>--
>
>"I'm doing a (free) operating system (just a hobby, won't be big and
>professional like gnu) for 386(486) AT clones.
>
>It is NOT portable , and it probably never will support anything other than
>AT-harddisks, as that's all I have :-(."
>
> - Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From dh at UPTIME.AT Fri Sep 5 17:19:57 2003
From: dh at UPTIME.AT (David)
Date: Thu Jan 12 21:19:48 2006
Subject: how to set up an RBL
In-Reply-To:
Message-ID:

On Friday, September 5, 2003, at 04:14, Raymond Dijkxhoorn wrote:
> Hi!
>
>> I have a small RBL and domain, spambites.net. I am making it
>> 'subscription'
>> only, and it will be manually administered, as far as entries. Either
>> a web form, or email submission. Entries will be 'expired' after so
>> many
>> days, depending on why it was entered (SPAM, open relay, etc).
>>
>> So, if any one is serious about this, I've got the framework in place.
>
>>> We all try to fight spam, we all see the spammers comming in, so we
>>> only
>>> need a interface to get things in.
>>>
>>> Are there people interested in that idea ?
>
> I am surely interested, please submit me some info offlist.
>

same goes for me.
Thanks
-d

--
nee amata wo mitsukete soshite midoto wasrezu domma mi mumega itakutemo soba mi iru mo zutto...zutto...zutto
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/cc5d3121/PGP.bin

From Kevin.Spicer at BMRB.CO.UK Fri Sep 5 17:23:12 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:48 2006
Subject: Sobig.F resurgence
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496A9@pascal.priv.bmrb.co.uk>

Errol Neal wrote:
> Man that's tough! You are rejecting thank you messages?
> The best way to deal with this stuff is with this:
>
>FEATURE(`dnsbl',`relays.osirusoft.com', `"550 Mail
> from " $&{client_addr} "was rejected; please see "')

You might like to review the list of relays you are using

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From lance at WARE.NET Fri Sep 5 17:20:22 2003
From: lance at WARE.NET (Lance Ware)
Date: Thu Jan 12 21:19:48 2006
Subject: Virus scanning/updates (clam) not happening after upgrade to 4.23-11
In-Reply-To: A<200309051522.h85FMxr14769@ori.rl.ac.uk>
Message-ID: <200309051621.h85GLRr27458@ori.rl.ac.uk>

Julian,

I didn't seem to have any ".rpmnew" files. I also didn't have a lib directory in /etc/MailScanner. I downloaded the Solaris tar file and didn't find any there, or elsewhere also.

What's the safest way to get to a current config while keeping my old changes?

TIA,

Lance

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Lance Ware
Sent: Friday, September 05, 2003 8:22 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Virus scanning/updates (clam) not happening after upgrade to 4.23-11

Ok I'll try that, although I don't seem to have an /etc/MailScanner/lib. Guess I'll get it from the generic tar file.

I fixed it temporarily by moving the new 3 column virus.scanners.conf into etc and manually editing the clam wrapper to the correct path for clamscan. Editing virus.scanners.conf didn't seem to help.

TIA,

Lance

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Friday, September 05, 2003 12:54 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Virus scanning/updates (clam) not happening after upgrade to 4.23-11

Look in /etc/MailScanner/lib and rename all the ".rpmnew" files over the top of your modified files. Then if you have the scanner installed in a non-default location (which is probably why you edited the scripts in the first place), edit /etc/MailScanner/virus.scanners.conf and fix the paths in there.

I have moved all the configuration out of the scripts and into virus.scanners.conf to make things neater.

At 06:51 05/09/2003, you wrote:
>Hi folks,
>
>
>
>I'm scratching my head. I recently upgraded from 4.22-5 to 4.23-11 and I
>seem to have lost my virus scanning and updates.
>
>
>
>Any hints or tips?
>
>
>
>My upgrade process including building a new box and moving my config files
>over.
>
>
>
>Thanks.
>
>
>
>Lance
>
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Kevin.Spicer at BMRB.CO.UK Fri Sep 5 17:26:51 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:48 2006
Subject: Sobig.F resurgence
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496AA@pascal.priv.bmrb.co.uk>

Spicer, Kevin wrote:
> Errol Neal wrote:
>> Man that's tough! You are rejecting thank you messages?
>> The best way to deal with this stuff is with this:
>>
>> FEATURE(`dnsbl',`relays.osirusoft.com', `"550 Mail
>> from " $&{client_addr} "was rejected; please see "')
>
> You might like to review the list of relays you are using
>

doh! Just goes to show I shouldn't mail the list while I'm on the phone! I meant blacklists not relays of course!

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From stiret at ONEREDSHOE.NET Fri Sep 5 17:36:08 2003
From: stiret at ONEREDSHOE.NET (Scott Tiret)
Date: Thu Jan 12 21:19:48 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
In-Reply-To: <67D9E7698329D411936E00508B6590B902773AE1@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773AE1@neelix.lbsltd.co.uk>
Message-ID: <1062779768.3080.20.camel@alain.oneredshoe.net>

On Fri, 2003-09-05 at 12:11, Steve Freegard wrote:
> Scott,
>
> It seems like MailScanner can't find MailWatch.pm - double-check the
> "require 'MailScanner/MailWatch.pm';" line that you put in the top of
> CustomConfig.pm.

Thanks Steve, I worked it out. I had the

require 'MailScanner/MailWatch.pm';

BEFORE the

package MailScanner::CustomConfig;

I interpreted near the top with at the top. I moved it below the package MailScanner::CustomConfig; and it seems to work fine now.

INCORRECT:
require 'MailScanner/MailWatch.pm';
package MailScanner::CustomConfig;

CORRECT
package MailScanner::CustomConfig;
require 'MailScanner/MailWatch.pm';

Thanks again,
--
Scott Tiret
Oneredshoe Network
My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/d0d83a49/attachment.bin

From stiret at ONEREDSHOE.NET Fri Sep 5 17:47:32 2003
From: stiret at ONEREDSHOE.NET (Scott Tiret)
Date: Thu Jan 12 21:19:48 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
In-Reply-To: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk>
Message-ID: <1062780451.3080.25.camel@alain.oneredshoe.net>

On Fri, 2003-09-05 at 08:08, Steve Freegard wrote:
> Hi all,
>
> I've (finally!) released a beta of 0.3 - you can download it from
> http://www.sourceforge.net/projects/mailwatch

There seem to be some permission issues on the quarantine folders. They are owned by root, but need to be opened and used by others. What are the correct permissions for the /var/spool/MailScanner/quarantine folder?

drwx------ 37 root root 4096 Sep 5 12:05 quarantine

MailWatch cannot open the folders when they are like this.

--
Scott Tiret
Oneredshoe Network
My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/8a61835a/attachment.bin

From errol.neal at ENHTECH.COM Fri Sep 5 17:49:09 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:49 2006
Subject: Sobig.F resurgence
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016496AA@pascal.priv.bmrb.co.uk>
Message-ID: <5.1.0.14.0.20030905124840.04093a08@mail.enhtech.com>

Actually, no longer using osi, it is commented out in the .mc but I have not removed it.

At 05:26 PM 9/5/2003 +0100, you wrote:
>Spicer, Kevin wrote:
> > Errol Neal wrote:
> >> Man that's tough! You are rejecting thank you messages?
> >> The best way to deal with this stuff is with this:
> >>
> >> FEATURE(`dnsbl',`relays.osirusoft.com', `"550 Mail
> >> from " $&{client_addr} "was rejected; please see "')
> >
> > You might like to review the list of relays you are using
> >
>doh! Just goes to show I shouldn't mail the list while I'm on the
>phone! I meant blacklists not relays of course!
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>_________________________________________________________________
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance on it is prohibited. BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our
>business.

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From stiret at ONEREDSHOE.NET Fri Sep 5 17:50:35 2003
From: stiret at ONEREDSHOE.NET (Scott Tiret)
Date: Thu Jan 12 21:19:49 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
In-Reply-To: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk>
Message-ID: <1062780635.3080.28.camel@alain.oneredshoe.net>

On Fri, 2003-09-05 at 08:08, Steve Freegard wrote:
> Hi all,
>
> I've (finally!) released a beta of 0.3 - you can download it from
> http://www.sourceforge.net/projects/mailwatch

There are a couple of leftover php pages from 0.2 that are still a problem.

rep_top_recipients_by_quantity.php
rep_top_recipients_by_volume.php

Both of these reports do not display the graph correctly.

Thanks,
--
Scott Tiret
Oneredshoe Network
My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/57cc1b96/attachment.bin

From stiret at ONEREDSHOE.NET Fri Sep 5 17:54:52 2003
From: stiret at ONEREDSHOE.NET (Scott Tiret)
Date: Thu Jan 12 21:19:49 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
In-Reply-To: <1062780451.3080.25.camel@alain.oneredshoe.net>
References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> <1062780451.3080.25.camel@alain.oneredshoe.net>
Message-ID: <1062780892.3080.32.camel@alain.oneredshoe.net>

On Fri, 2003-09-05 at 12:47, Scott Tiret wrote:
> On Fri, 2003-09-05 at 08:08, Steve Freegard wrote:
> > Hi all,
> >
> > I've (finally!) released a beta of 0.3 - you can download it from
> > http://www.sourceforge.net/projects/mailwatch
>
> There seem to be some permission issues on the quarantine folders. They
> are owned by root, but need to be opened and used by others. What are
> the correct permissions for the /var/spool/MailScanner/quarantine
> folder?

Never Mind. I've just read through the INSTALL file. The permissions issue wasn't addressed in the UPGRADING file. Sorry.

--
Scott Tiret
Oneredshoe Network
My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/d777d80a/attachment.bin

From gerry at dorfam.ca Fri Sep 5 18:15:00 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:19:49 2006
Subject: Missed virus?
Message-ID: <63374.129.80.22.143.1062782100.squirrel@tiger.dorfam.ca>

I am comparing two separate virus notifications and can't figure out why there is a difference.

In the first message below F-Prot and Trend each found the Sobig.F virus. However it was missed by ClamAV and MailScanner didn't complain about the file type.

In the second message ClamAV, F-Prot, and Trend found the same virus AND MailScanner flagged the filename.

It appears that the actual problem file was hidden from ClamAV and MailScanner in the first message by sticking it in a txt file. Is this the reason for the difference? In other words, this is a serious shortcoming for those only running ClamAV.

Gerry

Message 1
Sender: mailer-daemon@twista.freelimit.com
IP Address: 127.0.0.1
Recipient: bdoris@localhost
Subject: Mail delivery failed: returning message to sender
MessageID: h85GKCv7010242
Report: F-Prot: /var/spool/MailScanner/incoming/6184/h85GKCv7010242/msg-6184-52.txt->document_all.pif Infection: W32/Sobig.F@mm
Trend: Found virus WORM_SOBIG.F in file ./h85GKCv7010242/msg-6184-52.txt

Message 2
Sender: 7uifbbly6@compuserve.com
IP Address: 127.0.0.1
Recipient: bdoris@localhost
Subject: Your details
MessageID: h85GUEv7010704
Report: ClamAV: document_9446.pif contains Worm.Sobig.F
F-Prot: /var/spool/MailScanner/incoming/6184/h85GUEv7010704/document_9446.pif Infection: W32/Sobig.F@mm
Trend: Found virus WORM_SOBIG.F in file ./h85GUEv7010704/document_9446.pif
MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (document_9446.pif)
No programs allowed (document_9446.pif)

From stiret at ONEREDSHOE.NET Fri Sep 5 18:16:19 2003
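An added illustration of the situation described in the "Missed virus?" message above (not part of the original thread, and not MailScanner or ClamAV code): assuming the bounce pasted the original message's source into its plain-text body, a filename check that walks only the MIME structure sees no attachment, while re-parsing the text body recovers the .pif name. All addresses, the placeholder payload, the extension list and the function names are constructed for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Illustrative extension list; not MailScanner's own filename rules.
BLOCKED_EXTENSIONS = (".pif", ".scr", ".exe")
HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:\s")
MAX_DEPTH = 3  # bound the re-parsing of bodies nested inside bodies


def build_original():
    """Constructed stand-in for the infected mail: harmless bytes, .pif name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your details"
    msg.set_content("See the attached file for details")
    msg.add_attachment(b"harmless placeholder bytes",
                       maintype="application", subtype="octet-stream",
                       filename="document_all.pif")
    return msg


def build_bounce(original):
    """Constructed bounce that pastes the original's source into its text body."""
    bounce = EmailMessage()
    bounce["From"] = "mailer-daemon@mta.example.net"
    bounce["To"] = "sender@example.com"
    bounce["Subject"] = "Mail delivery failed: returning message to sender"
    bounce.set_content(
        "A message that you sent could not be delivered.\n\n"
        "--- copy of the message follows ---\n\n" + original.as_string())
    return bounce


def as_received(msg):
    """Serialise and re-parse, which is what a gateway scanner works from."""
    return email.message_from_string(msg.as_string(), policy=policy.default)


def structural_names(msg):
    """Attachment names visible from the MIME structure alone."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def embedded_messages(text):
    """Yield messages re-parsed from header blocks found inside a text body."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # A candidate block starts at a header line that follows a blank line.
        if not HEADER_LINE.match(line) or (i > 0 and lines[i - 1].strip()):
            continue
        block = []
        for header in lines[i:]:
            if not header.strip():
                break
            block.append(header.lower())
        # Only re-parse blocks that declare MIME content.
        if any(h.startswith("content-type:") for h in block):
            yield email.message_from_string("\n".join(lines[i:]),
                                            policy=policy.default)


def deep_names(msg, depth=0):
    """Structural names plus names found by re-parsing plain-text bodies."""
    names = structural_names(msg)
    if depth >= MAX_DEPTH:
        return names
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        for inner in embedded_messages(part.get_content()):
            for name in deep_names(inner, depth + 1):
                if name not in names:
                    names.append(name)
    return names


def blocked(names):
    """Names that the illustrative extension rule would reject."""
    return [n for n in names if n.lower().endswith(BLOCKED_EXTENSIONS)]


if __name__ == "__main__":
    received = as_received(build_bounce(build_original()))
    print("structure only:", blocked(structural_names(received)))
    print("with body re-parse:", blocked(deep_names(received)))
```
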
From: stiret at ONEREDSHOE.NET (Scott Tiret)
Date: Thu Jan 12 21:19:49 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
In-Reply-To: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk>
Message-ID: <1062782179.3080.35.camel@alain.oneredshoe.net>

On Fri, 2003-09-05 at 08:08, Steve Freegard wrote:
> Hi all,
>
> I've (finally!) released a beta of 0.3 - you can download it from
> http://www.sourceforge.net/projects/mailwatch

There is a problem with Cron /usr/sbin/mailq.php. Have I done something else wrong?

>
> Warning: main(/var/www/html/mailwatch/mailscanner/functions.php): failed to open stream: No such file or directory in /usr/sbin/mailq.php on line 22
>
> Fatal error: main(): Failed opening required '/var/www/html/mailwatch/mailscanner/functions.php' (include_path='.:/usr/share/pear') in /usr/sbin/mailq.php on line 22
--
Scott Tiret
Oneredshoe Network
My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/6a933162/attachment.bin

From mailscanner at LISTS.COM.AR Fri Sep 5 18:21:29 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:49 2006
Subject: Moving Mail between Scanners
In-Reply-To: <5.1.0.14.0.20030905115016.03d8c008@mail.enhtech.com>
Message-ID: <3F589BE9.27286.116BF7C@localhost>

Well... you can't have it all, that is, some of the mail "in process" will have to be reprocessed, but you will (quite probably) not lose any message by following this procedure:

As the standard init.d script doesn't allow for individual service handling, the easiest way to keep the output queue being processed while leaving everything else stopped (so the input queue which you'll be fiddling with doesn't get corrupted) is the following:

service MailScanner stop

(wait 10 seconds approx. given that MailScanner processes take a while)

this will have stopped everything. Regretfully, the half-processed messages at this point are discarded, but they will be processed again later. This will include at most "Max Children" messages (as configured in your MailScanner.conf file, default=5). It is a relatively small price.

Now keep the outgoing sendmail (or whatever mta you're using) going:

service MailScanner startout

Now you have to look in the incoming queue directory(ies) (they're specified in MailScanner.conf as "Incoming Queue Dir =") and take the files from there to the other servers (you can include the current server among the ones that get part of the share).

If you're using a 2-file queue MTA (sendmail or Exim) you have to move the files in pairs (q file & d file).

Suppose you have:

qf200309051122335321
df200309051122335321
qf200309051122333161
df200309051122333161
qf200309051122412612
df200309051122412612

you can decide to move the qf200309051122335321+df200309051122335321 pair to server1, the qf200309051122333161+df200309051122333161 pair to server2 and leave qf200309051122412612+df200309051122412612 in the current server (server0).

First move the files you will move out from /var/spool/mqueue.in (or whatever incoming queue directory) to some place else.

Create the following directories in the _SAME_ filesystem as your incoming queue directory:

mkdir /var/spool/migrate.2.server1
mkdir /var/spool/migrate.2.server2

mv qf200309051122335321 df200309051122335321 /var/spool/migrate.2.server1
mv qf200309051122333161 df200309051122333161 /var/spool/migrate.2.server2

(you'll have to script this reasonably and not do it manually).

Once you've taken these queue files off the incoming spool, you can start all of MailScanner in server0 so it keeps processing.

service MailScanner start

In the destination servers, create one new directory in the _SAME_ filesystem as the incoming queue dir (it is _KEY_ for this to work that everything is in the same filesystem):

mkdir /var/spool/migrated.from.server0

Now, copy the files to the new servers:

scp /var/spool/migrate.2.server1/* server1:/var/spool/migrated.from.server0
scp /var/spool/migrate.2.server2/* server2:/var/spool/migrated.from.server0

Now in each of the new servers do:

mv /var/spool/migrated.from.server0/df* /var/spool/mqueue.in
mv /var/spool/migrated.from.server0/qf* /var/spool/mqueue.in

The order is important, since MailScanner first looks for the qf file and then for the df file, so, by the time the qf file is found, you are sure that the corresponding qf file is already there.

The "mv" inside a filesystem guarantees you that the file is complete by the time it is inserted in the queue directory.
On 5 Sep 2003 at 11:51, Errol Neal wrote:

> Hi all,
>
> I have a MailScanner that is about 13 hrs behind in terms of mail delivery.
> I need to move part of the queued mail onto another Scanner. What is the
> best way to do this while taking into consideration the mail already
> unpacked and probably half processed?
>
>
> Errol Neal
>
> Errol Neal, Systems/Network Administrator
> eneal@enhtech.com
> Enhanced Technologies Inc.
> http://www.enhtech.com
> 703-924-0301 or 800-368-3249
> 703-924-0302 Fax

--
Mariano Absatz
El Baby
----------------------------------------------------------
Lottery: A tax on people who are bad at math.

From Kevin_Miller at CI.JUNEAU.AK.US Fri Sep 5 18:27:39 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:19:49 2006
Subject: Sobig.F resurgence
Message-ID: <08146035CA49D6119A36009027AC822A0264E71A@CITY-EXCH-NTS>

>Man that's tough! You are rejecting thank you messages?
>The best way to deal with this stuff is with this:
>
>
>##
># enable these for DNS blacklist protection from spam
>##
>dnl FEATURE(`dnsbl',`bl.spamcop.net', `"550 Mail from "

snip

Am I correct in thinking these are strictly sendmail actions and that they occur when the smtp server is first contacted, thus saving MS of having to do the grunt work? If so, do you just ignore, or leave blank the RBL entries in the MS configuration?

...Kevin
-------------------
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From raymond at PROLOCATION.NET Fri Sep 5 18:31:02 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:49 2006
Subject: Sobig.F resurgence
In-Reply-To: <5.1.0.14.0.20030905120818.1018da50@mail.enhtech.com>
Message-ID:

Hi!

> dnl FEATURE(`dnsbl',`relays.osirusoft.com', `"550 Mail from "
> $&{client_addr} "was rejected; please see "')dnl

Haha, you must have a load of spam if this is your current config =)

Bye,
Raymond.

From gerry at dorfam.ca Fri Sep 5 18:33:10 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:19:49 2006
Subject: Bounced sobig passes thru MS and anti-virus checks
In-Reply-To: <000f01c373c8$640db820$6600a8c0@Orthanc>
References: <000f01c373c8$640db820$6600a8c0@Orthanc>
Message-ID: <64754.129.80.22.133.1062783190.squirrel@tiger.dorfam.ca>

> Some automated replies, which also contained the Sobig virus, notifying
> users that they had sent an infected message apparently made it thru MS
> and anti-virus checks. The desktop AV package identified the message
> attachment as infected with Sobig.f. Directly sent Sobig messages are
> correctly handled both by MS checking the extension and by the
> anti-virus scan.
>
>
>
> Any suggestions as to where to start looking to determine why these
> messages made it thru?
>
>
>
>
>
> Steve Ellis
>
> Sr Engineer
>
> KaZaK Composites, Inc.
>
> 781.932.5667 x105

I just sent a message to the list where I described two different Sobig.F virus emails arriving at my system. One was picked up by F-Prot and Trend and the other was picked up by F-Prot, Trend, and ClamAV. Also, MailScanner flagged the filename in the second message but missed the first.

It appears that the actual virus file was contained within another file in the first message. While I expected that MailScanner wouldn't see the problem file name I wasn't aware that ClamAV would just pass the entire mess right through!

Gerry From steve.freegard at LBSLTD.CO.UK Fri Sep 5 18:34:54 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:19:49 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta Message-ID: <67D9E7698329D411936E00508B6590B902773AE5@neelix.lbsltd.co.uk> Hi Scott, It looks like you need to edit the require line in mailq.php to reflect the real location of functions.php - probably something like /var/www/html/mailscanner/functions.php. I'll add this to the docs. Regards, Steve. -----Original Message----- From: Scott Tiret To: MAILSCANNER@JISCMAIL.AC.UK Sent: 05/09/03 18:16 Subject: Re: ANNOUNCE: MailWatch for MailScanner 0.3 Beta On Fri, 2003-09-05 at 08:08, Steve Freegard wrote: > Hi all, > > I've (finally!) released a beta of 0.3 - you can download it from > http://www.sourceforge.net/projects/mailwatch There is a problem with Cron /usr/sbin/mailq.php. Have I done something else wrong? >
> Warning: main(/var/www/html/mailwatch/mailscanner/functions.php): failed to open stream: No such file or directory in /usr/sbin/mailq.php on line 22
>
> Fatal error: main(): Failed opening required '/var/www/html/mailwatch/mailscanner/functions.php' (include_path='.:/usr/share/pear') in /usr/sbin/mailq.php on line 22
-- Scott Tiret Oneredshoe Network My Public Key http://www.oneredshoe.net/stiret@oneredshoe.net.asc -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From kevins at BMRB.CO.UK Fri Sep 5 18:35:51 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:49 2006 Subject: Sobig.F resurgence In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A79F4@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A79F4@pascal.priv.bmrb.co.uk> Message-ID: <1062783354.24760.15.camel@bach.kevinspicer.co.uk> On Fri, 2003-09-05 at 17:49, Errol Neal wrote: >Actually, no longer using osi, it is commented out in the .mc but I >have >not removed it. Sorry, yes thats quite clear now I look more carefully. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From errol.neal at ENHTECH.COM Fri Sep 5 18:39:25 2003 From: errol.neal at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:19:49 2006 Subject: Sobig.F resurgence In-Reply-To: <08146035CA49D6119A36009027AC822A0264E71A@CITY-EXCH-NTS> Message-ID: <5.1.0.14.0.20030905133800.100edde0@mail.enhtech.com> Yep you are correct. 
This is done at the rcpt before mail is even queued. This will save you a lot of load and cpu. If you want sendmail to do this, just disable rbl checks in your spamassassin.prefs file in your MailScanner directory. At 09:27 AM 9/5/2003 -0800, you wrote: > >Man that's tough! You are rejecting thank you messages? > >The best way to deal with this stuff is with this: > > > > > >## > ># enable these for DNS blacklist protection from spam > >## > >dnl FEATURE(`dnsbl',`bl.spamcop.net', `"550 Mail from " >snip > >Am I correct in thinking these are strictly sendmail actions and that they >occur when the smtp server is first contacted, thus saving MS of having to >do the grunt work? If so, do you just ignore, or leave blank the RBL >entries in the MS configuration? > >...Kevin >------------------- >Kevin Miller Registered Linux User No: 307357 >CBJ MIS Dept. Network Systems Administrator, Mail >Administrator >155 South Seward Street ph: (907) 586-0242 >Juneau, Alaska 99801 fax: (907 586-4500 Errol Neal, Systems/Network Administrator eneal@enhtech.com Enhanced Technologies Inc. http://www.enhtech.com 703-924-0301 or 800-368-3249 703-924-0302 Fax From kevins at BMRB.CO.UK Fri Sep 5 18:42:06 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:49 2006 Subject: Missed virus? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A79F7@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A79F7@pascal.priv.bmrb.co.uk> Message-ID: <1062783727.24760.22.camel@bach.kevinspicer.co.uk> On Fri, 2003-09-05 at 18:15, Gerry Doris wrote: >I am comparing two separate virus notifications and can't figure out why >there is a difference. In the first message below F-Prot and Trend each >found the Sobig.F virus. However it was missed by ClamAV and >MailScanner >didn't complain about the file type. It looks like the message is a bounce and the txt file is in fact the original message. 
MailScanner's blocking rules only look at the top level attachment IIRC, but the virus is in a second level (just like putting it in a zip file). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From slwatts at WINCKWORTHS.CO.UK Fri Sep 5 18:42:22 2003 From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:19:49 2006 Subject: OT: - holding mail for a particular domain Message-ID: Hi, I know this is off topic as it only really relates to the MTA but wondered if anyone could help. Using postfix 2 is it possible to stop delivery of all mail to a domain and hold it until the block is released? Thanks and sorry for posting this here but Kinda desperate! Sam -----Original Message----- From: Tim Sailer [mailto:sailer@BNL.GOV] Sent: 05 September 2003 16:22 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: how to set up an RBL On Fri, Sep 05, 2003 at 04:14:34PM +0200, Raymond Dijkxhoorn wrote: > Hi! > > > I have a small RBL and domain, spambites.net. I am making it > > 'subscription' only, and it will be manually administered, as far as > > entries. Either a web form, or email submission. Entries will be > > 'expired' after so many days, depending on why it was entered (SPAM, > > open relay, etc). > > > > So, if any one is serious about this, I've got the framework in > > place. > > > > We all try to fight spam, we all see the spammers coming in, so > > > we only need a interface to get things in. 
> > > > > > Are there people interested in that idea ? > > I am surely interested, please submit me some info offlist. OK, basic rules, that I'm just tarting to flesh out is: Don't abuse the system. Keep a local DNS zone running (to save my connection). I can add you to the email alias I'm using as a starting point, so interested parties can bang around ideas. Let me know. Tim -- Tim Sailer Information and Special Technologies Program Office of CounterIntelligence Brookhaven National Laboratory (631) 344-3001 -------------- Winckworth Sherwood Solicitors and Parliamentary Agents DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR Telephone 020 7593 5000 Fax 020 7593 5099 Do something amazing! The firm is supporting a charitable bike ride through Vietnam and needs your help. For further information please visit http://www.vietnambikeride.org -Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system. -Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email. -Regulation- The firm is regulated by the Law Society. -Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at http://www.winckworths.co.uk From errol.neal at ENHTECH.COM Fri Sep 5 18:46:53 2003 From: errol.neal at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:19:49 2006 Subject: Using Bayesian Engine Message-ID: <5.1.0.14.0.20030905134507.040efe40@mail.enhtech.com> Hi again all, Trying to optimize my "babies" :-) What are the disadvantages of disabling the "Bayesian" engine? The notes in the Advanced Spam Assassin config say that it is a real resource hog. 
Will I notice a difference in the amount of spam that is actually blocked? Regards, Errol Errol Neal, Systems/Network Administrator eneal@enhtech.com Enhanced Technologies Inc. http://www.enhtech.com 703-924-0301 or 800-368-3249 703-924-0302 Fax From slwatts at WINCKWORTHS.CO.UK Fri Sep 5 18:53:53 2003 From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:19:49 2006 Subject: - holding mail for a particular domai - found it Message-ID: Sorry - I have found a way... Not sure if it's correct but it appears to work: Re-write the transport mapping for that domain to use 'defer:' Sam -----Original Message----- From: Samuel Luxford-Watts [mailto:slwatts@WINCKWORTHS.CO.UK] Sent: 05 September 2003 18:42 To: MAILSCANNER@JISCMAIL.AC.UK Subject: OT: - holding mail for a particular domain Hi, I know this is off topic as it only really relates to the MTA but wondered if anyone could help. Using postfix 2 is it possible to stop delivery of all mail to a domain and hold it until the block is released? Thanks and sorry for posting this here but Kinda desperate! Sam -----Original Message----- From: Tim Sailer [mailto:sailer@BNL.GOV] Sent: 05 September 2003 16:22 To: MAILSCANNER@JISCMAIL.AC.UK Sub
From mikea at MIKEA.ATH.CX Fri Sep 5 18:59:01 2003 From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:19:49 2006 Subject: Using Bayesian Engine In-Reply-To: <5.1.0.14.0.20030905134507.040efe40@mail.enhtech.com>; from errol.neal@ENHTECH.COM on Fri, Sep 05, 2003 at 01:46:53PM -0400 References: <5.1.0.14.0.20030905134507.040efe40@mail.enhtech.com> Message-ID: <20030905125900.A77097@mikea.ath.cx> On Fri, Sep 05, 2003 at 01:46:53PM -0400, Errol Neal wrote: > Hi again all, > > Trying to optimize my "babies" :-) > > What are the disadvantages of disabling the "Bayesian" engine? The notes in > the Advanced Spam Assassin config say that it is a real resource hog. > Will I notice a difference in the amount of spam that is actually blocked? You may indeed, though I won't guarantee it. I certainly did -- by a *MUCH* bigger factor than I had expected. Which is the bigger resource hog: spam or the spam-filtering machine? I save a lot of resources for my users by filtering their mail for them, and they're _ever_ so glad I do. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From mailscanner at LISTS.COM.AR Fri Sep 5 19:05:44 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:49 2006 Subject: Filename Subject Text vs. Content Subject Text Message-ID: <3F58A648.16303.13F40ED@localhost> Hi, I'm using MS 4.23-11 with SA 2.55. It seems MS is somehow confusing "Filename Subject Text" "Content Subject Text". 
I have the following settings:

Allow IFrame Tags = no
Log IFrame Tags = yes
Allow Form Tags = no
Allow Object Codebase Tags = no
Filename Modify Subject = no
Filename Subject Text = {Nombre de archivo anexo prohibido}
Content Modify Subject = yes
Content Subject Text = {Contenido potencialmente peligroso}

And, when getting a message with IFrame, it added the "Filename Subject Text" instead of the "Content Subject Text" I expected. Here's the log:

Sep 5 14:43:51 or MX[4995]: New Batch: Scanning 1 messages, 43452 bytes
Sep 5 14:43:51 or MX[4995]: Spam Checks: Starting
Sep 5 14:43:54 or MX[4995]: Virus and Content Scanning: Starting
Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-156.html (no rule matched)
Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-155.txt
Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-155.txt
Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-156.html
Sep 5 14:43:54 or MX[4995]: HTML IFrame tag found in message 1221617 from boletininformar@redinformar.com.ar
Sep 5 14:43:54 or MX[4995]: Content Checks: Detected HTML-specific exploits in 1221617
Sep 5 14:43:54 or MX[4995]: Content Checks: Found 1 problems
Sep 5 14:43:54 or MX[4995]: ZM: message 1221617 renamed into 1156463
Sep 5 14:43:54 or MX[4995]: Silent: Delivered 1 messages containing silent viruses

And the modified was:

{Nombre de archivo anexo prohibido} RI-Boletín Informar Computación: Año 1 - Número 51 - SEPTIEMBRE 5, 2003

Are these entries mixed up? -- Mariano Absatz El Baby ---------------------------------------------------------- "Walking on water and developing software from a specification are easy if both are frozen." -- Edward V. Berard, "Life-Cycle Approaches"
From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 19:19:24 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:49 2006 Subject: Missed virus? 
In-Reply-To: <1062783727.24760.22.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A79F7@pascal.priv.bmrb.co.uk> <1062783727.24760.22.camel@bach.kevinspicer.co.uk> Message-ID: <200309051819.h85IJT504407@onyx.rockstone.co.uk> On Friday 05 September 2003 6:42 pm, Kevin Spicer wrote: > On Fri, 2003-09-05 at 18:15, Gerry Doris wrote: > > I am comparing two separate virus notifications and can't figure out > > why there is a difference. In the first message below F-Prot and Trend > > each found the Sobig.F virus. However it was missed by ClamAV and > > MailScanner didn't complain about the file tpye. > > It looks like the message is a bounce and the txt file is in fact the > original message. MailScanner's blocking rules only look at the top > level attachment IIRC, but the virus is in a second level (just like > putting it in a zip file). This doesn't sound like a plausible explanation to me. I thought MailScanner recursively checked archives/zips/etc until it found a 'real file' to check for being a virus or not. I just tested this by taking eicar.com, tar-gzipping it, then winzipping the tgz file, then bzip2-ing the winzip file, and emailing myself the .bz2 file. Eicar got found by ClamAV, AntiVir and McAfee (which, with the AV engines I run on this mail server, means it got missed by BitDefender, F-Prot, Inoculan, Kaspersky and NOD32). Not a good result (but I notice ClamAV, which the original posting was about, did see it). Antony. -- 90% of network problems are routing problems. 9 of the remaining 10% are routing problems in the other direction. The remaining 1% might be something else, but check the routing anyway. From errol.neal at ENHTECH.COM Fri Sep 5 19:24:15 2003 From: errol.neal at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:19:49 2006 Subject: Real Expectations.. Message-ID: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com> Hi again.. My boss is giving me headaches about the performance of our MailScanners. 
What kind of performance should one expect on Sun Solaris 500 mhz sparc with 512 ram and ide disks running 4.22-4? I think right now we are pumping out somewhere in the neighborhood of 300-500 messages per hour. I think that is reasonable for the hardware we have and these system are dedicated Scanners. Can someone throw some hardware templates at me based upon their experiences and give me some numbers? Errol Errol Neal, Systems/Network Administrator eneal@enhtech.com Enhanced Technologies Inc. http://www.enhtech.com 703-924-0301 or 800-368-3249 703-924-0302 Fax From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 19:27:58 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:49 2006 Subject: Missed virus? In-Reply-To: <200309051819.h85IJT504407@onyx.rockstone.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A79F7@pascal.priv.bmrb.co.uk> <1062783727.24760.22.camel@bach.kevinspicer.co.uk> <200309051819.h85IJT504407@onyx.rockstone.co.uk> Message-ID: <200309051828.h85IS3504437@onyx.rockstone.co.uk> On Friday 05 September 2003 7:19 pm, Antony Stone wrote: > I thought MailScanner recursively checked archives/zips/etc until it found > a 'real file' to check for being a virus or not. Before anyone else points it out, I realise that I was clearly wrong in this thinking, as my own test results demonstrated: > I just tested this by taking eicar.com, tar-gzipping it, then winzipping > the tgz file, then bzip2-ing the winzip file, and emailing myself the .bz2 > file. > > Eicar got found by ClamAV, AntiVir and McAfee (which, with the AV engines I > run on this mail server, means it got missed by BitDefender, F-Prot, > Inoculan, Kaspersky and NOD32). It's also clear from the output of AntiVir that it's doing its own archive unpacking. 
Here's the message logged by MailScanner (which is simply the output it recevied from AntiVir): AntiVir: ALERT: [Eicar-Test-Signatur virus] thisiseicar.bz2 --> thisiseicar --> thisiseicar.tgz --> unkwn.tar --> thisiseicar.com <<< Contains code of the Eicar-Test-Signatur virus As you can see it works its own way down inside the files until it sees what's lurking in the middle. Antony -- Behind the counter a boy with a shaven head stared vacantly into space, a dozen spikes of microsoft protruding from the socket behind his ear. - William Gibson, Neuromancer (1984) From mikea at MIKEA.ATH.CX Fri Sep 5 19:42:26 2003 From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:19:49 2006 Subject: Real Expectations.. In-Reply-To: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com>; from errol.neal@ENHTECH.COM on Fri, Sep 05, 2003 at 02:24:15PM -0400 References: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com> Message-ID: <20030905134226.D77167@mikea.ath.cx> On Fri, Sep 05, 2003 at 02:24:15PM -0400, Errol Neal wrote: > Hi again.. > > My boss is giving me headaches about the performance of our MailScanners. > What kind of performance should one expect on Sun Solaris 500 mhz sparc > with 512 ram and ide disks running 4.22-4? > I think right now we are pumping out somewhere in the neighborhood of > 300-500 messages per hour. I think that is reasonable for the hardware we > have and these system are dedicated Scanners. > Can someone throw some hardware templates at me based upon their > experiences and give me some numbers? I'm currently running a dedicated Intel P-III 450 MHz with IDE disks, 384 MB RAM. OS is FreeBSD 4.8, with sendmail 8.12.something, MailScanner, SpamAssassin using Bayesian filtering, and ClamAV. 
The box does pretty well at this load, although it *will* be nice to get the long-promised server-grade dual-P-IV-2.4-GHz box with 1 GB RAM and huge Fast Wide SCSI-III disks:

Mail Statistics; Produced by isdmon2:/home/mikea/bin/mailstats.pl; Run by isdmon2:/etc/crontab

          Mails   spamassassin     rejected        scanner         total mails
          Total   says 'spam'      by ruleset      says virus      undelivered
Sep  3    6194    1543 (24.91%)    471 ( 7.60%)    651 (10.51%)    2665 (43.03%)
Sep  2    6910    1400 (20.26%)    427 ( 6.18%)    703 (10.17%)    2530 (36.61%)
Sep  1     129       4 ( 3.10%)      5 ( 3.88%)     45 (34.88%)      54 (41.86%)
Aug 31      51       1 ( 1.96%)      2 ( 3.92%)      5 ( 9.80%)       8 (15.69%)
Aug 30     585     255 (43.59%)     43 ( 7.35%)     89 (15.21%)     387 (66.15%)
Aug 29    5381    1419 (26.37%)    407 ( 7.56%)    513 ( 9.53%)    2339 (43.47%)
Aug 28    6131    1464 (23.88%)    454 ( 7.40%)    696 (11.35%)    2614 (42.64%)
Aug 27    6638    1363 (20.53%)    495 ( 7.46%)    856 (12.90%)    2714 (40.89%)

My `top` output tends to look like this:

last pid: 51725; load averages: 0.50, 0.62, 0.52 up 30+05:40:08 13:41:16
147 processes: 147 sleeping
CPU states: 41.2% user, 0.0% nice, 12.0% system, 0.4% interrupt, 46.5% idle
Mem: 124M Active, 125M Inact, 77M Wired, 13M Cache, 48M Buf, 34M Free
Swap: 2048M Total, 55M Used, 1993M Free, 2% Inuse

  PID USERNAME PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
38768 mikea      2    0 13420K 10812K select  63:34  4.54%  4.54% Xvnc
39894 root      10    0 27432K 25996K nanslp   0:19  2.00%  2.00% perl
40821 root      10    0 27324K 25876K nanslp   0:14  0.44%  0.44% perl
39825 root      10    0 27500K 26072K nanslp   0:17  0.29%  0.29% perl

-- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964
From kevins at BMRB.CO.UK Fri Sep 5 20:16:40 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:49 2006 Subject: Missed virus? 
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A08@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A08@pascal.priv.bmrb.co.uk> Message-ID: <1062789400.24760.39.camel@bach.kevinspicer.co.uk> On Fri, 2003-09-05 at 19:27, Antony Stone wrote: > I just tested this by taking eicar.com, tar-gzipping it, then winzipping > the tgz file, then bzip2-ing the winzip file, and emailing myself the .bz2 > file. > > Eicar got found by ClamAV, AntiVir and McAfee (which, with the AV engines I > run on this mail server, means it got missed by BitDefender, F-Prot, > Inoculan, Kaspersky and NOD32). And of course MailScanner didn't pick up the .com file & block it. I performed a test myself, which I hoped would imitate the message which the original post was about. I created an email with email.com and eicar.zip attached, then forwarded the email as an attachment to myself. Both Sophos(savi) and Clam picked up both copies of eicar, what's more MailScanner also blocked the com file. This suggests that although the original post's problem message (I guess) had the original email attached there was something irregular about its formatting which prevented MailScanner and Clam from recognising it as an attached message and treat it as such. It would be most interesting to see the source of the original message (if you still have it Gerry). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 
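The two nesting cases discussed in this thread, as an added example that is not part of any poster's message and is not MailScanner's or ClamAV's code: a filename check that walks into a message/rfc822 attachment, and the guessed failure case where the original message arrives as a plain .txt attachment that the MIME parser treats as a leaf. The deny list, addresses, file names and the header heuristic are all assumptions made for the illustration, and the sample bounces are constructed with a harmless placeholder payload.

```python
"""Filename checks over nested mail attachments (added example)."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed deny list for illustration; not MailScanner's shipped rules.
BLOCKED_EXT = {".com", ".pif", ".scr", ".exe"}
MAX_DEPTH = 10  # fail closed on absurd nesting instead of recursing forever
HEADER_HINTS = {b"from", b"to", b"subject", b"received",
                b"mime-version", b"content-type"}


def build_inner():
    """Constructed 'original message' carrying a harmless placeholder file."""
    inner = EmailMessage()
    inner["From"] = "sender@example.org"
    inner["To"] = "user@example.net"
    inner["Subject"] = "Re: Details"
    inner.set_content("See the attached file for details.")
    inner.add_attachment(b"constructed placeholder, not malware",
                         maintype="application", subtype="octet-stream",
                         filename="details.pif")
    return inner


def build_bounce(as_rfc822):
    """Constructed bounce that returns the original message to the sender."""
    outer = EmailMessage()
    outer["From"] = "MAILER-DAEMON@example.net"
    outer["To"] = "sender@example.org"
    outer["Subject"] = "Virus found in message you sent"
    outer.set_content("Your message was rejected.")
    inner = build_inner()
    if as_rfc822:
        outer.add_attachment(inner)            # proper message/rfc822 part
    else:
        outer.add_attachment(inner.as_bytes(),  # raw message dumped in a .txt
                             maintype="text", subtype="plain",
                             filename="original.txt")
    return outer.as_bytes()


def parse(raw):
    return message_from_bytes(raw, policy=policy.default)


def top_level_names(msg):
    """What a check limited to the outermost attachments can see."""
    if not msg.is_multipart():
        return []
    return [p.get_filename() for p in msg.get_payload() if p.get_filename()]


def looks_like_message(data):
    """Heuristic: does a leaf part begin with several RFC 822 header fields?"""
    head = data.lstrip()[:4096].replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    names = {line.split(b":", 1)[0].strip().lower()
             for line in head.splitlines()
             if b":" in line and not line[:1].isspace()}
    return len(names & HEADER_HINTS) >= 3


def attachment_names(part, depth=0, reparse_text=False):
    """Return (depth, filename) pairs for every named part, at any level."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep, treat the message as suspicious")
    found = []
    name = part.get_filename()
    if name:
        found.append((depth, name))
    if part.is_multipart():          # true for multipart/* and message/rfc822
        for child in part.get_payload():
            found += attachment_names(child, depth + 1, reparse_text)
    elif reparse_text:
        data = part.get_payload(decode=True) or b""
        if looks_like_message(data):  # an embedded message hiding in a leaf
            found += attachment_names(parse(data), depth + 1, reparse_text)
    return found


def blocked(names):
    return [n for _, n in names
            if os.path.splitext(n)[1].lower() in BLOCKED_EXT]


if __name__ == "__main__":
    for label, flag in (("message/rfc822", True), ("text/plain .txt", False)):
        msg = parse(build_bounce(as_rfc822=flag))
        print(label)
        print("  top level only :", top_level_names(msg))
        print("  MIME recursion :", blocked(attachment_names(msg)))
        print("  with re-parse  :", blocked(attachment_names(msg, reparse_text=True)))
```
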
From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 20:23:37 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:49 2006 Subject: Missed virus? In-Reply-To: <1062789400.24760.39.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A08@pascal.priv.bmrb.co.uk> <1062789400.24760.39.camel@bach.kevinspicer.co.uk> Message-ID: <200309051923.h85JNg504643@onyx.rockstone.co.uk> On Friday 05 September 2003 8:16 pm, Kevin Spicer wrote: > On Fri, 2003-09-05 at 19:27, Antony Stone wrote: > > I just tested this by taking eicar.com, tar-gzipping it, then > > winzipping the tgz file, then bzip2-ing the winzip file, and emailing > > myself the .bz2 file. > And of course MailScanner didn't pick up the .com file & block it. Well, that is what I would expect (not picking it up) since MailScanner's file extension rules definitely only apply to the actual file being attached. > It would be most interesting to see the source of the original message > (if you still have it Gerry). I agree :) Antony. -- Anyone that's normal doesn't really achieve much. - Mark Blair, Australian rocket engineer From kevins at BMRB.CO.UK Fri Sep 5 20:36:44 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:49 2006 Subject: Missed virus? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A0B@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A0B@pascal.priv.bmrb.co.uk> Message-ID: <1062790604.24761.49.camel@bach.kevinspicer.co.uk> On Fri, 2003-09-05 at 20:23, Antony Stone wrote: >> And of course MailScanner didn't pick up the .com file & block it. >Well, that is what I would expect (not picking it up) since >MailScanner's >file extension rules definitely only apply to the actual file being >attached. I agree thats correct, but thats why my test results... >>I performed a test myself, which I hoped would imitate the message >>which >>the original post was about. 
I created an email with email.com and >>eicar.zip attached, then forwarded the email as an attachment to >>myself. Both Sophos(savi) and Clam picked up both copies of eicar, >>whats more MailScanner also blocked the com file. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ surprised me (pleasantly). I didn't really expect that MailScanner would recurse through attached emails (Julians too clever by half!). Which begs the question why didn't it recurse through the attached message in Gerry's file. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From jase at SENSIS.COM Fri Sep 5 20:40:18 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:19:49 2006 Subject: Missed virus? Message-ID: > >>I performed a test myself, which I hoped would imitate the message > >>which > >>the original post was about. I created an email with email.com and > >>eicar.zip attached, then forwarded the email as an attachment to > >>myself. Both Sophos(savi) and Clam picked up both copies of eicar, > >>whats more MailScanner also blocked the com file. > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > surprised me (pleasantly). I didn't really expect that MailScanner > would recurse through attached emails (Julians too clever by half!). > Which begs the question why didn't it recurse through the attached > message in Gerry's file. 
Without seeing the file myself, I would guess that it is inside of an attached email message (.txt) in some rfc format which Clam does not unpack to check for viruses. Jason From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 20:44:31 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:49 2006 Subject: Missed virus? In-Reply-To: <1062790604.24761.49.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A0B@pascal.priv.bmrb.co.uk> <1062790604.24761.49.camel@bach.kevinspicer.co.uk> Message-ID: <200309051944.h85Jia504722@onyx.rockstone.co.uk> On Friday 05 September 2003 8:36 pm, Kevin Spicer wrote: > On Fri, 2003-09-05 at 20:23, Antony Stone wrote: > >> And of course MailScanner didn't pick up the .com file & block it. > > > >Well, that is what I would expect (not picking it up) since > >MailScanner's > >file extension rules definitely only apply to the actual file being > >attached. > > I agree thats correct, but thats why my test results... > > >>I performed a test myself, which I hoped would imitate the message > >>which > >>the original post was about. I created an email with email.com and > >>eicar.zip attached, then forwarded the email as an attachment to > >>myself. Both Sophos(savi) and Clam picked up both copies of eicar, > >>whats more MailScanner also blocked the com file. > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > surprised me (pleasantly). I didn't really expect that MailScanner > would recurse through attached emails (Julians too clever by half!). > Which begs the question why didn't it recurse through the attached > message in Gerry's file. Hm. I think finding a file in an RFC822 attachment is different from recursing inside zip-type archives - I would expect MailScanner's filename rules to match the first but not the second. Regards, Antony. -- Perfection in design is achieved not when there is nothing left to add, but rather when there is nothing left to take away. 
- Antoine de Saint-Exupery From mailscanner at BARENDSE.TO Fri Sep 5 21:10:32 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:19:49 2006 Subject: sendmail discard subjects Message-ID: I am using mailscanner rules to discard emails that have a certain subject. This works great for some viruses and read and not read receipt messages that are extremely annoying. Any read / not read messages usually have subject that looks like Read: blabla subject This is only the case for replies to mails that are in the regular character set. These rules do not catch mails that reply to mails that were in a different character set. If I look in pine the mail subject looks normal but when I look in the qf/df pairs the subject looks like this: H??Subject: =?iso-8859-1?Q?Read=3A_Angaben_f=FCr_Tarragona I tried the following in my subjects file: read: =?iso-8859-1?Q?Read=3A_ not.read: ?iso-8859-1?Q?not_read gelezen: niet.gelezen: le?do: no.le?do: lida: lidas: but the strange character set ones still get through and the 2 lines that include the iso char set do not seem to work. need I do anything special so sendmail will recognize these other messages as well?? From vosburgh at DALSEMI.COM Fri Sep 5 21:22:02 2003 From: vosburgh at DALSEMI.COM (David Vosburgh) Date: Thu Jan 12 21:19:49 2006 Subject: Real Expectations.. References: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com> Message-ID: <3F58F06A.2090800@dalsemi.com> We have MailScanner/SA/Sophos on a Sun 220R running Solaris 8 with 2x450Mhz and 1GB RAM. Prior to the Sobig-f outbreak two weeks ago the system was comfortably handling about 20-25k messages per day with an infection rate < 1%. The load average was generally between 1 and 2. In the last few days, we have been getting 30-40k messages per day, with an infection rate of about 20%. While the delivery times haven't changed much (still ~3 to 6 seconds), the load average on the system is generally between 3 and 5 now. 
I think we're getting close to the capacity of this system at the current load. Dave Errol Neal wrote: > Hi again.. > > My boss is giving me headaches about the performance of our MailScanners. > What kind of performance should one expect on Sun Solaris 500 mhz sparc > with 512 ram and ide disks running 4.22-4? > I think right now we are pumping out somewhere in the neighborhood of > 300-500 messages per hour. I think that is reasonable for the hardware we > have and these system are dedicated Scanners. > Can someone throw some hardware templates at me based upon their > experiences and give me some numbers? > > > Errol > > Errol Neal, Systems/Network Administrator > eneal@enhtech.com > Enhanced Technologies Inc. > http://www.enhtech.com > 703-924-0301 or 800-368-3249 > 703-924-0302 Fax > From HancockS at MORGANCO.COM Fri Sep 5 21:24:40 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:19:49 2006 Subject: MS, etrust, Exim, and run as root Message-ID: <3EA1A302A4978A4C970D2C63F327156ED54428@worc-mail2.int.morganco.com> Is anyone running Exim, MS, and eTrust? Exim wants to run as mail and etrust inocmd32 must run as root. Any ideas? Part two. What is a simple MTA that runs as root. I'm just using MS as an email gateway. I've install sendmail on a dev box but it's a bit intimidating. Thanks Scott Hanocck From Denis.Beauchemin at USHERBROOKE.CA Fri Sep 5 21:26:34 2003 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:19:49 2006 Subject: Spam actions rules precedence Message-ID: <1062793594.3309.13.camel@dbeauchemin.sti.usherbrooke.ca> Hi, I have a problem with a user that doesn't want to receive any spam message (I usually tag them and send them). 
So I used:

Spam Actions = /etc/MailScanner/rules/spam.action.rules
High Scoring Spam Actions = /etc/MailScanner/rules/spam.action.rules

And /etc/MailScanner/rules/spam.action.rules contains:

To: user1@biblio.usherb.ca store delete
To: user1@courrier.usherb.ca store delete
To: *@courrier.usherb.ca attachment deliver
To: *@biblio.usherb.ca attachment deliver
FromOrTo: Default deliver

User1 received an email that was on my blacklist (log says "is spam
(blacklisted)"). Shouldn't the above rules have dropped it?

Log says "actions are attachment,store,deliver". Looks like it added
them all. I thought it would have used the first one (store delete).

How can I do this? I am running 4.21-9.

Thanks!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 21:30:44 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:49 2006
Subject: MS, etrust, Exim, and run as root
In-Reply-To: <3EA1A302A4978A4C970D2C63F327156ED54428@worc-mail2.int.morganco.com>
References: <3EA1A302A4978A4C970D2C63F327156ED54428@worc-mail2.int.morganco.com>
Message-ID: <200309052030.h85KUm504948@onyx.rockstone.co.uk>

On Friday 05 September 2003 9:24 pm, Hancock, Scott wrote:

> Is anyone running Exim, MS, and eTrust?
>
> Exim wants to run as mail and etrust inocmd32 must run as root.
>
> Any ideas?

sudo in the eTrust wrapper script?

> Part two.
>
> What is a simple MTA that runs as root.

I would suspect none these days. Dropping privilege is such a standard
security measure that I'd be surprised if anything up to date didn't do
it.

Antony.

--

Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.
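On the "sendmail discard subjects" question earlier in this digest: the Subject seen in the qf file is an RFC 2047 encoded-word, so a prefix rule only matches after decoding, and a rule written against the raw form must escape the "?" characters if the rules file is read as regular expressions (an assumption here). The following is an added example, not code from any poster or from MailScanner; the function names are hypothetical and the samples are constructed, with a closing "?=" added to the Subject quoted in the post.

```python
import base64
import re
import unicodedata
from email.errors import HeaderParseError
from email.header import decode_header

# Prefixes taken from the poster's subjects file; "." matches any character,
# as in the post. Reading them as regular expressions is an assumption.
RECEIPT_PREFIX = re.compile(
    r"^\s*(?:read|not.read|gelezen|niet.gelezen|le.do|no.le.do|lidas?)\s*:",
    re.IGNORECASE,
)


def decode_subject(raw):
    """Decode RFC 2047 encoded-words in a raw Subject value to plain text."""
    try:
        parts = decode_header(raw)
    except HeaderParseError:          # malformed base64: match on the raw text
        return raw
    pieces = []
    for data, charset in parts:
        if isinstance(data, bytes):
            try:
                data = data.decode(charset or "ascii", errors="replace")
            except LookupError:       # unknown or bogus charset label
                data = data.decode("latin-1")
        pieces.append(data)
    text = "".join(pieces)
    # Turn control characters (folding CR/LF, NUL, TAB) into spaces and fold
    # compatibility forms such as full-width letters onto their ASCII forms.
    text = "".join(" " if unicodedata.category(c) == "Cc" else c for c in text)
    return unicodedata.normalize("NFKC", text)


def is_receipt(raw):
    """True if the decoded subject starts with a read-receipt prefix."""
    return bool(RECEIPT_PREFIX.match(decode_subject(raw)))


def raw_match(raw):
    """What the same rule sees when applied to the undecoded header value."""
    return bool(RECEIPT_PREFIX.match(raw))


def pattern_hits(pattern, raw):
    """Apply a rule to the raw header as a regex and as an escaped literal."""
    as_regex = re.search(pattern, raw) is not None
    as_literal = re.search(re.escape(pattern), raw) is not None
    return as_regex, as_literal


def b_encode(text, charset="utf-8"):
    """Build a constructed base64 encoded-word for the samples below."""
    payload = base64.b64encode(text.encode(charset)).decode("ascii")
    return "=?%s?B?%s?=" % (charset, payload)


# Constructed sample subjects.
SAMPLES = [
    "Read: blabla subject",
    "=?iso-8859-1?Q?Read=3A_Angaben_f=FCr_Tarragona?=",   # "?=" added here
    b_encode("Not read: hello"),
    b_encode("\uff32\uff45\uff41\uff44\uff1a hello"),     # full-width "Read:"
    "Lunch on Friday",
]


def report(samples=SAMPLES):
    """Return (raw, raw rule hit, decoded rule hit, decoded text) per sample."""
    return [(s, raw_match(s), is_receipt(s), decode_subject(s)) for s in samples]


if __name__ == "__main__":
    for raw, before, after, text in report():
        print("%-55s raw=%-5s decoded=%-5s %r" % (raw, before, after, text))
    # The poster's raw-form rule, read as a regex versus as a literal string.
    print(pattern_hits("=?iso-8859-1?Q?Read=3A_", SAMPLES[1]))
```
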
From damien at MC-KENNA.COM Fri Sep 5 21:46:20 2003
From: damien at MC-KENNA.COM (Damien McKenna)
Date: Thu Jan 12 21:19:49 2006
Subject: MS, etrust, Exim, and run as root
In-Reply-To: <3EA1A302A4978A4C970D2C63F327156ED54428@worc-mail2.int.morganco.com>
References: <3EA1A302A4978A4C970D2C63F327156ED54428@worc-mail2.int.morganco.com>
Message-ID: <200309051646.20357.damien@mc-kenna.com>

On Friday 05 September 2003 04:24 pm, Hancock, Scott wrote:
> Exim wants to run as mail and etrust inocmd32 must run as root.

Recompile exim?
--
Damien McKenna
damien@mc-kenna.com
http://mc-kenna.com/

From dustin.baer at IHS.COM Fri Sep 5 21:34:44 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:19:49 2006
Subject: Sobig.F resurgence
References: <5.1.0.14.0.20030905120818.1018da50@mail.enhtech.com>
Message-ID: <3F58F364.82CC3545@ihs.com>

> >
> >LOCAL_RULESETS
> >
> ># Reject all mail with Sobig subjects.
> >HSubject: $>Check_subject
> >D{Msobig1}That movie
> >D{Msobig2}Wicked screensaver
> >D{Msobig3}Your application
> >D{Msobig4}Approved
> >D{Msobig5}My details
> >D{Msobig6}Details
> >D{Msobig7}Thank you!
> >D{Msobig8}Returned mail: see transcript for details
> >D{Mmsg} Possible Sobig-F Virus - Please change subject
> >
> >SCheck_subject
> >R${Msobig1} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig1} $*	$#error $: 550 ${Mmsg}
> >R${Msobig2} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig2} $*	$#error $: 550 ${Mmsg}
> >R${Msobig3} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig3} $*	$#error $: 550 ${Mmsg}
> >R${Msobig4} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig4} $*	$#error $: 550 ${Mmsg}
> >R${Msobig5} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig5} $*	$#error $: 550 ${Mmsg}
> >R${Msobig6} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig6} $*	$#error $: 550 ${Mmsg}
> >R${Msobig7} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig7} $*	$#error $: 550 ${Mmsg}
> >R${Msobig8} $*	$#error $: 550 ${Mmsg}
> >RRE: ${Msobig8} $*	$#error $: 550 ${Mmsg}
> >
> >
> >This was suggested on the list several days back and has been working very
> >well.
> >May I remind you that the white gaps in text above are tabs and not simply
> >spaces.
> >Run your .mc through m4 and then restart MailScanner.

To anyone who is doing the above:

With all the complaints about how much email traffic is being generated
by virus scanners (thankfully NOT MailScanner) rejecting the SoBig virus
to the spoofed address, why on earth would you want to reject these
subjects? You are creating just as much INCORRECT rejection traffic.

I have the same list with "$#discard $: discard" and I couldn't care
less if someone doesn't get a "Thank you!" or "Re: Thank you!" message
for a few weeks.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From DelislMa at COLLEGESHERBROOKE.QC.CA Fri Sep 5 22:24:13 2003
From: DelislMa at COLLEGESHERBROOKE.QC.CA (Marc Delisle)
Date: Thu Jan 12 21:19:49 2006
Subject: support for SpamAssassin user_scores_dsn
Message-ID: <3F58FEFD.1020103@CollegeSherbrooke.qc.ca>

Hi,

I just installed MailScanner and enjoy it very much!
However, I could not make the user_scores_dsn feature of SpamAssassin
2.55 work. I added the same user_scores_dsn, user_scores_sql_username,
user_scores_sql_password and user_scores_sql_table lines that I had in
my local.cf file, to /opt/MailScanner/etc/spam.assassin.prefs.conf and
restarted MailScanner.

MailScanner.conf contains:

SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf

In this database I have per-user preferences about "required_hits".
Maybe MailScanner is not sending spamassassin the username to do the
lookup?

Thanks.

Marc Delisle
Collège de Sherbrooke (Québec)

From kevins at BMRB.CO.UK Fri Sep 5 22:34:41 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Sobig.F resurgence
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A15@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A15@pascal.priv.bmrb.co.uk>
Message-ID: <1062797682.24760.59.camel@bach.kevinspicer.co.uk>

On Fri, 2003-09-05 at 21:34, Dustin Baer wrote:

>With all the complaints about how much email traffic is being generated
>by virus scanners (thankfully NOT MailScanner) rejecting the SoBig
>virus

Actually that does affect MailScanner if the mailscanner admin has
notify senders on (default until latest version I think) and has not
added Sobig to the silent viruses list.

>to the spoofed address, why on earth would you want to reject these
>subjects? You are creating just as much INCORRECT rejection traffic.

The Sobig virus uses its own SMTP engine to send directly to your server
(unless you're using an ISP's server that you have no control over as a
secondary queueing MX and it hits that first). Therefore rejecting the
message with a 550 error would normally cause the _remote_ MTA to
generate a bounce to the 'sender'. Since in this case that 'remote MTA'
would be the virus itself it is not going to produce a bounce message,
instead just silently ignore the error.
Therefore (with the exception of the case mentioned above) the only time this ruleset should cause someone to receive a bounce from their local MTA is when they have sent a genuine message which happens to use that subject. In this scenario I think it is appropriate to issue a 550 response rather than silently dropping the mail. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From gerry at DORFAM.CA Fri Sep 5 22:37:42 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:19:49 2006 Subject: Missed virus? In-Reply-To: <1062789400.24760.39.camel@bach.kevinspicer.co.uk> Message-ID: On Fri, 5 Sep 2003, Kevin Spicer wrote: > On Fri, 2003-09-05 at 19:27, Antony Stone wrote: > > > I just tested this by taking eicar.com, tar-gzipping it, then > winzipping > > the tgz file, then bzip2-ing the winzip file, and emailing myself the > .bz2 > > file. > > > > Eicar got found by ClamAV, AntiVir and McAfee (which, with the AV > engines I > > run on this mail server, means it got missed by BitDefender, F-Prot, > > Inoculan, Kaspersky and NOD32). > > And of course MailScanner didn't pick up the .com file & block it. > > I performed a test myself, which I hoped would imitate the message which > the original post was about. I created an email with email.com and > eicar.zip attached, then forwarded the email as an attachment to > myself. 
Both Sophos(savi) and Clam picked up both copies of eicar, > whats more MailScanner also blocked the com file. > > This suggests that although the original post's problem message (I > guess) had the original email attached ther was something irregular > about its formatting which prevented MailScanner and Clam from > recognising it as an attached message and treat it as such. > > It would be most interesting to see the source of the original message > (if you still have it Gerry). I have attached the headers for both messages. I'm really confused on this. The first message's attachment in my quarantine directory is only the warning text message put in by MailScanner. It is included as msg-6184-52.txt. The second messsage has an actual virus document_9446.pif stored in the quarantine directory. It didn't bother with attaching this. There seems to be something about the first message that triggered F-Prot and Trend to believe there was a virus in it and MailScanner duly quarantined the txt message...which was nothing but the warning message??? 
-- Gerry "The lyfe so short, the craft so long to learne" Chaucer -------------- next part -------------- From Mailer-Daemon@twista.freelimit.com Fri Sep 5 12:21:13 2003 Return-Path: Received: from localhost (localhost [127.0.0.1]) by tiger.dorfam.ca (8.12.8/8.12.8) with ESMTP id h85GKCv7010242 for ; Fri, 5 Sep 2003 12:20:13 -0400 Received: from pop.bloor.is.net.cable.rogers.com [66.185.95.101] by localhost with POP3 (fetchmail-6.2.0) for bdoris@localhost (single-drop); Fri, 05 Sep 2003 12:20:13 -0400 (EDT) Received: from twista.freelimit.com ([69.57.144.39]) by fep01-mail.bloor.is.net.cable.rogers.com (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP id <20030905161929.NTIY232520.fep01-mail.bloor.is.net.cable.rogers.com@twista.freelimit.com> for ; Fri, 5 Sep 2003 12:19:29 -0400 Received: from mailnull by twista.freelimit.com with local (Exim 4.20) id 19vJJ2-0005O9-7M for bdoris@rogers.com; Fri, 05 Sep 2003 11:19:28 -0500 X-Failed-Recipients: comments@kidschat.ws From: Mail Delivery System To: bdoris@rogers.com Subject: {Virus?} Mail delivery failed: returning message to sender Message-Id: Date: Fri, 05 Sep 2003 11:19:28 -0500 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - twista.freelimit.com X-AntiAbuse: Original Domain - rogers.com X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - X-DORFAM-MailScanner-Info: Contact postmaster@dorfam.ca X-DORFAM-MailScanner: Found to be infected X-DORFAM-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.1, required 7, BAYES_30, LARGE_HEX, MAILER_DAEMON, UPPERCASE_25_50) X-IMAPbase: 1062795648 3 Status: RO X-Status: X-Keywords: X-UID: 1 Warning: This message has had one or more attachments removed Warning: (the entire message). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. 
This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "the entire message" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Fri Sep 5 12:21:12 2003 the virus scanner said: F-Prot: msg-6184-52.txt->document_all.pif Infection: W32/Sobig.F@mm Trend: Found virus WORM_SOBIG.F in file msg-6184-52.txt Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine/20030905 (message h85GKCv7010242). -- Postmaster Mailscanner thanks transtec Computers for their support From 7UIfBBLy6@compuserve.com Fri Sep 5 12:30:26 2003 Return-Path: <7UIfBBLy6@compuserve.com> Received: from localhost (localhost [127.0.0.1]) by tiger.dorfam.ca (8.12.8/8.12.8) with ESMTP id h85GUEv7010704 for ; Fri, 5 Sep 2003 12:30:17 -0400 Received: from pop.bloor.is.net.cable.rogers.com [66.185.95.101] by localhost with POP3 (fetchmail-6.2.0) for bdoris@localhost (single-drop); Fri, 05 Sep 2003 12:30:17 -0400 (EDT) Received: from SILVERTH-ULL7ZO ([24.42.1.205]) by fep01-mail.bloor.is.net.cable.rogers.com (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP id <20030905162802.OJON232520.fep01-mail.bloor.is.net.cable.rogers.com@SILVERTH-ULL7ZO> for ; Fri, 5 Sep 2003 12:28:02 -0400 From: <7UIfBBLy6@compuserve.com> To: Subject: {Virus?} {Spam?} Your details Date: Fri, 5 Sep 2003 12:28:08 --0400 X-MailScanner: Found to be clean Importance: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MSMail-Priority: Normal X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="_NextPart_000_013A03D1" Message-Id: 
<20030905162802.OJON232520.fep01-mail.bloor.is.net.cable.rogers.com@SILVERTH-ULL7ZO> X-DORFAM-MailScanner-Info: Contact postmaster@dorfam.ca X-DORFAM-MailScanner: Found to be infected X-DORFAM-MailScanner-SpamCheck: spam, SpamAssassin (score=10.6, required 7, DATE_IN_PAST_03_06, DCC_CHECK, FORGED_MUA_OUTLOOK, FROM_HAS_MIXED_NUMS, INVALID_DATE, MICROSOFT_EXECUTABLE, MIME_BOUND_NEXTPART, MISSING_MIMEOLE, NO_REAL_NAME, PYZOR_CHECK, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK) Status: RO X-Status: X-Keywords: X-UID: 2 This is a multipart message in MIME format --_NextPart_000_013A03D1 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Warning: This message has had one or more attachments removed Warning: (document_9446.pif). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. Please see the attached file for details. --_NextPart_000_013A03D1 Content-Type: text/plain; charset="us-ascii"; name="VirusWarning.txt" Content-Disposition: attachment; filename="VirusWarning.txt" Content-Transfer-Encoding: quoted-printable This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "document_9446.pif" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. 
At Fri Sep 5 12:30:25 2003 the virus scanner said: ClamAV: document_9446.pif contains Worm.Sobig.F=20 F-Prot: document_9446.pif Infection: W32/Sobig.F@mm Trend: Found virus WORM_SOBIG.F in file document_9446.pif MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (d= ocument_9446.pif) No programs allowed (document_9446.pif) Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quaran= tine/20030905 (message h85GUEv7010704). --=20 Postmaster Mailscanner thanks transtec Computers for their support -------------- next part -------------- Warning: This message has had one or more attachments removed Warning: (the entire message). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "the entire message" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Fri Sep 5 12:21:12 2003 the virus scanner said: F-Prot: msg-6184-52.txt->document_all.pif Infection: W32/Sobig.F@mm Trend: Found virus WORM_SOBIG.F in file msg-6184-52.txt Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine/20030905 (message h85GKCv7010242). -- Postmaster Mailscanner thanks transtec Computers for their support From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 5 22:44:13 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:49 2006 Subject: Missed virus? 
In-Reply-To:
References:
Message-ID: <200309052144.h85LiK505220@onyx.rockstone.co.uk>

On Friday 05 September 2003 10:37 pm, Gerry Doris wrote:

> On Fri, 5 Sep 2003, Kevin Spicer wrote:
> > It would be most interesting to see the source of the original message
> > (if you still have it Gerry).
> I have attached the headers for both messages.

I was hoping to see the headers for the original incoming message,
rather than the 'cleaned' version sent on by MailScanner.

I guess those headers have disappeared now?

Ho Hum....

Antony.

--

In science, one tries to tell people in such a way as to be understood
by everyone something that no-one ever knew before. In poetry, it is the
exact opposite.

 - Paul Dirac

From kevins at BMRB.CO.UK Fri Sep 5 22:46:33 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Spam actions rules precedence
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A12@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A12@pascal.priv.bmrb.co.uk>
Message-ID: <1062798394.24760.69.camel@bach.kevinspicer.co.uk>

On Fri, 2003-09-05 at 21:26, Denis Beauchemin wrote:

>User1 received an email that was on my blacklist (log says "is spam
>(blacklisted)". Shouldn't the above rules have dropped it?

Say user1 is user1@biblio.usherb.ca then the following rules match

To: user1@biblio.usherb.ca store delete
To: *@biblio.usherb.ca attachment deliver

>Log says "actions are attachment,store,deliver". Looks like it added
>them all. I thought it would have used the first one (store delete).

That would be correct - obviously it can't delete and deliver the same
mail.

>How can I do this? I am running 4.21-9.

I think Julian recently implemented some way of giving certain rules
precedence, but I can't find it documented in the distribution. If it's
there you'll need the latest version. (Search the archives for Julian's
post).

You will have to consider what happens when a mail arrives that is
destined for user1 and a.n.other.
How the rules resolve in this case. There's been some discussion about
methods to split messages to achieve one mail per recipient on various
MTAs but this might create too much load.

My personal preference is to educate users on filtering their mailboxes
using the X-MailScanner-SpamScore header.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have
received this in error, please contact the sender and delete this
message immediately. Disclosure, copying or other action taken in
respect of this email or in reliance on it is prohibited. BMRB
International Limited accepts no liability in relation to any personal
emails, or content of any email which does not directly relate to our
business.

From kevins at BMRB.CO.UK Fri Sep 5 22:57:07 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: MS, etrust, Exim, and run as root
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A11@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A11@pascal.priv.bmrb.co.uk>
Message-ID: <1062799028.24761.80.camel@bach.kevinspicer.co.uk>

On Fri, 2003-09-05 at 21:24, Hancock, Scott wrote:

>Exim wants to run as mail and etrust inocmd32 must run as root.
>Any ideas?

ls -l /path/to/inocmd32 > some-file   # In case it doesn't work & you
                                      # want to change it back!
groupadd -g some-unused-group-number-lower-than-500 etrust
usermod -G etrust mail
chown root:etrust /path/to/inocmd32
chmod 4750 /path/to/inocmd32

(Whilst SUID isn't often a good idea this at least restricts it to only
the one user.)
BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have
received this in error, please contact the sender and delete this
message immediately. Disclosure, copying or other action taken in
respect of this email or in reliance on it is prohibited. BMRB
International Limited accepts no liability in relation to any personal
emails, or content of any email which does not directly relate to our
business.

From kevins at BMRB.CO.UK Fri Sep 5 23:07:15 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: support for SpamAssassin user_scores_dsn
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A16@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A16@pascal.priv.bmrb.co.uk>
Message-ID: <1062799636.24760.88.camel@bach.kevinspicer.co.uk>

On Fri, 2003-09-05 at 22:24, Marc Delisle wrote:

>In this database I have per-user preferences about "required_hits".
>Maybe MailScanner is not sending spamassassin the username
>to do the lookup?

MailScanner doesn't know the username, it only knows the email address
and has no concept of whether the address relates to a user on the
current machine (that's left to sendmail's rulesets). Also remember
(unless you've configured otherwise) MailScanner processes incoming mail
as is, therefore you will often get one mail addressed to several
recipients which only goes through MS and SA once.

If you want to do per-user stuff with SA you'll need to run it through
procmail instead, which takes effect at the local delivery stage when
the mail has been split by recipient. If it's only scores you want to
check you could write a procmail recipe that checks the
X-MailScanner-SpamScore header (if necessary processing each mail
through a small script which looks up the score in your database).
BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at LISTS.COM.AR Fri Sep 5 23:14:32 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:49 2006 Subject: Spanish translations update Message-ID: <3F58E098.23888.2230EF6@localhost> Hi Julian, I'm attaching an archive with revised Spanish report files. These are based on the 4.23-11 release version. I did a little bit of editing, changed some MIME headers, added the "transtec Computers" thanx message, eliminated some accented characters that sometimes are badly encoded, etc. Would you be so kind to put these in the next release? TIA. -- Mariano Absatz El Baby ---------------------------------------------------------- Computers are only human. -------------- next part -------------- A non-text attachment was scrubbed... Name: MS-4.23-11-new_es_reports.tgz Type: application/octet-stream Size: 4774 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/12aca604/MS-4.23-11-new_es_reports.obj From chris at TRUDEAU.ORG Sat Sep 6 00:15:11 2003 From: chris at TRUDEAU.ORG (Chris Trudeau-Personal) Date: Thu Jan 12 21:19:49 2006 Subject: {File Violation} Spanish translations update References: <3F58E098.23888.2230EF6@localhost> Message-ID: <00ea01c37403$8e533ed0$23c8a8c0@SERV> Uhhh.....don't send archive files as attachments to the list. 
I'm sure I'm not the only one that fired an illegal attachment warning in response to your post. CT ----- Original Message ----- From: "Mariano Absatz" To: Sent: Friday, September 05, 2003 6:14 PM Subject: {DefendMail File Violation} Spanish translations update > Warning: This message has had one or more attachments removed > Warning: (MS-4.23-11-new_es_reports.tgz). > Warning: Please read the "DefendMail_ATTACHMENT_Warning.txt" attachment(s) for more information. > > Hi Julian, > > I'm attaching an archive with revised Spanish report files. > > These are based on the 4.23-11 release version. > > I did a little bit of editing, changed some MIME headers, added the "transtec > Computers" thanx message, eliminated some accented characters that sometimes > are badly encoded, etc. > > Would you be so kind to put these in the next release? > > TIA. > > -- > Mariano Absatz > El Baby > ---------------------------------------------------------- > Computers are only human. > > > From mike at CAMAROSS.NET Sat Sep 6 00:23:01 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:49 2006 Subject: {File Violation} Spanish translations update In-Reply-To: <00ea01c37403$8e533ed0$23c8a8c0@SERV> Message-ID: <004301c37404$a67ee0d0$640ba8c0@home.middlefinger.net> It didn't go off over here. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Trudeau-Personal Sent: Friday, September 05, 2003 6:15 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: {File Violation} Spanish translations update Uhhh.....don't send archive files as attachments to the list. I'm sure I'm not the only one that fired an illegal attachment warning in response to your post. 
CT ----- Original Message ----- From: "Mariano Absatz" To: Sent: Friday, September 05, 2003 6:14 PM Subject: {DefendMail File Violation} Spanish translations update > Warning: This message has had one or more attachments removed > Warning: (MS-4.23-11-new_es_reports.tgz). > Warning: Please read the "DefendMail_ATTACHMENT_Warning.txt" > attachment(s) for more information. > > Hi Julian, > > I'm attaching an archive with revised Spanish report files. > > These are based on the 4.23-11 release version. > > I did a little bit of editing, changed some MIME headers, added the "transtec > Computers" thanx message, eliminated some accented characters that sometimes > are badly encoded, etc. > > Would you be so kind to put these in the next release? > > TIA. > > -- > Mariano Absatz > El Baby > ---------------------------------------------------------- > Computers are only human. > > > From Antony at SOFT-SOLUTIONS.CO.UK Sat Sep 6 00:20:57 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:49 2006 Subject: {File Violation} Spanish translations update In-Reply-To: <00ea01c37403$8e533ed0$23c8a8c0@SERV> References: <3F58E098.23888.2230EF6@localhost> <00ea01c37403$8e533ed0$23c8a8c0@SERV> Message-ID: <200309052321.h85NL2505578@onyx.rockstone.co.uk> On Saturday 06 September 2003 12:15 am, Chris Trudeau-Personal wrote: > Uhhh.....don't send archive files as attachments to the list. Why not? The standard file extension messages tell people that if their attachment got blocked, they should zip it and try again - because most people allow zip files (.zip, .gz, .tgz, .bz2 etc) through their MailScanners. > I'm sure I'm not the only one that fired an illegal attachment warning in > response to your post. No problem here - I think this will be petty rare. Antony. -- Ramdisk is not an installation procedure. 
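The permission scheme proposed in Kevin Spicer's reply in the "MS, etrust, Exim, and run as root" thread above (scanner binary owned by root, setuid, mode 4750, with a dedicated group whose only member is the MTA account) can be checked mechanically after it is set up. The following is an added example, not code from any poster; the function names are hypothetical, and the path, group and account to check are whatever the local installation uses.

```python
import grp
import os
import stat


def audit_setuid_helper(mode, uid, gid, trusted_gid):
    """Check stat values against the scheme: regular file, owned by root,
    setuid, mode 4750, group set to the one dedicated group."""
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not a regular file (symlink or special file)")
    if uid != 0:
        findings.append("owner is uid %d, not root: setuid will not give root" % uid)
    if not mode & stat.S_ISUID:
        findings.append("setuid bit missing: helper runs as the caller")
    if gid != trusted_gid:
        findings.append("group is gid %d, expected dedicated gid %d" % (gid, trusted_gid))
    if mode & stat.S_IRWXO:
        findings.append("world bits set: any local user can reach the setuid binary")
    if mode & stat.S_IWGRP:
        findings.append("group-writable: group members can replace code that runs as root")
    if mode & stat.S_ISGID:
        findings.append("setgid bit also set: not part of the 4750 scheme")
    return findings


def audit_group_members(members, allowed):
    """Return accounts in the dedicated group that should not be there.
    Only supplementary members are listed; accounts that have the group as
    their primary group must be checked in the passwd database."""
    return sorted(set(members) - set(allowed))


def audit_path(path, trusted_gid, allowed_members=("mail",)):
    """Audit a real file; lstat is used so a symlink is reported, not followed."""
    st = os.lstat(path)
    findings = audit_setuid_helper(st.st_mode, st.st_uid, st.st_gid, trusted_gid)
    # A directory others can write to (without the sticky bit) lets them
    # swap the binary for something else.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    loose = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if loose and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is writable by group or others")
    try:
        extra = audit_group_members(grp.getgrgid(trusted_gid).gr_mem, allowed_members)
    except KeyError:
        findings.append("gid %d has no entry in the group database" % trusted_gid)
    else:
        for name in extra:
            findings.append("unexpected member of dedicated group: %s" % name)
    return findings


if __name__ == "__main__":
    # Constructed stat values: gid 450 stands in for the dedicated group.
    for label, mode in (("4750", 0o4750), ("4755", 0o4755), ("0750", 0o0750)):
        print(label, audit_setuid_helper(stat.S_IFREG | mode, 0, 450, 450))
```

Note that `usermod -G` sets the account's whole supplementary group list, so check which groups the MTA account already belongs to before running it.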
From steve.douglas at SBIINCORPORATED.COM Sat Sep 6 01:02:55 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:49 2006 Subject: ANNOUNCE: Stable 4.23-11 released Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FCC1@mail.gardenbotanika.com> Thank you, Julian. I have completed the upgrade and followed as you suggested. I am finally out of the woodwork from all indications. SD :-) > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, September 02, 2003 5:07 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: Stable 4.23-11 released > > Just follow the instructions, and don't forget to run > upgrade_MailScanner_conf to do the hard work for you. > > At 17:32 02/09/2003, you wrote: > >I have not yet ever performed an update. I am using 4.22.xx on RedHat v9 > >via RPM with the latest f-prot. I know there is an entry on just > performing > >the RPM update, but is there anything you might recommend on the side > that I > >back first and an extra precaution before running the new RPM? > > > >I already have the rules and .conf files backed up. Thank you. > > > >SD > >:-) > > > > > > > -----Original Message----- > > > From: Brett Moss [mailto:bamcomp@YAHOO.COM] > > > Sent: Monday, September 01, 2003 7:22 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: ANNOUNCE: Stable 4.23-11 released > > > > > > hello again, > > > sorry but i had forgot to change the mcafee-wrapper > > > from rpmnew > > > this is what happens when working between 2 and 5 am i > > > guess > > > thanks again > > > brett > > > > > > > i am unable to find an -I switch > > > > > > > > -I: invalid switch or incorrect usage > > > > > > > > > > > > __________________________________ > > > Do you Yahoo!? > > > Yahoo! 
SiteBuilder - Free, easy-to-use web site design software > > > http://sitebuilder.yahoo.com > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From vernon at COMP-WIZ.COM Sat Sep 6 03:01:30 2003 From: vernon at COMP-WIZ.COM (Vernon Webb) Date: Thu Jan 12 21:19:49 2006 Subject: Spamassain Message-ID: <20030906015827.M72029@comp-wiz.com> Anyone know of any problems with using the latest version of Spamassain and MailScanner? I've finally figured out that my problem is when I enable "Use Spamassain" The minute an email is received when it is on MailScanner crashes out. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030905/83456acb/attachment.html From mike at CAMAROSS.NET Sat Sep 6 04:31:58 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:49 2006 Subject: Spamassain In-Reply-To: <20030906015827.M72029@comp-wiz.com> Message-ID: <000a01c37427$6dca58f0$640ba8c0@home.middlefinger.net> I've been using 2.60 for quite some time with no issues. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Vernon Webb Sent: Friday, September 05, 2003 9:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spamassain Anyone know of any problems with using the latest version of Spamassain and MailScanner? I've finally figured out that my problem is when I enable "Use Spamassain" The minute an email is received when it is on MailScanner crashes out. Thanks From vanhorn at whidbey.com Sat Sep 6 04:37:41 2003 From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Thu Jan 12 21:19:49 2006 Subject: F-prot revisited References: <200309031917.h83JHUr02416@ori.rl.ac.uk> Message-ID: <3F595685.E640944B@whidbey.com> Alan Fiebig wrote: > The product works great, and is very cost effective. 
> The license will run you around $129 per year, and for that price you get a license to install the product on any 5 hosts, including Windows and Linux servers, workstations, PocketPC PDAs, Groupwise servers, Exchange servers; all versions are included in the box. The 5 node license is the smallest they sell, but at $129 total, I think that's a very good price compared to what I was looking at.

Based on your comments, I went looking for the product. I found http://www.my-etrust.com/ and browsed around a bit, even asked "Sammy" about Linux, but didn't see a trace of anything but Windows software. If I buy the five-pack, is there a Linux version in there somewhere, or can you post a URL that gets to the Linux version?

I plan to continue running f-prot and ClamAV, but at this price I have no hesitation to add eTrust. I still won't bother putting it on my Windows workstation, Windows is slow enough without an AV product running!

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD
For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/
----------------------------------------------------------

From errol.neal at ENHTECH.COM Sat Sep 6 04:06:17 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:49 2006
Subject: Specifying a rule set correctly.
Message-ID: <1062817577.3f594f292e6a3@webmail.resume.com>

Hi all,

I need to correctly understand how the queue deliver method works and how to specify a ruleset so I can use batch for all other domains besides those that I specify. I want to set the method to queue for several domains. How do I do this properly? This is what I have so far..
To: @enhtech.com queue
To: @resume.com queue

And of course, I have specified the file name where I store the rule sets in the MailScanner.conf like so:

Delivery Method = /opt/MailScanner/etc/rules/delivery.method.rules

Okay, now for my understanding. If mailscanner has a batch of 100 messages and message number 52 in that batch is a clean message to enhtech.com, will that message be dropped in the queue immediately?

Errol

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From mike at CAMAROSS.NET Sat Sep 6 05:00:14 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:49 2006
Subject: Specifying a rule set correctly.
In-Reply-To: <1062817577.3f594f292e6a3@webmail.resume.com>
Message-ID: <001301c3742b$60c4ecc0$640ba8c0@home.middlefinger.net>

What are you trying to achieve? Faster delivery or what?

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Errol Neal
Sent: Friday, September 05, 2003 10:06 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Specifying a rule set correctly.

Hi all,

I need to correctly understand how the queue deliver method works and how to specify a ruleset so I can use batch for all other domains besides those that I specify. I want to set the method to queue for several domains. How do I do this properly? This is what I have so far..

To: @enhtech.com queue
To: @resume.com queue

And of course, I have specified the file name where I store the rule sets in the MailScanner.conf like so:

Delivery Method = /opt/MailScanner/etc/rules/delivery.method.rules

Okay, now for my understanding. If mailscanner has a batch of 100 messages and message number 52 in that batch is a clean message to enhtech.com, will that message be dropped in the queue immediately?
Errol

From mike at ZANKER.ORG Sat Sep 6 08:05:31 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:19:49 2006
Subject: {File Violation} Spanish translations update
In-Reply-To: <004301c37404$a67ee0d0$640ba8c0@home.middlefinger.net>
References: <004301c37404$a67ee0d0$640ba8c0@home.middlefinger.net>
Message-ID: <140826031.1062835531@jemima.zanker.org>

On 05 September 2003 18:23 -0500 Mike Kercher wrote:

> It didn't go off over here.

It caused a whole load of error messages to be logged here, e.g.

Sep 5 23:15:02 mallard MailScanner[30596]: es/sender.mcp.report.txt
Sep 5 23:15:02 mallard MailScanner[30596]: ProcessClamAVOutput: unrecognised line "es/sender.mcp.report.txt". Please contact the authors!

Mike.

From kevins at BMRB.CO.UK Sat Sep 6 09:13:30 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A23@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A23@pascal.priv.bmrb.co.uk>
Message-ID: <1062836011.24760.107.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 03:01, Vernon Webb wrote:
>Anyone know of any problems with using the latest version of SpamAssassin
>and MailScanner?
>I've finally figured out that my problem is when I enable "Use
>>crashes out. Thanks

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited.
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From kevins at BMRB.CO.UK Sat Sep 6 09:15:04 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A23@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A23@pascal.priv.bmrb.co.uk>
Message-ID: <1062836105.24761.110.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 03:01, Vernon Webb wrote:
>Anyone know of any problems with using the latest version of SpamAssassin
>and MailScanner?

No, but if you're using 2.60 from the nightly CVS snapshots it may be worth downloading again, in case the particular snapshot you grabbed was broken. If you still have problems downgrade to 2.55.
From kevins at BMRB.CO.UK Sat Sep 6 09:17:00 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:49 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A29@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A29@pascal.priv.bmrb.co.uk>
Message-ID: <1062836221.24761.113.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 09:13, Spicer, Kevin wrote:
>On Sat, 2003-09-06 at 03:01, Vernon Webb wrote:
>>Anyone know of any problems with using the latest version of SpamAssassin
>>and MailScanner?
>>I've finally figured out that my problem is when I enable "Use
>>crashes out.
>Thanks

Oops, accidentally hit the shortcut for 'send' there! Sorry.

From DelislMa at COLLEGESHERBROOKE.QC.CA Sat Sep 6 13:50:43 2003
From: DelislMa at COLLEGESHERBROOKE.QC.CA (Marc Delisle)
Date: Thu Jan 12 21:19:49 2006
Subject: support for SpamAssassin user_scores_dsn
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A16@pascal.priv.bmrb.co.uk> <1062799636.24760.88.camel@bach.kevinspicer.co.uk>
Message-ID: <3F59D823.7060305@CollegeSherbrooke.qc.ca>

Kevin Spicer wrote:

> On Fri, 2003-09-05 at 22:24, Marc Delisle wrote:
>
>
>>In this database I have per-user preferences about "required_hits".
>>Maybe MailScanner is not sending spamassassin the username
>>to do the lookup?
>
>
> MailScanner doesn't know the username, it only knows the email address
> and has no concept of whether the address relates to a user on the
> current machine (that's left to sendmail's rulesets). Also remember
> (unless you've configured otherwise) MailScanner processes incoming mail
> as is, therefore you will often get one mail addressed to several
> recipients which only goes through MS and SA once. If you want to do
> per-user stuff with SA you'll need to run it through procmail instead,
> which takes effect at the local delivery stage when the mail has been
> split by recipient.
>
> If it's only scores you want to check you could write a procmail recipe
> that checks the X-MailScanner-SpamScore header (if necessary processing
> each mail through a small script which looks up the score in your
> database).

Thanks Kevin,

I just noticed in http://au2.spamassassin.org/full/2.5x/dist/sql/README that "you must be running spamc/spamd in order for this to work".

I understand that sometimes there are several recipients, however in practice most often there is one recipient, and I can relate this recipient to a local user, so per-user stuff was useful for me before I started using MailScanner (I used spamd and a milter).

I would have preferred not having to learn procmail (I would have to code the lookup and the headers rewriting) and instead rely on MailScanner (which maybe could talk to spamd, is this planned?).

Marc Delisle

From chris at TRUDEAU.ORG Sat Sep 6 14:47:05 2003
From: chris at TRUDEAU.ORG (Chris Trudeau-Personal)
Date: Thu Jan 12 21:19:49 2006
Subject: {File Violation} Spanish translations update
References: <3F58E098.23888.2230EF6@localhost> <00ea01c37403$8e533ed0$23c8a8c0@SERV> <200309052321.h85NL2505578@onyx.rockstone.co.uk>
Message-ID: <017901c3747d$5c4e8690$23c8a8c0@SERV>

well then...the standard file extensions messages should be changed (as have mine)...

Anyone remember MIMAIL?
that was a zip/archive and with 4-8 hours between release and signature updates (depending on the AV company) there was a significant infection that filename/type rules missed because we all thought ZIP files were ok...

CT

----- Original Message -----
From: "Antony Stone"
To:
Sent: Friday, September 05, 2003 7:20 PM
Subject: Re: {File Violation} Spanish translations update

> On Saturday 06 September 2003 12:15 am, Chris Trudeau-Personal wrote:
>
> > Uhhh.....don't send archive files as attachments to the list.
>
> Why not? The standard file extension messages tell people that if their
> attachment got blocked, they should zip it and try again - because most
> people allow zip files (.zip, .gz, .tgz, .bz2 etc) through their MailScanners.
>
> > I'm sure I'm not the only one that fired an illegal attachment warning in
> > response to your post.
>
> No problem here - I think this will be pretty rare.
>
> Antony.
>
> --
>
> Ramdisk is not an installation procedure.

From Antony at SOFT-SOLUTIONS.CO.UK Sat Sep 6 15:03:10 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:50 2006
Subject: {File Violation} Spanish translations update
In-Reply-To: <017901c3747d$5c4e8690$23c8a8c0@SERV>
References: <3F58E098.23888.2230EF6@localhost> <200309052321.h85NL2505578@onyx.rockstone.co.uk> <017901c3747d$5c4e8690$23c8a8c0@SERV>
Message-ID: <200309061403.h86E3F508760@onyx.rockstone.co.uk>

On Saturday 06 September 2003 2:47 pm, Chris Trudeau-Personal wrote:

> > On Saturday 06 September 2003 12:15 am, Chris Trudeau-Personal wrote:
> > > Uhhh.....don't send archive files as attachments to the list.
> >
> > Why not? The standard file extension messages tell people that if their
> > attachment got blocked, they should zip it and try again - because most
> > people allow zip files (.zip, .gz, .tgz, .bz2 etc) through their
> > MailScanners.

> well then...the standard file extensions messages should be changed (as
> have mine)...
In which case, how do you recommend legitimate users send, for example, a .exe file to each other if you block the .exe and also any compressed archive they might put it into?

My recommendation is to send such things in a password-protected zip, so that there has to be a deliberate action by the recipient to get access to the file inside the zip - they can't just open it "by accident". That won't work if you simply block all zips though.

Antony.

--

This email was created using 100% recycled electrons.

From chris at TRUDEAU.ORG Sat Sep 6 15:31:08 2003
From: chris at TRUDEAU.ORG (Chris Trudeau-Personal)
Date: Thu Jan 12 21:19:50 2006
Subject: {File Violation} Spanish translations update
References: <3F58E098.23888.2230EF6@localhost> <200309052321.h85NL2505578@onyx.rockstone.co.uk> <017901c3747d$5c4e8690$23c8a8c0@SERV> <200309061403.h86E3F508760@onyx.rockstone.co.uk>
Message-ID: <01db01c37483$842438d0$23c8a8c0@SERV>

> In which case, how do you recommend legitimate users send, for example, a
> .exe file to each other if you block the .exe and also any compressed archive
> they might put it into?

I suggest to my users that they use FTP, SSH, HTTP or some other means of providing a file that violates my policy. If this is not doable for them and they require exe and archives I allow it and make them request it in writing.

I have done some in depth statistical analysis on executables and archive files. There are very few of them used, and a LARGE percentage of those that are used end up infected with a virus. I simply think it makes more sense to err on the side of caution.

> My recommendation is to send such things in a password-protected zip, so that
> there has to be a deliberate action by the recipient to get access to the
> file inside the zip - they can't just open it "by accident". That won't
> work if you simply block all zips though.
There are commercial versions of content scanning solutions that will actually open the archive and scan the contents, which in the case of MIMAIL would have been enough as its payload was an executable. Your practice of allowing password-protection offers half of the solution using these systems, because the archive has to be encrypted for the contents not to be viewable to these scanners...thus the archive would have to be password-protected and encrypted.

In addition, perhaps I allow .zip files...because they can be password protected...but the one that was sent to the list was neither a .zip OR password protected...so...again...I prefer to err on the side of caution to protect my users.

my only point was that a mailing list is likely not the right place to send archives attached to emails. Especially one that many people probably have whitelisted for SPAM anyway. As I pointed out, I assumed I wasn't the only user of this list who has archives turned on...and simply advised against using the list as a distribution point for potentially harmful attachments.

CT

> Antony.
>
> --
>
> This email was created using 100% recycled electrons.

From kevins at BMRB.CO.UK Sat Sep 6 15:25:31 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: support for SpamAssassin user_scores_dsn
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A2C@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A2C@pascal.priv.bmrb.co.uk>
Message-ID: <1062858332.24760.129.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 13:50, Marc Delisle wrote:
>I would have preferred not having to learn procmail (I would have to
>code the lookup and the headers rewriting) and instead rely on
>MailScanner

I didn't make it clear that procmail will only work if your users have their mail accounts on the machine, which I should have done (I assumed that because you previously used SA you did this through procmail - which was clearly wrong).
In my experience a good deal of the spam at my site is addressed to multiple local recipients (certainly that which I receive is)

>MailScanner (which maybe could talk to spamd, is this planned)

No, and frankly I doubt it ever will be. MailScanner talks to SA using SA's API which is the best way to do it.

One further option (involving a little coding) is to configure your MTA to split messages into one recipient per message (note this has potential performance implications) and then write a Custom Config function which pulls the score for the user from your database. Then make Required SpamAssassin Score and/or High SpamAssassin Score point to your function. I imagine this would be quite simple to do.

From raymond at PROLOCATION.NET Sat Sep 6 15:35:47 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:50 2006
Subject: support for SpamAssassin user_scores_dsn
In-Reply-To: <1062858332.24760.129.camel@bach.kevinspicer.co.uk>
Message-ID:

Hi!

> I didn't make it clear that procmail will only work if your users have
> their mail accounts on the machine, which I should have done (I assumed
> that because you previously used SA you did this through procmail -
> which was clearly wrong).
> In my experience a good deal of the spam at
> my site is addressed to multiple local recipients (certainly that which
> I receive is)

If you are using sendmail it's possible to split that so it will work perfectly. This is also in the FAQ ...

Bye,
Raymond.

From mike at CAMAROSS.NET Sat Sep 6 15:46:45 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:50 2006
Subject: {File Violation} Spanish translations update
In-Reply-To: <01db01c37483$842438d0$23c8a8c0@SERV>
Message-ID: <002901c37485$b1f82d50$640ba8c0@home.middlefinger.net>

Ugh...I have WAY too many users that can't even spell FTP ...much less use it!

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Trudeau-Personal
Sent: Saturday, September 06, 2003 9:31 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: {File Violation} Spanish translations update

> In which case, how do you recommend legitimate users send, for
> example, a .exe file to each other if you block the .exe and also any
> compressed archive
> they might put it into?

I suggest to my users that they use FTP, SSH, HTTP or some other means of providing a file that violates my policy. If this is not doable for them and they require exe and archives I allow it and make them request it in writing.

I have done some in depth statistical analysis on executables and archive files. There are very few of them used, and a LARGE percentage of those that are used end up infected with a virus. I simply think it makes more sense to err on the side of caution.

> My recommendation is to send such things in a password-protected zip,
> so that
> there has to be a deliberate action by the recipient to get access to the
> file inside the zip - they can't just open it "by accident". That won't
> work if you simply block all zips though.
There are commercial versions of content scanning solutions that will actually open the archive and scan the contents, which in the case of MIMAIL would have been enough as its payload was an executable. Your practice of allowing password-protection offers half of the solution using these systems, because the archive has to be encrypted for the contents not to be viewable to these scanners...thus the archive would have to be password-protected and encrypted.

In addition, perhaps I allow .zip files...because they can be password protected...but the one that was sent to the list was neither a .zip OR password protected...so...again...I prefer to err on the side of caution to protect my users.

my only point was that a mailing list is likely not the right place to send archives attached to emails. Especially one that many people probably have whitelisted for SPAM anyway. As I pointed out, I assumed I wasn't the only user of this list who has archives turned on...and simply advised against using the list as a distribution point for potentially harmful attachments.

CT

> Antony.
>
> --
>
> This email was created using 100% recycled electrons.

From vernon at COMP-WIZ.COM Sat Sep 6 16:00:59 2003
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <1062836105.24761.110.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A23@pascal.priv.bmrb.co.uk> <1062836105.24761.110.camel@bach.kevinspicer.co.uk>
Message-ID: <20030906150006.M92083@comp-wiz.com>

> No, but if you're using 2.60 from the nightly CVS snapshots it may be
> worth downloading again, in case the particular snapshot you grabbed was
> broken. If you still have problems downgrade to 2.55.

I've tried both and each time I set it to yes and restart MailScanner, MailScanner fails. :(
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030906/6438c063/attachment.html

From kevins at BMRB.CO.UK Sat Sep 6 17:32:52 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A33@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A33@pascal.priv.bmrb.co.uk>
Message-ID: <1062865988.21420.7.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 16:00, Vernon Webb wrote:
>> No, but if you're using 2.60 from the nightly CVS snapshots it may be
>> worth downloading again, in case the particular snapshot you grabbed was
>> broken. If you still have problems downgrade to 2.55.
>I've tried both and each time I set it to yes and restart MailScanner,
>MailScanner fails. :(

You don't say which MTA you're using. If you use an MTA that runs as a user other than root make sure that user has a real home directory (SA writes into the home directory of the user that calls it).

How did you install SA? tar/ rpm / CPAN?

If you did it any other way than from the tarball uninstall and build the tarball. Make sure make test works (warning, it takes forever!) - don't worry if the spamd tests fail.

Make sure SA works from the command line (spamassassin -D --lint)

Make sure SA works from the command line using the MailScanner spam.assassin.prefs.conf file (spamassassin -D --lint --config-file=/etc/MailScanner/spam.assassin.prefs.conf)

If you're running your MTA as another user su to that user and try the command above again.

From vernon at COMP-WIZ.COM Sat Sep 6 18:26:43 2003
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <1062865988.21420.7.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A33@pascal.priv.bmrb.co.uk> <1062865988.21420.7.camel@bach.kevinspicer.co.uk>
Message-ID: <20030906172004.M13077@comp-wiz.com>

> You don't say which MTA you're using. If you use an MTA that runs as a
> user other than root make sure that user has a real home directory (SA
> writes into the home directory of the user that calls it).

I'm running sendmail on a RedHat 9.0 Box

> How did you install SA? tar/ rpm / CPAN?

Using the rpm.

> If you did it any other way than from the tarball uninstall and build
> the tarball. Make sure make test works (warning, it takes forever!) -
> don't worry if the spamd tests fail.

That was the first thing I tried and when I used the Makefile.PL I got the following error:

Warning: I could not locate your pod2man program. Please make sure,
         your pod2man program is in your PATH before you execute 'make'

When I attempted a lookup of this problem on Google I found that the Perl uses something or other that needed to be changed in /etc/sysconfig/i18n from LANG="en_US.UTF-8" to LANG="en_US" but this did not help at all.

So I'm unable to install from the tarball.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030906/5ecade62/attachment.html

From raymond at PROLOCATION.NET Sat Sep 6 18:37:12 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <20030906172004.M13077@comp-wiz.com>
Message-ID:

Hi!

> I'm running sendmail on a RedHat 9.0 Box
>
> > How did you install SA? tar/ rpm / CPAN?

Please install via source or CPAN. RPM is known to give trouble.

> That was the first thing I tried and when I used the Makefile.PL I got the following error:
>
> Warning: I could not locate your pod2man program. Please make sure,
>          your pod2man program is in your PATH before you execute 'make'

Change your settings (check the faq) it's mentioned there over and over.

In your /etc/sysconfig there is a file: i18n

[root@vmx30 sysconfig]# more i18n
LANG="en_US"
SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"

Most likely you have something different in the LANG section. Change it to the above.

Bye,
Raymond.

From kevins at BMRB.CO.UK Sat Sep 6 18:40:30 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A35@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A35@pascal.priv.bmrb.co.uk>
Message-ID: <1062870030.21420.12.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 18:26, Vernon Webb wrote:
>That was the first thing I tried and when I used the Makefile.PL I got
>the following error:
>Warning: I could not locate your pod2man program. Please make sure,
> your pod2man program is in your PATH before you execute 'make'

See Julian's instructions here...
http://www.sng.ecs.soton.ac.uk/mailscanner/install/spamassassin.shtml

They tell you how to get round the pod2man problem.

From vernon at COMP-WIZ.COM Sat Sep 6 18:38:41 2003
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To:
References: <20030906172004.M13077@comp-wiz.com>
Message-ID: <20030906173748.M74149@comp-wiz.com>

> Change your settings (check the faq) its mentioned there over and over.
>
> In your /etc/sysconfig there is a file: i18n
>
> [root@vmx30 sysconfig]# more i18n
> LANG="en_US"
> SUPPORTED="en_US.UTF-8:en_US:en"
> SYSFONT="latarcyrheb-sun16"
>
> Most likely you have something different in the LANG section.
> Change it to the above.

As I already mentioned, I've done this and I still get the error message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030906/43bcdd91/attachment.html

From sevans at FOUNDATION.SDSU.EDU Sat Sep 6 18:47:33 2003
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
Message-ID: <95B481BA6D181A4685081D263BF9A13A195EB8@mail.foundation.sdsu.edu>

Well I assume you do have pod2man in your path, check to be sure (ie whereis pod2man)

Then try this from the SpamAssassin FAQ,
http://spamassassin.taint.org/faq/index.cgi?req=show&file=faq04.014.htp

Steve Evans
SDSU Foundation

_____

From: Vernon Webb [mailto:vernon@COMP-WIZ.COM]
Sent: Saturday, September 06, 2003 10:39 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Spamassain

> Change your settings (check the faq) its mentioned there over and over.
>
> In your /etc/sysconfig there is a file: i18n
>
> [root@vmx30 sysconfig]# more i18n
> LANG="en_US"
> SUPPORTED="en_US.UTF-8:en_US:en"
> SYSFONT="latarcyrheb-sun16"
>
> Most likely you have something different in the LANG section.
> Change it to the above.

As I already mentioned, I've done this and I still get the error message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030906/c6e3e98f/attachment.html

From raymond at PROLOCATION.NET Sat Sep 6 18:51:28 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <20030906173748.M74149@comp-wiz.com>
Message-ID:

Hi!

> > [root@vmx30 sysconfig]# more i18n
> > LANG="en_US"
> > SUPPORTED="en_US.UTF-8:en_US:en"
> > SYSFONT="latarcyrheb-sun16"
> >
> > Most likely you have something different in the LANG section.
> > Change it to the above.
>
> As I already mentioned, I've done this and I still get the error message.

You also opened a new shell ?

Bye,
Raymond.
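The three things this part of the thread checks by hand (the LANG value in /etc/sysconfig/i18n, whether the running shell has picked that value up, and whether pod2man is on PATH), as an added example that is not part of any poster's message. The function names and the status words they print are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-build checks for the pod2man
# problem discussed above. Function names and status words are illustrative.

# Print the LANG value set in an i18n-style file of KEY="value" lines.
# $1 = path to the file (on the posters' systems: /etc/sysconfig/i18n)
configured_lang() {
    sed -n 's/^[[:space:]]*LANG=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Compare the configured LANG with the value the current shell exports.
# $1 = path to the i18n file, $2 = LANG as seen by the running shell
# Prints exactly one of:
#   missing-file     the file cannot be read
#   utf8-configured  the file still sets a UTF-8 locale
#   stale-shell      the file was changed but this shell has another value
#                    (the "did you open a new shell?" case)
#   ok               file and shell agree on a non-UTF-8 value
lang_state() {
    file=$1
    running=$2
    [ -r "$file" ] || { echo missing-file; return 0; }
    conf=$(configured_lang "$file")
    case $conf in
        *UTF-8*|*utf8*) echo utf8-configured; return 0 ;;
    esac
    if [ "$conf" != "$running" ]; then
        echo stale-shell
    else
        echo ok
    fi
}

# Succeed if tool $1 is found when PATH is set to $2.
# The lookup runs in a subshell so the caller's PATH is left untouched.
tool_on_path() {
    ( PATH=$2; command -v "$1" ) >/dev/null 2>&1
}

# Run both checks against the live environment and summarise.
# Returns 0 only when LANG is consistent and pod2man is found.
preflight() {
    state=$(lang_state "$1" "${LANG:-}")
    echo "LANG check: $state"
    if tool_on_path pod2man "$PATH"; then
        echo "pod2man: found"
    else
        echo "pod2man: not on PATH"
        state=no-pod2man
    fi
    [ "$state" = ok ]
}

# Only run when a file is given, e.g.:  sh preflight.sh /etc/sysconfig/i18n
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

A `stale-shell` result means the file has the new value but the environment that will run `perl Makefile.PL` does not; logging out and back in, as asked above, is what clears it.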
From vernon at COMP-WIZ.COM Sat Sep 6 19:29:51 2003
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To:
References: <20030906173748.M74149@comp-wiz.com>
Message-ID: <20030906182753.M93602@comp-wiz.com>

> You also opened a new shell ?

Not sure what you mean by that, but I've finally gotten it installed only to encounter the same problem. I start MailScanner with "Use SpamAssassin = yes" and the second a piece of mail comes in MailScanner crashes.

Vern
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030906/a0bdff99/attachment.html

From tunceresen at ERESEN.COM Sat Sep 6 19:43:44 2003
From: tunceresen at ERESEN.COM (Tunc Eresen)
Date: Thu Jan 12 21:19:50 2006
Subject: tunceresen@eresen.com
Message-ID:

Hello, all (just joined the list)

I am ing Mailscanner and SpamAssassin on Cobalt RAQ 550,
---------
I am getting following error when I start mailscanner with following

Shutting down MailScanner daemons:
         MailScanner: MailScanner ok
         incoming sendmail: ok
         outgoing sendmail: head: /var/run/sendmail.out.pid: No such file or directory
ok
[root spool]# /etc/rc.d/init.d/MailScanner start
Starting MailScanner daemons:
         incoming sendmail: ok
         outgoing sendmail: can not chdir(=/var/spool/mqueue): No such file or directory
ok
         MailScanner: ok

What changes should I make to correct this error?
Thanks
TUNC ERESEN

From kevins at BMRB.CO.UK Sat Sep 6 20:24:35 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: tunceresen@eresen.com
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A3C@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A3C@pascal.priv.bmrb.co.uk>
Message-ID: <1062876276.21420.18.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 19:43, Tunc Eresen wrote:
> outgoing sendmail: can not chdir(=/var/spool/mqueue): No such file or directory
> What changes should I make to correct this error?

Well, you might like to start by checking that /var/spool/mqueue exists and is accessible. It seems odd that it isn't there - has your sendmail installation been built or configured to use a different queue directory?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From kevins at BMRB.CO.UK Sat Sep 6 20:29:51 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A3B@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A3B@pascal.priv.bmrb.co.uk>
Message-ID: <1062876591.21420.25.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 19:29, Vernon Webb wrote:
>> You also opened a new shell ?
> Not sure what you mean by that, but I've finally gotten it installed
> only to encounter the same problem.
> I start MailScanner with "Use SpamAssassin = yes" and the second a piece
> of mail comes in MailScanner crashes.
> Vern

He meant, did you either close your terminal window (if working in X) or logout and log back in - so that your environment reflects the changes that you made.

Did you run the spamassassin -D --lint test I suggested?

In what way does MailScanner 'crash'? Do the processes die? Is there anything in the maillog?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From shrek-m at GMX.DE Sat Sep 6 20:34:05 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:19:50 2006
Subject: tunceresen@eresen.com
In-Reply-To:
References:
Message-ID: <3F5A36AD.7000601@gmx.de>

Tunc Eresen wrote:
>Hello, all (just joined the list)
>I am ing Mailscanner and spamassasin on Cobalt RAQ 550,
>---------
>I am getting following error when I start mailscanner with following
>Shutting down MailScanner daemons:
> MailScanner: MailScanner ok
> incoming sendmail: ok
> outgoing sendmail: head: /var/run/sendmail.out.pid: No such file or directory
>ok
>[root spool]# /etc/rc.d/init.d/MailScanner start
>Starting MailScanner daemons:
> incoming sendmail: ok
> outgoing sendmail: can not chdir(=/var/spool/mqueue): No such file or directory
>ok
> MailScanner: ok
>What changes should I make to correct this error?
>

    # ll /var/spool
    drwx------ 2 root mail 4096 Sep 6 12:08 mqueue
    drwx------ 2 root root 16384 Sep 6 12:08 mqueue.in

    # rpm -q sendmail
    sendmail-8.12.8-6.80

    # ll /var/run/sendmail.*
    -rw------- 1 root smmsp 150 Sep 6 21:30 /var/run/sendmail.in.pid
    -rw------- 1 root smmsp 66 Sep 6 21:30 /var/run/sendmail.out.pid

--
shrek-m

From vernon at COMP-WIZ.COM Sat Sep 6 21:24:02 2003
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <1062876591.21420.25.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A3B@pascal.priv.bmrb.co.uk> <1062876591.21420.25.camel@bach.kevinspicer.co.uk>
Message-ID: <20030906202352.M38025@comp-wiz.com>

> Did you run the spamassassin -D --lint test I suggested?

I'm sorry I didn't get that. What was the command? When I do spamd -D --lint I get --lint not recognized. If I do spamd -D I get a bunch of stuff but it seems that things do start ok. What exactly am I looking for?

> In what way does MailScanner 'crash'? Do the processes die? Is there
> anything in the maillog?

I'm not sure that this has anything to do with it, but I'm getting a bunch of these error messages in the maillog (can't be good):

    dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

From kevins at BMRB.CO.UK Sat Sep 6 22:14:01 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A40@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A40@pascal.priv.bmrb.co.uk>
Message-ID: <1062882842.21420.44.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 21:24, Vernon Webb wrote:
>> Did you run the spamassassin -D --lint test I suggested?
> I'm sorry I didn't get that. What was the command?
> When I do spamd -D --lint I get --lint not recognized. If I do spamd -D
> I get a bunch of stuff but it seems that things do start ok. What exactly
> am I looking for?

The commands are...

    spamassassin -D --lint

and

    spamassassin -D --lint
    --config-file=/etc/MailScanner/spam.assassin.prefs.conf

[Please note that the line wrapped in the second example above, you should type it all on one line]

The -D option indicates Debug (so you get verbose output)
--lint tells spamassassin to check the configuration files are sane (you'll get error messages if they are not).
In the second example we also tell it to use the spamassassin config that MailScanner uses.

The idea is to check that SpamAssassin is working okay (first command) then check that it hasn't been broken by something in the MailScanner config (second command).

spamd has nothing to do with it. MailScanner doesn't use spamd, it calls the SA API directly - which is better.

>> In what way does MailScanner 'crash'? Do the processes die? Is there
>> anything in the maillog?
> I'm not sure that this has anything to do with it, but I'm getting a
> bunch of these error messages in the maillog (can't be good):
> dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

Possibly, the whole line would have been nice! Presumably this is being logged by a sendmail process? possibly a sign that sendmail isn't listening on the loopback interface. You can find out by doing...

    netstat -an | grep :25

If you get a line that looks line this...

    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN

[sorry it wrapped again - but you get the idea?]

...then that is not your problem, however if the first 0.0.0.0 is an ip address of one of your interfaces then it is.

IIRC RedHat's sendmail by default listens only on 127.0.0.1, maybe someone has changed this to an IP of an external interface?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From vernon at COMP-WIZ.COM Sat Sep 6 23:01:24 2003
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <1062882842.21420.44.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A40@pascal.priv.bmrb.co.uk> <1062882842.21420.44.camel@bach.kevinspicer.co.uk>
Message-ID: <20030906220113.M20527@comp-wiz.com>

> The commands are...
>
> spamassassin -D --lint

I got no errors here.

> spamassassin -D --lint
> --config-file=/etc/MailScanner/spam.assassin.prefs.conf

This one ran REAL fast and here's what got:

    debug: Score set 0 chosen.
    debug: running in taint mode? no
    debug: ignore: using a test message to lint rules
    debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for default rules dir
    debug: using "/etc/mail/spamassassin" for site rules dir
    debug: using "/root/.spamassassin" for user state dir
    debug: using "/root/.spamassassin/user_prefs" for user prefs file
    debug: using "/root/.spamassassin" for user state dir
    debug: bayes: 13662 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
    debug: bayes: 13662 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
    debug: bayes: found bayes db version 0
    debug: bayes: Not available for scanning, only 1 spam(s) in Bayes DB < 200
    debug: bayes: 13662 untie-ing
    debug: bayes: 13662 untie-ing db_toks
    debug: bayes: 13662 untie-ing db_seen
    debug: Score set 1 chosen.
    debug: Initialising learner
    debug: using "/root/.spamassassin" for user state dir
    debug: bayes: 13662 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
    debug: bayes: 13662 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
    debug: bayes: found bayes db version 0
    debug: bayes: Not available for scanning, only 1 spam(s) in Bayes DB < 200
    debug: bayes: 13662 untie-ing
    debug: bayes: 13662 untie-ing db_toks
    debug: bayes: 13662 untie-ing db_seen
    debug: running header regexp tests; score so far=0
    debug: running body-text per-line regexp tests; score so far=0
    debug: running raw-body-text per-line regexp tests; score so far=0
    debug: running uri tests; score so far=0
    debug: uri tests: Done uriRE
    debug: running full-text regexp tests; score so far=0
    debug: running meta tests; score so far=0
    debug: is spam? score=0 required=5 tests=

> Possibly, the whole line would have been nice!

Here's the whole line:

    Sep 6 17:30:45 home sm-msp-queue[11614]: h85D9arc008082: to=postmaster, delay=1+08:20:30, xdelay=00:00:00, mailer=relay, pri=15064715, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

> Presumably this is being
> logged by a sendmail process?
> possibly a sign that sendmail isn't
> listening on the loopback interface. You can find out by doing...

> IIRC RedHat's sendmail by default listens only on 127.0.0.1, maybe
> someone has changed this to an IP of an external interface?

But you are right and this confuses me. If I set up sendmail options with:

    Port=smtp,Addr=127.0.0.1, Name=MTA

then I don't get any incoming mail. However if I set it up with the public IP it works fine. Is that how it's supposed to work?

From brose at MED.WAYNE.EDU Sun Sep 7 00:03:40 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:50 2006
Subject: Sobig.F@mm.enc
Message-ID:

MailScanner doesn't seem to be catching this. I thought Ms was written to check for the mime enclosed in header stuff. Did this get broken along the later versions.

-=Bobby

From kevins at BMRB.CO.UK Sun Sep 7 00:16:53 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Sobig.F@mm.enc
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A43@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A43@pascal.priv.bmrb.co.uk>
Message-ID: <1062890214.21422.82.camel@bach.kevinspicer.co.uk>

On Sun, 2003-09-07 at 00:03, Rose, Bobby wrote:
> MailScanner doesn't seem to be catching this. I thought Ms was written
> to check for the mime enclosed in header stuff. Did this get broken
> along the later versions.

This looks like it might be the same issue as yesterdays thread 'Missed Virus?'. Could you give a few more details, like MailScanner version, scanner name, format of the message that got through (was it an MTA bounce message with a .txt attachment containing the original mail with a virus?). Source of the mail would be good if you have it (but please snip out the encoded virus data from between the MIME section headers!!)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From kevins at BMRB.CO.UK Sun Sep 7 00:11:15 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Spamassain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A42@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A42@pascal.priv.bmrb.co.uk>
Message-ID: <1062889876.21422.76.camel@bach.kevinspicer.co.uk>

On Sat, 2003-09-06 at 23:01, Vernon Webb wrote:
>> spamassassin -D --lint
>> --config-file=/etc/MailScanner/spam.assassin.prefs.conf
> This one ran REAL fast and here's what got:
> debug: running in taint mode? no

Yeah that all looks in order

>> Possibly, the whole line would have been nice!
> Here's the whole line:
> Sep 6 17:30:45 home sm-msp-queue[11614]: h85D9arc008082:
> to=postmaster, delay=1+08:20:30, xdelay=00:00:00, mailer=relay,
> pri=15064715, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection
> refused by [127.0.0.1]

That's pretty much what I thought, it's a locally generated mail that's been queued and can't be passed to the incoming sendmail process because it's not listening on the loopback interface.

>> Presumably this is being
>> logged by a sendmail process? possibly a sign that sendmail isn't
>> listening on the loopback interface. You can find out by doing...
>> IIRC RedHat's sendmail by default listens only on 127.0.0.1, maybe
>> someone has changed this to an IP of an external interface?
> But you are right and this confuses me. If I set up sendmail options
> with:
> Port=smtp,Addr=127.0.0.1, Name=MTA
> then I don't get any incoming mail. However if I set it up with the
> public IP it works fine. Is that how it's supposed to work?

According to the comment in my sendmail.mc file (which is Mandrake, but presumably this holds for all sendmail configs) you should comment out the line entirely (by prepending dnl ) if you want to bind to all interfaces (the default behavior). Don't forget you'll need to rebuild sendmail.cf and stop/restart the sendmail processes started by MailScanner first.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at BARENDSE.TO Sun Sep 7 00:40:30 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:19:50 2006
Subject: Sobig.F@mm.enc
In-Reply-To:
Message-ID:

Do you still have a df/qf pair of the virus mail? Would like to study it.

Bouncing it will not be much use as most MUAs tend to fix certain stuff.

On Sat, 6 Sep 2003, Rose, Bobby wrote:
> MailScanner doesn't seem to be catching this. I thought Ms was written
> to check for the mime enclosed in header stuff. Did this get broken
> along the later versions.
>
> -=Bobby
>

From brose at MED.WAYNE.EDU Sun Sep 7 01:17:52 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:50 2006
Subject: Sobig.F@mm.enc
Message-ID:

I saw the thread and I think I see what folks were saying.
I think we all thought people were saying they it was the pif guy coming thru but it's the mm.enc one.

I'm running 4.23.11 on Solaris with both Sophos and ClamAV running and I block exe, pif, com, bat, scr, etc. I don't have the actual message since NortonAV for Exchange is catching it and stripping it out. That's why I started looking into it because I thought it odd that Norton was blabbering about it since all external mail goes thru MailScanner before getting to Exchange. Sure enough it was external messages that Nav for Exchange was picking up. Our Exchange boxes are configured to only accept mail from the mail gateway.

So I did some further checking and it's the .enc which is where it's encoded in the mime header. I thought that MS had been written in the early 4.xx version to block anything encoded in the headers so I'm thinking that maybe it's been broken due to all the new content checking options that's been added.

Now I don't know if it's the virus or the AV software that someone is using but the message is from a postmaster@xxx.xxx.xx and is a rejection message saying that the message you sent was infected. So it's either a virus generated message or a real bounce message where the original message was sent back with the virus. I don't know if there are AV products out there that send the whole original message back if reject which sounds kind of dumb.

-=B

-----Original Message-----
From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
Sent: Saturday, September 06, 2003 7:17 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F@mm.enc

On Sun, 2003-09-07 at 00:03, Rose, Bobby wrote:
> MailScanner doesn't seem to be catching this. I thought Ms was written
> to check for the mime enclosed in header stuff. Did this get broken
> along the later versions.

This looks like it might be the same issue as yesterdays thread 'Missed Virus?'.
Could you give a few more details, like MailScanner version, scanner name, format of the message that got through (was it an MTA bounce message with a .txt attachment containing the original mail with a virus?). Source of the mail would be good if you have it (but please snip out the encoded virus data from between the MIME section headers!!)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at ecs.soton.ac.uk Sun Sep 7 15:27:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:50 2006
Subject: Please stop bouncing infected emails!
In-Reply-To:
Message-ID: <5.2.1.1.2.20030907152659.0280f050@imap.ecs.soton.ac.uk>

Please read www.sng.ecs.soton.ac.uk/mailscanner/reject.html

At 16:01 06/09/2003, Brian Tompsett wrote:
> Please stop bouncing infected emails!
>
>http://www.spywareinfo.com/articles/sobigbounces/
>
>Email server administrators, please read this message.
>
>If your mail server is set up to bounce emails with viruses attached
>with a message to the sender, please turn that feature off. Unless
>you've been in a cave for the past few days, you know that tens of
>millions -possibly hundreds of millions- of emails carrying the
>sobig.f virus have been hammering email servers worldwide. Not a
>single one of these emails has the sender in the FROM: field. Not one
>of them.
>
>The person listed in the FROM: field is not infected with a virus.
>Someone with that person in their address book is infected. Your
>bounce message serves no useful purpose and is contributing actively
>to this problem. For Christ's sake, stop bouncing the virus emails.
>Route them to /dev/null/ and be done with it.
>
>By bouncing these emails, you are making the problem twice as bad as
>it already is. Please, look at the CPU and bandwidth usage of your
>servers. Every email server on the planet connected to the internet is
>under the same or greater load, and you, personally, are contributing
>to that load.
>
> Brian Tompsett
> Universities of Hull, Edinburgh and London
> +44 1482 465222
>
>
>From Postmaster@hull.ac.uk Sat Sep 06 09:50:28 2003
>Received: from [150.237.196.2] (helo=mailhub3.hull.ac.uk)
> by mailhub.dcs.hull.ac.uk with esmtp (Exim 3.03 #2)
> id 19vYm3-0002hS-00
> for bct@dcs.hull.ac.uk; Sat, 06 Sep 2003 09:50:27 +0100
>Received: from ensim.dbzgtlegacy.com by puccini.ucc.hull.ac.uk with ESMTP;
>Sat, 6 Sep 2003 09:49:57 +0100
>Received: (from root@localhost)
> by ensim.dbzgtlegacy.com (8.11.6/8.11.6) id h86Lq0231137;
> Sat, 6 Sep 2003 16:52:00 -0500
>Date: Sat, 6 Sep 2003 16:52:00 -0500
>Message-Id: <200309062152.h86Lq0231137@ensim.dbzgtlegacy.com>
>From: "MailScanner"
>To: b.c.tompsett@dcs.hull.ac.uk
>Subject: Warning: E-mail viruses detected
>X-MailScanner: generated
>Status: RO
>Content-Length: 634
>
>Our virus detector has just been triggered by a message you sent:-
> To: smith@amazinghumor.com
> Subject: Re: Your application
> Date: Sat Sep 6 16:52:00 2003
>Any infected parts of the message (application.pif)
>have not been delivered.
>
>This message is simply to warn you that your computer system may have a
>virus present and should be checked.
>
>The virus detector said this about the message:
>Report: application.pif contains Worm.Sobig.F
>Shortcuts to MS-Dos programs are very dangerous in email (application.pif)
>
>
>--
>MailScanner
>Email Virus Scanner
>www.mailscanner.info
>Mailscanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From lance at WARE.NET Sun Sep 7 19:19:34 2003
From: lance at WARE.NET (Lance Ware)
Date: Thu Jan 12 21:19:50 2006
Subject: bayes and mailscanner 4.23-11
Message-ID: <200309071820.h87IKXr19816@ori.rl.ac.uk>

Hi Folks,

Do I need to adjust these based on the %org-name% entry?

    bayes_ignore_header X-MailScanner
    bayes_ignore_header X-MailScanner-SpamCheck
    bayes_ignore_header X-MailScanner-SpamScore
    bayes_ignore_header X-MailScanner-Information

TIA

Lance

From Antony at SOFT-SOLUTIONS.CO.UK Sun Sep 7 09:24:07 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:50 2006
Subject: Real Expectations..
In-Reply-To: <3F5AE0E9.3F470715@whidbey.com>
References: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com> <3F5AE0E9.3F470715@whidbey.com>
Message-ID: <200309070824.h878OE512642@onyx.rockstone.co.uk>

On Sunday 07 September 2003 8:40 am, G. Armour Van Horn wrote:

> I don't know how it compares to a Sparc, but I'm running an AMD K6-2/500
> with 384 MB of RAM, RedHat 8.0, Sendmail per RH RPM, MailScanner 4.23-11,
> f-prot, SpamAssassin 2.6. Every morning I send out the Quotes of the Day
> through this machine, which uses a Perl script to merge the address lists
> with the e-mails and dumps it off to Sendmail.
> The load average goes to 10
> or thereabouts during the mail run, but it gets through 6,200 messages in
> less than two hours while handling any incoming mail.

These Quote of the Day emails are going to be quite short (I hope!) in comparison to the "average" email coming in or going out through a normal system, they won't have any attachments which need unpacking or virus scanning, and the spam check is going to be pretty trivial too.

It would be interesting to know, as well as the fact you can process 6,200 of these messages in something under 2 hours at a load average of 10, how many normal messages your system processes during the following 6 hours of the business day, and what its load average is during that time.

Regards,

Antony.

--
It wasn't a sight to be seen on an empty stomach, although it could probably cause one.
- Terry Pratchett, Soul Music

From kevins at BMRB.CO.UK Sun Sep 7 12:39:03 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Real Expectations..
Message-ID: <1062934744.21420.116.camel@bach.kevinspicer.co.uk>

On Sun, 2003-09-07 at 08:40, G. Armour Van Horn wrote:
> I suspect that I'm throttled by my 768K DSL, but the machine couldn't handle
> a lot more based on the LA.

Hmmm, is the LA caused by processes waiting on I/O or processor? If its I/O then try sticking the MailScanner incoming directory in tmpfs (if you've not done so already)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From kevins at BMRB.CO.UK Sun Sep 7 12:19:30 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Sobig.F@mm.enc
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A48@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A48@pascal.priv.bmrb.co.uk>
Message-ID: <1062933571.21422.95.camel@bach.kevinspicer.co.uk>

On Sun, 2003-09-07 at 01:47, Rose, Bobby wrote:
> Hah I think I found something to work with. I use DCC milter and
> recently started using the greylisting function so I checked it's logs
> and one of the messages that made it thru Mailscanner. It's not the
> complete message but does contain the header makeup.

That's really useful, it looks like the headers generated by the MTA (in this case an iMail server - might have guessed it was a windaz boz ;) ) indicate that the message has a mime type of text/plain, however the 'text' message is actually a mime message of type message/rfc822 [I think...], which in turn is a multipart/mixed message. So the fault lies with iMail for giving the message the wrong mime type (which is incorrect) and sending the virus back (which is stupid).

That doesn't help us though! Because MailScanner takes the text/plain at face value it doesn't recurse into the message looking for problems as it does with correctly formatted messages. Some of the virus scanners do recognise it as a message and do handle it correctly.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From David.While at UCE.AC.UK Sun Sep 7 10:58:28 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:50 2006
Subject: RBL
Message-ID: <107DE25EC0216C45AEF670016024245F644182@exchangea.staff.uce.ac.uk>

No my mailstats program analyses the log file produced by MailScanner. If an email is marked as spam by MailScanner (however it is configured) is added to the list using an algorithm. The sender has to send more than one in a certain time period before it gets added.

Currently my set up only uses SpamAssassin to mark mails as spam so it is not relying on other RBLs (except in that SpamAssassin uses them but if it didn't it would still work). The most common SpamAssassin trap is the Bayes system at the moment.

David While

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
Sent: Sun 07/09/2003 10:46
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: RBL

Hi!

> I now have an RBL running which is dynamically updated using the output
> from my mailstats.pl program. It is my intention to add this feature to
> mailstats.pl so that the RBL can be updated using the collective power
> of MailScanner users. At the moment it is being tested and seems to be
> working OK.
>
> If you are interested to know more please email me off list.

I know its slightly OT here, but what are you exactly blocking in that list? You block senders marked as spam, so you rely with the list totally on other RBLs ?

Bye,
Raymond.
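
[Added example, not part of any post in this thread and not MailScanner code.] Kevin Spicer's Sobig.F@mm.enc reply above describes a bounce whose headers declare text/plain while the body is really a complete MIME message, so a scanner that trusts the declared type never sees the attachment. The Python sketch below re-parses such a body and lists what is hidden in it; the sample bounce, all function names and the depth limit are constructed for illustration.

```python
"""Added example: find attachments hidden inside a mislabeled text/plain bounce."""
import base64
import email
import re
from collections import namedtuple

Part = namedtuple("Part", "depth content_type filename")

# Extensions the poster says his gateway blocks (exe, pif, com, bat, scr).
RISKY_EXTENSIONS = (".exe", ".pif", ".com", ".bat", ".scr")
MAX_DEPTH = 5  # assumption: stop unwrapping after a few nested bounces

HEADER_LINE = re.compile(r"[A-Za-z][A-Za-z0-9-]*:[ \t]")
# A (possibly folded) multipart Content-Type header and its boundary value.
MULTIPART_CT = re.compile(
    r'^Content-Type:[ \t]*multipart/[\w.+-]+;(?:[^\n]|\n[ \t])*?'
    r'boundary="?([^";\s]+)', re.I | re.M)

# Constructed sample: harmless payload, reserved example domains.
_PAYLOAD = base64.b64encode(b"constructed placeholder, not malware").decode()
SAMPLE_BOUNCE = f"""\
From: postmaster@mail.example
To: user@example.org
Subject: Message rejected
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

The message you sent was infected. The original message follows.

Received: from host.example by mail.example; Sat, 6 Sep 2003 16:52:00 -0500
From: user@example.org
Subject: Re: Your application
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="CONSTRUCTED_BOUNDARY"

--CONSTRUCTED_BOUNDARY
Content-Type: text/plain

Please see the attached file for details.
--CONSTRUCTED_BOUNDARY
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="application.pif"

{_PAYLOAD}
--CONSTRUCTED_BOUNDARY--
"""


def find_embedded_message(text):
    """Return the MIME message embedded in a text body, or None."""
    m = MULTIPART_CT.search(text)
    if not m or ("--" + m.group(1)) not in text[m.end():]:
        return None  # no multipart header, or no real MIME body after it
    # Back up to the first line of the header block holding Content-Type.
    start = m.start()
    while start > 0:
        prev_start = text.rfind("\n", 0, start - 1) + 1
        prev_line = text[prev_start:start - 1]
        if not (HEADER_LINE.match(prev_line) or prev_line[:1] in (" ", "\t")):
            break
        start = prev_start
    # A header block cannot begin with a continuation line; skip any.
    while text[start:start + 1] in (" ", "\t"):
        start = text.index("\n", start) + 1
    return email.message_from_string(text[start:])


def inventory(msg, depth=0, found=None):
    """List every leaf part, unwrapping text/plain bodies that hide MIME."""
    found = [] if found is None else found
    if depth > MAX_DEPTH:
        return found
    for part in msg.walk():  # walk() already descends into message/rfc822
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        found.append(Part(depth, ctype, part.get_filename()))
        if ctype != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""
        try:
            text = raw.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:  # unknown charset label
            text = raw.decode("latin-1")
        inner = find_embedded_message(text)
        if inner is not None:
            inventory(inner, depth + 1, found)
    return found


def scan(raw_message):
    """Parse a raw message string and return its full part inventory."""
    return inventory(email.message_from_string(raw_message))


def hidden_risky_attachments(raw_message):
    """Risky filenames that only appear after unwrapping a text/plain body."""
    return [p.filename for p in scan(raw_message)
            if p.depth > 0 and p.filename
            and p.filename.lower().endswith(RISKY_EXTENSIONS)]


if __name__ == "__main__":
    for p in scan(SAMPLE_BOUNCE):
        print(p)
    print("hidden:", hidden_risky_attachments(SAMPLE_BOUNCE))
```

Parts reported at depth 0 are what a parser trusting the declared type sees; anything at depth 1 or more was reachable only by re-parsing the body.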

From David.While at UCE.AC.UK Sun Sep 7 11:05:39 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:50 2006
Subject: RBL
Message-ID: <107DE25EC0216C45AEF670016024245F644183@exchangea.staff.uce.ac.uk>

My plan was that the IP address would have to be reported by more than one client before it got added.

David While

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
Sent: Sun 07/09/2003 11:01
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: RBL

Hi!

> my mailstats program analyses the log file produced by MailScanner. If
> an email is marked as spam by MailScanner (however it is configured) is
> added to the list using an algorithm. The sender has to send more than
> one in a certain time period before it gets added.

k.

> Currently my set up only uses SpamAssassin to mark mails as spam so it
> is not relying on other RBLs (except in that SpamAssassin uses them but
> if it didn't it would still work). The most common SpamAssassin trap is
> the Bayes system at the moment.

What about false positives ? They automatically also get added. Not saying its bad, but just a thought. What would be nice is a interface for the RBL where you could see the 'spam', headers/text and approve it to going on the list. If we have a couple of people watching over the output that should be do-able and more reliable... Else its depending on everyones site settings whats in the RBL. If i decide to filter all english messages, since we only want to get dutch mail, that would be nasty :)

Bye,
Raymond.

From raymond at PROLOCATION.NET Sun Sep 7 11:01:52 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:50 2006
Subject: RBL
In-Reply-To: <107DE25EC0216C45AEF670016024245F644182@exchangea.staff.uce.ac.uk>
Message-ID:

Hi!

> my mailstats program analyses the log file produced by MailScanner. If
> an email is marked as spam by MailScanner (however it is configured) is
> added to the list using an algorithm.
> The sender has to send more than
> one in a certain time period before it gets added.

k.

> Currently my set up only uses SpamAssassin to mark mails as spam so it
> is not relying on other RBLs (except in that SpamAssassin uses them but
> if it didn't it would still work). The most common SpamAssassin trap is
> the Bayes system at the moment.

What about false positives ? They automatically also get added. Not saying its bad, but just a thought. What would be nice is a interface for the RBL where you could see the 'spam', headers/text and approve it to going on the list. If we have a couple of people watching over the output that should be do-able and more reliable... Else its depending on everyones site settings whats in the RBL. If i decide to filter all english messages, since we only want to get dutch mail, that would be nasty :)

Bye,
Raymond.

From SJCJonker at SJC.NL Sun Sep 7 12:16:41 2003
From: SJCJonker at SJC.NL (Stijn Jonker)
Date: Thu Jan 12 21:19:50 2006
Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta
In-Reply-To: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk>
Message-ID: <3F5B1399.3070901@SJC.nl>

Skipped content of type multipart/mixed

From kevins at BMRB.CO.UK Sun Sep 7 16:28:58 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:50 2006
Subject: Sobig.F@mm.enc
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A5D@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A5D@pascal.priv.bmrb.co.uk>
Message-ID: <1062948539.21422.123.camel@bach.kevinspicer.co.uk>

On Sun, 2003-09-07 at 16:16, Antony Stone wrote:
> Enc is where
> it's encoded into the mime header.
>Please can somebody explain to me what this means? Are you saying >that a >virus can be encoded in a MIME header, rather than (as is usual) in a MIME >body to which the header refers? No, I think the .enc actually means its base-64 encoded as it would appear within a mime body. Clearly a signature which matched the virus when decoded would not match the virus when it is encoded as part of a message. As we've seen in this thread there are some MTA's which bounce an encoded message but indicate (incorrectly) that it is plain text, this means mailscanner treats it as a text file and it will only be spotted by those virus scanners which either a) have special signatures for the encoded version or b) spot this it is encoded and decode it before scanning. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From tunceresen at eresen.com Sun Sep 7 07:31:43 2003 From: tunceresen at eresen.com (=?us-ascii?Q?Tunc_Eresen=28=3F`..=2C=2C.-=3E__Cobalt___M447785363481_?=) Date: Thu Jan 12 21:19:50 2006 Subject: DCC-Pyzor In-Reply-To: <1062882842.21420.44.camel@bach.kevinspicer.co.uk> Message-ID: <200309070632.h876WBD11562@ns2.findmenet.com> Hello, all I run "spamassasin -D --lint" on Cobalt server 550 with Spamassasin+Mailscanner I had following errors. Should install these packages? debug: DCC is not available: dccproc not found debug: Pyzor is not available: pyzor not found Best Regards, O. TUNC ERESEN NT & Security Consultant. 
Mobile: (44)07785 363 481 17 OAK ROAD, BRACKLEY, NORTHANTS, UK, NN13 6ER tunc@eresen.com www.eresen.com eresen@hotmail.com (MSN Messenger service) eutsl@yahoo.com (Yahoo Messenger service) The information contained in this email and any attachment is confidential. It is intended only for the named addressee's. If you are not the named addressee please notify the sender immediately and do not disclose, copy or distribute the contents to any other person other than the intended addressee's.. If you have received this transmission in error it would be helpful if you could notify tunc@eresen.com as soon as possible. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer Sent: Saturday, September 06, 2003 10:14 PM To: MAILSCANNER@JISCMAIL.AC.UK On Sat, 2003-09-06 at 21:24, Vernon Webb wrote: >> Did you run the spamassassin -D --lint test I suggested? >I'm sorry I didn't get that. What as the command? When I do spamd -D >--lint I get --lint not recognized. If I do spamd -D I get a bunch of >stuff but it seems that things do start ok. What exactly am I looking >for? The commands are... spamassassin -D --lint and spamassassin -D --lint --config-file=/etc/MailScanner/spam.assassin.prefs.conf [Please note that the line wrapped in the second example above, you should type it all on one line] The -D option indicates Debug (so you get verbose output) --lint tells spamassassin to check the configuration files are sane (you'll get error messages if they are not). In the second example we also tell it to use the spamassassin config that MailScanner uses. The idea is to check that SpamAssassin is working okay (first command) then check that it hasn't been broken by something in the MailScanner config (second command). spamd has nothing to do with it. MailScanner doesn't use spamd, it calls the SA API directly - which is better. >> In what way does MailScanner 'crash'? Do the processes die? 
Is there >> anything in the maillog? >I'm not sure that this has anything to do with it, but I'm getting a >bunch of these error messages in the maillog (can't be good): >dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1] Possibly, the whole line would have been nice! Presumably this is being logged by a sendmail process? possibly a sign that sendmail isn't listening on the loopback interface. You can find out by doing... netstat -an | grep :25 If you get a line that looks line this... tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN [sorry it wrapped again - but you get the idea?] ...then that is not your problem, however if the first 0.0.0.0 is an ip address of one of your interfaces then it is. IIRC RedHat's sendmail by default listens only on 127.0.0.1, maybe someone has changed this to an IP of an external interface? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: OSMAN TUNC ERESEN (tunc@eresen.com).vcf Type: text/x-vcard Size: 697 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030907/53a4058c/OSMANTUNCERESENtunceresen.com.vcf From raymond at PROLOCATION.NET Sun Sep 7 10:46:04 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:51 2006 Subject: RBL In-Reply-To: <107DE25EC0216C45AEF670016024245F644181@exchangea.staff.uce.ac.uk> Message-ID: Hi! > I now have an RBL running which is dynamically updated using the output > from my mailstats.pl program. It is my intention to add this feature to > mailstats.pl so that the RBL can be updated using the collective power > of MailScanner users. At the moment it is being tested and seems to be > working OK. > > If you are interested to know more please email me off list. I know its silightly OT here, but what are you exactly blocking in that list? You block senders marked as spam, so you rely with the list totally on other RBLs ? Bye, Raymond. From brose at MED.WAYNE.EDU Sun Sep 7 15:34:01 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:19:51 2006 Subject: Sobig.F@mm.enc Message-ID: I'm the same way. Sobig is being caught for the most part but you have different versions going on here. You have mm and mm.enc. Enc is where it's encoded into the mime header. -----Original Message----- From: G. Armour Van Horn [mailto:vanhorn@whidbey.com] Sent: Sunday, September 07, 2003 3:28 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F@mm.enc I'm running 4.23-11, and most SoBig messages are getting caught not only by both virus scanners (f-prot and ClamAV) but also based on file name by MailScanner itself, since .pif files shouldn't be allowed to start with. It's not a problem with recent versions, how recent is your setup? Van "Rose, Bobby" wrote: > MailScanner doesn't seem to be catching this. I thought Ms was > written to cehck for the mime enclosed in header stuff. 
Did this get > broken along the later versions. > > -=Bobby -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ---------------------------------------------------------- From tunceresen at eresen.com Sun Sep 7 14:38:02 2003 From: tunceresen at eresen.com (=?us-ascii?Q?Tunc_Eresen=28=3F`..=2C=2C.-=3E__Cobalt___M447785363481_?=) Date: Thu Jan 12 21:19:51 2006 Subject: DCC-Pyzor In-Reply-To: <1062933815.21422.100.camel@bach.kevinspicer.co.uk> Message-ID: <200309071338.h87DcCD01154@ns2.findmenet.com> Hello, all Where is the install scripts for DCC-Pyzor on the www. Best Regards, O. TUNC ERESEN NT & Security Consultant. Mobile: (44)07785 363 481 17 OAK ROAD, BRACKLEY, NORTHANTS, UK, NN13 6ER tunc@eresen.com www.eresen.com eresen@hotmail.com (MSN Messenger service) eutsl@yahoo.com (Yahoo Messenger service) The information contained in this email and any attachment is confidential. It is intended only for the named addressee's. If you are not the named addressee please notify the sender immediately and do not disclose, copy or distribute the contents to any other person other than the intended addressee's.. If you have received this transmission in error it would be helpful if you could notify tunc@eresen.com as soon as possible. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer Sent: Sunday, September 07, 2003 12:24 PM To: MAILSCANNER@JISCMAIL.AC.UK On Sun, 2003-09-07 at 07:31, Tunc Eresen(?`..,,.-> Cobalt M447785363481 wrote: >I had following errors. Should install these packages? 
>debug: DCC is not available: dccproc not found >debug: Pyzor is not available: pyzor not found You don't need to, SA will function without them (it's just telling you that they are not there so it isn't going to try and use them). However adding them both (and razor2 if you have not yet done so) will improve your spam detection. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... Name: OSMAN TUNC ERESEN (tunc@eresen.com).vcf Type: text/x-vcard Size: 697 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030907/6a7c4e1b/OSMANTUNCERESENtunceresen.com.vcf From brose at MED.WAYNE.EDU Sun Sep 7 01:47:54 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:19:51 2006 Subject: Sobig.F@mm.enc Message-ID: Hah I think I found something to work with. I use DCC milter and recently started using the greylisting function so I checked it's logs and one of the messages that made it thru Mailscanner. It's not the complete message but does contain the header makeup. 
-=B -----Original Message----- From: Remco Barendse [mailto:mailscanner@BARENDSE.TO] Sent: Saturday, September 06, 2003 7:41 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F@mm.enc Do you still have a df/qf pair of the virus mail? Would like to study it. Bouncing it will not be much use as most MUAs tend to fix certain stuff. On Sat, 6 Sep 2003, Rose, Bobby wrote: > MailScanner doesn't seem to be catching this. I thought Ms was > written to cehck for the mime enclosed in header stuff. Did this get > broken along the later versions. > > -=Bobby > -------------- next part -------------- VERSION: 3 DATE: 09/06/03 18:41:06 EDT IP: mail.straight-away.com ::ffff:12.96.54.33 HELO: straight-away.com env_From: <> mail_host= env_To: addr=tcrossle@exchange.med.wayne.edu dir=userdirs/relay/tcrossle@exchange.med.wayne.edu Date: Sat, 6 Sep 2003 19:58:15 -0400 Message-Id: <10309061958.AA74726420@straight-away.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii From: "Postmaster" Sender: To: Subject: Undeliverable Mail X-Mailer: Requested action not taken: virus detected Original message follows. Received: from TAIMUR-YRXU8L7C [68.41.139.205] by straight-away.com (SMTPD32-8.00) id A48B47900EA; Sat, 06 Sep 2003 19:58:03 -0400 From: To: Subject: Re: Wicked screensaver Date: Sat, 6 Sep 2003 18:43:01 --0400 X-MailScanner: Found to be clean Importance: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MSMail-Priority: Normal X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="_NextPart_000_000A06F8" Message-Id: <20030906195862.SM01312@TAIMUR-YRXU8L7C> This is a multipart message in MIME format --_NextPart_000_000A06F8 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Please see the attached file for details. 
--_NextPart_000_000A06F8 Content-Type: application/octet-stream; name="wicked_scr.scr" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="wicked_scr.scr" TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v [message truncated] ### end of message body ######################## X-DCC-MessageCare-Metrics: eeyore 1108; Body=1 Fuz1=1 Fuz2=1 checksum server IP: c662cec7 0d155b95 bce5bb9d ff58c603 env_From: d41d8cd9 8f00b204 e9800998 ecf8427e From: 342e96a8 d0fd1448 210eb78e be98cab9 substitute mail_host: 617d4dcd 2d889dc3 be693d50 abc8d8bc Message-ID: 8dd46981 5ced570e 505354e0 5d3b0130 Body: 10f0b989 22c6bfa4 15799515 a6b73d06 0 Fuz1: 35cfefec f12cc999 7914fa41 c0d8d574 0 Fuz2: 969aa337 96782573 213678b0 57166e33 0 recipient : 25705ccc 2d472d5b b9c76cbf de557a76 First Embargo rejection message: 451 4.7.1 mail h86Mf65a022618 from ::ffff:12.96.54.33 embargoed by DCC result: reject From vanhorn at whidbey.com Sun Sep 7 08:40:25 2003 From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Thu Jan 12 21:19:51 2006 Subject: Real Expectations.. References: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com> Message-ID: <3F5AE0E9.3F470715@whidbey.com> I don't know how it compares to a Sparc, but I'm running an AMD K6-2/500 with 384 MB of RAM, RedHat 8.0, Sendmail per RH RPM, MailScanner 4.23-11, f-prot, SpamAssassin 2.6. Every morning I send out the Quotes of the Day through this machine, which uses a Perl script to merge the address lists with the e-mails and dumps it off to Sendmail. The load average goes to 10 or thereabouts during the mail run, but it gets through 6,200 messages in less than two hours while handling any incoming mail. I suspect that I'm throttled by my 768K DSL, but the machine couldn't handle a lot more based on the LA. Van Errol Neal wrote: > Hi again.. > > My boss is giving me headaches about the performance of our MailScanners. 
> What kind of performance should one expect on Sun Solaris 500 mhz sparc > with 512 ram and ide disks running 4.22-4? > I think right now we are pumping out somewhere in the neighborhood of > 300-500 messages per hour. I think that is reasonable for the hardware we > have and these system are dedicated Scanners. > Can someone throw some hardware templates at me based upon their > experiences and give me some numbers? > > Errol > > Errol Neal, Systems/Network Administrator > eneal@enhtech.com > Enhanced Technologies Inc. > http://www.enhtech.com > 703-924-0301 or 800-368-3249 > 703-924-0302 Fax -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ---------------------------------------------------------- From kevins at BMRB.CO.UK Sun Sep 7 12:34:30 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:51 2006 Subject: RBL In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A52@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A52@pascal.priv.bmrb.co.uk> Message-ID: <1062934470.21422.110.camel@bach.kevinspicer.co.uk> On Sun, 2003-09-07 at 11:05, David While wrote: >My plan was that the IP address would have to be reported by more than >one client before it got added. You could perhaps also return different data (172.0.0.1, 172.0.0.2 etc.) depending on how many clients report it, or how many hits on it the reporting clients have - this would allow users of the RBL to make their own judgements about when a sender should be blacklited. Over time a sender with no more reports could drop back down the scale, where the more conservative clients will then start to detect and report it again, pushing it back up. Actually thats just got really complicated! 
Maybe for the future? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Sun Sep 7 12:23:35 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:51 2006 Subject: DCC-Pyzor In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A4A@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A4A@pascal.priv.bmrb.co.uk> Message-ID: <1062933815.21422.100.camel@bach.kevinspicer.co.uk> On Sun, 2003-09-07 at 07:31, Tunc Eresen(?`..,,.-> Cobalt M447785363481 wrote: >I had following errors. Should install these packages? >debug: DCC is not available: dccproc not found >debug: Pyzor is not available: pyzor not found You don't need to, SA will function without them (it's just telling you that they are not there so it isn't going to try and use them). However adding them both (and razor2 if you have not yet done so) will improve your spam detection. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Sun Sep 7 12:28:02 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:51 2006 Subject: Real Expectations.. In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A4D@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A4D@pascal.priv.bmrb.co.uk> Message-ID: <1062934083.21420.104.camel@bach.kevinspicer.co.uk> On Sun, 2003-09-07 at 09:24, Antony Stone wrote: >These Quote of the Day emails are going to be quite short (I hope!) in >comparison to the "average" email coming in or going out through a >normal >system, they won't have any attachments which need unpacking or virus >scanning, and the spam check is going to be pretty trivial too. Especially if you whitelist outgoing mail for spam checks, you could even whitelist the address that send these messages for virus checks too (by using a ruleset). Presumably you already address each copy of the email to a batch of recipients rather than firing a single message for each recipient (or are the messages personalised?) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
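For the RBL thread above, an added Python example (not David While's mailstats.pl code) of the listing rule discussed there: an address is listed only while more than one distinct client has reported it, the answer grades how many clients reported it, and reports age out so a sender drops back down the scale. The answers use the 127.0.0.x range that DNSBLs conventionally return; the class and function names, the one-day window, the level cap and the zone `rbl.example.org` are assumptions.

```python
import ipaddress

WINDOW = 24 * 3600   # assumption: a report counts for one day
MIN_REPORTERS = 2    # from the thread: more than one client must report an IP
MAX_LEVEL = 10       # assumption: cap for the last octet of the answer


class ReportedRBL:
    """Lists an IP only while enough distinct clients have recently reported it."""

    def __init__(self, window=WINDOW, min_reporters=MIN_REPORTERS):
        self.window = window
        self.min_reporters = min_reporters
        self._reports = {}   # ip -> {client_id: time of that client's latest report}

    def report(self, client_id, ip, now):
        """Record a report; repeat reports from one client only refresh its time."""
        ip = str(ipaddress.IPv4Address(ip))      # raises ValueError on junk input
        self._reports.setdefault(ip, {})[client_id] = now

    def live_reporters(self, ip, now):
        """Distinct clients whose latest report is still inside the window."""
        seen = self._reports.get(str(ipaddress.IPv4Address(ip)), {})
        for client in [c for c, t in seen.items() if now - t > self.window]:
            del seen[client]                     # age out old reports
        return set(seen)

    def lookup(self, ip, now):
        """Return None (not listed) or a graded answer such as '127.0.0.3'."""
        count = len(self.live_reporters(ip, now))
        if count < self.min_reporters:
            return None                          # one site's settings cannot list alone
        return "127.0.0.%d" % min(count, MAX_LEVEL)


def query_name(ip, zone):
    """DNS name a mail server looks up: reversed octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def wants_block(answer, min_level):
    """Each user of the list picks the level at which it starts rejecting."""
    if answer is None:
        return False
    return int(answer.rsplit(".", 1)[1]) >= min_level


if __name__ == "__main__":
    rbl = ReportedRBL(window=3600)
    ip = "192.0.2.10"                            # constructed documentation address
    rbl.report("site-a", ip, now=0)
    print(query_name(ip, "rbl.example.org"), rbl.lookup(ip, now=5))
    rbl.report("site-b", ip, now=30)
    rbl.report("site-c", ip, now=50)
    answer = rbl.lookup(ip, now=60)
    print(answer, "cautious site blocks:", wants_block(answer, min_level=4))
    print("after ageing:", rbl.lookup(ip, now=3640))
```

Counting distinct reporters rather than raw reports is what keeps one site with unusual filter settings from listing an address on its own.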
From Antony at SOFT-SOLUTIONS.CO.UK Sun Sep 7 16:16:01 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:51 2006 Subject: Sobig.F@mm.enc In-Reply-To: References: Message-ID: <200309071516.h87FG8514090@onyx.rockstone.co.uk> On Sunday 07 September 2003 3:34 pm, Rose, Bobby wrote: > I'm the same way. Sobig is being caught for the most part but you have > different versions going on here. You have mm and mm.enc. Enc is where > it's encoded into the mime header. Please can somebody explain to me what this means? Are you saying that a virus can be encoded in a MIME header, rather than (as is usual) in a MIME body to which the header refers? I don't know much abut MIME encoding formats, but on the basis that the Sobig virus files I've seen are generally around 70kbytes in size, this suggests something very strange about what can be fitted into a MIME header...? Antony. -- Wanted: telepath. You know where to apply. From kevins at BMRB.CO.UK Sun Sep 7 16:31:57 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:51 2006 Subject: DCC-Pyzor In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A5B@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A5B@pascal.priv.bmrb.co.uk> Message-ID: <1062948718.21422.126.camel@bach.kevinspicer.co.uk> On Sun, 2003-09-07 at 14:38, Tunc Eresen(?`..,,.-> Cobalt M447785363481 wrote: >Hello, all >Where is the install scripts for DCC-Pyzor on the www. Look for DCC and Pyzor on this page... http://au2.spamassassin.org/full/2.5x/dist/INSTALL It gives the URL's for downloading and instructions for installing. (Note these may be slightly different from the instructions on the DCC & Pyzor sites as they don't bother with the components that SpamAssassin doesn't use.) 
BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From vanhorn at whidbey.com Sun Sep 7 08:28:17 2003 From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Thu Jan 12 21:19:51 2006 Subject: Sobig.F@mm.enc References: Message-ID: <3F5ADE11.A2B2A24B@whidbey.com> I'm running 4.23-11, and most SoBig messages are getting caught not only by both virus scanners (f-prot and ClamAV) but also based on file name by MailScanner itself, since .pif files shouldn't be allowed to start with. It's not a problem with recent versions, how recent is your setup? Van "Rose, Bobby" wrote: > MailScanner doesn't seem to be catching this. I thought Ms was written > to cehck for the mime enclosed in header stuff. Did this get broken > along the later versions. > > -=Bobby -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ---------------------------------------------------------- From mailscanner at BARENDSE.TO Sun Sep 7 11:37:32 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:19:51 2006 Subject: RBL In-Reply-To: <107DE25EC0216C45AEF670016024245F644183@exchangea.staff.uce.ac.uk> Message-ID: Isn't that what DCC is doing, more or less? 
On Sun, 7 Sep 2003, David While wrote: > My plan was that the IP address would have to be reported by more than one client before it got added. > > David While > > -----Original Message----- > From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET] > Sent: Sun 07/09/2003 11:01 > To: MAILSCANNER@JISCMAIL.AC.UK > Cc: > Subject: Re: RBL > > > > Hi! > > > my mailstats program analyses the log file produced by MailScanner. If > > an email is marked as spam by MailScanner (however it is configured) is > > added to the list using an algorithm. The sender has to send more than > > one in a certain time period before it gets added. > > k. > > > Currently my set up only uses SpamAssassin to mark mails as spam so it > > is not relying on other RBLs (except in that SpamAssassin uses them but > > if it didn't it would still work). The most common SpamAssassin trap is > > the Bayes system at the moment. > > What about false positives ? They automaticly also get added. Not saying > its bad, but just a thought. What would be nice is a inter face for the > RBL where you could see the 'spam', headers/text and approve it to going > on the list. > > If we havea couple of people watching over the output that should be > do-able and more reliable... > > Else its depending on everyones site settings whats in the RBL. If i > decide to filter all english messages, since we only want to get dutch > mail, that would be nasty :) > > Bye, > Raymond. > > > From mailscanner at ecs.soton.ac.uk Sun Sep 7 19:51:52 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:51 2006 Subject: Sobig.F@mm.enc In-Reply-To: Message-ID: <5.2.1.1.2.20030907194554.031c5e88@imap.ecs.soton.ac.uk> I can explain what is happening with all of these cases. A dumb MTA is rejecting the message, and including the entire content text of the rejected message in the rejection notice, rather than just the headers or the first few lines (which is what sensible ones do). 
As the MIME structure of the rejected message is completely broken by it being included very simply in the rejection notice, your email app can't actually decode the attachment anyway. So it's actually quite safe. But some AV products generate a false alarm on it, Norton in particular. At 01:17 07/09/2003, you wrote: >Now I don't know if it's the virus or the AV software that someone is >using but the message is from a postmaster@xxx.xxx.xx and is a rejection >message saying that the message you sent was infected. So it's either a >virus generated message or a real bounce message where the original >message was sent back with the virus. It don't know if there are AV >products out there that send the whole oringal message back if reject >which sounds kind of dumb. > >-----Original Message----- >From: Kevin Spicer [mailto:kevins@BMRB.CO.UK] >Sent: Saturday, September 06, 2003 7:17 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Sobig.F@mm.enc > > >On Sun, 2003-09-07 at 00:03, Rose, Bobby wrote: > > >MailScanner doesn't seem to be catching this. I thought Ms was written > > >to cehck for the mime enclosed in header stuff. Did this get broken > >along the later versions. > >This looks like it might be the same issue as yesterdays thread 'Missed >Virus?'. Could you give a few more details, like MailScanner version, >scanner name, format of the message that got through (was it an MTA >bounce message with a .txt attachment containing the original mail with >a virus?). Source of the mail would be good if you have it (but please >snip out the encoded virus data from between the MIME section headers!!) 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From SJCJonker at SJC.NL Sun Sep 7 14:24:16 2003 From: SJCJonker at SJC.NL (Stijn Jonker) Date: Thu Jan 12 21:19:51 2006 Subject: ANNOUNCE: MailWatch for MailScanner 0.3 Beta In-Reply-To: <3F5B1399.3070901@SJC.nl> References: <67D9E7698329D411936E00508B6590B902773AD9@neelix.lbsltd.co.uk> <3F5B1399.3070901@SJC.nl> Message-ID: <3F5B3180.7070808@SJC.nl> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 155 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030907/2969deef/attachment.bin From David.While at UCE.AC.UK Sun Sep 7 10:16:44 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:19:51 2006 Subject: RBL Message-ID: <107DE25EC0216C45AEF670016024245F644181@exchangea.staff.uce.ac.uk> I now have an RBL running which is dynamically updated using the output from my mailstats.pl program. It is my intention to add this feature to mailstats.pl so that the RBL can be updated using the collective power of MailScanner users. At the moment it is being tested and seems to be working OK. If you are interested to know more please email me off list. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030907/8a26f619/attachment.html From Antony at SOFT-SOLUTIONS.CO.UK Sun Sep 7 02:29:06 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:51 2006 Subject: Sobig.F@mm.enc In-Reply-To: References: Message-ID: <200309070129.h871TC511397@onyx.rockstone.co.uk> On Sunday 07 September 2003 1:17 am, Rose, Bobby wrote: > I thought that MS had been written in the early 4.xx version to blcok > anything encoded in the headers I'm not sure what you mean by this - "block anything encoded in the headers"? > so I'm thing that maybe it's gbeen broken due to > all the new content checking options that's been added. > > Now I don't know if it's the virus or the AV software that someone is > using but the message is from a postmaster@xxx.xxx.xx and is a rejection > message saying that the message you sent was infected. So it's either a > virus generated message or a real bounce message where the original > message was sent back with the virus. It don't know if there are AV > products out there that send the whole oringal message back if reject > which sounds kind of dumb. You're right - there are some very dumb mail systems out there - no need to blame the AV products - they just say "this is a virus" - it's the mail system which decides what to do with the email the virus was found in. Sensible ones check if the virus was of the type that forges sender addresses and keep quiet if it is. Slightly stupid ones bounce messages back saying "you just sent us a virus" to people who didn't. Really dumb and dangerous ones bounce messages back saying "you just sent us a virus and here it is back again" to people who didn't send it in the first place (but at least they've got it now...) Antony. -- Software development can be quick, high-quality, or low-cost. The customer gets to pick any two out of three. 
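For the Sobig.F@mm.enc thread above, an added Python example (not MailScanner code) of the check Kevin Spicer describes: a bounce declared as text/plain carries the rejected message's base64 attachment inline, so a byte signature for the decoded file does not match the raw text, and a scanner has to spot the encoded run and decode it first. The bounce and payload are constructed and inert, and `SIGNATURE` is a stand-in for an AV byte signature; all names and addresses are assumptions.

```python
import base64
import binascii
import email
import re

# Constructed, inert sample: "MZ" magic plus filler bytes, NOT a real executable.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60 + b"CONSTRUCTED-INERT-SAMPLE" * 4
SIGNATURE = b"CONSTRUCTED-INERT-SAMPLE"      # stands in for a scanner signature

RUN_LINE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
MAGIC = {b"MZ": "DOS/PE executable", b"PK\x03\x04": "ZIP archive"}


def build_bounce(payload):
    """Constructed bounce: the rejected message pasted whole into a text/plain body."""
    encoded = base64.encodebytes(payload).decode("ascii")
    return (
        "From: Postmaster <postmaster@mta.example>\n"
        "To: user@site.example\n"
        "Subject: Undeliverable Mail\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        "Requested action not taken: virus detected\n"
        "Original message follows.\n"
        "\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        'Content-Type: application/octet-stream; name="sample.scr"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n" + encoded + "--b1--\n"
    ).encode("ascii")


def base64_runs(text):
    """Yield each run of consecutive base64-looking lines as one string."""
    run = []
    for line in text.splitlines():
        line = line.strip()
        if RUN_LINE.match(line):
            run.append(line)
            if line.endswith("="):           # padding ends the encoded blob
                yield "".join(run)
                run = []
        elif run:
            yield "".join(run)
            run = []
    if run:
        yield "".join(run)


def decode_blob(blob, max_chars=4 * 1024 * 1024):
    """Decode a run, tolerating a ragged tail; return b'' if it is not base64."""
    blob = blob[:max_chars]
    blob = blob[: len(blob) - len(blob) % 4]
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        return b""


def scan_text_parts(raw, signatures=()):
    """Decode base64 runs hidden in text/* parts and test the decoded bytes."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        text = (part.get_payload(decode=True) or b"").decode("latin-1")
        for blob in base64_runs(text):
            data = decode_blob(blob)
            kind = next((n for m, n in MAGIC.items() if data.startswith(m)), None)
            hits = [s for s in signatures if s in data]
            if kind or hits:
                findings.append({"declared": part.get_content_type(), "kind": kind,
                                 "bytes": len(data), "signature_hits": hits})
    return findings


if __name__ == "__main__":
    bounce = build_bounce(SAMPLE_PAYLOAD)
    print("signature in raw text:", SIGNATURE in bounce)
    print(scan_text_parts(bounce, [SIGNATURE]))
```

The inner `--b1` boundary is ignored by the MIME parser because the outer message is not multipart, which is why the attachment never appears as a part of its own.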
From kevins at BMRB.CO.UK Sun Sep 7 20:15:37 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:51 2006 Subject: bayes and mailscanner 4.23-11 In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7A60@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A60@pascal.priv.bmrb.co.uk> Message-ID: <1062962138.32514.128.camel@bach.kevinspicer.co.uk> On Sun, 2003-09-07 at 19:19, Lance Ware wrote: >Hi Folks, >Do I need to adjust these based on the %org-name% entry? >bayes_ignore_header X-MailScanner >bayes_ignore_header X-MailScanner-SpamCheck >bayes_ignore_header X-MailScanner-SpamScore >bayes_ignore_header X-MailScanner-Information Yes BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From tomaz.borstnar at OVER.NET Sun Sep 7 20:44:39 2003 From: tomaz.borstnar at OVER.NET (Tomaz Borstnar) Date: Thu Jan 12 21:19:51 2006 Subject: ANNOUNCE: mailstats V0.21 In-Reply-To: <221C759285B78647AEE6181FD6AF36A7078B91DB@bambi.grand-rapid s.mi.us> References: <221C759285B78647AEE6181FD6AF36A7078B91DB@bambi.grand-rapids.mi.us> Message-ID: <6.0.0.22.0.20030907214359.02f649a0@127.0.0.1> At 20:03 2.9.2003, you wrote: >What can I do to assist in getting mcafee AV support in mailstats? also does it support specifying two AV engines? 
Tomaz From mailscanner at ecs.soton.ac.uk Mon Sep 8 04:41:39 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:19:51 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200309080341.h883fdkE002940@seer.ecs.soton.ac.uk> New Guestbook-Entry from cheapku clam + mailscanner is great.

I appreciate your whole team!

From martinh at SOLID-STATE-LOGIC.COM Mon Sep 8 09:06:11 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:19:51 2006
Subject: list broke
Message-ID: <3F5C3873.2080605@solid-state-logic.com>

hmm

very quiet over the weekend, I wonder if I'm unsubscribed or something..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
+44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************
From martinh at SOLID-STATE-LOGIC.COM Mon Sep 8 09:19:38 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:19:51 2006
Subject: list broke (OT)
In-Reply-To: <3F5C3873.2080605@solid-state-logic.com>
References: <3F5C3873.2080605@solid-state-logic.com>
Message-ID: <3F5C3B9A.1000900@solid-state-logic.com>

OK sorry guys - mozilla having a monday morning snarfle..

(goes off and gets coat :-)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
+44 (0)1865 842300

Martin Hepworth wrote:
> hmm
>
> very quiet over the weekend, I wonder if I'm unsubscribed or something..
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic Ltd
> +44 (0)1865 842300

From philip.steeman at KHBO.BE Mon Sep 8 10:34:24 2003
From: philip.steeman at KHBO.BE (Philip Steeman)
Date: Thu Jan 12 21:19:51 2006
Subject: readqf error in mqueue.in
Message-ID: <3F5C4D20.7080003@khbo.be>

Hello,

I keep getting this error message when I look at my mqueue.in (a few errors a day, but they stay in the queue)

> h87GbqSt004010readqf: cannot open ./dfh87GbqSt004010: No such file or directory
> -1 Sun Sep 7 18:37 <>
> (Deferred: Connection timed out with mail2.artmarket.com.)
> info@artlist.com

When I look a little further, I can see that these messages are copied correctly in /var/spool/mqueue

> h87GbqSt004010* 579 Sun Sep 7 18:37 <>
> (Deferred: Connection timed out with mail2.artmarket.com.)
> info@artlist.com

It seems to me that I always get this error, when the "Connection is timed out".

Versions:
- MailScanner: 4.22.5 (debian-testing)
- sendmail: 8.12.13 (debian-stable)
- kernel: 2.4.21 (compiled)

Can anybody help me? I think that everything keeps working, but I don't like error messages (and perhaps it can help others with the same problem, or am I the only one with this error?).

Philip
From dustin.baer at IHS.COM Mon Sep 8 13:56:09 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:19:51 2006
Subject: Sobig.F resurgence
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A15@pascal.priv.bmrb.co.uk> <1062797682.24760.59.camel@bach.kevinspicer.co.uk>
Message-ID: <3F5C7C69.8B64A1F9@ihs.com>

Kevin Spicer wrote:
>
> The Sobig virus uses its own SMTP engine to send directly to your server
> (unless you're using an ISP's server that you have no control over as a
> secondary queueing MX and it hits that first). Therefore rejecting the
> message with a 550 error would normally cause the _remote_ MTA to
> generate a bounce to the 'sender'. Since in this case that 'remote MTA'
> would be the virus itself it is not going to produce a bounce message,
> instead just silently ignore the error. Therefore (with the exception
> of the case mentioned above) the only time this ruleset should cause
> someone to receive a bounce from their local MTA is when they have sent
> a genuine message which happens to use that subject. In this scenario I
> think it is appropriate to issue a 550 response rather than silently
> dropping the mail.

I stand corrected.

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836
From gerry at dorfam.ca Mon Sep 8 15:00:21 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:19:51 2006
Subject: MailWatch for MailScanner 0.3 Beta Install Problems
Message-ID: <64789.129.80.22.143.1063029621.squirrel@tiger.dorfam.ca>

Last night I downloaded and installed the MailWatch 0.3 beta code. I followed the install instructions and have it running. However, I did run into a few problems...

1. when I use a web browser to access https://server_name/mailscanner I end up with a listing of the directory instead of the authentication screen. I need to click on status.php to get the authentication screen and get the application running.

2. I have two users in the users table. One is gerry and the other is root. I can't log into the authentication screen using gerry. It only works with user root. I have edited $db_host, $db_user, etc in MailWatch.pm for user gerry. Also, I can successfully log directly into mysql's mailscanner database using user gerry and his password both from the mail server or other local hosts.

3. I use ClamAV, F-Prot, and Trend. Is there a way to have all stats for all three? It appears that I can only use one.

Other than the above items all appears to be working great. I get all the stats and graphs just fine. Nice job!

Gerry
From tunceresen at eresen.com Mon Sep 8 15:18:53 2003
From: tunceresen at eresen.com (Tunc Eresen(?`..,,.-> Cobalt M447785363481)
Date: Thu Jan 12 21:19:51 2006
Subject: Sendmail stopped sending email after installs
In-Reply-To: <3F5C3B9A.1000900@solid-state-logic.com>
Message-ID: <200309081419.h88EJBD15927@ns2.findmenet.com>

Hello,

Sendmail server stopped sending emails after spamassassin and mailscanner install and I am getting following messages

"Sep 8 15:17:28 ns1 sendmail[2885]: NOQUEUE: SYSERR(root): can not chdir(=/var/spool/mqueue): No such file or directory"

Any ideas

Best Regards,

O. TUNC ERESEN
NT & Security Consultant.
Mobile: (44)07785 363 481
17 OAK ROAD, BRACKLEY, NORTHANTS, UK, NN13 6ER
tunc@eresen.com
www.eresen.com
eresen@hotmail.com (MSN Messenger service)
eutsl@yahoo.com (Yahoo Messenger service)

The information contained in this email and any attachment is confidential. It is intended only for the named addressee's. If you are not the named addressee please notify the sender immediately and do not disclose, copy or distribute the contents to any other person other than the intended addressee's.. If you have received this transmission in error it would be helpful if you could notify tunc@eresen.com as soon as possible.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From jaearick at COLBY.EDU Mon Sep 8 13:56:02 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:19:51 2006
Subject: MS 4.23-11: buglet in update_virus_scanners
Message-ID:

Julian,

I just upgraded from 4.22-5 to 4.23-11, and update_virus_scanners
gagged the first time cron ran it on my Solaris 9 box. It turns out
the /usr/bin/grep on Sun does not support the "-e" option, while
GNU grep (/usr/local/bin on my box) or /usr/xpg4/bin/grep does.
So I had to tweak my copy to use GNU grep. I don't know how you want to
fix this for all permutations of grep. What a pain.

--- Jeff Earickson
From ellis at KAZAKCOMPOSITES.COM Mon Sep 8 15:40:38 2003
From: ellis at KAZAKCOMPOSITES.COM (Steve Ellis)
Date: Thu Jan 12 21:19:51 2006
Subject: Sobig.F@mm.enc
In-Reply-To: <5.2.1.1.2.20030907194554.031c5e88@imap.ecs.soton.ac.uk>
Message-ID: <000001c37617$2bf50870$6600a8c0@Orthanc>

The attached file is an example (with virus removed) of the virus containing bounces I've been getting. The bounce is due to "no such user", not as a result of infection. As best I can tell, the payload is successfully decoded. MailScanner 4.22-5 with Command anti-virus did not catch this. Is this something MS should catch?

Steve Ellis
Sr Engineer
KaZaK Composites, Inc.
781.932.5667 x105

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Sunday, September 07, 2003 2:52 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sobig.F@mm.enc

I can explain what is happening with all of these cases. A dumb MTA is rejecting the message, and including the entire content text of the rejected message in the rejection notice, rather than just the headers or the first few lines (which is what sensible ones do). As the MIME structure of the rejected message is completely broken by it being included very simply in the rejection notice, your email app can't actually decode the attachment anyway. So it's actually quite safe. But some AV products generate a false alarm on it, Norton in particular.

At 01:17 07/09/2003, you wrote:
>Now I don't know if it's the virus or the AV software that someone is
>using but the message is from a postmaster@xxx.xxx.xx and is a rejection
>message saying that the message you sent was infected. So it's either a
>virus generated message or a real bounce message where the original
>message was sent back with the virus. I don't know if there are AV
>products out there that send the whole original message back if reject
>which sounds kind of dumb.
>
>-----Original Message-----
>From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
>Sent: Saturday, September 06, 2003 7:17 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Sobig.F@mm.enc
>
>
>On Sun, 2003-09-07 at 00:03, Rose, Bobby wrote:
>
> >MailScanner doesn't seem to be catching this. I thought Ms was written
>
> >to check for the mime enclosed in header stuff. Did this get broken
> >along the later versions.
>
>This looks like it might be the same issue as yesterday's thread 'Missed
>Virus?'. Could you give a few more details, like MailScanner version,
>scanner name, format of the message that got through (was it an MTA
>bounce message with a .txt attachment containing the original mail with
>a virus?). Source of the mail would be good if you have it (but please
>snip out the encoded virus data from between the MIME section headers!!)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mking.sav
Type: application/octet-stream
Size: 3697 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030908/d29ae470/mking.obj
From miguelk at KONSULTEX.COM.BR Mon Sep 8 15:40:27 2003
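An added example, not part of any list message and not MailScanner's code: a Python sketch of why a MIME-aware scanner finds no attachment in the kind of bounce Julian describes, and one way a gateway could still locate the pasted base64 run so it can be handed to the virus scanner. The addresses, the file name sample.pif, the payload and all function names are constructed placeholders.

```python
import base64
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed, harmless stand-in for an attachment body (not malware).
PLACEHOLDER = b"constructed harmless placeholder bytes " * 12


def well_formed_message():
    """A normal MIME message with one base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "user@site.example"
    msg["To"] = "nobody@mta.example"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    msg.add_attachment(PLACEHOLDER, maintype="application",
                       subtype="octet-stream", filename="sample.pif")
    return msg.as_string()


def dumb_bounce(original):
    """What the 'dumb MTA' does: paste the whole rejected message, MIME
    boundaries and encoded attachment included, into a text/plain notice."""
    return (
        "From: postmaster@mta.example\n"
        "To: user@site.example\n"
        "Subject: Undeliverable mail\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        "Your message was rejected: no such user.\n"
        "The original message follows.\n"
        "\n" + original
    )


def mime_attachments(raw):
    """File names a MIME-aware scanner or mail client would find."""
    msg = message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


FULL = re.compile(r"^[A-Za-z0-9+/]{60,76}$")       # one full encoded line
TAIL = re.compile(r"^[A-Za-z0-9+/]{1,75}={0,2}$")  # shorter final line
NAME = re.compile(r'name="?([^";\r\n]+)', re.I)    # name= or filename=


def inline_base64_blobs(raw, min_lines=4):
    """Find base64 runs sitting in text parts, i.e. a pasted attachment.

    Returns (name, decoded_bytes) pairs, where name is the nearest
    preceding name=/filename= parameter seen in the text, if any.
    """
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        run, name = [], None
        # The trailing "" flushes a run that reaches the end of the text.
        for line in part.get_content().splitlines() + [""]:
            s = line.strip()
            if FULL.match(s):
                run.append(s)
                continue
            if len(run) >= min_lines:
                # Accept one short closing line if it completes the encoding.
                if TAIL.match(s) and (sum(map(len, run)) + len(s)) % 4 == 0:
                    run.append(s)
                data = "".join(run)
                data = data[:len(data) // 4 * 4]  # keep whole 4-char groups
                found.append((name, base64.b64decode(data)))
                name = None
            run = []
            m = NAME.search(s)
            if m:
                name = m.group(1)
    return found


if __name__ == "__main__":
    ok = well_formed_message()
    bounce = dumb_bounce(ok)
    print("well-formed, MIME view:", mime_attachments(ok))
    print("bounce, MIME view:     ", mime_attachments(bounce))
    for name, data in inline_base64_blobs(bounce):
        print("bounce, raw text view: ", name, len(data), "bytes")
```

The decoded bytes returned by `inline_base64_blobs` are what a gateway would write to its scan directory for the configured virus scanner.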
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:19:51 2006
Subject: Sendmail stopped sending email after installs
References: <200309081419.h88EJBD15927@ns2.findmenet.com>
Message-ID: <3F5C94DB.4070302@konsultex.com.br>

I would check if there is such a directory. I have:

drwx------ 2 root mail 4096 Sep 8 11:32 mqueue

and then if there are files in it. My files inside are like this:

-rw------- 1 root root 983 Aug 23 21:20 Qfh7NKpIDA003253
......

There don't have to be files in it of course... This is on RedHat 9.

Miguel

Tunc Eresen(?`..,,.-> Cobalt M447785363481 wrote:

>Hello,
>
> Sendmail server stopped sending emails after spamassassin and mailscanner
>install and I am getting following messages
> "Sep 8 15:17:28 ns1 sendmail[2885]: NOQUEUE: SYSERR(root): can not
>chdir(=/var/spool/mqueue): No such file or directory"
>Any ideas
>
>Best Regards,
>
>O. TUNC ERESEN
>
>NT & Security Consultant.
>
>Mobile: (44)07785 363 481
>
>17 OAK ROAD, BRACKLEY, NORTHANTS, UK, NN13 6ER
>
>tunc@eresen.com
>
>www.eresen.com
>
>eresen@hotmail.com (MSN Messenger service)
>
>eutsl@yahoo.com (Yahoo Messenger service)

--
This message has been checked by the antivirus system and is believed to be free of danger.
From mailscanner at ecs.soton.ac.uk Mon Sep 8 15:32:30 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:51 2006
Subject: MS 4.23-11: buglet in update_virus_scanners
In-Reply-To:
Message-ID: <5.2.1.1.2.20030908153102.0377a0a8@imap.ecs.soton.ac.uk>

At 13:56 08/09/2003, you wrote:
>Julian,
> I just upgraded from 4.22-5 to 4.23-11, and update_virus_scanners
>gagged the first time cron ran it on my Solaris 9 box. It turns out
>the /usr/bin/grep on Sun does not support the "-e" option, while
>GNU grep (/usr/local/bin on my box) or /usr/xpg4/bin/grep does.
>So I had to tweak my copy to use GNU grep. I don't know how you want to
>fix this for all permutations of grep. What a pain.

It seems to be just a Solaris problem at the moment, I have already added a bit extra to the script so that it puts /usr/xpg4/bin (or is it /usr/bin/xpg4) in the path before /usr/bin so that the correct version of grep is found. You don't need the GNU version, the xpg4 version is just fine.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
From tunceresen at eresen.com Mon Sep 8 15:58:34 2003
From: tunceresen at eresen.com (Tunc Eresen(?`..,,.-> Cobalt M447785363481)
Date: Thu Jan 12 21:19:51 2006
Subject: Sendmail stopped sending email after installs mailscanner errors
In-Reply-To: <3F5C94DB.4070302@konsultex.com.br>
Message-ID: <200309081459.h88EwvD17908@ns2.findmenet.com>

Errors still there

I am seeing following error when I shut down mailscanner. What causes this?

/etc/rc.d/init.d/MailScanner stop
Shutting down MailScanner daemons:
MailScanner: MailScanner ok
incoming sendmail: ok
outgoing sendmail: head: /var/run/sendmail.out.pid: No such file or directory
[root /root]# /etc/rc.d/init.d/MailScanner start
Starting MailScanner daemons:
incoming sendmail: ok
outgoing sendmail: can not chdir(=/var/spool/mqueue): No such file or directory

Tunc

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Miguel Koren O'Brien de Lacy
Sent: Monday, September 08, 2003 3:40 PM
To: MAILSCANNER@JISCMAIL.AC.UK

I would check if there is such a directory. I have:

drwx------ 2 root mail 4096 Sep 8 11:32 mqueue

and then if there are files in it. My files inside are like this:

-rw------- 1 root root 983 Aug 23 21:20 Qfh7NKpIDA003253
......

There don't have to be files in it of course... This is on RedHat 9.

Miguel

Tunc Eresen(?`..,,.-> Cobalt M447785363481 wrote:

>Hello,
>
> Sendmail server stopped sending emails after spamassassin and
>mailscanner install and I am getting following messages "Sep 8
>15:17:28 ns1 sendmail[2885]: NOQUEUE: SYSERR(root): can not
>chdir(=/var/spool/mqueue): No such file or directory"
>Any ideas
>
>Best Regards,
>
>O. TUNC ERESEN
>
>NT & Security Consultant.
>
>Mobile: (44)07785 363 481
>
>17 OAK ROAD, BRACKLEY, NORTHANTS, UK, NN13 6ER
>
>tunc@eresen.com
>
>www.eresen.com
>
>eresen@hotmail.com (MSN Messenger service)
>
>eutsl@yahoo.com (Yahoo Messenger service)

--
This message has been checked by the antivirus system and is believed to be free of danger.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OSMAN TUNC ERESEN (tunc@eresen.com).vcf
Type: text/x-vcard
Size: 697 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030908/75e2823a/OSMANTUNCERESENtunceresen.com.vcf
From mailscanner at ecs.soton.ac.uk Mon Sep 8 16:47:29 2003
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:19:51 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200309081547.h88FlTCI008415@seer.ecs.soton.ac.uk>

New Guestbook-Entry from T3O

THANK YOU.
From splee at PLEXIO.COM Mon Sep 8 16:48:04 2003
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:19:51 2006
Subject: Panda Software command line scanner
Message-ID: <1063036084.17058.45.camel@ralph.plexio.private>

Hi,

I'm currently using Sophos with MS/Exim and it has worked very well so far. I'd like to add a second but cheaper AV engine and found Panda Software's command line Perimeter Scan product for Linux. Their website seems to suggest that the per user (or mailbox I guess) fee for 3 years costs $13.50 USD. Presumably that means $135 for 10 users / 3 years? I sent Panda a message on pricing but only received an automated reply that didn't make sense to me.

Anyone here using Panda with MS and how much did it cost?

Thanks,
Stephen
From michele at BLACKNIGHTSOLUTIONS.COM Mon Sep 8 17:11:46 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions)
Date: Thu Jan 12 21:19:51 2006
Subject: Panda Software command line scanner
In-Reply-To: <1063036084.17058.45.camel@ralph.plexio.private>
Message-ID: <200309081609.h88G9gaM085702@lancelot.blacknightsolutions.com>

Panda are a pain to deal with. I know some people have had success, but they seem to be few and far between. If you do a search in the archives you'll come across a number of references to their *cough* efficient customer service.

Mr. Michele Neylon
Blacknight Solutions
http://www.blacknightsolutions.ie/
Probably the cheapest ie's in Ireland
Tel. +353 (0)59 9139897
Fax. +353 (0)59 9139897
From hmkash at ARL.ARMY.MIL Mon Sep 8 17:25:33 2003
From: hmkash at ARL.ARMY.MIL (Kash, Howard (Civ,ARL/CISD))
Date: Thu Jan 12 21:19:51 2006
Subject: MailScanner+PostFix ---- try this
Message-ID: <229A346E44379140A59A48951B56E0C07A7E3A@ARLABML01.DS.ARL.ARMY.MIL>

Still doesn't work with 1. I added a line to log $ModDate{$file} and the current time. It appears that the mod time on the queue files is around 15 minutes in the future?? This explains why queue files always show up with the year instead of the time in a long listing (ls -l). Should I try "time + 15*60 - 3"? :-)

Howard

Sep 8 11:22:03 hostname MailScanner[18672]: Message info: ModDate = 1063035179 Time = 1063034523
Sep 8 11:22:03 hostname MailScanner[18672]: Message info: ModDate = 1063035179 Time = 1063034523
Sep 8 11:22:03 hostname MailScanner[18672]: Message info: ModDate = 1063035180 Time = 1063034523

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, September 05, 2003 3:46 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner+PostFix ---- try this All it made happen was that it wouldn't process a message until it had sat in the deferred queue for 3 seconds, it should still process them all but with a 3 second latency. Try reducing the 3 to 1 and see if that helps at all. At 21:54 04/09/2003, you wrote: >For me this seemed to cause lots of messages to get stuck in the >incoming deferred queue. There would be 200 or so messages in the >queue, but Mailscanner would only process 1 or 2 messages in each batch. >Once I removed the patch, it immediately processed all of the queued >messages in batches of 30. > > >Howard > > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, September 04, 2003 6:45 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner+PostFix ---- try this > > >Here's a patch to Postfix.pm. I know it's not exactly a neat solution to >the problem, but if it fixes it I will know I have found the problem. > >--- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 >+++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 >@@ -1132,6 +1132,9 @@ > #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; > while(defined($file = shift @SortedFiles) && > $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { >+ # Yes I know this is a hack but it will help isolate the >problem >+ next if $ModDate{$file} > time-3; >+ > # must separate next two lines or $1 gets re-tainted by being >part of > # same expression as $file [mumble mumble grrr mumble mumble] > #print STDERR "Reading file $file from list\n"; > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dustin.baer at IHS.COM Mon Sep 8 18:25:28 2003 
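Review bot: the added `next if $ModDate{$file} > time-3;` skips a queue file for as long as its mtime is ahead of the local clock, not just for three seconds, so a file stamped in the future (the log lines posted in this thread show ModDate 1063035179 against Time 1063034523) is not picked up until the clock catches up with it. If the aim is only to avoid reading files that are still being written, limit the skip to mtimes inside the last three seconds and log any file whose mtime is later than `time`, and give the 3 a named constant. The comment line above the test has also been wrapped by the mailer so that `problem` sits on a line without a `+`, which will stop the hunk applying as posted.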
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:19:51 2006 Subject: Sobig.F@mm.enc References: <5.2.1.1.2.20030907194554.031c5e88@imap.ecs.soton.ac.uk> Message-ID: <3F5CBB88.933287DE@ihs.com> Julian Field wrote: > > I can explain what is happening with all of these cases. A dumb MTA is > rejecting the message, and including the entire content text of the > rejected message in the rejection notice, rather than just the headers or > the first few lines (which is what sensible ones do). As the MIME structure > of the rejected message is completely broken by it being included very > simply in the rejection notice, your email app can't actually decode the > attachment anyway. So it's actually quite safe. But some AV products > generate a false alarm on it, Norton in particular. If anybody is interested, I have captured a qf/df pair that makes it through MailScanner/Sophos email scanning and Lotus Notes/Symantec (Norton) email scanning, yet is triggered by Symantec (Norton) on the desktop. http://www.pcisys.net/~baer/sobig/sobig-broken-mime.zip Dustin From mike at CAMAROSS.NET Mon Sep 8 18:38:10 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:51 2006 Subject: PDF errors again Message-ID: <004601c3762f$f8c22780$680ba8c0@home.middlefinger.net> The following e-mail messages were found to have viruses in them: Sender: sender@domain.ca IP Address: 199.214.175.1 Recipient: user@domain.com Subject: INFORMATION LETTER 2003-23 MessageID: h88HRUi26922 Report: Sophos: Could not check ODD 08479-01 RLA Att Oil Gas Access in West Centra Caribou Range.pdf (unexpected error [0x80040202]) Running mailscanner-4.22-5, RH 7.3, latest Sophos Mike From gerry at dorfam.ca Mon Sep 8 18:42:13 2003 
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:19:51 2006 Subject: Sobig.F@mm.enc In-Reply-To: <3F5CBB88.933287DE@ihs.com> References: <5.2.1.1.2.20030907194554.031c5e88@imap.ecs.soton.ac.uk> <3F5CBB88.933287DE@ihs.com> Message-ID: <60725.129.80.22.143.1063042933.squirrel@tiger.dorfam.ca> > Julian Field wrote: >> >> I can explain what is happening with all of these cases. A dumb MTA is >> rejecting the message, and including the entire content text of the >> rejected message in the rejection notice, rather than just the headers >> or >> the first few lines (which is what sensible ones do). As the MIME >> structure >> of the rejected message is completely broken by it being included very >> simply in the rejection notice, your email app can't actually decode the >> attachment anyway. So it's actually quite safe. But some AV products >> generate a false alarm on it, Norton in particular. > > If anybody is interested, I have captured a qf/df pair that makes it > through MailScanner/Sophos email scanning and Lotus Notes/Symantec > (Norton) email scanning, yet is triggered by Symantec (Norton) on the > desktop. > > http://www.pcisys.net/~baer/sobig/sobig-broken-mime.zip > > Dustin > Do you know if there is a real virus in the email or is it a damaged virus that is harmless per Julian's note? Gerry From dustin.baer at IHS.COM Mon Sep 8 18:50:09 2003 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:19:51 2006 Subject: Sobig.F@mm.enc References: <5.2.1.1.2.20030907194554.031c5e88@imap.ecs.soton.ac.uk> <3F5CBB88.933287DE@ihs.com> <60725.129.80.22.143.1063042933.squirrel@tiger.dorfam.ca> Message-ID: <3F5CC151.78345197@ihs.com> Gerry Doris wrote: > > > Julian Field wrote: > >> > >> I can explain what is happening with all of these cases. A dumb MTA is > >> rejecting the message, and including the entire content text of the > >> rejected message in the rejection notice, rather than just the headers > >> or > >> the first few lines (which is what sensible ones do). As the MIME > >> structure > >> of the rejected message is completely broken by it being included very > >> simply in the rejection notice, your email app can't actually decode the > >> attachment anyway. So it's actually quite safe. But some AV products > >> generate a false alarm on it, Norton in particular. > > > > If anybody is interested, I have captured a qf/df pair that makes it > > through MailScanner/Sophos email scanning and Lotus Notes/Symantec > > (Norton) email scanning, yet is triggered by Symantec (Norton) on the > > desktop. > > > > http://www.pcisys.net/~baer/sobig/sobig-broken-mime.zip > > > > Dustin > > > > Do you know if there is a real virus in the email or is it a damaged virus > that is harmless per Julian's note? > > Gerry Well, it acts exactly like Julian discusses above, i.e. passes through mail scanning software, but is caught by Norton on the desktop. Then again, I suppose a smart person could extract it, decode it and it would be the actual SoBig virus. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From brose at MED.WAYNE.EDU Mon Sep 8 19:06:56 2003 
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:51 2006
Subject: PDF errors again
Message-ID:

Geez, maybe the name of the file is too long. Maybe 8.3 wasn't so bad.

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Monday, September 08, 2003 1:38 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: PDF errors again

The following e-mail messages were found to have viruses in them:

Sender: sender@domain.ca
IP Address: 199.214.175.1
Recipient: user@domain.com
Subject: INFORMATION LETTER 2003-23
MessageID: h88HRUi26922
Report: Sophos: Could not check ODD 08479-01 RLA Att Oil Gas Access in West Centra Caribou Range.pdf (unexpected error [0x80040202])

Running mailscanner-4.22-5, RH 7.3, latest Sophos

Mike
From brose at MED.WAYNE.EDU Mon Sep 8 19:09:23 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:19:51 2006
Subject: Sobig.F@mm.enc
Message-ID:

I haven't actually seen it intact yet from the client side but I don't think a user can get to it. Actually Nav for Exchange replaces with a text file and the text file is placed into the same place as the sobig code so you don't see the deleted.txt attachment either.

-----Original Message-----
From: Dustin Baer [mailto:dustin.baer@IHS.COM] Sent: Monday, September 08, 2003 1:50 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sobig.F@mm.enc Gerry Doris wrote: > > > Julian Field wrote: > >> > >> I can explain what is happening with all of these cases. A dumb MTA > >> is rejecting the message, and including the entire content text of > >> the rejected message in the rejection notice, rather than just the > >> headers or the first few lines (which is what sensible ones do). As > >> the MIME structure > >> of the rejected message is completely broken by it being included very > >> simply in the rejection notice, your email app can't actually decode the > >> attachment anyway. So it's actually quite safe. But some AV products > >> generate a false alarm on it, Norton in particular. > > > > If anybody is interested, I have captured a qf/df pair that makes it > > through MailScanner/Sophos email scanning and Lotus Notes/Symantec > > (Norton) email scanning, yet is triggered by Symantec (Norton) on > > the desktop. > > > > http://www.pcisys.net/~baer/sobig/sobig-broken-mime.zip > > > > Dustin > > > > Do you know if there is a real virus in the email or is it a damaged > virus that is harmless per Julian's note? > > Gerry Well, it acts exactly like Julian discusses above, i.e. passes through mail scanning software, but is caught by Norton on the desktop. Then again, I suppose a smart person could extract it, decode it and it would be the actual SoBig virus. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From mailscanner at ecs.soton.ac.uk Mon Sep 8 13:07:24 2003 
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:19:51 2006 Subject: {VIRUS?} {SPAM?} Returned due to virus; was: Re: Approved Message-ID: <200309081813.TAA03697@crow.ecs.soton.ac.uk> Warning: This message has had one or more attachments removed Warning: (details.pif.htm). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. See the attached file for details -------------- next part -------------- This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "details.pif.htm" is on the list of unacceptable attachments for this site and has been replaced by this warning message. If you wish to receive a copy of the original attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Mon Sep 8 19:13:47 2003 the virus scanner said: Attempt to hide real filename extension (details.pif.htm) Note to Help Desk: Look on crow in /export/2/var/MailScanner/quarantine/20030908 (message TAA03697). -- Postmaster Mailscanner thanks transtec Computers for their support From mike at CAMAROSS.NET Mon Sep 8 19:19:11 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:51 2006 Subject: PDF errors again In-Reply-To: Message-ID: <005301c37635$b3f6dc30$680ba8c0@home.middlefinger.net> Here's another: Subject: PDF's MessageID: h88EjRi18718 Report: Sophos: Could not check C2375_R03_ABStraddleGroupReport1_RevAug26.pdf (unexpected error [0x80040202]) Report: Sophos: Could not check C2375_R03_ABStraddleGroupReport2_RevAug26.zip/AppA-Harmattan Decision 2001-62.pdf (unexpected error [0x80040202]) -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rose, Bobby Sent: Monday, September 08, 2003 1:07 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: PDF errors again Geez, maybe the name of the file is too long. Maybe 8.3 wasn't so bad. -----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Monday, September 08, 2003 1:38 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: PDF errors again The following e-mail messages were found to have viruses in them: Sender: sender@domain.ca IP Address: 199.214.175.1 Recipient: user@domain.com Subject: INFORMATION LETTER 2003-23 MessageID: h88HRUi26922 Report: Sophos: Could not check ODD 08479-01 RLA Att Oil Gas Access in West Centra Caribou Range.pdf (unexpected error [0x80040202]) Running mailscanner-4.22-5, RH 7.3, latest Sophos Mike From virusak at dec1.czu.cz Mon Sep 8 19:22:29 2003 From: virusak at dec1.czu.cz (MailScanner) Date: Thu Jan 12 21:19:51 2006 Subject: Warning: E-mail viruses detected Message-ID: <200309081822.h88IMT729836@dec1.czu.cz> Our virus detector has just been triggered by a message you sent:- To: Subject: Re: Re: My details Date: Mon Sep 8 20:22:28 2003 Any infected parts of the message have not been delivered. This message is simply to warn you that your computer system may have a virus present and should be checked. The virus detector said this about the message: Report: h88IM9c29788/movie0045.pif Infection: W32/Sobig.F@mm Shortcuts to MS-Dos programs are very dangerous in email in movie0045.pif -- MailScanner Email Virus Scanner www.mailscanner.info From mailscanner at jiscmail.ac.uk Mon Sep 8 19:25:42 2003 From: mailscanner at jiscmail.ac.uk (mailscanner@jiscmail.ac.uk) Date: Thu Jan 12 21:19:51 2006 Subject: Details Message-ID: <200309081825.TAA06295@crow.ecs.soton.ac.uk> Please see the attached file for details. From joshua.hirsh at PARTNERSOLUTIONS.CA Mon Sep 8 19:35:16 2003 
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:19:51 2006
Subject: PDF errors again
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5AE5@eqmail1.efni.vpn>

Does Sophos crash when you run sweep manually on the PDF as well? If so, you should probably contact Sophos directly about the problem.

I haven't personally run into any problems with PDF's using the newest Sophos (version 3.73). If the PDF isn't confidential, you could try to send me a copy of it and see what happens (or post it somewhere).

Cheers,
-Joshua

From mark at TIPPINGMAR.COM Mon Sep 8 19:55:46 2003
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:19:51 2006
Subject: PDF errors again
In-Reply-To: <004601c3762f$f8c22780$680ba8c0@home.middlefinger.net>
Message-ID: <3F5C6E42.1292.E9FD9CC@localhost>

Sophos has problems with certain PDFs and generates the error message you are seeing. They know about the problem. This was definitely true in 3.72. I'm not sure if they have fixed it in 3.73 or not. If you want to allow these attachments through, in spite of their not being scanned, you can add

Allowed Sophos Error Messages = "corrupt", "0x80040202"

but only if you are using the latest version of MailScanner. See the thread "Unexpected Error?" from approx Aug 8.

Mark

On 8 Sep 2003 at 12:38, Mike Kercher wrote:

> The following e-mail messages were found to have viruses in them:
>
> Sender: sender@domain.ca
> IP Address: 199.214.175.1
> Recipient: user@domain.com
> Subject: INFORMATION LETTER 2003-23
> MessageID: h88HRUi26922
> Report: Sophos: Could not check ODD 08479-01 RLA Att Oil Gas Access in
> West Centra Caribou Range.pdf (unexpected error [0x80040202])
>
> Running mailscanner-4.22-5, RH 7.3, latest Sophos
>
> Mike

From jwilliam at KCR.UKY.EDU Mon Sep 8 20:44:24 2003
From: jwilliam at KCR.UKY.EDU (John Williams)
Date: Thu Jan 12 21:19:51 2006
Subject: PDF errors again
In-Reply-To: <3F5C6E42.1292.E9FD9CC@localhost>
References: <004601c3762f$f8c22780$680ba8c0@home.middlefinger.net>
Message-ID: <5.1.1.5.2.20030908154153.00bcfa10@mail.kcr.uky.edu>

At 11:55 AM 9/8/2003 -0700, you wrote:
>Sophos has problems with certain PDFs and generates the error message you are
>seeing. They know about the problem. This was definitely true in
>3.72. I'm not sure
>if they have fixed it in 3.73 or not. If you want to allow these
>attachments through, in
>spite of their not being scanned, you can add
>
>Allowed Sophos Error Messages = "corrupt", "0x80040202"

FYI

I'm running MailScanner 4.23-11 and Sophos 3.73 on Solaris. I get that problem.

Subject: Fwd: AACE Fall Meeting Announcement
report: Sophos: Could not check ./h88IZ0C03306/AACE.pdf (unexpected error [0x80040202])

John

--Statement of Confidentiality--
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Thank you.

From pages at ntin.net Mon Sep 8 21:00:13 2003
From: pages at ntin.net (NTIN Page Guy)
Date: Thu Jan 12 21:19:51 2006
Subject: Double file extension?
Message-ID: <62284142250.20030908150013@ntin.net>

Hello,

This is the default double file extension finder in MailScanner

# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding

Why does it catch this file?

filename: TIGER.schedule.gbc1.xls

Sure the file has many periods in that shouldn't be there, but users are notorious for naming files stupidly. But the file only has one three letter extension.

Shouldn't this rule be looking for files that contain more than one 3 letter extension?

Best regards,
Robert B, NTIN
mailto:pages@ntin.net

From joshua.hirsh at PARTNERSOLUTIONS.CA Mon Sep 8 21:04:06 2003
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:19:51 2006
Subject: Double file extension?
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5AE8@eqmail1.efni.vpn>

Actually, the first part of the rule is the problem: "\.[a-z][a-z0-9]{2,3}" is read as any extension that starts with 'a to z' followed by 2 or 3 characters of 'a to z' or '0 to 9', which means gbc1 was matched against this.

I personally disabled this rule as most "bad" extensions get blocked anyways.

Cheers,
-Joshua

From mkettler at EVI-INC.COM Mon Sep 8 21:09:59 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:19:51 2006
Subject: Double file extension?
In-Reply-To: <62284142250.20030908150013@ntin.net>
Message-ID: <5.2.1.1.0.20030908160649.026d4378@xanadu.evi-inc.com>

At 03:00 PM 9/8/2003 -0500, NTIN Page Guy wrote:
>This is the default double file extension finder in MailScanner
>
># Deny all other double file extensions. This catches any hidden filenames.
>deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding
>
>Why does it catch this file?
>
>filename: TIGER.schedule.gbc1.xls
>
>Sure the file has many periods in that shouldn't be there, but users
>are notorious for naming files stupidly. But the file only has one
>three letter extension.
>
>Shouldn't this rule be looking for files that contain more than one 3
>letter extension?

No, it's not two 3-letter extensions... Read the regex closer.

It's looking for a dot, followed by 1 letter, followed by 2-3 alphanumerics, followed by a dot, followed by 3 alphanumerics.

Thus the first extension can be 3-4 characters, but must start with a letter and the second extension has to be 3 characters.

This way it can catch .html.exe .mpeg.pif, etc, and winds up catching gbc1.xls.

From steve.freegard at LBSLTD.CO.UK Mon Sep 8 21:12:10 2003
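The double-extension rule discussed in this thread, run against sample filenames to show exactly where it fires and where it does not. This is an added example, not part of the original posts and not MailScanner's own code; case-insensitive matching and every filename not quoted in the archive are assumptions of the example.

```python
import re

# Rule text exactly as quoted in the thread.
DOUBLE_EXT_RULE = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"

# Assumption of this example: the rule is applied case-insensitively.
_RULE = re.compile(DOUBLE_EXT_RULE, re.IGNORECASE)

# The same pattern with two capture groups added, only so that the two
# "extensions" the rule saw can be reported back to the administrator.
_PARTS = re.compile(r"\.([a-z][a-z0-9]{2,3})\s*\.([a-z0-9]{3})$", re.IGNORECASE)


def match_double_extension(filename):
    """Return (first_ext, last_ext) if the rule would fire, else None."""
    m = _PARTS.search(filename)
    # The grouped copy must always agree with the rule as quoted.
    assert bool(m) == bool(_RULE.search(filename))
    return (m.group(1), m.group(2)) if m else None


# Filenames marked "archive" appear in the list messages; the rest are
# constructed here to probe the edges of the pattern.
SAMPLES = [
    ("TIGER.schedule.gbc1.xls", "archive: the reported false positive"),
    ("details.pif.htm", "archive: attachment replaced by MailScanner"),
    ("movie0045.pif", "archive: single extension, other rules handle it"),
    ("page.html.exe", "constructed: 4-char first extension"),
    ("holiday.mpeg.pif", "constructed: 4-char first extension"),
    ("invoice.doc   .exe", "constructed: whitespace padding, hence \\s*"),
    ("report.final.xls", "constructed: 5-char middle part is too long"),
    ("notes.v2.doc", "constructed: 2-char middle part is too short"),
    ("Q3.2003.xls", "constructed: middle part starts with a digit"),
    ("archive.tar.gz", "constructed: last extension is not 3 chars"),
]


def classify(samples=SAMPLES):
    """Map each sample filename to the rule's verdict."""
    return {name: match_double_extension(name) for name, _ in samples}


if __name__ == "__main__":
    verdicts = classify()
    for name, note in SAMPLES:
        hit = verdicts[name]
        status = "DENY  %s + %s" % hit if hit else "pass"
        print("%-26s %-18s %s" % (name, status, note))
```

Only the last two dot-separated parts matter: any 3 or 4 character part that starts with a letter, followed by a 3 character extension, trips the rule, whether or not either part is a known file type.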
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:19:51 2006
Subject: MailWatch for MailScanner 0.3 Beta Install Problems
Message-ID: <67D9E7698329D411936E00508B6590B902773AED@neelix.lbsltd.co.uk>

Hi Gerry,

Answers to your points:

1) This is an error on my part when I did the export from CVS and created the package - status.php should be a link to index.php. You can create this by doing:

ln -s status.php index.php

from the mailscanner directory.

2) The passwords for MySQL and the MailWatch authentication are completely separate. From MySQL I suggest you try:

UPDATE users SET password=md5('<>') WHERE username='gerry';

and try again.

3) You can only select one virus scanner and you should pick the scanner you have the most confidence in. There isn't any benefit of trying to use more than one scanner - it's only used for reporting, and using more than one may cause this to become inaccurate due to some virus vendors giving the same virus different names...

>>> Nice job!

Thanks!

Kind regards,
Steve.

-----Original Message-----
From: Gerry Doris To: MAILSCANNER@JISCMAIL.AC.UK Cc: steve.freegard@LBSLTD.CO.UK Sent: 08/09/03 15:00 Subject: MailWatch for MailScanner 0.3 Beta Install Problems Last night I downloaded and installed the MailWatch 0.3 beta code. I followed the install instructions and have it running. However, I did run into a few problems... 1. when I use a web browser to access https://server_name/mailscanner I end up with a listing of the directory instead of the authentication screen. I need to click on status.php to get the authentication screen and get the application running. 2. I have two users in the users table. One is gerry and the other is root. I can't log into the authentication screen using gerry. It only works with user root. I have edited $db_host, $db_user, etc in MailWatch.pm for user gerry. Also, I can successfully log directly into mysql's mailscanner database using user gerry and his password both from the mail server or other local hosts. 3. I use ClamAV, F-Prot, and Trend. Is there a way to have all stats for all three? It appears that I can only use one. Other than the above items all appears to be working great. I get all the stats and graphs just fine. Nice job! Gerry -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From greyhair at GREYHAIR.NET Mon Sep 8 21:40:01 2003 
From: greyhair at GREYHAIR.NET (greyhair) Date: Thu Jan 12 21:19:51 2006 Subject: PDF errors again In-Reply-To: <3F5C6E42.1292.E9FD9CC@localhost> References: <3F5C6E42.1292.E9FD9CC@localhost> Message-ID: <3F5CE921.2070805@greyhair.net> Get a copy of the PDF's and see if it is a particular version of or security added to the pdf. I know that security can be added to the pdf where acrobat v4 or less is unable to read the pdf but v5 and higher can. (40bit vs. 128 bit encryption) It could be that security (ie. users can read but not edit without password, or read only with password) was added to the pdf and sophos is unable to break the code?? Like Joshua Hirsh said, post or send a pdf that fails to see if we can help figure out the issue. As an aside, Does anyone know where one could get a "infected" pdf for test purposes? greyhair Mark Nienberg wrote: >Sophos has problems with certain PDFs and generates the error message you are >seeing. They know about the problem. This was definitely true in 3.72. I'm not sure >if they have fixed it in 3.73 or not. If you want to allow these attachments through, in >spite of their not being scanned, you can add > >Allowed Sophos Error Messages = "corrupt", "0x80040202" > >but only if you are using the latest version of MailScanner. See the thread >"Unexpected Error?" from approx Aug 8. > >Mark > > >On 8 Sep 2003 at 12:38, Mike Kercher wrote: > > > >>The following e-mail messages were found to have viruses in them: >> >> Sender: sender@domain.ca >>IP Address: 199.214.175.1 >> Recipient: user@domain.com >> Subject: INFORMATION LETTER 2003-23 >> MessageID: h88HRUi26922 >> Report: Sophos: Could not check ODD 08479-01 RLA Att Oil Gas Access in >>West Centra Caribou Range.pdf (unexpected error [0x80040202]) >> >>Running mailscanner-4.22-5, RH 7.3, latest Sophos >> >>Mike >> >> > > > > From gerry at DORFAM.CA Mon Sep 8 22:38:48 2003 
From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:19:51 2006 Subject: MailWatch for MailScanner 0.3 Beta Install Problems In-Reply-To: <67D9E7698329D411936E00508B6590B902773AED@neelix.lbsltd.co.uk> Message-ID: On Mon, 8 Sep 2003, Steve Freegard wrote: > Hi Gerry, > > Answers to your points: > > 1) This is an error on my part when I did the export from CVS and created > the package - status.php should be a link to index.php. > You can create this by doing: ln -s status.php index.php from the > mailscanner directory. Yep! That fixed it. > > 2) The passwords for MySQL and the MailWatch authentication are completely > seperate. From MySQL I suggest you try: > > UPDATE users SET password=md5('<>') WHERE username='gerry'; > > and try again. I had set up Apache to only use SSL. I'm far from an Apache expert but whatever I did ended up requiring the users table passwords to match the passwords I had set in Apache. I'm asked for the Apache password and it goes straight through the MailWatch password screen now that I've set them the same. Thanks for your help! -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From steve.douglas at SBIINCORPORATED.COM Mon Sep 8 22:56:12 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:51 2006 Subject: SpamAssassin / sa-learn Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FCE4@mail.gardenbotanika.com> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: Steve Douglas.vcf Type: application/octet-stream Size: 380 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030908/ee791029/SteveDouglas.obj From steve.douglas at SBIINCORPORATED.COM Mon Sep 8 22:58:12 2003 
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:52 2006 Subject: MailWatch vs. MRTG Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FCE5@mail.gardenbotanika.com> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: Steve Douglas.vcf Type: application/octet-stream Size: 380 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030908/9b4d632c/SteveDouglas.obj From mkettler at EVI-INC.COM Mon Sep 8 23:02:38 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:19:52 2006 Subject: SpamAssassin / sa-learn In-Reply-To: <3963522F0E71474CB14C0FF54A6914F70142FCE4@mail.gardenbotani ka.com> Message-ID: <5.2.1.1.0.20030908180013.01763990@xanadu.evi-inc.com> At 04:56 PM 9/8/2003 -0500, Steve Douglas wrote: >My next step is to try and figure the sa-learn thing out. That is another >story for the moment, but when I attempt to test the sa-learn out it is >still defaulting to the /root/.spamassassin path. Does anyone have a >suggestion? Modify the root user's /root/.spamassassin/user_prefs to have a bayes_path statement that points it to /var/.../bayes_. You can also do it in /etc/mail/local.cf, but this will prevent any bayes database for any user (root or otherwise) from being any other place. And sometimes it's handy to have a local non-root account test some things. man Mail::SpamAssassin::Conf should cover this pretty well. From phil at NXTEK.NET Tue Sep 9 00:15:18 2003 From: phil at NXTEK.NET (Phil Iovino) Date: Thu Jan 12 21:19:52 2006 Subject: MailWatch vs. MRTG In-Reply-To: <3963522F0E71474CB14C0FF54A6914F70142FCE5@mail.gardenbotanika.com> Message-ID: <022101c3765f$1b1d94c0$6e98abd0@phil> I can't speak for MailWatch but MRTG is very cool. I would use that along with something like spamstats or virusstats scripts. You can monitor TONS of other stuff as well. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Douglas Sent: Monday, September 08, 2003 4:58 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailWatch vs. MRTG Can someone weigh-in on both or one of these packages? I already keep busy maintaining my MS server as it is. I am not by far a Linux guru and don't really want to blow up my server, but either one or both of these packages are very tempting. Thanks for any opinions or feedback! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030908/f35ef087/attachment.html From virusak at dec1.czu.cz Tue Sep 9 00:41:51 2003 From: virusak at dec1.czu.cz (MailScanner) Date: Thu Jan 12 21:19:52 2006 Subject: Warning: E-mail viruses detected Message-ID: <200309082341.h88Nfp924631@dec1.czu.cz> Our virus detector has just been triggered by a message you sent:- To: Subject: Re: That movie Date: Tue Sep 9 01:41:51 2003 Any infected parts of the message have not been delivered. This message is simply to warn you that your computer system may have a virus present and should be checked. The virus detector said this about the message: Report: h88Nfkc24605/document_all.pif Infection: W32/Sobig.F@mm Shortcuts to MS-Dos programs are very dangerous in email in document_all.pif -- MailScanner Email Virus Scanner www.mailscanner.info From gerry at DORFAM.CA Tue Sep 9 00:44:27 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:19:52 2006 Subject: HTML Mail Message-ID: More and more posts to this list are in HTML. I don't know about the rest of you but it causes me grief. I'm beginning to think I'm the only one not using Outlook. Can't we go back to the text messages we used to have? -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From raymond at PROLOCATION.NET Tue Sep 9 00:51:18 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:52 2006 Subject: HTML Mail In-Reply-To: Message-ID: Hi! > More and more posts to this list are in HTML. I don't know about the rest > of you but it causes me grief. I'm beginning to think I'm the only one > not using Outlook. > > Can't we go back to the text messages we used to have? Use MS to convert HTML -> TXT =) But indeed, i dont read the HTML crap either ... pine ... So you're not the only one. Bye, Raymond. From gerry at dorfam.ca Tue Sep 9 00:59:38 2003 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:19:52 2006 Subject: HTML Mail In-Reply-To: References: Message-ID: <4167.10.0.10.1.1063065578.squirrel@tiger.dorfam.ca> > Hi! > >> More and more posts to this list are in HTML. I don't know about the >> rest >> of you but it causes me grief. I'm beginning to think I'm the only one >> not using Outlook. >> >> Can't we go back to the text messages we used to have? > > Use MS to convert HTML -> TXT =) > > But indeed, i dont read the HTML crap either ... pine ... > So you're not the only one. > > Bye, > Raymond. > Hey, Raymond, shouldn't you be in bed? It must be 1:00am Tuesday where you are? Gerry From brose at MED.WAYNE.EDU Tue Sep 9 01:00:51 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:19:52 2006 Subject: HTML Mail Message-ID: I use Outlook but I don't use any of that HTML crap either. Since we're all on this list, Mailscanner has the option to convert though I haven't used that on our system. -----Original Message----- 
From: Gerry Doris [mailto:gerry@DORFAM.CA] Sent: Monday, September 08, 2003 7:44 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: HTML Mail More and more posts to this list are in HTML. I don't know about the rest of you but it causes me grief. I'm beginning to think I'm the only one not using Outlook. Can't we go back to the text messages we used to have? -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From raymond at PROLOCATION.NET Tue Sep 9 01:06:23 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:52 2006 Subject: HTML Mail In-Reply-To: <4167.10.0.10.1.1063065578.squirrel@tiger.dorfam.ca> Message-ID: Hi! > > Use MS to convert HTML -> TXT =) > > > > But indeed, i dont read the HTML crap either ... pine ... > > So you're not the only one. > Hey, Raymond, shouldn't you be in bed? It must be 1:00am Tuesday where > you are? Make that 02:00. Ohw well... :=) Some people dont need much sleep... Bye, Raymond. From newsletters at PCSITES.COM Tue Sep 9 01:51:48 2003 From: newsletters at PCSITES.COM (Richard Ahlquist) Date: Thu Jan 12 21:19:52 2006 Subject: MailWatch vs. MRTG In-Reply-To: <3963522F0E71474CB14C0FF54A6914F70142FCE5@mail.gardenbotanika.com> Message-ID: <001c01c3766c$8cee5140$5f01a8c0@MINE> I user MailWatch(v0.2) and MailStats(v2.0), both serve a good purpose. MailStats is great for quick at a glance info. MailWatch it great for long term statistics IMHO. If you'd like I will be happy to give you the addresses (off list, my poor little DSL linked server couldn't handle the brunt of the whole list peeking) of both on my site and let you take a look. Richard Ahlquist -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Douglas Sent: Monday, September 08, 2003 5:58 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailWatch vs. MRTG Can someone weigh-in on both or one of these packages? I already keep busy maintaining my MS server as it is. I am not by far a Linux guru and don't really want to blow up my server, but either one or both of these packages are very tempting. Thanks for any opinions or feedback! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030908/060fe725/attachment.html From newsletters at PCSITES.COM Tue Sep 9 02:15:51 2003 From: newsletters at PCSITES.COM (Richard Ahlquist) Date: Thu Jan 12 21:19:52 2006 Subject: Panda Software command line scanner In-Reply-To: <1063036084.17058.45.camel@ralph.plexio.private> Message-ID: <002401c3766f$ebe7f2c0$5f01a8c0@MINE> I recently tried to purchase a perpetual single license of their Linux command line scanner. The web site provided no way to order less than 6 perpetual licenses so I emailed them. Basically they refused to provide me with any way to order it online and wanted me to call. All I want to do is place the order and get on with it. Due to their reluctance to provide this customer service (several emails were exchanged) I decided they weren't a company I wanted to get involved with at the time. So I added Clam to my F-Prot and I have been happy as a clam ever since. If someone figures out a way to order a single license reliably please let us know. Richard -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Stephen Lee Sent: Monday, September 08, 2003 11:48 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Panda Software command line scanner Hi, I'm currently using Sophos with MS/Exim and it has worked very well so far. I'd like to add a second but cheaper AV engine and found Panda Software's command line Permimeter Scan product for Linux. Their website seems to suggest that the per user (or mailbox I guess) fee for 3 years costs $13.50 USD. Presumably that means $135 for 10 users / 3 years? I sent Panda a message on pricing but only received an automated reply that didn't make sense to me. Anyone here using Panda with MS and how much did it cost? Thanks, Stephen From danieltan at shopnsave.com.sg Tue Sep 9 02:50:26 2003 From: danieltan at shopnsave.com.sg (Daniel Tan) Date: Thu Jan 12 21:19:52 2006 Subject: spam mails without text Message-ID: <008101c37674$be80c5a0$3900a8c0@Daniel> hi all, i have seen that spammers have become smarter and mailing spams in html without any text. even the text in the mail is in picture format thus our scanner is not able to scan through the mail based on the text of the body. Any ways to identify them as spam? Regards, Daniel Tan 67469188 Ext.665 DID: 68430665 MIS Department Shop N Save Pte Ltd : danieltan@shopnsave.com.sg [This e-mail is confidential and may also be privileged. If you are not the intended recipient, please delete it and notify us immediately; you should not copy or use it for any purpose, nor disclose its contents to any other person. Thank you.] -- This message has been scanned for viruses and dangerous content by Email Virus Scanner, and is believed to be clean. From david at PLATFORMHOSTING.COM Tue Sep 9 03:18:38 2003 
From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:19:52 2006 Subject: Your pick of the virus scanners... In-Reply-To: <008101c37674$be80c5a0$3900a8c0@Daniel> References: <008101c37674$be80c5a0$3900a8c0@Daniel> Message-ID: <3F5D387E.4020403@platformhosting.com> Feel free to scream at me if this has been beaten to death previously, but I'm looking for some kind of feedback as to what virus scanner everyone is using. We're currently using ClamAV and Mcafee, but are looking for a third scanner to add to the mix, it is incredibly rare that anything gets through, but as a due diligence thing I would like to add the third. I have seen heaps of people talking about F-prot and Sophos, but if you had to choose 3, which 3 would you choose? I'm looking for an economical solution that is not licensed per mail box. -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com ======================================================================== This message has been scanned for viruses and unsafe content by Platform Mail Security To report SPAM forward the message to: spam@mailsecurity.net.au To report incorrectly tagged messages: notspam@mailsecurity.net.au Platform Mail Security www.mailsecurity.net.au Platform Hosting www.platformhosting.com ======================================================================== From mike at ZANKER.ORG Tue Sep 9 07:11:53 2003 
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:19:52 2006 Subject: HTML Mail In-Reply-To: References: Message-ID: <248418046.1063091513@jemima.zanker.org> On 08 September 2003 19:44 -0400 Gerry Doris wrote: > More and more posts to this list are in HTML. I don't know about the > rest of you but it causes me grief. I'm beginning to think I'm the > only one not using Outlook. > > Can't we go back to the text messages we used to have? ...and while we're at it, can people start NEW threads when the topic changes rather than replying to an existing message in another thread, please? It makes messages far easier to read with a threaded mail reader. Thanks, Mike. From waldner at WALDNER.PRIV.AT Tue Sep 9 07:02:29 2003 
From: waldner at WALDNER.PRIV.AT (Robert Waldner)
Date: Thu Jan 12 21:19:52 2006
Subject: SpamAssassin / sa-learn
In-Reply-To: Your message of "Mon, 08 Sep 2003 16:56:12 CDT." <3963522F0E71474CB14C0FF54A6914F70142FCE4@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F70142FCE4@mail.gardenbotanika.com>
Message-ID: <20030909060251.BDDA347066@fsck.waldner.priv.at>

On Mon, 08 Sep 2003 16:56:12 CDT, Steve Douglas writes:
>My next step is to try and figure the sa-learn thing out. That is another
>story for the moment, but when I attempt to test the sa-learn out it is
>still defaulting to the /root/.spamassassin path. Does anyone have a
>suggestion?

Run sa-learn with "-p /path/to/MailScanner/etc/spam.assassin.prefs.conf", so that it uses the same bayes-path as MailScanner.

cheers,
&rw
--
-- Admin: the people who make the Internet work, but whom you must not
-- ask about a stuck Word, because otherwise the Internet on my
-- computer stops working again, since they then get hopping mad.
-- Bernd Juergens

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030909/427cf30f/attachment.bin

From john at TRADOC.FR Tue Sep 9 07:21:37 2003
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:19:52 2006
Subject: SpamAssassin / sa-learn
In-Reply-To: <20030909060251.BDDA347066@fsck.waldner.priv.at>
References: <3963522F0E71474CB14C0FF54A6914F70142FCE4@mail.gardenbotanika.com> <20030909060251.BDDA347066@fsck.waldner.priv.at>
Message-ID:

On Tue, 9 Sep 2003 08:02:29 +0200, Robert Waldner wrote:

> Run sa-learn with "-p /path/to/MailScanner/etc/spam.assassin.prefs.conf",
> so that it uses the same bayes-path as MailScanner.

Or even easier, as I learned on this list, make /etc/mail/spamassassin/local.cf a symlink to spam.assassin.prefs.conf

John.

--
-- Over 2000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From anders.andersson at LTKALMAR.SE Tue Sep 9 08:26:26 2003
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:52 2006
Subject: SV: Your pick of the virus scanners...
Message-ID:

> -----Original message-----
> From: David Hooton [mailto:david@PLATFORMHOSTING.COM]
>
> Feel free to scream at me if this has been beaten to death
> previously, but I'm looking for some kind of feedback as to
> what virus scanner everyone is using.
>
> We're currently using ClamAV and Mcafee, but are looking for
> a third scanner to add to the mix, it is incredibly rare that
> anything gets through, but as a due diligence thing I would
> like to add the third.
>
> I have seen heaps of people talking about F-prot and Sophos,
> but if you had to choose 3, which 3 would you choose?
>
> I'm looking for an economical solution that is not licensed
> per mail box.

I only know of one more AV product that's not based on users if you really care about their license say ;)

eTrust from CA is about 100$ and not too bad... though I haven't figured out how updates work etc. (ie it updates but I want to what and how) but that's probably my own fault for being stupid.

We also run mcafee and f-secure so as you say I guess we are pretty safe....

> --
> Regards,
>
> David Hooton
> Senior Partner
> Platform Hosting
> 1300 85 HOST
> www.platformhosting.com
>
>
> ==============================================================
> ==========
> This message has been scanned for viruses and unsafe content by
> Platform Mail Security
>
> To report SPAM forward the message to: spam@mailsecurity.net.au
> To report incorrectly tagged messages: notspam@mailsecurity.net.au
>
> Platform Mail Security www.mailsecurity.net.au
> Platform Hosting www.platformhosting.com
>
> ==============================================================
> ==========
>

From m.sapsed at BANGOR.AC.UK Tue Sep 9 09:25:40 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:19:52 2006
Subject: PDF errors again
References: <3F5C6E42.1292.E9FD9CC@localhost>
Message-ID: <3F5D8E84.4030908@bangor.ac.uk>

Mark Nienberg wrote:
> Sophos has problems with certain PDFs and generates the error message you are
> seeing. They know about the problem. This was definitely true in 3.72. I'm not sure
> if they have fixed it in 3.73 or not. If you want to allow these attachments through, in
> spite of their not being scanned, you can add
>
> Allowed Sophos Error Messages = "corrupt", "0x80040202"
>
> but only if you are using the latest version of MailScanner. See the thread
> "Unexpected Error?" from approx Aug 8.

From what I gathered from Sophos support, the PDF's they have a problem with are ones generated by some non-Adobe PDF creators. The problem was supposed to have been fixed in 3.72 (but wasn't) and appears to be still present in 3.73 :-(

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From postmaster at raq2146.uk2net.com Tue Sep 9 10:22:56 2003
From: postmaster at raq2146.uk2net.com (MailScanner) Date: Thu Jan 12 21:19:52 2006 Subject: Warning: E-mail viruses detected Message-ID: <200309090922.h899Mux21769@raq2146.uk2net.com> Our virus detector has just been triggered by a message you sent:- To: orders@bikersweb.co.uk Subject: Your details Date: Tue Sep 9 10:22:56 2003 Any infected parts of the message (thank_you.pif) have not been delivered. This message is simply to warn you that your computer system may have a virus present and should be checked. The virus detector said this about the message: Report: /home/MailScanner/incoming/14169thank_you.pif Infection: W32/Sobig.F@mm Shortcuts to MS-Dos programs are very dangerous in email (thank_you.pif) -- MailScanner Email Virus Scanner www.mailscanner.info Mailscanner thanks transtec Computers for their support From michele at BLACKNIGHTSOLUTIONS.COM Tue Sep 9 11:16:14 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions) Date: Thu Jan 12 21:19:52 2006 Subject: PDF problems Message-ID: <200309091016.h89AG6v19469@camelot.blacknightsolutions.com> Has anybody using MailScanner with f-prot had any problems with PDFs? We have had some rather odd problems with PDFs when sent alone, but these disappear if we zip them before sending (or our suppliers etc. do the same) Is this an f-prot problem or a MailScanner one? Mr. Michele Neylon Blacknight Solutions http://www.blacknightsolutions.ie/ Probably the cheapest ie's in Ireland Tel. +353 (0)59 9139897 Fax. +353 (0)59 9139897 ######################################################### This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited. From phil at NXTEK.NET Tue Sep 9 14:12:36 2003 
From: phil at NXTEK.NET (Phil Iovino) Date: Thu Jan 12 21:19:52 2006 Subject: Your pick of the virus scanners... In-Reply-To: <3F5D387E.4020403@platformhosting.com> Message-ID: <008301c376d4$0e1e7fd0$8f99abd0@phil> I'd like to know as well. We use the RAV engine which seems very cool. I believe the license is $60/yr, but may change since Microsoft acquired them (I'm not sure what exactly they acquired -- parts of the technology or the whole company). I've been considering ClamAV, Mcafee, F-prot, and Sophos. Running 2-3 total including RAV as well may be ideal. > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton > Sent: Monday, September 08, 2003 9:19 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Your pick of the virus scanners... > > > Feel free to scream at me if this has been beaten to death > previously, but I'm looking for some kind of feedback as to > what virus scanner everyone is using. > > We're currently using ClamAV and Mcafee, but are looking for > a third scanner to add to the mix, it is incredibly rare that > anything gets through, but as a due diligence thing I would > like to add the third. > > I have seen heaps of people talking about F-prot and Sophos, > but if you had to choose 3, which 3 would you choose? > > I'm looking for an economical solution that is not licensed > per mail box. > -- > Regards, > > David Hooton > Senior Partner > Platform Hosting > 1300 85 HOST > www.platformhosting.com > > > ============================================================== > ========== > This message has been scanned for viruses and unsafe content by > Platform Mail Security > > To report SPAM forward the message to: spam@mailsecurity.net.au > To report incorrectly tagged messages: notspam@mailsecurity.net.au > > Platform Mail Security www.mailsecurity.net.au > Platform Hosting www.platformhosting.com > > ============================================================== > ========== > From steve.douglas at SBIINCORPORATED.COM Tue Sep 9 15:36:12 2003 
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:19:52 2006
Subject: Updating virus definitions
Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FCEB@mail.gardenbotanika.com>

I have RedHat v9, 1 GB RAM, the newest version of MS (4.23-11), 80 GB disk space, and f-prot version (4.2.1). I have turned the pipe off to the /bin so that I would watch real-time the results.

At the moment whenever I manually perform the MS cron.hourly script "update_virus_scanners" I am receiving the following line as a result:

invalid command-line option "/usr/local/f-prot"

I am following what the output states, but can not identify where the command line is generated from. I have checked the virus.scanners.conf. The file contains syntax as follows:

f-prot /usr/lib/MailScanner/f-prot-wrapper /usr/local/f-prot

To my uneducated eye (newbieism) it appeared to be fine. I then went to the /usr/lib/MailScanner path and verified the f-prot-autoupdate.rpmnew file was changed to the f-prot-autoupdate file and that the original was renamed with an .old extension. I can go to the f-prot tools directory and run their perl script that is supplied with the program manually and it runs fine.

Thanks for any consideration.

----------
The update_Virus_scanners syntax is as follows:

#!/bin/bash

SCANNERSCONF=/etc/MailScanner/virus.scanners.conf
#LOCKFILE=/var/lock/MailScanner.autoupdate.lock
LOCKFILE=/tmp/MailScanner.autoupdate.lock

# the lockfile is not meant to be perfect, it's just in case the
# two cron scripts get run close to each other to keep them from
# stepping on each other's toes.
[ -f $LOCKFILE ] && exit 0
trap "rm -f $LOCKFILE" EXIT
touch $LOCKFILE

# Set umask so user mail can read (and share-lock) the Busy.lock files
umask 022

cat ${SCANNERSCONF} | sed -e 's/#.*$//' | grep -e -wrapper | \
while read NAME WRAPPER PACKAGEDIR
do
  #echo String is $NAME $WRAPPER $PACKAGEDIR
  UPDATER=`echo $WRAPPER | sed -e 's/-wrapper/-autoupdate/'`
  if [ -n "${NAME}" -a -n "${WRAPPER}" -a -n "${PACKAGEDIR}" ]
  then
    if ${WRAPPER} "${PACKAGEDIR}" -IsItInstalled
    then
      #echo Found $NAME installed
      logger -p mail.info -t update.virus.scanners Found $NAME installed
      if [ -x ${UPDATER} ]
      then
        #echo Updating $NAME
        logger -p mail.info -t update.virus.scanners Running autoupdate for $NAME
        ${UPDATER} "${PACKAGEDIR}" 2>&1 #>/dev/null
      fi
    fi
  fi
done

exit 0

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030909/015ca549/attachment.html

From steve.freegard at LBSLTD.CO.UK Tue Sep 9 15:39:58 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:19:52 2006 Subject: MailWatch vs. MRTG Message-ID: <67D9E7698329D411936E00508B6590B902773AFC@neelix.lbsltd.co.uk> Hi Steve, Here's my opinion - I use both, and I'm the author of MailWatch - IMHO they were both designed with different goals in mind and it depends on what your requirements are MailScanner-MRTG is brilliant for monitoring your mail server and getting the top-level statistics from it - also, it is lightweight on the server itself, and dead easy to install and requires little or no changes to MailScanner itself to operate. I designed MailWatch with a specific goal in mind - we used to use a commercial content scanner here and it *sucked* (even though it was expensive), but it did have a reasonable UI for a helpdesk to use but the reporting also sucked. I wanted something that would allow me to see message level info (to, from, subject, size, sascore, status etc.) of recent messages processed by MailScanner(s) and to generate management reports from this information and to allow the Helpdesk to release quarantined messages and respond to mail queries amongst other things. MailWatch is NOT easy to install, however I've attempted to make it a bit easier in 0.3beta. It does require minimal changes to MailScanner, and it will also introduce extra load on the server, although this is fairly minimal and even less so in 0.3beta. Hope this helps. Kind regards, Steve. -----Original Message----- 
From: Steve Douglas To: MAILSCANNER@JISCMAIL.AC.UK Sent: 08/09/03 22:58 Subject: MailWatch vs. MRTG Can someone weigh-in on both or one of these packages? I already keep busy maintaining my MS server as it is. I am not by far a Linux guru and don't really want to blow up my server, but either one or both of these packages are very tempting. Thanks for any opinions or feedback! <> -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From spycobalt at SPYPRODUCTIONS.COM Tue Sep 9 15:50:46 2003 From: spycobalt at SPYPRODUCTIONS.COM (Mike At Spy) Date: Thu Jan 12 21:19:52 2006 Subject: Just Installed mailscanner,spamassassin In-Reply-To: <008301c376d4$0e1e7fd0$8f99abd0@phil> Message-ID: I just installed mailscanner on my Cobalt RAQ4, and it seems to work great off hand. I am curious as to what it is doing with the access file where we previously would put domains to filter out whenever it has to started back up. makemap: /etc/mail/access: line 4838: key discountbuyers.info: duplicate key I also installed SpamAssassin. Since our access file is pretty darn big, do we even need to block domains anymore with it (since mailscanner and spamassassin are now installed)? Thanks for any input, -Mike From mikea at MIKEA.ATH.CX Tue Sep 9 16:11:52 2003 
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:19:52 2006
Subject: Just Installed mailscanner,spamassassin
In-Reply-To: ; from spycobalt@SPYPRODUCTIONS.COM on Tue, Sep 09, 2003 at 10:50:46AM -0400
References: <008301c376d4$0e1e7fd0$8f99abd0@phil>
Message-ID: <20030909101152.A94317@mikea.ath.cx>

On Tue, Sep 09, 2003 at 10:50:46AM -0400, Mike At Spy wrote:
> I just installed mailscanner on my Cobalt RAQ4, and it seems to work great
> off hand.
>
> I am curious as to what it is doing with the access file where we previously
> would put domains to filter out whenever it has to started back up.
>
> makemap: /etc/mail/access: line 4838: key discountbuyers.info: duplicate key

MailScanner doesn't do *anything* with /etc/mail/access. This message certainly indicates that you have two lines in /etc/mail/access with key "discountbuyers.info"; makemap doesn't like duplicate keys in the default ("hash") DB format. Do a `grep -n discountbuyers.info` on /etc/mail/access to find them.

> I also installed SpamAssassin.
>
> Since our access file is pretty darn big, do we even need to block domains
> anymore with it (since mailscanner and spamassassin are now installed)?

I've still got a fairly hefty access file; it's full of confirmed, sturdy, obdurate beggars^Wspammers, and it's worth keeping in place to reduce the load on sendmail, MailScanner, ClamAV, and SpamAssassin. Remember, if you reject the session at the initial connection request, then you don't need to accept the mail and run all those CPU-and-disk-intensive processes on it.

$ wc -l /etc/mail/access
5613 /etc/mail/access

Here're my mail stats for the past 8 days, to give you an idea of what I reject when:

        Mails   spamassassin     rejected        scanner          total mails
        Total   says 'spam'      by ruleset      says virus       undelivered
Sep 8   7100    1551 (21.85%)    456 ( 6.42%)    1017 (14.32%)    3024 (42.59%)
Sep 7   2734    1053 (38.51%)    181 ( 6.62%)     390 (14.26%)    1624 (59.40%)
Sep 6   2764    1144 (41.39%)    196 ( 7.09%)     303 (10.96%)    1643 (59.44%)
Sep 5   5555    1450 (26.10%)    447 ( 8.05%)     363 ( 6.53%)    2260 (40.68%)
Sep 4   6629    1815 (27.38%)    499 ( 7.53%)     412 ( 6.22%)    2726 (41.12%)
Sep 3   6194    1543 (24.91%)    471 ( 7.60%)     651 (10.51%)    2665 (43.03%)
Sep 2   6910    1400 (20.26%)    427 ( 6.18%)     703 (10.17%)    2530 (36.61%)
Sep 1    129       4 ( 3.10%)      5 ( 3.88%)      45 (34.88%)      54 (41.86%)

Yesterday, 08 Sep., was ... _special_. Yeah, that's the word.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From gerry at dorfam.ca Tue Sep 9 16:21:30 2003
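Added example, not part of any list post: the reply above suggests `grep -n` for the one key makemap named; this sketch lists every duplicated key in an access file in one pass, with line numbers. The sample file is constructed, the function names are hypothetical, and folding keys to lower case assumes makemap is run without its -f flag.

```shell
#!/bin/sh
# Added example (not from the thread): report all duplicate keys in a
# sendmail access file before handing it to makemap.

# find_dup_keys FILE
# Prints one line per duplicated key: "<key>: lines <n>, <m>, ..."
find_dup_keys() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            # Assumption: makemap is run without -f, so it folds upper
            # case in keys to lower case; fold here too so that
            # "DiscountBuyers.info" and "discountbuyers.info" collide.
            key = tolower($1)
            if (key in seen) seen[key] = seen[key] ", " NR
            else             seen[key] = NR
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    printf "%s: lines %s\n", k, seen[k]
        }
    ' "$1" | sort
}

# write_sample_access FILE
# Constructed sample. Only the key discountbuyers.info comes from the
# makemap error quoted in the thread; everything else is made up.
write_sample_access() {
    cat > "$1" <<'EOF'
# constructed sample access file
discountbuyers.info     REJECT
spammer.example         REJECT
192.0.2.10              REJECT
DiscountBuyers.info     550 No thanks
From:spammer.example    REJECT
spammer.example         DISCARD
EOF
}

# Stand-alone use: check the file given as argument, or the sample.
if [ $# -gt 0 ]; then
    find_dup_keys "$1"
else
    demo_file=$(mktemp) && write_sample_access "$demo_file" \
        && find_dup_keys "$demo_file"
    rm -f "$demo_file"
fi
```

The tagged key `From:spammer.example` is a different key from the untagged `spammer.example`, so it is not reported.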
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:19:52 2006 Subject: Your pick of the virus scanners... In-Reply-To: <008301c376d4$0e1e7fd0$8f99abd0@phil> References: <3F5D387E.4020403@platformhosting.com> <008301c376d4$0e1e7fd0$8f99abd0@phil> Message-ID: <57488.129.80.22.133.1063120890.squirrel@tiger.dorfam.ca> > I'd like to know as well. We use the RAV engine which seems very cool. I > believe the license is $60/yr, but may change since Microsoft acquired > them (I'm not sure what exactly they acquired -- parts of the technology > or the whole company). I've been considering ClamAV, Mcafee, F-prot, and > Sophos. Running 2-3 total including RAV as well may be ideal. > I've been experimenting with TrendMicro's scanner. I'm not sure of the pricing (it's free for home use) but this is the fastest scanner I've used. I mean...this sucker is really quick! TrendMicro updates their virus files in a timely fashion and I wrote my own update script to work with MailScanner's update_virus_scanners script. So far it has caught every virus that's hit my system. I use it with ClamAV and F-Prot. Gerry From raymond at PROLOCATION.NET Tue Sep 9 16:24:14 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:52 2006 Subject: Your pick of the virus scanners... In-Reply-To: <57488.129.80.22.133.1063120890.squirrel@tiger.dorfam.ca> Message-ID: Hi! > I've been experimenting with TrendMicro's scanner. I'm not sure of the > pricing (it's free for home use) but this is the fastest scanner I've > used. I mean...this sucker is really quick! > > TrendMicro updates their virus files in a timely fashion and I wrote my > own update script to work with MailScanner's update_virus_scanners script. > So far it has caught every virus that's hit my system. I use it with > ClamAV and F-Prot. Hows the speed compared to f-prot ? Bye, Raymond. From Kevin_Miller at CI.JUNEAU.AK.US Tue Sep 9 16:49:00 2003 
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:19:52 2006 Subject: Your pick of the virus scanners... Message-ID: <08146035CA49D6119A36009027AC822A0264E736@CITY-EXCH-NTS> >-----Original Message----- >From: David Hooton [mailto:david@PLATFORMHOSTING.COM] >Feel free to scream at me if this has been beaten to death previously, >but I'm looking for some kind of feedback as to what virus scanner >everyone is using. > >We're currently using ClamAV and Mcafee, but are looking for a third >scanner to add to the mix, it is incredibly rare that anything gets >through, but as a due diligence thing I would like to add the third. > >I have seen heaps of people talking about F-prot and Sophos, but if you >had to choose 3, which 3 would you choose? > >I'm looking for an economical solution that is not licensed >per mail box. We're running Trend on our internal network, and servers including Exchange 5.5. Works well, timely updates, etc. but that's on the Windows side. Haven't looked at them on Linux yet. We wanted a different virus scanner on our mail servers for additional security so on one I have f-prot, and the other f-secure and clam. All are working well. I got my f-prot before they went to per mail box licensing. We'll see next April, but unless they change the cost I'll probably change that. F-secure was willing to work w/me cost wise so I went w/them (and clam) on the 2nd box. Command antivirus (http://www.authentium.com/) was also willing to work w/me, so they may be worth checking out. Standard disclaimers apply; no affiliation, etc. S'later... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From gerry at dorfam.ca Tue Sep 9 17:20:57 2003 
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:19:52 2006 Subject: MailWatch vs. MRTG In-Reply-To: <67D9E7698329D411936E00508B6590B902773AFC@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773AFC@neelix.lbsltd.co.uk> Message-ID: <46587.129.80.22.133.1063124457.squirrel@tiger.dorfam.ca> > Hi Steve, > > Here's my opinion - I use both, and I'm the author of MailWatch - IMHO > they > were both designed with different goals in mind and it depends on what > your > requirements are > > MailScanner-MRTG is brilliant for monitoring your mail server and getting > the top-level statistics from it - also, it is lightweight on the server > itself, and dead easy to install and requires little or no changes to > MailScanner itself to operate. > > I designed MailWatch with a specific goal in mind - we used to use a > commercial content scanner here and it *sucked* (even though it was > expensive), but it did have a reasonable UI for a helpdesk to use but the > reporting also sucked. I wanted something that would allow me to see > message level info (to, from, subject, size, sascore, status etc.) of > recent > messages processed by MailScanner(s) and to generate management reports > from > this information and to allow the Helpdesk to release quarantined messages > and respond to mail queries amongst other things. > > MailWatch is NOT easy to install, however I've attempted to make it a bit > easier in 0.3beta. It does require minimal changes to MailScanner, and it > will also introduce extra load on the server, although this is fairly > minimal and even less so in 0.3beta. > > Hope this helps. > > Kind regards, > Steve. I installed MailWatch the other night. The install instructions were clear and I didn't find the process overly difficult. There is more involved than installing mailscanner-mrtg but should be easy for anyone who can read. Mailscanner-mrtg provides 15 graphs covering the last 24 hours and are updated every 5 minutes. 
Each of these graphs can be clicked on to open similar graphs for the last week, month and year. The graphs show the

- # of emails received
- MB of emails received
- # of spam messages
- # of virus messages
- # of copies of mailscanner running
- # of copies of sendmail running
- amount of memory used
- cpu load average
- cpu utilization
- ethernet traffic
- space in /var/spool
- space in /
- space in /dev/shm (ram disk)
- # files in incoming queue
- # files in out going queue

I find these graphs to be great for a casual look to make sure everything is running correctly. For example, after playing with the server last night I checked the graphs and noticed that there were two more instances of sendmail running than there should be. I'm not sure how I caused this but it was easily fixed once I noticed.

The MailWatch application provides a wealth of detailed information (including graphs of much of the data) on what your server is doing. You can see details of each individual message (sender, receiver, headers, spam count, size, date, and time). Spam messages are highlighted in pink and virus messages in red. All of this data is kept in a mysql database and a multitude of reports are available to sort and graph the data in various ways. It's easy to see who receives the most mail by either volume or size. Which domains send you the most mail (# of messages or size). What are the spamassassin rule hits on your mail. etc...

Both of these packages are very well done but intended for different uses. If I was given a new email server to administer I'd immediately want to install these packages. There's been a lot of work put into them and it shows!

Gerry

From Kevin_Miller at CI.JUNEAU.AK.US Tue Sep 9 17:35:25 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:19:52 2006
Subject: Huh?
Message-ID: <08146035CA49D6119A36009027AC822A0264E738@CITY-EXCH-NTS>

Got this notice this morning:

-------------------------------
The following e-mail messages were found to have viruses in them:

Sender: tntyoung@msn.com
IP Address: 65.54.169.128
Recipient: username@ci.juneau.ak.us
Subject: DO THIS!!! Cleaning Your Mouse
MessageID: h893OqJ7006788
Report: /var/spool/MailScanner/incoming/31733/h893OqJ7006788/msg-31733-144.html could be infected with an unknown virus
-------------------------------

Huh? A message *could* be infected with an *unknown* virus? How's that work?

MailScanner 4.14-9
F-prot 3.12a (I know, I need to upgrade. It's on the list.)

I suppose it's good that it's catching what it thinks may be a virus, but a few more details would be nifty. Anybody else seen these?

...Kevin
-------------------
Kevin Miller               Registered Linux User No: 307357
CBJ MIS Dept.              Network Systems Administrator, Mail Administrator
155 South Seward Street    ph: (907) 586-0242
Juneau, Alaska 99801       fax: (907 586-4500

From spycobalt at SPYPRODUCTIONS.COM Tue Sep 9 17:43:50 2003
From: spycobalt at SPYPRODUCTIONS.COM (Mike At Spy)
Date: Thu Jan 12 21:19:52 2006
Subject: Just Installed mailscanner,spamassassin
In-Reply-To: <20030909101152.A94317@mikea.ath.cx>
Message-ID:

Thank you to Mike Andrews for answering my first question.

For my second question, and hopefully last; I followed the instructions at:

http://www.qitc.net/support/mailscanner/

For installing on my Cobalt RAQ4. Everything went great for mailscanner, and it is working nicely.

I installed SpamAssassin, and it seemed to install just fine with no complaints. However, after I turned it 'on' in Mailscanner, I was no longer able to POP mail. After awhile, and messing with the filter levels, I turned SpamAssassin off in Mailscanner and suddenly received all of my mail, that apparently, was sitting somewhere on the server.

In the maillog, I do see an error referring to mailscanner not being able to find SpamAssassin as being installed.

Any suggestions?

Thanks!

-Mike

From mkettler at EVI-INC.COM Tue Sep 9 18:08:36 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:19:52 2006
Subject: Huh?
In-Reply-To: <08146035CA49D6119A36009027AC822A0264E738@CITY-EXCH-NTS>
Message-ID: <5.2.1.1.0.20030909130659.02880790@xanadu.evi-inc.com>

At 08:35 AM 9/9/2003 -0800, Kevin Miller wrote:
>Huh? A message *could* be infected with an *unknown* virus? How's that
>work?

Most virus scanners have a heuristic analysis ability, and f-prot does have such a feature available.

All that means is the scanner noticed that the executable had some very unusual loader code patterns, typical of what happens when a virus is added on to an executable and not generally seen in normal programs.

From Kevin at MICA.NET Tue Sep 9 18:19:10 2003
From: Kevin at MICA.NET (Kevin Hanser) Date: Thu Jan 12 21:19:52 2006 Subject: Sobig.F notification question Message-ID: <8B699873CEBA3543926B467E76808232034475@sol.hq.mica.net> I noticed this on the Mailscanner website regarding the Sobig.F virus: "However, it is currently up to the individual system administrators to keep this list up to date. If they haven't added "Sobig" to the list, then their MailScanner will continue to issue warnings to the senders, not knowing that they are fake." After seeing this, I promptly went into my config and tried to find out where this should be configured. I'm assuming that I should add "Sobig" to the end of the silent viruses line. This is what my silent viruses line looks like now: Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar Sobig It doesn't say specifically on the mailscanner page that this is what I need to do, so I wanted to double check that this is all that needs to be done. Have I properly configured my MailScanner so that it won't send replies to Sobig virus identifications, or are there additional steps I need to take? Maybe on the Sobig page on the MailScanner site, there should be an example so that other (sometimes clueless :) admins like me would know what to do :) thx k -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030909/20deef9e/attachment.html From dcmwai at AMTB-M.ORG.MY Tue Sep 9 18:26:39 2003 From: dcmwai at AMTB-M.ORG.MY (=?Big5?B?s6+7yrC2IENoYW4gTWluIFdhaQ==?=) Date: Thu Jan 12 21:19:52 2006 Subject: blacklist... Message-ID: <3F5E0D4F.2060906@amtb-m.org.my> Hello all, Is there any blacklist rules set for Mailscanner Spamassassin, just like the whitelist function? Thank You. From mailscanner at CARLO65.DE Tue Sep 9 18:30:23 2003 
From: mailscanner at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:19:52 2006 Subject: Sobig.F notification question In-Reply-To: <8B699873CEBA3543926B467E76808232034475@sol.hq.mica.net> References: <8B699873CEBA3543926B467E76808232034475@sol.hq.mica.net> Message-ID: <3F5E0E2F.3010005@carlo65.de> Hi Kevin, Kevin Hanser schrieb: > This is what my silent viruses > line looks like now: > > Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar Sobig > > It doesn't say specifically on the mailscanner page that this is what I > need to do, so I wanted to double check that this is all that needs to > be done. > > Have I properly configured my MailScanner so that it won't send replies > to Sobig virus identifications, or are there additional steps I need to > take? Maybe on the Sobig page on the MailScanner site, there should be > an example so that other (sometimes clueless :) admins like me would > know what to do :) Your configuration is proper, it is working like this on my box. You should not forget to restart MailScanner after configuration changes. Regards, Roland From dustin.baer at IHS.COM Tue Sep 9 18:31:46 2003 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:19:52 2006 Subject: blacklist... References: <3F5E0D4F.2060906@amtb-m.org.my> Message-ID: <3F5E0E82.90513C2F@ihs.com> ?????? Chan Min Wai wrote: > > Hello all, > > Is there any blacklist rules set for Mailscanner Spamassassin, just like > the whitelist function? > > Thank You. Yes, take a look in the MailScanner.conf file for: # Spam Blacklist: # Make this point to a ruleset, and anything in that ruleset whose value # is "yes" will *always* be marked as spam. # This can also be the filename of a ruleset. Is Definitely Spam = Dustin From lindsay at pa.net Tue Sep 9 18:34:29 2003 
From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:19:52 2006 Subject: Sobig.F notification question In-Reply-To: <8B699873CEBA3543926B467E76808232034475@sol.hq.mica.net> References: <8B699873CEBA3543926B467E76808232034475@sol.hq.mica.net> Message-ID: <200309091334.29798.lindsay@pa.net> On Tuesday 09 September 2003 13:19, you wrote: > I noticed this on the Mailscanner website regarding the Sobig.F virus: > > "However, it is currently up to the individual system administrators to > keep this list up to date. If they haven't added "Sobig" to the list, > then their MailScanner will continue to issue warnings to the senders, > not knowing that they are fake." > > After seeing this, I promptly went into my config and tried to find out > where this should be configured. I'm assuming that I should add "Sobig" > to the end of the silent viruses line. This is what my silent viruses > line looks like now: > > Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar Sobig > > It doesn't say specifically on the mailscanner page that this is what I > need to do, so I wanted to double check that this is all that needs to > be done. > > Have I properly configured my MailScanner so that it won't send replies > to Sobig virus identifications, or are there additional steps I need to > take? Maybe on the Sobig page on the MailScanner site, there should be > an example so that other (sometimes clueless :) admins like me would > know what to do :) It looks right to me. Here is our Silent Viruses line which includes some others viruses if you are interested. Silent Viruses = HTML-IFrame Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig Fizzer Trojan.Dropper Mimail Dumaru Dumaro -lindsay > > thx > > k From steve.douglas at SBIINCORPORATED.COM Tue Sep 9 18:55:06 2003 
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:19:52 2006
Subject: SpamAssassin / sa-learn
Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FCF6@mail.gardenbotanika.com>

I tried the symlink stuff with no luck. But then this is my very first production Linux server and I am still wet behind the ears. What would the syntax be for the symlink? I understand it to be "ln -s target source." Thanks.

SD
:-)

> -----Original Message-----
> From: John Wilcock [mailto:john@TRADOC.FR]
> Sent: Tuesday, September 09, 2003 1:22 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SpamAssassin / sa-learn
>
> On Tue, 9 Sep 2003 08:02:29 +0200, Robert Waldner wrote:
> > Run sa-learn with "-p /path/to/MailScanner/etc/spam.assassin.prefs.conf",
> > so that it uses the same bayes-path as MailScanner.
>
> Or even easier, as I learned on this list, make
> /etc/mail/spamassassin/local.cf a symlink to spam.assassin.prefs.conf
>
> John.
>
> --
> -- Over 2000 webcams from ski resorts around the world - www.snoweye.com
> -- Translate your technical documents and web pages - www.tradoc.fr

From RKearney at AZERTY.COM Tue Sep 9 19:02:23 2003
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:19:52 2006
Subject: SpamAssassin / sa-learn
Message-ID: <210DF55DED65B547896F728FB057F3B2019C46AE@seaver.ussco.com>

assuming you got a message like...

ln: `local.cf':File exists

then you have to remove local.cf before hand.

i.e.
cd /etc/mail/spamassassin
mv local.cf local.cf.orig
then.. ln -s /etc/MailScanner/spam.assassin.prefs.conf local.cf

-rob

-----Original Message-----
From: Steve Douglas [mailto:steve.douglas@SBIINCORPORATED.COM] Sent: Tuesday, September 09, 2003 1:55 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin / sa-learn I tried the symlink stuff with no luck. But then this is my very first production Linux server and I am still wet behind the ears. What would the syntax be for the symlink? I understand it to be "ln -s target source." Thanks. SD :-) > -----Original Message----- > From: John Wilcock [mailto:john@TRADOC.FR] > Sent: Tuesday, September 09, 2003 1:22 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SpamAssassin / sa-learn > > On Tue, 9 Sep 2003 08:02:29 +0200, Robert Waldner wrote: > > Run sa-learn with "-p > /path/to/MailScanner/etc/spam.assassin.prefs.conf", > > so that it uses the same bayes-path as MailScanner. > > Or even easier, as I learned on this list, make > /etc/mail/spamassassin/local.cf a symlink to spam.assassin.prefs.conf > > John. > > -- > -- Over 2000 webcams from ski resorts around the world - www.snoweye.com > -- Translate your technical documents and web pages - www.tradoc.fr From kevins at BMRB.CO.UK Tue Sep 9 19:06:22 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:52 2006
Subject: SpamAssassin / sa-learn
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7AA6@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7AA6@pascal.priv.bmrb.co.uk>
Message-ID: <1063130787.16542.6.camel@bach.kevinspicer.co.uk>

On Tue, 2003-09-09 at 18:55, Steve Douglas wrote:
>I tried the symlink stuff with no luck. But then this is my very first
>production Linux server and I am still wet behind the ears. What would
>the syntax be for the symlink? I understand it to be "ln -s target
>source."
>Thanks.

Yep, where target is the real file and source is the location where the link should be created. A favourite gotcha is using relative paths, if you use a relative path for the source, then this is relative to your current working directory. If you use a relative path for the target this is relative to the source (shell autocompletion really screws this up!). It's easier to use an absolute path for the target, but better practice to use a relative path.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From virusak at dec1.czu.cz Tue Sep 9 19:40:34 2003
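Added example, not part of any list post: the relative-path gotcha from the reply above, applied to the local.cf symlink discussed in this thread, with a check that refuses to leave a dangling link behind. It runs in a constructed scratch tree rather than the real /etc; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): replace local.cf with a symlink to
# spam.assassin.prefs.conf and verify that the link actually resolves.

# link_resolves LINK: true if LINK is a symlink whose target exists.
link_resolves() {
    [ -L "$1" ] && [ -e "$1" ]
}

# replace_with_link LINK TARGET
# TARGET is stored in the link verbatim. A relative TARGET is resolved
# from the directory containing LINK, not from the current directory.
replace_with_link() {
    link=$1
    target=$2
    backed_up=no
    if [ -L "$link" ]; then
        rm -f "$link"                        # old symlink: replace it
    elif [ -e "$link" ]; then
        mv "$link" "$link.orig" || return 1  # same backup name as in the thread
        backed_up=yes
    fi
    ln -s "$target" "$link" || return 1
    if ! link_resolves "$link"; then
        echo "dangling: $link -> $target" >&2
        rm -f "$link"
        if [ "$backed_up" = yes ]; then
            mv "$link.orig" "$link"          # put the real file back
        fi
        return 1
    fi
}

# make_tree ROOT: constructed stand-in for the paths named in the thread.
make_tree() {
    mkdir -p "$1/etc/MailScanner" "$1/etc/mail/spamassassin"
    echo '# constructed prefs file' \
        > "$1/etc/MailScanner/spam.assassin.prefs.conf"
    echo '# constructed stock local.cf' \
        > "$1/etc/mail/spamassassin/local.cf"
}

demo() {
    root=$(mktemp -d) || return 1
    make_tree "$root"
    (
        # Work from a directory other than the one holding the link.
        cd "$root/etc/mail" || exit 1
        # 1st target: valid from the cwd (what tab completion offers),
        #             but wrong once stored in spamassassin/local.cf.
        # 2nd target: relative to the link's own directory.
        # 3rd target: absolute.
        for t in ../MailScanner/spam.assassin.prefs.conf \
                 ../../MailScanner/spam.assassin.prefs.conf \
                 "$root/etc/MailScanner/spam.assassin.prefs.conf"; do
            if replace_with_link spamassassin/local.cf "$t" 2>/dev/null
            then echo "ok       $t"
            else echo "dangling $t"
            fi
        done
    )
    rm -rf "$root"
}

demo
```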
From: virusak at dec1.czu.cz (MailScanner) Date: Thu Jan 12 21:19:52 2006 Subject: Warning: E-mail viruses detected Message-ID: <200309091840.h89IeYo17880@dec1.czu.cz> Our virus detector has just been triggered by a message you sent:- To: Subject: Re: That movie Date: Tue Sep 9 20:40:34 2003 Any infected parts of the message have not been delivered. This message is simply to warn you that your computer system may have a virus present and should be checked. The virus detector said this about the message: Report: h89IeQc17837/your_document.pif Infection: W32/Sobig.F@mm Shortcuts to MS-Dos programs are very dangerous in email in your_document.pif -- MailScanner Email Virus Scanner www.mailscanner.info From steve.douglas at SBIINCORPORATED.COM Tue Sep 9 20:22:54 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:52 2006 Subject: SpamAssassin / sa-learn Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FCF8@mail.gardenbotanika.com> This is the exact message I received with nl: 'local.cf':File exists. Thank you for the feedback. I appreciate it! SD :-) > -----Original Message----- > From: Kearney, Rob [mailto:RKearney@AZERTY.COM] > Sent: Tuesday, September 09, 2003 1:02 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SpamAssassin / sa-learn > > assuming you got a message like... > > ln: `local.cf':File exists > > then you have to remove local.cf before hand. > > i.e. > cd /etc/mail/spamassassin > mv local.cf local.cf.orig > then.. ln -s /etc/MailScanner/spam.assassin.prefs.conf local.cf > > > > -rob > > -----Original Message----- 
> From: Steve Douglas [mailto:steve.douglas@SBIINCORPORATED.COM] > Sent: Tuesday, September 09, 2003 1:55 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SpamAssassin / sa-learn > > > I tried the symlink stuff with no luck. But then this is my very first > production Linux server and I am still wet behind the ears. What would > the > syntax be for the symlink? I understand it to be "ln -s target source." > Thanks. > > SD > :-) > > > > -----Original Message----- > > From: John Wilcock [mailto:john@TRADOC.FR] > > Sent: Tuesday, September 09, 2003 1:22 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: SpamAssassin / sa-learn > > > > On Tue, 9 Sep 2003 08:02:29 +0200, Robert Waldner wrote: > > > Run sa-learn with "-p > > /path/to/MailScanner/etc/spam.assassin.prefs.conf", > > > so that it uses the same bayes-path as MailScanner. > > > > Or even easier, as I learned on this list, make > > /etc/mail/spamassassin/local.cf a symlink to spam.assassin.prefs.conf > > > > John. > > > > -- > > -- Over 2000 webcams from ski resorts around the world - www.snoweye.com > > -- Translate your technical documents and web pages - www.tradoc.fr From steve.douglas at SBIINCORPORATED.COM Tue Sep 9 20:34:04 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:52 2006 Subject: MailWatch vs. MRTG Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FCF9@mail.gardenbotanika.com> Mr. Freegard, thank you for the feedback. MailWatch was VERY tempting to install, but I have become very protective of my MailScanner gateway. Is there a way that MailWatch could run on another server and monitor my MS gateway? I appreciate you jumping in and providing some information. Thank you. SD :-) > -----Original Message----- 
> From: Steve Freegard [mailto:steve.freegard@lbsltd.co.uk] > Sent: Tuesday, September 09, 2003 9:40 AM > To: 'Steve Douglas '; ' > Subject: RE: MailWatch vs. MRTG > > Hi Steve, > > Here's my opinion - I use both, and I'm the author of MailWatch - IMHO > they > were both designed with different goals in mind and it depends on what > your > requirements are > > MailScanner-MRTG is brilliant for monitoring your mail server and getting > the top-level statistics from it - also, it is lightweight on the server > itself, and dead easy to install and requires little or no changes to > MailScanner itself to operate. > > I designed MailWatch with a specific goal in mind - we used to use a > commercial content scanner here and it *sucked* (even though it was > expensive), but it did have a reasonable UI for a helpdesk to use but the > reporting also sucked. I wanted something that would allow me to see > message level info (to, from, subject, size, sascore, status etc.) of > recent > messages processed by MailScanner(s) and to generate management reports > from > this information and to allow the Helpdesk to release quarantined messages > and respond to mail queries amongst other things. > > MailWatch is NOT easy to install, however I've attempted to make it a bit > easier in 0.3beta. It does require minimal changes to MailScanner, and it > will also introduce extra load on the server, although this is fairly > minimal and even less so in 0.3beta. > > Hope this helps. > > Kind regards, > Steve. > > -----Original Message----- 
> From: Steve Douglas > To: MAILSCANNER@JISCMAIL.AC.UK > Sent: 08/09/03 22:58 > Subject: MailWatch vs. MRTG > > Can someone weigh-in on both or one of these packages? I already keep > busy maintaining my MS server as it is. I am not by far a Linux guru > and don't really want to blow up my server, but either one or both of > these packages are very tempting. Thanks for any opinions or feedback! > > > > > > > > > > <> > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer viruses. From steve.douglas at SBIINCORPORATED.COM Tue Sep 9 20:37:50 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:52 2006 Subject: MailWatch vs. MRTG Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FCFA@mail.gardenbotanika.com> Thank you taking the time out to provide feedback on these packages. I do believe it is time for me to crack my knuckles and take a serious look at them. Since I installed MS I feel kind of out in the dark (even though I know it is doing a great job) with no way to easily validate the stats of my server. Thanks again for the feedback! SD :-) > -----Original Message----- 
> From: Gerry Doris [mailto:gerry@dorfam.ca] > Sent: Tuesday, September 09, 2003 11:21 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailWatch vs. MRTG > > > Hi Steve, > > > > Here's my opinion - I use both, and I'm the author of MailWatch - IMHO > > they > > were both designed with different goals in mind and it depends on what > > your > > requirements are > > > > MailScanner-MRTG is brilliant for monitoring your mail server and > getting > > the top-level statistics from it - also, it is lightweight on the server > > itself, and dead easy to install and requires little or no changes to > > MailScanner itself to operate. > > > > I designed MailWatch with a specific goal in mind - we used to use a > > commercial content scanner here and it *sucked* (even though it was > > expensive), but it did have a reasonable UI for a helpdesk to use but > the > > reporting also sucked. I wanted something that would allow me to see > > message level info (to, from, subject, size, sascore, status etc.) of > > recent > > messages processed by MailScanner(s) and to generate management reports > > from > > this information and to allow the Helpdesk to release quarantined > messages > > and respond to mail queries amongst other things. > > > > MailWatch is NOT easy to install, however I've attempted to make it a > bit > > easier in 0.3beta. It does require minimal changes to MailScanner, and > it > > will also introduce extra load on the server, although this is fairly > > minimal and even less so in 0.3beta. > > > > Hope this helps. > > > > Kind regards, > > Steve. > > I installed MailWatch the other night. The install instructions were > clear and I didn't find the process overly difficult. There is more > involved than installing mailscanner-mrtg but should be easy for anyone > who can read. > > Mailscanner-mrtg provides 15 graphs covering the last 24 hours and are > updated every 5 minutes. 
Each of these graphs can be clicked on to open similar graphs for the last week, month and year. The graphs show the
>
> - # of emails received
> - MB of emails received
> - # of spam messages
> - # of virus messages
> - # of copies of mailscanner running
> - # of copies of sendmail running
> - amount of memory used
> - cpu load average
> - cpu utilization
> - ethernet traffic
> - space in /var/spool
> - space in /
> - space in /dev/shm (ram disk)
> - # files in incoming queue
> - # files in out going queue
>
> I find these graphs to be great for a casual look to make sure everything is running correctly. For example, after playing with the server last night I checked the graphs and noticed that there were two more instances of sendmail running than there should be. I'm not sure how I caused this but it was easily fixed once I noticed.
>
> The MailWatch application provides a wealth of detailed information (including graphs of much of the data) on what your server is doing. You can see details of each individual message (sender, receiver, headers, spam count, size, date, and time). Spam messages are highlighted in pink and virus messages in red. All of this data is kept in a mysql database and a multitude of reports are available to sort and graph the data in various ways. It's easy to see who receives the most mail by either volume or size. Which domains send you the most mail (# of messages or size). What are the spamassassin rule hits on your mail. etc...
>
> Both of these packages are very well done but intended for different uses. If I was given a new email server to administer I'd immediately want to install these packages. There's been a lot of work put into them and it shows!
>
> Gerry

From vanhorn at whidbey.com Tue Sep 9 20:49:00 2003
From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Thu Jan 12 21:19:52 2006 Subject: Real Expectations.. References: <5C0296D26910694BB9A9BBFC577E7AB0015A7A4D@pascal.priv.bmrb.co.uk> <1062934083.21420.104.camel@bach.kevinspicer.co.uk> Message-ID: <3F5E2EAC.DA939526@whidbey.com> Last I looked, it was impossible to whitelist for viruses, I think I have myself whitelisted for spam. This morning the text version was 5K and the HTML version was 8K, so they aren't particularly short. They are individually sent, not so much for personalization but so that I can include the recipient's address in the text so I can correctly handle bounces. Van Kevin Spicer wrote: > On Sun, 2003-09-07 at 09:24, Antony Stone wrote: > > >These Quote of the Day emails are going to be quite short (I hope!) in > >comparison to the "average" email coming in or going out through a > >normal > >system, they won't have any attachments which need unpacking or virus > >scanning, and the spam check is going to be pretty trivial too. > > Especially if you whitelist outgoing mail for spam checks, you could > even whitelist the address that send these messages for virus checks too > (by using a ruleset). Presumably you already address each copy of the > email to a batch of recipients rather than firing a single message for > each recipient (or are the messages personalised?) > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. 
BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ---------------------------------------------------------- From vanhorn at whidbey.com Tue Sep 9 20:50:45 2003 
From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Thu Jan 12 21:19:52 2006 Subject: Real Expectations.. References: <1062934744.21420.116.camel@bach.kevinspicer.co.uk> Message-ID: <3F5E2F15.5F3E6B7F@whidbey.com> You know, I've never checked that. Vmstat should tell me, right? My actual plan is to move my scanning onto a newer box (already well along) and use this box only for outbound mail and web hosting, removing MailScanner entirely. Van Kevin Spicer wrote: > On Sun, 2003-09-07 at 08:40, G. Armour Van Horn wrote: > > >I suspect that I'm throttled by my 768K DSL, but the machine couldn't > >handle > >a lot more based on the LA. > > Hmmm, is the LA caused by processes waiting on I/O or processor? If its > I/O then try sticking the MailScanner incoming directory in tmpfs (if > you've not done so already) > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ---------------------------------------------------------- From jay at HITECHSAVVY.COM Tue Sep 9 20:41:13 2003 
From: jay at HITECHSAVVY.COM (Jay Farschman)
Date: Thu Jan 12 21:19:52 2006
Subject: PostFix, SASL and MailScanner 4.23-11
Message-ID:

Hello,

I've built a server with PostFix and SASL for authorization. It works quite well. It authenticates me before allowing me to send email. I then loaded MailScanner following the How-to at http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml which is pretty straightforward. When I start MailScanner, SASL is no longer able to authenticate me. My email client (Outlook Express) displays the symptom by asking me to re-enter the password. Anyone see something like this before?

Software Versions:
##################
MailScanner 4.23-11
postfix-2.0.14-1
postfix-utils-2.0.14-1
postfix-debuginfo-2.0.14-1
cyrus-sasl-2.1.10-4
cyrus-sasl-plain-2.1.10-4
cyrus-sasl-gssapi-2.1.10-4
cyrus-sasl-md5-2.1.10-4
cyrus-sasl-devel-2.1.10-4
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Sep 5 22:22:16 files postfix/smtpd[10314]: connect from unknown [192.168.1.104]
Sep 5 22:22:16 files postfix/smtpd[10314]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Sep 5 22:22:16 files postfix/smtpd[10314]: warning: unknown [192.168.1.104]: SASL LOGIN authentication failed
Sep 5 22:22:17 files postfix/smtpd[10314]: lost connection after AUTH from unknown[192.168.1.104]
Sep 5 22:22:17 files postfix/smtpd[10314]: disconnect from unknown [192.168.1.104]

*******************
Or the detailed version
*******************

Sep 5 16:29:44 files postfix/smtpd[10500]: < unknown[192.168.1.104]: EHLO vaio
Sep 5 16:29:44 files postfix/smtpd[10500]: > unknown[192.168.1.104]: 250- files.hitechsavvy.com
Sep 5 16:29:44 files postfix/smtpd[10500]: > unknown[192.168.1.104]: 250- PIPELINING
Sep 5 16:29:44 files postfix/smtpd[10500]: > unknown[192.168.1.104]: 250- SIZE 10240000
Sep 5 16:29:44 files postfix/smtpd[10500]: > unknown[192.168.1.104]: 250- ETRN
Sep 5 16:29:44 files postfix/smtpd[10500]: > unknown[192.168.1.104]: 250- AUTH PLAIN LOGIN
Sep 5 16:29:44 files postfix/smtpd[10500]: > unknown[192.168.1.104]: 250- AUTH=PLAIN LOGIN
Sep 5 16:29:44 files postfix/smtpd[10500]: match_hostname: unknown ~? 127.0.0.0/8
Sep 5 16:29:44 files postfix/smtpd[10500]: match_hostaddr: 192.168.1.104 ~? 127.0.0.0/8
Sep 5 16:29:44 files postfix/smtpd[10500]: match_list_match: unknown: no match
Sep 5 16:29:44 files postfix/smtpd[10500]: match_list_match: 192.168.1.104: no match
Sep 5 16:29:44 files postfix/smtpd[10500]: > unknown[192.168.1.104]: 250 8BITMIME
Sep 5 16:29:44 files postfix/smtpd[10500]: watchdog_pat: 0x80a0940
Sep 5 16:29:44 files postfix/smtpd[10500]: < unknown[192.168.1.104]: AUTH LOGIN
Sep 5 16:29:44 files postfix/smtpd[10500]: smtpd_sasl_authenticate: sasl_method LOGIN
Sep 5 16:29:44 files postfix/smtpd[10500]: smtpd_sasl_authenticate: uncoded challenge: Username:
Sep 5 16:29:44 files postfix/smtpd[10500]: > unknown[192.168.1.104]: 334 VXNlcm5hbWU6
Sep 5 16:29:44 files postfix/smtpd[10500]: < unknown[192.168.1.104]: amF5
Sep 5 16:29:44 files postfix/smtpd[10500]: smtpd_sasl_authenticate: decoded response: jay
Sep 5 16:29:44 files postfix/smtpd[10500]: smtpd_sasl_authenticate: uncoded challenge: Password:
Sep 5 16:29:44 files postfix/smtpd[10500]: > unknown[192.168.1.104]: 334 UGFzc3dvcmQ6
Sep 5 16:29:44 files postfix/smtpd[10500]: < unknown[192.168.1.104]: bWFua28lc2FsYXQ=
Sep 5 16:29:44 files postfix/smtpd[10500]: smtpd_sasl_authenticate: decoded response:
Sep 5 16:29:44 files postfix/smtpd[10500]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Sep 5 16:29:44 files postfix/smtpd[10500]: warning: unknown [192.168.1.104]: SASL LOGIN authentication failed
Sep 5 16:29:44 files postfix/smtpd[10500]: > unknown[192.168.1.104]: 535 Error: authentication failed
Sep 5 16:29:45 files postfix/smtpd[10500]: watchdog_pat: 0x80a0940
Sep 5 16:29:45 files postfix/smtpd[10500]: smtp_get: EOF
Sep 5 16:29:45 files postfix/smtpd[10500]: lost connection after AUTH from unknown[192.168.1.104]
Sep 5 16:29:45 files postfix/smtpd[10500]: disconnect from unknown [192.168.1.104]
Sep 5 16:29:45 files postfix/smtpd[10500]: master_notify: status 1
Sep 5 16:29:45 files postfix/smtpd[10500]: connection closed
Sep 5 16:29:45 files postfix/smtpd[10500]: watchdog_stop: 0x80a0940
Sep 5 16:29:45 files postfix/smtpd[10500]: watchdog_start: 0x80a0940

From vanhorn at whidbey.com Tue Sep 9 20:57:30 2003
From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Thu Jan 12 21:19:52 2006 Subject: Real Expectations.. References: <5.1.0.14.0.20030905141601.100e0928@mail.enhtech.com> <3F5AE0E9.3F470715@whidbey.com> <200309070824.h878OE512642@onyx.rockstone.co.uk> Message-ID: <3F5E30AA.2251DE67@whidbey.com> I don't keep much in the way of stats, but going back to a day before LogWatch stopped including Sendmail in the report, I had 84MB transferred in 15,204 messages for the day as a whole. During the business day, with the normal loads from Apache, I rarely see the LA hit .5. The messages (5K text, 8K HTML) aren't large, but they are certainly larger than my median incoming message. Van Antony Stone wrote: > On Sunday 07 September 2003 8:40 am, G. Armour Van Horn wrote: > > > I don't know how it compares to a Sparc, but I'm running an AMD K6-2/500 > > with 384 MB of RAM, RedHat 8.0, Sendmail per RH RPM, MailScanner 4.23-11, > > f-prot, SpamAssassin 2.6. Every morning I send out the Quotes of the Day > > through this machine, which uses a Perl script to merge the address lists > > with the e-mails and dumps it off to Sendmail. The load average goes to 10 > > or thereabouts during the mail run, but it gets through 6,200 messages in > > less than two hours while handling any incoming mail. > > These Quote of the Day emails are going to be quite short (I hope!) in > comparison to the "average" email coming in or going out through a normal > system, they won't have any attachments which need unpacking or virus > scanning, and the spam check is going to be pretty trivial too. > > It would be interesting to know, as well as the fact you can process 6,200 of > these messages in something under 2 hours at a load average of 10, how many > normal messages your system processes during the following 6 hours of the > business day, and what its load average is during that time. > > Regards, > > Antony. 
> > -- > > It wasn't a sight to be seen on an empty stomach, although it could probably > cause one. > > - Terry Pratchett, Soul Music -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ---------------------------------------------------------- From steve.freegard at LBSLTD.CO.UK Tue Sep 9 21:01:21 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:19:52 2006 Subject: MailWatch vs. MRTG Message-ID: <67D9E7698329D411936E00508B6590B902773B07@neelix.lbsltd.co.uk> Hi Steve, >>> Mr. Freegard, thank you for the feedback. No problem at all. >>> Is there a way that MailWatch could run on another server and monitor my MS gateway? Yes - you can set-up another server with MySQL on it and just install MailWatch.pm on your MailScanner box and point it at the MySQL server. However - you won't be able to release quarantined messages and there are a couple of other things which won't work if you do this. If you want to give it a try - then I suggest that you wait until the 29th September as I'm about to go on holiday. I'll knock up some better instructions for you on my return. Kind regards, Steve. -----Original Message----- From: Steve Douglas To: 'Steve Freegard' Cc: 'MAILSCANNER@JISCMAIL.AC.UK' Sent: 09/09/03 20:34 Subject: RE: MailWatch vs. MRTG Mr. Freegard, thank you for the feedback. MailWatch was VERY tempting to install, but I have become very protective of my MailScanner gateway. Is there a way that MailWatch could run on another server and monitor my MS gateway? I appreciate you jumping in and providing some information. Thank you. SD :-) > -----Original Message----- 
> From: Steve Freegard [mailto:steve.freegard@lbsltd.co.uk] > Sent: Tuesday, September 09, 2003 9:40 AM > To: 'Steve Douglas '; ' > Subject: RE: MailWatch vs. MRTG > > Hi Steve, > > Here's my opinion - I use both, and I'm the author of MailWatch - IMHO > they > were both designed with different goals in mind and it depends on what > your > requirements are > > MailScanner-MRTG is brilliant for monitoring your mail server and getting > the top-level statistics from it - also, it is lightweight on the server > itself, and dead easy to install and requires little or no changes to > MailScanner itself to operate. > > I designed MailWatch with a specific goal in mind - we used to use a > commercial content scanner here and it *sucked* (even though it was > expensive), but it did have a reasonable UI for a helpdesk to use but the > reporting also sucked. I wanted something that would allow me to see > message level info (to, from, subject, size, sascore, status etc.) of > recent > messages processed by MailScanner(s) and to generate management reports > from > this information and to allow the Helpdesk to release quarantined messages > and respond to mail queries amongst other things. > > MailWatch is NOT easy to install, however I've attempted to make it a bit > easier in 0.3beta. It does require minimal changes to MailScanner, and it > will also introduce extra load on the server, although this is fairly > minimal and even less so in 0.3beta. > > Hope this helps. > > Kind regards, > Steve. > > -----Original Message----- 
> From: Steve Douglas > To: MAILSCANNER@JISCMAIL.AC.UK > Sent: 08/09/03 22:58 > Subject: MailWatch vs. MRTG > > Can someone weigh-in on both or one of these packages? I already keep > busy maintaining my MS server as it is. I am not by far a Linux guru > and don't really want to blow up my server, but either one or both of > these packages are very tempting. Thanks for any opinions or feedback! > > > > > > > > > > <> > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer viruses. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From steve.douglas at SBIINCORPORATED.COM Tue Sep 9 21:17:54 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:52 2006 Subject: DCC-Pyzor Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FCFB@mail.gardenbotanika.com> Upon completing the dcc installation per the instructions located on http://au2.spamassassin.org/full/2.5x/dist/INSTALL and enter per the instructions the following: Cdcc 'info' AND I receive the following: /var/dcc/map is not the size of the DCC map file DCC server 127.0.0.1 at 127.0.0.1 not responding ---------------------------------------------------------------------- Any information or feedback is appreciated. SD :-) > -----Original Message----- 
> From: Kevin Spicer [mailto:] > Sent: Sunday, September 07, 2003 10:32 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: DCC-Pyzor > > On Sun, 2003-09-07 at 14:38, Tunc Eresen(?`..,,.-> Cobalt M447785363481 > wrote: > > >Hello, all > > >Where is the install scripts for DCC-Pyzor on the www. > > Look for DCC and Pyzor on this page... > http://au2.spamassassin.org/full/2.5x/dist/INSTALL > > It gives the URL's for downloading and instructions for installing. > (Note these may be slightly different from the instructions on the DCC & > Pyzor sites as they don't bother with the components that SpamAssassin > doesn't use.) > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. From steve.freegard at LBSLTD.CO.UK Tue Sep 9 21:20:46 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:19:52 2006 Subject: MailWatch 'MySQL server has gone away' error -- FIXED Message-ID: <67D9E7698329D411936E00508B6590B902773B08@neelix.lbsltd.co.uk> Hello all, For all those people encountering the 'MySQL server has gone away' error when using MailWatch - I've finally found a fix: When you install DBD-MySQL from CPAN, it gives you the latest version 2.9002 by default - this version doesn't work for some reason. Instead - download DBD-MySQL-2.1028 (this is the previous version) from here: http://search.cpan.org/CPAN/authors/id/J/JW/JWIED/DBD-mysql-2.1028.tar.gz and install this instead (perl Makefile.PL && make && make install), you will need the mysql-devel libraries installed for it to compile. Once you've installed this, reload MailScanner and everything will then work correctly. Kind regards, Steve. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From TGFurnish at HERFF-JONES.COM Tue Sep 9 21:42:45 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:52 2006 Subject: Logwatch plugin for MailScanner? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C07B2@inex1.herffjones.hj-int> Redhat ships with Logwatch nicely configured to do nightly log summaries of anything unusual to root. It's a nice framework, IMHO. Before I start writing a plugin for summarizing MailScanner logs at my site I thought I'd ask - anyone already done one? -- Trever From gebhard at EPOST.DE Tue Sep 9 21:36:41 2003 
From: gebhard at EPOST.DE (Holger Gebhard)
Date: Thu Jan 12 21:19:52 2006
Subject: Newbie Question: MCP Feature
Message-ID:

Hello Group,

I have two strange problems with the new MCP feature in MailScanner...

System:
Debian Woody 3.0R1
MailScanner Version 4.23-11
SpamAssassin Version 2.55
Clamav Version 0.60

MCP doesn't check mails for "keywords", but all other features in MailScanner work fine. I try to use the paths which are permitted in the standard "MCP-Configuration" in MailScanner.conf (%mcp-dir%). When a message passes MailScanner I can see that the MCP check seems to start up with no errors in mail.log, mail.info, etc. but detects absolutely nothing (no keywords from the example rule file and/or nothing from a self-written rule file).

The second problem is when I set "Is Definitely MCP" in MailScanner.conf to "Yes", for example, every mail will be marked as MCP... This works fine... But when I set the "Non MCP Actions" to deliver and "MCP Action" to bounce, no bounce mail will be sent. The log file shows the "Message File" can't be found... The "Sender MCP Report" path is set correctly...

For testing I try to clear all paths in the "MCP-Configuration". I know that MCP with no paths uses the "normal" SpamAssassin with the included spam-detection rules and not the "MCP-Rules"... Whatever, the logs show that MCP detects "SPAM" equal to the following spam check (SpamAssassin)... (With this configuration MailScanner crashes after the spam check and all email sent through MailScanner will not be delivered ;-) )

For me it seems to be a SpamAssassin or ruleset problem? What does the "second" copy of SpamAssassin (MCP) mean? A manually started SpamAssassin?

Has anyone tested this feature or have it running? Can anybody help me?

Thanks
Holger

From gerry at DORFAM.CA Tue Sep 9 21:49:26 2003
From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:19:52 2006 Subject: MailWatch vs. MRTG In-Reply-To: <3963522F0E71474CB14C0FF54A6914F70142FCFA@mail.gardenbotanika.com> Message-ID: On Tue, 9 Sep 2003, Steve Douglas wrote: > Thank you taking the time out to provide feedback on these packages. I do > believe it is time for me to crack my knuckles and take a serious look at > them. Since I installed MS I feel kind of out in the dark (even though I > know it is doing a great job) with no way to easily validate the stats of my > server. > > Thanks again for the feedback! > > SD > :-) If you want stats then install MailWatch. It generates enough stats to keep anyone happy! -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From kevins at BMRB.CO.UK Tue Sep 9 21:55:49 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:52 2006 Subject: Real Expectations.. In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7AAC@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7AAC@pascal.priv.bmrb.co.uk> Message-ID: <1063140949.12147.24.camel@bach.kevinspicer.co.uk> On Tue, 2003-09-09 at 20:49, G. Armour Van Horn wrote: >Last I looked, it was impossible to whitelist for viruses, Actually you can (kinda), make Virus Scanning a ruleset. I do this from my home machine, so I can ssh into my home machine from work and use it to send Eicar to my work account to check that the mailscanner I administer at work is functioning okay. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Tue Sep 9 22:06:21 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:52 2006 Subject: Real Expectations.. In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7AAD@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7AAD@pascal.priv.bmrb.co.uk> Message-ID: <1063141582.16542.38.camel@bach.kevinspicer.co.uk> On Tue, 2003-09-09 at 20:50, G. Armour Van Horn wrote: >You know, I've never checked that. Vmstat should tell me, right? That should help you work out if the memory is a problem. You should also take a look at iostat and sar. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Tue Sep 9 22:26:51 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:52 2006
Subject: DCC-Pyzor
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7AB2@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7AB2@pascal.priv.bmrb.co.uk>
Message-ID: <1063142812.16542.60.camel@bach.kevinspicer.co.uk>

On Tue, 2003-09-09 at 21:17, Steve Douglas wrote:
>Upon completing the dcc installation per the instructions located on
>http://au2.spamassassin.org/full/2.5x/dist/INSTALL and enter per the
>instructions the following:
>Cdcc 'info'
>AND I receive the following:
>/var/dcc/map is not the size of the DCC map file

That's odd, this suggests that either the file /var/dcc/map is missing or not correctly formatted? Maybe try reinstalling.

A-ha! delete everything in /var/dcc then try reinstalling, Seems to have worked for me.

>DCC server 127.0.0.1 at 127.0.0.1 not responding

That's normal, you're not running a dcc server so it won't respond

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at LISTS.COM.AR Tue Sep 9 22:35:15 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:52 2006
Subject: Filename Subject Text vs. Content Subject Text
Message-ID: <3F5E1D63.17.18B65CC@localhost>

Hi,

I'm using MS 4.23-11 with SA 2.55.

It seems MS is somehow confusing "Filename Subject Text" "Content Subject Text".

I have the following settings:

Allow IFrame Tags = no
Log IFrame Tags = yes
Allow Form Tags = no
Allow Object Codebase Tags = no
Filename Modify Subject = no
Filename Subject Text = {Nombre de archivo anexo prohibido}
Content Modify Subject = yes
Content Subject Text = {Contenido potencialmente peligroso}

And, when getting a message with IFrame, it added the "Filename Subject Text" instead of the "Content Subject Text" I expected.

Here's the log:

Sep 5 14:43:51 or MX[4995]: New Batch: Scanning 1 messages, 43452 bytes
Sep 5 14:43:51 or MX[4995]: Spam Checks: Starting
Sep 5 14:43:54 or MX[4995]: Virus and Content Scanning: Starting
Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-156.html (no rule matched)
Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-155.txt
Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-155.txt
Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-156.html
Sep 5 14:43:54 or MX[4995]: HTML IFrame tag found in message 1221617 from boletininformar@redinformar.com.ar
Sep 5 14:43:54 or MX[4995]: Content Checks: Detected HTML-specific exploits in 1221617
Sep 5 14:43:54 or MX[4995]: Content Checks: Found 1 problems
Sep 5 14:43:54 or MX[4995]: ZM: message 1221617 renamed into 1156463
Sep 5 14:43:54 or MX[4995]: Silent: Delivered 1 messages containing silent viruses

And the modified was:

{Nombre de archivo anexo prohibido} RI-Boletín Informar Computación: Año 1 - Número 51 - SEPTIEMBRE 5, 2003

Are these entries mixed up?

--
Mariano Absatz
El Baby
----------------------------------------------------------
Don't worry about the world coming to an end today. It's already tomorrow in Australia.
-- Charles Schulz

From ron at SUMMIT-TECH.CA Tue Sep 9 22:41:33 2003
From: ron at SUMMIT-TECH.CA (Ron Nessim)
Date: Thu Jan 12 21:19:52 2006
Subject: Exim, FreeBSD and Mailscanner
Message-ID:

I have been trying to install Mailscanner, and I have reached a strange problem with the expansion of directory variables like %etc-dir%. When they are expanded they get expanded as exponents, so my directory paths are all incorrect. Here is the entry from the maillog:

Sep 9 17:30:01 mail MailScanner[56695]: MailScanner E-Mail Virus Scanner version 4.21-9 starting...
Sep 9 17:30:01 mail MailScanner[56695]: Could not read file %etc-dir%/spam.assassin.prefs.conf
Sep 9 17:30:01 mail MailScanner[56695]: Error in line 783, file "0.000000e+00tc-dir%/spam.assassin.prefs.conf" for spamassassinprefsfile does not exist (or can not be read)

Does anyone know how I can fix this?

Thanks,

Ron.

From mark at TIPPINGMAR.COM Tue Sep 9 23:33:55 2003
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:19:52 2006
Subject: Logwatch plugin for MailScanner?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C07B2@inex1.herffjones.hj-int>
Message-ID: <3F5DF2E3.25303.148DF4A4@localhost>

On 9 Sep 2003 at 15:42, Furnish, Trever G wrote:
> Redhat ships with Logwatch nicely configured to do nightly log summaries of
> anything unusual to root. It's a nice framework, IMHO. Before I start
> writing a plugin for summarizing MailScanner logs at my site I thought I'd
> ask - anyone already done one?

Well, sort of. I wrote a very simple one that just reports:

the number of viruses,
the number of delivered spam,
the number of deleted spam,
and the number of timeouts for spamassassin.

It is ridiculously underpowered compared to other standalone log analyzers contributed by others on this list. But it is in the right form for use with logwatch, so maybe you could use it as a starting point for something more powerful.

By the way, I upgraded the logwatch that came with my RedHat 7.3 to one from the logwatch website (4.3.2-1), which is a huge improvement.
----
Mark

Here is the file "/etc/log.d/conf/services/mailscanner.conf"

################################################################
# $Id: MailScanner.conf,v 0.1 2003/05/28 mark Exp $
################################################################

# You can put comments anywhere you want to. They are effective for the
# rest of the line.

# this is in the format of <name> = <value>. Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.

# Yes = True = On = 1
# No = False = Off = 0

Title = "MailScanner"

# Which logfile group...
LogFile = maillog

# Only give lines pertaining to the MailScanner service...
*OnlyService = MailScanner
*RemoveHeaders

And here is the file "/etc/log.d/scripts/services/mailscanner"

#!/usr/bin/perl
#############################################################
# $Id: MailScanner,v 0.3 2003/06/02 mark
#############################################################

$Viruses = 0;
$SpamDeleted = 0;
$SpamDelivered = 0;
$SAtimeout = 0;

# Logwatch passes the filtered log lines to this script on standard input.
while (defined($ThisLine = <STDIN>)) {
   # A message whose actions include "delete" is counted as deleted only.
   if ($ThisLine =~ /actions are .*delete/) {
      $SpamDeleted++;
   } elsif ($ThisLine =~ /actions are .*deliver/) {
      $SpamDelivered++;
   }

   if ($ThisLine =~ /SpamAssassin timed out/) {
      $SAtimeout++;
   }

   # Add up the per-batch virus counts.
   if ( ($Virii) = ($ThisLine =~ /Virus Scanning: Found (\d+) viruses/) ) {
      $Viruses += $Virii;
   }
}

# Print only the counters that are non-zero.
if ($Viruses > 0) {
   print "\n" . $Viruses . " viruses found";
}

if ($SpamDeleted > 0) {
   print "\n" . $SpamDeleted . " spam messages deleted";
}

if ($SpamDelivered > 0) {
   print "\n" . $SpamDelivered . " spam messages delivered";
}

if ($SAtimeout > 0) {
   print "\n" . $SAtimeout . " SpamAssassin time outs";
}

exit(0);

From Ulysees at ULYSEES.COM Tue Sep 9 23:43:16 2003
From: Ulysees at ULYSEES.COM (Ulysees)
Date: Thu Jan 12 21:19:52 2006
Subject: Filename Subject Text vs. Content Subject Text
References: <3F5E1D63.17.18B65CC@localhost>
Message-ID: <000701c37723$cec67860$0a010a0a@prometheus>

I'm getting the same thing, MS 4.23-11 no SA and any mail being caught with a html form is coming up with filename?

uly

----- Original Message -----
From: "Mariano Absatz"
To:
Sent: Tuesday, September 09, 2003 10:35 PM
Subject: [MAILSCANNER] Filename Subject Text vs. Content Subject Text

Hi,

I'm using MS 4.23-11 with SA 2.55.

It seems MS is somehow confusing "Filename Subject Text" "Content Subject Text".

I have the following settings:

Allow IFrame Tags = no
Log IFrame Tags = yes
Allow Form Tags = no
Allow Object Codebase Tags = no
Filename Modify Subject = no
Filename Subject Text = {Nombre de archivo anexo prohibido}
Content Modify Subject = yes
Content Subject Text = {Contenido potencialmente peligroso}

And, when getting a message with IFrame, it added the "Filename Subject Text" instead of the "Content Subject Text" I expected.

Here's the log:

Sep 5 14:43:51 or MX[4995]: New Batch: Scanning 1 messages, 43452 bytes
Sep 5 14:43:51 or MX[4995]: Spam Checks: Starting
Sep 5 14:43:54 or MX[4995]: Virus and Content Scanning: Starting
Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-156.html (no rule matched)
Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-155.txt
Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-155.txt
Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-156.html
Sep 5 14:43:54 or MX[4995]: HTML IFrame tag found in message 1221617 from boletininformar@redinformar.com.ar
Sep 5 14:43:54 or MX[4995]: Content Checks: Detected HTML-specific exploits in 1221617
Sep 5 14:43:54 or MX[4995]: Content Checks: Found 1 problems
Sep 5 14:43:54 or MX[4995]: ZM: message 1221617 renamed into 1156463
Sep 5 14:43:54 or MX[4995]: Silent: Delivered 1 messages containing silent viruses

And the modified was:

{Nombre de archivo anexo prohibido} RI-Boletín Informar Computación: Año 1 - Número 51 - SEPTIEMBRE 5, 2003

Are these entries mixed up?

--
Mariano Absatz
El Baby
----------------------------------------------------------
Don't worry about the world coming to an end today. It's already tomorrow in Australia.
-- Charles Schulz

From TGFurnish at HERFF-JONES.COM Tue Sep 9 23:48:50 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:52 2006
Subject: Logwatch plugin for MailScanner? {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1BC1@inex1.herffjones.hj-int>

Good 'nuff - thanks. I'll start from yours and get back to you if I come up with useful enhancements.

--
Trever

> -----Original Message-----
> From: Mark Nienberg [mailto:mark@TIPPINGMAR.COM]
> Sent: Tuesday, September 09, 2003 5:34 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Logwatch plugin for MailScanner? {Scanned by HJMS}
>
> On 9 Sep 2003 at 15:42, Furnish, Trever G wrote:
> > Redhat ships with Logwatch nicely configured to do nightly log summaries of
> > anything unusual to root. It's a nice framework, IMHO. Before I start
> > writing a plugin for summarizing MailScanner logs at my site I thought I'd
> > ask - anyone already done one?
>
> Well, sort of. I wrote a very simple one that just reports:
>
> the number of viruses,
> the number of delivered spam,
> the number of deleted spam,
> and the number of timeouts for spamassassin.
>
> It is ridiculously underpowered compared to other standalone log analyzers
> contributed by others on this list. But it is in the right form for use with
> logwatch, so maybe you could use it as a starting point for something more
> powerful.
>
> By the way, I upgraded the logwatch that came with my RedHat 7.3 to one from
> the logwatch website (4.3.2-1), which is a huge improvement.
> ----
> Mark
>
> Here is the file "/etc/log.d/conf/services/mailscanner.conf"
>
> ################################################################
> # $Id: MailScanner.conf,v 0.1 2003/05/28 mark Exp $
> ################################################################
>
> # You can put comments anywhere you want to. They are effective for the
> # rest of the line.
>
> # this is in the format of <name> = <value>. Whitespace at the beginning
> # and end of the lines is removed. Whitespace before and after the = sign
> # is removed. Everything is case *insensitive*.
>
> # Yes = True = On = 1
> # No = False = Off = 0
>
> Title = "MailScanner"
>
> # Which logfile group...
> LogFile = maillog
>
> # Only give lines pertaining to the MailScanner service...
> *OnlyService = MailScanner
> *RemoveHeaders
>
> And here is the file "/etc/log.d/scripts/services/mailscanner"
>
> #!/usr/bin/perl
> #############################################################
> # $Id: MailScanner,v 0.3 2003/06/02 mark
> #############################################################
>
> $Viruses = 0;
> $SpamDeleted = 0;
> $SpamDelivered = 0;
> $SAtimeout = 0;
>
> while (defined($ThisLine = <STDIN>)) {
>    if ($ThisLine =~ /actions are .*delete/) {
>       $SpamDeleted++;
>    } elsif ($ThisLine =~ /actions are .*deliver/) {
>       $SpamDelivered++;
>    }
>
>    if ($ThisLine =~ /SpamAssassin timed out/) {
>       $SAtimeout++;
>    }
>
>    if ( ($Virii) = ($ThisLine =~ /Virus Scanning: Found (\d+) viruses/) ) {
>       $Viruses += $Virii;
>    }
> }
>
> if ($Viruses > 0) {
>    print "\n" . $Viruses . " viruses found";
> }
>
> if ($SpamDeleted > 0) {
>    print "\n" . $SpamDeleted . " spam messages deleted";
> }
>
> if ($SpamDelivered > 0) {
>    print "\n" . $SpamDelivered . " spam messages delivered";
> }
>
> if ($SAtimeout > 0) {
>    print "\n" . $SAtimeout . " SpamAssassin time outs";
> }
>
> exit(0);
>

From vernon at COMP-WIZ.COM Tue Sep 9 23:52:04 2003
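A fuller version of the Logwatch-style summary from the thread above, as an added Python example (not Mark Nienberg's script and not MailScanner code). It also counts the content-check, unreadable-file and SpamAssassin timeout lines quoted elsewhere in this archive, and it takes the syslog tag as a parameter because those quoted lines appear under both `MailScanner[...]` and `MX[...]`; the sample log lines are constructed from the quoted ones, and the function and counter names are assumptions.

```python
import re
import sys
from collections import Counter

# "Sep  5 14:43:54 host TAG[pid]: message" -- the shape of the syslog lines quoted here.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+([^\[\s]+)\[\d+\]:\s+(.*)$")

SPAM_DELETE_RE = re.compile(r"actions are .*delete")
SPAM_DELIVER_RE = re.compile(r"actions are .*deliver")
VIRUSES_RE = re.compile(r"Virus Scanning: Found (\d+) viruses")
PROBLEMS_RE = re.compile(r"Content Checks: Found (\d+) problems")
IFRAME_RE = re.compile(r"HTML IFrame tag found in message \S+ from (\S+)")
SA_TIMEOUT_RE = re.compile(
    r"SpamAssassin timed out(?: and was killed, consecutive failure (\d+) of \d+)?")
UNREADABLE_RE = re.compile(r"Could not read file (\S+)")


def summarise(lines, tags=("MailScanner",)):
    """Summarise MailScanner events; only lines logged under one of `tags` are counted."""
    counts = Counter()
    iframe_senders = Counter()
    unreadable_files = []
    worst_sa_run = 0
    for raw in lines:
        parsed = SYSLOG_RE.match(raw.rstrip("\n"))
        if parsed is None:
            counts["unparsed"] += 1
            continue
        tag, msg = parsed.groups()
        if tag not in tags:
            counts["other_service"] += 1
            continue
        # Same precedence as the script in the thread: "delete" wins over "deliver".
        if SPAM_DELETE_RE.search(msg):
            counts["spam_deleted"] += 1
        elif SPAM_DELIVER_RE.search(msg):
            counts["spam_delivered"] += 1
        m = VIRUSES_RE.search(msg)
        if m:
            counts["viruses"] += int(m.group(1))
        m = PROBLEMS_RE.search(msg)
        if m:
            counts["content_problems"] += int(m.group(1))
        m = IFRAME_RE.search(msg)
        if m:
            counts["iframe_tags"] += 1
            iframe_senders[m.group(1)] += 1
        m = SA_TIMEOUT_RE.search(msg)
        if m:
            counts["sa_timeouts"] += 1
            if m.group(1):  # longest run of consecutive SpamAssassin failures seen
                worst_sa_run = max(worst_sa_run, int(m.group(1)))
        m = UNREADABLE_RE.search(msg)
        if m:
            unreadable_files.append(m.group(1))
    return {"counts": counts, "iframe_senders": iframe_senders,
            "unreadable_files": unreadable_files, "worst_sa_run": worst_sa_run}


def format_report(summary):
    """Render the non-zero counters the way a Logwatch section would show them."""
    labels = [("viruses", "viruses found"), ("spam_deleted", "spam messages deleted"),
              ("spam_delivered", "spam messages delivered"),
              ("sa_timeouts", "SpamAssassin time outs"),
              ("iframe_tags", "messages with IFrame tags"),
              ("content_problems", "content problems")]
    out = ["%d %s" % (summary["counts"][k], text)
           for k, text in labels if summary["counts"][k] > 0]
    if summary["worst_sa_run"]:
        out.append("longest SpamAssassin failure run: %d" % summary["worst_sa_run"])
    out.extend("unreadable file: " + path for path in summary["unreadable_files"])
    return out


# Constructed sample, modelled on the log lines quoted in this archive.
SAMPLE_LOG = """\
Sep  5 14:43:54 or MX[4995]: Virus and Content Scanning: Starting
Sep  5 14:43:54 or MX[4995]: HTML IFrame tag found in message 1221617 from boletininformar@redinformar.com.ar
Sep  5 14:43:54 or MX[4995]: Content Checks: Detected HTML-specific exploits in 1221617
Sep  5 14:43:54 or MX[4995]: Content Checks: Found 1 problems
Sep  9 17:30:01 mail MailScanner[56695]: Could not read file %etc-dir%/spam.assassin.prefs.conf
Sep  9 17:31:10 mail MailScanner[56701]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Sep  9 17:32:25 mail MailScanner[56701]: SpamAssassin timed out and was killed, consecutive failure 2 of 20
Sep  9 17:33:00 mail MailScanner[56701]: Virus Scanning: Found 3 viruses
Sep  9 17:33:01 mail MailScanner[56701]: Spam Actions: message 1221700 actions are delete
Sep  9 17:33:02 mail MailScanner[56701]: Spam Actions: message 1221701 actions are store,deliver
Sep  9 17:33:05 mail sendmail[777]: h89LX5: to=<user@example.com>, stat=Sent
this line is not syslog
""".splitlines()

if __name__ == "__main__":
    # With no input piped in, fall back to the constructed sample.
    lines = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    print("\n".join(format_report(summarise(lines, tags=("MailScanner", "MX")))))
```

With the default `tags`, the four `MX[...]` lines are counted as another service, so the IFrame and content-check events only show up once `"MX"` is added to `tags`.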
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:53 2006
Subject: MailScanner Eating Up System Proccesses
Message-ID: <20030909224407.M20022@comp-wiz.com>

Now I have a new problem. When I start MailScanner it seems to tie up my system so bad that I can't even access web pages. When I look at the system processes there are a number of MailScanner processes running eating up the CPU, some processes as high as 13% and then they go down from there to like 9%, 7% and so forth. You add them all up and the system is almost at a standstill. It never used to do this so I don't understand why it is. Any ideas?

Vernon Webb
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030909/4c77ceb4/attachment.html

From TGFurnish at HERFF-JONES.COM Wed Sep 10 00:27:26 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:53 2006
Subject: MailScanner Eating Up System Proccesses {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C07B4@inex1.herffjones.hj-int>

Some things to try:

vmstat 1
...are there many processes in the blocked state (second column)? If so, perhaps you have an I/O problem. Also shows how much swap is used (ought to be low and slowly changing or never changing) and how much free memory there is.

free
...shows statistics about memory and swap usage.

ps auxww | grep MailScanner
...the STAT column (8th, on my machine) may give you some clues - if you see D it's blocked on something, probably I/O. If you see R, it's in a run queue waiting for the cpu. Probably not going to see Z, but that's defunct, meaning the proc is dead and the parent hasn't cleaned it up yet.

pstree -ap | less
...assuming Linux. If HPUX, try UNIX95= ps -efH | more instead. This sometimes makes it easier to see important parent/child relationships between processes.

Try turning off spamassassin and restarting MailScanner.
Try enabling debugging in MailScanner and SpamAssassin.
Try turning off rbl checks.
Try turning off razor/Pyzor/DCC checks.
Try turning off Bayes.

iostat 1
... may show more detail about any i/o bottleneck if you have multiple drives.

HTH,
Trever

-----Original Message-----
From: Vernon Webb [mailto:vernon@COMP-WIZ.COM]
Sent: Tuesday, September 09, 2003 5:52 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner Eating Up System Proccesses {Scanned by HJMS}

Now I have a new problem. When I start MailScanner it seems to tie up my system so bad that I can't even access web pages. When I look at the system processes there are a number of MailScanner processes running eating up the CPU, some processes as high as 13% and then they go down from there to like 9%, 7% and so forth. You add them all up and the system is almost at a standstill. It never used to do this so I don't understand why it is. Any ideas?

Vernon Webb
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030909/e824a374/attachment.html

From mikew at CRUCIS.NET Wed Sep 10 01:07:56 2003
From: mikew at CRUCIS.NET (Mike Watson)
Date: Thu Jan 12 21:19:53 2006
Subject: F-Prot update fails after upgrade
Message-ID: <200309091907.56932.mikew@crucis.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe I missed it if this was listed before, but I upgraded to 4.23-11 from 4.22-? and since the upgrade, I'm getting this message from cron.
======================================================
/etc/cron.hourly/update_virus_scanners:

find: invalid predicate `-IsItInstalled'
Error: /AUTO may not be specified unless /DELETE, /DISINF or /RENAME
are included on the command line as well.
Virus scanning report - 7 September 2003 @ 5:01

F-PROT ANTIVIRUS
Program version: 3.13
Engine version: 3.13.1

VIRUS SIGNATURE FILES
SIGN.DEF created 1 September 2003
SIGN2.DEF created 2 September 2003
MACRO.DEF created 1 September 2003

Search: /usr/local/f-prot
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -AI -OLD

Results of virus scanning:

Files: 23
MBRs: 0
Boot sectors: 0
Objects scanned: 23

Time: 0:01

No viruses or suspicious files/boot sectors were found.

Is there a patch to take care of this?

Mike W
- --
Registered Linux - 256979
NRA Life
ARS: W0TMW

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/Xmtc5fq6h2uDDlQRAgCaAJ4pi49iZuB1p3gNvuytA32VerTf9QCePNR6
DdEa2/K+GRSPp8XUmEGPz7k=
=DSPy
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by F-Prot and MailScanner, and is believed to be clean.

From mikew at CRUCIS.NET Wed Sep 10 01:11:39 2003
From: mikew at CRUCIS.NET (Mike Watson)
Date: Thu Jan 12 21:19:53 2006
Subject: MS 4.23-11: buglet in update_virus_scanners
In-Reply-To:
References:
Message-ID: <200309091911.39984.mikew@crucis.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 08 September 2003 07:56 am, you wrote:
> Julian,
> I just upgraded from 4.22-5 to 4.23-11, and update_virus_scanners
> gagged the first time cron ran it on my Solaris 9 box. It turns out
> the /usr/bin/grep on Sun does not support the "-e" option, while
> GNU grep (/usr/local/bin on my box) or /usr/xpg4/bin/grep does.
> So I had to tweak my copy to use GNU grep. I don't how you want to
> fix this for all permutations of grep. What a pain.
>
> --- Jeff Earickson

I'm getting an error from cron on my RH8 Linux box too.

mw
- --
Registered Linux - 256979
NRA Life
ARS: W0TMW

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/Xmw75fq6h2uDDlQRAo19AJ0b7lTF575OQW1n8GltJkaFjnaWfgCcDAhM
ZEqE+QVqo+Nqj+unyMrtYO8=
=NX+2
-----END PGP SIGNATURE-----

From raymond at PROLOCATION.NET Wed Sep 10 01:16:43 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:53 2006
Subject: F-Prot update fails after upgrade
In-Reply-To: <200309091907.56932.mikew@crucis.net>
Message-ID:

Hi!

> Virus scanning report - 7 September 2003 @ 5:01
>
> F-PROT ANTIVIRUS
> Program version: 3.13
> Engine version: 3.13.1

What about upgrading engine, this isn't catching even the new Sobig variants now. Upgrade is 2 minutes work...

> Maybe I missed it if this was listed before, but I upgraded to 4.23-11
> from 4.22-? and since the upgrade, I'm getting this message from cron.
> ======================================================
> /etc/cron.hourly/update_virus_scanners:
> find: invalid predicate `-IsItInstalled'
> Error: /AUTO may not be specified unless /DELETE, /DISINF or /RENAME

Please upgrade your AV engine, F-Prot doesn't support it neither.

Bye,
Raymond.

From mikew at CRUCIS.NET Wed Sep 10 01:23:13 2003
From: mikew at CRUCIS.NET (Mike Watson)
Date: Thu Jan 12 21:19:53 2006
Subject: F-Prot update fails after upgrade
In-Reply-To:
References:
Message-ID: <200309091923.13161.mikew@crucis.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 09 September 2003 07:16 pm, you wrote:
> Hi!
>
> > Virus scanning report - 7 September 2003 @ 5:01
> >
> > F-PROT ANTIVIRUS
> > Program version: 3.13
> > Engine version: 3.13.1
>
> What about updrading engine, this isnt catching even the new Sobig
> variants now. Upgrade is 2 minutes work...
>
> > Maybe I missed it if this was listed before, but I upgraded to
> > 4.23-11 from 4.22-? and since the upgrade, I'm getting this message
> > from cron. ======================================================
> > /etc/cron.hourly/update_virus_scanners:
> > find: invalid predicate `-IsItInstalled'
> > Error: /AUTO may not be specified unless /DELETE, /DISINF or
> > /RENAME
>
> Please upgrade your AV engine, F-Prot doesnt support it neither.
>
> Bye,
> Raymond.

Thanks. I've been delaying upgrading F-Prot due to their license change. But...can't wait any longer it seems.

Mike W
- --
Registered Linux - 256979
NRA Life
ARS: W0TMW

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/Xm7x5fq6h2uDDlQRAhIyAKCFlyEumIMFI1LKvmMgBMw4O4ztxQCgzr4Z
3z50QGRuKmxCCiNgBqvicTs=
=PSUn
-----END PGP SIGNATURE-----

From mailscanner at ecs.soton.ac.uk Wed Sep 10 02:43:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:53 2006
Subject: F-Prot update fails after upgrade
In-Reply-To: <200309091907.56932.mikew@crucis.net>
Message-ID: <5.2.1.1.2.20030910024243.03947008@imap.ecs.soton.ac.uk>

If you look in /usr/lib/MailScanner, you will find one or more files whose names end with ".rpmnew". These need to be moved over the top of the old files. This is documented on the downloads page on the website, right at the top.

At 01:07 10/09/2003, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Maybe I missed it if this was listed before, but I upgraded to 4.23-11
>from 4.22-? and since the upgrade, I'm getting this message from cron.
>======================================================
>/etc/cron.hourly/update_virus_scanners:
>
>find: invalid predicate `-IsItInstalled'
>Error: /AUTO may not be specified unless /DELETE, /DISINF or /RENAME
>are included on the command line as well.
>Virus scanning report - 7 September 2003 @ 5:01
>
>F-PROT ANTIVIRUS
>Program version: 3.13
>Engine version: 3.13.1
>
>VIRUS SIGNATURE FILES
>SIGN.DEF created 1 September 2003
>SIGN2.DEF created 2 September 2003
>MACRO.DEF created 1 September 2003
>
>Search: /usr/local/f-prot
>Action: Report only
>Files: "Dumb" scan of all files
>Switches: -ARCHIVE -AI -OLD
>
>
>Results of virus scanning:
>
>Files: 23
>MBRs: 0
>Boot sectors: 0
>Objects scanned: 23
>
>Time: 0:01
>
>No viruses or suspicious files/boot sectors were found.
>
>Is there a patch to take care of this?
>
>Mike W
>- --
>Registered Linux - 256979
>NRA Life
>ARS: W0TMW
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.7 (GNU/Linux)
>
>iD8DBQE/Xmtc5fq6h2uDDlQRAgCaAJ4pi49iZuB1p3gNvuytA32VerTf9QCePNR6
>DdEa2/K+GRSPp8XUmEGPz7k=
>=DSPy
>-----END PGP SIGNATURE-----
>
>
>--
>This message has been scanned for viruses and
>dangerous content by F-Prot and MailScanner,
>and is believed to be clean.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 10 02:45:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:53 2006
Subject: MS 4.23-11: buglet in update_virus_scanners
In-Reply-To: <200309091911.39984.mikew@crucis.net>
References:
Message-ID: <5.2.1.1.2.20030910024510.03ad0d78@imap.ecs.soton.ac.uk>

At 01:11 10/09/2003, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Monday 08 September 2003 07:56 am, you wrote:
> > Julian,
> > I just upgraded from 4.22-5 to 4.23-11, and update_virus_scanners
> > gagged the first time cron ran it on my Solaris 9 box. It turns out
> > the /usr/bin/grep on Sun does not support the "-e" option, while
> > GNU grep (/usr/local/bin on my box) or /usr/xpg4/bin/grep does.
> > So I had to tweak my copy to use GNU grep. I don't how you want to
> > fix this for all permutations of grep. What a pain.
> >
> > --- Jeff Earickson
>I'm getting an error from cron on my RH8 Linux box too.

And what might this error message be?

>mw
>- --
>Registered Linux - 256979
>NRA Life
>ARS: W0TMW
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.7 (GNU/Linux)
>
>iD8DBQE/Xmw75fq6h2uDDlQRAo19AJ0b7lTF575OQW1n8GltJkaFjnaWfgCcDAhM
>ZEqE+QVqo+Nqj+unyMrtYO8=
>=NX+2
>-----END PGP SIGNATURE-----
>
>
>--
>This message has been scanned for viruses and
>dangerous content by F-Prot and MailScanner,
>and is believed to be clean.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 10 02:47:03 2003
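The ".rpmnew" step described in the F-Prot update reply above (move the files ending in ".rpmnew" over the old ones), as an added Python example that is not MailScanner code. It lists what would change before touching anything and keeps a copy of each replaced file; the backup suffix and the file names in the demo are assumptions.

```python
import filecmp
import os
import shutil
import tempfile
from pathlib import Path

SUFFIX = ".rpmnew"


def find_rpmnew(root):
    """List (current_path, rpmnew_path, state) for every *.rpmnew under root.

    state is "missing" (no old file), "identical" or "differs".
    """
    pending = []
    for new in sorted(Path(root).rglob("*" + SUFFIX)):
        current = new.with_name(new.name[: -len(SUFFIX)])
        if not current.exists():
            state = "missing"
        elif filecmp.cmp(current, new, shallow=False):
            state = "identical"
        else:
            state = "differs"
        pending.append((current, new, state))
    return pending


def apply_rpmnew(root, backup_suffix=".before-upgrade"):
    """Move each *.rpmnew over its old file, as described in the reply above.

    An old file that differs is first copied aside (the backup suffix is an
    assumption of this example) so local changes can be compared afterwards.
    The replaced file ends up with the mode bits of the .rpmnew file.
    """
    replaced = []
    for current, new, state in find_rpmnew(root):
        if state == "differs":
            shutil.copy2(current, current.with_name(current.name + backup_suffix))
        os.replace(new, current)
        replaced.append(current.name)
    return replaced


def demo():
    """Run both steps on a constructed directory instead of /usr/lib/MailScanner."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        # Constructed file names and contents, for illustration only.
        (base / "example-autoupdate").write_text("#!/bin/sh\n# script from the old release\n")
        (base / "example-autoupdate.rpmnew").write_text("#!/bin/sh\n# script from the new release\n")
        (base / "example-wrapper").write_text("unchanged\n")
        (base / "example-wrapper.rpmnew").write_text("unchanged\n")
        before = [(cur.name, state) for cur, _new, state in find_rpmnew(base)]
        replaced = apply_rpmnew(base)
        after = sorted(p.name for p in base.iterdir())
        live = (base / "example-autoupdate").read_text()
        return before, replaced, after, live


if __name__ == "__main__":
    for item in demo():
        print(item)
```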
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:53 2006
Subject: MailScanner Eating Up System Proccesses
In-Reply-To: <20030909224407.M20022@comp-wiz.com>
Message-ID: <5.2.1.1.2.20030910024616.03b76f18@imap.ecs.soton.ac.uk>

I suggest you start by looking at your maillog and see what is being logged. It may be something as simple as an error in the conf files. The maillog is the key to tracking down a lot of problems like this.

At 23:52 09/09/2003, you wrote:
>Now I have a new problem. When I start MailScanner it seems to tie up my
>system so bad that I can't even access web pages. When I look at the
>system processes there are a number of MailScanner processes running
>eating up the CPU, some processes as high as 13% and then they go down
>from there to like 9%, 7% and so forth. You add them all up and the
>system is almost at a standstill. It never used to do this so I don't
>understand why it is. Any ideas?
>
>Vernon Webb

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030910/becc1be6/attachment.html

From mailscanner at ecs.soton.ac.uk Wed Sep 10 02:56:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:53 2006
Subject: Newbie Question: MCP Feature
In-Reply-To:
Message-ID: <5.2.1.1.2.20030910025541.03bda7b8@imap.ecs.soton.ac.uk>

Please remember that the MCP stuff in there is strictly prototype at the moment, I wouldn't even call it alpha-test code yet. I make no guarantees whatsoever that any of it works, but it basically seemed to work when I tested it.

At 21:36 09/09/2003, you wrote:
>Hello Group,
>
>i have two strange Problems with the new MCP-Feature in MailScanner...
>
>System:
>Debian Woody 3.0R1
>MailScanner Version 4.23-11
>SpamAssassin Version 2.55
>Clamav Version 0.60
>
>MCP doesn't check Mails for "Keywords", but all other Features in
>Mailscanner works fine.
>
>I try to use the paths who are permitted in the standard "MCP-Configuration"
>in MailScanner.conf (%mcp-dir%). When a Message pass MailScanner i can
>see that the MCP-Check seems to start up with no errors in mail.log,
>mail.info, etc. but detect absolutely nothing (no keywords from
>example-rulefile and/or nothing from self written rulefile).
>
>The second Problem is when I set "Is Definitely MCP" in MailScanner.conf to
>"Yes" for example, every Mail will be marked as MCP... This works fine...
>But when I set the "Non MCP Actions" to deliver and "MCP Action" to bounce,
>no bouncemail will send. The Logfile shows the "Message File" can't be
>found...
>The "Sender MCP Report" Path is set correctly...
>
>For testing I try to clear all Paths in the "MCP-Configuration".
>I know that MCP with no Paths use the "normal" SpamAssassin with the
>included SPAM-Detection Rules and not the "MCP-Rules"...
>Whatever, the Logs show that MCP detects "SPAM" equal to the following
>SPAM-Check (SpamAssassin)...
>( With this Configuration MailScanner crashes after the SPAM-Check and all
>Email send thru MailScanner will not delivered ;-) )
>
>For me it seems to be a SpamAssassin or Rulesetproblem?
>What means the "second" copy of Spamassassin (MCP)? A manual started
>SpamAssassin?
>Have anyone tested this Feature or have it running?
>
>Can anybody help me?
>
>
>Thanks
>
>Holger

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From jaearick at COLBY.EDU Wed Sep 10 03:21:22 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:19:53 2006
Subject: MS 4.23-11: SA no go
Message-ID:

Julian,

It is late at night, and I haven't investigated, but SA 2.60 seems to have quit after I upgraded to 4.23-11. SA works fine 4.22-5, so I have dropped back to that. I didn't notice that SA wasn't there for a day with 4.23-11. Setup: Solaris 9, both SA 2.60 and MS installed from tarballs, Razor, sendmail. The output of "spamassassin -D --lint" looks normal to me. Any ideas? The 4.23-11 conf file says to use SA (checked the conf file, and it looks right). Hmmm...

--- Jeff Earickson

From mailscanner at ecs.soton.ac.uk Wed Sep 10 03:45:51 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:53 2006
Subject: MS 4.23-11: SA no go
In-Reply-To:
Message-ID: <5.2.1.1.2.20030910034113.01648d98@imap.ecs.soton.ac.uk>

I've just tried this on a RH8 box and it works fine. The only thing changed between the 2 versions of the SA support in MailScanner is that the "Max SpamAssassin Size" check causes the message to be truncated rather than ignored. So big spam doesn't evade the check completely, it just gets its end chopped off.

I haven't had a chance to install it all on Solaris 9 yet. I've got a Sun in my office back home, I must get around to updating that to Solaris 9 (assuming I can find the media, we have a site licence).

Can you put through it the 2 sample messages supplied with SpamAssassin (sample-nonspam.txt and sample-spam.txt) and show me all the MailScanner headers you get please. Would be worth setting "Always Include SpamAssassin Report = yes" as well, so we can see what happens to the non-spam example.

At 03:21 10/09/2003, you wrote:
>Julian,
>
>It is late at night, and I haven't investigated, but SA 2.60
>seems to have quit after I upgraded to 4.23-11. SA works fine
>4.22-5, so I have dropped back to that. I didn't notice that SA
>wasn't there for a day with 4.23-11. Setup: Solaris 9, both
>SA 2.60 and MS installed from tarballs, Razor, sendmail.
>The output of "spamassassin -D --lint" looks normal to me.
>Any ideas? The 4.23-11 conf file says to use SA (checked the
>conf file, and it looks right). Hmmm...
>
>--- Jeff Earickson

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Sep 10 03:48:39 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:53 2006
Subject: Exim, FreeBSD and Mailscanner
In-Reply-To:
Message-ID: <5.2.1.1.2.20030910034734.03bc74e8@imap.ecs.soton.ac.uk>

What are the exact lines in your MailScanner.conf file that set these variables? (Please cut and paste, don't retype, I want to see if there are any typos or anything weird in them)

At 22:41 09/09/2003, you wrote:
>I have been trying to install Mailscanner, and I have reached a strange
>problem with the expansion of directory variables like %etc-dir%. When they
>are expanded they get expanded as exponents, so my directory paths are all
>incorrect. Here is the entry from the maillog:
>
>Sep 9 17:30:01 mail MailScanner[56695]: MailScanner E-Mail Virus Scanner
>version 4.21-9 starting...
>Sep 9 17:30:01 mail MailScanner[56695]: Could not read file %etc-
>dir%/spam.assassin.prefs.conf
>Sep 9 17:30:01 mail MailScanner[56695]: Error in line 783,
>file "0.000000e+00tc-dir%/spam.assassin.prefs.conf" for
>spamassassinprefsfile does not exist (or can not be read)
>
>Does anyone know how I can fix this?
>
>Thanks,
>
>Ron.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From ugob at CAMO-ROUTE.COM Wed Sep 10 04:04:51 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:19:53 2006
Subject: Spamassassin keeps on dying
Message-ID: <54C38A0B814C8E438EF73FC76F362927313219@mtlnt501fs.CAMOROUTE.COM>

Hi,

I've been testing MailScanner successfully, but I have a few questions. I've been following the mailing list for a while, but haven't found complete answers yet, and searching the archives is quite hard.

Here is my setup:

internet -> Mailscanner (pentium II 300, scsi) -> Exchange server (with symantec AV)

I currently use only MailScanner with ClamAV. My goal is to reduce the load on the Exchange server by blocking most dangerous files before they reach it. While at it, I want to reduce the spam entering our system. It adds security at the same time, by adding one anti-virus layer, and preventing the Exchange server from being connected directly to the net. I use MRTG for stats. Since we only process a maximum of 100 messages a day, the setup is OK. I'm running RedHat 9.

I'd like to add SpamAssassin to my setup. I installed it from the source, and modified MailScanner.conf accordingly, but I always get this message:

SpamAssassin timed out and was killed, consecutive failure 1 of 20

Is there a MS, SA, DCC, Pyzor, Razor how-to? (I installed most of them, but I don't know how to make them work together.)

Another concern I have is regarding virus delivery and dangerous HTML. Since I want to reduce the load on my Exchange server, I don't want viruses to be delivered, unless they are disinfected (I don't want to have a message delivered to the recipient saying that MS stopped a virus, they don't care). I use stats from MRTG to show my boss the benefits of MS. Consequently, I don't want viruses to be delivered, but I want dangerous HTML messages to be converted to text and sent to the recipient. However, I tried it and when I ask not to deliver viruses, it applies this setting to the bad html and therefore the convert dangerous html to text is ignored.

For spam, I want that high-score spam not delivered, stored and forwarded to me, and I want regular spam to be stored, and a message to the recipient sent saying there was a spam, and where to get it if it is not one.

How would I have to configure my system to achieve my goals? What files should I send to the list to complete my question?

From ron at SUMMIT-TECH.CA Wed Sep 10 04:16:04 2003
From: ron at SUMMIT-TECH.CA (Ron Nessim)
Date: Thu Jan 12 21:19:53 2006
Subject: Exim, FreeBSD and Mailscanner
Message-ID:

> What are the exact lines in your MailScanner.conf file that set these
> variables? (Please cut and paste, don't retype, I want to see if there are
> any typos or anything weird in them)

Here is an excerpt from the config file where these variables are set:

#
# Definition of variables which are substituted into definitions below
#

# Set the directory containing all the reports in all the languages
%report-dir% = /usr/local/share/MailScanner/reports/en

# Configuration directory containing this file
%etc-dir% = /usr/local/etc/MailScanner

# Rulesets directory containing your ".rules" files
%rules-dir% = /usr/local/etc/MailScanner/rules

#
# System settings
# ---------------
#
[...]

Thanks,

Ron.

From ugob at CAMO-ROUTE.COM Wed Sep 10 04:39:18 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:19:53 2006
Subject: Spamassassin keeps on dying
Message-ID: <54C38A0B814C8E438EF73FC76F362927303498@mtlnt501fs.CAMOROUTE.COM>

If it can help, here is the output of:

[root@mail postfix.in]# spamassassin -D --lint --config-file=/etc/MailScanner/spam.assassin.prefs.conf
debug: Score set 0 chosen.
debug: running in taint mode? no
debug: ignore: using a test message to lint rules
debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for site rules dir
debug: using "/root/.spamassassin" for user state dir
debug: using "/root/.spamassassin/user_prefs" for user prefs file
debug: using "/root/.spamassassin" for user state dir
debug: bayes: no dbs present, cannot scan: /root/.spamassassin/bayes_toks
debug: Score set 1 chosen.
debug: Initialising learner
debug: debug: Only 0 spam(s) in Bayes DB < 200
debug: bayes: 11908 untie-ing
debug: bayes: 11908 untie-ing db_toks
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=0
debug: running uri tests; score so far=0
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0
debug: running meta tests; score so far=0
debug: is spam? score=0 required=5 tests=
debug: bayes: 11908 untie-ing

From mailscanner at ELKNET.NET Wed Sep 10 06:55:43 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:53 2006
Subject: F-prot revisited
Message-ID: <200309100452.h8A4qGr23793@ori.rl.ac.uk>

Sorry about the delay in responding, been busy lately :)

###############################
1)

>On Wed, 3 Sep 2003, Alan Fiebig wrote:
>
>> While F-Prot's $29 Linux workstation version is all you technically need
>> to run with MailScanner, per F-Prot, you would be in violation of their
>> license. Their expensive 'per user' mail server version contains a whole

>On Wed, 3 Sep 2003, Steffan replied back:
>
>But they don't sell the command line version for servers ! They just sell
>bigger products - and we don't need that, we use MailScanner.

I know, that is my entire point. They only sell the stand alone command line scanner for workstations. To comply with the F-Prot license, you have to buy the big mail server product, which is expensive due to it being priced per mailbox. Then, after buying the big package, you end up only using a tiny portion of it, the command line scanner. All the rest of the product was wasted since you don't need it for MailScanner.

If you were to buy the inexpensive, $29 workstation command line scanner, it would work perfectly with MailScanner. But then you would be in violation of F-Prot's license.

###############################
2)

>Even on the CA page, I didn't see a final price for the product I need,
>but maybe at that time I was already too tired after trying to find a
>price.

That's because you don't buy it from CA, you buy it from a reseller. In my earlier post, I mentioned that the lowest price for e-Trust is $129 for a 5 node license. The price has now come down a bit. You can find it at CDW for example:

http://www.cdw.com/shop/products/default.asp?EDC=475675

###############################
3)

>On Fri, 5 Sep 2003, G. Armour Van Horn replied back:
>
>Based on your comments, I went looking for the product. I found
>http://www.my-etrust.com/ and browsed around a bit, even
>asked "Sammy" about Linux, but didn't see a trace of anything but
>Windows software. If I buy the five-pack, is there a Linux version
>in there somewhere, or can you post a URL that gets to the Linux version?

In the 5 node license I mentioned, which now sells for $109 from CDW, you get 11 different versions included:

1) Windows - Win95 on up, workstations and servers
2) Linux
3) Exchange
4) Lotus Notes/Domino
5) Stand alone firewall
6) PocketPC PDA
7) Palm PDA
8) Macintosh
9) Proxy servers - Microsoft and Apache
10) Novell servers
11) Sun Solaris

Use as many or as few of the versions as you wish on up to 5 hosts, all for $109.

-Alan

From newsletters at PCSITES.COM Wed Sep 10 06:42:53 2003
From: newsletters at PCSITES.COM (Richard Ahlquist)
Date: Thu Jan 12 21:19:53 2006
Subject: F-prot revisited
In-Reply-To: <200309100452.h8A4qGr23793@ori.rl.ac.uk>
Message-ID: <000001c3775e$620c24a0$5f01a8c0@MINE>

Alan,

First let me state IANAL. I have followed comments on the list about F-prot since they changed their license. I have been running the workstation command line version since day one and will most likely continue to do so until something better comes along.

Here is my issue with what you said though. I looked at the workstation license and to say it's vague is an understatement, nowhere in the page I saw ( http://www.f-prot.com/support/helpfiles/unix/linux_ws/license.html ) did it state you cannot use the product in conjunction with MailScanner or in any type of automated system or even on a system running a mail server/daemon/thingamabob.

As a matter of fact on this page ( http://www.f-prot.com/support/helpfiles/unix/linux_ws/comm_scan.html ) it specifically mentions that it can be called from other applications. Also please note, nowhere in the license for the product do they mention a definition of what the difference is between a workstation and anything else.

So unless F-prot has posted the wrong licensing info to their site there is nothing in writing that I see that says I can't use their command line scanner to scan the files on my system. Whether they are being copied from one folder to another by hand or by sendmail.

Just my 2 cents. Take them or leave them.

Richard

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Alan Fiebig Sent: Wednesday, September 10, 2003 1:56 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: F-prot revisited Sorry about the delay in responding, been busy lately :) ############################### 1) >On Wed, 3 Sep 2003, Alan Fiebig wrote: > >> While F-Prot's $29 Linux workstation version is all you technically need >> to run with MailScanner, per F-Prot, you would be in violation of their >> license. Their expensive 'per user' mail server version contains a whole >On Wed, 3 Sep 2003, Steffan replied back: > >But they don't sell the command line version for servers ! They just sell >bigger products - and we don't need that, we use MailScanner. I know, that is my entire point. They only sell the stand alone command line scanner for workstations. To comply with the F-Prot license, you have to buy the big mail server product, which is expensive due to it being priced per mailbox. Then, after buying the big package, you end up only using a tiny portion of it, the command line scanner. All the rest of the product was waisted since you don't need it for MailScanner. If you were to buy the inexpensive, $29 workstation command line scanner, it would work perfectly with MailScanner. But then you would be in violation of F-Prot's license. ############################### 2) >Even on the CA page, I didn't see a final price for the product I need, >but maybe at that time I was already too tired after trying to find a >price. That's because you don't buy it from CA, you buy it from a reseller. In my earlier post, I mentioned that the lowest price for e-Trust is $129 for a 5 node license. The price has now come down a bit. You can find it at CDW for example: http://www.cdw.com/shop/products/default.asp?EDC=475675 ############################### 3) >On Fri, 5 Sep 2003, G. Armour Van Horn replied back: > >Based on your comments, I went looking for the product. 
I found >http://www.my-etrust.com/ and browsed around a bit, even >asked "Sammy" about Linux, but didn't see a trace of anything but >Windows software. If I buy the five-pack, is there a Linux version >in there somewhere, or can you post a URL that gets to the Linux version? In the 5 node license I mentioned, which now sells for $109 from CDW, you get 11 different versions included: 1) Windows - Win95 on up, workstations and servers 2) Linux 3) Exchange 4) Lotus Notes/Domino 5) Stand alone firewall 6) PocketPC PDA 7) Palm PDA 8) Macintosh 9) Proxy servers - Microsoft and Apache 10) Novell servers 11) Sun Solaris Use as many or as few of the versions as you wish on up to 5 hosts, all for $109. -Alan From christo at IT4AFRICA.CO.ZA Wed Sep 10 07:55:44 2003 
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:19:53 2006
Subject: Filetype rules Not working
Message-ID: <006401c37768$8e801a50$660210ac@christo>

I am running the latest MS on a redhat 9 box. I want to allow all filetypes for certain people and block the rest of people with the default filetype list. Here are my config files

filetype.allowall.rules.conf

allow . - -

filetype.rules.conf

allow text - -
allow script - -
allow archive - -
deny self-extract No self-extracting archives No self-extracting arch
deny ELF No executables No programs allowed
deny executable No executables No programs allowed
deny MPEG No MPEG movies No MPEG movies allowed
deny AVI No AVI movies No AVI movies allowed
deny MNG No MNG/PNG movies No MNG movies allowed
deny QuickTime No QuickTime movies No QuickTime movies allowed
deny Registry No Windows Registry entries No Windows Registry fil

Mailscanner.conf

Filetype Rules = %rules-dir%/filetype.rules

filetype.rules

FromOrTo: someone@* /etc/MailScanner/filetype.allowall.rules.conf
FromOrTo: default /etc/MailScanner/filetype.rules.conf

With this config it should work if I send to or from someone@any of my domains to allow all file types and block the rest. BUT it is not working.

Any ideas

Thanx
Christo

Disclaimer
----------------
This message and any attachment/s are confidential and intended solely for the addressee. If you have received this message in error, please notify AG Industries Limited immediately. Any unauthorised use, alteration or dissemination is prohibited. Whilst every effort has been made to ensure no viruses are present in this e-mail and/or attachments, we strongly recommend that you subject this e-mail and attachment/s to your own virus checking procedures prior to opening. AG Industries Limited accepts no liability whatsoever for any loss, whether direct, indirect or consequential, arising from information made available and actions resulting there from. Messages sent via this medium may be subject to delays, non-delivery and unauthorised alteration. Any recipient of an unacceptable communication, a chain letter or offensive material of any nature is requested to report it to Postmaster@ag-industries.com

From dot at DOTAT.AT Wed Sep 10 09:19:40 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:53 2006
Subject: Exim, FreeBSD and Mailscanner
In-Reply-To:
Message-ID:

Ron Nessim wrote:
>I have been trying to install Mailscanner, and I have reached a strange
>problem with the expansion of directory variables like %etc-dir%. When they
>are expanded they get expanded as exponents, so my directory paths are all
>incorrect. Here is the entry from the maillog:
>
>Sep 9 17:30:01 mail MailScanner[56695]: MailScanner E-Mail Virus Scanner
>version 4.21-9 starting...

4.21 doesn't support %variable% expansion.

Tony.
--
f.a.n.finch http://dotat.at/
HEBRIDES BAILEY: SOUTHEASTERLY 4 INCREASING 6 OR 7, PERHAPS GALE 8 LATER. RAIN AT TIMES. GOOD.

From dcmwai at AMTB-M.ORG.MY Wed Sep 10 12:32:50 2003
From: dcmwai at AMTB-M.ORG.MY (Chan Min Wai)
Date: Thu Jan 12 21:19:53 2006
Subject: blacklist...
In-Reply-To: <3F5E0E82.90513C2F@ihs.com>
References: <3F5E0D4F.2060906@amtb-m.org.my> <3F5E0E82.90513C2F@ihs.com>
Message-ID: <3F5F0BE2.5050709@amtb-m.org.my>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dustin Baer wrote:

> Yes, take a look in the MailScanner.conf file for:
>
> # Spam Blacklist:
> # Make this point to a ruleset, and anything in that ruleset whose value
> # is "yes" will *always* be marked as spam.
> # This can also be the filename of a ruleset.
> Is Definitely Spam =
>
> Dustin
>

So I'll point it to somewhere like this

Is Definitely Spam = %rules-dir%/spam.blacklist.rules

and in this spam.blacklist.rules is the content the same as the whitelist?

FromOrTo: spam@spammer.org yes
From: anotherspam@cracker.org yes

Am I right?

Thank You

- --
- ------------------------------
Amitabha Buddhist Society (M)
16A, 1st Floor, Jalan Pahang, 53000, Kuala Lumpur, Malaysia.
Tel:+603-40414101, 40452630
Fax:+603-40412172
WebPage: http://www.amtb-m.org.my
E-Mail: amtbmy@amtb-m.org.my
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/XwvfV0p9slMZLW4RAseEAJ4g4ai3Z8YVYKjDLXvxRmgN2HleIACgvNow
Shq2eq6gZgZRM1kzO30I7C8=
=EHS8
-----END PGP SIGNATURE-----

From steve.douglas at SBIINCORPORATED.COM Wed Sep 10 14:31:27 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:19:53 2006
Subject: F-Prot update fails after upgrade
Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FD08@mail.gardenbotanika.com>

I performed the below directions and now I receive the following:

"Invalid command-line option "/usr/local/f-prot"

SD :-)

> -----Original Message-----
> From: Julian Field [mailto:] > Sent: Tuesday, September 09, 2003 8:44 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: F-Prot update fails after upgrade > > If you look in /usr/lib/MailScanner, you will find one or more files whose > names end with ".rpmnew". These need to be moved over the top of the old > files. > This is documented on the downloads page on the website, right at the top. > > At 01:07 10/09/2003, you wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >Maybe I missed it if this was listed before, but I upgraded to 4.23-11 > >from 4.22-? and since the upgrade, I'm getting this message from cron. > >====================================================== > >/etc/cron.hourly/update_virus_scanners: > > > >find: invalid predicate `-IsItInstalled' > >Error: /AUTO may not be specified unless /DELETE, /DISINF or /RENAME > >are included on the command line as well. > >Virus scanning report - 7 September 2003 @ 5:01 > > > >F-PROT ANTIVIRUS > >Program version: 3.13 > >Engine version: 3.13.1 > > > >VIRUS SIGNATURE FILES > >SIGN.DEF created 1 September 2003 > >SIGN2.DEF created 2 September 2003 > >MACRO.DEF created 1 September 2003 > > > >Search: /usr/local/f-prot > >Action: Report only > >Files: "Dumb" scan of all files > >Switches: -ARCHIVE -AI -OLD > > > > > >Results of virus scanning: > > > >Files: 23 > >MBRs: 0 > >Boot sectors: 0 > >Objects scanned: 23 > > > >Time: 0:01 > > > >No viruses or suspicious files/boot sectors were found. > > > >Is there a patch to take care of this? > > > >Mike W > >- -- > >Registered Linux - 256979 > >NRA Life > >ARS: W0TMW > > > > > > > > > > > > > > > > > >-----BEGIN PGP SIGNATURE----- > >Version: GnuPG v1.0.7 (GNU/Linux) > > > >iD8DBQE/Xmtc5fq6h2uDDlQRAgCaAJ4pi49iZuB1p3gNvuytA32VerTf9QCePNR6 > >DdEa2/K+GRSPp8XUmEGPz7k= > >=DSPy > >-----END PGP SIGNATURE----- > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by F-Prot and MailScanner, > >and is believed to be clean. 
> > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From mailscanner at LISTS.COM.AR Wed Sep 10 14:34:52 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:53 2006 Subject: SOLVED Filename Subject Text vs. Content Subject Text In-Reply-To: <000701c37723$cec67860$0a010a0a@prometheus> Message-ID: <3F5EFE4C.8567.4F9FECB@localhost> Alright... I look at the code and the bug is quite trivial. The following patch solves it: ===================================CUT HERE================================== --- Message.pm.orig Wed Sep 10 10:27:53 2003 +++ Message.pm Wed Sep 10 10:29:45 2003 @@ -1923,7 +1923,7 @@ !$this->{nameinfected} && # They want the tagging & not already tagged !$global::MS->{mta}->TextStartsHeader($this, 'Subject:', $contenttag)) { if (MailScanner::Config::Value('contentprependsubject',$this)) { - $global::MS->{mta}->PrependHeader($this, 'Subject:', $nametag, ' '); + $global::MS->{mta}->PrependHeader($this, 'Subject:', $contenttag, ' '); $subjectchanged = 1; } } else { ===================================CUT HERE================================== Julian, would you apply it to the next release? El 9 Sep 2003 a las 23:43, Ulysees escribi?: > I'm getting the same thing, MS 4.23-11 no SA and any mail being caught with > a html form is coming up with filename? > > uly > > ----- Original Message ----- 
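Review bot: in the Message.pm hunk at line 1923, the guard two lines above the changed call tests TextStartsHeader against $contenttag while the old PrependHeader call wrote $nametag, so before this change the already-tagged check could not match the text that had just been prepended whenever the two subject texts differ; the one-line swap to $contenttag makes the guard and the write agree. The context stops at "} else {", so the branch that follows is not visible here: please confirm it does not carry the mirrored $nametag/$contenttag mix-up before this goes into a release.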
> From: "Mariano Absatz"
> To:
> Sent: Tuesday, September 09, 2003 10:35 PM
> Subject: [MAILSCANNER] Filename Subject Text vs. Content Subject Text
>
>
> Hi,
>
> I'm using MS 4.23-11 with SA 2.55.
>
> It seems MS is somehow confusing "Filename Subject Text" "Content Subject
> Text".
>
> I have the following settings:
> Allow IFrame Tags = no
> Log IFrame Tags = yes
> Allow Form Tags = no
> Allow Object Codebase Tags = no
> Filename Modify Subject = no
> Filename Subject Text = {Nombre de archivo anexo prohibido}
> Content Modify Subject = yes
> Content Subject Text = {Contenido potencialmente peligroso}
>
> And, when getting a message with IFrame, it added the "Filename Subject
> Text" instead of the "Content Subject Text" I expected.
>
> Here's the log:
>
> Sep 5 14:43:51 or MX[4995]: New Batch: Scanning 1 messages, 43452 bytes
> Sep 5 14:43:51 or MX[4995]: Spam Checks: Starting
> Sep 5 14:43:54 or MX[4995]: Virus and Content Scanning: Starting
> Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-156.html
> (no rule matched)
> Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-155.txt
> Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-155.txt
> Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-156.html
> Sep 5 14:43:54 or MX[4995]: HTML IFrame tag found in message 1221617 from
> boletininformar@redinformar.com.ar
> Sep 5 14:43:54 or MX[4995]: Content Checks: Detected HTML-specific
> exploits in 1221617
> Sep 5 14:43:54 or MX[4995]: Content Checks: Found 1 problems
> Sep 5 14:43:54 or MX[4995]: ZM: message 1221617 renamed into 1156463
> Sep 5 14:43:54 or MX[4995]: Silent: Delivered 1 messages containing silent
> viruses
>
>
> And the modified was:
> {Nombre de archivo anexo prohibido} RI-Boletín Informar Computación: Año 1 -
> Número 51 - SEPTIEMBRE 5, 2003
>
>
> Are these entries mixed up?
> > > -- > Mariano Absatz > El Baby > ---------------------------------------------------------- > Don't worry about the world coming to an end today.It's already tomorrow in > Australia. -- Charles Schulz -- Mariano Absatz El Baby ---------------------------------------------------------- I must confess, I was born at a very early age. -- Groucho Marx From ugob at CAMO-ROUTE.COM Wed Sep 10 14:40:41 2003 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:19:53 2006 Subject: Mailscanner-mrtg Message-ID: <54C38A0B814C8E438EF73FC76F36292731321B@mtlnt501fs.CAMOROUTE.COM> Hi, I've installed mailscanner-mrtg with the rpm, but I don't see anything in the "Mail Relayed Daily Graph" nor in "MBytes of Mail Transferred Daily Graph" nor " Copies Of Sendmail Daily Graph". I'm using MS 4.23-11 on Redhat9 with postfix. I have a small volume of e-mails (max 100/days). Also, in "Number Of Files In Outoing Queue", I've got an average of 226 files. In "Number Of Files In Incoming Queue", I've got an average of 209 files. Is this normal? From andersjk at SOL-INVICTUS.ORG Wed Sep 10 14:45:03 2003 From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson) Date: Thu Jan 12 21:19:53 2006 Subject: A humble opinion is needed Message-ID: Hi All, I have had MailScanner installed for quite some time, and it works great, still there have been calls that it's not quite good enough. The latest "Manager" wants to get in for discussion "Messagelabs" product for spam/virus/porn filtering. www.messagelabs.com. I would like to keep MailScanner up and running, basically I need some info on Messagelabs if they are good or bad or are they using MailScanner in the background? :) I apologize if this is not the appropriate forum. thanks in advance, Kevin Anderson -- @ _____________________________________________ chaos, panic and disorder... my job is done... From mailscanner at ecs.soton.ac.uk Wed Sep 10 13:14:13 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:53 2006 Subject: MS 4.23-11: SA no go In-Reply-To: <5.2.1.1.2.20030910034113.01648d98@imap.ecs.soton.ac.uk> References: Message-ID: <5.2.1.1.2.20030910131344.027e90f8@imap.ecs.soton.ac.uk> MCP doesn't work if SpamAssassin is enabled. I have yet to work out why... At 03:45 10/09/2003, you wrote: >I've just tried this on a RH8 box and it works fine. The only thing changed >between the 2 versions of the SA support in MailScanner is that the "Max >SpamAssassin Size" check causes the message to be truncated rather than >ignored. So big spam doesn't evade the check completely, it just gets its >end chopped off. > >I haven't had a chance to install it all on Solaris 9 yet. I've got a Sun >in my office back home, I must get around to updating that to Solaris 9 >(assuming I can find the media, we have a site licence). > >Can you put through it the 2 sample messages supplied with SpamAssassin >(sample-nonspam.txt and sample-spam.txt) and show me all the MailScanner >headers you get please. Would be worth setting "Always Include SpamAssassin >Report = yes" as well, so we can see what happens to the non-spam example. > >At 03:21 10/09/2003, you wrote: >>Julian, >> >>It is late at night, and I haven't investigated, but SA 2.60 >>seems to have quit after I upgraded to 4.23-11. SA works fine >>4.22-5, so I have dropped back to that. I didn't notice that SA >>wasn't there for a day with 4.23-11. Setup: Solaris 9, both >>SA 2.60 and MS installed from tarballs, Razor, sendmail. >>The output of "spamassassin -D --lint" looks normal to me. >>Any ideas? The 4.23-11 conf file says to use SA (checked the >>conf file, and it looks right). Hmmm... 
>>
>>--- Jeff Earickson
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From edu at ICARUS.COM.BR Wed Sep 10 15:01:10 2003
From: edu at ICARUS.COM.BR (Eduardo Andre)
Date: Thu Jan 12 21:19:53 2006
Subject: Mailscanner-mrtg
In-Reply-To: <54C38A0B814C8E438EF73FC76F36292731321B@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F36292731321B@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <28394.200.244.152.3.1063202470.squirrel@10.0.1.3>

MailScanner-MRTG is made to work with MailScanner on Sendmail and not with MailScanner on Postfix.

You'll need to change the scripts of MailScanner-MRTG to work with Postfix.

Regards,
Eduardo

> Hi,
>
> I've installed mailscanner-mrtg with the rpm, but I don't see
> anything in the "Mail Relayed Daily Graph" nor in "MBytes of
> Mail Transferred Daily Graph" nor " Copies Of Sendmail Daily
> Graph". I'm using MS 4.23-11 on Redhat9 with postfix. I have a
> small volume of e-mails (max 100/days).
>
> Also, in "Number Of Files In Outoing Queue", I've got an average
> of 226 files. In "Number Of Files In Incoming Queue", I've got an
> average of 209 files.
>
> Is this normal?
>

From martinh at SOLID-STATE-LOGIC.COM Wed Sep 10 14:56:42 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:19:53 2006
Subject: A humble opinion is needed
In-Reply-To:
References:
Message-ID: <3F5F2D9A.3070206@solid-state-logic.com>

Kevin Anderson wrote:
> Hi All,
>
> I have had MailScanner installed for quite some time, and it works great,
> still there have been calls that it's not quite good enough. The latest
> "Manager" wants to get in for discussion "Messagelabs" product for
> spam/virus/porn filtering. www.messagelabs.com.
>
> I would like to keep MailScanner up and running, basically I need some
> info on Messagelabs if they are good or bad or are they using MailScanner
> in the background? :)
>
> I apologize if this is not the appropriate forum.
>
> thanks in advance,
> Kevin Anderson
>
> --
> @
> _____________________________________________
> chaos, panic and disorder... my job is done...

Kevin

Heard nothing but good reports about Messagelabs' service. Provides a MailScanner-like service, but obviously costs more, around £5000 as a minimum per year.

Their reporting seems OK, but I've not tried it, only looked at the interface, so I'm not sure they compete against the mailwatch/mailstats extensions, but it did seem pretty basic.

Other commercial alternatives are postini and brightview.

At the end of the day it depends whether the PHB can justify the costs of messagelabs vs whatever the costs are for mailscanner (av licences etc).

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
+44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com
**********************************************************************

From Antony at SOFT-SOLUTIONS.CO.UK Wed Sep 10 15:03:52 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:53 2006 Subject: A humble opinion is needed In-Reply-To: References: Message-ID: <200309101404.h8AE3xR08846@agate.rockstone.co.uk> On Wednesday 10 September 2003 2:45 pm, Kevin Anderson wrote: > Hi All, > > I have had MailScanner installed for quite some time, and it works great, > still there have been calls that it's not quite good enough. The latest > "Manager" wants to get in for discussion "Messagelabs" product for > spam/virus/porn filtering. www.messagelabs.com. > > I would like to keep MailScanner up and running, basically I need some > info on Messagelabs if they are good or bad or are they using MailScanner > in the background? :) I too would be interested in an objective comparison of what MS can do vs. what MessageLabs offer. I have no idea whether they use MS in their service - and they probably wouldn't say if they did (my opinion), however I have heard that: a) they are very good for anti-virus filtering (because they process so many emails that they often get to see the very early viruses, before signatures are available, and can pick them up by filename / filetype checks and then actually help to get the signatures created); and b) they are not so good for spam filtering for almost the same reason - they see so much email that they can't develop a single definition of what is spam. It might be interesting if anyone is running a MailScanner server on a link supplied by MessageLabs, to know what sort of spam levels they pick up (I would be worried if they picked up any viruses at all after being filtered by ML), as this would give some indication of what MS can do that ML can't (or doesn't). Antony. -- "John Major" and "Cher" are as much abstractions as "the national debt" or "the state of Welsh rugby". - Guy Claxton, Hare Brain, Tortoise Mind From David.While at UCE.AC.UK Wed Sep 10 15:09:57 2003 
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:19:53 2006
Subject: A humble opinion is needed
Message-ID: <107DE25EC0216C45AEF670016024245F6F24@exchangea.staff.uce.ac.uk>

I had a messagelabs server end up in my blocked list (using my MailStats program) - checking the logs indicated that it was spam that had been received from them.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

-----Original Message-----
From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] Sent: 10 September 2003 15:04 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: A humble opinion is needed On Wednesday 10 September 2003 2:45 pm, Kevin Anderson wrote: > Hi All, > > I have had MailScanner installed for quite some time, and it works great, > still there have been calls that it's not quite good enough. The latest > "Manager" wants to get in for discussion "Messagelabs" product for > spam/virus/porn filtering. www.messagelabs.com. > > I would like to keep MailScanner up and running, basically I need some > info on Messagelabs if they are good or bad or are they using MailScanner > in the background? :) I too would be interested in an objective comparison of what MS can do vs. what MessageLabs offer. I have no idea whether they use MS in their service - and they probably wouldn't say if they did (my opinion), however I have heard that: a) they are very good for anti-virus filtering (because they process so many emails that they often get to see the very early viruses, before signatures are available, and can pick them up by filename / filetype checks and then actually help to get the signatures created); and b) they are not so good for spam filtering for almost the same reason - they see so much email that they can't develop a single definition of what is spam. It might be interesting if anyone is running a MailScanner server on a link supplied by MessageLabs, to know what sort of spam levels they pick up (I would be worried if they picked up any viruses at all after being filtered by ML), as this would give some indication of what MS can do that ML can't (or doesn't). Antony. -- "John Major" and "Cher" are as much abstractions as "the national debt" or "the state of Welsh rugby". - Guy Claxton, Hare Brain, Tortoise Mind From Antony at SOFT-SOLUTIONS.CO.UK Wed Sep 10 15:16:53 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:53 2006
Subject: A humble opinion is needed
In-Reply-To: <107DE25EC0216C45AEF670016024245F6F24@exchangea.staff.uce.ac.uk>
References: <107DE25EC0216C45AEF670016024245F6F24@exchangea.staff.uce.ac.uk>
Message-ID: <200309101416.h8AEGvR08879@agate.rockstone.co.uk>

On Wednesday 10 September 2003 3:09 pm, David While wrote:
> I had a messagelabs server end up in my blocked list (using my MailStats
> program) - checking the logs indicated that it was spam that had been
> received from them.

Does this mean that people *send* their email through MessageLabs servers as well? I must admit I thought they were an incoming-only service - they operate by running MX on your DNS record, and then forwarding the filtered stuff to your own (not directly accessible to anyone else) mail server. I didn't know that customers sent their mail out through ML servers too.

Antony.

--
The idea that Bill Gates appeared like a knight in shining armour to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he who, by peddling second-rate technology, led them into it in the first place.
- Douglas Adams in The Guardian, August 25, 1995

From mbowman at UDCOM.COM Wed Sep 10 15:14:09 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:19:53 2006
Subject: OT: Sobig EOL ?
Message-ID:

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030910/a2e20ee9/attachment.html

From Kevin.Spicer at BMRB.CO.UK Wed Sep 10 15:23:43 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:53 2006 Subject: OT: Sobig EOL ? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496C3@pascal.priv.bmrb.co.uk> Matthew Bowman wrote: > Hi > > Sobig.F end of life is/was today? > Yep, Sobig-G tomorrow? 4 of the 6 previous versions came out the day after the previous one expired (and presumably one of the other 2 was Sobig-A!) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kim at SCHULZ.DK Wed Sep 10 15:23:28 2003 From: kim at SCHULZ.DK (Kim Schulz) Date: Thu Jan 12 21:19:53 2006 Subject: OT: Sobig EOL ? In-Reply-To: References: Message-ID: <20030910162328.3f0124f6.kim@schulz.dk> On Wed, 10 Sep 2003 10:14:09 -0400 Matthew Bowman wrote: > > Hi > > Sobig.F end of life is/was today? > > I've seen a massive reduction in sobig.f detections which is a good > thing. Anyone else seeing that too? > > My stats > http://smithers.vbcomm.net/mailstats/mrtg yes it is supposed to die today. Lets see if it actually happens. From jburzenski at AMERICANHM.COM Wed Sep 10 15:19:16 2003 
From: jburzenski at AMERICANHM.COM (Jason Burzenski) Date: Thu Jan 12 21:19:53 2006 Subject: A humble opinion is needed Message-ID: <9BDD6D4AD0795C46974D7D46C17883B8080AF552@ahm_exchange2> Kevin, According to some cursory google searches, messagelabs products borrow code from SpamAssassin which is what MS uses. So, you can argue to management that they will be paying for a similar product they are currently using for free. Jason -----Original Message----- From: Kevin Anderson [mailto:andersjk@SOL-INVICTUS.ORG] Sent: Wednesday, September 10, 2003 9:45 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: A humble opinion is needed Hi All, I have had MailScanner installed for quite some time, and it works great, still there have been calls that it's not quite good enough. The latest "Manager" wants to get in for discussion "Messagelabs" product for spam/virus/porn filtering. www.messagelabs.com. I would like to keep MailScanner up and running, basically I need some info on Messagelabs if they are good or bad or are they using MailScanner in the background? :) I apologize if this is not the appropriate forum. thanks in advance, Kevin Anderson -- @ _____________________________________________ chaos, panic and disorder... my job is done... -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030910/893eb1e5/attachment.html From jburzenski at AMERICANHM.COM Wed Sep 10 15:25:11 2003 From: jburzenski at AMERICANHM.COM (Jason Burzenski) Date: Thu Jan 12 21:19:53 2006 Subject: Sobig EOL ? Message-ID: <9BDD6D4AD0795C46974D7D46C17883B8080AF557@ahm_exchange2> I am currently reporting ~500 sobig messages blocked whereas yesterday there were well over 5000 by this time. I sent the MRTG graphs to management this morning illustrating the extinction of Sobig.F. -----Original Message----- 
From: Matthew Bowman [mailto:mbowman@UDCOM.COM] Sent: Wednesday, September 10, 2003 10:14 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: OT: Sobig EOL ? Hi Sobig.F end of life is/was today? I've seen a massive reduction in sobig.f detections which is a good thing. Anyone else seeing that too? My stats http://smithers.vbcomm.net/mailstats/mrtg Matthew -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030910/12dbeddc/attachment.html From mikea at MIKEA.ATH.CX Wed Sep 10 15:42:29 2003 
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:19:53 2006
Subject: OT: Sobig EOL ?
In-Reply-To: <20030910162328.3f0124f6.kim@schulz.dk>; from kim@SCHULZ.DK on Wed, Sep 10, 2003 at 04:23:28PM +0200
References: <20030910162328.3f0124f6.kim@schulz.dk>
Message-ID: <20030910094229.A99775@mikea.ath.cx>

On Wed, Sep 10, 2003 at 04:23:28PM +0200, Kim Schulz wrote:
> On Wed, 10 Sep 2003 10:14:09 -0400
> Matthew Bowman wrote:
> >
> > Hi
> >
> > Sobig.F end of life is/was today?
> >
> > I've seen a massive reduction in sobig.f detections which is a good
> > thing. Anyone else seeing that too?
> >
> > My stats
> > http://smithers.vbcomm.net/mailstats/mrtg
>
> yes it is supposed to die today. Lets see if it actually happens.

It appears to have died in fact: I saw *one* so far today, at 0320 local, and three Klez.

$ vrate3_week 2>/dev/null
Hour =  00  01  02  03  04  05  06  07  08  09  10  11  12  13  14  15  16  17  18  19  20  21  22  23
Sep 9    6   6   7   5   6   5   3   7  10  16  26  37  34  32  36  37  34  43  30  22  12  12  10   4
Sep 8   14   9  10  13   9  11  18  10  13  13  71 114 111 107 107 102  93  66  43  29  23  16  11   5
Sep 7   13  16  19  15  14  19  19  16  21  19  20  16  17  14  15   9  13   8  18  21  20  18  14  17
Sep 6    6   7   5  10   9   8   7   9  12  12  14  15  16  16  14  20  18  14  13  13  21  17  16  12
Sep 5    5   8   7  11   7   6   5  12   9  12  18  26  29  28  30  25  32  34  24  12   4   7   7   6
Sep 4    7   5   1   4   6   6  10  16  17  27  37  40  36  38  38  15  23  24  28   6  10   8   5   6
Sep 3   19  13  19  12  11   9  19  27  48  52  54  47  52  51  48  38  33  23  26  25  10   4   6   6
Sep 2    3   1   0   1   0   0   2  45  59  57  53  53  63  53  61  58  57  38  15  15  15  20  17  18
$ vrate2

Richard,

>Here is my issue with what you said though. I looked at the workstation
>license and to say its vague is an understatement, nowhere in the page I saw
>( http://www.f-prot.com/support/helpfiles/unix/linux_ws/license.html ) did
>it state you cannot use the product in conjunction with MailScanner or in
>any type of automated system or even on a system running a mail
>server/daemon/thingamabob.

This argument has been chewed on here a number of times, and the MS list really isn't the place to keep debating it. Let me summarize, and we can then leave it at that, I'm not on a soap box here. You are correct, the license does not spell out the requirements or differences between workstation and server versions. That failure on F-Prot's part may be a defense in court, or it may not. However, the F-Prot site does state the following three points quite plainly: (http://www.f-prot.com/support/unix_faq/22.html) ################################################# 1) F-Prot Antivirus for Linux/BSD Workstations: A Workstation license is intended for usage on a single-user workstation, protecting the user and systems on that same workstation. If the computer provides networked services, e.g., is a file sharing server e.g., Samba), web server or mail server, then a File Server or a Mail Server license would be required. The Workstation version is licensed per workstation. 2) F-Prot Antivirus for Linux/BSD File Servers: A File Server license is suitable for file sharing (e.g., Samba), application, print, web and FTP servers, i.e., computers that provide network services other than mail services, protecting the users of those services. If the computer provides mail services, e.g., is an in-coming or out-going mail server then a Mail Server license would be required. The File Server version is licensed per server. 3) F-Prot Antivirus for Linux/BSD Mail Servers: A Mail Server license is suitable for mail servers, for either in-coming or out-going mail, protecting the users against e-mail viruses and worms. The Mail Server version is licensed on a per user basis. 
################################################# So, in summary, the company that owns the software has told us that a) The workstation version IS NOT to be used on a mail server b) The file server version IS NOT to be used if the server provides mail services c) The mail server MUST be used on any server providing mail services, even if the inboxes are not local Letter of the law, or spirit of the law? Do you appreciate the software and signatures F-Prot provides you enough to not try and take advantage of a loophole? Are you willing to run the risk of court time and expenses defending your position of 'but the license didn't say so'? If so, then so be it. I however do not wish to risk my job and company, nor lower my business ethics to that level. If I don't agree with the price F-Prot is asking for their software (and I don't), then that's my choice. I will use another product (eTrust) which is very affordable and works great. If enough people move away from F-Prot, perhaps they will adjust their pricing plans. But, I will not go against F-Prots written statement of which version they require me to use. -Alan From richard_cipher at YAHOO.COM Wed Sep 10 15:58:08 2003 
From: richard_cipher at YAHOO.COM (Evert Ford)
Date: Thu Jan 12 21:19:53 2006
Subject: Error in Anti-Virus Software Recognition?
Message-ID:

I have:

Redhat 7.2 with current patches
Sendmail 8.12
SpamAssassin 2.55, using current versions of DCC and RAZOR
MailScanner 4.23-11

When I installed the current version of MailScanner, I started seeing the following in my mail log hourly:

Sep 10 02:01:01 myComputer update.virus.scanners: Found bitdefender installed
Sep 10 02:01:01 myComputer update.virus.scanners: Running autoupdate for bitdefender
Sep 10 02:01:01 myComputer update.virus.scanners: Found clamav installed
Sep 10 02:01:01 myComputer update.virus.scanners: Running autoupdate for clamav
Sep 10 02:01:03 myComputer ClamAV-autoupdate[23808]: ClamAV did not need updating
Sep 10 02:01:03 myComputer update.virus.scanners: Found f-prot installed
Sep 10 02:01:03 myComputer update.virus.scanners: Running autoupdate for f-prot
Sep 10 02:01:39 myComputer update.virus.scanners: Found panda installed
Sep 10 02:01:39 myComputer update.virus.scanners: Found rav installed
Sep 10 02:01:39 myComputer update.virus.scanners: Running autoupdate for rav

However, I only have f-prot and clamav installed, and should only be getting updates for those two. Everything seems to be working, just says it's getting updates for tools I don't have installed.

Any ideas?

Evert Ford
Westone Laboratories
www.westone.com

From Antony at SOFT-SOLUTIONS.CO.UK Wed Sep 10 17:25:49 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:53 2006 Subject: Error in Anti-Virus Software Recognition? In-Reply-To: References: Message-ID: <200309101625.h8AGPsR09191@agate.rockstone.co.uk> On Wednesday 10 September 2003 3:58 pm, Evert Ford wrote: > When I installed the current version of MailScanner, I started seeing the > following in my mail log hourly: > > Sep 10 02:01:01 myComputer update.virus.scanners: Found bitdefender > installed > Sep 10 02:01:01 myComputer update.virus.scanners: Found clamav installed > Sep 10 02:01:03 myComputer update.virus.scanners: Found f-prot installed > Sep 10 02:01:39 myComputer update.virus.scanners: Found panda installed > Sep 10 02:01:39 myComputer update.virus.scanners: Found rav installed > > However, I only have f-prot and clamav installed, and should only be > getting updates for those two. Everything seems to be working, just says > it's getting updates for tools i don't have installed. Can you check to see if you have any/all of the following *executable* files on your system? /usr/bin/pavcl /usr/local/bd7/shared/bdc /usr/local/bin/clamscan /usr/local/f-prot/f-prot /usr/local/rav8/bin/ravav I know it seems unlikely you'd have software you didn't know about, but the autoupdate script works by checking to see if the A-V executable exists and is executable, and if it finds it, attempts an update. I'd start by checking your machine to see if it's really finding something. Antony. -- There are only 10 types of people in the world: those who understand binary notation, and those who don't. From mikew at CRUCIS.NET Wed Sep 10 17:31:27 2003 
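An added example (not MailScanner's own code, and not part of any post above) of the check Antony describes, run over the log lines Evert posted: every scanner the update script reports as found is compared with whether its executable exists and is executable. The scanner-to-path mapping is an assumption inferred from the path names in Antony's list, and the `is_executable` parameter is a hypothetical hook so the audit can be run against a simulated host.

```python
import os
import re

# Executables listed in the thread. Which scanner each one belongs to is an
# assumption inferred from the path names, not taken from MailScanner.
SCANNER_PATHS = {
    "panda": "/usr/bin/pavcl",
    "bitdefender": "/usr/local/bd7/shared/bdc",
    "clamav": "/usr/local/bin/clamscan",
    "f-prot": "/usr/local/f-prot/f-prot",
    "rav": "/usr/local/rav8/bin/ravav",
}

# Log lines exactly as posted in the thread.
SAMPLE_LOG = """\
Sep 10 02:01:01 myComputer update.virus.scanners: Found bitdefender installed
Sep 10 02:01:01 myComputer update.virus.scanners: Running autoupdate for bitdefender
Sep 10 02:01:01 myComputer update.virus.scanners: Found clamav installed
Sep 10 02:01:01 myComputer update.virus.scanners: Running autoupdate for clamav
Sep 10 02:01:03 myComputer ClamAV-autoupdate[23808]: ClamAV did not need updating
Sep 10 02:01:03 myComputer update.virus.scanners: Found f-prot installed
Sep 10 02:01:03 myComputer update.virus.scanners: Running autoupdate for f-prot
Sep 10 02:01:39 myComputer update.virus.scanners: Found panda installed
Sep 10 02:01:39 myComputer update.virus.scanners: Found rav installed
Sep 10 02:01:39 myComputer update.virus.scanners: Running autoupdate for rav
"""

FOUND_RE = re.compile(r"update\.virus\.scanners: Found (\S+) installed\s*$")
UPDATE_RE = re.compile(r"update\.virus\.scanners: Running autoupdate for (\S+)\s*$")


def is_executable_file(path):
    """The test described in the thread: the file exists and is executable."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def parse_update_log(text):
    """Return (found, updated): scanner names in the order they were logged."""
    found, updated = [], []
    for line in text.splitlines():
        match = FOUND_RE.search(line)
        if match:
            found.append(match.group(1))
            continue
        match = UPDATE_RE.search(line)
        if match:
            updated.append(match.group(1))
    return found, updated


def audit_scanners(text, is_executable=is_executable_file):
    """For each scanner logged as found, record what the filesystem says."""
    found, updated = parse_update_log(text)
    report = {}
    for name in found:
        path = SCANNER_PATHS.get(name)  # None if we have no path for this name
        report[name] = {
            "path": path,
            "executable": path is not None and is_executable(path),
            "update_ran": name in updated,
        }
    return report


def unexplained(report):
    """Scanners the log calls installed although no executable backs that up."""
    return sorted(name for name, row in report.items() if not row["executable"])


if __name__ == "__main__":
    result = audit_scanners(SAMPLE_LOG)  # checks the machine this runs on
    for name, row in result.items():
        print(f"{name:12} {row['path']!s:28} executable={row['executable']} "
              f"update_ran={row['update_ran']}")
    print("logged as installed without an executable:", unexplained(result))
```

A non-empty `unexplained` list means the "Found ... installed" message did not come from a successful existence test on those paths, so the detection step of the update script is what needs inspecting.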
From: mikew at CRUCIS.NET (Mike Watson) Date: Thu Jan 12 21:19:53 2006 Subject: F-Prot update fails after upgrade In-Reply-To: <5.2.1.1.2.20030910024243.03947008@imap.ecs.soton.ac.uk> References: <5.2.1.1.2.20030910024243.03947008@imap.ecs.soton.ac.uk> Message-ID: <200309101131.30702.mikew@crucis.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 09 September 2003 08:43 pm, you wrote: > If you look in /usr/lib/MailScanner, you will find one or more files > whose names end with ".rpmnew". These need to be moved over the top > of the old files. This is documented on the downloads page on the > website, right at the top. > > At 01:07 10/09/2003, you wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >Maybe I missed it if this was listed before, but I upgraded to > > 4.23-11 from 4.22-? and since the upgrade, I'm getting this message > > from cron. ====================================================== > >/etc/cron.hourly/update_virus_scanners: > > > >find: invalid predicate `-IsItInstalled' > >Error: /AUTO may not be specified unless /DELETE, /DISINF or /RENAME > >are included on the command line as well. > >Virus scanning report - 7 September 2003 @ 5:01 > > > >F-PROT ANTIVIRUS > >Program version: 3.13 > >Engine version: 3.13.1 > > > >VIRUS SIGNATURE FILES > >SIGN.DEF created 1 September 2003 > >SIGN2.DEF created 2 September 2003 > >MACRO.DEF created 1 September 2003 > > > >Search: /usr/local/f-prot > >Action: Report only > >Files: "Dumb" scan of all files > >Switches: -ARCHIVE -AI -OLD > > > > > >Results of virus scanning: > > > >Files: 23 > >MBRs: 0 > >Boot sectors: 0 > >Objects scanned: 23 > > > >Time: 0:01 > > > >No viruses or suspicious files/boot sectors were found. > > > >Is there a patch to take care of this? > > Thanks Julian. I'd skimmed right over it. 
Mike W - -- Registered Linux - 256979 NRA Life ARS: W0TMW -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE/X1Hi5fq6h2uDDlQRAo5uAJ49r+wfdPnqV4cVLgN5MZboBVpzfwCfaITG Vd4y9aeMY8GI7AIKYdVNrF0= =DWEf -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by F-Prot and MailScanner, and is believed to be clean. From john.thewlis at MISSIONCRITICAL.IE Wed Sep 10 17:46:55 2003 From: john.thewlis at MISSIONCRITICAL.IE (John Thewlis) Date: Thu Jan 12 21:19:53 2006 Subject: MailWatch Pear Install Error Message-ID: Hi I am trying to install MailWatch for MailScanner on a Cobalt RaQ4r. When I try to download pear, I get the following error:- # lynx -source http://go-pear.org | php -q # sh: php: command not found Broken pipe Any ideas as to how to fix this pear install problem? Thanks for any help John From richard_cipher at YAHOO.COM Wed Sep 10 18:01:11 2003 
From: richard_cipher at YAHOO.COM (Evert Ford) Date: Thu Jan 12 21:19:53 2006 Subject: Error in Anti-Virus Software Recognition? In-Reply-To: <200309101625.h8AGPsR09191@agate.rockstone.co.uk> Message-ID: > /usr/bin/pavcl > /usr/local/bd7/shared/bdc > /usr/local/bin/clamscan > /usr/local/f-prot/f-prot > /usr/local/rav8/bin/ravav > > I know it seems unlikely you'd have software you didn't know > about, but the > autoupdate script works by checking to see if the A-V executable > exists and > is executable, and if it finds it, attempts an update. I'd start by > checking your machine to see if it's really finding something. > > Antony. clamscan and f-prot are there, but the others aren't....I expected that, since I installed clamav and f-prot on this system. as well as checking those locations, i did a 'find / -type f -name executable_name -print' for each of those files to make sure they weren't living somewhere else on my system, and they weren't. This isn't a huge issue for me because MailScanner is working perfectly otherwise, i just wonder why MailScanner thinks its updating virus scanners that aren't installed? Regards, Evert Ford Westone Laboratories http://www.westone.com From martinh at SOLID-STATE-LOGIC.COM Wed Sep 10 17:58:35 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:19:53 2006
Subject: MailWatch Pear Install Error
In-Reply-To:
References:
Message-ID: <3F5F583B.90300@solid-state-logic.com>

John Thewlis wrote:
> Hi
>
> I am trying to install MailWatch for MailScanner on a Cobalt RaQ4r.
>
> When I try to download pear, I get the following error:-
>
> # lynx -source http://go-pear.org | php -q
> # sh: php: command not found
> Broken pipe
>
> Any ideas as to how to fix this pear install problem?
>
> Thanks for any help
>
> John

John

1) install php on your machine and
2) make sure it's in your default path..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
+44 (0)1865 842300

From hmkash at ARL.ARMY.MIL Wed Sep 10 19:02:56 2003
From: hmkash at ARL.ARMY.MIL (Kash, Howard (Civ,ARL/CISD))
Date: Thu Jan 12 21:19:53 2006
Subject: MailScanner+PostFix ---- try this
Message-ID: <229A346E44379140A59A48951B56E0C07A7E59@ARLABML01.DS.ARL.ARMY.MIL>

Here's the explanation of the future times from Postfix's qmgr_active.c file:

/* qmgr_active_done() deals with a message after delivery
/* has been tried for all in-core recipients. If the message
/* was bounced, a bounce message is sent to the sender, or
/* to the Errors-To: address if one was specified.
/* If there are more on-file recipients, a new batch of
/* in-core recipients is read from the queue file. Otherwise,
/* if a delivery agent marked the queue file as corrupt,
/* the queue file is moved to the "corrupt" queue (surprise);
/* if at least one delivery failed, the message is moved
/* to the deferred queue. The time stamps of a deferred queue
/* file are set to the nearest wakeup time of its recipient
/* sites (if delivery failed due to a problem with a next-hop
/* host), are set into the future by the amount of time the
/* message was queued (per-message exponential backoff), or are set
/* into the future by a minimal backoff time, whichever is more.
/* The minimal_backoff_time parameter specifies the minimal
/* amount of time between delivery attempts; maximal_backoff_time
/* specifies an upper limit.

The default minimal_backoff_time is 1000s (16m 40s).

Howard

-----Original Message-----
From: Kash, Howard (Civ,ARL/CISD) Sent: Monday, September 08, 2003 12:26 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner+PostFix ---- try this Still doesn't work with 1. I added a line to log $ModDate{$file} and the current time. It appears that the mod time on the queue files is around 15 minutes in the future?? This explains why queue files always show up with the year instead of the time in a long listing (ls -l). Should I try "time + 15*60 - 3"? :-) Howard Sep 8 11:22:03 hostname MailScanner[18672]: Message info: ModDate = 1063035179 Time = 1063034523 Sep 8 11:22:03 hostname MailScanner[18672]: Message info: ModDate = 1063035179 Time = 1063034523 Sep 8 11:22:03 hostname MailScanner[18672]: Message info: ModDate = 1063035180 Time = 1063034523 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, September 05, 2003 3:46 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner+PostFix ---- try this All it made happen was that it wouldn't process a message until it had sat in the deferred queue for 3 seconds, it should still process them all but with a 3 second latency. Try reducing the 3 to 1 and see if that helps at all. At 21:54 04/09/2003, you wrote: >For me this seemed to cause lots of messages to get stuck in the >incoming deferred queue. There would be 200 or so messages in the >queue, but Mailscanner would only process 1 or 2 messages in each batch. >Once I removed the patch, it immediately processed all of the queued >messages in batches of 30. > > >Howard > > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, September 04, 2003 6:45 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner+PostFix ---- try this > > >Here's a patch to Postfix.pm. I know it's not exactly a neat solution to >the problem, but if it fixes it I will know I have found the problem. > >--- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 >+++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 >@@ -1132,6 +1132,9 @@ > #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; > while(defined($file = shift @SortedFiles) && > $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { >+ # Yes I know this is a hack but it will help isolate the >problem >+ next if $ModDate{$file} > time-3; >+ > # must separate next two lines or $1 gets re-tainted by being >part of > # same expression as $file [mumble mumble grrr mumble mumble] > #print STDERR "Reading file $file from list\n"; > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From vernon at COMP-WIZ.COM Wed Sep 10 19:33:40 2003 
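Review bot: in the added line `next if $ModDate{$file} > time-3;` the comparison has no handling for modification times that lie in the future, so such a queue file is skipped on every pass until the clock reaches its timestamp plus three seconds, not just for a three-second settling period. The follow-ups in this thread log ModDate values more than 650 seconds ahead of the current time and quote the Postfix comment about deferred-queue timestamps being set into the future, which matches the report of messages sitting unscanned in the queue. If the aim is only to avoid files that are still being written, future timestamps need to be treated separately from recent ones; the literal 3 would also be better as a named setting, with a log line when a file is skipped so that a held-back queue shows up in the maillog.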
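An added example (not code from MailScanner or Postfix, and not part of any post above) that works through Howard's logged values and the Postfix comment he quotes: it measures how far ahead of the clock each queue file's ModDate is and how long an age check of the form `ModDate > time-3` keeps such a file out of a batch. The `deferred_mtime` function is a simplified reading of the quoted comment that ignores the next-hop wakeup case, and the 4000 s upper limit is Postfix's documented default, which the thread does not state.

```python
import re

# Log lines as posted in the thread.
SAMPLE_LOG = """\
Sep 8 11:22:03 hostname MailScanner[18672]: Message info: ModDate = 1063035179 Time = 1063034523
Sep 8 11:22:03 hostname MailScanner[18672]: Message info: ModDate = 1063035179 Time = 1063034523
Sep 8 11:22:03 hostname MailScanner[18672]: Message info: ModDate = 1063035180 Time = 1063034523
"""

INFO_RE = re.compile(r"Message info: ModDate = (\d+) Time = (\d+)")

MIN_BACKOFF = 1000  # seconds; default minimal_backoff_time quoted in the thread
MAX_BACKOFF = 4000  # seconds; Postfix's documented default, not from the thread
LATENCY = 3         # seconds; the literal used in the posted age check


def parse_message_info(text):
    """Extract (mod_date, now) pairs from the 'Message info' log lines."""
    return [(int(m.group(1)), int(m.group(2))) for m in INFO_RE.finditer(text)]


def skipped_by_age_check(mod_date, now, latency=LATENCY):
    """Python rendering of the posted condition: ModDate > time - latency."""
    return mod_date > now - latency


def seconds_until_picked_up(mod_date, now, latency=LATENCY):
    """How long the age check keeps this file out of a batch (0 = eligible)."""
    return max(0, mod_date + latency - now)


def deferred_mtime(deferred_at, queued_for, minimal=MIN_BACKOFF, maximal=MAX_BACKOFF):
    """Timestamp given to a deferred queue file, per the quoted comment:
    pushed into the future by the time already queued or by the minimal
    backoff, whichever is more, capped at the maximal backoff.
    Assumption: the 'nearest wakeup time of its recipient sites' case is
    left out of this model."""
    backoff = min(max(queued_for, minimal), maximal)
    return deferred_at + backoff


def summarize(text):
    """One row per logged file: skew against the clock and effect of the check."""
    rows = []
    for mod_date, now in parse_message_info(text):
        rows.append({
            "ahead_by": mod_date - now,
            "skipped": skipped_by_age_check(mod_date, now),
            "wait": seconds_until_picked_up(mod_date, now),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(f"mtime {row['ahead_by']:4d}s ahead of clock, "
              f"skipped={row['skipped']}, eligible in {row['wait']}s")
    now = 1063034523
    fresh = deferred_mtime(now, queued_for=0)
    print("file deferred just now is held back for",
          seconds_until_picked_up(fresh, now), "seconds")
```

With the logged values every file is ahead of the clock, so an age check written for "too new" files also withholds anything carrying a backoff timestamp for the remainder of that backoff.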
From: vernon at COMP-WIZ.COM (Vernon Webb)
Date: Thu Jan 12 21:19:53 2006
Subject: MailScanner Eating Up System Proccesses
In-Reply-To: <5.2.1.1.2.20030910024616.03b76f18@imap.ecs.soton.ac.uk>
References: <20030909224407.M20022@comp-wiz.com> <5.2.1.1.2.20030910024616.03b76f18@imap.ecs.soton.ac.uk>
Message-ID: <20030910182815.M30362@comp-wiz.com>

> I suggest you start by looking at your maillog and see what is being logged. It may be something as simple as an
> error in the conf files. The maillog is the key to tracking down a lot of problems like this.

I've gotten both MailScanner and SpamAssassin working together. This error seems to be a Sendmail configuration issue with the smtp port option. When I set the option "Port=smtp,Addr=192.168.0.134, Name=MTA" to anything other than the public IP address it starts generating the following errors:

Sep 10 14:21:13 linux sm-msp-queue[13704]: h87D9S17003902: to=postmaster, delay=3+05:09:38, xdelay=00:00:00, mailer=relay, pri=13026863, relay= [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

I've been trying to set it to 0.0.0.0 or 127.0.0.1 so that all my local mail (messages being sent to root) are received which I am not currently getting. The only mail I'm receiving is external mail.

Vern

From mike at CAMAROSS.NET Wed Sep 10 20:06:01 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:53 2006
Subject: MailScanner Eating Up System Proccesses
In-Reply-To: <20030910182815.M30362@comp-wiz.com>
Message-ID: <008b01c377ce$93e91440$680ba8c0@home.middlefinger.net>

Comment that line out completely in your sendmail.mc and then regen your sendmail.cf through m4

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Vernon Webb
Sent: Wednesday, September 10, 2003 1:34 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner Eating Up System Proccesses

> I suggest you start by looking at your maillog and see what is being logged. It may be something as simple as an
> error in the conf files. The maillog is the key to tracking down a lot of problems like this.

I've gotten both MailScanner and SpamAssassin working together. This error seems to be a Sendmail configuration issue with the smtp port option. When I set the option "Port=smtp,Addr=192.168.0.134, Name=MTA" to anything other than the public IP address it starts generating the following errors:

Sep 10 14:21:13 linux sm-msp-queue[13704]: h87D9S17003902: to=postmaster, delay=3+05:09:38, xdelay=00:00:00, mailer=relay, pri=13026863, relay= [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

I've been trying to set it to 0.0.0.0 or 127.0.0.1 so that all my local mail (messages being sent to root) are received which I am not currently getting. The only mail I'm receiving is external mail.

Vern

From steve.douglas at SBIINCORPORATED.COM Wed Sep 10 21:59:30 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:19:53 2006
Subject: F-Prot update fails after upgrade
Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FD11@mail.gardenbotanika.com>

After another thorough review, I located one of your *.rpmnew files. I renamed it and the update took off accordingly. Thanks again. Perseverance pays.

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, September 09, 2003 8:44 PM > To: > Subject: Re: F-Prot update fails after upgrade > > If you look in /usr/lib/MailScanner, you will find one or more files whose > names end with ".rpmnew". These need to be moved over the top of the old > files. > This is documented on the downloads page on the website, right at the top. > > At 01:07 10/09/2003, you wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >Maybe I missed it if this was listed before, but I upgraded to 4.23-11 > >from 4.22-? and since the upgrade, I'm getting this message from cron. > >====================================================== > >/etc/cron.hourly/update_virus_scanners: > > > >find: invalid predicate `-IsItInstalled' > >Error: /AUTO may not be specified unless /DELETE, /DISINF or /RENAME > >are included on the command line as well. > >Virus scanning report - 7 September 2003 @ 5:01 > > > >F-PROT ANTIVIRUS > >Program version: 3.13 > >Engine version: 3.13.1 > > > >VIRUS SIGNATURE FILES > >SIGN.DEF created 1 September 2003 > >SIGN2.DEF created 2 September 2003 > >MACRO.DEF created 1 September 2003 > > > >Search: /usr/local/f-prot > >Action: Report only > >Files: "Dumb" scan of all files > >Switches: -ARCHIVE -AI -OLD > > > > > >Results of virus scanning: > > > >Files: 23 > >MBRs: 0 > >Boot sectors: 0 > >Objects scanned: 23 > > > >Time: 0:01 > > > >No viruses or suspicious files/boot sectors were found. > > > >Is there a patch to take care of this? > > > >Mike W > >- -- > >Registered Linux - 256979 > >NRA Life > >ARS: W0TMW > > > > > > > > > > > > > > > > > >-----BEGIN PGP SIGNATURE----- > >Version: GnuPG v1.0.7 (GNU/Linux) > > > >iD8DBQE/Xmtc5fq6h2uDDlQRAgCaAJ4pi49iZuB1p3gNvuytA32VerTf9QCePNR6 > >DdEa2/K+GRSPp8XUmEGPz7k= > >=DSPy > >-----END PGP SIGNATURE----- > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by F-Prot and MailScanner, > >and is believed to be clean. 
> > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From peter at UCGBOOK.COM Wed Sep 10 22:06:59 2003 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:19:53 2006 Subject: MS 4.23-11: buglet in update_virus_scanners Message-ID: <3F5F9273.8070302@ucgbook.com> Fixed the grep thing but had another small problem with the update script. I got an error from the F-secure test. It correctly identified only Clam being installed but it erred on F-secure. I did some tests and found this line to be at fault (however I don't know why): if ${WRAPPER} "${PACKAGEDIR}" -IsItInstalled I removed the F-secure line from the virus list and all was well. I don't see why the F-secure line was any different. Anyone else having this? /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, MailScanner 4.23-11, SpamAssassin 2.55, ClamAV 20030829 >At 13:56 08/09/2003, you wrote: >>Julian, >> I just upgraded from 4.22-5 to 4.23-11, and update_virus_scanners >>gagged the first time cron ran it on my Solaris 9 box. It turns out >>the /usr/bin/grep on Sun does not support the "-e" option, while >>GNU grep (/usr/local/bin on my box) or /usr/xpg4/bin/grep does. >>So I had to tweak my copy to use GNU grep. I don't how you want to >>fix this for all permutations of grep. What a pain. > >It seems to be just a Solaris problem at the moment, I have already >added a >bit extra to the script so that it puts /usr/xpg4/bin (or is it >/usr/bin/xpg4) in the path before /usr/bin so that the correct version >of >grep is found. You don't need the GNU version, the xpg4 version is just >fine. From jaearick at COLBY.EDU Wed Sep 10 22:23:15 2003 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:19:53 2006 Subject: MS 4.23-11: buglet in update_virus_scanners In-Reply-To: <3F5F9273.8070302@ucgbook.com> References: <3F5F9273.8070302@ucgbook.com> Message-ID: Hi, Yes, I too saw the same thing and just commented out the f-secure line in virus.scanners.conf. Similar setup: SunFire V1280, Sol 9, MailScanner 4.23-11, sophossavi 3.72, clamav 0.60, SpamAssassin 2.60, Razor. --- Jeff On Wed, 10 Sep 2003, Peter Bonivart wrote: > Date: Wed, 10 Sep 2003 23:06:59 +0200 
> From: Peter Bonivart > Reply-To: MAILSCANNER@JISCMAIL.AC.UK > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MS 4.23-11: buglet in update_virus_scanners > > Fixed the grep thing but had another small problem with the update > script. I got an error from the F-secure test. It correctly identified > only Clam being installed but it erred on F-secure. I did some tests and > found this line to be at fault (however I don't know why): > > if ${WRAPPER} "${PACKAGEDIR}" -IsItInstalled > > I removed the F-secure line from the virus list and all was well. I > don't see why the F-secure line was any different. Anyone else having this? > > /Peter Bonivart > > --Unix lovers do it in the Sun > > Sun Fire V210, Solaris 9, MailScanner 4.23-11, SpamAssassin 2.55, ClamAV > 20030829 > > >At 13:56 08/09/2003, you wrote: > >>Julian, > >> I just upgraded from 4.22-5 to 4.23-11, and update_virus_scanners > >>gagged the first time cron ran it on my Solaris 9 box. It turns out > >>the /usr/bin/grep on Sun does not support the "-e" option, while > >>GNU grep (/usr/local/bin on my box) or /usr/xpg4/bin/grep does. > >>So I had to tweak my copy to use GNU grep. I don't how you want to > >>fix this for all permutations of grep. What a pain. > > > >It seems to be just a Solaris problem at the moment, I have already > >added a > >bit extra to the script so that it puts /usr/xpg4/bin (or is it > >/usr/bin/xpg4) in the path before /usr/bin so that the correct version >of > >grep is found. You don't need the GNU version, the xpg4 version is > just >fine. > From baldguy33165 at YAHOO.COM Wed Sep 10 22:35:16 2003 
From: baldguy33165 at YAHOO.COM (Juan C. Quesada) Date: Thu Jan 12 21:19:53 2006 Subject: spam.assassin.prefs file customization help Message-ID: <20030910213516.52066.qmail@web20803.mail.yahoo.com> I have the following rule on my spam.assassin.prefs file: header FOUL_WORD Subject =~ /foulword/i body FOUL_WORD /foulword/i score FOUL_WORD 100.0 The problem is that certain foul words are contained within other words example. -ANALyst -doCUMentation -SHITtakke Mushrooms -gRAPEs I want to create a rule that looks for a certain word by itself. Any ideas? __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com From lists at STHOMAS.NET Wed Sep 10 22:40:13 2003 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:19:53 2006 Subject: spam.assassin.prefs file customization help In-Reply-To: <20030910213516.52066.qmail@web20803.mail.yahoo.com>; from baldguy33165@YAHOO.COM on Wed, Sep 10, 2003 at 02:35:16PM -0700 References: <20030910213516.52066.qmail@web20803.mail.yahoo.com> Message-ID: <20030910144013.A13851@sthomas.net> On Wed, Sep 10, 2003 at 02:35:16PM -0700, Juan C. Quesada is rumored to have said: > > header FOUL_WORD Subject =~ /foulword/i > body FOUL_WORD /foulword/i > > I want to create a rule that looks for a certain word > by itself. Any ideas? > /\bfoulword\b/i The \b means "word boundary". -- "I can write better than anybody who can write faster, and I can write faster than anybody who can write better." - A. J. Liebling (1904-1963) From xpoint at JUNC.ORG Wed Sep 10 22:34:14 2003 
From: xpoint at JUNC.ORG (Benny Pedersen) Date: Thu Jan 12 21:19:53 2006 Subject: Huh? In-Reply-To: <08146035CA49D6119A36009027AC822A0264E738@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264E738@CITY-EXCH-NTS> Message-ID: <3F5F98D6.1070304@junc.org> Kevin Miller wrote: > MailScanner 4.14-9 > F-prot 3.12a (I know, I need to upgrade. It's on the list.) I use f-prot 3.x as well as you, it finds and works ok here. If it ain't :-) From peter at UCGBOOK.COM Wed Sep 10 22:43:35 2003 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:19:53 2006 Subject: Feature request Message-ID: <3F5F9B07.6000500@ucgbook.com> As most sysadmins I want my systems to run with little or no manual work. However, systems like BIND and MailScanner must be maintained to be correct/efficient. Second best thing is letting someone else do the manual work. :-) But there's a lack of official tools to do the job. I would like a script for adding and removing to the whitelist for example, complete with syntax check and reloading of MailScanner. Then I could trust someone else to do it for me. The same goes for the quarantined files, releasing them without intervention would also be desired. It would also be cool to, via an option, be able to simulate a MailScanner start with a syntax check of all configuration files, rules, etc. That way you could test if a new config/version upgrade is sane while it's running with the old working config. I know some of you have implemented similar things yourselves but they are probably pretty tied to your environment and needs updating when MailScanner is upgraded. These tools within the MailScanner package would benefit us all and it would be easier to implement web based administration on top of them. I love editing text files with vi but most others don't. :-( What do you others think? Does anyone have good generic scripts (not bodyparts :-) for the most common tasks you could donate to Julian? /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, MailScanner 4.23-11, SpamAssassin 2.55, ClamAV 20030829 From kevins at BMRB.CO.UK Wed Sep 10 22:45:12 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:53 2006 Subject: spam.assassin.prefs file customization help In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7AF1@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7AF1@pascal.priv.bmrb.co.uk> Message-ID: <1063230313.2420.15.camel@bach.kevinspicer.co.uk> On Wed, 2003-09-10 at 22:35, Juan C. Quesada wrote: >I have the following rule on my spam.assassin.prefs >file: >header FOUL_WORD Subject =~ /foulword/i >body FOUL_WORD /foulword/i >score FOUL_WORD 100.0 >The problem is that certain foul words are contained >within other words example. >-ANALyst >-doCUMentation >-SHITtakke Mushrooms >-gRAPEs >I want to create a rule that looks for a certain word >by itself. Any ideas? /(^|\W)foulword(\W|$)/i BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Wed Sep 10 22:47:00 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:53 2006 Subject: spam.assassin.prefs file customization help In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7AF5@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7AF5@pascal.priv.bmrb.co.uk> Message-ID: <1063230420.2420.17.camel@bach.kevinspicer.co.uk> On Wed, 2003-09-10 at 22:45, Spicer, Kevin wrote: > /(^|\W)foulword(\W|$)/i Steves is better! I forgot about \b BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From baldguy33165 at YAHOO.COM Wed Sep 10 22:52:13 2003 
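Added example, not part of any post in this thread: a short Perl script (SpamAssassin rule patterns are Perl regular expressions) that runs the original pattern and the two suggested replacements over constructed subject lines. The subject strings and the helper names `matches` and `count_hits` are assumptions made for illustration; "foulword" is the thread's own placeholder.

```perl
#!/usr/bin/perl
# Added example: compares the three patterns from the thread on constructed input.
use strict;
use warnings;

# The patterns exactly as they were posted.
my @patterns = (
    [ 'substring', qr/foulword/i ],               # original rule
    [ 'boundary',  qr/\bfoulword\b/i ],           # \b (word boundary) form
    [ 'nonword',   qr/(^|\W)foulword(\W|$)/i ],   # (^|\W)...(\W|$) form
);

# Constructed subject lines, not taken from real mail.
my @subjects = (
    'foulword',                  # the word alone
    'Buy FOULWORD now!',         # the word between spaces, upper case
    'unfoulwordly behaviour',    # embedded in a longer word
    'foulwords for sale',        # plural form
    'cheap-foulword-here',       # delimited by hyphens (non-word characters)
    'foulword_2003 offer',       # followed by an underscore (a word character)
);

# True if the pattern matches anywhere in the text (what a rule hit means).
sub matches {
    my ($re, $text) = @_;
    return $text =~ $re ? 1 : 0;
}

# Number of separate matches. A loop is used instead of list-context //g
# because the nonword pattern has capture groups, which would inflate a
# list-context count.
sub count_hits {
    my ($re, $text) = @_;
    my $n = 0;
    $n++ while $text =~ /$re/g;
    return $n;
}

# One row per subject, one column per pattern.
printf "%-26s %-10s %-10s %-10s\n", 'subject', map { $_->[0] } @patterns;
for my $s (@subjects) {
    printf "%-26s %-10s %-10s %-10s\n", "'$s'",
        map { matches($_->[1], $s) ? 'hit' : '-' } @patterns;
}

# The two boundary forms differ only when occurrences are counted:
# (\W|$) consumes the delimiter, \b does not.
my $repeated = 'foulword foulword';
print "\noccurrences in '$repeated':\n";
printf "  %-10s %d\n", $_->[0], count_hits($_->[1], $repeated) for @patterns;
```

The two boundary forms agree on every subject above, including the plural and underscore cases that both miss; they differ only in the occurrence count, because `(\W|$)` consumes the separating space while `\b` is zero-width.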
From: baldguy33165 at YAHOO.COM (Juan C. Quesada) Date: Thu Jan 12 21:19:53 2006 Subject: spam.assassin.prefs file customization help In-Reply-To: <20030910144013.A13851@sthomas.net> Message-ID: <20030910215213.97335.qmail@web20804.mail.yahoo.com> Thanks a lot Steve, it worked. Regards, Juan C. Quesada --- Steve Thomas wrote: > On Wed, Sep 10, 2003 at 02:35:16PM -0700, Juan C. > Quesada is rumored to have said: > > > > header FOUL_WORD Subject =~ /foulword/i > > body FOUL_WORD /foulword/i > > > > I want to create a rule that looks for a certain > word > > by itself. Any ideas? > > > > /\bfoulword\b/i > > The \b means "word boundary". > > > -- > "I can write better than anybody who can write > faster, and I can write faster than anybody who can > write better." > - A. J. Liebling (1904-1963) __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com From michele at BLACKNIGHTSOLUTIONS.COM Wed Sep 10 22:55:19 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions) Date: Thu Jan 12 21:19:53 2006 Subject: Feature request In-Reply-To: <3F5F9B07.6000500@ucgbook.com> Message-ID: <200309102155.h8ALt7P11497@camelot.blacknightsolutions.com> Have you looked at the webmin module? Mr. Michele Neylon Blacknight Solutions http://www.blacknightsolutions.ie/ Probably the cheapest ie's in Ireland Tel. +353 (0)59 9139897 Fax. +353 (0)59 9139897 ######################################################### This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited. From mkettler at EVI-INC.COM Wed Sep 10 23:02:16 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:19:54 2006 Subject: spam.assassin.prefs file customization help In-Reply-To: <20030910215213.97335.qmail@web20804.mail.yahoo.com> References: <20030910144013.A13851@sthomas.net> Message-ID: <5.2.1.1.0.20030910175831.02338200@xanadu.evi-inc.com> At 02:52 PM 9/10/2003 -0700, Juan C. Quesada wrote: >Thanks a lot Steve, it worked. Juan you seem to be struggling with some basics of rule writing. At the risk of being a bit self promoting, I do have a fairly comprehensive howto about writing your own spamassassin rules. Eventually this is going to be mirrored by the spamassassin.org website, but I've been tinkering with some of the text still so I asked Justin to hold off on that. In the interim, you can get the howto directly from my home-account website. http://mywebpages.comcast.net/mkettler/sa/SA-rules-howto.txt You might find it useful . I tried to include a lot of tips, tricks, and common mistakes that I made while going through the "school of hard knocks" learning to tweak SA. From peter at UCGBOOK.COM Wed Sep 10 23:09:19 2003 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:19:54 2006 Subject: Feature request In-Reply-To: <200309102155.h8ALt7P11497@camelot.blacknightsolutions.com> References: <200309102155.h8ALt7P11497@camelot.blacknightsolutions.com> Message-ID: <3F5FA10F.1060504@ucgbook.com> I haven't tried it but I have looked into it and if I'm not mistaken you need a web server running on the MailScanner. I don't like big apps running on the same server, like MySQL and Apache. It's also not official and therefor is behind on updates. I don't know if you can control access or if it's "all or nothing"..? The Webmin concept is a great idea but it's not right for me when it comes to MailScanner. I would like small scripts that are distributed with MailScanner. Only the most common tasks and working with the current version of MailScanner. I could myself build a simple "Webmin" that's more suited to my environment and still be comfortable about the handling of important files. /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, MailScanner 4.23-11, SpamAssassin 2.55, ClamAV 20030829 Michele Neylon:: Blacknight Solutions wrote: > Have you looked at the webmin module? > > Mr. Michele Neylon > Blacknight Solutions > http://www.blacknightsolutions.ie/ > Probably the cheapest ie's in Ireland > Tel. +353 (0)59 9139897 > Fax. +353 (0)59 9139897 > > > > ######################################################### > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance to it is prohibited. > From michele at BLACKNIGHTSOLUTIONS.COM Wed Sep 10 23:17:20 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions) Date: Thu Jan 12 21:19:54 2006 Subject: Feature request In-Reply-To: <3F5FA10F.1060504@ucgbook.com> Message-ID: <200309102217.h8AMH8P22842@camelot.blacknightsolutions.com> Peter Webmin runs its own 'web' server, but you can restrict access to it and to the modules that a person can access without much difficulty. We allow some of our dedicated clients, for example, to access their DNS zone files, but not those of other clients. All this with standard configuration ie. Nothing special on our side. I know that the webmin module is not official, but it does give you access to most of the important areas. Maybe you could build on it. There are a lot of things that it would be nice to see. But I don't know who will produce them :P M Mr. Michele Neylon Blacknight Solutions http://www.blacknightsolutions.ie/ Probably the cheapest ie's in Ireland Tel. +353 (0)59 9139897 Fax. +353 (0)59 9139897 ######################################################### This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited. From dan at OXNARDSD.ORG Wed Sep 10 23:15:22 2003 
From: dan at OXNARDSD.ORG (Dan Kubilos) Date: Thu Jan 12 21:19:54 2006 Subject: spam.assassin.prefs file customization help In-Reply-To: <5.2.1.1.0.20030910175831.02338200@xanadu.evi-inc.com> Message-ID: Super! Thanks for sharing. On Wed, 10 Sep 2003, Matt Kettler wrote: > At 02:52 PM 9/10/2003 -0700, Juan C. Quesada wrote: > > >Thanks a lot Steve, it worked. > > Juan you seem to be struggling with some basics of rule writing. > > At the risk of being a bit self promoting, I do have a fairly comprehensive > howto about writing your own spamassassin rules. Eventually this is going > to be mirrored by the spamassassin.org website, but I've been tinkering > with some of the text still so I asked Justin to hold off on that. > > In the interim, you can get the howto directly from my home-account website. > > http://mywebpages.comcast.net/mkettler/sa/SA-rules-howto.txt > > You might find it useful . I tried to include a lot of tips, tricks, and > common mistakes that I made while going through the "school of hard knocks" > learning to tweak SA. > -- Dan Kubilos __\o_ ^ K-8 Tech Coord http://www.oxnardsd.org From joshua.hirsh at PARTNERSOLUTIONS.CA Thu Sep 11 00:03:55 2003 From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:19:54 2006 Subject: SpamAssassin can't add? Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5AF6@eqmail1.efni.vpn> This is a bit weird. One of my users emailed me about a message that was incorrectly marked as SPAM. I took a look and noticed that SpamAssassin had assigned the score as follows: SpamAssassin (score=5.2, required 5, AWL 0.00, NO_REAL_NAME 1.15, OPPORTUNITY 0.68) Now, unless this is some bizarre form of math I've never seen before, something just doesn't seem right ;-) Anyone seen this before? The server is MS 4.23-11 with SA 2.55. Cheers, -Joshua From hciss at HCIWS.COM Thu Sep 11 02:28:16 2003 
From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:19:54 2006 Subject: Spam Tagging Opt In Filtering Wish Message-ID: <001701c37803$fa1549c0$6500a8c0@matthewmpqowmc> The feature I would like. By default MailScanner scans all email for viruses and also with SpamAssassin. It puts the Spam score in the header of the message. For some stupid reason Outlook Express cannot filter by header contents (I know Outlook can). If the user desires they can enable tagging the end of the message body with a Spam score. They do this by going to a webpage and submitting their email address in a form. After that they get an email message and if they click on a link in it it's turned on. They can do a similar thing to turn it off later if they don't like it. All this WITHOUT the email admin's intervention. With me tagging the subject is irritating and they will just be asking you to whitelist this and that email and I want no intervention on my end. If they want aggressive filtering all messages are tagged with a signature and they can create their own whitelists if they want. Unless perhaps another form to whitelist certain addresses. I would only allow my IP pools access to that form. I think I could write some perl scripts to do this I am just not very good at it. The scripts would need to manipulate the MailScanner config files and would only take effect when restarted, what every 4 hours? Would this fit anyone else's need? Seems ideal to me to give the decisions to the end user. A signature at the end that says "virus scanned and spam score" does not seem that bad to me. Again if Outlook Express like Outlook allowed filtering by header content this would be already possible. Matt From mailscanner at ecs.soton.ac.uk Thu Sep 11 04:10:31 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:54 2006 Subject: MS 4.23-11: buglet in update_virus_scanners In-Reply-To: References: <3F5F9273.8070302@ucgbook.com> <3F5F9273.8070302@ucgbook.com> Message-ID: <5.2.1.1.2.20030911040829.031b7dd0@imap.ecs.soton.ac.uk> Have you made sure there aren't any .rpmnew files in the /usr/lib/MailScanner directory? The f-secure-wrapper and f-secure-autoupdate scripts should support all the command line options necessary. If you are convinced otherwise, please let me know. At 22:23 10/09/2003, you wrote: >Hi, > Yes, I too saw the same thing and just commented out the f-secure >line in virus.scanners.conf. Similar setup: SunFire V1280, Sol 9, >MailScanner 4.23-11, sophossavi 3.72, clamav 0.60, SpamAssassin 2.60, >Razor. > >--- Jeff > >On Wed, 10 Sep 2003, Peter Bonivart wrote: > > > Date: Wed, 10 Sep 2003 23:06:59 +0200 
> > From: Peter Bonivart > > Reply-To: MAILSCANNER@JISCMAIL.AC.UK > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: MS 4.23-11: buglet in update_virus_scanners > > > > Fixed the grep thing but had another small problem with the update > > script. I got an error from the F-secure test. It correctly identified > > only Clam being installed but it erred on F-secure. I did some tests and > > found this line to be at fault (however I don't know why): > > > > if ${WRAPPER} "${PACKAGEDIR}" -IsItInstalled > > > > I removed the F-secure line from the virus list and all was well. I > > don't see why the F-secure line was any different. Anyone else having this? > > > > /Peter Bonivart > > > > --Unix lovers do it in the Sun > > > > Sun Fire V210, Solaris 9, MailScanner 4.23-11, SpamAssassin 2.55, ClamAV > > 20030829 > > > > >At 13:56 08/09/2003, you wrote: > > >>Julian, > > >> I just upgraded from 4.22-5 to 4.23-11, and update_virus_scanners > > >>gagged the first time cron ran it on my Solaris 9 box. It turns out > > >>the /usr/bin/grep on Sun does not support the "-e" option, while > > >>GNU grep (/usr/local/bin on my box) or /usr/xpg4/bin/grep does. > > >>So I had to tweak my copy to use GNU grep. I don't how you want to > > >>fix this for all permutations of grep. What a pain. > > > > > >It seems to be just a Solaris problem at the moment, I have already > > >added a > > >bit extra to the script so that it puts /usr/xpg4/bin (or is it > > >/usr/bin/xpg4) in the path before /usr/bin so that the correct > version >of > > >grep is found. You don't need the GNU version, the xpg4 version is > > just >fine. > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 11 04:13:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:54 2006 Subject: SOLVED Filename Subject Text vs. Content Subject Text In-Reply-To: <3F5EFE4C.8567.4F9FECB@localhost> References: <000701c37723$cec67860$0a010a0a@prometheus> Message-ID: <5.2.1.1.2.20030911041325.031e2ea8@imap.ecs.soton.ac.uk> Done. Thanks for that. At 14:34 10/09/2003, you wrote: >Alright... I look at the code and the bug is quite trivial. > >The following patch solves it: > >===================================CUT HERE================================== >--- Message.pm.orig Wed Sep 10 10:27:53 2003 >+++ Message.pm Wed Sep 10 10:29:45 2003 >@@ -1923,7 +1923,7 @@ > !$this->{nameinfected} && # They want the tagging & not already tagged > !$global::MS->{mta}->TextStartsHeader($this, 'Subject:', > $contenttag)) >{ > if (MailScanner::Config::Value('contentprependsubject',$this)) { >- $global::MS->{mta}->PrependHeader($this, 'Subject:', $nametag, ' '); >+ $global::MS->{mta}->PrependHeader($this, 'Subject:', $contenttag, ' >'); > $subjectchanged = 1; > } > } else { >===================================CUT HERE================================== > >Julian, > >would you apply it to the next release? > > > >El 9 Sep 2003 a las 23:43, Ulysees escribi?: > > > I'm getting the same thing, MS 4.23-11 no SA and any mail being caught with > > a html form is coming up with filename? > > > > uly > > > > ----- Original Message ----- 
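Review bot: the `} else {` branch that follows the changed call is cut off by the hunk, so it needs the same check for a leftover `$nametag`; the removed line suggests the content-tagging block was copied from the filename-tagging block without every variable being renamed. The first context line also still tests `!$this->{nameinfected}` inside a block that is otherwise keyed on `contentprependsubject` and `$contenttag`, so confirm that this is the intended flag and not another remnant. With the new line the prepended tag is the same `$contenttag` that `TextStartsHeader` looks for, which is what makes the already-tagged guard effective; a test that passes one message through this code twice and asserts that the Subject carries the tag once would pin that behaviour down.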
> > From: "Mariano Absatz" > > To: > > Sent: Tuesday, September 09, 2003 10:35 PM > > Subject: [MAILSCANNER] Filename Subject Text vs. Content Subject Text > > > > > > Hi, > > > > I'm using MS 4.23-11 with SA 2.55. > > > > It seems MS is somehow confusing "Filename Subject Text" "Content Subject > > Text". > > > > I have the following settings: > > Allow IFrame Tags = no > > Log IFrame Tags = yes > > Allow Form Tags = no > > Allow Object Codebase Tags = no > > Filename Modify Subject = no > > Filename Subject Text = {Nombre de archivo anexo prohibido} > > Content Modify Subject = yes > > Content Subject Text = {Contenido potencialmente peligroso} > > > > And, when getting a message with IFrame, it added the "Filename Subject > > Text" instead of the "Content Subject Text" I expected. > > > > Here's the log: > > > > Sep 5 14:43:51 or MX[4995]: New Batch: Scanning 1 messages, 43452 bytes > > Sep 5 14:43:51 or MX[4995]: Spam Checks: Starting > > Sep 5 14:43:54 or MX[4995]: Virus and Content Scanning: Starting > > Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-156.html > > (no rule matched) > > Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-155.txt > > Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-155.txt > > Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-156.html > > Sep 5 14:43:54 or MX[4995]: HTML IFrame tag found in message 1221617 from > > boletininformar@redinformar.com.ar > > Sep 5 14:43:54 or MX[4995]: Content Checks: Detected HTML-specific > > exploits in 1221617 > > Sep 5 14:43:54 or MX[4995]: Content Checks: Found 1 problems > > Sep 5 14:43:54 or MX[4995]: ZM: message 1221617 renamed into 1156463 > > Sep 5 14:43:54 or MX[4995]: Silent: Delivered 1 messages containing silent > > viruses > > > > > > And the modified was: > > {Nombre de archivo anexo prohibido} RI-Bolet?n Informar Computaci?n: > A?o 1 - > > N?mero 51 - SEPTIEMBRE 5, 2003 > > > > > > Are these entries mixed up? 
> > > > > > -- > > Mariano Absatz > > El Baby > > ---------------------------------------------------------- > > Don't worry about the world coming to an end today.It's already tomorrow in > > Australia. -- Charles Schulz > > >-- >Mariano Absatz >El Baby >---------------------------------------------------------- >I must confess, I was born at a very early age. > -- Groucho Marx -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Sep 11 04:36:35 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:19:54 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200309110336.h8B3aZJ2015590@seer.ecs.soton.ac.uk> New Guestbook-Entry from Steve Hitchman We are running MailScanner with Spamassasin on our email server in the Dept. of Mechanical Engineering at the University of Waterloo. A very reliable and effective product with excellent support. I highly recommend it. From brent.addis at ROAMAD.COM Thu Sep 11 04:27:05 2003 
From: brent.addis at ROAMAD.COM (Brent Addis)
Date: Thu Jan 12 21:19:54 2006
Subject: [Fwd: mysql logging issues]
Message-ID: <1592.202.180.106.54.1063250825.squirrel@webmail.roamad.com>

Hey there. I'm new to the list, and had a quick look through the archives and couldn't find much on it.

I'm having a few problems getting mailscanner logging to an sql database. For some reason mailscanner insists on putting NULL into mysql rather than what the results should have been. IE:

155 Query INSERT INTO maillog_mail (time, msg_id, size, from_user, from_domain, subject, clientip, archives, isspam, ishighspam, sascore, spamreport) VALUES ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL')
156 Query INSERT INTO maillog_mail (time, msg_id, size, from_user, from_domain, subject, clientip, archives, isspam, ishighspam, sascore, spamreport) VALUES ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL')
155 Quit
156 Quit
157 Query INSERT INTO maillog_mail (time, msg_id, size, from_user, from_domain, subject, clientip, archives, isspam, ishighspam, sascore, spamreport) VALUES ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL')
157 Quit

mysql> SELECT time, msg_id, size, from_user, from_domain FROM maillog_mail;
+----------------+--------+------+-----------+-------------+
| time           | msg_id | size | from_user | from_domain |
+----------------+--------+------+-----------+-------------+
| 00000000000000 | NULL   |    0 | NULL      | NULL        |
+----------------+--------+------+-----------+-------------+
1 row in set (0.00 sec)

I am using version 4.23-11. To create the tables I used a slightly modified version of what comes with mailscanner in the readme-sql. I had to remove the binary part from the msg_id lines as it would not work. I don't see that causing the current problems I am seeing however. Everything else was followed as per.
I also had to alter the CustomConfig.pm, as it had the wrong ip address entered, and also needed a password:

use DBI;
# Create database connection
my($dbh);
$dbh = DBI->connect("DBI:mysql:mailscanner:localhost", "mailscanner", "password", {'PrintError' => 0})

Is there somewhere I have to actually specify what to log? I have not yet been able to find out exactly what it requires.

Any help would be appreciated. Thanks.

--
Brent Addis
Systems Administrator
RoamAD

From errol.neal at ENHTECH.COM Thu Sep 11 05:53:11 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:54 2006
Subject: Spam Whitelisting
Message-ID: <1063255991.3f5fffb7c5c99@webmail.resume.com>

Is it possible to use spam.whitelist.rules so that you can store whitelist info in a per-domain-file? Something like this:

# Begin spam.whitelist.rules
To: enhtech.com /opt/MailScanner/etc/rules/spam.whitelist.rules.enhtech_com
# End spam.whitelist.rules

and in the file referenced:

# Begin spam.whitelist.rules.enhtech_com
From: postmaster@enhtech.com yes
# End spam.whitelist.rules

That does not seem to work, however in other config files you are able to do such a thing. MailScanner tells me that it cannot continue because of a syntax error.

Errol

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From errol.neal at ENHTECH.COM Thu Sep 11 06:05:52 2003
From: errol.neal at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:19:54 2006 Subject: Feature request In-Reply-To: <3F5F9B07.6000500@ucgbook.com> References: <3F5F9B07.6000500@ucgbook.com> Message-ID: <1063256752.3f6002b013904@webmail.resume.com> My company is beginning development of a client-side interface for use with MailScanner. Just a simple web-based interface so our clients that have spam and virus filtering added to their existing mail service can configure their unique options such as bounce back messages, white lists, blacklists and etc. They will also be able to view any quarantined spam/viri through this interface. Webmin provides a lot of this functionality already. Borrowing from that will make our job a lot easier. Errol ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From gerry at dorfam.ca Thu Sep 11 06:16:42 2003 
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:19:54 2006 Subject: SpamAssassin can't add? In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB5AF6@eqmail1.efni.vpn> References: <75FEDC422E2309419A9303E7B18F206E04DB5AF6@eqmail1.efni.vpn> Message-ID: <1783.10.0.10.1.1063257402.squirrel@tiger.dorfam.ca> > This is a bit weird. One of my users emailed me about a message that was > incorrectly marked as SPAM. I took a look and noticed that SpamAssassin > had > assigned the score as follows: > > SpamAssassin (score=5.2, required 5, AWL 0.00, NO_REAL_NAME 1.15, > OPPORTUNITY 0.68) > > Now, unless this is some bizarre form of math I've never seen before, > something just doesn't seem right ;-) > > Anyone seen this before? The server is MS 4.23-11 with SA 2.55. > > > > Cheers, > > -Joshua > I have had the same problem for ages. I have tried running with MailScanner calling SpamAssassin and with procmail calling SpamAssassin. The scores don't add up when MailScanner calls SA. They do add up when SA is called from procmail or when SA is run separately (ie passing the sample-spam.txt message to SA from the command line). I believe this is a MailScanner problem not interfacing correctly with SA. However, when I posted this to the list Julian responded by saying not to blame him if SA can't add. On the other hand, I do believe the the total score is correct. The individual items with a 0.0 score really do have a score that is being counted. Gerry From mailscanner at ecs.soton.ac.uk Thu Sep 11 07:23:22 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:19:54 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200309110623.h8B6NMki001473@seer.ecs.soton.ac.uk> New Guestbook-Entry from Chris Sweeney Just wanted to say how great your program is! Keep up the excellent work. I just installed your program and I love it. Wish I had known about it earlier! From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 11 09:24:20 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:54 2006 Subject: SpamAssassin can't add? In-Reply-To: <1783.10.0.10.1.1063257402.squirrel@tiger.dorfam.ca> References: <75FEDC422E2309419A9303E7B18F206E04DB5AF6@eqmail1.efni.vpn> <1783.10.0.10.1.1063257402.squirrel@tiger.dorfam.ca> Message-ID: <200309110824.h8B8OQR11617@agate.rockstone.co.uk> On Thursday 11 September 2003 6:16 am, Gerry Doris wrote: > > SpamAssassin (score=5.2, required 5, AWL 0.00, NO_REAL_NAME 1.15, > > OPPORTUNITY 0.68) > > > > Now, unless this is some bizarre form of math I've never seen before, > > something just doesn't seem right ;-) > I have had the same problem for ages. I have tried running with > MailScanner calling SpamAssassin and with procmail calling SpamAssassin. > The scores don't add up when MailScanner calls SA. They do add up when SA > is called from procmail or when SA is run separately (ie passing the > sample-spam.txt message to SA from the command line). It would be interesting to push the same message through SA in these two ways and see what the difference in score assignments is: - do the scores 0.00 in one method count as something else in the other method? - are the individual scores for the tests the same, and only the total comes out differently? I wonder if perhaps SA is getting confused about whether it should be using its local/network/plain/Bayes scores because of the way MS calls it? Antony. -- There are two possible outcomes. If the result confirms the hypothesis, then you've made a measurement. If the result is contrary to the hypothesis, then you've made a discovery. - Enrico Fermi From yahel at REDBEND.COM Thu Sep 11 10:18:28 2003 
From: yahel at REDBEND.COM (Yahel Ron)
Date: Thu Jan 12 21:19:54 2006
Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972
Message-ID:

Hi,

I noticed that sometimes when I paste an html page into an email message Mailscanner would mark this as a virus (but no virus or attachment is there).

What do you suggest I do in order to solve this problem?

Here is the log

Sep 10 18:16:33 titanium MailScanner[16963]: Virus and Content Scanning: Starting
Sep 10 18:16:34 titanium MailScanner[16963]: Content Checks: Detected HTML-specific exploits in h8AGGVSe016972
Sep 10 18:16:34 titanium MailScanner[16963]: Content Checks: Found 1 problems
Sep 10 18:16:34 titanium MailScanner[16963]: Saved infected "msg-16963-2.html" to /var/spool/MailScanner/quarantine/20030910/h8AGGVSe016972
Sep 10 18:16:34 titanium MailScanner[16963]: Cleaned: Delivered 1 cleaned messages.........
Sep 10 18:16:34 titanium sendmail[16982]: h8AGGY6p016982: from=<>, size=701, class=0, nrcpts=1, msgid=<200309101616.h8AGGY6p016982@redbend.com>, .. mailer=local, pri=150612, dsn=2.0.0, stat=Sent
Sep 10 18:16:34 titanium sendmail[16987]: h8AGGYSe016987: from=<>, size=928, class=0, nrcpts=1, msgid=<200309101616.h8AGGY6p016982@redbend.com>, proto=ESMTP, daemon=MTA, relay=titanium [127.0.0.1]
Sep 10 18:16:34 titanium sendmail[16982]: h8AGGY6p016982: to=yahel@redbend.com, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30123, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (h8AGGYSe016987 Message accepted for delivery)
Sep 10 18:16:34 titanium MailScanner[16963]: Sender Warnings: Delivered 1 warnings to virus senders

Thanks,

From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 11 10:30:28 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:54 2006 Subject: OT: Sobig EOL ? In-Reply-To: <20030910162328.3f0124f6.kim@schulz.dk> References: <20030910162328.3f0124f6.kim@schulz.dk> Message-ID: <200309110930.h8B9UXR11824@agate.rockstone.co.uk> On Wednesday 10 September 2003 3:23 pm, Kim Schulz wrote: > On Wed, 10 Sep 2003 10:14:09 -0400 Matthew Bowman wrote: > > > Sobig.F end of life is/was today? > > > > I've seen a massive reduction in sobig.f detections which is a good > > thing. Anyone else seeing that too? > > yes it is supposed to die today. Lets see if it actually happens. Well, I must say I'm not seeing any great reduction in them yet :( I run a lightly loaded mail server handling several domains, but one of those domains in particular has been getting very heavily hit by Sobig since it first started. I've seen a gradual reduction over the past couple of weeks, presumably as people have cleaned their machines up, but I've seen no great decrease over the past 24-48 hours. Still getting something like 500 a day (which, thankfully, is 10% of what it was when it first started). I would speculate that the idiots who still have Sobig on their machines may have the clock set to the wrong date, except that Sobig sets the clock right for them.... Oh well, Antony. -- If at first you don't succeed, destroy all the evidence that you tried. From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 11 10:34:02 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:54 2006
Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972
In-Reply-To:
References:
Message-ID: <200309110934.h8B9Y6R11841@agate.rockstone.co.uk>

On Thursday 11 September 2003 10:18 am, Yahel Ron wrote:

> Hi,
>
> I noticed that sometimes when I paste an html page into an email message
> Mailscanner would mark this as a virus (but no virus or attachment is
> there).
>
> What do you suggest I do in order to solve this problem?

I suggest you don't paste html into email messages :)

Seriously, though - why are you doing that? The 'dangerous html content' checks will only get triggered if you paste in some potentially dangerous html - it won't pick up on plain markup tags or hyperlinks.

If you need to send somebody some strange html because you're designing web pages etc then I suggest you put it in a .zip or .gz file and send it like that.

Regards,

Antony.

--
You can spend the whole of your life trying to be popular, but at the end of the day the size of the crowd at your funeral will be largely dictated by the weather. - Frank Skinner

From mk at quadstone.com Thu Sep 11 10:41:48 2003
From: mk at quadstone.com (Michael Keightley) Date: Thu Jan 12 21:19:54 2006 Subject: Installed DCC, but is MS/SA using it? Message-ID: <20030911094148.GA14976@quadstone.com> I installed dcc-dccproc-1.2.6 on our MailScanner machine. Opened the outgoing port on our Firewall. Running "cdcc 'info'" gives the result below, so everything seems ok. I uncommented these lines in spam.assassin.prefs.conf: score DCC_CHECK 0.0 dcc_path /usr/local/bin/dccproc How do I know if DCC is working? No spam is getting any DCC scores added. % cdcc 'info' # 09/11/03 10:40:51 BST /home/dcc/map # Re-resolve names after 12:37:59 Check RTTs after 10:53:00 # 155.44 ms threshold, 190.09 ms average 12 total, 11 working servers IPv6 off dcc1.dcc-servers.net,- RTT+0 ms anon # 38.144.80.31- Servercave ID 1183 # 100% of 2 requests ok 522.09+0 ms RTT 3292 ms queue wait # 137.118.60.88- neonova ID 1127 # 100% of 2 requests ok 367.33+0 ms RTT 161 ms queue wait # 153.19.44.233- WEiAPG ID 1072 # 100% of 3 requests ok 2063.16+0 ms RTT 351 ms queue wait # 194.85.132.210- SPAMCHECK.NET ID 1168 # 100% of 2 requests ok 308.35+0 ms RTT 202 ms queue wait # * 194.109.153.82- NIET ID 1080 # 100% of 2 requests ok 147.78+0 ms RTT 103 ms queue wait # 198.137.254.71- Misty ID 1170 # 100% of 2 requests ok 1493.88+0 ms RTT 128 ms queue wait # 203.147.165.193- MessageCare ID 1108 # 100% of 2 requests ok 770.98+0 ms RTT 58 ms queue wait # 206.169.162.65- servers ID 1049 # 100% of 2 requests ok 348.03+0 ms RTT 131 ms queue wait # 212.95.66.23- SdV ID 1179 # 100% of 2 requests ok 155.44+0 ms RTT 108 ms queue wait # 216.240.97.63- dmv.com ID 1181 # 100% of 2 requests ok 213.80+0 ms RTT 104 ms queue wait # 216.244.192.216- SINECTIS ID 1114 # 100% of 2 requests ok 406.95+0 ms RTT 124 ms queue wait dcc2.dcc-servers.net,- RTT+0 ms anon dcc3.dcc-servers.net,- RTT+0 ms anon dcc4.dcc-servers.net,- RTT+0 ms anon dcc5.dcc-servers.net,- RTT+0 ms anon 127.0.0.1,- RTT-1000 ms 32768 1777851062x234 # 127.0.0.1- # not answering 
################ # 09/11/03 10:40:51 BST GreyList /home/dcc/map # Re-resolve names after 12:38:00 # 1 total, 0 working servers 127.0.0.1,- Greylist 32768 1777851062x234 # 127.0.0.1- # not answering -- Michael Keightley Tel: +44 131 240 3137 Systems Manager, Quadstone Limited, Fax: +44 131 220 4492 16 Chester Street, Edinburgh EH3 7RA, Scotland http://www.quadstone.com From David.While at UCE.AC.UK Thu Sep 11 10:44:42 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:19:54 2006 Subject: Installed DCC, but is MS/SA using it? Message-ID: <107DE25EC0216C45AEF670016024245F6F29@exchangea.staff.uce.ac.uk> I think you should leave the first line commented out - SpamAssassin won't use a rule if it has a score of 0. Also make sure that the dcc_path does indeed point to dccproc. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -----Original Message----- 
From: Michael Keightley [mailto:mk@QUADSTONE.COM] Sent: 11 September 2003 10:42 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Installed DCC, but is MS/SA using it? I installed dcc-dccproc-1.2.6 on our MailScanner machine. Opened the outgoing port on our Firewall. Running "cdcc 'info'" gives the result below, so everything seems ok. I uncommented these lines in spam.assassin.prefs.conf: score DCC_CHECK 0.0 dcc_path /usr/local/bin/dccproc How do I know if DCC is working? No spam is getting any DCC scores added.
From Kevin.Spicer at BMRB.CO.UK Thu Sep 11 10:45:11 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:54 2006 Subject: Installed DCC, but is MS/SA using it? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496C4@pascal.priv.bmrb.co.uk> Michael Keightley wrote: > How do I know if DCC is working? No spam is getting any DCC scores > added. Check that you've not got it turned off in spam.assassin.prefs.conf, then... Check the output of spamassassin -D --lint --config-file=/etc/MailScanner/spam.assassin.prefs.conf BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From yahel at REDBEND.COM Thu Sep 11 10:50:00 2003 From: yahel at REDBEND.COM (Yahel Ron) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 Message-ID: How can i tell Mailscanner not to do this kind of test? From michele at BLACKNIGHTSOLUTIONS.COM Thu Sep 11 10:56:09 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: Message-ID: <200309110956.h8B9u1605601@camelot.blacknightsolutions.com> Read through the configuration file. You can tell it to ignore a lot of these things Mr. Michele Neylon Blacknight Solutions http://www.blacknightsolutions.ie/ Probably the cheapest ie's in Ireland Tel. +353 (0)59 9139897 Fax. +353 (0)59 9139897 > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Yahel Ron > Sent: 11 September 2003 10:50 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Content Checks: Detected HTML-specic exploits in > h8AGGVSe016972 > > How can i tell Mailscanner not to do this kind of test? > > ######################################################### This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited. From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 11 10:56:13 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: References: Message-ID: <200309110956.h8B9uIR11921@agate.rockstone.co.uk> On Thursday 11 September 2003 10:50 am, Yahel Ron wrote: > How can i tell Mailscanner not to do this kind of test? Depending on which test your html is triggering on, Allow IFrame Tags = yes or Allow Object Codebase Tags = yes Antony. -- Mahatma Gandhi was once asked what he thought of Western Civilisation. He replied, "That would be a very good idea." From dot at DOTAT.AT Thu Sep 11 11:24:13 2003 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:54 2006 Subject: OT: Sobig EOL ? In-Reply-To: Message-ID: Matthew Bowman wrote: > >Sobig.F end of life is/was today?< > >I've seen a massive reduction in sobig.f detections which is a good >thing. Anyone else seeing that too? Yup. http://www.cus.cam.ac.uk/~fanf2/hermes/doc/talks/2003-09-techlinks/mgp00016.html Tony. -- f.a.n.finch http://dotat.at/ SELSEY BILL TO LYME REGIS: VARIABLE 3 OR LESS BECOMING WEST OR SOUTHWEST 4 OR 5, VEERING NORTH LATER. OCCASIONAL RAIN, CLEARING LATER. MODERATE OR GOOD. SMOOTH OR SLIGHT, OCCASIONALLY MODERATE LATER. From mikea at MIKEA.ATH.CX Thu Sep 11 12:49:23 2003 
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:19:54 2006
Subject: OT: Sobig EOL ?
In-Reply-To: ; from dot@DOTAT.AT on Thu, Sep 11, 2003 at 11:24:13AM +0100
References:
Message-ID: <20030911064923.A4622@mikea.ath.cx>

On Thu, Sep 11, 2003 at 11:24:13AM +0100, Tony Finch wrote:
> Matthew Bowman wrote:
> >
> >Sobig.F end of life is/was today?<
> >
> >I've seen a massive reduction in sobig.f detections which is a good
> >thing. Anyone else seeing that too?
>
> Yup.
>
> http://www.cus.cam.ac.uk/~fanf2/hermes/doc/talks/2003-09-techlinks/mgp00016.html

Massive reduction is correct. 8-day stats:

         Mails   spamassassin     rejected        scanner         total mails
         Total   says 'spam'      by ruleset      says virus      undelivered
Sep 10   6495    1777 (27.36%)    418 ( 6.44%)      15 ( 0.23%)   2210 (34.03%)
Sep  9   6605    1785 (27.02%)    411 ( 6.22%)     439 ( 6.65%)   2635 (39.89%)
Sep  8   7100    1551 (21.85%)    456 ( 6.42%)    1017 (14.32%)   3024 (42.59%)
Sep  7   2734    1053 (38.51%)    181 ( 6.62%)     390 (14.26%)   1624 (59.40%)
Sep  6   2764    1144 (41.39%)    196 ( 7.09%)     303 (10.96%)   1643 (59.44%)
Sep  5   5555    1450 (26.10%)    447 ( 8.05%)     363 ( 6.53%)   2260 (40.68%)
Sep  4   6629    1815 (27.38%)    499 ( 7.53%)     412 ( 6.22%)   2726 (41.12%)
Sep  3   6194    1543 (24.91%)    471 ( 7.60%)     651 (10.51%)   2665 (43.03%)

Most of yesterday's are Klez-with-Iframe, which produces _two_ "FOUND", and so the real number of viruses sent in to work is 8 for yesterday.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From jaearick at COLBY.EDU Thu Sep 11 12:49:50 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:19:54 2006 Subject: MS 4.23-11: buglet in update_virus_scanners In-Reply-To: <5.2.1.1.2.20030911040829.031b7dd0@imap.ecs.soton.ac.uk> References: <3F5F9273.8070302@ucgbook.com> <3F5F9273.8070302@ucgbook.com> <5.2.1.1.2.20030911040829.031b7dd0@imap.ecs.soton.ac.uk> Message-ID: Julian, I did a "find / -name '*rpm*' -print" on my Solaris box, and the only thing I discovered was that Solaris 9 has the rpm2cpio command to convert Red Hat rpm packages into cpio format. I didn't know that. But I'm a tarfile/source code guy anyway. No stinkin' rpm files in my setup. And I don't use f-secure. --- Jeff On Thu, 11 Sep 2003, Julian Field wrote: > Date: Thu, 11 Sep 2003 04:10:31 +0100 > From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MS 4.23-11: buglet in update_virus_scanners > > Have you made sure there aren't any .rpmnew files in the > /usr/lib/MailScanner directory? The f-secure-wrapper and > f-secure-autoupdate scripts should support all the command line options > necessary. > If you are convinced otherwise, please let me know. > > At 22:23 10/09/2003, you wrote: > >Hi, > > Yes, I too saw the same thing and just commented out the f-secure > >line in virus.scanners.conf. Similar setup: SunFire V1280, Sol 9, > >MailScanner 4.23-11, sophossavi 3.72, clamav 0.60, SpamAssassin 2.60, > >Razor. > > > >--- Jeff > > > >On Wed, 10 Sep 2003, Peter Bonivart wrote: > > > > > Date: Wed, 10 Sep 2003 23:06:59 +0200 
> > > From: Peter Bonivart > > > Reply-To: MAILSCANNER@JISCMAIL.AC.UK > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: MS 4.23-11: buglet in update_virus_scanners > > > > > > Fixed the grep thing but had another small problem with the update > > > script. I got an error from the F-secure test. It correctly identified > > > only Clam being installed but it erred on F-secure. I did some tests and > > > found this line to be at fault (however I don't know why): > > > > > > if ${WRAPPER} "${PACKAGEDIR}" -IsItInstalled > > > > > > I removed the F-secure line from the virus list and all was well. I > > > don't see why the F-secure line was any different. Anyone else having this? > > > > > > /Peter Bonivart > > > > > > --Unix lovers do it in the Sun > > > > > > Sun Fire V210, Solaris 9, MailScanner 4.23-11, SpamAssassin 2.55, ClamAV > > > 20030829 > > > > > > >At 13:56 08/09/2003, you wrote: > > > >>Julian, > > > >> I just upgraded from 4.22-5 to 4.23-11, and update_virus_scanners > > > >>gagged the first time cron ran it on my Solaris 9 box. It turns out > > > >>the /usr/bin/grep on Sun does not support the "-e" option, while > > > >>GNU grep (/usr/local/bin on my box) or /usr/xpg4/bin/grep does. > > > >>So I had to tweak my copy to use GNU grep. I don't how you want to > > > >>fix this for all permutations of grep. What a pain. > > > > > > > >It seems to be just a Solaris problem at the moment, I have already > > > >added a > > > >bit extra to the script so that it puts /usr/xpg4/bin (or is it > > > >/usr/bin/xpg4) in the path before /usr/bin so that the correct > > version >of > > > >grep is found. You don't need the GNU version, the xpg4 version is > > > just >fine. > > > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > From chris at TRUDEAU.ORG Thu Sep 11 13:01:38 2003 
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:19:54 2006
Subject: mysql logging issues]
References: <1592.202.180.106.54.1063250825.squirrel@webmail.roamad.com>
Message-ID: <004a01c3785c$74aee850$ca17000a@ATLCPW13671>

Take a look here:

http://sourceforge.net/projects/mailwatch/

Mailwatch uses a different SQL logging function that is called from a separate module. It works well from everything I have seen. Steve has also built a decent PHP front end that produces some JPGraph plotted graphs and such. Instead of three separate tables message related detail is all in a single table, with other relevant information in the other adjoining tables.

Maybe this project will help you?...just a thought.

CT

----- Original Message -----
From: "Brent Addis"
To:
Sent: Wednesday, September 10, 2003 11:27 PM
Subject: [Fwd: mysql logging issues]

> Hey there.
>
> I'm new to the list, and had a quick look through the archives and couldn't
> find much on it.
> I'm having a few problems getting mailscanner logging to an sql database.
>
> For some reason mailscanner insists on putting NULL into mysql rather than
> what the results should have been.
> IE:
>
> 155 Query INSERT INTO maillog_mail (time, msg_id, size, from_user, from_domain, subject, clientip, archives, isspam, ishighspam, sascore, spamreport) VALUES ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL')
> 156 Query INSERT INTO maillog_mail (time, msg_id, size, from_user, from_domain, subject, clientip, archives, isspam, ishighspam, sascore, spamreport) VALUES ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL')
> 155 Quit
> 156 Quit
> 157 Query INSERT INTO maillog_mail (time, msg_id, size, from_user, from_domain, subject, clientip, archives, isspam, ishighspam, sascore, spamreport) VALUES ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL')
> 157 Quit
>
> mysql> SELECT time, msg_id, size, from_user, from_domain FROM
> maillog_mail;
> +----------------+--------+------+-----------+-------------+
> | time           | msg_id | size | from_user | from_domain |
> +----------------+--------+------+-----------+-------------+
> | 00000000000000 | NULL   |    0 | NULL      | NULL        |
> +----------------+--------+------+-----------+-------------+
> 1 row in set (0.00 sec)
>
> I am using version 4.23-11.
>
> To create the tables I used a slightly modified version of what comes
> with mailscanner in the readme-sql. I had to remove the binary part from
> the msg_id lines as it would not work. I don't see that causing the
> current problems I am seeing however. Everything else was followed as
> per.
>
> I also had to alter the CustomConfig.pm, as it had the wrong ip address
> entered, and also needed a password:
>
> use DBI;
>
> # Create database connection
> my($dbh);
> $dbh = DBI->connect("DBI:mysql:mailscanner:localhost",
> "mailscanner", "password",
> {'PrintError' => 0})
>
> Is there somewhere I have to actually specify what to log? I have not yet
> been able to find out exactly what it requires.
> Any help would be appreciated.
>
> Thanks.
>
> --
> Brent Addis
> Systems Administrator
> RoamAD

From chris at TRUDEAU.ORG Thu Sep 11 13:03:09 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:19:54 2006
Subject: Feature request
References: <3F5F9B07.6000500@ucgbook.com> <1063256752.3f6002b013904@webmail.resume.com>
Message-ID: <005501c3785c$ab575ea0$ca17000a@ATLCPW13671>

Your company planning on releasing the source of this frontend?

CT

----- Original Message -----
From: "Errol Neal"
To:
Sent: Thursday, September 11, 2003 1:05 AM
Subject: Re: Feature request

> My company is beginning development of a client-side interface for use with
> MailScanner. Just a simple web-based interface for our client that have spam
> and virus filtering added to their existing mail service can configure their
> unique options such as bounce back messages, white lists, blacklists and etc.
> They will also be able to view any quarantined spam/viri through this interface.
> Webmin provides a lot of this functionality already. Borrowing from that will
> make our job a lot easier.
>
> Errol
>
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/

From gerry at dorfam.ca Thu Sep 11 12:02:58 2003
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:19:54 2006 Subject: SpamAssassin can't add? In-Reply-To: <200309110824.h8B8OQR11617@agate.rockstone.co.uk> References: <75FEDC422E2309419A9303E7B18F206E04DB5AF6@eqmail1.efni.vpn> <1783.10.0.10.1.1063257402.squirrel@tiger.dorfam.ca> <200309110824.h8B8OQR11617@agate.rockstone.co.uk> Message-ID: <3110.10.0.10.1.1063278178.squirrel@tiger.dorfam.ca> > On Thursday 11 September 2003 6:16 am, Gerry Doris wrote: > >> > SpamAssassin (score=5.2, required 5, AWL 0.00, NO_REAL_NAME 1.15, >> > OPPORTUNITY 0.68) >> > >> > Now, unless this is some bizarre form of math I've never seen before, >> > something just doesn't seem right ;-) > >> I have had the same problem for ages. I have tried running with >> MailScanner calling SpamAssassin and with procmail calling SpamAssassin. >> The scores don't add up when MailScanner calls SA. They do add up when >> SA >> is called from procmail or when SA is run separately (ie passing the >> sample-spam.txt message to SA from the command line). > > It would be interesting to push the same message through SA in these two > ways > and see what the difference in score assignments is: > > - do the scores 0.00 in one method count as something else in the other > method? > > - are the individual scores for the tests the same, and only the total > comes > out differently? > > I wonder if perhaps SA is getting confused about whether it should be > using > its local/network/plain/Bayes scores because of the way MS calls it? > > Antony. I ran the message through MS + SA and then processed the message through procmail + SA. The scores were different. I didn't have the 0.0 scores in the second pass through SA but the totals were the same. Gerry From joshua.hirsh at PARTNERSOLUTIONS.CA Thu Sep 11 14:31:05 2003 
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:19:54 2006 Subject: SpamAssassin can't add? Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5AF7@eqmail1.efni.vpn> I've just been combing through my logs. It looks like in my case AWL (Auto-Whitelist) always turns up with a score of 0.00, even though it is added to the final total. I sent the same message through SA manually with auto-whitelist enabled and it reported a score for AWL where it was listed as 0 previously. Now then.. is this an SA problem or a MS problem? Is anyone else having problems with AWL showing up as 0 when it shouldn't? Cheers, -Joshua From david at PLATFORMHOSTING.COM Thu Sep 11 14:35:25 2003 
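The addition the posters above did by hand, as an added Python example (not MailScanner or SpamAssassin code): it parses the report string quoted in the thread, compares the listed rule scores with the reported total within rounding tolerance, and names the rules shown as 0.00 when the total is not accounted for. The function names and the second sample line are constructed for illustration.

```python
import re
from decimal import Decimal, InvalidOperation

# Matches the summary format quoted in the thread:
#   SpamAssassin (score=5.2, required 5, AWL 0.00, NO_REAL_NAME 1.15, ...)
REPORT_RE = re.compile(r"SpamAssassin \(([^)]*)\)")


def _half_ulp(value):
    """Half a unit in the last printed digit: 5.2 -> 0.05, 1.15 -> 0.005."""
    return Decimal(1).scaleb(value.as_tuple().exponent) / 2


def parse_report(text):
    """Return (score, required, [(rule, shown_score), ...]) or None."""
    match = REPORT_RE.search(text)
    if match is None:
        return None
    score = required = None
    rules = []
    for field in (f.strip() for f in match.group(1).split(",")):
        if field.startswith("score="):
            score = Decimal(field[len("score="):])
        elif field.startswith("required"):
            required = Decimal(field.split()[-1])
        else:
            name, _, value = field.rpartition(" ")
            try:
                shown = Decimal(value)
            except InvalidOperation:
                continue  # a flag without a number carries no score
            if name:
                rules.append((name, shown))
    if score is None:
        return None
    return score, required, rules


def audit(text):
    """Check whether the listed rule scores account for the reported total."""
    parsed = parse_report(text)
    if parsed is None:
        return None
    score, _required, rules = parsed
    listed = sum((shown for _, shown in rules), Decimal(0))
    gap = score - listed
    # Every printed number is rounded, so allow half a unit in the last
    # place of the total plus the same for each listed rule.
    tolerance = _half_ulp(score) + sum(
        (_half_ulp(shown) for _, shown in rules), Decimal(0))
    return {
        "listed_sum": listed,
        "gap": gap,
        "consistent": abs(gap) <= tolerance,
        # Rules displayed as zero are the first place to look when the
        # total is larger than the visible contributions.
        "shown_as_zero": [name for name, shown in rules if shown == 0],
    }


def inconsistent_reports(lines):
    """Return (line, audit result) for every report whose total is unexplained."""
    results = []
    for line in lines:
        result = audit(line)
        if result is not None and not result["consistent"]:
            results.append((line, result))
    return results


# First line is the report quoted in the thread; the second is constructed.
SAMPLE_REPORTS = [
    "SpamAssassin (score=5.2, required 5, AWL 0.00, NO_REAL_NAME 1.15, "
    "OPPORTUNITY 0.68)",
    "SpamAssassin (score=1.8, required 5, NO_REAL_NAME 1.15, OPPORTUNITY 0.68)",
]

if __name__ == "__main__":
    for line, result in inconsistent_reports(SAMPLE_REPORTS):
        print(line)
        print("  unexplained:", result["gap"],
              "shown as zero:", result["shown_as_zero"])
```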
From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:19:54 2006 Subject: OT: Sobig EOL ? In-Reply-To: <200309110930.h8B9UXR11824@agate.rockstone.co.uk> References: <20030910162328.3f0124f6.kim@schulz.dk> <200309110930.h8B9UXR11824@agate.rockstone.co.uk> Message-ID: <3F607A1D.2070701@platformhosting.com> We are barely seeing any Sobig traffic. Our last one was 16 hours ago. Now we're seeing more Klez than ever before however?! -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com Antony Stone wrote: > On Wednesday 10 September 2003 3:23 pm, Kim Schulz wrote: > > >>On Wed, 10 Sep 2003 10:14:09 -0400 Matthew Bowman wrote: >> >> >>>Sobig.F end of life is/was today? >>> >>>I've seen a massive reduction in sobig.f detections which is a good >>>thing. Anyone else seeing that too? >> >>yes it is supposed to die today. Lets see if it actually happens. > > > Well, I must say I'm not seeing any great reduction in them yet :( > > I run a lightly loaded mail server handling several domains, but one of those > domains in particular has been getting very heavily hit by Sobig since it > first started. > > I've seen a gradual reduction over the past couple of weeks, presumably as > people have cleaned their machines up, but I've seen no great decrease over > the past 24-48 hours. Still getting something like 500 a day (which, > thankfully, is 10% of what it was when it first started). > > I would speculate that the idiots who still have Sobig on their machines may > have the clock set to the wrong date, except that Sobig sets the clock right > for them.... > > Oh well, > > Antony. > > -- > > If at first you don't succeed, destroy all the evidence that you tried. ======================================================================== This message has been scanned for spam & viruses by Mail Security. 
To report SPAM forward the message to: spam@mailsecurity.net.au
Report incorrectly tagged messages to: notspam@mailsecurity.net.au
Mail Security www.mailsecurity.net.au
========================================================================

From raymond at PROLOCATION.NET Thu Sep 11 14:36:49 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:54 2006
Subject: OT: Sobig EOL ?
In-Reply-To: <3F607A1D.2070701@platformhosting.com>
Message-ID:

Hi!

> We are barely seeing any Sobig traffic.
>
> Our last one was 16 hours ago. Now we're seeing more Klez than ever
> before however?!

Same here, and a new one is coming up in our stats : W32/Gibe.B@mm

Bye,
Raymond.

From david at PLATFORMHOSTING.COM Thu Sep 11 14:39:04 2003
From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <200309110934.h8B9Y6R11841@agate.rockstone.co.uk> References: <200309110934.h8B9Y6R11841@agate.rockstone.co.uk> Message-ID: <3F607AF8.90906@platformhosting.com> Antony Stone wrote: > I suggest you don't paste html into email messages :) Spoken like a true technician! > Seriously, though - why are you doing that? The 'dangerous html content' > checks will only get triggered if you paste in some potentially dangerous > html - it won't pick up on plain markup tags or hyperlinks. > > If you need to send somebody some strange html because you're designing web > pages etc then I suggest you put it in a .zip or .gz file and send it like > that. Come on!! we all have customers and those customers do tend to try doing anything that they can do to make life hard for us! This is hardly a practical solution. We have quite a few legitimate messages a day blocked by this rule, it actually wound up being such a problem that we had to disable it. What _exactly_ is this rule looking for? And if this is a commonly exploited thing, why are so many large mailing lists actually using that code in their mailouts? -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com ======================================================================== This message has been scanned for spam & viruses by Mail Security. To report SPAM forward the message to: spam@mailsecurity.net.au Report incorrectly tagged messages to: notspam@mailsecurity.net.au Mail Security www.mailsecurity.net.au ======================================================================== From kevins at BMRB.CO.UK Thu Sep 11 14:44:14 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:54 2006 Subject: SpamAssassin can't add? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7B15@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B15@pascal.priv.bmrb.co.uk> Message-ID: <1063287854.4691.49.camel@bach.kevinspicer.co.uk> On Thu, 2003-09-11 at 14:31, Hirsh, Joshua wrote: > I've just been combing through my logs. It looks like in my case AWL >(Auto-Whitelist) always turns up with a score of 0.00, even though it >is >added to the final total. I sent the same message through SA manually >with >auto-whitelist enabled and it reported a score for AWL where it was >listed >as 0 previously. You should turn auto-whitelisting off with MailScanner, see the archives for the reason. [basically AWL only works properly when used on a per-user basis] BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kim at SCHULZ.DK Thu Sep 11 14:54:40 2003 
From: kim at SCHULZ.DK (Kim Schulz)
Date: Thu Jan 12 21:19:54 2006
Subject: OT: Sobig EOL ?
In-Reply-To:
References: <3F607A1D.2070701@platformhosting.com>
Message-ID: <20030911155440.1bdca404.kim@schulz.dk>

On Thu, 11 Sep 2003 15:36:49 +0200 Raymond Dijkxhoorn wrote:

> Hi!
>
> > We are barely seeing any Sobig traffic.
> >
> > Our last one was 16 hours ago. Now we're seeing more Klez than ever
> > before however?!
>
> Same here, and a new one is coming up in our stats : W32/Gibe.B@mm
>
> Bye,
> Raymond.

Two newcomers here that have hit top10 of viruses here within the last 24 hours:
W32/Dumaro.A@mm
W32/Ganda.A@mm

From kevins at BMRB.CO.UK Thu Sep 11 14:58:53 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:54 2006
Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7B18@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B18@pascal.priv.bmrb.co.uk>
Message-ID: <1063288733.4690.64.camel@bach.kevinspicer.co.uk>

On Thu, 2003-09-11 at 14:39, David Hooton wrote:
>What _exactly_ is this rule looking for? And if this is a commonly
>exploited thing, why are so many large mailing lists actually using that
>code in their mailouts?

There are three types of html tags that are picked up...

object codebase and iframe tags, often used by viruses to try and get Outlook to run an attachment without the user's intervention.

form tags - there have recently been a spate of scams which work by persuading gullible users to enter personal details (such as credit cards, passwords) into forms in email messages.

My approach is to strip html from all incoming messages of these types, and block outgoing messages. The principle being that often the essential information is still communicated by a stripped message (for the few that are actually anything important) and that blocking outgoing mail that breaks the rules is better than having our mails stripped or blocked by the recipient's mail server, as it allows the internal sender to reformat in a way they control.

My only issue with this is that I'd rather there was a smart html stripper [no jokes about smart strippers please!] which only removed the offending tags.

I'd also like some way to remove web bugs from email, without having to strip all html.

I really don't see the point of sending web-pages by email, isn't that the point of having the web? Of course, if I had my way, I'd block all attachments.
BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From joshua.hirsh at PARTNERSOLUTIONS.CA Thu Sep 11 14:56:17 2003 From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:19:54 2006 Subject: SpamAssassin can't add? Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5AF8@eqmail1.efni.vpn> Doh. I must have missed that message. Thanks for the help. -Joshua -----Original Message----- From: Kevin Spicer [mailto:kevins@BMRB.CO.UK] Sent: Thursday, September 11, 2003 9:44 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin can't add? You should turn auto-whitelisting off with MailScanner, see the archives for the reason. [basically AWL only works properly when used on a per-user basis] From david at PLATFORMHOSTING.COM Thu Sep 11 15:05:09 2003 
From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <1063288733.4690.64.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B18@pascal.priv.bmrb.co.uk> <1063288733.4690.64.camel@bach.kevinspicer.co.uk> Message-ID: <3F608115.4060805@platformhosting.com> Kevin Spicer wrote: > My only issue with this is that I'd rather there was a smart html > stripper [no jokes about smart strippers please!] which only removed the > offending tags. Agreed, perhaps "neutering" - ala the tags rather than converting the whole message would be a cleaner solution. > I'd also like some way to remove web bugs from email, without having to > strip all html. Again - would be tidy and I can't imagine overly hard to do if you've got the smarts to code the HTML to text conversion.. > I really don't see the point of sending web-pages by email, isn't that > the point of having the web. Of course, if I had my way, I'd block all > attachments. Of course the web is supposed to be pretty and email is supposed to be email, but whilever mail clients can do something, users are going to want to do it! I love mailscanner, maybe a few of these little tweaks might help me love it more! Julian - a virtual case of beer for you and anyone else who's contributed! -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com ======================================================================== This message has been scanned for spam & viruses by Mail Security. To report SPAM forward the message to: spam@mailsecurity.net.au Report incorrectly tagged messages to: notspam@mailsecurity.net.au Mail Security www.mailsecurity.net.au ======================================================================== From raymond at PROLOCATION.NET Thu Sep 11 15:06:15 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <3F608115.4060805@platformhosting.com> Message-ID: Hi! > > My only issue with this is that I'd rather there was a smart html > > stripper [no jokes about smart strippers please!] which only removed the > > offending tags. > > Agreed, perhaps "neutering" - ala the tags rather > than converting the whole message would be a cleaner solution. Then use the HTML->TEXT ones =) Bye, Raymond. From kevins at BMRB.CO.UK Thu Sep 11 15:07:11 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:54 2006 Subject: SpamAssassin can't add? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7B1C@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B1C@pascal.priv.bmrb.co.uk> Message-ID: <1063289231.4691.66.camel@bach.kevinspicer.co.uk> On Thu, 2003-09-11 at 14:56, Hirsh, Joshua wrote: >Doh. I must have missed that message. I was a _long_ time ago! BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mikea at MIKEA.ATH.CX Thu Sep 11 15:08:23 2003 
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <3F607AF8.90906@platformhosting.com>; from david@PLATFORMHOSTING.COM on Thu, Sep 11, 2003 at 11:39:04PM +1000 References: <200309110934.h8B9Y6R11841@agate.rockstone.co.uk> <3F607AF8.90906@platformhosting.com> Message-ID: <20030911090823.B4931@mikea.ath.cx> On Thu, Sep 11, 2003 at 11:39:04PM +1000, David Hooton wrote: > Antony Stone wrote: > > I suggest you don't paste html into email messages :) > > Spoken like a true technician! > > > Seriously, though - why are you doing that? The 'dangerous html content' > > checks will only get triggered if you paste in some potentially dangerous > > html - it won't pick up on plain markup tags or hyperlinks. > > > > If you need to send somebody some strange html because you're designing web > > pages etc then I suggest you put it in a .zip or .gz file and send it like > > that. > > Come on!! we all have customers and those customers do tend to try doing > anything that they can do to make life hard for us! This is hardly a > practical solution. > > We have quite a few legitimate messages a day blocked by this rule, it > actually wound up being such a problem that we had to disable it. > > What _exactly_ is this rule looking for? And if this is a commonly > exploited thing, why are so many large mailing lists actually using that > code in their mailouts? There are some HTML thingies (to use a Perlism) that can invoke arbitrary programs; these include the ones caught by the "dangerous HTML content" rules. But as far as I can see, they're only dangerous if you're running a mailer that is stupid enough to let them do these things -- e.g., Outlook, Outlook Express, and their ilk. A friend came up with a statement that describes the behavior of these mailers very exactly: If books were designed by Microsoft, the Anarchist's Cookbook would explode when you read it. -- Mark W. 
Schumann To the best of my knowledge, other mailers (e.g., Eudora, Lotus Notes, etc.) don't do this, and so it may be less unsafe -- but still not necessarily *safe* -- to let these HTML thingies through if you can be sure that the MUA is not Outlook or Outlook Express. Note that I'm working from memory, and I may have missed some details, but I think and hope I have the major details right. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From kevins at BMRB.CO.UK Thu Sep 11 15:08:39 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7B1E@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B1E@pascal.priv.bmrb.co.uk> Message-ID: <1063289319.4691.68.camel@bach.kevinspicer.co.uk> On Thu, 2003-09-11 at 15:06, Raymond Dijkxhoorn wrote: >Then use the HTML->TEXT ones =) Raymond, could you explain what you mean by that please. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From raymond at PROLOCATION.NET Thu Sep 11 15:12:04 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <1063289319.4691.68.camel@bach.kevinspicer.co.uk> Message-ID: Hi! > >Then use the HTML->TEXT ones =) > > Raymond, could you explain what you mean by that please. If you dont want those tags use the HTML -> TEXT conversion options. =) And dont forget the smiley there. I personally hate HTML crapo in mails. Bye, Raymond. From kevins at BMRB.CO.UK Thu Sep 11 15:15:09 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7B20@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B20@pascal.priv.bmrb.co.uk> Message-ID: <1063289709.4690.75.camel@bach.kevinspicer.co.uk> On Thu, 2003-09-11 at 15:08, mikea wrote: > as far as I can see, they're only dangerous >if you're running a mailer that is stupid enough to let them do these >things -- e.g., Outlook, Outlook Express, and their ilk. I think that (certainly in a corporate environment like mine) it is best to block any outgoing mail which is likely to be blocked, filtered or altered by a large number of receiving servers. My reasoning to users always centers around "Many sites block mails of that type, you don't want your clients getting notified that we tried to send them mail that may have contained a virus, do you..." By blocking content that other mail filters are likely to find objectionable I protect my company from presenting itself in an unprofessional way through the format of its email. Thats my story & I'm sticking to it! BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From yahel at REDBEND.COM Thu Sep 11 15:18:55 2003 
From: yahel at REDBEND.COM (Yahel Ron) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 Message-ID: Thanks a lot to Antony and to everyone that tried to help. From kevins at BMRB.CO.UK Thu Sep 11 15:23:58 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7B22@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B22@pascal.priv.bmrb.co.uk> Message-ID: <1063290239.4691.85.camel@bach.kevinspicer.co.uk> On Thu, 2003-09-11 at 15:12, Raymond Dijkxhoorn wrote: >> >Then use the HTML->TEXT ones =) >> >> Raymond, could you explain what you mean by that please. >If you dont want those tags use the HTML -> TEXT conversion options. Thats what I thought you meant. What I was actually trying to say was that the current html stripping option has some drawbacks and that I would have less hassle about it from users if it only stripped the offending tags. I agree that html in emails is not desirable, but whether you or I hate it is immaterial, we're stuck with it. [ oh yes... =( ] The issue is how walk the fine line of dealing with potential problems without being a complete BOFH and getting our users backs up (which is generally not great for job security). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 11 15:28:39 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: References: Message-ID: <200309111428.h8BESjR12625@agate.rockstone.co.uk> On Thursday 11 September 2003 3:18 pm, Yahel Ron wrote: > Thanks a lot to Antony and to everyone that tried to help. I find the distinction there between me, and the people who tried to help, quite amusing :) Well done :) Antony. -- Agnostics do not believe in God. Atheists believe there is no God. Does that make me an agnostic atheist if I do not believe there is no God? From raymond at PROLOCATION.NET Thu Sep 11 15:29:56 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <1063290239.4691.85.camel@bach.kevinspicer.co.uk> Message-ID: Hi! > I agree that html in emails is not desirable, but whether you or I hate > it is immaterial, we're stuck with it. [ oh yes... =( ] > The issue is how walk the fine line of dealing with potential problems > without being a complete BOFH and getting our users backs up (which is > generally not great for job security). Personally i love the BOFH approach :) http://bofh.ntk.net/Bastard.html But i guess most of my customers dont. Bye, Raymond. From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 11 15:33:31 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:54 2006
Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972
In-Reply-To: <1063288733.4690.64.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B18@pascal.priv.bmrb.co.uk> <1063288733.4690.64.camel@bach.kevinspicer.co.uk>
Message-ID: <200309111433.h8BEXdR12648@agate.rockstone.co.uk>

On Thursday 11 September 2003 2:58 pm, Kevin Spicer wrote:

> My approach is to strip html from all incoming messages of these types,
> and block outgoing messages. The principle being that often the
> essential information is still communicated by a stripped message (for
> the few that are actually anything important) and that blocking outgoing
> mail that breaks the rules is better than having our mails stripped or
> blocked by the recipients mail server, as it allows the internal sender
> to reformat in a way they control.
>
> My only issue with this is that I'd rather there was a smart html
> stripper [no jokes about smart strippers please!] which only removed the
> offending tags.

Surely this is precisely what "Convert Dangerous HTML to Text = yes" is for?

Or am I misunderstanding that MS option?

Antony.

--
It suddenly dawns on the observer that there is no end to the creativity that these mindless hackers can come up with.
 - Kevin Kelly, Out of Control

From mailscanner at LISTS.COM.AR Thu Sep 11 15:34:47 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:54 2006
Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972
In-Reply-To: <20030911090823.B4931@mikea.ath.cx>
References: <3F607AF8.90906@platformhosting.com>; from david@PLATFORMHOSTING.COM on Thu, Sep 11, 2003 at 11:39:04PM +1000
Message-ID: <3F605DD7.22150.A574A7B@localhost>

On 11 Sep 2003 at 9:08, mikea wrote:

> > > I suggest you don't paste html into email messages :)
> > Spoken like a true technician!

He sure did!

>
> There are some HTML thingies (to use a Perlism) that can invoke
> arbitrary programs; these include the ones caught by the "dangerous
> HTML content" rules. But as far as I can see, they're only dangerous
> if you're running a mailer that is stupid enough to let them do these
> things -- e.g., Outlook, Outlook Express, and their ilk. A friend came
> up with a statement that describes the behavior of these mailers very
> exactly:
>
> If books were designed by Microsoft, the Anarchist's
> Cookbook would explode when you read it.
>
> -- Mark W. Schumann

Loved this quote... I just added it to my file of auto-added quotes for my signature (if you or Mark Schumann don't oppose) :-)

>
> To the best of my knowledge, other mailers (e.g., Eudora, Lotus Notes,
> etc.) don't do this, and so it may be less unsafe -- but still not
> necessarily *safe* -- to let these HTML thingies through if you can be
> sure that the MUA is not Outlook or Outlook Express.

The point is that the more stubborn and mindless the user, the higher the probability that (s)he _demands_ to use OE 'cause (s)he is used to it and it is _definitely_ better to his/her mind... what's more, for sure (s)he has OE configured to use HTML by default with a 50Kb gif as background :-(

--
Mariano Absatz
El Baby
----------------------------------------------------------
It's hard to be humble when you're perfect.

From ugob at CAMO-ROUTE.COM Thu Sep 11 15:36:29 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 Message-ID: <54C38A0B814C8E438EF73FC76F3629273034AC@mtlnt501fs.CAMOROUTE.COM> >> I think he means that he would like to have the HTML cleaned from harmful tags, but without converting into text. Ugo Surely this is precisely what "Convert Dangerous HTML to Text = yes" is for? Or am I misunderstanding that MS option? Antony. -- From david at PLATFORMHOSTING.COM Thu Sep 11 15:37:44 2003 
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:19:54 2006
Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972
In-Reply-To: <200309111433.h8BEXdR12648@agate.rockstone.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B18@pascal.priv.bmrb.co.uk> <1063288733.4690.64.camel@bach.kevinspicer.co.uk> <200309111433.h8BEXdR12648@agate.rockstone.co.uk>
Message-ID: <3F6088B8.8070706@platformhosting.com>

Antony Stone wrote:

>>My only issue with this is that I'd rather there was a smart html
>>stripper [no jokes about smart strippers please!] which only removed the
>>offending tags.

> Surely this is precisely what "Convert Dangerous HTML to Text = yes" is for?
> Or am I misunderstanding that MS option?

Don't think he objects to that feature, merely its implementation.

If the was neutered rather than totally converting the message to text, users would still get the majority of their pretty message. I have users object pretty loudly to getting an email in text when it's normally in HTML.

If the was commented out or replaced with maybe they would be happier :)

--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

========================================================================
This message has been scanned for spam & viruses by Mail Security.
To report SPAM forward the message to: spam@mailsecurity.net.au
Report incorrectly tagged messages to: notspam@mailsecurity.net.au
Mail Security www.mailsecurity.net.au
========================================================================

From dh at UPTIME.AT Thu Sep 11 15:38:36 2003
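A tag-level filter of the kind asked for in this thread, as an added example (it is not MailScanner code and not from any poster): it drops only the tag types the thread names (iframe, form and its controls, object with codebase), plus script, script-bearing attributes and 1x1 remote images, and leaves the rest of the HTML in place. The function names, the web-bug heuristic and the sample body are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Tags dropped while the text between them is kept (and filtered like the rest).
DROP_TAGS = {"iframe", "form", "input", "select", "option", "textarea", "button", "param", "embed", "applet"}
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "param", "wbr"}
URL_ATTRS = {"href", "src", "action", "background"}


def is_script_url(value):
    # Browsers ignore whitespace and control characters inside the scheme.
    compact = "".join(ch for ch in (value or "") if ch > " ").lower()
    return compact.startswith(("javascript:", "vbscript:"))


def is_web_bug(attrs):
    # Heuristic chosen for this example: remote image of 0 or 1 pixel both ways.
    a = dict(attrs)
    return (a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            and (a.get("src") or "").strip().lower().startswith(("http://", "https://")))


class TagNeuter(HTMLParser):
    """Re-emits HTML minus the offending tags; comments are not copied."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # pieces of the cleaned document
        self.removed = []   # what was taken out, e.g. for a log line
        self.in_script = self.in_style = False
        self.objects = []   # per open <object>: was its start tag dropped?

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.removed.append("script")
            return
        if tag == "object":
            dropped = any(name == "codebase" for name, _ in attrs)
            self.objects.append(dropped)
            if dropped:
                self.removed.append("object codebase")
                return
        elif tag in DROP_TAGS or (tag == "img" and is_web_bug(attrs)):
            self.removed.append("web bug" if tag == "img" else tag)
            return
        kept = [tag]
        for name, value in attrs:
            if name.startswith("on") or (name in URL_ATTRS and is_script_url(value)):
                self.removed.append(f"{tag}@{name}")   # event handler or script URL
            elif value is None:
                kept.append(name)
            else:
                kept.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(kept) + ">")
        self.in_style = tag == "style"

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:            # <br/> must not become <br></br>
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif tag == "object" and (not self.objects or self.objects.pop()):
            pass                            # its start tag was dropped too
        elif tag not in DROP_TAGS:
            self.in_style = False
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.in_style:                   # CSS is raw text; make sure no tag can start
            self.out.append(data.replace("<", ""))
        elif not self.in_script:            # script bodies are discarded
            self.out.append(escape(data, quote=False))


def neuter_html(html_text):
    parser = TagNeuter()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.removed


SAMPLE = (                                  # constructed; hosts are placeholders
    '<html><body onload="x()"><p>Quarterly <b>newsletter</b> &amp; offers</p>'
    '<iframe src="http://host.example/a" width="0" height="0"></iframe>'
    '<object codebase="http://host.example/b" classid="clsid:0">fallback</object>'
    '<form action="http://host.example/c">Card number: <input name="cc"></form>'
    '<script>document.write("<form>")</script>'
    '<img src="http://host.example/o.gif?id=42" width="1" height="1">'
    '<a href="java\tscript:x()">click</a> <a href="http://www.example.org/">site</a>'
    '</body></html>'
)

if __name__ == "__main__":
    print(*neuter_html(SAMPLE), sep="\n")
```

The `removed` list gives the scanner something to log or to decide a subject tag on; inline `style` attributes and CSS content are passed through and would need their own filtering.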
From: dh at UPTIME.AT (David) Date: Thu Jan 12 21:19:54 2006 Subject: OT: Is there Interest in a "recently seen Viruses Mailing list" Message-ID: Hello all. There has been a discussion on focus-virus@bugtraq about creating a blacklist for virus sending hosts. Personally I do not believe that is the way to go. It might help some of us though if we knew what the "big fishes" are seeing. Not all of us process a million mails daily and those high volume mail servers might be bound to seeing virus trends way before the smaller ones do. So I was wondering if there is interest in a Mailing list where MailScanner administrators could post some Virus statistics in a certain Interval. Maybe a Web Based system like incidents.org might help as well. I think it would be good to have something like an early warning system (Yes I know there are several but still, this would be very Mail+viri specific) Anyone that is interested , please do contact me off list -d -- nee amata wo mitsukete soshite midoto wasrezu domma mi mumega itakutemo soba mi iru mo zutto...zutto...zutto -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 186 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030911/82628e0f/attachment.bin From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 11 15:39:08 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <3F605DD7.22150.A574A7B@localhost> References: <3F607AF8.90906@platformhosting.com> <3F605DD7.22150.A574A7B@localhost> Message-ID: <200309111439.h8BEdFR12652@agate.rockstone.co.uk> On Thursday 11 September 2003 3:34 pm, Mariano Absatz wrote: > El 11 Sep 2003 a las 9:08, mikea escribi?: > > > > I suggest you don't paste html into email messages :) > > > Spoken like a true technician! > He sure did! And proud of it :) > > If books were designed by Microsoft, the Anarchist's > > Cookbook would explode when you read it. > > > > -- Mark W. Schumann > > Loved this quote... I just added to my file of auto-added quotes for my > signature (if you or Mark Schumann don't oppose) Me too ! Antony -- If you want to be happy for an hour, get drunk. If you want to be happy for a year, get married. If you want to be happy for a lifetime, get a garden. From mikea at MIKEA.ATH.CX Thu Sep 11 15:41:49 2003 
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <200309111439.h8BEdFR12652@agate.rockstone.co.uk>; from Antony@SOFT-SOLUTIONS.CO.UK on Thu, Sep 11, 2003 at 03:39:08PM +0100 References: <3F607AF8.90906@platformhosting.com> <3F605DD7.22150.A574A7B@localhost> <200309111439.h8BEdFR12652@agate.rockstone.co.uk> Message-ID: <20030911094149.B5251@mikea.ath.cx> On Thu, Sep 11, 2003 at 03:39:08PM +0100, Antony Stone wrote: > On Thursday 11 September 2003 3:34 pm, Mariano Absatz wrote: > > > El 11 Sep 2003 a las 9:08, mikea escribi?: > > > > > I suggest you don't paste html into email messages :) > > > > Spoken like a true technician! > > He sure did! > > And proud of it :) > > > > If books were designed by Microsoft, the Anarchist's > > > Cookbook would explode when you read it. > > > > > > -- Mark W. Schumann > > > > Loved this quote... I just added to my file of auto-added quotes for my > > signature (if you or Mark Schumann don't oppose) > > Me too ! It has been in common use by a great many people for more than a year, and I think that Mark wouldn't object. Certainly I don't. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From kevins at BMRB.CO.UK Thu Sep 11 16:08:13 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:54 2006
Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7B2A@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B2A@pascal.priv.bmrb.co.uk>
Message-ID: <1063292894.4691.94.camel@bach.kevinspicer.co.uk>

On Thu, 2003-09-11 at 15:36, Ugo Bellavance wrote:
>>> I think he means that he would like to have the HTML cleaned from harmful tags, but without converting into text.
>Ugo
>Surely this is precisely what "Convert Dangerous HTML to Text = yes" is
>for?
>Or am I misunderstanding that MS option?

"Convert Dangerous HTML to Text" converts the _entire_ html message to text if any of the objectionable tags are found. What I was suggesting was that a better filter would only remove the dangerous/objectionable tags. This however is not as simple as it sounds, and there are all sorts of things that need thinking about, for example it's possible to create a form (or other html content) using embedded javascript etc. therefore all script content should be removed etc. etc.

By the way I'm not 'objecting' to the current implementation as someone suggested, for the most part it works well and has definitely stopped some otherwise dangerous content. I'm just saying that a more involved process may improve the user experience.

Personally I'm thinking about applying a ruleset so all my incoming messages get converted to text, which might stop the exchange admin bothering me about the size of my mailbox so often!

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately.
Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at LISTS.COM.AR Thu Sep 11 16:08:33 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:54 2006 Subject: SOLVED Filename Subject Text vs. Content Subject Text In-Reply-To: <5.2.1.1.2.20030911041325.031e2ea8@imap.ecs.soton.ac.uk> References: <3F5EFE4C.8567.4F9FECB@localhost> Message-ID: <3F6065C1.4730.A7637EC@localhost> Great! thanx. BTW, you did notice the new Spanish translations I sent in http://tinyurl.com/n09l did you? I was away for half a way after that and only noticed a thread about the rightness (or wrongness) of sending archive attachments to the list. Anyway, the tgz archive seems to have made it even to the list archive, so you can take it from there... next time, I'll upload it and post the URL. Regards. El 11 Sep 2003 a las 4:13, Julian Field escribi?: > Done. Thanks for that. > > At 14:34 10/09/2003, you wrote: > >Alright... I look at the code and the bug is quite trivial. > > > >The following patch solves it: > > > >===================================CUT HERE================================== > >--- Message.pm.orig Wed Sep 10 10:27:53 2003 > >+++ Message.pm Wed Sep 10 10:29:45 2003 
> >@@ -1923,7 +1923,7 @@ > > !$this->{nameinfected} && # They want the tagging & not already tagged > > !$global::MS->{mta}->TextStartsHeader($this, 'Subject:', > > $contenttag)) > >{ > > if (MailScanner::Config::Value('contentprependsubject',$this)) { > >- $global::MS->{mta}->PrependHeader($this, 'Subject:', $nametag, ' '); > >+ $global::MS->{mta}->PrependHeader($this, 'Subject:', $contenttag, ' > >'); > > $subjectchanged = 1; > > } > > } else { > >===================================CUT HERE================================== > > > >Julian, > > > >would you apply it to the next release? > > > > > > > >El 9 Sep 2003 a las 23:43, Ulysees escribi?: > > > > > I'm getting the same thing, MS 4.23-11 no SA and any mail being caught with > > > a html form is coming up with filename? > > > > > > uly > > > > > > ----- Original Message ----- 
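Review bot: The replacement `PrependHeader` line in this hunk has been wrapped by the mail client (the `' '` separator argument is split across two quoted lines, and the `{` after the `TextStartsHeader` condition has also dropped onto its own line), so the diff will not apply as posted and a literal retype would put a line break inside the subject separator; make the one-token change from `$nametag` to `$contenttag` by hand, or resend the diff as an attachment. The context stops at `} else {`, so the branch taken when `contentprependsubject` is off is not visible here; it is worth confirming that it also passes `$contenttag`, since the same copy-and-paste slip there would produce the same wrong subject text.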
> > > From: "Mariano Absatz"
> > > To:
> > > Sent: Tuesday, September 09, 2003 10:35 PM
> > > Subject: [MAILSCANNER] Filename Subject Text vs. Content Subject Text
> > >
> > >
> > > Hi,
> > >
> > > I'm using MS 4.23-11 with SA 2.55.
> > >
> > > It seems MS is somehow confusing "Filename Subject Text" "Content Subject
> > > Text".
> > >
> > > I have the following settings:
> > > Allow IFrame Tags = no
> > > Log IFrame Tags = yes
> > > Allow Form Tags = no
> > > Allow Object Codebase Tags = no
> > > Filename Modify Subject = no
> > > Filename Subject Text = {Nombre de archivo anexo prohibido}
> > > Content Modify Subject = yes
> > > Content Subject Text = {Contenido potencialmente peligroso}
> > >
> > > And, when getting a message with IFrame, it added the "Filename Subject
> > > Text" instead of the "Content Subject Text" I expected.
> > >
> > > Here's the log:
> > >
> > > Sep 5 14:43:51 or MX[4995]: New Batch: Scanning 1 messages, 43452 bytes
> > > Sep 5 14:43:51 or MX[4995]: Spam Checks: Starting
> > > Sep 5 14:43:54 or MX[4995]: Virus and Content Scanning: Starting
> > > Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-156.html
> > > (no rule matched)
> > > Sep 5 14:43:54 or MX[4995]: Filename Checks: Allowing msg-4995-155.txt
> > > Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-155.txt
> > > Sep 5 14:43:54 or MX[4995]: Filetype Checks: Allowing msg-4995-156.html
> > > Sep 5 14:43:54 or MX[4995]: HTML IFrame tag found in message 1221617 from
> > > boletininformar@redinformar.com.ar
> > > Sep 5 14:43:54 or MX[4995]: Content Checks: Detected HTML-specific
> > > exploits in 1221617
> > > Sep 5 14:43:54 or MX[4995]: Content Checks: Found 1 problems
> > > Sep 5 14:43:54 or MX[4995]: ZM: message 1221617 renamed into 1156463
> > > Sep 5 14:43:54 or MX[4995]: Silent: Delivered 1 messages containing silent
> > > viruses
> > >
> > >
> > > And the modified was:
> > > {Nombre de archivo anexo prohibido} RI-Boletín Informar Computación: Año 1 -
> > > Número 51 - SEPTIEMBRE 5, 2003
> > >
> > >
> > > Are these entries mixed up?

--
Mariano Absatz
El Baby
----------------------------------------------------------
Ever notice how fast Windows runs? Neither did I.

From christo at IT4AFRICA.CO.ZA Thu Sep 11 16:24:50 2003
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:19:54 2006
Subject: File size exceeded but attachment not removed.
Message-ID: <006f01c37878$d7aaf5e0$660210ac@christo>

MS conf file entry.

Maximum Message Size = %rules-dir%/messagesize.rule

I have the following rule file for message size limits that I'm testing.

FromOrTo: agtvl@* 50000
FromOrTo: default 10000000

I see the message has been picked up as too big when I send a 64K attachment. Postmaster gets the message that it has been blocked. The sender gets the message that it has been blocked, but the receiver gets the warning message with the attached 64K file instead of the VirusWarning.txt Warning message to it.

I'm running MS 4.23.11 on RH9 with Sendmail 8.12.9

Any ideas?

Christo

Disclaimer
----------------
This message and any attachment/s are confidential and intended solely for the addressee.
If you have received this message in error, please notify AG Industries Limited immediately.
Any unauthorised use, alteration or dissemination is prohibited.
Whilst every effort has been made to ensure no viruses are present in this e-mail and/or attachments, we strongly recommend that you subject this e-mail and attachment/s to your own virus checking procedures prior to opening.
AG Industries Limited accepts no liability whatsoever for any loss, whether direct, indirect or consequential, arising from information made available and actions resulting there from.
Messages sent via this medium may be subject to delays, non-delivery and unauthorised alteration.
Any recipient of an unacceptable communication, a chain letter or offensive material of any nature is requested to report it to Postmaster@ag-industries.com

From xpoint at JUNC.ORG Thu Sep 11 16:37:19 2003
From: xpoint at JUNC.ORG (Benny Pedersen) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <1063290239.4691.85.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B22@pascal.priv.bmrb.co.uk> <1063290239.4691.85.camel@bach.kevinspicer.co.uk> Message-ID: <3F6096AF.10306@junc.org> Kevin Spicer wrote: > without being a complete BOFH and getting our users backs up (which is > generally not great for job security). is it not posible to make convert html to text into a rules set with do convert html on maillist to text dito, i like if stripped make the html inline with the text part if both a sent, or only the html part strib the text part, most of us do not need both, but can sometimes be fun :-) and the rule set default to not convert the rest, it should work, no ? ps: maybe the maillist it self would change to use a maillist server that strips mime :-) From mbowman at UDCOM.COM Thu Sep 11 16:33:55 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:19:54 2006 Subject: By Domain White/Black list Question Message-ID: An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030911/a0ead357/attachment.html From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 11 16:44:33 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:54 2006 Subject: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 In-Reply-To: <3F6096AF.10306@junc.org> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B22@pascal.priv.bmrb.co.uk> <1063290239.4691.85.camel@bach.kevinspicer.co.uk> <3F6096AF.10306@junc.org> Message-ID: <200309111544.h8BFid512541@onyx.rockstone.co.uk> On Thursday 11 September 2003 4:37 pm, Benny Pedersen wrote: > ps: maybe the maillist it self would change to use a maillist server > that strips mime :-) Yes please! Antony :) -- If you think you see a Heffalump in a trap, make sure it isn't really a Bear with an empty honey jar stuck on his head. From Y.Hodson at BCUC.AC.UK Thu Sep 11 17:07:53 2003 From: Y.Hodson at BCUC.AC.UK (Yvonne Hodson) Date: Thu Jan 12 21:19:54 2006 Subject: Filetype Rules Message-ID: On Tue, 2 Sep 2003 14:21:41 +0300, Nerijus Baliunas wrote: >No. >I commented that line out, and it works now, but there is still probably a bug. > >On Tue, 2 Sep 2003 08:59:30 +0100 Julian Field wrote: > >> Check you haven't got a >> ConfigDefs.pl.rpmnew in /usr/lib/MailScanner/MailScanner. >> >> At 03:16 02/09/2003, you wrote: >> >Hello, >> > >> >according to the comment in MailScanner.conf I set >> >Filetype Rules = >> >i.e. I deleted everything from the = (" %etc-dir%/filetype.rules.conf") >> > >> >But then MailScanner does not start: >> >Syntax error(s) in configuration file: >> >Unrecognised keyword "filetyperules" at line 443 >> >Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf. Hi, I get the same syntax error message as Nerijus on starting up Version 4.23-11 with Filetype Rules = in the conf. This is on Solaris 2.6 There is no ConfigDefs.pl.rpmnew as I've used the tar install. This is the first Version 4 on my system. Any other suggestions please. Yvonne Hodson BCUC From jaearick at COLBY.EDU Thu Sep 11 18:34:39 2003 
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:19:54 2006
Subject: Whoa!! "Virus Scan failed" What?
Message-ID:

Julian,

I had these two interesting cases today (grepped from my email syslogs):

(16)> grep h8BGdlAn026143 0
Sep 11 12:39:52 basalt sendmail[26143]: [ID 801593 mail.info] h8BGdlAn026143: from=, size=210808, class=0, nrcpts=1, msgid=<001301c37883$3f382980$a56fa8c0@aliyahpc3>, proto=ESMTP, daemon=MTA, relay=server.jazo.org.il [194.90.65.90]
Sep 11 12:40:07 basalt <22>MailScanner[17224]: ERROR:: Virus scan failed (514):: ./h8BGdlAn026143/.pdf
Sep 11 12:40:08 basalt sendmail[26278]: [ID 801593 mail.info] h8BGdlAn026143: to=, delay=00:00:21, xdelay=00:00:00, mailer=local, pri=120593, dsn=2.0.0, stat=Sent
Sep 11 12:40:08 basalt sendmail[26278]: [ID 801593 mail.info] h8BGdlAn026143: done; delay=00:00:21, ntries=1

[basalt:root:/var/adm/syslog] (17)> grep h8BGgEAn027104 0
Sep 11 12:42:19 basalt sendmail[27104]: [ID 801593 mail.info] h8BGgEAn027104: from=, size=210808, class=0, nrcpts=1, msgid=<000501c37883$3f3395a0$a56fa8c0@aliyahpc3>, proto=ESMTP, daemon=MTA, relay=server.jazo.org.il [194.90.65.90]
Sep 11 12:42:31 basalt <22>MailScanner[17224]: ERROR:: Virus scan failed (514):: ./h8BGgEAn027104/.pdf
Sep 11 12:42:32 basalt sendmail[27239]: [ID 801593 mail.info] h8BGgEAn027104: to=, delay=00:00:18, xdelay=00:00:00, mailer=local, pri=120593, dsn=2.0.0, stat=Sent
Sep 11 12:42:32 basalt sendmail[27239]: [ID 801593 mail.info] h8BGgEAn027104: done; delay=00:00:18, ntries=1

Whoa... The virus scan failed, so the email got delivered? This seems like a Bad Thing (tm).

Setup: SunFire V1280, Solaris 9, MS 4.23-11, SA 2.60, Razor. Using sophossavi (sophos 3.72), clamav 0.60.

Is this something to worry about? Searching my syslogs, this has happened a few times over the past week+, meaning both MS 4.23-11 and 4.22-5.

--- Jeff

From kevins at BMRB.CO.UK Thu Sep 11 19:01:27 2003
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:54 2006 Subject: Whoa!! "Virus Scan failed" What? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7B36@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B36@pascal.priv.bmrb.co.uk> Message-ID: <1063303287.4691.122.camel@bach.kevinspicer.co.uk> On Thu, 2003-09-11 at 18:34, Jeff A. Earickson wrote: >Sep 11 12:40:07 basalt <22>MailScanner[17224]: ERROR:: Virus scan >failed >(514):: ./h8BGdlAn026143/.pdf This has been discussed in the last few days, there are certain pdfs Sophos has problems with. >Whoa... The virus scan failed, so the email got delivered? This seems >like a Bad Thing (tm). It might also seem like a bad thing if a regular update screwed your scanner and so all mail was rejected? You're running clam too, which presumably didn't fail and returned a clean result? I think the answer is to run multiple scanners, but I'd be interested in knowing the logic here. We know that any scanner finds a virus the mail is 'infected', but presumably if one fails to scan but the other one doesn't find anything it assumes clean? That seems sensible to me. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From TGFurnish at HERFF-JONES.COM Thu Sep 11 19:12:49 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:54 2006
Subject: Defang'ing HTML - was RE: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1BD8@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
> Sent: Thursday, September 11, 2003 10:08 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Content Checks: Detected HTML-specic exploits in h8AGGVSe016972 {Scanned by HJMS}
>
>
> On Thu, 2003-09-11 at 15:36, Ugo Bellavance wrote:
>
> >>> I think he means that he would like to have the HTML cleaned from harmful tags, but without converting into text.
>
> >Ugo
>
> >Surely this is precisely what "Convert Dangerous HTML to Text = yes" is for?
> >Or am I misunderstanding that MS option?
>
> "Convert Dangerous HTML to Text" converts the _entire_ html message to text if any of the objectionable tags are found. What I was suggesting was that a better filter would only remove the dangerous/objectionable tags. This however is not as simple as it sounds, and there are all sorts of things that need thinking about, for example it's possible to create a form (or other html content) using embedded javascript etc. therefore all script content should be removed etc. etc.

Completely agreed here - I would much, much, MUCH rather have a list of tags that I can "defang" and customize as I see fit. These tags would just get some predictable string prepended to them (which also ought to be customizable). For example, if the defang string were "Defanged_by_HJMS_", and I put "form" and "script" on my list of tags to defang, then these tags:

...would get turned into these tags:

Then really knowledgeable people can even re-fang a file (as long as it didn't originally include a string matching the defang string).

This defanging is one of the features I miss from the procmail filter I used to run:
http://www.impsec.org/email-tools/procmail-security.html

To be fair though I haven't even *tried* MS's HTML conversion stuff yet since I thought it would strip the entire message, which is absolutely NOT what I need.

From errol.neal at ENHTECH.COM Thu Sep 11 19:55:30 2003
From: errol.neal at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:19:54 2006
Subject: OT: Is there Interest in a "recently seen Viruses Mailing list"
In-Reply-To:
Message-ID: <5.1.0.14.0.20030911145454.0468df28@mail.enhtech.com>

At 04:38 PM 9/11/2003 +0200, you wrote:
>Hello all.
>
>There has been a discussion on focus-virus@bugtraq about creating a
>blacklist for virus sending hosts. Personally I do not believe that is the
>way to go.
>
>It might help some of us though if we knew what the "big fishes" are
>seeing. Not all of us process a million mails daily and those high volume
>mail servers might be bound to seeing virus trends way before the smaller
>ones do.
>
>So I was wondering if there is interest in a Mailing list where
>MailScanner administrators could post some Virus statistics in a certain
>Interval. Maybe a Web Based system like incidents.org might help as well.
>I think it would be good to have something like an early warning system
>(Yes I know there are several but still, this would be very Mail+viri specific)
>
>Anyone that is interested , please do contact me off list
>
>-d
>
>-- nee amata wo mitsukete soshite midoto wasrezu
> domma mi mumega itakutemo soba mi iru mo
> zutto...zutto...zutto
>

Funny, when I saw the "OT" in the subject line. I immediately thought of Omni-Tek.. been playing too much Anarchy-Online lol

Errol

Errol Neal, Systems/Network Administrator
eneal@enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax

From Denis.Beauchemin at USHERBROOKE.CA Thu Sep 11 20:59:23 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:19:55 2006
Subject: How can I drop all emails containing an attachment for user X?
Message-ID: <1063310362.3309.1325.camel@dbeauchemin.sti.usherbrooke.ca>

Hello,

I have a user that would like not to receive any email containing an attachment (the emails are processed by a DOS program that is not very robust and prints loads of pages when it gets something not fitting its requirements).

I tried to figure out how to do it using Filename Rules, but if I block all attachments for that user (assuming I can chain rules files here), they still will be delivered... I want those emails to be dropped...

Any ideas?

Thanks again!

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 11 21:34:26 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:55 2006
Subject: How can I drop all emails containing an attachment for user X?
In-Reply-To: <1063310362.3309.1325.camel@dbeauchemin.sti.usherbrooke.ca>
References: <1063310362.3309.1325.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <200309112034.h8BKYY513620@onyx.rockstone.co.uk>

On Thursday 11 September 2003 8:59 pm, Denis Beauchemin wrote:

> Hello,
>
> I have a user that would like not to receive any email containing an
> attachment (the emails are processed by a DOS program that is not very
> robust and prints loads of pages when it gets something not fitting its
> requirements).
>
> I tried to figure out how to do it using Filename Rules, but if I block
> all attachments for that user (assuming I can chain rules files here),
> they still will be delivered... I want those emails to be dropped...
>
> Any ideas?

Er, just thinking out loud here, but wouldn't it be easier to create a SpamAssassin rule which matches the MIME header giving the details of an attachment, and then give that rule a sufficiently high score that it exceeds your Spam High Score and gets dropped (assuming that's what you do with Real Spam)? Alternatively you could try Julian's new content filtering MCP rules, looking for the same sort of thing, but bear in mind that's not even classified as alpha code yet (although saying that, I'd have a lot more confidence in Julian's alpha code than in some other vendors' delivered code...) Just my 2p, Antony. -- Most people have more than the average number of legs. From lists at TRCINTL.COM Thu Sep 11 21:54:14 2003 From: lists at TRCINTL.COM (Kyle Harris) Date: Thu Jan 12 21:19:55 2006 Subject: eTrust Virus Scanner Message-ID: I have been looking into pricing on different virus scanners and I have found something that I think others might be interested in. First, it should be noted that I have not yet used this software. I believe they do have a downloadable demo on their web site that I am about to check out. However, what is interesting is their pricing. I just got off the phone with someone at CA and have the following deal on their eTrust Antivirus 7.0 software. I think it beats just about everything else I have seen, at least on price. Here is the deal: 1 - 5 node license of eTrust Antivirus 7.0 w/3 year support @ 19.95 per license for a total of $99.75 1 - Media Kit $13.95 (Note: This is an upgrade price. They gave it to me when I told them I was currently using another product. This is also what they call their "corporate open license" (at least I think that is what she called it). It is a little better price than the retail version plus it includes the 3 year support. TOTAL $113.70 plus tax, and S&H. Here is the best part. The software runs on just about all versions of Windows, Linux, Netware, Mac, & Sun Solaris. 
Furthermore, it includes a version for Exchange Server & Lotus Notes. Plus many others. I confirmed with the sales person that I can load one copy on my Exchange Server (no cost per client), one copy on my Linux box running MailScanner, one copy on my Server (again, no per client cost), and two others. I get any upgrades that may come out for three years and all virus signature updates for life. Plus I believe Julian just added support for this product to MailScanner. Sounds like a pretty good deal to me! I'm am curious if anyone has any bad expierences with this software. From nathan at TCPNETWORKS.NET Thu Sep 11 22:13:56 2003 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:19:55 2006 Subject: eTrust Virus Scanner Message-ID: I think another posted by the name of Alan is also enamored with eTrust. They've certainly got my attention. -Nathan -----Original Message----- From: Kyle Harris [mailto:lists@TRCINTL.COM] Sent: Thu 9/11/2003 1:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: eTrust Virus Scanner I have been looking into pricing on different virus scanners and I have found something that I think others might be interested in. First, it should be noted that I have not yet used this software. I believe they do have a downloadable demo on their web site that I am about to check out. However, what is interesting is their pricing. I just got off the phone with someone at CA and have the following deal on their eTrust Antivirus 7.0 software. I think it beats just about everything else I have seen, at least on price. Here is the deal: 1 - 5 node license of eTrust Antivirus 7.0 w/3 year support @ 19.95 per license for a total of $99.75 1 - Media Kit $13.95 (Note: This is an upgrade price. They gave it to me when I told them I was currently using another product. This is also what they call their "corporate open license" (at least I think that is what she called it). 
It is a little better price than the retail version plus it includes the 3 year support. TOTAL $113.70 plus tax, and S&H. Here is the best part. The software runs on just about all versions of Windows, Linux, Netware, Mac, & Sun Solaris. Furthermore, it includes a version for Exchange Server & Lotus Notes. Plus many others. I confirmed with the sales person that I can load one copy on my Exchange Server (no cost per client), one copy on my Linux box running MailScanner, one copy on my Server (again, no per client cost), and two others. I get any upgrades that may come out for three years and all virus signature updates for life. Plus I believe Julian just added support for this product to MailScanner. Sounds like a pretty good deal to me! I'm am curious if anyone has any bad expierences with this software. From lists at TRCINTL.COM Thu Sep 11 22:49:42 2003 From: lists at TRCINTL.COM (Kyle Harris) Date: Thu Jan 12 21:19:55 2006 Subject: eTrust Virus Scanner Message-ID: I can't say I am "enamored" with it as I haven't yet used it. I just liked the price and what you get for it. Sorry I didn't catch the previous post by Alan so if this is repeated info, please disregard. From nerijus at USERS.SOURCEFORGE.NET Thu Sep 11 22:57:44 2003 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:19:55 2006 Subject: Whoa!! "Virus Scan failed" What? In-Reply-To: <1063303287.4691.122.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B36@pascal.priv.bmrb.co.uk> <1063303287.4691.122.camel@bach.kevinspicer.co.uk> Message-ID: <200309112159.h8BLxgr04541@ori.rl.ac.uk> On Thu, 11 Sep 2003 19:01:27 +0100 Kevin Spicer wrote: > >Whoa... The virus scan failed, so the email got delivered? This seems > >like a Bad Thing (tm). > > It might also seem like a bad thing if a regular update screwed your > scanner and so all mail was rejected? 
IMHO we need an option for that - I don't like to deliver mail when virus scanning fails, but others might. Regards, Nerijus From Antony at SOFT-SOLUTIONS.CO.UK Thu Sep 11 23:18:03 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:55 2006 Subject: Whoa!! "Virus Scan failed" What? In-Reply-To: <200309112159.h8BLxgr04541@ori.rl.ac.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B36@pascal.priv.bmrb.co.uk> <1063303287.4691.122.camel@bach.kevinspicer.co.uk> <200309112159.h8BLxgr04541@ori.rl.ac.uk> Message-ID: <200309112218.h8BMIA513915@onyx.rockstone.co.uk> On Thursday 11 September 2003 10:57 pm, Nerijus Baliunas wrote: > On Thu, 11 Sep 2003 19:01:27 +0100 Kevin Spicer wrote: > > >Whoa... The virus scan failed, so the email got delivered? This seems > > >like a Bad Thing (tm). > > > > It might also seem like a bad thing if a regular update screwed your > > scanner and so all mail was rejected? > > IMHO we need an option for that - I don't like to deliver mail when virus > scanning fails, but others might. I think it's worth remembering that virus scanners don't *guarantee* to identify viruses anyway, so even if scanning was successful, and the scanner says "nothing found", it just might still not be safe to deliver the email. You can be pretty sure that if your virus scanner says "I found virus XYZ", then you've got an infected file which shouldn't be delivered. But if the virus scanner says "I didn't find anything" (or if it was unsuccessful in attempting the scan) then you still can't be completely sure either way - it might be a virus, it might not. There's no way to say for certain "this is *not* a virus". I think the "unsuccessful scan" situation ought to be treated just the same as a virus scanner saying "I didn't find anything to report" - there's no reason to treat the file being scanned as infected unless another virus scanner says "I found something". 
If you get too high a proportion of files which your virus scanner can't scan, then that's a reason to change (or supplement) your virus scanner, not a reason to change MailScanner. In any case, your filename extension rules should be taking care of any files which unsuspecting users might open inadvertently - that's how several people on this list (includng myself) first started picking up Sobig.F before we had anti-virus signatures for it. Regards, Antony. -- This is not a rehearsal. This is Real Life. From jrudd at UCSC.EDU Fri Sep 12 00:55:06 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:19:55 2006 Subject: MailScanner <-> Communigate Pro Gateway Update (Re: Bounce Processing Bug) References: Message-ID: <3F610B5A.9A925920@ucsc.edu> John Rudd wrote: > > On Thursday, Sep 11, 2003, at 10:07 US/Pacific, Bret Miller wrote: > > > > > Wait... Are you sure the return path didn't get munged by MailScanner > > or > > SpamAssassin? In a normal list message the return path is different > > from > > Sender and Reply-to. Are you sure it was the same BEFORE passing > > through > > MailScanner? > > > > It shouldn't be, since all it does is add headers and preserve the > envelope information (Mail From: and Rcpt To: data). But I'll double > check that this afternoon (I'll add a subscriber whose destination > doesn't involve any mailscanner set up). > > *hangs head in shame* It wasn't a problem with MailScanner, but with my ms2cgp script not propperly preserving the envelope sender (I was deferring to the From: header, instead of putting in a return-path header). I have fixed it, and posted the new version of ms2cgp to the web page: http://people.ucsc.edu/~jrudd/MailScanner I'll also double check how this affects the behavior of the other thing I mentioned (about whether or not bounce reports are going into the listname/reports folder, in CGP). Thanks for everyone's patience (and the comments that helped me track it down). 
John From ddreid at PILOTCAT.COM Fri Sep 12 01:02:55 2003 From: ddreid at PILOTCAT.COM (Daniel D. Reid) Date: Thu Jan 12 21:19:55 2006 Subject: eTrust Virus Scanner Message-ID: >------------------------------ > >Date: Thu, 11 Sep 2003 21:54:14 +0100 >From: Kyle Harris >Subject: eTrust Virus Scanner > > >I get any upgrades that may come out for three years and all virus >signature updates for life. Plus I believe Julian just added support for >this product to MailScanner. Sounds like a pretty good deal to me! I'm am >curious if anyone has any bad expierences with this software. As we use eTrust corporate wide, this was the option I took. So far, it has worked well for us. The install is easy and MailScanner takes care of automating the signature updates. The only thing to be aware of is that unless you have Apache and some other components installed, eTrust's install script might complain. You don't have to have them installed to use just the command line scanner which is all that MailScanner needs but it is needed if you want to take advantage of eTrust's real-time monitoring features. Real-time monitoring also requires a kernel rebuild. Anyway that me two cents worth, Daniel D. Reid MIS Technical Administrator Pilot Catastrophe Services, Inc. http://www.pilotcat.com From bbutle02 at NEXUSITG.COM Fri Sep 12 01:33:20 2003 From: bbutle02 at NEXUSITG.COM (Benny Butler) Date: Thu Jan 12 21:19:55 2006 Subject: eTrust Virus Scanner Message-ID: <004b01c378c5$7ac92980$4c3b3f44@bluebird> I recently put it on one of my client's NT servers and have been very happy with it. I've been waiting for some "gotcha" on the price and haven't seen one yet. I'm about to migrate their entire organization to it, from NAV 2003. I'm sick of this yearly upgrade for NAV. The price doesn't bother me nearly as much as the fact I have to visit each machine, uninstall the old, reboot, reinstall the new,reboot, run Live Update, reboot, reboot, reboot... 
And lets not forget the cost of their server product (equivilant to an unborn child!) -----Original Message----- From: Nathan Johanson [mailto:nathan@TCPNETWORKS.NET] Sent: Thursday, September 11, 2003 4:14 PM Subject: Re: eTrust Virus Scanner I think another posted by the name of Alan is also enamored with eTrust. They've certainly got my attention. -Nathan -----Original Message----- From: Kyle Harris [mailto:lists@TRCINTL.COM] Sent: Thu 9/11/2003 1:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: eTrust Virus Scanner I have been looking into pricing on different virus scanners and I have found something that I think others might be interested in. First, it should be noted that I have not yet used this software. I believe they do have a downloadable demo on their web site that I am about to check out. However, what is interesting is their pricing. I just got off the phone with someone at CA and have the following deal on their eTrust Antivirus 7.0 software. I think it beats just about everything else I have seen, at least on price. Here is the deal: 1 - 5 node license of eTrust Antivirus 7.0 w/3 year support @ 19.95 per license for a total of $99.75 1 - Media Kit $13.95 (Note: This is an upgrade price. They gave it to me when I told them I was currently using another product. This is also what they call their "corporate open license" (at least I think that is what she called it). It is a little better price than the retail version plus it includes the 3 year support. TOTAL $113.70 plus tax, and S&H. Here is the best part. The software runs on just about all versions of Windows, Linux, Netware, Mac, & Sun Solaris. Furthermore, it includes a version for Exchange Server & Lotus Notes. Plus many others. I confirmed with the sales person that I can load one copy on my Exchange Server (no cost per client), one copy on my Linux box running MailScanner, one copy on my Server (again, no per client cost), and two others. 
I get any upgrades that may come out for three years and all virus signature updates for life. Plus I believe Julian just added support for this product to MailScanner. Sounds like a pretty good deal to me! I'm am curious if anyone has any bad expierences with this software. From mailscanner at ecs.soton.ac.uk Fri Sep 12 02:49:18 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:55 2006 Subject: Whoa!! "Virus Scan failed" What? In-Reply-To: <1063303287.4691.122.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B36@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0015A7B36@pascal.priv.bmrb.co.uk> Message-ID: <5.2.1.1.2.20030912024705.03388ec8@imap.ecs.soton.ac.uk> At 19:01 11/09/2003, you wrote: >On Thu, 2003-09-11 at 18:34, Jeff A. Earickson wrote: > > >Sep 11 12:40:07 basalt <22>MailScanner[17224]: ERROR:: Virus scan > >failed > >(514):: ./h8BGdlAn026143/.pdf > >This has been discussed in the last few days, there are certain pdfs >Sophos has problems with. > > >Whoa... The virus scan failed, so the email got delivered? This seems > >like a Bad Thing (tm). > >It might also seem like a bad thing if a regular update screwed your >scanner and so all mail was rejected? >You're running clam too, which presumably didn't fail and returned a >clean result? I think the answer is to run multiple scanners, but I'd >be interested in knowing the logic here. We know that any scanner finds >a virus the mail is 'infected', but presumably if one fails to scan but >the other one doesn't find anything it assumes clean? That seems >sensible to me. Given all the above, what would you like it to do? At the moment it logs the fact that something nasty happened, but doesn't actually remove the file from the message. I guess you would like it to be removed, am I correct? 
The snag is that with SophosSAVI you can't specify the "allowed error messages" so all files it didn't like (such as quite a lot of non-Acrobat-generated PDF files) would always get trapped. Let me know your thoughts... -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Sep 12 02:44:27 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:55 2006 Subject: File size exceeded but attachment not removed. In-Reply-To: <006f01c37878$d7aaf5e0$660210ac@christo> Message-ID: <5.2.1.1.2.20030912024249.033bb3a0@imap.ecs.soton.ac.uk> Let me test this out tomorrow morning, and I'll get back to you. At 16:24 11/09/2003, you wrote: >MS conf file entry. > >Maximum Message Size = %rules-dir%/messagesize.rule >I have the following rule file for message size limits that I'm testing. >FromOrTo: agtvl@* 50000 >FromOrTo: default 10000000 >I see the message has been picked up as to big when I send a 64K >attachment. Postmaster get the message that it has been blocked. The >sender get the message that it has been blocked, but the receiver get the >warning message with the attached 64K file instead of the VirusWarning.txt >Warning message to it. > >I'm running MS 4.23.11 on RH9 with Sendmail 8.12.9 > >Any ideas? > >Christo >Disclaimer ---------------- > >This message and any attachment/s are confidential and intended solely for >the addressee. >If you have received this message in error, please notify AG Industries >Limited immediately. >Any unauthorised use, alteration or dissemination is prohibited. >Whilst every effort has been made to ensure no viruses are present in this >e-mail and/or attachments, we strongly recommend that you subject this >e-mail and attachment/s to your own virus checking procedures prior to opening. 
>AG Industries Limited accepts no liability whatsoever for any loss, >whether direct, indirect or consequential, arising from information made >available and actions resulting there from. >Messages sent via this medium may be subject to delays, non-delivery and >unauthorised alteration. >Any recipient of an unacceptable communication, a chain letter or >offensive material of any nature is requested to report it to >Postmaster@ag-industries.com -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Sep 12 02:51:31 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:55 2006 Subject: Whoa!! "Virus Scan failed" What? In-Reply-To: <200309112159.h8BLxgr04541@ori.rl.ac.uk> References: <1063303287.4691.122.camel@bach.kevinspicer.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0015A7B36@pascal.priv.bmrb.co.uk> <1063303287.4691.122.camel@bach.kevinspicer.co.uk> Message-ID: <5.2.1.1.2.20030912025105.03332e40@imap.ecs.soton.ac.uk> At 22:57 11/09/2003, you wrote: >On Thu, 11 Sep 2003 19:01:27 +0100 Kevin Spicer wrote: > > > >Whoa... The virus scan failed, so the email got delivered? This seems > > >like a Bad Thing (tm). > > > > It might also seem like a bad thing if a regular update screwed your > > scanner and so all mail was rejected? > >IMHO we need an option for that - I don't like to deliver mail when virus >scanning fails, but others might. Why do I feel configuration option number n+1 coming into existence...? 
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From forbes at HGIGA.COM Fri Sep 12 03:49:22 2003
From: forbes at HGIGA.COM (forbes)
Date: Thu Jan 12 21:19:55 2006
Subject: Notify only sender and administrator not notify to receiver
Message-ID: <002601c378d8$782dc380$ce07a8c0@forbes>

Hi

I install redhat + sendmail + mailscanner, lots of users from my company complain they receive too many virus Notification

I wondering how to set Notification only to administrator and sender in mailscanner.conf ( Never mail Notification to receiver ) ?

I would appreciate any suggestions

forbes
TEL: 03-5726899-115
FAX: 03-5727899
E-mail : forbes@hgiga.com
http://www.hgiga.com

From greyhair at GREYHAIR.NET Fri Sep 12 04:59:00 2003
From: greyhair at GREYHAIR.NET (Greyhair)
Date: Thu Jan 12 21:19:55 2006
Subject: n+1 Re: Re: Whoa!! "Virus Scan failed" What?
Message-ID: <003601c378e2$360560d0$3704010a@laptop>

I know this would be a BIG effort but...

How about an option (call it option n+1), when upon failed virus scan, the file is stripped from the message and saved as "user@emailaddress.com.file.name" in a temp directory. Then the admin could scan the files with an alternate method and forward to the users. (maybe a script...)

What to do with the email that had a file stripped? Either send it along with "stripped.txt" in place of the stripped file or, maybe (like AOL), do nothing... i dunno.

This IMHO would increase security, but again it would be a BIG effort (what do i know, I'm no programmer).

I think MailScanner is doing an AWESOME job!!

Thanks to the MailScanner Team!!

greyhair

>Given all the above, what would you like it to do?
At the moment it logs
>the fact that something nasty happened, but doesn't actually remove the
>file from the message. I guess you would like it to be removed, am I
>correct? The snag is that with SophosSAVI you can't specify the "allowed
>error messages" so all files it didn't like (such as quite a lot of
>non-Acrobat-generated PDF files) would always get trapped.
>
>Why do I feel configuration option number n+1 coming into existence...?

From richard.siddall at ELIRION.NET Fri Sep 12 05:10:39 2003
From: richard.siddall at ELIRION.NET (Richard Siddall)
Date: Thu Jan 12 21:19:55 2006
Subject: eTrust Virus Scanner
In-Reply-To:
References:
Message-ID: <3F61473F.40206@elirion.net>

Daniel D. Reid wrote:
[snip]
> The only thing to be aware of is that unless you have Apache and some other
> components installed, eTrust's install script might complain. You don't
> have to have them installed to use just the command line scanner which is
> all that MailScanner needs but it is needed if you want to take advantage of
> eTrust's real-time monitoring features. Real-time monitoring also requires
> a kernel rebuild.

The other thing to be aware of is that the Linux version of eTrust comes in a 37 MB .tar.Z file (most of which you don't need or use). It's a bit of a shock when you're used to F-prot RPMs of less than 2 MB.

Regards,

Richard.

From brent.addis at ROAMAD.COM Fri Sep 12 06:20:08 2003
From: brent.addis at ROAMAD.COM (Brent Addis)
Date: Thu Jan 12 21:19:55 2006
Subject: mysql logging issues]
In-Reply-To: <004a01c3785c$74aee850$ca17000a@ATLCPW13671>
References: <1592.202.180.106.54.1063250825.squirrel@webmail.roamad.com> <004a01c3785c$74aee850$ca17000a@ATLCPW13671>
Message-ID: <1318.202.180.108.108.1063344008.squirrel@webmail.roamad.com>

Hey

Thanks for the idea, however none of the download sites work, I tried it yesterday (and when I received this just in case anything's changed).
Have you got a copy at all?

I would really like to get some form of sql logging working.
It doesn't need a frontend as we can write our own (although it would be handy)

Any idea why the built in sql logging doesn't work?

Chris Trudeau said:
> Take a look here:
>
> http://sourceforge.net/projects/mailwatch/
>
> Mailwatch uses a different SQL logging function that is called from a
> separate module. It works well from everything I have seen. Steve has
> also built a decent PHP front end that produces some JPGraph plotted
> graphs and such.
>
> instead of three separate tables message related detail is all in a
> single table, with other relevant information in the other adjoining
> tables.
>
> Maybe this project will help you?...just a thought.
>
> CT
>
>
> ----- Original Message -----
> From: "Brent Addis"
> To:
> Sent: Wednesday, September 10, 2003 11:27 PM
> Subject: [Fwd: mysql logging issues]
>
>
>> Hey there.
>>
>> I'm new to the list, and had a quick look through the archives and
>> couldn't find much on it.
>> I'm having a few problems getting mailscanner logging to an sql
>> database.
>>
>> for some reason mailscanner insists on putting NULL into mysql rather
>> than what the results should have been.
>> IE:
>>
>> 155 Query INSERT INTO maillog_mail (time,
>> msg_id, size, from_user, from_domain, subject,
>> clientip, archives, isspam, ishighspam, sascore,
>> spamreport) VALUES
>>
> ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL
> ','NULL') 156 Query INSERT INTO maillog_mail
> (time,
>> msg_id, size, from_user, from_domain, subject,
>> clientip, archives, isspam, ishighspam, sascore,
>> spamreport) VALUES
>>
> ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL
> ','NULL') 155 Quit
>> 156 Quit
>> 157 Query INSERT INTO maillog_mail (time,
>> msg_id, size, from_user, from_domain, subject,
>> clientip, archives, isspam, ishighspam, sascore,
>> spamreport) VALUES
>>
> ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL
> ','NULL') 157 Quit
>>
>>
>>
>>
>> mysql> SELECT time, msg_id, size, from_user, from_domain FROM
>> maillog_mail;
>> +----------------+--------+------+-----------+-------------+
>> | time           | msg_id | size | from_user | from_domain |
>> +----------------+--------+------+-----------+-------------+
>> | 00000000000000 | NULL   |    0 | NULL      | NULL        |
>> +----------------+--------+------+-----------+-------------+
>> 1 row in set (0.00 sec)
>>
>> I am using version 4.23-11.
>>
>> To create the tables I used a slightly modified version of what comes
>> with mailscanner in the readme-sql. I had to remove the binary part
>> from the msg_id lines as it would not work. I don't see that causing
>> the current problems I am seeing however. Everything else was followed
>> as per.
>>
>> I also had to alter the CustomConfig.pm, as it had the wrong ip
>> address entered, and also needed a password:
>>
>> use DBI;
>>
>> # Create database connection
>> my($dbh);
>> $dbh = DBI->connect("DBI:mysql:mailscanner:localhost",
>> "mailscanner", "password",
>> {'PrintError' => 0})
>>
>>
>>
>> Is there somewhere I have to actually specify what to log? I have
>> unyet been able to find out exactly what it requires.
>> Any help would be appreciated.
>>
>> Thanks.
>>
>>
>>
>>
>>
>>
>> --
>> Brent Addis
>> Systems Administrator
>> RoamAD

--
Brent Addis
Systems Administrator
RoamAD

From eja at URBAKKEN.DK Fri Sep 12 06:42:01 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:19:55 2006
Subject: eTrust Virus Scanner
In-Reply-To:
References:
Message-ID: <3F615CA9.20307@urbakken.dk>

Hi.

I have seen many infos on the Virus Scanner for linux from eTrust.

But what's the name of it, and can it be found on the homepage of eTrust ?.

Daniel D. Reid wrote:
>>------------------------------
>>
>>Date: Thu, 11 Sep 2003 21:54:14 +0100
>>From: Kyle Harris
>>Subject: eTrust Virus Scanner
>>
>>
>>I get any upgrades that may come out for three years and all virus
>>signature updates for life. Plus I believe Julian just added support for
>>this product to MailScanner. Sounds like a pretty good deal to me! I'm am
>>curious if anyone has any bad experiences with this software.
>
>
> As we use eTrust corporate wide, this was the option I took. So far, it has
> worked well for us. The install is easy and MailScanner takes care of
> automating the signature updates.
>
> The only thing to be aware of is that unless you have Apache and some other
> components installed, eTrust's install script might complain. You don't
> have to have them installed to use just the command line scanner which is
> all that MailScanner needs but it is needed if you want to take advantage of
> eTrust's real-time monitoring features. Real-time monitoring also requires
> a kernel rebuild.
>
> Anyway that me two cents worth,
>
> Daniel D. Reid
> MIS Technical Administrator
> Pilot Catastrophe Services, Inc.
> http://www.pilotcat.com
>
>

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.
From JEN at AH.DK Fri Sep 12 08:01:24 2003 From: JEN at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:19:55 2006 Subject: Vedr.: Re: mysql logging issues] Message-ID: It's at http://www.sourceforge.net/projects/mailwatch now /Jan Elmwvist Nielsen >>> brent.addis@ROAMAD.COM 12-09-2003 07:20:08 >>> Hey Thanks for the idea, however none of the download sites work, I tried it yesterday (and when I received this just in case anythings changed). Have you got a copy at all? I would really like to get some form of sql logging working. It doesnt need a frontend as we can write out own (although it would be handy)Any idea why the built in sql logging doesnt work? Chris Trudeau said: > Take a look here: > > http://sourceforge.net/projects/mailwatch/ > > Mailwatch uses a different SQL loging function that is called from a > seperate module. It works well from everything I have seen. Steve has > also built a decent PHP front end that produces some JPGraph plotted > graphs and such. > > instead of three seperate tables message related detail is all in a > single table, with other relvant information in the other adjoining > tables. > > Maybe this project will hepl you?...just a thought. > > CT > > > ----- Original Message ----- > From: "Brent Addis" > To: > Sent: Wednesday, September 10, 2003 11:27 PM > Subject: [Fwd: mysql logging issues] > > >> Hey there. >> >> Im new to the list, and had a quick look through the archives and >> couldnt find much on it. >> Im having a few problems getting mailscanner logging to an sql >> database. >> >> for some reason mailscanner inists on putting NULL into mysql rather >> than what the results should have been. 
>> IE: >> >> 155 Query INSERT INTO maillog_mail (time, >> msg_id, size, from_user, from_domain, subject, >> clientip, archives, isspam, ishighspam, sascore, >> spamreport) VALUES >> > ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL> ','NULL') 156 Query INSERT INTO maillog_mail > (time, >> msg_id, size, from_user, from_domain, subject, >> clientip, archives, isspam, ishighspam, sascore, >> spamreport) VALUES >> > ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL> ','NULL') 155 Quit >> 156 Quit >> 157 Query INSERT INTO maillog_mail (time, >> msg_id, size, from_user, from_domain, subject, >> clientip, archives, isspam, ishighspam, sascore, >> spamreport) VALUES >> > ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL> ','NULL') 157 Quit >> >> >> >> >> mysql> SELECT time, msg_id, size, from_user, from_domain FROM >> maillog_mail; >> +----------------+--------+------+-----------+-------------+ >> | time | msg_id | size | from_user | from_domain | >> +----------------+--------+------+-----------+-------------+ >> | 00000000000000 | NULL | 0 | NULL | NULL | >> +----------------+--------+------+-----------+-------------+ >> 1 row in set (0.00 sec) >> >> I am using version 4.23-11. >> >> To create the tables I used a slightly modified version of what comes >> with mailscanner in the readme-sql. I had to remove the binary part >> from the msg_id lines as it would not work. I dont see that causing >> the current problems I am seeing however. Everything else was followed >> as per. >> >> I also had to alter the CustomConfig.pm, as it had the wrong ip >> address entered, and also needed a password: >> >> use DBI; >> >> # Create database connection >> my($dbh); >> $dbh = DBI->connect("DBI:mysql:mailscanner:localhost", >> "mailscanner", "password", >> {'PrintError' => 0}) >> >> >> >> Is there somewhere I have to actually speicify what to log? 
I have
>> unyet been able to find out exactly what it requires.
>> Any help would be appreciated.
>>
>> Thanks.
>>
>>
>>
>>
>>
>>
>> --
>> Brent Addis
>> Systems Administrator
>> RoamAD

--
Brent Addis
Systems Administrator
RoamAD

From JEN at AH.DK Fri Sep 12 08:17:48 2003
From: JEN at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:19:55 2006
Subject: A long gap in a name is often used to hide part of it
Message-ID:

How long has the gap to be, before MS is rejecting the attachment?

It's a .doc file

/jan Elmqvist Nielsen

From denis at IMSLTD.COM Fri Sep 12 08:58:46 2003
From: denis at IMSLTD.COM (Denis Croombs)
Date: Thu Jan 12 21:19:55 2006
Subject: Are ALL hotmail address blacklisted ?
Message-ID: <01ee01c37903$bb5c0a60$9601a8c0@cel1700>

Are ALL hotmail address blacklisted ?
Because so far I have had to go through and add a lot of valid hotmail accounts to my whitelist as they are being tagged as blacklisted but are NOT in my mailscanner blacklist and I do not use the spamassassin blacklist/whitelist.
RedHat 7.3, MS 4.22-11 SA 2.55

Many thanks

Denis

From raymond at PROLOCATION.NET Fri Sep 12 09:14:20 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:55 2006
Subject: Are ALL hotmail address blacklisted ?
In-Reply-To: <01ee01c37903$bb5c0a60$9601a8c0@cel1700>
Message-ID:

Hi!

> Are ALL hotmail address blacklisted ?
> Because so far I have had to go through and add a lot of valid hotmail
> accounts to my whitelist as they are being tagged as blacklisted but are NOT
> in my mailscanner blacklist and I do not use the spamassassin
> blacklist/whitelist.
> RedHat 7.3, MS 4.22-11 SA 2.55

Why don't you look in your logs ? It tells exactly why and what.
Turn details on spam logging on ...

Bye,
Raymond.
From kim at SCHULZ.DK Fri Sep 12 09:20:31 2003
From: kim at SCHULZ.DK (Kim Schulz)
Date: Thu Jan 12 21:19:55 2006
Subject: blacklisting of adresses at runtime
Message-ID: <20030912102031.7c0f25e1.kim@schulz.dk>

hi
is there a smart way to blacklist (entirely block) an email address/domain when MS is running without having to restart it?

setup: sendmail, MS 4.23-9, spamassassin, f-prot

From vlgm at OIEAU.FR Fri Sep 12 09:16:18 2003
From: vlgm at OIEAU.FR (Vincent LE GOUIC-MARTUN)
Date: Thu Jan 12 21:19:55 2006
Subject: 2 pbs
Message-ID: <008e01c37906$3484f800$a6b239c2@NT2.oieau.fr>

Hi every body,

I've just upgrading my server with the last mailscanner et the last spamassassin.
Now I have 2 problems (with the old versions no pb):

1) all messages are mark as spam :

Return-Path:
Received: from ruisseau.oieau.fr (ruisseau.oieau.fr [194.57.178.1])
        by ns1.oieau.fr (8.12.8/gwbitnet.cnusc.fr) with ESMTP id h8C8F9tI020690
        for ; Fri, 12 Sep 2003 10:15:09 +0200
Return-Path:
Received: from ruisseau.oieau.fr (ruisseau.oieau.fr [194.57.178.1])
        by ns1.oieau.fr (8.12.8/jtpda-5.3.1) with ESMTP id h8C8F9tI020690
        for ; Fri, 12 Sep 2003 10:15:09 +0200
Received: from PCVLGM ([194.57.178.166])
        by ruisseau.oieau.fr (8.9.1a/jtpda-5.3.1) with SMTP id IAA02944
        for ; Fri, 12 Sep 2003 08:57:37 +0100 (GMT)
Message-ID: <005501c37905$1cf34c10$a6b239c2@NT2.oieau.fr>
From: "Vincent LE GOUIC-MARTUN"
To:
Subject: {spam?} test
Date: Fri, 12 Sep 2003 10:08:00 +0200
Organization: Office International de L'Eau
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-oieau-MailScanner-Information: Contactez votre ISP pour plus de détails
X-oieau-MailScanner: Non infecté
X-oieau-MailScanner-SpamCheck: polluriel (inscrit sur la liste noire)
Status:

test de mail

@+

Vincent LE GOUIC-MARTUN
Ingénieur Sécurité, Système, Réseau
Office International de l'EAU
SNIDE
15, Rue Edouard CHAMBERLAND
87065 Limoges Cedex - France
Tel. : +33 (0) 5 55 11 47 71
Tel. mobile : +33 (0) 6 73 98 04 82
Fax. : +33 (0) 5 55 11 47 48
E-mail : v.le-gouic-martun@oieau.fr
E-mail mobile : v.le-gouic-martun@orange.fr
Web : http://www.oieau.fr

--
Ce message a été vérifié par MailScanner
pour des virus ou des polluriels et rien de
suspect n'a été trouvé.

2) When I send an email infected by a virus, the sender (me for ex) never receive a notification of virus.

Is there someone who can help me

Best regards.

Vincent LE GOUIC-MARTUN
Security, Systems and Network Engineer
Office International de l'EAU
SNIDE
15, Rue Edouard CHAMBERLAND
87065 Limoges Cedex - France
Tel. : +33 (0) 5 55 11 47 71
Tel. mobile : +33 (0) 6 73 98 04 82
Fax. : +33 (0) 5 55 11 47 48
E-mail : v.le-gouic-martun@oieau.fr
E-mail mobile : v.le-gouic-martun@orange.fr
Web : http://www.oieau.fr

From raymond at PROLOCATION.NET Fri Sep 12 09:28:59 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:55 2006
Subject: blacklisting of adresses at runtime
In-Reply-To: <20030912102031.7c0f25e1.kim@schulz.dk>
Message-ID:

Hi!

> is there a smart way to blacklist (entirely block) an email
> address/domain when MS is running without having to restart it?
>
> setup: sendmail, MS 4.23-9, spamassassin, f-prot

Can't you block that on MTA level ?
And if not, you can use MailScanner reload to reload it with the new configs.

Bye.
Raymond.
From raymond at PROLOCATION.NET Fri Sep 12 09:32:05 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:55 2006
Subject: 2 pbs
In-Reply-To: <008e01c37906$3484f800$a6b239c2@NT2.oieau.fr>
Message-ID:

Hi!

> I've just upgrading my server with the last mailscanner et the last
> spamassassin.
> Now I have 2 problems (with the old versions no pb):
>
> 1) all messages are mark as spam :

Did you remove the Osirusoft lists in both SA and MS ?
That list is dead and marking all mail as spam.

Bye,
Raymond.

From denis at IMSLTD.COM Fri Sep 12 09:35:52 2003
From: denis at IMSLTD.COM (Denis Croombs)
Date: Thu Jan 12 21:19:55 2006
Subject: Are ALL hotmail address blacklisted ?
References:
Message-ID: <021101c37908$e39025c0$9601a8c0@cel1700>

I have already done that, which is why I asked the question, but it states it is blacklisted both in the e-mail header & the maillog but I have not blacklisted any hotmail.com accounts !

Thanks

Denis

> Hi!
>
> > Are ALL hotmail address blacklisted ?
> > Because so far I have had to go through and add a lot of valid hotmail
> > accounts to my whitelist as they are being tagged as blacklisted but are NOT
> > in my mailscanner blacklist and I do not use the spamassassin
> > blacklist/whitelist.
> > RedHat 7.3, MS 4.22-11 SA 2.55
>
> Why don't you look in your logs ? It tells exactly why and what.
> Turn details on spam logging on ...
>
> Bye,
> Raymond.

From david at PLATFORMHOSTING.COM Fri Sep 12 09:59:13 2003
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:19:55 2006
Subject: virus update scripts.
In-Reply-To: <5.2.0.9.2.20030904144523.07700098@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030904144523.07700098@imap.ecs.soton.ac.uk>
Message-ID: <3F618AE1.9040707@platformhosting.com>

Julian Field wrote:
> When I ran your new version, I get this:
>
> > uvscan --version --dat .
> uvscan: error while loading shared libraries: liblnxfv.so.4: cannot open > shared object file: No such file or directory > Fetch or test failed -- removing bad McAfee data files Did we ever find a solution to this issue? I am seeing this problem now too.. -- Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com ======================================================================== This message has been scanned for spam & viruses by Mail Security. To report SPAM forward the message to: spam@mailsecurity.net.au Report incorrectly tagged messages to: notspam@mailsecurity.net.au Mail Security www.mailsecurity.net.au ======================================================================== From brent.addis at ROAMAD.COM Fri Sep 12 10:25:03 2003 From: brent.addis at ROAMAD.COM (Brent Addis) Date: Thu Jan 12 21:19:55 2006 Subject: Vedr.: Re: mysql logging issues] In-Reply-To: References: Message-ID: <2018.202.180.111.153.1063358703.squirrel@webmail.roamad.com> yes I realised that much, however if you follow the download links off the page, nothing works. check out http://prdownloads.sourceforge.net/mailwatch/mailwatch-0.3beta.tar.gz?download Jan Elmqvist Nielsen said: > It's at http://www.sourceforge.net/projects/mailwatch now > > /Jan Elmwvist Nielsen > >>>> brent.addis@ROAMAD.COM 12-09-2003 07:20:08 >>> > Hey > > Thanks for the idea, however none of the download sites work, I tried > it > yesterday (and when I received this just in case anythings changed). > Have you got a copy at all? > > I would really like to get some form of sql logging working. It doesnt > need a frontend as we can write out own (although it would be handy)Any > idea why the built in sql logging doesnt work? > > Chris Trudeau said: >> Take a look here: >> >> http://sourceforge.net/projects/mailwatch/ >> >> Mailwatch uses a different SQL loging function that is called from a >> seperate module. It works well from everything I have seen. 
Steve > has >> also built a decent PHP front end that produces some JPGraph plotted >> graphs and such. >> >> instead of three seperate tables message related detail is all in a >> single table, with other relvant information in the other adjoining >> tables. >> >> Maybe this project will hepl you?...just a thought. >> >> CT >> >> >> ----- Original Message ----- >> From: "Brent Addis" >> To: >> Sent: Wednesday, September 10, 2003 11:27 PM >> Subject: [Fwd: mysql logging issues] >> >> >>> Hey there. >>> >>> Im new to the list, and had a quick look through the archives and >>> couldnt find much on it. >>> Im having a few problems getting mailscanner logging to an sql >>> database. >>> >>> for some reason mailscanner inists on putting NULL into mysql > rather >>> than what the results should have been. >>> IE: >>> >>> 155 Query INSERT INTO maillog_mail (time, >>> msg_id, size, from_user, from_domain, subject, >>> clientip, archives, isspam, ishighspam, > sascore, >>> spamreport) VALUES >>> >> > ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL>> ','NULL') 156 Query INSERT INTO maillog_mail >> (time, >>> msg_id, size, from_user, from_domain, subject, >>> clientip, archives, isspam, ishighspam, > sascore, >>> spamreport) VALUES >>> >> > ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL>> ','NULL') 155 Quit >>> 156 Quit >>> 157 Query INSERT INTO maillog_mail (time, >>> msg_id, size, from_user, from_domain, subject, >>> clientip, archives, isspam, ishighspam, > sascore, >>> spamreport) VALUES >>> >> > ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL>> ','NULL') 157 Quit >>> >>> >>> >>> >>> mysql> SELECT time, msg_id, size, from_user, from_domain FROM >>> maillog_mail; >>> +----------------+--------+------+-----------+-------------+ >>> | time | msg_id | size | from_user | from_domain | >>> +----------------+--------+------+-----------+-------------+ >>> | 00000000000000 | NULL | 0 | NULL | 
NULL |
>>> +----------------+--------+------+-----------+-------------+
>>> 1 row in set (0.00 sec)
>>>
>>> I am using version 4.23-11.
>>>
>>> To create the tables I used a slightly modified version of what
> comes
>>> with mailscanner in the readme-sql. I had to remove the binary part
>>> from the msg_id lines as it would not work. I don't see that causing
>>> the current problems I am seeing however. Everything else was
> followed
>>> as per.
>>>
>>> I also had to alter the CustomConfig.pm, as it had the wrong ip
>>> address entered, and also needed a password:
>>>
>>> use DBI;
>>>
>>> # Create database connection
>>> my($dbh);
>>> $dbh = DBI->connect("DBI:mysql:mailscanner:localhost",
>>> "mailscanner", "password",
>>> {'PrintError' => 0})
>>>
>>>
>>>
>>> Is there somewhere I have to actually specify what to log? I have
>>> unyet been able to find out exactly what it requires.
>>> Any help would be appreciated.
>>>
>>> Thanks.
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Brent Addis
>>> Systems Administrator
>>> RoamAD
>
>
> --
> Brent Addis
> Systems Administrator
> RoamAD

--
Brent Addis
Systems Administrator
RoamAD

From vlgm at oieau.fr Fri Sep 12 10:34:23 2003
From: vlgm at oieau.fr (Vincent LE GOUIC-MARTUN)
Date: Thu Jan 12 21:19:55 2006
Subject: 2 pbs
References:
Message-ID: <00ad01c37911$1ed7f420$a6b239c2@NT2.oieau.fr>

----- Original Message -----
From: "Raymond Dijkxhoorn"
To:
Sent: Friday, September 12, 2003 10:32 AM
Subject: Re: 2 pbs

> Hi!
>
> > I've just upgrading my server with the last mailscanner et the last
> > spamassassin.
> > Now I have 2 problems (with the old versions no pb):
> >
> > 1) all messages are mark as spam :
>
> Did you remove the Osirusoft lists in both SA and MS ?
> That list is dead and marking all mail as spam.
>
> Bye,
> Raymond.

Yes the Osirusoft lists are not present !
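
Raymond's point in the "2 pbs" thread above, that a dead blacklist zone ends up marking all mail as spam, can be checked for mechanically. The following is an added example, not code from MailScanner, SpamAssassin or any poster: it applies the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not) to each DNS blacklist zone. The zone names, the sender address and the fake resolver are constructed so that it runs offline.

```python
import socket

# RFC 5782 test points for an IPv4 DNS blacklist zone.
MUST_BE_LISTED = "127.0.0.2"      # a working zone always lists this
MUST_NOT_BE_LISTED = "127.0.0.1"  # a working zone never lists this


def dnsbl_query_name(ip, zone):
    """Return the DNS name to look up for `ip` in `zone` (octets reversed)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % (ip,))
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolver(name):
    """Resolve `name` to an A record; None means no answer of any kind."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # NXDOMAIN, timeout or no network all count as "no answer"
        return None


def check_zone(zone, resolve=system_resolver):
    """Classify a zone as 'ok', 'lists-everything' or 'no-answer'."""
    if resolve(dnsbl_query_name(MUST_NOT_BE_LISTED, zone)) is not None:
        # The zone answers for an address it must never list: it is
        # wildcarded, so every sender looks blacklisted.
        return "lists-everything"
    if resolve(dnsbl_query_name(MUST_BE_LISTED, zone)) is None:
        # The mandatory test entry is missing: the zone is gone or
        # unreachable, and every lookup against it is wasted time.
        return "no-answer"
    return "ok"


def usable_zones(zones, resolve=system_resolver):
    """Keep only the zones that pass both test points."""
    return [z for z in zones if check_zone(z, resolve) == "ok"]


def listing_zones(ip, zones, resolve=system_resolver):
    """Return the zones that claim `ip` is blacklisted."""
    return [z for z in zones if resolve(dnsbl_query_name(ip, z)) is not None]


def make_fake_resolver(wildcard_zones=(), healthy_zones=()):
    """Constructed stand-in for DNS so the example needs no network."""
    def resolve(name):
        for zone in wildcard_zones:
            if name.endswith("." + zone):
                return "127.0.0.2"  # answers for anything at all
        for zone in healthy_zones:
            if name == dnsbl_query_name(MUST_BE_LISTED, zone):
                return "127.0.0.2"  # only the test entry is listed
        return None
    return resolve


if __name__ == "__main__":
    # Constructed zone names and sender address, for illustration only.
    zones = ["dead.dnsbl.example", "healthy.dnsbl.example", "gone.dnsbl.example"]
    fake = make_fake_resolver(["dead.dnsbl.example"], ["healthy.dnsbl.example"])
    for zone in zones:
        print(zone, "->", check_zone(zone, fake))
    sender = "192.0.2.10"
    print("before filtering:", listing_zones(sender, zones, fake))
    print("after filtering: ", listing_zones(sender, usable_zones(zones, fake), fake))
```

Run against the real resolver (the default argument), the same check can be scheduled so that a zone which starts answering for 127.0.0.1 is noticed before users report that everything is tagged as spam.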
From JEN at AH.DK Fri Sep 12 10:52:08 2003 From: JEN at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:19:55 2006 Subject: Vedr.: Re: mysql logging issues] Message-ID: My link works! I am using easynews.dl.sourceforge.net for mirror download But I include the file /Jan Elmqvist Nielsen >>> brent.addis@ROAMAD.COM 12-09-2003 11:25:03 >>> yes I realised that much, however if you follow the download links off the page, nothing works. check out http://prdownloads.sourceforge.net/mailwatch/mailwatch-0.3beta.tar.gz?download Jan Elmqvist Nielsen said: > It's at http://www.sourceforge.net/projects/mailwatch now > > /Jan Elmwvist Nielsen > >>>> brent.addis@ROAMAD.COM 12-09-2003 07:20:08 >>> > Hey > > Thanks for the idea, however none of the download sites work, I tried > it > yesterday (and when I received this just in case anythings changed). > Have you got a copy at all? > > I would really like to get some form of sql logging working. It doesnt > need a frontend as we can write out own (although it would be handy)Any > idea why the built in sql logging doesnt work? > > Chris Trudeau said: >> Take a look here: >> >> http://sourceforge.net/projects/mailwatch/ >> >> Mailwatch uses a different SQL loging function that is called from a >> seperate module. It works well from everything I have seen. Steve > has >> also built a decent PHP front end that produces some JPGraph plotted >> graphs and such. >> >> instead of three seperate tables message related detail is all in a >> single table, with other relvant information in the other adjoining >> tables. >> >> Maybe this project will hepl you?...just a thought. >> >> CT >> >> >> ----- Original Message ----- >> From: "Brent Addis" >> To: >> Sent: Wednesday, September 10, 2003 11:27 PM >> Subject: [Fwd: mysql logging issues] >> >> >>> Hey there. >>> >>> Im new to the list, and had a quick look through the archives and >>> couldnt find much on it. >>> Im having a few problems getting mailscanner logging to an sql >>> database. 
>>> >>> for some reason mailscanner inists on putting NULL into mysql > rather >>> than what the results should have been. >>> IE: >>> >>> 155 Query INSERT INTO maillog_mail (time, >>> msg_id, size, from_user, from_domain, subject, >>> clientip, archives, isspam, ishighspam, > sascore, >>> spamreport) VALUES >>> >> > ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL>> ','NULL') 156 Query INSERT INTO maillog_mail >> (time, >>> msg_id, size, from_user, from_domain, subject, >>> clientip, archives, isspam, ishighspam, > sascore, >>> spamreport) VALUES >>> >> > ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL>> ','NULL') 155 Quit >>> 156 Quit >>> 157 Query INSERT INTO maillog_mail (time, >>> msg_id, size, from_user, from_domain, subject, >>> clientip, archives, isspam, ishighspam, > sascore, >>> spamreport) VALUES >>> >> > ('NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL','NULL>> ','NULL') 157 Quit >>> >>> >>> >>> >>> mysql> SELECT time, msg_id, size, from_user, from_domain FROM >>> maillog_mail; >>> +----------------+--------+------+-----------+-------------+ >>> | time | msg_id | size | from_user | from_domain | >>> +----------------+--------+------+-----------+-------------+ >>> | 00000000000000 | NULL | 0 | NULL | NULL | >>> +----------------+--------+------+-----------+-------------+ >>> 1 row in set (0.00 sec) >>> >>> I am using version 4.23-11. >>> >>> To create the tables I used a slightly modified version of what > comes >>> with mailscanner in the readme-sql. I had to remove the binary part >>> from the msg_id lines as it would not work. I dont see that causing >>> the current problems I am seeing however. Everything else was > followed >>> as per. 
>>> >>> I also had to alter the CustomConfig.pm, as it had the wrong ip >>> address entered, and also needed a password: >>> >>> use DBI; >>> >>> # Create database connection >>> my($dbh); >>> $dbh = DBI->connect("DBI:mysql:mailscanner:localhost", >>> "mailscanner", "password", >>> {'PrintError' => 0}) >>> >>> >>> >>> Is there somewhere I have to actually speicify what to log? I have >>> unyet been able to find out exactly what it requires. >>> Any help would be appeciated. >>> >>> Thanks. >>> >>> >>> >>> >>> >>> >>> -- >>> Brent Addis >>> Systems Administrator >>> RoamAD > > > -- > Brent Addis > Systems Administrator > RoamAD -- Brent Addis Systems Administrator RoamAD -------------- next part -------------- A non-text attachment was scrubbed... Name: mailwatch-0.3beta.tar.gz Type: application/x-gzip Size: 1951054 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030912/30e3c9c2/mailwatch-0.3beta.tar.gz From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 12 11:23:56 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:55 2006 Subject: Vedr.: Re: mysql logging issues] In-Reply-To: References: Message-ID: <200309121024.h8CAOAR14949@agate.rockstone.co.uk> On Friday 12 September 2003 10:52 am, Jan Elmqvist Nielsen wrote: > My link works! > I am using easynews.dl.sourceforge.net for mirror download > > But I include the file Yes, thanks very much - 2.5Mbytes of it, to a mailing list :( Please in future, if you have a large file which you think other people might want, announce it on the list and then send it privately to people who say they want it, or else put it on an ftp/http server and post a URL to it. Thanks. Antony. -- Never write it in Perl if you can do it in Awk. Never do it in Awk if sed can handle it. Never use sed when tr can do the job. Never invoke tr when cat is sufficient. Avoid using cat whenever possible. 
From hugo.1000 at GMX.NET Fri Sep 12 11:35:39 2003
From: hugo.1000 at GMX.NET (Alf Gunz)
Date: Thu Jan 12 21:19:55 2006
Subject: No subject
Message-ID: <20030912103540.594F43EED0@routa.far2cool.de>

Subject: /var is a symbolic link
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi,

why is mailscanner not working correctly when /var is a symbolic link to /raid/var ?
I know that /var/spool/mqueue* must be on the same filesystem but I didn't know that symlinks are forbidden too.

--
regards
hugo

From Goodmant at DOR.STATE.FL.US Fri Sep 12 14:05:14 2003
From: Goodmant at DOR.STATE.FL.US (Tim Goodman)
Date: Thu Jan 12 21:19:55 2006
Subject: MailScanner Setup problem
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MailScanner.conf
Type: application/octet-stream
Size: 53878 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030912/1e873615/MailScanner.obj

From plottrup at APTEK.COM.AR Fri Sep 12 14:25:38 2003
From: plottrup at APTEK.COM.AR (Peter Lottrup)
Date: Thu Jan 12 21:19:55 2006
Subject: NewBie Question!
Message-ID:

Hi,

I am scanning with sophos and have multiple virtual domains on the server.

On one of these domains, I either need to:

a) Exclude the domain entirely from the virus scanner, that is, all files should pass as they are

or

b) All files with ZIP extension should pass without being touched or scanned at all.

I understand this is done with certain rules, but I am still quite lost, being new to this!

Any help appreciated!
Thanks, Peter From mkipness at GENIANT.COM Fri Sep 12 14:42:26 2003 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:19:55 2006 Subject: Virus Update Schedule Message-ID: <036A6BCC9FD10749AD3CE32255AF49A6017CFA56@dalsxc01.geniant.net> Hello - Can someone tell me what controls the time interval for updating the virus scripts, in particular running sophos-autoupdate? Am I not looking hard enough in MailScanner.conf? Thanks, Max -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030912/715f0154/attachment.html From Kevin.Spicer at BMRB.CO.UK Fri Sep 12 14:44:12 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:55 2006 Subject: Virus Update Schedule Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496C9@pascal.priv.bmrb.co.uk> Max Kipness wrote: > Hello - > > Can someone tell me what controls the time interval for updating the > virus scripts, in particular running sophos-autoupdate? Am I not > looking hard enough in MailScanner.conf? > > Thanks, > Max /etc/cron.hourly BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
From HancockS at MORGANCO.COM Fri Sep 12 14:46:05 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:19:55 2006
Subject: eTrust Virus Scanner
Message-ID: <3EA1A302A4978A4C970D2C63F327156ED5443B@worc-mail2.int.morganco.com>

We've been on Etrust for years now here are my gotchas from the last version V6.

1. Windows: An early release of V6 install script wiped out all files in the Programs Files directory. This occurred depending on the previous installation so it didn't show up on the one machine tested by my coworker. He managed to wipe out 55 laptops in 3 countries with that one. They fixed the problem by sending new CD's. I guess he wasn't curious about the new CD's and thought the old ones worked just fine. He is no longer with us for this and other reasons.

2. Windows: The discovery feature is failing over IPSEC connections to our remote offices. Looks like that problem is in my lap now. It looks like manual intervention of an admin account is required.

3. Linux: Their command line scanner needs to run as root. So my exim MTA will not work.

4. Exchange: V6 exchange option would render offline folder synchronization useless because it would mark all email for scanning every time the signatures were updated. I haven't had time to test V7 yet. Mailscanner has been more effective at stopping virus attacks than the etrust exchange option. We went from 1 incident a month to 0 incidents in 14 months.

5. Windows: When installing programs, be prepared to turn the real-time monitor off. I guess this is understandable.

So the bottom line is we'll be looking closely at alternatives at end of contract.

FWIW

Scott

>-----Original Message-----
>From: Benny Butler [mailto:bbutle02@NEXUSITG.COM]
>Sent: Thursday, September 11, 2003 8:33 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: eTrust Virus Scanner
>
>
>I recently put it on one of my client's NT servers and have
>been very happy with it. I've been waiting for some "gotcha"
>on the price and haven't seen one yet. I'm about to migrate
>their entire organization to it, from NAV 2003. I'm sick of
>this yearly upgrade for NAV. The price doesn't bother me
>nearly as much as the fact I have to visit each machine,
>uninstall the old, reboot, reinstall the new, reboot, run Live
>Update, reboot, reboot, reboot...
>
>And let's not forget the cost of their server product
>(equivalent to an unborn child!)
>
>
>
>
>-----Original Message-----
>From: Nathan Johanson [mailto:nathan@TCPNETWORKS.NET]
>Sent: Thursday, September 11, 2003 4:14 PM
>Subject: Re: eTrust Virus Scanner
>
>
>I think another poster by the name of Alan is also enamored
>with eTrust. They've certainly got my attention. -Nathan
>
> -----Original Message-----
> From: Kyle Harris [mailto:lists@TRCINTL.COM]
> Sent: Thu 9/11/2003 1:54 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Cc:
> Subject: eTrust Virus Scanner
>
>
>
> I have been looking into pricing on different virus
>scanners and I have
> found something that I think others might be
>interested in. First, it
> should be noted that I have not yet used this
>software. I believe they do
> have a downloadable demo on their web site that I am
>about to check out.
> However, what is interesting is their pricing. I
>just got off the phone
> with someone at CA and have the following deal on
>their eTrust Antivirus
> 7.0 software. I think it beats just about everything
>else I have seen, at
> least on price. Here is the deal:
>
> 1 - 5 node license of eTrust Antivirus 7.0 w/3 year
>support @ 19.95 per
> license for a total of $99.75
> 1 - Media Kit $13.95
>
> (Note: This is an upgrade price. They gave it to me
>when I told them I
> was currently using another product. This is also
>what they call
> their "corporate open license" (at least I think that
>is what she called
> it). It is a little better price than the retail
>version plus it includes
> the 3 year support.
>
> TOTAL $113.70 plus tax, and S&H.
>
> Here is the best part. The software runs on just
>about all versions of
> Windows, Linux, Netware, Mac, & Sun Solaris.
>Furthermore, it includes a
> version for Exchange Server & Lotus Notes. Plus many
>others. I confirmed
> with the sales person that I can load one copy on my
>Exchange Server (no
> cost per client), one copy on my Linux box running
>MailScanner, one copy on
> my Server (again, no per client cost), and two others.
>
> I get any upgrades that may come out for three years
>and all virus
> signature updates for life. Plus I believe Julian
>just added support for
> this product to MailScanner. Sounds like a pretty
>good deal to me! I am
> curious if anyone has any bad experiences with this software.
>
>

From Kevin.Spicer at BMRB.CO.UK Fri Sep 12 14:51:43 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:56 2006
Subject: eTrust Virus Scanner
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496CA@pascal.priv.bmrb.co.uk>

Hancock, Scott wrote:
> 3. Linux: Their command line scanner needs to run as root. So my
> exim MTA will not work.
>

There are ways and means, create a group (say etrust) then chmod the exe to setuid root, group etrust, permissions 750 and add the exim user to the etrust group.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
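
An added example, not part of the message above or of the list archive: a shell check that a scanner binary set up as described (setuid root, dedicated group, permissions 750) really has that owner, group and mode and is not replaceable by other users. The function names are hypothetical, GNU stat is assumed, and the sample values are constructed from the etrust group and inocmd32 listing quoted in this thread.

```shell
#!/bin/sh
# Added example: audit a set-user-ID scanner helper set up as in the message
# above (owner root, dedicated group, mode 4750). Function names are
# hypothetical; GNU stat is assumed.

# audit_suid_fields OWNER GROUP MODE WANT_GROUP
# Checks already-collected metadata. Prints one finding per line and returns
# the number of findings (0 means the metadata matches the intended setup).
audit_suid_fields() {
    a_owner=$1; a_group=$2; a_want=$4
    a_findings=0
    a_note() { echo "$1"; a_findings=$((a_findings + 1)); }

    # Normalise the octal mode to four digits so 750 and 0750 compare alike.
    a_mode=$(printf '%04o' "0$3")
    a_special=${a_mode%???}      # setuid/setgid/sticky digit
    a_rest=${a_mode#??}          # group and other digits
    a_grp=${a_rest%?}
    a_oth=${a_rest#?}

    [ "$a_owner" = root ] || a_note "owner is $a_owner, expected root"
    [ "$a_group" = "$a_want" ] || a_note "group is $a_group, expected $a_want"
    [ $((a_special & 4)) -ne 0 ] || a_note "set-user-ID bit is not set"
    [ $((a_grp & 1)) -ne 0 ] || a_note "group cannot execute the helper"
    [ $((a_grp & 2)) -eq 0 ] || a_note "group can write to the helper"
    [ "$a_oth" -eq 0 ] || a_note "other users have access (mode digit $a_oth)"
    return "$a_findings"
}

# dir_is_shared_writable MODE
# True when group or others hold the write bit on a directory mode.
dir_is_shared_writable() {
    d_mode=$(printf '%04o' "0$1")
    d_rest=${d_mode#??}
    [ $(( (${d_rest%?} | ${d_rest#?}) & 2 )) -ne 0 ]
}

# audit_suid_file PATH WANT_GROUP
# Collects owner, group and mode with stat and also flags a containing
# directory that group or others can write to, since write access there
# lets someone replace the helper. Returns 99 if the file cannot be read.
audit_suid_file() {
    f_meta=$(stat -c '%U %G %a' -- "$1") || { echo "cannot stat $1"; return 99; }
    f_dirmode=$(stat -c '%a' -- "$(dirname -- "$1")") || return 99
    f_rc=0
    # Intentional word splitting: f_meta is "owner group mode".
    # shellcheck disable=SC2086
    audit_suid_fields $f_meta "$2" || f_rc=$?
    if dir_is_shared_writable "$f_dirmode"; then
        echo "directory of $1 is writable by group or others"
        f_rc=$((f_rc + 1))
    fi
    return "$f_rc"
}

# Constructed sample: owner root, group etrust, mode 4750, i.e. what a
# listing line "-rwsr-x--- 1 root etrust ... inocmd32" describes.
audit_suid_fields root etrust 4750 etrust && echo "sample metadata matches the intended setup"
```

The dynamic linker ignores LD_LIBRARY_PATH when it starts a set-user-ID program, so a helper installed this way has to find its shared libraries through the system library configuration rather than through the caller's environment.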
From M.Ray at ULCC.AC.UK Fri Sep 12 14:55:05 2003
From: M.Ray at ULCC.AC.UK (Malcolm Ray)
Date: Thu Jan 12 21:19:56 2006
Subject: Quarantine file collisions
Message-ID:

A minor nit:

If 'Quarantine Whole Message' is set to 'yes', the original message is quarantined in a file called 'message' in the same directory as the quarantined attachments. But there seems to be no attempt (in MS 4.23-11) to avoid a name collision between these, so if an attachment is called 'message', this overwrites the quarantined original message.

From HancockS at MORGANCO.COM Fri Sep 12 14:56:34 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:19:56 2006
Subject: F-prot revisited - Linux workstation license agreement.
Message-ID: <3EA1A302A4978A4C970D2C63F327156ED5443C@worc-mail2.int.morganco.com>

Below is the license agreement emailed with the download instructions for f-prot linux workstation product. IANAL either, but have a look at 1.2.

Scott

----------------------------------------------------------------------
END-USER LICENSE AGREEMENT FOR F-PROT ANTIVIRUS

This is a binding, legal agreement between the end user (the "licensee") and Frisk Software International ("FSI") for the F-Prot Antivirus software product, which includes the software program, material and online or electronic documentation. By installing, copying, downloading, accessing or otherwise using the F-Prot Antivirus software you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this agreement you may not download, install or use the F-Prot Antivirus software product, but return it to your place of purchase.

Software Product License

1. Grant of License:

1.1. Software Product: FSI grants the licensee a non-exclusive, non-transferable license to use the F-Prot Antivirus software product on any computer/computers owned by the licensee, effective from the date of purchase until the date of expiry, as stated above.
The licensee may make one copy solely for backup and archival purposes. Except as otherwise expressly provided in this agreement the licensee may not otherwise make copies of the F-Prot Antivirus software product or the printed material accompanying therewith.

1.2. Installation: You may install the F-Prot Antivirus software product for the number of users, mailboxes, computers or servers purchased from FSI, as stated above.

2. Description of other Rights and Limitations

2.1. Not for resale: The F-Prot Antivirus is limited for your personal or professional use only, and not for resale, or otherwise to transfer for value the software product.

2.2. Limitation on Reverse Engineering, Decompilation and Disassembly: The licensee may not reverse engineer, decompile, or disassemble the software product, except and only to the extent such activity is expressly permitted by applicable law.

2.3. Rental: Licensee may not rent, lease or lend the software product.

2.4. Services and Technical support: FSI may provide you with support services related to the software product as deemed necessary.

2.5. Termination: Without prejudice to any other rights, FSI may terminate this Agreement if you fail to comply with the terms and conditions of the Agreement. In such event, you must destroy and remove all copies of the software product and all of its component parts.

2.6. Updates: You may discover a new virus, unknown to FSI, and send it to FSI, who will provide the licensee with an updated version of the F-Prot Antivirus software program as soon as possible.

3. Copyright: All title and intellectual property right in and to the F-Prot Antivirus, the accompanying printed materials and any copies obtained from the Internet are owned by FSI. All title and intellectual property right in and to the content, which may be accessed through use of the F-Prot Antivirus, is the property of the respective content owner and may be protected by applicable copyright or other intellectual property laws.
This Agreement grants no right to use such content. All rights not expressly granted are reserved by FSI.

4. Limited Warranty: FSI warrants that the F-Prot Antivirus will perform substantially in accordance with any specifications provided for the period of time established by applicable law from the date of purchase. The Licensee understands and agrees that the software product is provided "as is", with all faults that may accompany software products. FSI warrants that any diskettes provided are free of any physical defects.

5. Warranty Exclusions: FSI makes no other express or implied warranties, regarding the performance of the software included in the F-Prot Antivirus software program, but will use its best efforts to promptly correct any errors in the said software that are reported by Licensee. FSI may attempt to correct errors through the means it determines to be most appropriate. Errors caused by hardware malfunctions or failure, or by loss of data or disruption of services over the Internet due to third party, are expressly excluded.

6. Limitation of Liability: FSI shall not be liable for any indirect, consequential, incidental, or punitive damages or attorney fees for any cause of action, in tort or contract, regardless of whether FSI was aware of the possibility of such damages. Licensee's exclusive remedy shall be the amounts licensee paid FSI.

7. Disputes: Any disputes arising out of the inception, application or interpretation of this agreement shall be settled in accordance with the laws of Iceland and the exclusive jurisdiction of the applicable court in Iceland.

>-----Original Message-----
>From: Richard Ahlquist [mailto:newsletters@PCSITES.COM]
>Sent: Wednesday, September 10, 2003 1:43 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: F-prot revisited
>
>
>Alan,
>
>First let me state IANAL. I have followed comments on the list
>about F-prot since they changed their license. I have been
>running the workstation command line version since day one
>and will most likely continue to do so until something better
>comes along.
>
>Here is my issue with what you said though. I looked at the
>workstation license and to say it's vague is an
>understatement, nowhere in the page I saw (
>http://www.f-prot.com/support/helpfiles/unix/linux_ws/license.
>html ) did it state you cannot use the product in conjunction
>with MailScanner or in any type of automated system or even
>on a system running a mail server/daemon/thingamabob.
>
>As a matter of fact on this page (
>http://www.f-prot.com/support/helpfiles/unix/linux_ws/comm_sca
>n.html ) it specifically mentions that it can be called from
>other applications.
>
>Also please note, nowhere in the license for the product do
>they mention a definition of what the difference is between a
>workstation and anything else.
>
>So unless F-prot has posted the wrong licensing info to their
>site there is nothing in writing that I see that says I can't
>use their command line scanner to scan the files on my
>system. Whether they are being copied from one folder to
>another by hand or by sendmail.
>
>Just my 2cents. Take them or leave them.
>
>Richard
>

From chris at TRUDEAU.ORG Fri Sep 12 15:00:39 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:19:56 2006
Subject: Quarantine file collisions
References:
Message-ID: <020501c37936$3fb22420$ca17000a@ATLCPW13671>

Mine does this as well, but I think if you look you will notice that the directory name that the message file and attachments are in IS the messageID.... at least that's the way it's working for me.

I could be wrong...

CT

----- Original Message -----
From: "Malcolm Ray"
To:
Sent: Friday, September 12, 2003 9:55 AM
Subject: Quarantine file collisions

> A minor nit:
>
> If 'Quarantine Whole Message' is set to 'yes', the original message is
> quarantined in a file called 'message' in the same directory as the
> quarantined attachments. But there seems to be no attempt (in MS 4.23-11)
> to avoid a name collision between these, so if an attachment is called
> 'message', this overwrites the quarantined original message.

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 12 15:09:05 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:56 2006
Subject: Quarantine file collisions
In-Reply-To:
References:
Message-ID: <200309121409.h8CE98516919@onyx.rockstone.co.uk>

On Friday 12 September 2003 2:55 pm, Malcolm Ray wrote:

> A minor nit:
>
> If 'Quarantine Whole Message' is set to 'yes', the original message is
> quarantined in a file called 'message' in the same directory as the
> quarantined attachments. But there seems to be no attempt (in MS 4.23-11)
> to avoid a name collision between these, so if an attachment is called
> 'message', this overwrites the quarantined original message.

? What MTA are you using?

I don't see any 'message' files - just the df/qf pairs corresponding to sendmail's normal system, plus the attachments.

Maybe this is different if you're not running sendmail?

Just as a check, I just sent myself two different viruses in one email, but both with the filename "eicar.com". One got saved in the quarantine directory as "eicar.com", the other as "eicar-1.com". Seems pretty intelligent to me.

Antony.

--
In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite.

 - Paul Dirac

From HancockS at MORGANCO.COM Fri Sep 12 15:21:56 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:19:56 2006
Subject: eTrust Virus Scanner
Message-ID: <3EA1A302A4978A4C970D2C63F327156ED5443D@worc-mail2.int.morganco.com>

Kevin,

I've been meaning to reply to your previous post. I've followed your suggestion as outlined below. I did not have success.

If I test through putty and su as mail I get the following.

:/usr/src$ /opt/eTrustAntivirus/ino/bin/inocmd32
/opt/eTrustAntivirus/ino/bin/inocmd32: error while loading shared libraries: libarclib.so: cannot open shared object file: No such file or directory

If I putty in as a user then su to root, I also get the same error.

If I Putty in as root (bad I know), I do not get an error.

Mailscanner does not report etrust scanning with clam in the txt file with an eicar test attachment. Is there a better test?

I read about the required reboot associated with this message. Without a reboot even a direct root logon will not work conversely with a reboot root works.

My config

From etc/group:
etrust:x:51:mail

bambam:/opt/eTrustAntivirus# ls -la /opt/eTrustAntivirus/ino/bin/
total 1284
drwxr-xr-x 2 root root 4096 Feb 13 2003 .
drwxr-xr-x 13 root root 4096 Feb 13 2003 ..
-r-xr-xr-x 1 root root 6128 Feb 10 2003 AVProductName
-r-xr-xr-x 1 root root 6644 Feb 10 2003 Decript
-r-xr--r-- 1 root root 315912 Feb 13 2003 InoNmSrv
-r-xr--r-- 1 root root 163372 Feb 13 2003 InoRT
-r-xr--r-- 1 root root 109620 Feb 13 2003 InoRpc
-r-xr--r-- 1 root root 161772 Feb 13 2003 InoTask
-r-xr-xr-x 1 root root 50169 Feb 13 2003 caipconfig
-r-xr-xr-x 1 root root 5204 Feb 10 2003 cawhence
-r-xr-xr-x 1 root root 45716 Feb 13 2003 eavdisc
-rwsr-x--- 1 root etrust 70056 Feb 13 2003 inocmd32
-r-xr-xr-x 1 root root 12668 Feb 4 2003 inolgset
-r-xr-xr-x 1 root root 5068 Feb 10 2003 inoregbin
-r-xr--r-- 1 root root 252848 Feb 13 2003 inoweb
-r-xr-xr-x 1 root root 12404 Feb 13 2003 regutil
-r-xr-xr-x 1 root root 9428 Feb 13 2003 servutil
-r-xr-xr-x 1 root root 3316 Feb 10 2003 shmnattach
-r-xr-xr-x 1 root root 5200 Feb 10 2003 threadtest

:/opt/eTrustAntivirus# printenv |grep CAI
CAIGLBL0002=CACRITMON
CAIGLBL0000=/opt/eTrustAntivirus
CAIUNIDB=caiunidb
CAIGLBL0006=CASNMPMGR
CA_CAILANGUAGE=enu
CAI_CAMSGF_OPRDIRECT=
CAI_DATEFMT=MMM-DD-YYYY
CA_CAIMESSAGE=/opt/eTrustAntivirus/messages/american

Are you running etrust and exim?
If so, I'd be very grateful if you could help me find the error in my setup. Maybe email off list if appropriate.

Thanks

Scott

From your first email...

ls -l /path/to/inocmd32 > some-file # In case it doesn't work & you
                                    # want to change it back!
groupadd -g 51 etrust # I picked 51, you said below 500.
usermod -G etrust mail
chown root:etrust /path/to/inocmd32
chmod 4750 /path/to/inocmd32

(Whilst SUID isn't often a good idea this at least restricts it to only the one user.)

CAIGLBL0000=; export CAIGLBL0000

>-----Original Message-----
>From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
>Sent: Friday, September 12, 2003 9:52 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: eTrust Virus Scanner
>
>
>Hancock, Scott wrote:
>> 3. Linux: Their command line scanner needs to run as root. So my
>> exim MTA will not work.
>>
>There are ways and means, create a group (say etrust) then
>chmod the exe to setuid root, group etrust, permissions 750
>and add the exim user to the etrust group.
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>

From Kevin.Spicer at BMRB.CO.UK Fri Sep 12 15:31:06 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:56 2006
Subject: eTrust Virus Scanner
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AE01@pascal.priv.bmrb.co.uk>

Hancock, Scott wrote:
> Kevin,
>
> I've been meaning to reply to your previous post. I've followed your
> suggestion as outlined below. I did not have success.
>
> If I test through putty and su as mail I get the following.
>
> :/usr/src$ /opt/eTrustAntivirus/ino/bin/inocmd32
> /opt/eTrustAntivirus/ino/bin/inocmd32: error while loading shared
> libraries: libarclib.so: cannot open shared object file: No such file
> or directory

Right, I assumed the run as root 'requirement' was from the docs, not experimentation. This is presumably something to do with the environment. When you say su presumably you mean..

su

...not...

su -

su - will pick up root's environment and should work. Odds are there is something missing from the user environment, my money is on the settings for LD_LIBRARY_PATH, try this first as root then as 'other user'

echo $LD_LIBRARY_PATH

and post the results.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From M.Ray at ULCC.AC.UK Fri Sep 12 15:32:03 2003
From: M.Ray at ULCC.AC.UK (Malcolm Ray)
Date: Thu Jan 12 21:19:56 2006
Subject: Quarantine file collisions
In-Reply-To: Your message of "Fri, 12 Sep 2003 15:09:05 BST." <200309121409.h8CE98516919@onyx.rockstone.co.uk>
Message-ID:

> On Friday 12 September 2003 2:55 pm, Malcolm Ray wrote:
>
> > A minor nit:
> >
> > If 'Quarantine Whole Message' is set to 'yes', the original message is
> > quarantined in a file called 'message' in the same directory as the
> > quarantined attachments. But there seems to be no attempt (in MS 4.23-11)
> > to avoid a name collision between these, so if an attachment is called
> > 'message', this overwrites the quarantined original message.
>
> ? What MTA are you using?
>
> I don't see any 'message' files - just the df/qf pairs corresponding to
> sendmail's normal system, plus the attachments.
>
> Maybe this is different if you're not running sendmail?
>
> Just as a check, I just sent myself two different viruses in one email, but
> both with the filename "eicar.com". One got saved in the quarantine
> directory as "eicar.com", the other as "eicar-1.com". Seems pretty
> intelligent to me.
>
> Antony.

Sorry, I should have said that I'm using exim. For example, if I send myself a message with Eicar attached as 'eicar.com', I get a directory:

/var/spool/MailScanner/quarantine/20030912/19xor8-0000nX-4Y

containing two files: one called 'eicar.com', containing the decoded attachment, and the other called 'message', containing the original message headers and body. However, if I send the message again, but name the attachment 'message' (in the content-type and content-disposition headers), the per-message quarantine directory contains only one file, called 'message', containing the decoded attachment.

This is with:

MailScanner 4.23-11
exim 4.22
Quarantine Infections = yes
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 12 15:36:37 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:56 2006
Subject: Quarantine file collisions
In-Reply-To:
References:
Message-ID: <200309121436.h8CEae517059@onyx.rockstone.co.uk>

On Friday 12 September 2003 3:32 pm, Malcolm Ray wrote:

> > I don't see any 'message' files - just the df/qf pairs corresponding to
> > sendmail's normal system, plus the attachments.
> >
> > Maybe this is different if you're not running sendmail?

> Sorry, I should have said that I'm using exim.
>
> This is with:
>
> MailScanner 4.23-11
> exim 4.22
> Quarantine Infections = yes
> Quarantine Whole Message = yes
> Quarantine Whole Messages As Queue Files = no

Ah - another difference from my setup - I have Queue Files = yes, because I'm more interested in being able to release things from quarantine easily by moving the df/qf file pairs, than having a neatly-headered email to read :)

Antony.

--
Programming is a Dark Art, and it will always be. The programmer is fighting against the two most destructive forces in the universe: entropy and human stupidity. They're not things you can always overcome with a "methodology" or on a schedule.

 - Damian Conway, Perl God

From jaearick at COLBY.EDU Fri Sep 12 15:40:19 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:19:56 2006
Subject: Whoa!! "Virus Scan failed" What?
In-Reply-To: <5.2.1.1.2.20030912024705.03388ec8@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B36@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0015A7B36@pascal.priv.bmrb.co.uk> <5.2.1.1.2.20030912024705.03388ec8@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

I suppose you could have a configurable switch that controls what to do with a message if the virus scanner coughs up a "failed" message, ie deliver, quarantine, delete, bounce, forward, etc. In thinking about it I would have the default be deliver (what happens now), because if a virus scanner got screwed up and failed on everything -- all of the other settings would be a train wreck. I would rather have some infected PCs to clean up instead of 20K messages falling on the floor.

Probably your headache is determining what a failed virus scan is from each of the many anti-virus products out there. Probably all of them have different return codes for failure situations. Then there is the case of what to do anti-virus "a" fails but anti-virus "b" says the message is ok. Then what?

--- Jeff Earickson
Colby College

On Fri, 12 Sep 2003, Julian Field wrote:

> Date: Fri, 12 Sep 2003 02:49:18 +0100
> From: Julian Field
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Whoa!! "Virus Scan failed" What?
>
> At 19:01 11/09/2003, you wrote:
> >On Thu, 2003-09-11 at 18:34, Jeff A. Earickson wrote:
> >
> > >Sep 11 12:40:07 basalt <22>MailScanner[17224]: ERROR:: Virus scan
> > >failed
> > >(514):: ./h8BGdlAn026143/.pdf
> >
> >This has been discussed in the last few days, there are certain pdfs
> >Sophos has problems with.
> >
> > >Whoa... The virus scan failed, so the email got delivered? This seems
> > >like a Bad Thing (tm).
> >
> >It might also seem like a bad thing if a regular update screwed your
> >scanner and so all mail was rejected?
> >You're running clam too, which presumably didn't fail and returned a
> >clean result? I think the answer is to run multiple scanners, but I'd
> >be interested in knowing the logic here. We know that any scanner finds
> >a virus the mail is 'infected', but presumably if one fails to scan but
> >the other one doesn't find anything it assumes clean? That seems
> >sensible to me.
>
> Given all the above, what would you like it to do? At the moment it logs
> the fact that something nasty happened, but doesn't actually remove the
> file from the message. I guess you would like it to be removed, am I
> correct? The snag is that with SophosSAVI you can't specify the "allowed
> error messages" so all files it didn't like (such as quite a lot of
> non-Acrobat-generated PDF files) would always get trapped.
>
> Let me know your thoughts...

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 12 15:46:39 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:56 2006
Subject: Whoa!! "Virus Scan failed" What?
In-Reply-To:
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7B36@pascal.priv.bmrb.co.uk> <5.2.1.1.2.20030912024705.03388ec8@imap.ecs.soton.ac.uk>
Message-ID: <200309121446.h8CEkh517112@onyx.rockstone.co.uk>

On Friday 12 September 2003 3:40 pm, Jeff A. Earickson wrote:

> Then there is the
> case of what to do anti-virus "a" fails but anti-virus "b" says the
> message is ok. Then what?

I think this is just the same as if one AV engine says "OK" and another says "Virus" - you ignore the one which said "OK" because it doesn't really mean "this file is good" - it means "I didn't find anything bad".

You can have as many AV engines as you like, and only if they *all* say "didn't find anything suspicious" should you assume the file might be alright. If any of them say anything else then you work on that.

"Virus found" is easy; "scanner failed" is more challenging, but should override "OK", I think. It's then up to each of us configuring MS to decide what should happen when the scanner fails, assuming it acquires this new option :)

Antony.

--
Ramdisk is not an installation procedure.

From jaearick at COLBY.EDU Fri Sep 12 15:52:27 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:19:56 2006
Subject: MailScanner vs Sobig-f: Job well done!
Message-ID:

Julian,

In the lifetime of Sobig-F, we killed slightly more than 120K Sobigs with MailScanner. Even with students returning from off-campus with their computers during this time period, we had exactly ONE (1) Sobig-F infected computer on-campus during the virus lifetime. With MailScanner, I could quickly spot the culprit and remove from the network. I consider the protection provided by MailScanner (and sophossavi and clam) to be outstanding, during the worst virus outbreak in history. Great Job!

--- Jeff Earickson
Colby College

From raymond at PROLOCATION.NET Fri Sep 12 15:59:09 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:56 2006
Subject: MailScanner vs Sobig-f: Job well done!
In-Reply-To:
Message-ID:

Hi!

> In the lifetime of Sobig-F, we killed slightly more than 120K
> Sobigs with MailScanner. Even with students returning from
> off-campus with their computers during this time period, we had
> exactly ONE (1) Sobig-F infected computer on-campus during the
> virus lifetime. With MailScanner, I could quickly spot the culprit
> and remove from the network. I consider the protection provided
> by MailScanner (and sophossavi and clam) to be outstanding, during
> the worst virus outbreak in history. Great Job!

Add that on the website =)

http://www.sng.ecs.soton.ac.uk/mailscanner/book/guestbook.php

Bye,
Raymond.

From HancockS at MORGANCO.COM Fri Sep 12 16:13:33 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:19:56 2006
Subject: eTrust Virus Scanner
Message-ID: <3EA1A302A4978A4C970D2C63F327156ED5443E@worc-mail2.int.morganco.com>

First, thanks for your help.

This first section I putty in as myself, then su, then exit, then su -.

*************************************
scott@bambam:~$ echo $LD_LIBRARY_PATH
/opt/eTrustAntivirus/secu/lib:/opt/eTrustAntivirus/ino/config:/opt/eTrustAntivirus/ino/lib
scott@bambam:~$ su
Password:
bambam:/home/scott# echo $LD_LIBRARY_PATH

bambam:/home/scott# exit
exit
scott@bambam:~$ su -
Password:
-su: /opt/eTrustAntivirus/scripts/envusr: No such file or directory
bambam:~# echo $LD_LIBRARY_PATH

bambam:~# echo $LD_LIBRARY_PATH

bambam:~# /opt/eTrustAntivirus/ino/bin/inocmd32
/opt/eTrustAntivirus/ino/bin/inocmd32: error while loading shared libraries: libarclib.so: cannot open shared object file: No such file or directory

*************************************

In the next section, I putty login as root I get the following.

*************************************
bambam:~# echo $LD_LIBRARY_PATH

bambam:~# /opt/eTrustAntivirus/ino/bin/inocmd32
/opt/eTrustAntivirus/ino/bin/inocmd32: error while loading shared libraries: libarclib.so: cannot open shared object file: No such file or directory
*************************************

Evidently something has gone wrong (probably my hacking) since I first got
root to work.

Looks like your suspicions are correct. I'm a bit of a linux newbie but I'm
guessing.

LD_LIBRARY_PATH=/opt/eTrustAntivirus/ino/lib; export LD_LIBRARY_PATH

Logged in as root? Is that correct?

Thanks

Scott

>-----Original Message-----
>From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
>Sent: Friday, September 12, 2003 10:31 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: eTrust Virus Scanner
>
>
>Hancock, Scott wrote:
>> Kevin,
>>
>> I've been meaning to reply to your previous post. I've
>followed your
>> suggestion as outlined below. I did not have success.
>>
>> If I test through putty and su as mail I get the following.
>>
>> :/usr/src$ /opt/eTrustAntivirus/ino/bin/inocmd32
>> /opt/eTrustAntivirus/ino/bin/inocmd32: error while loading shared
>> libraries: libarclib.so: cannot open shared object file: No
>such file
>> or directory
>
>Right, I assumed the run as root 'requirement' was from the
>docs, not experimentation. This is presumably something to
>do with the environment. When you say su presumably you mean..
>
>su
>
>...not...
>
>su -
>
>su - will pick up roots environment and should work. Odds
>are there is something missing from the user environment, my
>money is on the settings for LD_LIBRARY_PATH, try this first
>as root than as 'other user' echo $LD_LIBRARY_PATH
>
>and post the results.
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>_________________________________________________________________
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance on it is prohibited. BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our
>business.
>

From HancockS at MORGANCO.COM Fri Sep 12 16:24:10 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:19:56 2006
Subject: eTrust Virus Scanner
Message-ID: <3EA1A302A4978A4C970D2C63F327156E012EF1E9@worc-mail2.int.morganco.com>

Correction to last post.

Kevin,

Please ignore last post quoted below. Posting new results in a minute.

Scott

>-----Original Message-----
>From: Hancock, Scott
>Sent: Friday, September 12, 2003 11:14 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: eTrust Virus Scanner
>
>
>First, thanks for your help.
>
>This first section I putty in as myself, then su, then exit,
>then su -.
>
>*************************************
>scott@bambam:~$ echo $LD_LIBRARY_PATH
>/opt/eTrustAntivirus/secu/lib:/opt/eTrustAntivirus/ino/config:
>/opt/eTrus
>tAntivirus/ino/lib
>scott@bambam:~$ su
>Password:
>bambam:/home/scott# echo $LD_LIBRARY_PATH
>
>bambam:/home/scott# exit
>exit
>scott@bambam:~$ su -
>Password:
>-su: /opt/eTrustAntivirus/scripts/envusr: No such file or
>directory bambam:~# echo $LD_LIBRARY_PATH
>
>
>
>bambam:~# echo $LD_LIBRARY_PATH
>
>bambam:~# /opt/eTrustAntivirus/ino/bin/inocmd32
>/opt/eTrustAntivirus/ino/bin/inocmd32: error while loading shared
>libraries: libarclib.so: cannot open shared object file: No
>such file or directory
>
>*************************************
>
>
>In the next section, I putty login as root I get the following.
>
>*************************************
>bambam:~# echo $LD_LIBRARY_PATH
>
>bambam:~# /opt/eTrustAntivirus/ino/bin/inocmd32
>/opt/eTrustAntivirus/ino/bin/inocmd32: error while loading shared
>libraries: libarclib.so: cannot open shared object file: No
>such file or directory
>
>*************************************
>
>Evidently something has gone wrong (probably my hacking)
>since I first got root to work.
>
>Looks like your suspicions are correct. I'm a bit of a linux
>newbie but I'm guessing.
>
>LD_LIBRARY_PATH=/opt/eTrustAntivirus/ino/lib; export LD_LIBRARY_PATH
>
>Logged in as root? Is that correct?
>
>Thanks
>
>Scott
>
>
>
> >-----Original Message-----
> >From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
> >Sent: Friday, September 12, 2003 10:31 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: eTrust Virus Scanner
> >
> >
> >Hancock, Scott wrote:
> >> Kevin,
> >>
> >> I've been meaning to reply to your previous post. I've
> >followed your
> >> suggestion as outlined below. I did not have success.
> >>
> >> If I test through putty and su as mail I get the following.
>>
> >> :/usr/src$ /opt/eTrustAntivirus/ino/bin/inocmd32
> >> /opt/eTrustAntivirus/ino/bin/inocmd32: error while
>loading shared
>> libraries: libarclib.so: cannot open
>shared object file: No
> >such file
> >> or directory
> >
> >Right, I assumed the run as root 'requirement' was from the
> >docs, not experimentation. This is presumably something to
> >do with the environment. When you say su presumably you
>mean..
> >su
> >...not...
> >su -
> >su - will pick
>up roots environment and should work. Odds
> >are there is something missing from the user environment, my
> >money is on the settings for LD_LIBRARY_PATH, try this first
> >as root than as 'other user' echo $LD_LIBRARY_PATH
> >
> >and post the results.
> >
> >
> >
> >BMRB International
> >http://www.bmrb.co.uk
> >+44 (0)20 8566 5000
>>_________________________________________________________________
> >This message (and any attachment) is intended only for the
> >recipient and may contain confidential and/or privileged
> >material. If you have received this in error, please contact the
> >sender and delete this message immediately. Disclosure, copying
> >or other action taken in respect of this email or in
> >reliance on it is prohibited. BMRB International Limited
> >accepts no liability in relation to any personal emails, or
> >content of any email which does not directly relate to our
> >business.
> >
>

From M.Ray at ULCC.AC.UK Fri Sep 12 16:36:51 2003
From: M.Ray at ULCC.AC.UK (Malcolm Ray)
Date: Thu Jan 12 21:19:56 2006
Subject: Quarantine file collisions
In-Reply-To: Your message of "Fri, 12 Sep 2003 15:36:37 BST." <200309121436.h8CEae517059@onyx.rockstone.co.uk>
Message-ID:

> On Friday 12 September 2003 3:32 pm, Malcolm Ray wrote:
>
> > > I don't see any 'message' files - just the df/qf pairs corresponding to
> > > sendmail's normal system, plus the attachments.
> > >
> > > Maybe this is different if you're not running sendmail?
>
> > Sorry, I should have said that I'm using exim.
> >
> > This is with:
> >
> > MailScanner 4.23-11
> > exim 4.22
> > Quarantine Infections = yes
> > Quarantine Whole Message = yes
> > Quarantine Whole Messages As Queue Files = no
>
> Ah - another difference from my setup - I have Queue Files = yes, because I'm
> more interested in being able to release things from quarantine easily by
> moving the df/qf file pairs, than having a neatly-headered email to read :)
>
> Antony.

Excellent point. I was just testing the various options, but I've settled
on '...Queue Files' for this reason.

From ugob at CAMO-ROUTE.COM Fri Sep 12 16:52:46 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:19:56 2006
Subject: Spamassassin
Message-ID: <54C38A0B814C8E438EF73FC76F362927313221@mtlnt501fs.CAMOROUTE.COM>

Hi,

I installed Spamassassin 2.55, changed the "Use SpamAssassin = no" for
"Use SpamAssassin = yes"

But when I start mailscanner afterwards, I always get this message:

"SpamAssassin timed out and was killed, consecutive failure 1 of 20"

There is no SpamAssassin header in my received e-mails, so I don't think
Spamassassin processes the incoming mail.

I'm using ClamAV on MS 4.23-11. w/Postfix on RH9

Here are some of my settings of MailScanner.conf

Spam Checks = yes
Spam List = ORDB-RBL spamhaus.org spamcop.net NJABL Easynet-DNSBL Easynet-Proxies Easynet-Dynablock Infinite-Monkeys
Max SpamAssassin Size = 90000
Required SpamAssassin Score = 9
High SpamAssassin Score = 20
SpamAssassin Auto Whitelist = no
SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf^@/var/spool/MailScanner/spamassassin^@/usr/bin^@^@
SpamAssassin Timeout = 20
Max SpamAssassin Timeouts = 20
Check SpamAssassin If On Spam List = yes
Always Include SpamAssassin Report = no
Spam Score = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
SpamAssassin Install Prefix =
SpamAssassin Local Rules Dir =
SpamAssassin Default Rules Dir =

Does MS use spamd daemon or the executable? spamd is started at boot (maybe
because I first installed it with the rpm). I haven't touched any
SpamAssassin-related files yet.

Thanks,

Ugo Bellavance

From TGFurnish at HERFF-JONES.COM Fri Sep 12 16:58:25 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:56 2006
Subject: Are ALL hotmail address blacklisted ? {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1BE8@inex1.herffjones.hj-int>

Posting the actual log entries in question would be helpful...

> -----Original Message-----
> From: Denis Croombs [mailto:denis@IMSLTD.COM]
> Sent: Friday, September 12, 2003 3:36 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Are ALL hotmail address blacklisted ? {Scanned by HJMS}
>
>
> I have already done that, which is why I asked the question,
> but it states
> it is blacklisted both in the e-mail header & the maillog but
> I have not
> blacklisted any hotmail.com accounts !
> Thanks
> Denis
>
> > Hi!
> >
> > > Are ALL hotmail address blacklisted ?
> > > Because so far I have had to go through and add a lot of
> valid hotmail
> > > accounts to my whitelist as they are being tagged as
> blacklisted but are
> NOT
> > > in my mailscanner blacklist and I do not use the spamassassin
> > > blacklist/whitelist.
> > > RedHat 7.3, MS 4.22-11 SA 2.55
> >
> > Why dont you look in your logs ? Its tells exactly why and what.
> > Turn details on spam logging on ...
> >
> > Bye,
> > Raymond.
>

From HancockS at MORGANCO.COM Fri Sep 12 17:05:26 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:19:56 2006
Subject: eTrust Virus Scanner
Message-ID: <3EA1A302A4978A4C970D2C63F327156ED5443F@worc-mail2.int.morganco.com>

Kevin,

I was reporting against the wrong server. My mistake. Sorry.

"Pebbles" is working according to my descriptions. Server "Bambam" needs
more help.

The following shows the environment variables as you suspected. However, I
"su mail" to find the variable looks good, but attempting to run inocmd32
fails (marked with "# KEVIN SEE FAILED HERE").

I cannot test etrust via mailscanner operation with the server "pebbles".
I need time to bring etrust on "Bambam", my testing server, back to working
as it is on pebbles.

Quickly browse below but let me get my testing server "Bambam" working.
I'll post to your attention ASAP.

Thanks again,

Scott

scott@pebbles:~$ /opt/eTrustAntivirus/ino/bin/inocmd32
inocmd32 may only be used by the root user
scott@pebbles:~$ su
Password:
pebbles:/home/scott# /opt/eTrustAntivirus/ino/bin/inocmd32
/opt/eTrustAntivirus/ino/bin/inocmd32: error while loading shared libraries: libarclib.so: cannot open shared object file: No such file or directory
pebbles:/home/scott# exit
exit
scott@pebbles:~$ su -
Password:
pebbles:~# exit
logout
scott@pebbles:~$ echo $LD_LIBRARY_PATH
/opt/eTrustAntivirus/secu/lib:/opt/eTrustAntivirus/ino/config:/opt/eTrus
tAntivirus/ino/lib
scott@pebbles:~$ su
Password:
pebbles:/home/scott# echo $LD_LIBRARY_PATH

pebbles:/home/scott# exit
exit
scott@pebbles:~$ su -
Password:
pebbles:~# echo $LD_LIBRARY_PATH
/opt/eTrustAntivirus/secu/lib:/opt/eTrustAntivirus/ino/config:/opt/eTrus
tAntivirus/ino/lib
pebbles:~# /opt/eTrustAntivirus/ino/bin/inocmd32
InoculateIT Engine version: 23.59.00 2002/12/10
InoculateIT Signature version: virsig.dat 23.59.00 2002/12/16
pebbles:~# su mail
pebbles:/root$ echo $LD_LIBRARY_PATH
/opt/eTrustAntivirus/secu/lib:/opt/eTrustAntivirus/ino/config:/opt/eTrus
tAntivirus/ino/lib
pebbles:/root$
pebbles:/root$ /opt/eTrustAntivirus/ino/bin/inocmd32
inocmd32 may only be used by the root user # KEVIN SEE FAILED HERE"
pebbles:/root$
pebbles:/root$ exit
exit
pebbles:~# /opt/eTrustAntivirus/ino/bin/inocmd32
InoculateIT Engine version: 23.59.00 2002/12/10
InoculateIT Signature version: virsig.dat 23.59.00 2002/12/16

*******************************
*******************************
Post of Pebbles config just to ensure proper reporting.
*******************************
pebbles:~# ls -la /opt/eTrustAntivirus/ino/bin/
total 1284
drwxr-xr-x 2 root root 4096 Feb 13 2003 .
drwxr-xr-x 15 root root 4096 Sep 8 09:41 ..
-r-xr-xr-x 1 root root 6128 Feb 10 2003 AVProductName
-r-xr-xr-x 1 root root 6644 Feb 10 2003 Decript
-r-xr--r-- 1 root root 315912 Feb 13 2003 InoNmSrv
-r-xr--r-- 1 root root 163372 Feb 13 2003 InoRT
-r-xr--r-- 1 root root 109620 Feb 13 2003 InoRpc
-r-xr--r-- 1 root root 161772 Feb 13 2003 InoTask
-r-xr-xr-x 1 root root 50169 Feb 13 2003 caipconfig
-r-xr-xr-x 1 root root 5204 Feb 10 2003 cawhence
-r-xr-xr-x 1 root root 45716 Feb 13 2003 eavdisc
-rwsr-x--- 1 root etrust 70056 Feb 13 2003 inocmd32
-r-xr-xr-x 1 root root 12668 Feb 4 2003 inolgset
-r-xr-xr-x 1 root root 5068 Feb 10 2003 inoregbin
-r-xr--r-- 1 root root 252848 Feb 13 2003 inoweb
-r-xr-xr-x 1 root root 12404 Feb 13 2003 regutil
-r-xr-xr-x 1 root root 9428 Feb 13 2003 servutil
-r-xr-xr-x 1 root root 3316 Feb 10 2003 shmnattach
-r-xr-xr-x 1 root root 5200 Feb 10 2003 threadtest

/etc/group => etrust:x:51:mail

pebbles:~# su mail
pebbles:/root$ printenv
HZ=100
TERM=xterm
SHELL=/bin/sh
USER=mail
LD_LIBRARY_PATH=/opt/eTrustAntivirus/secu/lib:/opt/eTrustAntivirus/ino/c
onfig:/opt/eTrustAntivirus/ino/lib
CAIGLBL0002=CACRITMON
CAIGLBL0000=/opt/eTrustAntivirus
CAIUNIDB=caiunidb
CAIGLBL0006=CASNMPMGR
PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
MAIL=/var/mail/root
CA_CAILANGUAGE=enu
_=/usr/bin/printenv
PWD=/root
LANG=C
PS1=\h:\w\$
HOME=/var/mail
SHLVL=2
LOGNAME=root
CAI_CAMSGF_OPRDIRECT=
CA_REPORT=/opt/eTrustAntivirus/report/
CAI_DATEFMT=MMM-DD-YYYY
CAPB_PATH=/opt/eTrustAntivirus/prb/config/
CA_CAIMESSAGE=/opt/eTrustAntivirus/messages/american

From TGFurnish at HERFF-JONES.COM Fri Sep 12 17:20:02 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:56 2006
Subject: A long gap in a name is often used to hide part of it {Scanne d by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1BEC@inex1.herffjones.hj-int>

See filename.rules.conf.
Mine has a line like so:

deny .{150,} Very long filename, possible OE attack
Very long filenames are good signs of attacks against Microsoft e-mail
packages

May be different in whatever version you have installed, but if not, then
the limit is 149 characters total - 150 characters will match that rule.

-t.

> -----Original Message-----
> From: Jan Elmqvist Nielsen [mailto:JEN@AH.DK]
> Sent: Friday, September 12, 2003 2:18 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: A long gap in a name is often used to hide part of
> it {Scanned
> by HJMS}
>
>
> How long has the cap to be, before MS is rejecting the attachment?
>
> It's a .doc file
>
> /jan Elmqvist Nielsen
>

From baldguy33165 at YAHOO.COM Fri Sep 12 17:36:41 2003
From: baldguy33165 at YAHOO.COM (Juan C. Quesada)
Date: Thu Jan 12 21:19:56 2006
Subject: Spamassasin scanning sporadically, please help.
Message-ID: <20030912163641.90880.qmail@web20807.mail.yahoo.com>

Hello,

I have customized rules like this one on my
spam.assassin.prefs file:

header FOUL_WORD Subject =~ /\bfoulword\b/i
body FOUL_WORD /\bfoulword\b/i
score FOUL_WORD 100.0

header THE_FWORD Subject =~ /fword/i
body THE_FWORD /fword/i
score THE_FWORD 100.0

I have done email tests from the outside and spam
assasin will catch them most of the time, but
sometimes they leak through and are marked as "not
spam, spamassasin".

In other words, the email is scanned for spam and
scored, but it missed the rules above.

I hope I'm clear.

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

From mailscanner at ecs.soton.ac.uk Fri Sep 12 17:43:32 2003
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:19:56 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200309121643.h8CGhWeP013586@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Jeff Earickson

In the lifetime of Sobig-F, we killed slightly more the 120K
Sobigs with MailScanner. Even with students returning from
off-campus with their computers during this time period, we had
exactly ONE (1) Sobig-F infected computer on-campus during the
virus lifetime. With MailScanner, I could quickly spot the culprit
and remove from the network. I consider the protection provided
by MailScanner (and sophossavi and clam) to be outstanding, during
the worst virus outbreak in history. Great Job!

--- Jeff Earickson
Colby College

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 12 17:49:59 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:56 2006
Subject: Notify Senders pb
In-Reply-To: <01dc01c37947$07703960$a6b239c2@NT2.oieau.fr>
References: <01dc01c37947$07703960$a6b239c2@NT2.oieau.fr>
Message-ID: <200309121650.h8CGo3R15797@agate.rockstone.co.uk>

On Friday 12 September 2003 5:00 pm, Vincent LE GOUIC-MARTUN wrote:

> Hi,
>
> I have the "Notify Senders = yes" parameter, but I never receive a
> notification of a virus I send in an e-mail.

Show us the entries from your syslog when the machine processes such an
email.

Also, posting your MailScanner.conf (minus blank lines and comments) would
be helpful.

Regards,

Antony.

--
This email was created using 100% recycled electrons.

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 12 17:53:19 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:56 2006
Subject: Spamassasin scanning sporadically, please help.
In-Reply-To: <20030912163641.90880.qmail@web20807.mail.yahoo.com>
References: <20030912163641.90880.qmail@web20807.mail.yahoo.com>
Message-ID: <200309121653.h8CGrOR15801@agate.rockstone.co.uk>

On Friday 12 September 2003 5:36 pm, Juan C. Quesada wrote:

> Hello,
>
> I have customized rules like this one on my
> spam.assassin.prefs file:
>
> header FOUL_WORD Subject =~ /\bfoulword\b/i
> body FOUL_WORD /\bfoulword\b/i
> score FOUL_WORD 100.0
>
> header THE_FWORD Subject =~ /fword/i
> body THE_FWORD /fword/i
> score THE_FWORD 100.0
>
> I have done email tests from the outside and spam
> assasin will catch them most of the time, but
> sometimes they leak through and are marked as "not
> spam, spamassasin".
>
> In other words, the email is scanned for spam and
> scored, but it missed the rules above.

Do you mean that exactly the same email is sometimes caught, and sometimes
not, or do you mean that some emails are caught and others aren't?

If the latter, what is the difference between the ones which are caught and
the ones which are not?

How large are the emails you are trying to scan?

What version of MailScanner are you using?

Antony.

--
Having been asked to provide a reference for this man, I can confidently
state that you will be very lucky indeed if you can get him to work for you.

From m.sapsed at BANGOR.AC.UK Fri Sep 12 17:57:51 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:19:56 2006
Subject: A long gap in a name is often used to hide part of it {Scanne d by HJMS}
References: <8FFC76593085ED4A80D3601BC41EFCDF8E1BEC@inex1.herffjones.hj-int>
Message-ID: <3F61FB0F.8000600@bangor.ac.uk>

Furnish, Trever G wrote:
> See filename.rules.conf. Mine has a line like so:
>
> deny .{150,} Very long filename, possible OE attack
> Very long filenames are good signs of attacks against Microsoft e-mail
> packages
>
> May be different in whatever version you have installed, but if not, then
> the limit is 149 characters total - 150 characters will match that rule.

I have seen some messages that got rejected by this rule here recently
which would have been ok except that the file names were:

TdUkDisplayPro.ICC
Promotion_Prop.pif
New Text Docum.scr
science_ob=MIm.url
CARS_popup.asp.dat
Contaminated w.doc
Press Release .doc
Press Release -1.doc
Press Release -2.doc
Press Release -3.doc

Mostly 18 characters. Anyone else seeing this? It's happening on 3
different hubs, and all have the standard 150 line in filename rules.

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From Antony at SOFT-SOLUTIONS.CO.UK Fri Sep 12 18:03:15 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:56 2006
Subject: A long gap in a name is often used to hide part of it {Scanne d by HJMS}
In-Reply-To: <3F61FB0F.8000600@bangor.ac.uk>
References: <8FFC76593085ED4A80D3601BC41EFCDF8E1BEC@inex1.herffjones.hj-int> <3F61FB0F.8000600@bangor.ac.uk>
Message-ID: <200309121703.h8CH3JR15814@agate.rockstone.co.uk>

On Friday 12 September 2003 5:57 pm, Martin Sapsed wrote:

> > deny .{150,} Very long filename, possible OE attack
> I have seen some messages that got rejected by this rule here recently
> which would have been ok except that the file names were:
>
> TdUkDisplayPro.ICC
> Promotion_Prop.pif
> New Text Docum.scr
> science_ob=MIm.url
> CARS_popup.asp.dat
> Contaminated w.doc
> Press Release .doc
> Press Release -1.doc
> Press Release -2.doc
> Press Release -3.doc
>
> Mostly 18 characters. Anyone else seeing this? It's happening on 3
> different hubs, and all have the standard 150 line in filename rules.

These names look truncated to me. Are you certain that these are the
attachment names as they were in the original emails which got scanned?

Also, are you sure there's no white space before / after / during the
filenames, as .{150,} will match 150 of any character, including spaces,
tabs, etc...

Antony.

--
What is this talk of software 'release' ? Our software evolves and matures
until it becomes capable of escape, leaving a bloody trail of designers and
quality assurance people in its wake.
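
[Added example, not part of the original thread and not MailScanner code.] The whitespace point raised in the reply above can be checked mechanically: the sketch below applies the quoted `deny .{150,}` rule to attachment names and reports the true length and any hidden whitespace, so a padded name can be told apart from one that really is 18 characters long. The tab-separated four-field rule layout, the function names and the padded sample names are assumptions constructed for this example; Python's `re` stands in for Perl's regex engine, which behaves the same for this pattern.

```python
import re
from dataclasses import dataclass

# Rule line in the shape quoted in the thread. The tab-separated four-field
# layout (action, regex, log text, user text) is an assumption of this example.
RULE_LINE = (
    "deny\t.{150,}\tVery long filename, possible OE attack\t"
    "Very long filenames are good signs of attacks against "
    "Microsoft e-mail packages"
)

# Whitespace a reader would not notice: leading, trailing, runs, or any tab.
HIDDEN_WS = re.compile(r"^\s+|\s+$|\s{2,}|\t")


@dataclass
class Rule:
    action: str
    pattern: re.Pattern
    log_text: str
    user_text: str


def parse_rule(line: str) -> Rule:
    """Split one rule line into its four fields and compile the regex."""
    fields = [f for f in line.strip("\r\n").split("\t") if f]
    if len(fields) != 4:
        raise ValueError(f"expected 4 tab-separated fields, got {len(fields)}")
    action, regex, log_text, user_text = fields
    return Rule(action.lower(), re.compile(regex), log_text, user_text)


def make_visible(name: str) -> str:
    """Replace hard-to-see whitespace with a marker such as <SPx140>."""
    def mark(m: re.Match) -> str:
        run = m.group()
        uniform = len(set(run)) == 1
        label = {" ": "SP", "\t": "TAB"}.get(run[0], "WS") if uniform else "WS"
        return f"<{label}x{len(run)}>"
    return HIDDEN_WS.sub(mark, name)


def collapse_whitespace(name: str) -> str:
    """The name as it reads once whitespace runs are collapsed, for example
    in an HTML view or a list retyped by hand."""
    return re.sub(r"\s+", " ", name).strip()


def explain(name: str, rule: Rule) -> dict:
    """Evaluate one attachment name and describe why the rule did or did not
    fire. The search is unanchored, like a Perl `=~ /regex/` match."""
    gaps = [len(m.group()) for m in re.finditer(r"\s+", name)]
    return {
        "matched": rule.pattern.search(name) is not None,
        "length": len(name),
        "whitespace_chars": sum(gaps),
        "longest_gap": max(gaps, default=0),
        "collapsed": collapse_whitespace(name),
        "visible": make_visible(name),
    }


if __name__ == "__main__":
    rule = parse_rule(RULE_LINE)
    samples = [
        "Press Release .doc",                     # name as listed in the thread
        "Press Release" + " " * 140 + ".doc",     # constructed: padded with spaces
        "report.doc" + "\t" * 145,                # constructed: trailing tabs
        "a" * 149,                                # constructed: one below the limit
        "a" * 150,                                # constructed: exactly at the limit
    ]
    for name in samples:
        info = explain(name, rule)
        verdict = rule.action.upper() if info["matched"] else "pass"
        print(f"{verdict:5} len={info['length']:3} gap={info['longest_gap']:3} "
              f"{info['visible'][:60]}")
```

Logging the `visible` form next to the rule text makes a rejection like the ones reported above self-explanatory.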

From vlgm at oieau.fr Fri Sep 12 17:58:26 2003
From: vlgm at oieau.fr (Vincent LE GOUIC-MARTUN)
Date: Thu Jan 12 21:19:56 2006
Subject: Notify Senders pb
References: <01dc01c37947$07703960$a6b239c2@NT2.oieau.fr> <200309121650.h8CGo3R15797@agate.rockstone.co.uk>
Message-ID: <02b801c3794f$279131b0$a6b239c2@NT2.oieau.fr>

Mailman conf :

# Main configuration file for the MailScanner E-Mail Virus Scanner
#
# It's good practice to check through configuration files to make sure
# they fit with your system and your needs, whatever you expect them to
# contain.
#
# Note: If your directories are symlinked (soft-linked) in any way,
#       please put their *real* location in here, not a path that
#       includes any links. You may get some very strange error
#       messages from some of the virus scanners if you don't.
#
# Note for Version 4.00 and above:
#       A lot of the settings can take a ruleset as well as just simple
#       values. These rulesets are files containing rules which are applied
#       to the current message to calculate the value of the configuration
#       option. The rules are checked in the order they appear in the ruleset.
#
# Note for Version 4.03 and above:
#       As well as rulesets, you can now include your own functions in
#       here. Look at the directory containing Config.pm and you will find
#       CustomConfig.pm. In here, you can add your own "value" function and
#       an Initvalue function to set up any global state you need such as
#       database connections. Then for a setting below, you can put:
#               Configuration Option = &ValueFunction
#       where "ValueFunction" is the name of the function you have
#       written in CustomConfig.pm.
#

#
# Definition of variables which are substituted into definitions below
#

# Set the directory containing all the reports in the required language
%report-dir% = /etc/MailScanner/reports/fr

# Configuration directory containing this file
%etc-dir% = /etc/MailScanner

# Rulesets directory containing your ".rules" files
%rules-dir% = /etc/MailScanner/rules

# Enter a short identifying name for your organisation below, this is
# used to make the X-MailScanner headers unique for your organisation.
# Multiple servers within one site should use an identical value here
# to avoid adding multiple redundant headers where mail has passed
# through several servers within your organisation.
%org-name% = yoursite

#
# System settings
# ---------------
#

# How many MailScanner processes do you want to run at a time?
# There is no point increasing this figure if your MailScanner server
# is happily keeping up with your mail traffic.
# If you are running on a server with more than 1 CPU, or you have a
# high mail load (and/or slow DNS lookups) then you should see better
# performance if you increase this figure.
# If you are running on a small system with limited RAM, you should
# note that each child takes just over 20MB.
#
# As a rough guide, try 5 children per CPU. But read the notes above.
Max Children = 5

# User to run as (not normally used for sendmail)
#Run As User = mail
#Run As User = postfix
Run As User =

# Group to run as (not normally used for sendmail)
#Run As Group = mail
#Run As Group = postfix
Run As Group =

# How often (in seconds) should each process check the incoming mail
# queue for new messages? If you have a quiet mail server, you might
# want to increase this value so it causes less load on your server, at
# the cost of slightly increasing the time taken for an average message
# to be processed.
Queue Scan Interval = 5

# Set location of incoming mail queue
#
# This can be any one of
# 1. A directory name
#    Example: /var/spool/mqueue.in
# 2. A wildcard giving directory names
#    Example: /var/spool/mqueue.in/*
# 3. The name of a file containing a list of directory names,
#    which can in turn contain wildcards.
#    Example: /etc/MailScanner/mqueue.in.list.conf
#
Incoming Queue Dir = /var/spool/mqueue.in

# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/mqueue

# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/MailScanner/incoming

# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/quarantine

# Set where to store the process id number so you can stop MailScanner
PID file = /var/run/MailScanner.pid

# To avoid resource leaks, re-start periodically
Restart Every = 14400

# Set whether to use postfix, sendmail, exim or zmailer.
# If you are using postfix, then see the "SpamAssassin User State Dir"
# setting near the end of this file
MTA = sendmail

# Set how to invoke MTA when sending messages MailScanner has created
# (e.g. to sender/recipient saying "found a virus in your message")
# This can also be the filename of a ruleset.
Sendmail = /usr/sbin/sendmail

# Sendmail2 is provided for Exim users.
# It is the command used to attempt delivery of outgoing cleaned/disinfected
# messages.
# This is not usually required for sendmail.
# This can also be the filename of a ruleset.
#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf
#For sendmail users: Sendmail2 = /usr/sbin/sendmail
#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf
sendmail2 = /usr/sbin/sendmail

#
# Processing Incoming Mail
# ------------------------
#

# In every batch of virus-scanning, limit the maximum
# a) number of unscanned messages to deliver
# b) number of potentially infected messages to unpack and scan
# c) total size of unscanned messages to deliver
# d) total size of potentially infected messages to unpack and scan
Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 500
Max Unsafe Messages Per Scan = 100

# Expand TNEF attachments using an external program (or a Perl module)?
# This should be "yes" unless the scanner you are using (Sophos, McAfee) has
# the facility built-in. However, if you set it to "no", then the filenames
# within the TNEF attachment will not be checked against the filename rules.
Expand TNEF = yes

# Some versions of Microsoft Outlook generate unparsable Rich Text
# format attachments. Do we want to deliver these bad attachments anyway?
# Setting this to yes introduces the slight risk of a virus getting through,
# but if you have a lot of troubled Outlook users you might need to do this.
# We are working on a replacement for the TNEF decoder.
# This can also be the filename of a ruleset.
Deliver Unparsable TNEF = no

# Where the MS-TNEF expander is installed.
# This is EITHER the full command (including maxsize option) that runs
# the external TNEF expander binary,
# OR the keyword "internal" which will make MailScanner use the Perl
# module that does the same job.
# They are both provided as I am unsure which one is faster and which
# one is capable of expanding more file formats (there are plenty!).
#
# The --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
#TNEF Expander = internal
# This can also be the filename of a ruleset.
TNEF Expander = /usr/bin/tnef --maxsize=100000000

# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout = 120

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command = /usr/bin/file

# The maximum length of time the "file" command is allowed to run for 1
# batch of messages (in seconds)
File Timeout = 20

# The maximum size of any message including the headers. If this is set to
# zero, then no size checking is done.
# This can also be the filename of a ruleset, so you can have different
# settings for different users. You might want to set this quite small for
# dialup users so their email applications don't time out downloading huge
# messages.
Maximum Message Size = 0

#
# Virus Scanning and Vulnerability Testing
# ----------------------------------------
#

# Do you want to scan email for viruses?
# A few people don't have a virus scanner licence and so want to disable
# all the virus scanning.
# NOTE: This switch actually switches on/off all processing of the email
#       messages. If you just want to switch off actual virus scanning,
#       then set "Virus Scanners = none" instead.
#
# If you want to be able to switch scanning on/off for different users or
# different domains, set this to the filename of a ruleset.
# This can also be the filename of a ruleset.
Virus Scanning = yes

# Which Virus Scanning package to use:
# sophos from www.sophos.com, or
# sophossavi (also from www.sophos.com, using the SAVI perl module), or
# mcafee from www.mcafee.com, or
# command from www.command.co.uk, or
# kaspersky from www.kaspersky.com, or
# kavdaemonclient from www.kaspersky.com, or
# etrust from http://www3.ca.com/Solutions/Product.asp?ID=156, or
# inoculate from www.cai.com/products/inoculateit.htm, or
# inoculan from ftp.ca.com/pub/getbbs/linux.eng/inoctar.LINUX.Z, or
# nod32 from www.nod32.com, or
# f-secure from www.f-secure.com, or
# f-prot from www.f-prot.com, or
# panda from www.pandasoftware.com, or
# rav from www.ravantivirus.com, or
# antivir from www.antivir.de, or
# clamav from clamav.elektrapro.com, or
# trend from www.trendmicro.com, or
# none (no virus scanning at all)
#
# Note for McAfee users: do not use any symlinks with McAfee at all. It is
#       very strange but may not detect all viruses when
#       started from a symlink or scanning a directory path
#       including symlinks.
#
# Note: If you want to use multiple virus scanners, then this should be a
#       space-separated list of virus scanners. For example:
#       Virus Scanners = sophos f-prot mcafee
#
# Note: Make sure that you check that the base installation directory in the
#       3rd column of virus.scanners.conf matches the location you have
#       installed each of your virus scanners. The supplied
#       virus.scanners.conf file assumes the default installation locations
#       recommended by each of the virus scanner installation guides.
#
Virus Scanners = f-prot

# The maximum length of time the commercial virus scanner is allowed to run
# for 1 batch of messages (in seconds).
Virus Scanner Timeout = 300

# Should I attempt to disinfect infected attachments and then deliver
# the clean ones. "Disinfection" involves removing viruses from files
# (such as removing macro viruses from documents). "Cleaning" is the
# replacement of infected attachments with "VirusWarning.txt" text
# attachments.
# This can also be the filename of a ruleset.
Deliver Disinfected Files = yes

# Strings listed here will be searched for in the output of the virus scanners.
# It is used to list which viruses should be handled differently from other
# viruses. If a virus name is given here, then
# 1) The sender will not be warned that he sent it
# 2) No attempt at true disinfection will take place
#    (but it will still be "cleaned" by removing the nasty attachments
#    from the message)
# 3) The recipient will not receive the message,
#    unless the "Still Deliver Silent Viruses" option is set
# Other words that can be put in this list are the 3 special keywords
#    HTML-IFrame : inserting this will stop senders being warned about
#                  HTML Iframe tags, when they are not allowed.
#    HTML-Codebase : inserting this will stop senders being warned about
#                  HTML Object Codebase tags, when they are not allowed.
#    HTML-Form : inserting this will stop senders being warned about
#                  HTML Form tags, when they are not allowed.
#    All-Viruses : inserting this will stop senders being warned about
#                  any virus, while still allowing you to warn senders
#                  about HTML-based attacks.
#
# This can also be the filename of a ruleset.
Silent Viruses = HTML-IFrame Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig Fizzer Ganda Mimail

# Still deliver (after cleaning) messages that contained viruses listed
# in the above option ("Silent Viruses") to the recipient?
# Setting this to "yes" is good because it shows management that MailScanner
# is protecting them, but it is bad because they have to filter/delete all
# the incoming virus warnings.
# This can also be the filename of a ruleset.
Still Deliver Silent Viruses = yes

# Should encrypted messages be blocked?
# This is useful if you are wary about your users sending encrypted
# messages to your competition.
# This can be a ruleset so you can block encrypted message to certain domains.
Block Encrypted Messages = no

# Should unencrypted messages be blocked?
# This could be used to ensure all your users send messages outside your
# company encrypted to avoid snooping of mail to your business partners.
# This can be a ruleset so you can just check mail to certain users/domains.
Block Unencrypted Messages = no

#
# Options specific to Sophos Anti-Virus
# -------------------------------------
#

# Anything on the next line that appears in brackets at the end of a line
# of output from Sophos will cause the error/infection to be ignored.
# Use of this option is dangerous, and should only be used if you are having
# trouble with lots of corrupt PDF files, for example.
# If you need to specify more than 1 string to find in the error message,
# then put each string in quotes and separate them with a comma.
# For example:
#Allowed Sophos Error Messages = "corrupt", "format not supported"

# The directory (or a link to it) containing all the Sophos *.ide files.
# This is only used by the "sophossavi" virus scanner, and is irrelevant
# for all other scanners.
Sophos IDE Dir = /usr/local/Sophos/ide

# The directory (or a link to it) containing all the Sophos *.so libraries.
# This is only used by the "sophossavi" virus scanner, and is irrelevant
# for all other scanners.
Sophos Lib Dir = /usr/local/Sophos/lib

# SophosSAVI only: monitor each of these files for changes in size to
# detect when a Sophos update has happened. The date of the Sophos Lib Dir
# is also monitored.
# This is only used by the "sophossavi" virus scanner, not the "sophos"
# scanner setting.
#Monitors For Sophos Updates = /usr/local/Sophos/ide/*ides.zip

#
# Removing/Logging dangerous or potentially offensive content
# -----------------------------------------------------------
#

# Do you want to allow partial messages, which only contain a fraction of
# the attachments, not the whole thing? There is absolutely no way to
# scan these "partial messages" properly for viruses, as MailScanner never
# sees all of the attachment at the same time. Enabling this option can
# allow viruses through. You have been warned.
# This can also be the filename of a ruleset so you can, for example, allow
# them in outgoing mail but not in incoming mail.
Allow Partial Messages = no

# Do you want to allow messages whose body is stored somewhere else on the
# internet, which is downloaded separately by the user's email package?
# There is no way to guarantee that the file fetched by the user's email
# package is free from viruses, as MailScanner never sees it.
# This feature is dangerous as it can allow viruses to be fetched from
# other Internet sites by a user's email package. The user would just
# think it was a normal email attachment and would have been scanned by
# MailScanner.
# It is only currently supported by Netscape 6 anyway, and the only people
# who use it are the IETF. So I would strongly advise leaving this switched off.
# This can also be the filename of a ruleset.
Allow External Message Bodies = no

# Do you want to allow