From faq at mailscanner.info Sun Feb 1 00:28:01 2004
From: faq at mailscanner.info (faq@mailscanner.info)
Date: Thu Jan 12 21:22:14 2006
Subject: Faq-O-Matic Error Log
Message-ID: <200402010028.i110S1j4025597@seer.ecs.soton.ac.uk>

Errors from MailScanner Faq-O-Matic (v. 2.717):

2004-01-26-01-41-43 2.717 error editPart 23959 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 2; in item: 3)
2004-01-26-02-15-42 2.717 error faq 30705 <(noID)> The file (16>) doesn't exist.
2004-01-27-19-17-17 2.717 error editPart 32359 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 5; in item: 6)
2004-01-28-14-50-48 2.717 error faq 2380 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.
2004-01-28-14-53-39 2.717 error faq 2871 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.
2004-01-28-14-53-58 2.717 error editPart 2884 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 10000; in item: 0)
2004-01-28-14-54-43 2.717 error editPart 2989 <(noID)> Part number "-1" in "211" doesn't exist.
2004-01-28-14-57-00 2.717 error editPart 3632 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: -1; in item: 2)
2004-01-28-14-57-45 2.717 error faq 3893 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.
2004-01-28-14-59-40 2.717 note editPart 4227 <(noID)> Perl warning: Use of uninitialized value in pattern match (m//) at /usr/lib/perl5/site_perl/5.6.1/FAQ/OMatic/editPart.pm line 62.
2004-01-28-14-59-40 2.717 note editPart 4227 <(noID)> Perl warning: Use of uninitialized value in pattern match (m//) at /usr/lib/perl5/site_perl/5.6.1/FAQ/OMatic.pm line 1769.
2004-01-28-15-04-22 2.717 error editPart 5546 <(noID)> Part number "-1" in "57" doesn't exist.
2004-01-28-15-21-46 2.717 note editPart 8998 <(noID)> Perl warning: Use of uninitialized value in pattern match (m//) at /usr/lib/perl5/site_perl/5.6.1/FAQ/OMatic/editPart.pm line 62.
2004-01-28-15-21-46 2.717 note editPart 8998 <(noID)> Perl warning: Use of uninitialized value in pattern match (m//) at /usr/lib/perl5/site_perl/5.6.1/FAQ/OMatic.pm line 1769.
2004-01-28-15-21-46 2.717 error editPart 8998 <(noID)> Part number 0 in 136 doesn't exist.

From ejb at QL.ORG Sun Feb 1 04:44:33 2004
From: ejb at QL.ORG (Jay Berkenbilt)
Date: Thu Jan 12 21:22:15 2006
Subject: removal of "bounce" spam action in 4.26.7
Message-ID: <200402010444.i114iXif014991@soup.in.ql.org>

I see in the release announcement for 4.26.7 that the "bounce" spam action has been removed. I'm curious about this. We use this feature for spam that scores in the 5 to 10 range and send a bounce that instructs the user to send mail to a special mailbox which is not filtered. This allows us to let false positives through. We probably get about 5 messages a week for a 50 person company, and most of the messages are important. This is enough to convince me that this is an important feature. I can only guess that it's been removed because such a huge amount of spam has invalid addresses.
I know our mail queue has 500 undeliverable spam bounces in it at any given time. Still, I doubt I will succeed in convincing the powers that be at my company that we can do without that feature.

Have I understood this item in the announcement correctly? Is it true that "bounce" is no longer a valid spam action? If so, has something replaced it to achieve similar functionality? I suppose I could always implement this myself by forwarding to an address that uses procmail to send the bounce, but that would be a shame.

I apologize if I've missed an earlier discussion on this.

--
Jay Berkenbilt
http://www.ql.org/q/

From ugob at CAMO-ROUTE.COM Sun Feb 1 04:58:33 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:15 2006
Subject: removal of "bounce" spam action in 4.26.7
Message-ID: <54C38A0B814C8E438EF73FC76F36292741088D@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Jay Berkenbilt [mailto:ejb@QL.ORG]
> Sent: Saturday, January 31, 2004 11:45 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: removal of "bounce" spam action in 4.26.7
>
>
> I see in the release announcement for 4.26.7 that the "bounce" spam
> action has been removed. I'm curious about this. We use this feature
> for spam that scores in the 5 to 10 range and send a bounce that
> instructs the user to send mail to a special mailbox which is not
> filtered. This allows us to let false positives through. We probably
> get about 5 messages a week for a 50 person company, and most of the
> messages are important. This is enough to convince me that this is an
> important feature. I can only guess that it's been removed because
> such a huge amount of spam has invalid addresses. I know our mail
> queue has 500 undeliverable spam bounces in it at any given time.
> Still, I doubt I will succeed in convincing the powers that be at my
> company that we can do without that feature.
>
> Have I understood this item in the announcement correctly?
> Is it true that "bounce" is no longer a valid spam action?

Yes

> If so, has something
> replaced it to achieve similar functionality?

No

> I suppose I could
> always implement this myself by forwarding to an address that uses
> procmail to send the bounce, but that would be a shame.
>
> I apologize if I've missed an earlier discussion on this.

Yes, there has been a long thread about this.

hth

Ugo

>
> --
> Jay Berkenbilt
> http://www.ql.org/q/
>

From kevins at BMRB.CO.UK Sun Feb 1 10:41:07 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <200401311910.LAA12534@sheridan.sibble.net>
References: <200401311910.LAA12534@sheridan.sibble.net>
Message-ID: <1075632074.28761.69.camel@bach.kevinspicer.co.uk>

On Sat, 2004-01-31 at 18:48, Harondel J. Sibble wrote:
> The plan is to switch the primary MX to the MS box and have isp as secondary
> and the MS box will forward the test accounts to the internal server and any
> other mail will go to the isp. Telneting into the MS box, this all works
> fine. Now however I am wondering how to have the MS box send mail for the 2
> test accounts to both the internal server and isp mailserver.
>

I think you can make Non Spam actions a ruleset, with the default being deliver and specific rule for those two accounts to be 'deliver forward user@othermachine'

I do hope when you mentioned telneting you really meant sshing, not telnet using the telnet command.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited.
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From kevins at BMRB.CO.UK Sun Feb 1 10:51:23 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:15 2006
Subject: removal of "bounce" spam action in 4.26.7
In-Reply-To: <200402010444.i114iXif014991@soup.in.ql.org>
References: <200402010444.i114iXif014991@soup.in.ql.org>
Message-ID: <1075632693.18054.8.camel@bach.kevinspicer.co.uk>

On Sun, 2004-02-01 at 04:44, Jay Berkenbilt wrote:
> Have I understood this item in the announcement correctly? Is it true
> that "bounce" is no longer a valid spam action? If so, has something
> replaced it to achieve similar functionality? I suppose I could
> always implement this myself by forwarding to an address that uses
> procmail to send the bounce, but that would be a shame.
>

You want to do some analysis on why the false positives are being generated. I managed to virtually eliminate them with a combination of whitelisting, tuning the threshold and adding rules to match the names of our products and assign negative scores. Typically false positive will be right at the bottom end of the score threshold, so either a) raise the lower threshold or b) lower the high score threshold and use the attachment deliver option for the low scoring spam.

As someone who has recently had his address used as the forged sender of a spam run and woke up to find hundreds of such bounce messages in his inbox I welcome the removal of the bounce option, and would encourage anyone thinking of finding a way around it to think again.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately.
Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From drew at THEMARSHALLS.CO.UK Sun Feb 1 11:03:17 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <200401311910.LAA12534@sheridan.sibble.net>
References: <200401311910.LAA12534@sheridan.sibble.net>
Message-ID: <401CDCF5.9060901@themarshalls.co.uk>

Harondel J. Sibble wrote:

>Is there an easy way in postfix or in MS to send mail to 2 locations?
>
>Situation, isp currently hosts dns and email accounts for client. We have an
>internal mailserver with an MS box as the mail relay for the internal server.
>We want to test with a few of the accounts that currently exist with the isp,
>so the we have the following transport map on the MS box
>
>username1@domain.com smtp:[192.168.x.x]
>username2@domain.com smtp:[192.168.x.x]
>domain.com smtp:isp mailserver (primary mx for domain)
>
>The plan is to switch the primary MX to the MS box and have isp as secondary
>and the MS box will forward the test accounts to the internal server and any
>other mail will go to the isp. Telneting into the MS box, this all works
>fine. Now however I am wondering how to have the MS box send mail for the 2
>test accounts to both the internal server and isp mailserver.
>
>
Just make an alias map something like:

testuser1: test1 test1@ispdomain
testuser2: test2 test2@ispdomain

Then

$ newaliases

Should do the trick

>The reason we are going this way is that we want to keep all the current mail
>running as it is while still be able to test and use the internal mailserver
>until we are satisfied that it is ready for production use. Can anyone
>suggest a better method of accomplishing the same goal?
>
>--
>Harondel J. Sibble
>Sibble Computer Consulting
>Creating solutions for the small business and home computer user.
>help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
>(604) 739-3709 (voice/fax) (604) 686-2253 (pager)
>
>
Regards

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From kevins at BMRB.CO.UK Sun Feb 1 11:18:27 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <401CDCF5.9060901@themarshalls.co.uk>
References: <200401311910.LAA12534@sheridan.sibble.net> <401CDCF5.9060901@themarshalls.co.uk>
Message-ID: <1075634307.18054.25.camel@bach.kevinspicer.co.uk>

On Sun, 2004-02-01 at 11:03, Drew Marshall wrote:
> Just make an alias map something like:
>
> testuser1: test1 test1@ispdomain
> testuser2: test2 test2@ispdomain
>

This will only work if the addresses (testuser1 and testuser2) are destined for mailboxes on the local machine.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From drew at THEMARSHALLS.CO.UK Sun Feb 1 11:32:03 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <1075634307.18054.25.camel@bach.kevinspicer.co.uk>
References: <200401311910.LAA12534@sheridan.sibble.net> <401CDCF5.9060901@themarshalls.co.uk> <1075634307.18054.25.camel@bach.kevinspicer.co.uk>
Message-ID: <401CE3B3.6030305@themarshalls.co.uk>

Kevin Spicer wrote:

>On Sun, 2004-02-01 at 11:03, Drew Marshall wrote:
>
>
>>Just make an alias map something like:
>>
>>testuser1: test1 test1@ispdomain
>>testuser2: test2 test2@ispdomain
>>
>>
>>
>This will only work if the addresses (testuser1 and testuser2) are
>destined for mailboxes on the local machine.
>
>
>
You are right. I misread the original post :-( but the same principle could be used for a virtual user map I would have thought just using full addresses.

>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>_________________________________________________________________
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance on it is prohibited. BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our
>business.
>
>

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040201/779971ab/attachment.html

From goleotti at MISAG.IT Sun Feb 1 12:09:20 2004
From: goleotti at MISAG.IT (Gabriele Oleotti)
Date: Thu Jan 12 21:22:15 2006
Subject: Vexira AV Support in 4.26.6?
Message-ID: <1488394A34F6A0408FDA3841418D1442183D46@scorpio.auron.mi>

I have to apologize for the last patch I sent you as the autoupdate script has a little bug (I forget the --update switch, so vexira isn't really doing the update). Sorry for that.

I corrected this bug and I have adjusted the output coming from the scanner as the vexira seems to use dos/windows CR+LF new line characters which causes bad looking output to be logged on my files.

Last, I have added time-out support (for the most copied from the alarm perldoc page and from the clamav-autoupdate) which I have tested and seemed to work fine.

Bye for now,
Gabriele

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Friday 30 January 2004 18.00
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Vexira AV Support in 4.26.6?

At 16:53 30/01/2004, you wrote:
>Will Support for Vexira Antivirus added in MailScanner Version 4.26.6?

No, sorry. I haven't had time to test it myself. It will have to wait for 4.27.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vexira.patch
Type: application/octet-stream
Size: 8456 bytes
Desc: vexira.patch
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040201/373b37ce/vexira.obj

From Janssen at RZ.UNI-FRANKFURT.DE Sun Feb 1 12:16:45 2004
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:22:15 2006
Subject: removal of "bounce" spam action in 4.26.7
In-Reply-To: <200402010444.i114iXif014991@soup.in.ql.org>
References: <200402010444.i114iXif014991@soup.in.ql.org>
Message-ID:

On Sat, 31 Jan 2004, Jay Berkenbilt wrote:

> I see in the release announcement for 4.26.7 that the "bounce" spam
> action has been removed. I'm curious about this. We use this feature
> for spam that scores in the 5 to 10 range and send a bounce that
> instructs the user to send mail to a special mailbox which is not
> filtered. This allows us to let false positives through. We probably
> get about 5 messages a week for a 50 person company, and most of the
> messages are important. This is enough to convince me that this is an
> important feature. I can only guess that it's been removed because
> such a huge amount of spam has invalid addresses.

*valid* addresses are the worse thing: spammer faking their from-address to the address of another person. This is why you can't bounce spam without making a possibly huge number of persons nervous, angry, lethargic about all the false spam-bounces they get.

It's simply no good style because you would leave the work of sorting out bounces of true-negative and false-positive spam. You can do this work on your own when you forward low score spam to a special, "ugly", account and sort out false-positives by your own. Which is lot of stupid work but can be tackled down with better whitelisting and such.
On our site, we provide daily information about received spam for each account and leave it to each user to take this serious and check these spamlists for seldom false-positives (this means instead of deleting several spam per day you search one mail for ham list-entries). Works quite well because a human can distinct anonymous spam from personal important mail very fast.

Michael

From mailscanner at ecs.soton.ac.uk Sun Feb 1 13:41:33 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <1075632074.28761.69.camel@bach.kevinspicer.co.uk>
References: <200401311910.LAA12534@sheridan.sibble.net> <1075632074.28761.69.camel@bach.kevinspicer.co.uk>
Message-ID: <6.0.1.1.2.20040201133928.038d76e8@imap.ecs.soton.ac.uk>

At 10:41 01/02/2004, you wrote:
>On Sat, 2004-01-31 at 18:48, Harondel J. Sibble wrote:
> > The plan is to switch the primary MX to the MS box and have isp as secondary
> > and the MS box will forward the test accounts to the internal server and any
> > other mail will go to the isp. Telneting into the MS box, this all works
> > fine. Now however I am wondering how to have the MS box send mail for the 2
> > test accounts to both the internal server and isp mailserver.
> >
>I think you can make Non Spam actions a ruleset, with the default being
>deliver and specific rule for those two accounts to be 'deliver forward
>user@othermachine'

If you need to copy the mail to more than one address, you can specify "forward user@address.com" more than once in the rulesets.

Don't forget to do the same thing to the Spam Actions and the High Scoring Spam Actions settings as well, if you want to duplicate the spam too. But you don't need 3 identical files. You can of course make all 3 settings use the same ruleset file.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Feb 1 13:49:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:15 2006
Subject: Vexira AV Support in 4.26.6?
In-Reply-To: <1488394A34F6A0408FDA3841418D1442183D46@scorpio.auron.mi>
References: <1488394A34F6A0408FDA3841418D1442183D46@scorpio.auron.mi>
Message-ID: <6.0.1.1.2.20040201134926.04480128@imap.ecs.soton.ac.uk>

Hopefully I'll get this in to 4.27.

At 12:09 01/02/2004, you wrote:
>I have to apologize for the last patch I sent you as the autoupdate script
>has a little bug (I forget the --update switch, so vexira isn't really
>doing the update). Sorry for that.
>
>I corrected this bug and I have adjusted the output coming from the
>scanner as the vexira seems to use dos/windows CR+LF new line characters
>which causes bad looking output to be logged on my files.
>
>Last, I have added time-out support (for the most copied from the alarm
>perldoc page and from the clamav-autoupdate) which I have tested and
>seemed to work fine.
>
>Bye for now,
>Gabriele
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Friday 30 January 2004 18.00
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Vexira AV Support in 4.26.6?
>
>
>At 16:53 30/01/2004, you wrote:
> >Will Support for Vexira Antivirus added in MailScanner Version 4.26.6?
>
>No, sorry. I haven't had time to test it myself. It will have to wait for
>4.27.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Feb 1 15:52:53 2004
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:22:15 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200402011552.i11FqrZZ030027@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Reinier

We run MailScanner plus Spamassassin with Exim, McAfee and Bitdefender.

Works great, keep up the good work.

One wish although... can zip files be extracted and be checked for dangerous filetypes such as .pif and .scr?

In case your scanner isn't up2date you don't have to worry that users are opening zips containing .pifs and other executable stuff.
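
The check asked for in the guestbook entry above, as an added example (it is not MailScanner's code and not part of the original message): it reads member names from a zip's directory without writing anything to disk and flags dangerous extensions, including inside nested zips. The extensions beyond .pif and .scr, the depth and size limits, and all function names are assumptions.

```python
import io
import zipfile
import zlib

# .pif and .scr are the types named in the message above; the other entries
# are assumptions added for illustration, not a MailScanner list.
DANGEROUS_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}
MAX_DEPTH = 2                 # assumed limit on archives inside archives
MAX_NESTED_BYTES = 5_000_000  # assumed cap on a nested archive read into memory


def extension(name):
    """Final extension, lower-cased. Trailing dots and spaces are ignored
    because Windows drops them when the file is written to disk."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower().rstrip(". ")
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def scan_zip(data, depth=0, prefix=""):
    """Return [(member_path, reason), ...] for a zip given as bytes.

    Name checks use only the archive directory. Member data is read into
    memory only to look inside a nested zip, within the limits above.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<archive>", "unreadable archive")]
    findings = []
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            ext = extension(info.filename)
            if ext in DANGEROUS_EXTS:
                findings.append((path, "dangerous extension " + ext))
            if info.flag_bits & 0x1:
                # Encrypted: the name is visible, the content cannot be checked.
                findings.append((path, "encrypted member"))
                continue
            if ext != ".zip":
                continue
            if depth >= MAX_DEPTH:
                findings.append((path, "nested too deep"))
            elif info.file_size > MAX_NESTED_BYTES:
                findings.append((path, "nested archive too large"))
            else:
                try:
                    inner = zf.read(info)
                except (zipfile.BadZipFile, RuntimeError,
                        NotImplementedError, zlib.error):
                    findings.append((path, "unreadable archive"))
                    continue
                findings.extend(scan_zip(inner, depth + 1, path + "!"))
    return findings


def build_sample():
    """Constructed test input: harmless bytes stored under suspicious names."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.SCR", b"not a real screensaver")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("document.doc.pif", b"not a real program")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in scan_zip(build_sample()):
        print(path, "->", reason)
```

A filename check of this kind does not depend on virus signatures being current, which is the case the entry describes; it does not replace the virus scanner's own inspection of archive contents.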

From mike at CAMAROSS.NET Sun Feb 1 17:12:50 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <401CDCF5.9060901@themarshalls.co.uk>
Message-ID: <200402011711.i11HBCH2025165@avwall.bladeware.com>

On the MS box, you *could* use the Archive function to send mail to more than one user:

FromTo: user1@yourdomain.com otheruser@somedomain.org

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Drew Marshall
> Sent: Sunday, February 01, 2004 5:03 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: sending mail to 2 locations
>
> Harondel J. Sibble wrote:
>
> >Is there an easy way in postfix or in MS to send mail to 2 locations?
> >
> >Situation, isp currently hosts dns and email accounts for client. We
> >have an internal mailserver with an MS box as the mail relay for the internal server.
> >We want to test with a few of the accounts that currently exist with
> >the isp, so the we have the following transport map on the MS box
> >
> >username1@domain.com smtp:[192.168.x.x]
> >username2@domain.com smtp:[192.168.x.x]
> >domain.com smtp:isp mailserver (primary mx for domain)
> >
> >The plan is to switch the primary MX to the MS box and have isp as
> >secondary and the MS box will forward the test accounts to the internal
> >server and any other mail will go to the isp. Telneting into the MS
> >box, this all works fine. Now however I am wondering how to have the MS
> >box send mail for the 2 test accounts to both the internal server and isp mailserver.
> >
> >
> Just make an alias map something like:
>
> testuser1: test1 test1@ispdomain
> testuser2: test2 test2@ispdomain
>
> Then
>
> $ newaliases
>
> Should do the trick
>
> >The reason we are going this way is that we want to keep all the
> >current mail running as it is while still be able to test and use the
> >internal mailserver until we are satisfied that it is ready for
> >production use. Can anyone suggest a better method of accomplishing the same goal?
> >
> >--
> >Harondel J. Sibble
> >Sibble Computer Consulting
> >Creating solutions for the small business and home computer user.
> >help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
> >(604) 739-3709 (voice/fax) (604) 686-2253 (pager)
> >
> >
> Regards
>
> Drew
>
>
> --
> In line with our policy, this message has been scanned for
> viruses and dangerous content by MailScanner, and is believed
> to be clean.
> www.themarshalls.co.uk/policy
>

From dannyz at belgonet.com Sun Feb 1 16:56:28 2004
From: dannyz at belgonet.com (Danny Zak)
Date: Thu Jan 12 21:22:15 2006
Subject: join mailscanner danny zak
Message-ID: <190197488894.20040201175628@belgonet.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040201/4ce6036a/attachment.html

From dannyz at belgonet.com Sun Feb 1 16:59:42 2004
From: dannyz at belgonet.com (Danny Zak)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
Message-ID: <71197683674.20040201175942@belgonet.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040201/00ba0590/attachment.html

From ugob at CAMO-ROUTE.COM Sun Feb 1 18:04:26 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
Message-ID: <54C38A0B814C8E438EF73FC76F36292741088F@mtlnt501fs.CAMOROUTE.COM>

-----Original Message-----
From: Danny Zak [mailto:dannyz@belgonet.com]
Sent: Sunday, February 01, 2004 12:00 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ZIP files seems not to be scanned (mydoom)

Hello MAILSCANNER list;

it seems that my mailscanner isn't scanning zip attaches for viruses.

[Ugo Bellavance] It is the job of your anti-virus, not mailscanner's

it does filter out the mydoom virus by files that are standardly attached although.

--
Best regards,
Danny mailto:dannyz@belgonet.com

belGOnet.com a Euro-pictures division - internet solutions
place princesse elisabeth 9/11 - 1030 Brussels - Belgium
Tel : +32-(0)2-215.67.65 - Fax : +32-(0)2-215.66.65
domains - hosting - hardware - VoiP - consultancy - backuping
CISCO - HP/COMPAQ - SUN - EMC - JUNIPER - IBM - DELL - NORTEL

No legal consequences can be derived from the contents of the email neither is belGOnet.com committed to them. The content of this email is exclusively intended for adressee(s) and information purposes. belGOnet.com accepts no liability for any damage resulting from the use and/or acceptation of the content of this email.

From kevins at BMRB.CO.UK Sun Feb 1 18:10:34 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
In-Reply-To: <71197683674.20040201175942@belgonet.com>
References: <71197683674.20040201175942@belgonet.com>
Message-ID: <1075659034.21098.34.camel@bach.kevinspicer.co.uk>

On Sun, 2004-02-01 at 16:59, Danny Zak wrote: Hello MAILSCANNER list;

>it seems that my mailscanner isn't scanning zip attaches for viruses.

>it does filter out the mydoom virus by files that are standardly
>attached although.

As Ugo says this is the job of your antivirus, which one are you using.

Have you checked that the unfiltered mails actually contain the virus in their zips (run past another virus scanner) - there are some broken copies around sending out non infected zips.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From rwmailscanner at LACASITA.DEMON.CO.UK Sun Feb 1 20:31:19 2004
From: rwmailscanner at LACASITA.DEMON.CO.UK (Robert Richard Wallace)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
Message-ID:

Also I believe some of the bounces are coming back with the whole bounce msg including virus set in a plain text mime type. All the clients I use don't therefore allow me to save off the infected attachment. NOT SURE WHAT OUTLOOK DOES ON THESE.

My INBOX is becoming spammed silly with these reject Messages with a copy of the virus attached in MIME format.

Question is should MailScanner be able to break up the msg and find these bounces and filter them out as well? Anyone care to comment?

On Sun, 1 Feb 2004 18:10:34 +0000, Kevin Spicer wrote:

>On Sun, 2004-02-01 at 16:59, Danny Zak wrote: Hello MAILSCANNER list;
>
>>it seems that my mailscanner isn't scanning zip attaches for viruses.
>
>>it does filter out the mydoom virus by files that are standardly
>>attached although.
>
>As Ugo says this is the job of your antivirus, which one are you using.
>
>Have you checked that the unfiltered mails actually contain the virus in
>their zips (run past another virus scanner) - there are some broken
>copies around sending out non infected zips.
>
>
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>_________________________________________________________________
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance on it is prohibited. BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our
>business.

From jaearick at COLBY.EDU Sun Feb 1 20:39:31 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
Message-ID:

Julian,

I tried an upgrade from 4.25-14 to 4.26.7. Setup: Sol 9, SA 2.63. I got gobs of:

   Skipping SpamAssassin while waiting for Bayes database to rebuild

messages with 4.26.7. The zero byte file /tmp/MS.bayes.rebuild.lock appeared after I restarted MS, and it never seems to go away. I tried things with both "Rebuild Bayes Every = 0" and with this set to 86400. Same deal. I'm afraid to try "Wait During Bayes Rebuild = yes" because if it never rebuilds then no mail gets delivered, right? A rebuild should only take a few seconds, right?

I tried stopping MS, removing /tmp/MS.bayes*, restarting -- still no luck. I've fallen back to 4.25-14 for the moment.

BTW, I have a cron job to do bayes spam/ham learning with

   $SALEARN --prefs-file=$PREFS --rebuild --force-expire

at the top. Should I still do this rebuild and force-expire in this script?

From mailscanner at ecs.soton.ac.uk Sun Feb 1 21:33:46 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040201211323.037b9598@imap.ecs.soton.ac.uk>

At 20:39 01/02/2004, you wrote:
>Julian,
>
> I tried an upgrade from 4.25-14 to 4.26.7. Setup: Sol 9,
>SA 2.63. I got gobs of:
>
> Skipping SpamAssassin while waiting for Bayes database to rebuild

This should only happen every day or so. Depends on your setting of "Rebuild Bayes Every". How often do you get a bunch of these?

>messages with 4.26.7. The zero byte file /tmp/MS.bayes.rebuild.lock
>appeared after I restarted MS, and it never seems to go away.

That's fine. It's a lock file that each of the child processes will maintain a shared lock on.

> I
>tried things with both "Rebuild Bayes Every = 0" and with this set
>to 86400. Same deal. I'm afraid to try "Wait During Bayes Rebuild = yes"
>because if it never rebuilds then no mail gets delivered, right?

You'll soon see.

>A rebuild should only take a few seconds, right?

It can take a minute or two if your Bayes database is quite large.

>I tried stopping MS, removing /tmp/MS.bayes*, restarting -- still no
>luck. I've fallen back to 4.25-14 for the moment.
>
>BTW, I have a cron job to do bayes spam/ham learning with
>
> $SALEARN --prefs-file=$PREFS --rebuild --force-expire
>
>at the top. Should I still do this rebuild and force-expire in this
>script?

No. My scheduled rebuild is there to replace this. It is designed to solve the bayes_toks.new problem by locking out SpamAssassin during the rebuild without causing SA to just timeout. Instead of SA timing out, it skips it or waits for it to complete.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dannyz at belgonet.com Sun Feb 1 21:19:46 2004
From: dannyz at belgonet.com (Danny Zak)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
In-Reply-To: <54C38A0B814C8E438EF73FC76F36292741088F@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F36292741088F@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <125213287401.20040201221946@belgonet.com>

Hello Ugo,

thanks for your response; as also to kevin and robert...

i use fprot antivirus with it; although it's strange that it isn't configured in my mailscanner config file ..

i assume it is working although; since i notice this in my maillog

Feb 1 10:51:07 ns MailScanner[24262]: New Batch: Scanning 1 messages, 1076 bytes
Feb 1 10:51:07 ns MailScanner[24262]: Spam Checks: Starting
Feb 1 10:51:12 ns update.virus.scanners: Found f-prot installed
Feb 1 10:51:12 ns update.virus.scanners: Updating f-prot
Feb 1 10:51:12 ns MailScanner[24262]: Virus and Content Scanning: Starting
Feb 1 10:51:12 ns MailScanner[24262]: Uninfected: Delivered 1 messages

--
Best regards,
 Danny mailto:dannyz@belgonet.com

belGOnet.com a Euro-pictures division - internet solutions
place princesse elisabeth 9/11 - 1030 Brussels - Belgium
Tel : +32-(0)2-215.67.65 - Fax : +32-(0)2-215.66.65

domains - hosting - hardware - VoiP - consultancy - backuping
CISCO - HP/COMPAQ - SUN - EMC - JUNIPER - IBM - DELL - NORTEL

No legal consequences can be derived from the contents of the email
neither is belGOnet.com committed to them. The content of this email
is exclusively intended for adressee(s) and information purposes.
belGOnet.com accepts no liability for any damage resulting from the
use and/or acceptation of the content of this email.

Sunday, February 1, 2004, 7:04:26 PM, you wrote:

UB> -----Original Message-----
UB> From: Danny Zak [mailto:dannyz@belgonet.com]
UB> Sent: Sunday, February 01, 2004 12:00 PM
UB> To: MAILSCANNER@JISCMAIL.AC.UK
UB> Subject: ZIP files seems not to be scanned (mydoom)

UB> Hello MAILSCANNER list;

UB> it seems that my mailscanner isn't scanning zip attaches for viruses.
UB> [Ugo Bellavance]
UB> It is the job of your anti-virus, not mailscanner's

UB> it does filter out the mydoom virus by files that are standardly attached although.

From mailscanner at ecs.soton.ac.uk Sun Feb 1 21:37:38 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
In-Reply-To: <125213287401.20040201221946@belgonet.com>
References: <54C38A0B814C8E438EF73FC76F36292741088F@mtlnt501fs.CAMOROUTE.COM> <125213287401.20040201221946@belgonet.com>
Message-ID: <6.0.1.1.2.20040201213635.037e4e40@imap.ecs.soton.ac.uk>

At 21:19 01/02/2004, you wrote:
>Hello Ugo,
>
>thanks for your response; as also to kevin and robert...
>
>i use fprot antivirus with it; although it's strange that it isn't
>configured in my mailscanner config file ..
>
>i assume it is working although; since i notice this in my maillog

No, that log section means exactly what it says. It has found it installed and is keeping it up to date for you. Unless you mention it in MailScanner.conf it won't be using it.

>Feb 1 10:51:07 ns MailScanner[24262]: New Batch: Scanning 1 messages,
>1076 bytes
>Feb 1 10:51:07 ns MailScanner[24262]: Spam Checks: Starting
>Feb 1 10:51:12 ns update.virus.scanners: Found f-prot installed
>Feb 1 10:51:12 ns update.virus.scanners: Updating f-prot
>Feb 1 10:51:12 ns MailScanner[24262]: Virus and Content Scanning: Starting
>Feb 1 10:51:12 ns MailScanner[24262]: Uninfected: Delivered 1 messages
>
>
>--
>Best regards,
> Danny mailto:dannyz@belgonet.com
>
>belGOnet.com a Euro-pictures division - internet solutions
>place princesse elisabeth 9/11 - 1030 Brussels - Belgium
>Tel : +32-(0)2-215.67.65 - Fax : +32-(0)2-215.66.65
>
>domains - hosting - hardware - VoiP - consultancy - backuping
>CISCO - HP/COMPAQ - SUN - EMC - JUNIPER - IBM - DELL - NORTEL
>
>
>No legal consequences can be derived from the contents of the email
>neither is belGOnet.com committed to them. The content of this email
>is exclusively intended for adressee(s) and information purposes.
>belGOnet.com accepts no liability for any damage resulting from the
>use and/or acceptation of the content of this email.
>
>
>Sunday, February 1, 2004, 7:04:26 PM, you wrote:
>
>UB> -----Original Message-----
>UB> From: Danny Zak [mailto:dannyz@belgonet.com]
>UB> Sent: Sunday, February 01, 2004 12:00 PM
>UB> To: MAILSCANNER@JISCMAIL.AC.UK
>UB> Subject: ZIP files seems not to be scanned (mydoom)
>
>
>UB> Hello MAILSCANNER list;
>
>UB> it seems that my mailscanner isn't scanning zip attaches for viruses.
>UB> [Ugo Bellavance]
>UB> It is the job of your anti-virus, not mailscanner's
>
>UB> it does filter out the mydoom virus by files that are standardly
>attached although.
>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From peter at UCGBOOK.COM Sun Feb 1 21:38:11 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
In-Reply-To: <125213287401.20040201221946@belgonet.com>
References: <54C38A0B814C8E438EF73FC76F36292741088F@mtlnt501fs.CAMOROUTE.COM> <125213287401.20040201221946@belgonet.com>
Message-ID: <401D71C3.2080402@ucgbook.com>

Danny Zak wrote:

> Feb 1 10:51:12 ns update.virus.scanners: Found f-prot installed
> Feb 1 10:51:12 ns update.virus.scanners: Updating f-prot

This just means that it found F-prot so it could update the signatures for it, no need to configure that. It does *not* mean that it will use F-prot to scan messages unless you configure it to do so.

> Feb 1 10:51:12 ns MailScanner[24262]: Virus and Content Scanning: Starting

This is for all kinds of checks. Does not mean it will actually virus scan with your virus scanner.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From mailscanner at pdscc.com Mon Feb 2 07:40:09 2004
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <1075632074.28761.69.camel@bach.kevinspicer.co.uk>
References: <200401311910.LAA12534@sheridan.sibble.net>
Message-ID: <200402020801.AAA19480@sheridan.sibble.net>

On 1 Feb 2004 at 10:41, Kevin Spicer wrote:

> I do hope when you mentioned telneting you really meant sshing, not
> telnet using the telnet command.

no.... I meant telneting, I was testing an smtp connection, ssh is _generally_ of no use in that situation.

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From dannyz at belgonet.com Sun Feb 1 21:53:09 2004
From: dannyz at belgonet.com (Danny Zak)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
In-Reply-To: <6.0.1.1.2.20040201213635.037e4e40@imap.ecs.soton.ac.uk>
References: <54C38A0B814C8E438EF73FC76F36292741088F@mtlnt501fs.CAMOROUTE.COM> <125213287401.20040201221946@belgonet.com> <6.0.1.1.2.20040201213635.037e4e40@imap.ecs.soton.ac.uk>
Message-ID: <190215290651.20040201225309@belgonet.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040201/a1d634ab/attachment.html

From nathan at TCPNETWORKS.NET Sun Feb 1 22:21:48 2004
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:22:15 2006
Subject: many spamassassin timeouts
Message-ID:

Make sure you aren't having Bayes locking issues. My timeouts were attributable to this more than once. Check /var/spool/spamassassin (or wherever your Bayes database resides) for extra bayes lock files and delete them (you may also need to delete the *.expiry files).

Try running a manual rebuild of the database like so:

sa-learn -D -p /etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire

If this is the cause of the problem, consider taking advantage of the bayes rebuild options available in the latest release of MailScanner (or run the command regularly via cron).

Nathan

-----Original Message-----
From: Stephen Swaney [mailto:steve.swaney@FSL.COM]
Sent: Saturday, January 31, 2004 12:07 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: many spamassassin timeouts

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Mickey Everts > Sent: Saturday, January 31, 2004 2:54 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: many spamassassin timeouts > > Here is something very weird I just noticed in trying to track this down. > Here is just a small sample of my logs, but notice the time outs happen > almost exactly every ten minutes? I am running mailscanner-4.25-14. > [SKS] Do you have an event that is slowing down you network every 10 minutes. Try a sniffer and see. This is the typical cause for SpamAssassin timeouts. Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > Jan 31 05:48:41 defender MailScanner[18146]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 05:59:05 defender MailScanner[17813]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:09:02 defender MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:19:03 defender MailScanner[18146]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:29:41 defender MailScanner[17795]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:39:26 defender MailScanner[17813]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:50:14 defender MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:00:05 defender MailScanner[18146]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:10:43 defender MailScanner[17795]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:20:32 defender MailScanner[17795]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:30:42 defender MailScanner[17784]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:40:45 defender 
MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:50:53 defender MailScanner[18146]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 08:00:48 defender MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 08:11:01 defender MailScanner[17795]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 08:20:59 defender MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > > Mickey > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf > Of Julian Field > Sent: Saturday, January 31, 2004 6:37 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: many spamassassin timeouts > > At 21:17 30/01/2004, you wrote: > >I turned on Debug = yes and Debug SpamAssassin = yes but I am not seeing > >output similar to below in maillog. Should I be looking elsewhere else? > I > >am trying to track down the source of some spamassassin timeouts I have > been > >having. Ideally I need to log the equivalent of "spamassassin -D" for a > few > >hours. > > Those 2 options will cause "check_mailscanner" to log all the SA output to > the terminal. It will process 1 batch of messages and then quit. > I have been getting a lot of Razor timeouts recently, and have currently > disabled it. You can do this by adding > use_razor2 0 > to your spam.assassin.prefs.conf and restarting MailScanner. > > > > >Thanks! > > > >Mickey > > > >-----Original Message----- 
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf > >Of Piet Bos > >Sent: Monday, January 26, 2004 3:02 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: many spamassassin timeouts > > > >a part of the debug output. > >I find the 0 behind Net::DNS resolver unavailable rather curious > >do you agree? > > > >grtz Piet > > > >debug: running raw-body-text per-line regexp tests; score so far=4.3 > >debug: running uri tests; score so far=4.3 > >debug: uri tests: Done uriRE > >debug: running full-text regexp tests; score so far=4.3 > >debug: Razor2 is not available > >debug: DCC is not available: dccproc not found > >debug: Razor1 is not available > >debug: Pyzor is not available: pyzor not found > >debug: is Net::DNS::Resolver unavailable? 0 > >debug: trying (3) gwdg.de... > >debug: looking up MX for 'gwdg.de' > >debug: MX for 'gwdg.de' exists? 1 > >debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available > to > >hardcode) > >debug: is DNS available? 1 > >debug: running meta tests; score so far=5.3 > >----- Original Message ----- 
> >From: "Julian Field" > >To: > >Sent: Monday, January 26, 2004 9:39 AM > >Subject: Re: many spamassassin timeouts > > > > > > > Run with Debug = yes and Debug SpamAssassin = yes, and see where the > > > slow-down is. > > > > > > At 08:33 26/01/2004, you wrote: > > > >Experiencing many spamassassin timeouts lately. > > > >Is there a valid reason for that? > > > >I'm using version 4.26-1 starting > > > >my settings in MailScanner.conf are: > > > >SpamAssassin Timeout = 40 > > > >Max SpamAssassin Timeouts = 50 > > > > > > > >Any suggestions? > > > >brgds Piet > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Fortress Systems Ltd. www.fsl.com From brose at MED.WAYNE.EDU Sun Feb 1 23:42:21 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:15 2006 Subject: 4.26.7, bayes rebuild, confused. Message-ID: I get the same thing, even if Rebuild Bayes Every is set to 0. I've even removed by bayes and started over from scratch. The bayes files haven't been touched at all since I recreated them. If I disabled Bayes in the SA conf, it still says it's skipping for that reason. I'm also on Solaris but v8 with SA 2.63 -=B -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Sunday, February 01, 2004 4:34 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.26.7, bayes rebuild, confused. At 20:39 01/02/2004, you wrote: >Julian, > > I tried an upgrade from 4.25-14 to 4.26.7. Setup: Sol 9, SA 2.63. >I got gobs of: > > Skipping SpamAssassin while waiting for Bayes database to rebuild This should only happen every day or so. Depends on your setting of "Rebuild Bayes Every". How often do you get a bunch of these? >messages with 4.26.7. The zero byte file /tmp/MS.bayes.rebuild.lock >appeared after I restarted MS, and it never seems to go away. That's fine. It's a lock file that each of the child processes will maintain a shared lock on. > I >tried things with both "Rebuild Bayes Every = 0" and with this set to >86400. Same deal. I'm afraid to try "Wait During Bayes Rebuild = yes" >because if it never rebuilds then no mail gets delivered, right? You'll soon see. >A rebuild should only take a few seconds, right? It can take a minute or two if your Bayes database is quite large. >I tried stopping MS, removing /tmp/MS.bayes*, restarting -- still no >luck. I've fallen back to 4.25-14 for the moment. > >BTW, I have a cron job to do bayes spam/ham learning with > > $SALEARN --prefs-file=$PREFS --rebuild --force-expire > >at the top. Should I still do this rebuild and force-expire in this >script? No. My scheduled rebuild is there to replace this. It is designed to solve the bayes_toks.new problem by locking out SpamAssassin during the rebuild without causing SA to just timeout. Instead of SA timing out, it skips it or waits for it to complete. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From brose at MED.WAYNE.EDU Mon Feb 2 00:25:14 2004 
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
Message-ID:

It looks like MS is trying to run a rebuild on every scan.

Feb 1 18:19:02 eeyore MailScanner[13579]: SpamAssassin Bayes database rebuild starting
Feb 1 18:19:12 eeyore MailScanner[13587]: SpamAssassin Bayes database rebuild starting
Feb 1 18:19:22 eeyore MailScanner[13610]: SpamAssassin Bayes database rebuild starting
Feb 1 18:19:32 eeyore MailScanner[13615]: SpamAssassin Bayes database rebuild starting
Feb 1 18:19:42 eeyore MailScanner[13617]: SpamAssassin Bayes database rebuild starting
Feb 1 18:19:52 eeyore MailScanner[13630]: SpamAssassin Bayes database rebuild starting
Feb 1 18:20:03 eeyore MailScanner[13676]: SpamAssassin Bayes database rebuild starting
Feb 1 18:20:12 eeyore MailScanner[13710]: SpamAssassin Bayes database rebuild starting
Feb 1 18:20:22 eeyore MailScanner[13742]: SpamAssassin Bayes database rebuild starting
Feb 1 18:20:32 eeyore MailScanner[13748]: SpamAssassin Bayes database rebuild starting
Feb 1 18:20:42 eeyore MailScanner[13755]: SpamAssassin Bayes database rebuild starting
Feb 1 18:20:52 eeyore MailScanner[13762]: SpamAssassin Bayes database rebuild starting
Feb 1 18:21:02 eeyore MailScanner[13771]: SpamAssassin Bayes database rebuild starting

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rose, Bobby
Sent: Sunday, February 01, 2004 6:42 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: 4.26.7, bayes rebuild, confused.

I get the same thing, even if Rebuild Bayes Every is set to 0. I've even removed my bayes and started over from scratch. The bayes files haven't been touched at all since I recreated them. If I disabled Bayes in the SA conf, it still says it's skipping for that reason.

I'm also on Solaris but v8 with SA 2.63

-=B

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Sunday, February 01, 2004 4:34 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.26.7, bayes rebuild, confused. At 20:39 01/02/2004, you wrote: >Julian, > > I tried an upgrade from 4.25-14 to 4.26.7. Setup: Sol 9, SA 2.63. >I got gobs of: > > Skipping SpamAssassin while waiting for Bayes database to rebuild This should only happen every day or so. Depends on your setting of "Rebuild Bayes Every". How often do you get a bunch of these? >messages with 4.26.7. The zero byte file /tmp/MS.bayes.rebuild.lock >appeared after I restarted MS, and it never seems to go away. That's fine. It's a lock file that each of the child processes will maintain a shared lock on. > I >tried things with both "Rebuild Bayes Every = 0" and with this set to >86400. Same deal. I'm afraid to try "Wait During Bayes Rebuild = yes" >because if it never rebuilds then no mail gets delivered, right? You'll soon see. >A rebuild should only take a few seconds, right? It can take a minute or two if your Bayes database is quite large. >I tried stopping MS, removing /tmp/MS.bayes*, restarting -- still no >luck. I've fallen back to 4.25-14 for the moment. > >BTW, I have a cron job to do bayes spam/ham learning with > > $SALEARN --prefs-file=$PREFS --rebuild --force-expire > >at the top. Should I still do this rebuild and force-expire in this >script? No. My scheduled rebuild is there to replace this. It is designed to solve the bayes_toks.new problem by locking out SpamAssassin during the rebuild without causing SA to just timeout. Instead of SA timing out, it skips it or waits for it to complete. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Mon Feb 2 00:32:00 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
In-Reply-To:
Message-ID:

Hi!

> Feb 1 18:19:02 eeyore MailScanner[13579]: SpamAssassin Bayes database
> rebuild starting
> Feb 1 18:19:12 eeyore MailScanner[13587]: SpamAssassin Bayes database
> rebuild starting
> Feb 1 18:19:22 eeyore MailScanner[13610]: SpamAssassin Bayes database

> I get the same thing, even if Rebuild Bayes Every is set to 0. I've
> even removed my bayes and started over from scratch. The bayes files
> haven't been touched at all since I recreated them. If I disabled Bayes
> in the SA conf, it still says it's skipping for that reason.
>
> I'm also on Solaris but v8 with SA 2.63

Try setting the 0 to for example 3600 to see if behaviour changes? I see the same when setting it to 0 currently.

Bye,
Raymond.

From brose at MED.WAYNE.EDU Mon Feb 2 01:52:56 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
Message-ID:

No change. It's been an hour and MailScanner is still skipping SA checks.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
Sent: Sunday, February 01, 2004 7:32 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: 4.26.7, bayes rebuild, confused.

Hi!

> Feb 1 18:19:02 eeyore MailScanner[13579]: SpamAssassin Bayes database
> rebuild starting Feb 1 18:19:12 eeyore MailScanner[13587]:
> SpamAssassin Bayes database rebuild starting Feb 1 18:19:22 eeyore
> MailScanner[13610]: SpamAssassin Bayes database

> I get the same thing, even if Rebuild Bayes Every is set to 0. I've
> even removed my bayes and started over from scratch. The bayes files
> haven't been touched at all since I recreated them. If I disabled
> Bayes in the SA conf, it still says it's skipping for that reason.
>
> I'm also on Solaris but v8 with SA 2.63

Try setting the 0 to for example 3600 to see if behaviour changes? I see the same when setting it to 0 currently.

Bye,
Raymond.

From james at DENY.ORG Mon Feb 2 02:50:22 2004
From: james at DENY.ORG (James Sizemore)
Date: Thu Jan 12 21:22:15 2006
Subject: Razor and tmp files in the "In Queue"
Message-ID: <401DBAEE.8070603@deny.org>

I have noticed that in Mailscanner 4.26-5, Razor is putting some files in the "Incoming Queue Dir" :

drwx------ 2 postfix postfix 4096 Feb 1 20:26 r
-rw------- 1 postfix postfix 215580 Feb 1 20:48 razor-agent.log

Can this be changed? It makes it hard to get an idea of the number of incoming messages if the queue directory has 15-30 megs of crap in it!

From brose at MED.WAYNE.EDU Mon Feb 2 03:14:01 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
Message-ID:

Also if I set the "Wait on Rebuild" to yes and the rebuild option is 0, then the logs say "At start of SA checks could not get shared lock on /tmp/MS.bayes.rebuild.lock, Bad file number" and it does the SA Checks anyway.

Could there be a bug in the locking or the clearing of the lock file?

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rose, Bobby
Sent: Sunday, February 01, 2004 8:53 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: 4.26.7, bayes rebuild, confused.

No change. It's been an hour and MailScanner is still skipping SA checks.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
Sent: Sunday, February 01, 2004 7:32 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: 4.26.7, bayes rebuild, confused.

Hi!

> Feb 1 18:19:02 eeyore MailScanner[13579]: SpamAssassin Bayes database
> rebuild starting Feb 1 18:19:12 eeyore MailScanner[13587]:
> SpamAssassin Bayes database rebuild starting Feb 1 18:19:22 eeyore
> MailScanner[13610]: SpamAssassin Bayes database

> I get the same thing, even if Rebuild Bayes Every is set to 0. I've
> even removed my bayes and started over from scratch. The bayes files
> haven't been touched at all since I recreated them. If I disabled
> Bayes in the SA conf, it still says it's skipping for that reason.
>
> I'm also on Solaris but v8 with SA 2.63

Try setting the 0 to for example 3600 to see if behaviour changes? I see the same when setting it to 0 currently.

Bye,
Raymond.

From steve.swaney at FSL.COM Mon Feb 2 03:40:20 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:15 2006
Subject: Razor and tmp files in the "In Queue"
In-Reply-To: <401DBAEE.8070603@deny.org>
Message-ID: <20040202034020.1625A21C135@mail.fsl.com>

Look at the ~/.razor/razor-agent.conf file. This is where you specify things like:

Where to put log files
Debug level (yours is probably too high)

On a Linux system where razor runs as root, this is typically:

/root/.razor

Very good documentation at:

http://razor.sourceforge.net/docs/

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of James Sizemore
> Sent: Sunday, February 01, 2004 9:50 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Razor and tmp files in the "In Queue"
>
> I have noticed that in Mailscanner 4.26-5, Razor is putting some files
> in the
> "Incoming Queue Dir" :
>
> drwx------ 2 postfix postfix 4096 Feb 1 20:26 r
> -rw------- 1 postfix postfix 215580 Feb 1 20:48 razor-agent.log
>
> Can this be changed? It makes it hard to get an idea of the number of
> incoming messages if the queue directory has 15-30 megs of crap in it!
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Fortress Systems Ltd.
www.fsl.com

From ugob at CAMO-ROUTE.COM Mon Feb 2 03:42:22 2004
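
The shared/exclusive lock arrangement Julian Field describes in the "4.26.7, bayes rebuild, confused" thread, together with the "Bad file number" report later in it, sketched in Python as an added example; it is not MailScanner's own code, and the function names and temporary lock path are assumptions. The last function shows one documented way a shared-lock request returns EBADF when locks are fcntl() record locks; the thread does not establish that this is what 4.26.7 hit.

```python
import errno
import fcntl
import os
import tempfile
import threading
import time


def open_lock(path):
    # Read/write open: valid for both lock types even where flock() is
    # emulated with fcntl() record locks. Mode 0600 keeps other users out.
    return os.open(path, os.O_RDWR | os.O_CREAT, 0o600)


def begin_rebuild(path):
    """Rebuilder: exclusive lock, granted only once no checker holds a shared one."""
    fd = open_lock(path)
    fcntl.flock(fd, fcntl.LOCK_EX)
    return fd


def end_rebuild(fd):
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def spam_check(path, wait):
    """Checker: shared lock around the spam checks; skip or wait during a rebuild."""
    fd = open_lock(path)
    try:
        try:
            fcntl.flock(fd, fcntl.LOCK_SH | fcntl.LOCK_NB)
        except OSError as exc:
            if exc.errno not in (errno.EWOULDBLOCK, errno.EACCES):
                raise                       # e.g. EBADF: a fault, not contention
            if not wait:
                return "skipped"
            fcntl.flock(fd, fcntl.LOCK_SH)  # blocks until the rebuild unlocks
        return "checked"                    # the spam checks would run here
    finally:
        os.close(fd)                        # closing the descriptor drops the lock


def shared_lock_errno(path, open_flags):
    """Request a shared POSIX record lock on a descriptor opened with open_flags."""
    fd = os.open(path, open_flags, 0o600)
    try:
        fcntl.lockf(fd, fcntl.LOCK_SH | fcntl.LOCK_NB)
        return None
    except OSError as exc:
        return errno.errorcode[exc.errno]
    finally:
        os.close(fd)


def demo():
    # Private temporary directory (assumption) rather than a fixed name in /tmp.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "bayes.rebuild.lock")
        outcomes = [spam_check(path, wait=False)]        # no rebuild running
        fd = begin_rebuild(path)
        outcomes.append(spam_check(path, wait=False))    # rebuild running: skip
        timer = threading.Timer(0.2, end_rebuild, args=(fd,))
        started = time.monotonic()
        timer.start()
        outcomes.append(spam_check(path, wait=True))     # rebuild running: wait
        waited = time.monotonic() - started
        timer.join()
        return {
            "outcomes": outcomes,
            "waited_seconds": waited,
            "read_write_fd": shared_lock_errno(path, os.O_RDWR),
            "write_only_fd": shared_lock_errno(path, os.O_WRONLY),
        }


if __name__ == "__main__":
    print(demo())
```

A checker that treats every lock error as "carry on" hides this class of fault; separating contention (EWOULDBLOCK) from a real error such as EBADF makes it visible in the log.
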
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
Message-ID: <54C38A0B814C8E438EF73FC76F362927410891@mtlnt501fs.CAMOROUTE.COM>

-----Original Message-----
From: Danny Zak [mailto:dannyz@belgonet.com]
Sent: Sunday, February 01, 2004 4:53 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: ZIP files seems not to be scanned (mydoom)

best;

indeed .. i did change Virus Scanners = none to Virus Scanners = f-prot and it is working :)

thanks .. i did assume that the reporting was enough

[Ugo Bellavance]
That was only the update script reporting, not mailscanner's.

hth

Ugo

.. but it wasn't

thanks !

--
Best regards,
 Danny mailto:dannyz@belgonet.com

belGOnet.com a Euro-pictures division - internet solutions
place princesse elisabeth 9/11 - 1030 Brussels - Belgium
Tel : +32-(0)2-215.67.65 - Fax : +32-(0)2-215.66.65

domains - hosting - hardware - VoiP - consultancy - backuping
CISCO - HP/COMPAQ - SUN - EMC - JUNIPER - IBM - DELL - NORTEL

No legal consequences can be derived from the contents of the email
neither is belGOnet.com committed to them. The content of this email
is exclusively intended for adressee(s) and information purposes.
belGOnet.com accepts no liability for any damage resulting from the
use and/or acceptation of the content of this email.

Sunday, February 1, 2004, 10:37:38 PM, you wrote:

JF> At 21:19 01/02/2004, you wrote:
>>Hello Ugo,
>>
>>thanks for your response; as also to kevin and robert...
>>
>>i use fprot antivirus with it; although it's strange that it isn't
>>configured in my mailscanner config file ..
>>
>>i assume it is working although; since i notice this in my maillog

JF> No, that log section means exactly what it says. It has found it installed
JF> and is keeping it up to date for you. Unless you mention it in
JF> MailScanner.conf it won't be using it.
>>Feb 1 10:51:07 ns MailScanner[24262]: New Batch: Scanning 1 messages, >>1076 bytes >>Feb 1 10:51:07 ns MailScanner[24262]: Spam Checks: Starting >>Feb 1 10:51:12 ns update.virus.scanners: Found f-prot installed >>Feb 1 10:51:12 ns update.virus.scanners: Updating f-prot >>Feb 1 10:51:12 ns MailScanner[24262]: Virus and Content Scanning: Starting >>Feb 1 10:51:12 ns MailScanner[24262]: Uninfected: Delivered 1 messages >> >> >>-- >>Best regards, >> Danny mailto:dannyz@belgonet.com >> >>belGOnet.com a Euro-pictures division - internet solutions >>place princesse elisabeth 9/11 - 1030 Brussels - Belgium >>Tel : +32-(0)2-215.67.65 - Fax : +32-(0)2-215.66.65 >> >>domains - hosting - hardware - VoiP - consultancy - backuping >>CISCO - HP/COMPAQ - SUN - EMC - JUNIPER - IBM - DELL - NORTEL >> >> >>No legal consequences can be derived from the contents of the email >>neither is belGOnet.com committed to them. The content of this email >>is exclusively intended for adressee(s) and information purposes. >>belGOnet.com accepts no liability for any damage resulting from the >>use and/or acceptation of the content of this email. >> >> >>Sunday, February 1, 2004, 7:04:26 PM, you wrote: >> >>UB> -----Message d'origine----- >>UB> De : Danny Zak [mailto:dannyz@belgonet.com] >>UB> Envoy? : Sunday, February 01, 2004 12:00 PM >>UB> ? : MAILSCANNER@JISCMAIL.AC.UK >>UB> Objet : ZIP files seems not to be scanned (mydoom) >> >> >>UB> Hello MAILSCANNER list; >> >>UB> it seems that my mailscanner isn't scanning zip attaches for virusses. >>UB> [Ugo Bellavance] >>UB> It is the job of your anti-virus, not mailscanner's >> >>UB> it does filter out the mydoom virus by files that are standardly >>attached although. >> >> >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040201/1e2fd649/attachment.html From mickey-ml at GREENGLOW.ORG Mon Feb 2 04:02:54 2004 
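
The point settled in the "ZIP files seems not to be scanned" thread above, that an `update.virus.scanners` log entry only shows a scanner is installed and being updated while `Virus Scanners` in MailScanner.conf decides whether it is used, as an added audit sketch in Python (not part of the thread and not MailScanner code). The log lines are the ones Danny Zak posted; the two configuration fragments and all function names are constructed for the example.

```python
import re

SETTING_RE = re.compile(r"^\s*Virus Scanners\s*=\s*(.*)$", re.IGNORECASE)
FOUND_RE = re.compile(r"update\.virus\.scanners: Found (\S+) installed")
DELIVERED_RE = re.compile(r"MailScanner\[\d+\]: Uninfected: Delivered (\d+) messages")

# Constructed configuration fragments: the setting before and after the fix
# reported in the thread.
CONF_BEFORE = "# constructed fragment\nVirus Scanners = none\n"
CONF_AFTER = "# constructed fragment\nVirus Scanners = f-prot\n"

# Log lines as posted in the thread.
MAILLOG = [
    "Feb 1 10:51:07 ns MailScanner[24262]: New Batch: Scanning 1 messages, 1076 bytes",
    "Feb 1 10:51:07 ns MailScanner[24262]: Spam Checks: Starting",
    "Feb 1 10:51:12 ns update.virus.scanners: Found f-prot installed",
    "Feb 1 10:51:12 ns update.virus.scanners: Updating f-prot",
    "Feb 1 10:51:12 ns MailScanner[24262]: Virus and Content Scanning: Starting",
    "Feb 1 10:51:12 ns MailScanner[24262]: Uninfected: Delivered 1 messages",
]


def configured_scanners(conf_text):
    """Scanner names from the last uncommented 'Virus Scanners' line.

    Assumes one effective setting and a space- or comma-separated value;
    'none' means no scanner is configured.
    """
    names = []
    for line in conf_text.splitlines():
        match = SETTING_RE.match(line.split("#", 1)[0])
        if match:
            names = [n for n in re.split(r"[,\s]+", match.group(1).strip()) if n]
    return [n for n in names if n.lower() != "none"]


def audit(conf_text, log_lines):
    """Compare what the update script found with what the config actually uses."""
    configured = configured_scanners(conf_text)
    installed, delivered = [], 0
    for line in log_lines:
        found = FOUND_RE.search(line)
        if found and found.group(1) not in installed:
            installed.append(found.group(1))
        done = DELIVERED_RE.search(line)
        if done:
            delivered += int(done.group(1))
    return {
        "configured": configured,
        # Installed and kept up to date, but never asked to scan anything.
        "updated_but_unused": [s for s in installed if s not in configured],
        # Messages logged as "Uninfected" although no scanner was configured.
        "delivered_without_av": 0 if configured else delivered,
    }


if __name__ == "__main__":
    print(audit(CONF_BEFORE, MAILLOG))
    print(audit(CONF_AFTER, MAILLOG))
```
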
From: mickey-ml at GREENGLOW.ORG (Mickey Everts) Date: Thu Jan 12 21:22:15 2006 Subject: many spamassassin timeouts In-Reply-To: Message-ID: <002c01c3e941$6f728cb0$630a0a0a@gyruss> Damn...there were a ton of *lock* and *expire* files and I deleted them all. I'll give it a couple days to see if the problem is really solved, but it sounds likely. Thanks again for the tip! I haven't looked in that directory for ages since I didn't even realize the locking issue existed and every time I looked in the past, it just had the typical files: auto-whitelist bayes_journal bayes_seen bayes_toks I just found the "Bayesian shenanigans" thread but it sounds like people haven't exactly gotten to the bottom of this issue yet. It sounds like the general opinion is it is some issue with spamassassin itself...right? Mickey -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson Sent: Sunday, February 01, 2004 2:22 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: many spamassassin timeouts Make sure you aren't havin Bayes locking issues. My timeouts were attributable to this more than once. Check /var/spool/spamassassin (or wherever your Baye's database resides) for extra bayes lock files and delete them (you may also need to delete the *.expiry files). Try running a manual rebuild of the database like so: sa-learn -D -p /etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire If this is the cause of the problem, consider taking advantage of the bayes rebuild options available in the latest release of MailScanner (or run the command regularly via cron). Nathan -----Original Message----- From: Stephen Swaney [mailto:steve.swaney@FSL.COM] Sent: Saturday, January 31, 2004 12:07 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: many spamassassin timeouts > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Mickey Everts > Sent: Saturday, January 31, 2004 2:54 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: many spamassassin timeouts > > Here is something very weird I just noticed in trying to track this down. > Here is just a small sample of my logs, but notice the time outs happen > almost exactly every ten minutes? I am running mailscanner-4.25-14. > [SKS] Do you have an event that is slowing down you network every 10 minutes. Try a sniffer and see. This is the typical cause for SpamAssassin timeouts. Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > Jan 31 05:48:41 defender MailScanner[18146]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 05:59:05 defender MailScanner[17813]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:09:02 defender MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:19:03 defender MailScanner[18146]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:29:41 defender MailScanner[17795]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:39:26 defender MailScanner[17813]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:50:14 defender MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:00:05 defender MailScanner[18146]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:10:43 defender MailScanner[17795]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:20:32 defender MailScanner[17795]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:30:42 defender MailScanner[17784]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:40:45 defender 
MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:50:53 defender MailScanner[18146]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 08:00:48 defender MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 08:11:01 defender MailScanner[17795]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 08:20:59 defender MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > > Mickey > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf > Of Julian Field > Sent: Saturday, January 31, 2004 6:37 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: many spamassassin timeouts > > At 21:17 30/01/2004, you wrote: > >I turned on Debug = yes and Debug SpamAssassin = yes but I am not seeing > >output similar to below in maillog. Should I be looking elsewhere else? > I > >am trying to track down the source of some spamassassin timeouts I have > been > >having. Ideally I need to log the equivalent of "spamassassin -D" for a > few > >hours. > > Those 2 options will cause "check_mailscanner" to log all the SA output to > the terminal. It will process 1 batch of messages and then quit. > I have been getting a lot of Razor timeouts recently, and have currently > disabled it. You can do this by adding > use_razor2 0 > to your spam.assassin.prefs.conf and restarting MailScanner. > > > > >Thanks! > > > >Mickey > > > >-----Original Message----- 
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf > >Of Piet Bos > >Sent: Monday, January 26, 2004 3:02 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: many spamassassin timeouts > > > >a part of the debug output. > >I find the 0 behind Net::DNS resolver unavailable rather curious > >do you agree? > > > >grtz Piet > > > >debug: running raw-body-text per-line regexp tests; score so far=4.3 > >debug: running uri tests; score so far=4.3 > >debug: uri tests: Done uriRE > >debug: running full-text regexp tests; score so far=4.3 > >debug: Razor2 is not available > >debug: DCC is not available: dccproc not found > >debug: Razor1 is not available > >debug: Pyzor is not available: pyzor not found > >debug: is Net::DNS::Resolver unavailable? 0 > >debug: trying (3) gwdg.de... > >debug: looking up MX for 'gwdg.de' > >debug: MX for 'gwdg.de' exists? 1 > >debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available > to > >hardcode) > >debug: is DNS available? 1 > >debug: running meta tests; score so far=5.3 > >----- Original Message ----- 
> >From: "Julian Field" > >To: > >Sent: Monday, January 26, 2004 9:39 AM > >Subject: Re: many spamassassin timeouts > > > > > > > Run with Debug = yes and Debug SpamAssassin = yes, and see where the > > > slow-down is. > > > > > > At 08:33 26/01/2004, you wrote: > > > >Experiencing many spamassassin timeouts lately. > > > >Is there a valid reason for that? > > > >I'm using version 4.26-1 starting > > > >my settings in MailScanner.conf are: > > > >SpamAssassin Timeout = 40 > > > >Max SpamAssassin Timeouts = 50 > > > > > > > >Any suggestions? > > > >brgds Piet > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Fortress Systems Ltd. www.fsl.com From Pascal.Maes at ELEC.UCL.AC.BE Mon Feb 2 07:56:14 2004 
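Mickey's observation in the thread above, that the timeouts arrive almost exactly every ten minutes, can be measured rather than eyeballed. The following Python is an added example, not from the thread or from MailScanner: it parses the quoted log lines (re-joined after mail wrapping), computes the gaps between timeouts and counts the child PIDs involved; the function names, the 15% tolerance and the year passed to the parser are assumptions.

```python
import re
from datetime import datetime
from statistics import median

TIMEOUT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[(\d+)\]: "
    r"SpamAssassin timed out and was killed"
)
TAIL = " defender MailScanner[%s]: SpamAssassin timed out and was killed, consecutive failure 1 of 10"

# Timestamps and PIDs of the sixteen log lines quoted in the thread.
THREAD_EVENTS = [
    ("05:48:41", 18146), ("05:59:05", 17813), ("06:09:02", 17717),
    ("06:19:03", 18146), ("06:29:41", 17795), ("06:39:26", 17813),
    ("06:50:14", 17717), ("07:00:05", 18146), ("07:10:43", 17795),
    ("07:20:32", 17795), ("07:30:42", 17784), ("07:40:45", 17717),
    ("07:50:53", 18146), ("08:00:48", 17717), ("08:11:01", 17795),
    ("08:20:59", 17717),
]
# Rebuild the lines in their original syslog form.
SAMPLE_LOG = "\n".join("Jan 31 " + t + TAIL % pid for t, pid in THREAD_EVENTS)


def timeout_events(log_text, year=2004):
    """Return sorted (timestamp, pid) pairs; syslog lines carry no year."""
    events = []
    for line in log_text.splitlines():
        m = TIMEOUT.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # "Feb  1" -> "Feb 1"
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((when, int(m.group(2))))
    return sorted(events)


def periodicity(log_text, tolerance=0.15, min_events=4):
    """Report whether timeouts recur at a steady interval."""
    events = timeout_events(log_text)
    times = [t for t, _ in events]
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    report = {
        "events": len(events),
        "pids": len({p for _, p in events}),  # distinct children affected
        "period_s": None,
        "periodic": False,
    }
    if len(events) < min_events:
        return report
    period = median(gaps)
    near = sum(1 for g in gaps if abs(g - period) <= tolerance * period)
    report["period_s"] = period
    # Periodic when at least 80% of gaps sit within the tolerance band.
    report["periodic"] = near / len(gaps) >= 0.8
    return report


if __name__ == "__main__":
    print(periodicity(SAMPLE_LOG))
```

A steady period spread over several MailScanner children points at something scheduled or shared, such as the network event Stephen asks about or the Bayes expiry Nathan describes, rather than at one stuck process.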
From: Pascal.Maes at ELEC.UCL.AC.BE (Pascal Maes)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
Message-ID:

Hello,

I have the same behaviour with the rebuild of bayes database and I get it every time MailScanner is launched.

To avoid the "Skipping", I have to "manually" remove the lock file (for me it's not important since I do not use bayes !)

In SA.pm, the lock file is created before the test on "$RebuildBayes" and the lock is removed only if the bayes database has been rebuilt.

If $RebuildBayes == 0, the lock will never be removed.

If $RebuildBAYES <> 0, it seems that the rebuild on solaris doesn't finish or doesn't begin ???

I see the "Skipping" line in the logfile but I don't see any line such as "SpamAssassin Bayes database rebuild preparing" even with $RebuildBAYES <> 0

--
-- Pascal --
--

From Kevin.Spicer at BMRB.CO.UK Mon Feb 2 08:22:07 2004
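The lock lifecycle described in the message above (lock file created before the "$RebuildBayes" test, removed only after a completed rebuild) can be modelled in a few lines. The following Python is an added example, not SA.pm's code and not from the thread; the lock file name, the function names and the return strings are hypothetical, and the second function shows one corrected ordering.

```python
import os
import tempfile


def try_lock(path):
    """Create the lock file atomically; False if it already exists."""
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def startup_leaky(lock_path, rebuild_every, rebuild):
    """Ordering as described in the message: lock first, test afterwards."""
    if not try_lock(lock_path):
        return "skipping"
    if rebuild_every == 0:
        return "disabled"  # returns with the lock file still on disk
    rebuild()
    os.unlink(lock_path)  # only reached when the rebuild completes
    return "rebuilt"


def startup_fixed(lock_path, rebuild_every, rebuild):
    """Test first, and release the lock on every exit path."""
    if rebuild_every == 0:
        return "disabled"  # feature off: never touch the lock
    if not try_lock(lock_path):
        return "skipping"
    try:
        rebuild()
        return "rebuilt"
    finally:
        os.unlink(lock_path)  # runs on success and on failure


def failing_rebuild():
    raise RuntimeError("rebuild interrupted (constructed failure)")


def demo():
    """Run both orderings twice, as two consecutive program starts."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        lock = os.path.join(d, "bayes.rebuild.lock")  # hypothetical name
        results["leaky"] = [startup_leaky(lock, 0, lambda: None) for _ in range(2)]
        results["leaky_lock_left"] = os.path.exists(lock)
    with tempfile.TemporaryDirectory() as d:
        lock = os.path.join(d, "bayes.rebuild.lock")
        results["fixed"] = [startup_fixed(lock, 0, lambda: None) for _ in range(2)]
        try:
            startup_fixed(lock, 1, failing_rebuild)
        except RuntimeError:
            pass
        results["fixed_lock_left"] = os.path.exists(lock)
        results["after_failure"] = startup_fixed(lock, 1, lambda: None)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A lock that exists only as a file still goes stale if the process is killed outright; a lock held with flock on an open descriptor is released by the kernel when the process exits.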
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A1B@pascal.priv.bmrb.co.uk>

Harondel J. Sibble wrote:
> On 1 Feb 2004 at 10:41, Kevin Spicer wrote:
>
> no.... I meant telnetting, I was testing an smtp connection, ssh is
> _generally_ of no use in that situation.

Ahh, you meant using telnet to connect to the SMTP port, rather than to log in. My mistake.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mailscanner at ecs.soton.ac.uk Mon Feb 2 09:40:14 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused. -- Urgent test please
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk>

Please could you try the attached SA.pm and see if it helps.

Changes:
- Set "Rebuild Bayes Every = 0" should disable all this code.
- Locking code changed to more closely match the virus scanner locking code.

The trouble is, it all works for me. But that's on a Linux system, and the underlying locking behaviour may well be different on Solaris.

At 07:56 02/02/2004, you wrote:
>Hello,
>
>I have the same behaviour with the rebuild of bayes database and I get it
>every time MailScanner is launched.
>
>To avoid the "Skipping", I have to "manually" remove the lock file
>(for me it's not important since I do not use bayes !)
>
>In SA.pm, the lock file is created before the test on "$RebuildBayes"
>and the lock is removed only if the bayes database has been rebuilt.
>
>If $RebuildBayes == 0, the lock will never be removed.
>
>if $RebuildBAYES <> 0, it seems that the rebuild on solaris doesn't finish
>or doesn't begin ???
>
> I see the "Skipping" line in the logfile but I don't see any line
> such as "SpamAssassin Bayes database rebuild preparing" even with
> $RebuildBAYES <> 0
>
>--
>-- Pascal --
> --

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SA.pm
Type: application/octet-stream
Size: 19516 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040202/cec41f47/SA.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mbm+mailscanner at colondot.net Mon Feb 2 09:50:39 2004
From: mbm+mailscanner at colondot.net (Matthew Byng-Maddick) Date: Thu Jan 12 21:22:15 2006 Subject: mailscanner exim patch Message-ID: <20040202095039.GA37477@colon.colondot.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The attached patch changes the behaviour of mailscanner to deal with exim4 (>4.23) queue files, where ACL variables get stored. Unfortunately, this part of the queue files doesn't appear to be documented in the Exim Specification (I'll be posting this to the exim-users list too). Previously, such queue files would be rejected as invalid, due to the difference in the way that ACL variables are handled (as a part of the "dashvars" section). This patch seems to be happy with reading, and re-outputting such queue files, with ACL data intact. db93dae7eb0c34468f8324e7a9fd9c71 mailscanner-exim.patch Although the patch is against MailScanner-4.25-14, I believe it should also apply cleanly against 4.26.7 (with an offset of 6 lines). Cheers Matthew - -- hmmm - what's the term that comes between "tweak" and "frob"? "small, controlled change"? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQFAHh1ciGjP99nB6xERAvtNAJ40AckCXoNcI5Lkwbx/nVerYomU2QCeI6+z X0+33XN4JeK94hyMnj5VpI8= =zb6Y -----END PGP SIGNATURE----- -------------- next part -------------- diff -uNr lib/MailScanner/Exim.pm.orig lib/MailScanner/Exim.pm --- lib/MailScanner/Exim.pm.orig 2003-11-26 16:35:29.000000000 +0000 +++ lib/MailScanner/Exim.pm 2004-02-02 09:20:54.000000000 +0000 @@ -244,7 +244,7 @@ my($RQf) = $message->{store}{inhhandle}; my %metadata; - my($InHeader, $InSubject, $InDel, @headers, $msginfo, $from, @to, $subject); + my($InHeader, $InSubject, $InDel, @headers, $msginfo, $from, @to, $subject, @acl); my($ip, $sender); my($line); 
@@ -276,12 +276,34 @@ # and tracking them in %{$metadata{dashvars}} while (chomp($line = <$RQf>)) { $line =~ s/^-(\w+) ?// or last; - $metadata{dashvars}{$1} = 0; - $line eq "" and $metadata{"dv_$1"} = 1, next; - $metadata{"dv_$1"} = $line; - $metadata{dashvars}{$1} = 1; + if($1 eq "acl") { + # we need to handle acl vars differently + if($line =~ /^(\d+) (\d+)$/) { + my $buf; + my $pos=$1; + my $len=$2; + $acl[$pos]=[]; + (read($RQf, $buf, $len + 1)==$len+1) or last; + if($buf=~/\n$/) { + chomp $buf; + } else { + # invalid format + last; + } + $acl[$pos]->[0]=$buf; + } else { + # this is a weird format, and we're not sure how to handle it + last; + } + } else { + $metadata{dashvars}{$1} = 0; + $line eq "" and $metadata{"dv_$1"} = 1, next; + $metadata{"dv_$1"} = $line; + $metadata{dashvars}{$1} = 1; + } next; } + $metadata{aclvars}=\@acl; # If it was an invalid queue file, log a warning and tell caller unless (defined $line) { @@ -959,6 +981,7 @@ sub CreateQf { my($message) = @_; + my $i; my $Qfile = ""; my $metadata = $message->{metadata}; @@ -986,6 +1009,15 @@ $Qfile .= "\n"; } + # Add the separate ACL Vars + my @acl=@{$metadata->{aclvars}}; + for($i=0; $i<=$#acl; $i++) { + if($acl[$i]) { + $Qfile .= "-acl " . $i . " " . length($acl[$i]->[0]) . "\n"; + $Qfile .= $acl[$i]->[0] . "\n"; + } + } + # Add non-recipients $Qfile .= BTreeString($metadata->{nonrcpts}); From mailscanner at ecs.soton.ac.uk Mon Feb 2 09:52:37 2004 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:22:15 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200402020952.i129qbV3006407@seer.ecs.soton.ac.uk> New Guestbook-Entry from sync i\'\'ve some trouble with RH9
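Review bot: In the @@ -276,12 +276,34 @@ hunk of lib/MailScanner/Exim.pm, all three failure paths in the new -acl branch (short read, data not ending in a newline, a line that is not "pos len") leave the loop with "last", which keeps $line defined, so the "unless (defined $line)" invalid-queue-file check right after the loop does not fire and the caller goes on parsing from wherever the file handle stopped. Suggest marking the file invalid on those paths (for example by undefining $line before "last") so a malformed ACL record is logged and rejected like any other bad queue file. $pos and $len are also used exactly as read from the file: "$acl[$pos]=[]" extends the array to whatever index is given and read() is asked for $len+1 bytes, so an upper bound on both before use would be a cheap safeguard.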
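Review bot: In the @@ -986,6 +1009,15 @@ hunk, CreateQf dereferences the ACL list unconditionally with "my @acl=@{$metadata->{aclvars}};", yet the only place this patch sets aclvars is the queue-file reader, so metadata that did not come through that reader would hit an undefined array reference here (fatal under "use strict"). Suggest "@{$metadata->{aclvars} || []}" or an explicit defined check. A smaller style point: "my $i;" is added at the top of the sub in the previous hunk but is only used in this loop, so "for my $i (0..$#acl)" would keep it local to where it is needed. A short comment on the "-acl <index> <length>" record layout would also help, since the commit message says this part of the queue file is not covered by the Exim Specification.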



mail with subject like this

DiasoftCLIENT:REGFIN :rf _o0008

sent from local user to local received with subject like this

DiasoftCLIENT:REGFIN:rf

any comments???

From mailscanner at ecs.soton.ac.uk Mon Feb 2 10:23:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:15 2006 Subject: 4.26.7, bayes rebuild, confused. -- (2) Urgent test please In-Reply-To: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> Inevitably I put a config name wrong in that one. At 09:40 02/02/2004, you wrote: >Please could you try the attached SA.pm and see if it helps. > >Changes: > - Set "Rebuild Bayes Every = 0" should disable all this code. > - Locking code changed to more closely match the virus scanner >locking code. > >The trouble is, it all works for me. But that's on a Linux system, and the >underlying locking behaviour may well be different on Solaris. > >At 07:56 02/02/2004, you wrote: >>Hello, >> >>I have the same behaviour with the rebuild of bayes database and I get it >>every time MailScanner is launched. >> >>To avoid the "Skipping", I have to "manually" remove the lock file >>(for me it's not important since I do not use bayes !) >> >>In SA.pm, the lock file is created before the test on "$RebuildBayes" >>and the lock is removed only if the bayes database has been rebuild. >> >>If $RebuildBayes == 0, the lock will never be removed. >> >>if $RebuildBAYES <> 0, it seems that the rebuild on solaris don't finish >>or don't begin ??? >> >> I see the "Skipping" line in the logfile but I don't see any line >> such as "SpamAssassin Bayes database rebuild preparing" even with >> $RebuildBAYES <> 0 >> >>-- >>-- Pascal -- >> -- > > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: SA.pm Type: application/octet-stream Size: 19511 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040202/e8490401/SA.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dee at ASYOUNEED.COM Mon Feb 2 10:28:49 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:15 2006 Subject: Trying to recover msg but all I get is the warning In-Reply-To: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> Message-ID: <000001c3e977$58d4b1a0$0201a8c0@lappy> Hi All, I am trying to recover a message that had the iframe tags in it but all I get in the folder it directs me to is the warning message why? Dee From mailscanner at ecs.soton.ac.uk Mon Feb 2 11:01:44 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:15 2006 Subject: Trying to recover msg but all I get is the warning In-Reply-To: <000001c3e977$58d4b1a0$0201a8c0@lappy> References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <000001c3e977$58d4b1a0$0201a8c0@lappy> Message-ID: <6.0.1.1.2.20040202110113.07ae3608@imap.ecs.soton.ac.uk> At 10:28 02/02/2004, you wrote: >Hi All, > > I am trying to recover a message that had the iframe tags in it >but all I get in the folder it directs me to is the warning message why? This is a bug I have not yet tracked down. I have been unable to rectify it. If you could post me your MailScanner.conf settings, that would help. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From goleotti at MISAG.IT Mon Feb 2 11:31:07 2004 
From: goleotti at MISAG.IT (Gabriele Oleotti) Date: Thu Jan 12 21:22:15 2006 Subject: Vexira AV Support in 4.26.6? Message-ID: <1488394A34F6A0408FDA3841418D1442183D4B@scorpio.auron.mi> Ok, there's no problem for me!! If I can do anything else, please let me know. Bye, Gabriele -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: domenica 1 febbraio 2004 14.50 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Vexira AV Support in 4.26.6? Hopefully I'll get this in to 4.27. At 12:09 01/02/2004, you wrote: >I have to apologize for the last patch I sent you as the autoupdate script >has a little bug (I forget the --update switch, so vexira isn't really >doing the update). Sorry for that. > >I corrected this bug and I have adjusted the output coming from the >scanner as the vexira seems to use dos/windows CR+LF new line characters >which causes bad looking output to be logged on my files. > >Last, I have added time-out support (for the most copied from the alarm >perldoc page and from the clamav-autoupdate) which I have tested and >seemed to work fine. > >Buy for now, >Gabriele > > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: venerd? 30 gennaio 2004 18.00 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Vexira AV Support in 4.26.6? > > >At 16:53 30/01/2004, you wrote: > >Will Support for Vexira Antivirus added in MailScanner Version 4.26.6? > >No, sorry. I haven't had time to test it myself. It will have to wait for >4.27. >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dee at ASYOUNEED.COM Mon Feb 2 12:38:28 2004 
From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:15 2006 Subject: Trying to recover msg but all I get is the warning {Scanned} In-Reply-To: <6.0.1.1.2.20040202110113.07ae3608@imap.ecs.soton.ac.uk> Message-ID: <000001c3e989$75a0f520$0201a8c0@lappy> Hi Julian, I sent it to your email address rather than list did you get it? Yours, Dee > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Julian Field > Sent: 02 February 2004 11:02 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Trying to recover msg but all I get is the warning {Scanned} > > At 10:28 02/02/2004, you wrote: > >Hi All, > > > > I am trying to recover a message that had the iframe tags in it > >but all I get in the folder it directs me to is the warning message why? > > This is a bug I have not yet tracked down. I have been unable to rectify > it. If you could post me your MailScanner.conf settings, that would help. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From AndreaC at GOTECH.IT Mon Feb 2 12:30:27 2004 
From: AndreaC at GOTECH.IT (Andrea Cogliati)
Date: Thu Jan 12 21:22:15 2006
Subject: NDR strategy
Message-ID: <463F0AFA3E2CEA4E807EC569C019E739140C9B@atlantis.gtub.corp>

We use MailScanner (with Sendmail) as a mail relay to protect our Exchange Mail Server from Viruses, Spam and other threats. We configured the MS+Sendmail gateway to relay all messages for our SMTP domains to our Exchange Server.

The problem is with NDRs. Every time we receive a message for a non-existing mailbox, MailScanner still scans it then Sendmail relays it to Exchange that generates an NDR. Now, as most of the messages are generated by Worms/Viruses/Spammers using fake addresses, the NDRs either remain in mail queues until timeouts or the NDR is received by some unwilling party or, worse, another NDR is generated and received by our gateway. Anyway, the process is not efficient as lots of messages are needlessly processed at least twice.

We found two possible workarounds:

1. Disable NDR generation on Exchange server, which solves part of the issue to the detriment of RFC compliancy;
2. Enable relay at mailbox level instead of domain level on Sendmail (using access_db).

The second solution seems the best as it solves the whole problem maintaining full RFC compliancy. Unfortunately, it's completely manual as every time we modify a mailbox on Exchange we have to modify Sendmail configuration accordingly.

Anybody solved the issue with a better approach?

TIA,

Andrea

From dh at UPTIME.AT Mon Feb 2 12:45:46 2004
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:15 2006
Subject: [OT] Re: NDR strategy
In-Reply-To: <463F0AFA3E2CEA4E807EC569C019E739140C9B@atlantis.gtub.corp>
References: <463F0AFA3E2CEA4E807EC569C019E739140C9B@atlantis.gtub.corp>
Message-ID: <401E467A.7060903@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Andrea Cogliati wrote:

| Anybody solved the issue with a better approach?
|

Can Exchange read its Account data from LDAP? If so, set up LDAP routing for Sendmail, that way nonexistent user accounts for the domains you serve will not even be accepted by the gateway sendmail

- -d
- --
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD4DBQFAHkZ6PMoaMn4kKR4RA0VzAJ9r4g2LyUjHqln4UvFctmzwVF5XCQCVEYjD
oIWblWnFOCyIvR6M2Vd/hA==
=9eZ2
-----END PGP SIGNATURE-----

From raymond at PROLOCATION.NET Mon Feb 2 12:47:28 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:16 2006
Subject: Trying to recover msg but all I get is the warning {Scanned}
In-Reply-To: <000001c3e989$75a0f520$0201a8c0@lappy>
Message-ID:

Hi!

> > This is a bug I have not yet tracked down. I have been unable to
> > it. If you could post me your MailScanner.conf settings, that would

I get them daily, so capturing my mailflow for one day and processing it most likely will give some hits. Or is there any other debugging I could do?

bye,
Raymond.

From martinh at SOLID-STATE-LOGIC.COM Mon Feb 2 13:44:16 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:16 2006
Subject: NDR strategy
In-Reply-To: <463F0AFA3E2CEA4E807EC569C019E739140C9B@atlantis.gtub.corp>
References: <463F0AFA3E2CEA4E807EC569C019E739140C9B@atlantis.gtub.corp>
Message-ID: <401E5430.2050004@solid-state-logic.com>

Andrea

There is a way of setting up sendmail so it reads from an Active Directory server to validate the email address. Have a google around for 'how to'.

This way the inbound sendmail will reject the email for non-existent email addresses before it hits MailScanner.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at ecs.soton.ac.uk Mon Feb 2 14:06:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:16 2006
Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8
In-Reply-To: <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk>

I have just posted version 4.26.8.

The problem did not appear on Linux, but does appear on Solaris. You can now disable all the relevant code by setting

Rebuild Bayes Every = 0

I will look into fixing this as a priority, but it is highly OS-specific and may even be Perl-version specific. It refuses to lock a file it has just successfully opened, but seems happy when I do it elsewhere :-(

Jules.

P.S. thanks for your patience....

At 10:23 02/02/2004, you wrote:
>Inevitably I put a config name wrong in that one.
>
>At 09:40 02/02/2004, you wrote:
>>Please could you try the attached SA.pm and see if it helps.
>>
>>Changes:
>> - Set "Rebuild Bayes Every = 0" should disable all this code.
>> - Locking code changed to more closely match the virus scanner
>>locking code.
>>
>>The trouble is, it all works for me. But that's on a Linux system, and the
>>underlying locking behaviour may well be different on Solaris.
>>
>>At 07:56 02/02/2004, you wrote:
>>>Hello,
>>>
>>>I have the same behaviour with the rebuild of bayes database and I get it
>>>every time MailScanner is launched.
>>>
>>>To avoid the "Skipping", I have to "manually" remove the lock file
>>>(for me it's not important since I do not use bayes !)
>>>
>>>In SA.pm, the lock file is created before the test on "$RebuildBayes"
>>>and the lock is removed only if the bayes database has been rebuilt.
>>>
>>>If $RebuildBayes == 0, the lock will never be removed.
>>>
>>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris doesn't finish
>>>or doesn't begin ???
>>>
>>> I see the "Skipping" line in the logfile but I don't see any line
>>> such as "SpamAssassin Bayes database rebuild preparing" even with
>>> $RebuildBAYES <> 0
>>>
>>>--
>>>-- Pascal --
>>> --
>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From nathan at TCPNETWORKS.NET Mon Feb 2 14:44:34 2004
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:22:16 2006
Subject: many spamassassin timeouts
Message-ID:

As I understand it, SpamAssassin opportunistically rebuilds the database and expires old tokens. In some cases, SpamAssassin times out (as configured in MailScanner) before the rebuilding completes. Ultimately, this leads to more timeouts and an accumulation of *.lock and *.expiry files. You may also see a bayes_toks.new file. It's not really a SpamAssassin or MailScanner issue, but more of a timing issue (presumably on slower systems).

I've been closely monitoring my database and rebuilding it manually (with the --force-expire option). I also increased my SpamAssassin time out, but I've still had the same problems (although not as frequently).

As mentioned below, this has been an issue for others in the list and Julian added some code that will generate the rebuild for us. I'm planning to upgrade in a few days. Fortunately, it's not really an urgent problem (as it doesn't corrupt my bayes database), just more of an inconvenience.

Nathan

-----Original Message-----
From: Mickey Everts [mailto:mickey-ml@GREENGLOW.ORG] Sent: Sunday, February 01, 2004 8:03 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: many spamassassin timeouts Damn...there were a ton of *lock* and *expire* files and I deleted them all. I'll give it a couple days to see if the problem is really solved, but it sounds likely. Thanks again for the tip! I haven't looked in that directory for ages since I didn't even realize the locking issue existed and every time I looked in the past, it just had the typical files: auto-whitelist bayes_journal bayes_seen bayes_toks I just found the "Bayesian shenanigans" thread but it sounds like people haven't exactly gotten to the bottom of this issue yet. It sounds like the general opinion is it is some issue with spamassassin itself...right? Mickey -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson Sent: Sunday, February 01, 2004 2:22 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: many spamassassin timeouts Make sure you aren't havin Bayes locking issues. My timeouts were attributable to this more than once. Check /var/spool/spamassassin (or wherever your Baye's database resides) for extra bayes lock files and delete them (you may also need to delete the *.expiry files). Try running a manual rebuild of the database like so: sa-learn -D -p /etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire If this is the cause of the problem, consider taking advantage of the bayes rebuild options available in the latest release of MailScanner (or run the command regularly via cron). Nathan -----Original Message----- From: Stephen Swaney [mailto:steve.swaney@FSL.COM] Sent: Saturday, January 31, 2004 12:07 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: many spamassassin timeouts > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Mickey Everts
> Sent: Saturday, January 31, 2004 2:54 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: many spamassassin timeouts
>
> Here is something very weird I just noticed in trying to track this down.
> Here is just a small sample of my logs, but notice the time outs happen
> almost exactly every ten minutes? I am running mailscanner-4.25-14.
>
[SKS]
Do you have an event that is slowing down your network every 10 minutes.
Try a sniffer and see.

This is the typical cause for SpamAssassin timeouts.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> Jan 31 05:48:41 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 05:59:05 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:09:02 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:19:03 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:29:41 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:39:26 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:50:14 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:00:05 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:10:43 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:20:32 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:30:42 defender MailScanner[17784]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:40:45 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:50:53 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 08:00:48 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 08:11:01 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 08:20:59 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
>
> Mickey
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
> Sent: Saturday, January 31, 2004 6:37 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: many spamassassin timeouts
>
> At 21:17 30/01/2004, you wrote:
> >I turned on Debug = yes and Debug SpamAssassin = yes but I am not seeing
> >output similar to below in maillog. Should I be looking elsewhere else? I
> >am trying to track down the source of some spamassassin timeouts I have been
> >having. Ideally I need to log the equivalent of "spamassassin -D" for a few
> >hours.
>
> Those 2 options will cause "check_mailscanner" to log all the SA output to
> the terminal. It will process 1 batch of messages and then quit.
> I have been getting a lot of Razor timeouts recently, and have currently
> disabled it. You can do this by adding
> use_razor2 0
> to your spam.assassin.prefs.conf and restarting MailScanner.
>
> >
> >Thanks!
> >
> >Mickey
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> >Of Piet Bos
> >Sent: Monday, January 26, 2004 3:02 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: many spamassassin timeouts
> >
> >a part of the debug output.
> >I find the 0 behind Net::DNS resolver unavailable rather curious
> >do you agree?
> >
> >grtz Piet
> >
> >debug: running raw-body-text per-line regexp tests; score so far=4.3
> >debug: running uri tests; score so far=4.3
> >debug: uri tests: Done uriRE
> >debug: running full-text regexp tests; score so far=4.3
> >debug: Razor2 is not available
> >debug: DCC is not available: dccproc not found
> >debug: Razor1 is not available
> >debug: Pyzor is not available: pyzor not found
> >debug: is Net::DNS::Resolver unavailable? 0
> >debug: trying (3) gwdg.de...
> >debug: looking up MX for 'gwdg.de'
> >debug: MX for 'gwdg.de' exists? 1
> >debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available to hardcode)
> >debug: is DNS available? 1
> >debug: running meta tests; score so far=5.3
> >----- Original Message -----
> >From: "Julian Field"
> >To:
> >Sent: Monday, January 26, 2004 9:39 AM
> >Subject: Re: many spamassassin timeouts
> >
> >
> > > Run with Debug = yes and Debug SpamAssassin = yes, and see where the
> > > slow-down is.
> > >
> > > At 08:33 26/01/2004, you wrote:
> > > >Experiencing many spamassassin timeouts lately.
> > > >Is there a valid reason for that?
> > > >I'm using version 4.26-1 starting
> > > >my settings in MailScanner.conf are:
> > > >SpamAssassin Timeout = 40
> > > >Max SpamAssassin Timeouts = 50
> > > >
> > > >Any suggestions?
> > > >brgds Piet
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Fortress Systems Ltd.
www.fsl.com

From mailscanner at ecs.soton.ac.uk Mon Feb 2 14:47:14 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:16 2006
Subject: many spamassassin timeouts
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040202144605.06f7b820@imap.ecs.soton.ac.uk>

The code to do this for you currently doesn't work on Solaris, but it does appear to work fine on Linux. It's a locking semantics problem which I haven't got to the bottom of yet.
See the Re: 4.26.7, bayes rebuild, confused. -- 4.26.8 thread for more discussion on this.

At 14:44 02/02/2004, you wrote:
>As I understand it, SpamAssassin opportunistically rebuilds the database
>and expires old tokens. In some cases, SpamAssassin times out (as
>configured in MailScanner) before the rebuilding completes. Ultimately,
>this leads to more timeouts and an accumulation of *.lock and *.expiry
>files. You may also see a bayes_toks.new file. It's not really a
>SpamAssassin or MailScanner issue, but more of a timing issue
>(presumably on slower systems).
>
>I've been closely monitoring my database and rebuilding it manually
>(with the --force-expire option). I also increased my SpamAssassin time
>out, but I've still had the same problems (although not as frequently).
>As mentioned below, this has been an issue for others in the list and
>Julian added some code that will generate the rebuild for us. I'm
>planning to upgrade in a few days.
>
>Fortunately, it's not really an urgent problem (as it doesn't corrupt my
>bayes database), just more of an inconvenience.
>
>Nathan
>
>
>-----Original Message-----
>From: Mickey Everts [mailto:mickey-ml@GREENGLOW.ORG] >Sent: Sunday, February 01, 2004 8:03 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: many spamassassin timeouts > > >Damn...there were a ton of *lock* and *expire* files and I deleted them >all. >I'll give it a couple days to see if the problem is really solved, but >it >sounds likely. Thanks again for the tip! > >I haven't looked in that directory for ages since I didn't even realize >the >locking issue existed and every time I looked in the past, it just had >the >typical files: > >auto-whitelist >bayes_journal >bayes_seen >bayes_toks > >I just found the "Bayesian shenanigans" thread but it sounds like people >haven't exactly gotten to the bottom of this issue yet. It sounds like >the >general opinion is it is some issue with spamassassin itself...right? > >Mickey > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf >Of Nathan Johanson >Sent: Sunday, February 01, 2004 2:22 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: many spamassassin timeouts > >Make sure you aren't havin Bayes locking issues. My timeouts were >attributable to this more than once. Check /var/spool/spamassassin (or >wherever your Baye's database resides) for extra bayes lock files and >delete them (you may also need to delete the *.expiry files). Try >running a manual rebuild of the database like so: > >sa-learn -D -p /etc/MailScanner/spam.assassin.prefs.conf --rebuild >--force-expire > >If this is the cause of the problem, consider taking advantage of the >bayes rebuild options available in the latest release of MailScanner (or >run the command regularly via cron). > >Nathan > > > >-----Original Message----- >From: Stephen Swaney [mailto:steve.swaney@FSL.COM] >Sent: Saturday, January 31, 2004 12:07 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: many spamassassin timeouts > > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Mickey Everts > > Sent: Saturday, January 31, 2004 2:54 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: many spamassassin timeouts > > > > Here is something very weird I just noticed in trying to track this >down. > > Here is just a small sample of my logs, but notice the time outs >happen > > almost exactly every ten minutes? I am running mailscanner-4.25-14. > > >[SKS] >Do you have an event that is slowing down you network every 10 minutes. >Try a sniffer and see. > >This is the typical cause for SpamAssassin timeouts. > >Steve > >Stephen Swaney >President >Fortress Systems Ltd. >Steve.Swaney@FSL.com > > > > Jan 31 05:48:41 defender MailScanner[18146]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 05:59:05 defender MailScanner[17813]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 06:09:02 defender MailScanner[17717]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 06:19:03 defender MailScanner[18146]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 06:29:41 defender MailScanner[17795]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 06:39:26 defender MailScanner[17813]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 06:50:14 defender MailScanner[17717]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 07:00:05 defender MailScanner[18146]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 07:10:43 defender MailScanner[17795]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 07:20:32 defender MailScanner[17795]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 07:30:42 defender 
MailScanner[17784]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 07:40:45 defender MailScanner[17717]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 07:50:53 defender MailScanner[18146]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 08:00:48 defender MailScanner[17717]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 08:11:01 defender MailScanner[17795]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 08:20:59 defender MailScanner[17717]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > > > Mickey > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf > > Of Julian Field > > Sent: Saturday, January 31, 2004 6:37 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: many spamassassin timeouts > > > > At 21:17 30/01/2004, you wrote: > > >I turned on Debug = yes and Debug SpamAssassin = yes but I am not >seeing > > >output similar to below in maillog. Should I be looking elsewhere >else? > > I > > >am trying to track down the source of some spamassassin timeouts I >have > > been > > >having. Ideally I need to log the equivalent of "spamassassin -D" >for a > > few > > >hours. > > > > Those 2 options will cause "check_mailscanner" to log all the SA >output to > > the terminal. It will process 1 batch of messages and then quit. > > I have been getting a lot of Razor timeouts recently, and have >currently > > disabled it. You can do this by adding > > use_razor2 0 > > to your spam.assassin.prefs.conf and restarting MailScanner. > > > > > > > > >Thanks! > > > > > >Mickey > > > > > >-----Original Message----- 
> > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf > > >Of Piet Bos > > >Sent: Monday, January 26, 2004 3:02 AM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: many spamassassin timeouts > > > > > >a part of the debug output. > > >I find the 0 behind Net::DNS resolver unavailable rather curious > > >do you agree? > > > > > >grtz Piet > > > > > >debug: running raw-body-text per-line regexp tests; score so far=4.3 > > >debug: running uri tests; score so far=4.3 > > >debug: uri tests: Done uriRE > > >debug: running full-text regexp tests; score so far=4.3 > > >debug: Razor2 is not available > > >debug: DCC is not available: dccproc not found > > >debug: Razor1 is not available > > >debug: Pyzor is not available: pyzor not found > > >debug: is Net::DNS::Resolver unavailable? 0 > > >debug: trying (3) gwdg.de... > > >debug: looking up MX for 'gwdg.de' > > >debug: MX for 'gwdg.de' exists? 1 > > >debug: MX lookup of gwdg.de succeeded => Dns available (set >dns_available > > to > > >hardcode) > > >debug: is DNS available? 1 > > >debug: running meta tests; score so far=5.3 > > >----- Original Message ----- 
> > >From: "Julian Field" > > >To: > > >Sent: Monday, January 26, 2004 9:39 AM > > >Subject: Re: many spamassassin timeouts > > > > > > > > > > Run with Debug = yes and Debug SpamAssassin = yes, and see where >the > > > > slow-down is. > > > > > > > > At 08:33 26/01/2004, you wrote: > > > > >Experiencing many spamassassin timeouts lately. > > > > >Is there a valid reason for that? > > > > >I'm using version 4.26-1 starting > > > > >my settings in MailScanner.conf are: > > > > >SpamAssassin Timeout = 40 > > > > >Max SpamAssassin Timeouts = 50 > > > > > > > > > >Any suggestions? > > > > >brgds Piet > > > > > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > Fortress Systems Ltd. > > www.fsl.com > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > >Fortress Systems Ltd. >www.fsl.com -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jaearick at colby.edu Mon Feb 2 15:08:29 2004 
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Jan 12 21:22:16 2006
Subject: [MAILSCANNER] 4.26.7, bayes rebuild, confused. -- 4.26.8
In-Reply-To: <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

Popped 4.26.8 into place, let it run for a few minutes (Sol 9, SA 2.63, Razor). No more complaints about Bayes, but no SpamAssassin messages either. I ran a batch in debug mode for both MS and SA, and it looked like stuff in the debug batch got tagged by SA:

debug: is spam? score=10.95 required=5
tests=BAYES_20,FROM_ENDS_IN_NUMS,MIME_MISSING_BOUNDARY,MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK

but nothing in the syslog regarding SA. I also set the log level for razor to 4 and razor is busy. How to check if 4.26.8 is really using SA, if nothing appears in syslog? I'm back to running 4.25-14.

Jeff Earickson
Colby College

On Mon, 2 Feb 2004, Julian Field wrote:

> Date: Mon, 2 Feb 2004 14:06:40 +0000
> From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] 4.26.7, bayes rebuild, confused. -- 4.26.8 > > I have just posted version 4.26.8. > > The problem did not appear on Linux, but does appear on Solaris. You can > now disable all the relevant code by setting > > Rebuild Bayes Every = 0 > > I will look into fixing this as a priority, but it is highly OS-specific > and may even be Perl-version specific. It refuses to lock a file it has > just successfully opened, but seems happy when I do it elsewhere :-( > > Jules. > > P.S. thanks for your patience.... > > At 10:23 02/02/2004, you wrote: > >Inevitably I put a config name wrong in that one. > > > >At 09:40 02/02/2004, you wrote: > >>Please could you try the attached SA.pm and see if it helps. > >> > >>Changes: > >> - Set "Rebuild Bayes Every = 0" should disable all this code. > >> - Locking code changed to more closely match the virus scanner > >>locking code. > >> > >>The trouble is, it all works for me. But that's on a Linux system, and the > >>underlying locking behaviour may well be different on Solaris. > >> > >>At 07:56 02/02/2004, you wrote: > >>>Hello, > >>> > >>>I have the same behaviour with the rebuild of bayes database and I get it > >>>every time MailScanner is launched. > >>> > >>>To avoid the "Skipping", I have to "manually" remove the lock file > >>>(for me it's not important since I do not use bayes !) > >>> > >>>In SA.pm, the lock file is created before the test on "$RebuildBayes" > >>>and the lock is removed only if the bayes database has been rebuild. > >>> > >>>If $RebuildBayes == 0, the lock will never be removed. > >>> > >>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris don't finish > >>>or don't begin ??? 
> >>> > >>> I see the "Skipping" line in the logfile but I don't see any line > >>> such as "SpamAssassin Bayes database rebuild preparing" even with > >>> $RebuildBAYES <> 0 > >>> > >>>-- > >>>-- Pascal -- > >>> -- > >> > >> > >>-- > >>Julian Field > >>www.MailScanner.info > >>MailScanner thanks transtec Computers for their support > >> > >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mailscanner at ecs.soton.ac.uk Mon Feb 2 15:32:49 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:16 2006
Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8
In-Reply-To:
References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040202153133.06ca0ea0@imap.ecs.soton.ac.uk>

I just fell foul of not having "Log Spam = yes" so you might want to double-check that.
It appears to be logging fine on a Solaris 2.8 box.

At 15:08 02/02/2004, you wrote:
>Julian,
>
> Popped 4.26.8 into place, let it run for a few minutes (Sol 9, SA
>2.63, Razor). No more complaints about Bayes, but no SpamAssassin
>messages either. I ran a batch in debug mode for both MS and SA, and
>it looked like stuff in the debug batch got tagged by SA:
>
>debug: is spam? score=10.95 required=5
>tests=BAYES_20,FROM_ENDS_IN_NUMS,MIME_MISSING_BOUNDARY,MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK
>
>but nothing in the syslog regarding SA. I also set the log level
>for razor to 4 and razor is busy. How to check if 4.26.8 is really
>using SA, if nothing appears in syslog? I'm back to running 4.25-14.
>
>Jeff Earickson
>Colby College
>
>On Mon, 2 Feb 2004, Julian Field wrote:
>
> > Date: Mon, 2 Feb 2004 14:06:40 +0000
> > From: Julian Field > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: [MAILSCANNER] 4.26.7, bayes rebuild, confused. -- 4.26.8 > > > > I have just posted version 4.26.8. > > > > The problem did not appear on Linux, but does appear on Solaris. You can > > now disable all the relevant code by setting > > > > Rebuild Bayes Every = 0 > > > > I will look into fixing this as a priority, but it is highly OS-specific > > and may even be Perl-version specific. It refuses to lock a file it has > > just successfully opened, but seems happy when I do it elsewhere :-( > > > > Jules. > > > > P.S. thanks for your patience.... > > > > At 10:23 02/02/2004, you wrote: > > >Inevitably I put a config name wrong in that one. > > > > > >At 09:40 02/02/2004, you wrote: > > >>Please could you try the attached SA.pm and see if it helps. > > >> > > >>Changes: > > >> - Set "Rebuild Bayes Every = 0" should disable all this code. > > >> - Locking code changed to more closely match the virus scanner > > >>locking code. > > >> > > >>The trouble is, it all works for me. But that's on a Linux system, > and the > > >>underlying locking behaviour may well be different on Solaris. > > >> > > >>At 07:56 02/02/2004, you wrote: > > >>>Hello, > > >>> > > >>>I have the same behaviour with the rebuild of bayes database and I > get it > > >>>every time MailScanner is launched. > > >>> > > >>>To avoid the "Skipping", I have to "manually" remove the lock file > > >>>(for me it's not important since I do not use bayes !) > > >>> > > >>>In SA.pm, the lock file is created before the test on "$RebuildBayes" > > >>>and the lock is removed only if the bayes database has been rebuild. > > >>> > > >>>If $RebuildBayes == 0, the lock will never be removed. > > >>> > > >>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris don't finish > > >>>or don't begin ??? 
> > >>>
> > >>> I see the "Skipping" line in the logfile but I don't see any line
> > >>> such as "SpamAssassin Bayes database rebuild preparing" even with
> > >>> $RebuildBAYES <> 0
> > >>>
> > >>>--
> > >>>-- Pascal --
> > >>> --
> > >>
> > >>
> > >>--
> > >>Julian Field
> > >>www.MailScanner.info
> > >>MailScanner thanks transtec Computers for their support
> > >>
> > >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >
> > >
> > >--
> > >Julian Field
> > >www.MailScanner.info
> > >MailScanner thanks transtec Computers for their support
> > >
> > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jaearick at colby.edu Mon Feb 2 15:42:36 2004
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Jan 12 21:22:16 2006
Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8
In-Reply-To: <6.0.1.1.2.20040202153133.06ca0ea0@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202153133.06ca0ea0@imap.ecs.soton.ac.uk>
Message-ID:

Doh! Sorry. I had commented my change in the .conf file, then forgot to make it.

Soooo.... With "Rebuild Bayes Every = 0", I guess we still need to run our Bayes-rebuild cron jobs until all this gets sorted out, right?

Jeff

On Mon, 2 Feb 2004, Julian Field wrote:

> Date: Mon, 02 Feb 2004 15:32:49 +0000
> From: Julian Field > To: MailScanner mailing list > Cc: Jeff A. Earickson > Subject: Re: 4.26.7, bayes rebuild, confused. -- 4.26.8 > > I just fell foul of not having "Log Spam = yes" so you might want to > double-check that. > It appears to be logging fine on a Solaris 2.8 box. > > At 15:08 02/02/2004, you wrote: > >Julian, > > > > Popped 4.26.8 into place, let it run for a few minutes (Sol 9, SA > >2.63, Razor). No more complaints about Bayes, but no SpamAssassin > >messages either. I ran a batch in debug mode for both MS and SA, and > >it looked like stuff in the debug batch got tagged by SA: > > > >debug: is spam? score=10.95 required=5 > >tests=BAYES_20,FROM_ENDS_IN_NUMS,MIME_MISSING_BOUNDARY,MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK > > > >but nothing in the syslog regarding SA. I also set the log level > >for razor to 4 and razor is busy. How to check it 4.26.8 is really > >using SA, if nothing appears in syslog? I'm back to running 4.25-14. > > > >Jeff Earickson > >Colby College > > > >On Mon, 2 Feb 2004, Julian Field wrote: > > > > > Date: Mon, 2 Feb 2004 14:06:40 +0000 
> > > From: Julian Field > > > Reply-To: MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: [MAILSCANNER] 4.26.7, bayes rebuild, confused. -- 4.26.8 > > > > > > I have just posted version 4.26.8. > > > > > > The problem did not appear on Linux, but does appear on Solaris. You can > > > now disable all the relevant code by setting > > > > > > Rebuild Bayes Every = 0 > > > > > > I will look into fixing this as a priority, but it is highly OS-specific > > > and may even be Perl-version specific. It refuses to lock a file it has > > > just successfully opened, but seems happy when I do it elsewhere :-( > > > > > > Jules. > > > > > > P.S. thanks for your patience.... > > > > > > At 10:23 02/02/2004, you wrote: > > > >Inevitably I put a config name wrong in that one. > > > > > > > >At 09:40 02/02/2004, you wrote: > > > >>Please could you try the attached SA.pm and see if it helps. > > > >> > > > >>Changes: > > > >> - Set "Rebuild Bayes Every = 0" should disable all this code. > > > >> - Locking code changed to more closely match the virus scanner > > > >>locking code. > > > >> > > > >>The trouble is, it all works for me. But that's on a Linux system, > > and the > > > >>underlying locking behaviour may well be different on Solaris. > > > >> > > > >>At 07:56 02/02/2004, you wrote: > > > >>>Hello, > > > >>> > > > >>>I have the same behaviour with the rebuild of bayes database and I > > get it > > > >>>every time MailScanner is launched. > > > >>> > > > >>>To avoid the "Skipping", I have to "manually" remove the lock file > > > >>>(for me it's not important since I do not use bayes !) > > > >>> > > > >>>In SA.pm, the lock file is created before the test on "$RebuildBayes" > > > >>>and the lock is removed only if the bayes database has been rebuild. > > > >>> > > > >>>If $RebuildBayes == 0, the lock will never be removed. > > > >>> > > > >>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris don't finish > > > >>>or don't begin ??? 
> > > >>> > > > >>> I see the "Skipping" line in the logfile but I don't see any > > line > > > >>> such as "SpamAssassin Bayes database rebuild preparing" even > > with > > > >>> $RebuildBAYES <> 0 > > > >>> > > > >>>-- > > > >>>-- Pascal -- > > > >>> -- > > > >> > > > >> > > > >>-- > > > >>Julian Field > > > >>www.MailScanner.info > > > >>MailScanner thanks transtec Computers for their support > > > >> > > > >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > > >-- > > > >Julian Field > > > >www.MailScanner.info > > > >MailScanner thanks transtec Computers for their support > > > > > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From jaearick at COLBY.EDU Mon Feb 2 15:42:36 2004 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:22:16 2006 Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8 In-Reply-To: <6.0.1.1.2.20040202153133.06ca0ea0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202153133.06ca0ea0@imap.ecs.soton.ac.uk> Message-ID: Doh! Sorry. I had commented my change in the .conf file, then forgot to make it. Soooo.... With "Rebuild Bayes Every = 0", I guess we still need to run our Bayes-rebuild cron jobs until all this gets sorted out, right? Jeff On Mon, 2 Feb 2004, Julian Field wrote: > Date: Mon, 02 Feb 2004 15:32:49 +0000 
> From: Julian Field > To: MailScanner mailing list > Cc: Jeff A. Earickson > Subject: Re: 4.26.7, bayes rebuild, confused. -- 4.26.8 > > I just fell foul of not having "Log Spam = yes" so you might want to > double-check that. > It appears to be logging fine on a Solaris 2.8 box. > > At 15:08 02/02/2004, you wrote: > >Julian, > > > > Popped 4.26.8 into place, let it run for a few minutes (Sol 9, SA > >2.63, Razor). No more complaints about Bayes, but no SpamAssassin > >messages either. I ran a batch in debug mode for both MS and SA, and > >it looked like stuff in the debug batch got tagged by SA: > > > >debug: is spam? score=10.95 required=5 > >tests=BAYES_20,FROM_ENDS_IN_NUMS,MIME_MISSING_BOUNDARY,MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK > > > >but nothing in the syslog regarding SA. I also set the log level > >for razor to 4 and razor is busy. How to check it 4.26.8 is really > >using SA, if nothing appears in syslog? I'm back to running 4.25-14. > > > >Jeff Earickson > >Colby College > > > >On Mon, 2 Feb 2004, Julian Field wrote: > > > > > Date: Mon, 2 Feb 2004 14:06:40 +0000 
> > > From: Julian Field > > > Reply-To: MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: [MAILSCANNER] 4.26.7, bayes rebuild, confused. -- 4.26.8 > > > > > > I have just posted version 4.26.8. > > > > > > The problem did not appear on Linux, but does appear on Solaris. You can > > > now disable all the relevant code by setting > > > > > > Rebuild Bayes Every = 0 > > > > > > I will look into fixing this as a priority, but it is highly OS-specific > > > and may even be Perl-version specific. It refuses to lock a file it has > > > just successfully opened, but seems happy when I do it elsewhere :-( > > > > > > Jules. > > > > > > P.S. thanks for your patience.... > > > > > > At 10:23 02/02/2004, you wrote: > > > >Inevitably I put a config name wrong in that one. > > > > > > > >At 09:40 02/02/2004, you wrote: > > > >>Please could you try the attached SA.pm and see if it helps. > > > >> > > > >>Changes: > > > >> - Set "Rebuild Bayes Every = 0" should disable all this code. > > > >> - Locking code changed to more closely match the virus scanner > > > >>locking code. > > > >> > > > >>The trouble is, it all works for me. But that's on a Linux system, > > and the > > > >>underlying locking behaviour may well be different on Solaris. > > > >> > > > >>At 07:56 02/02/2004, you wrote: > > > >>>Hello, > > > >>> > > > >>>I have the same behaviour with the rebuild of bayes database and I > > get it > > > >>>every time MailScanner is launched. > > > >>> > > > >>>To avoid the "Skipping", I have to "manually" remove the lock file > > > >>>(for me it's not important since I do not use bayes !) > > > >>> > > > >>>In SA.pm, the lock file is created before the test on "$RebuildBayes" > > > >>>and the lock is removed only if the bayes database has been rebuild. > > > >>> > > > >>>If $RebuildBayes == 0, the lock will never be removed. > > > >>> > > > >>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris don't finish > > > >>>or don't begin ??? 
> > > >>> > > > >>> I see the "Skipping" line in the logfile but I don't see any > > line > > > >>> such as "SpamAssassin Bayes database rebuild preparing" even > > with > > > >>> $RebuildBAYES <> 0 > > > >>> > > > >>>-- > > > >>>-- Pascal -- > > > >>> -- > > > >> > > > >> > > > >>-- > > > >>Julian Field > > > >>www.MailScanner.info > > > >>MailScanner thanks transtec Computers for their support > > > >> > > > >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > > >-- > > > >Julian Field > > > >www.MailScanner.info > > > >MailScanner thanks transtec Computers for their support > > > > > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mailscanner at ecs.soton.ac.uk Mon Feb 2 16:13:55 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:16 2006 Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8 In-Reply-To: References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202153133.06ca0ea0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040202161158.03a6ee68@imap.ecs.soton.ac.uk> At 15:42 02/02/2004, you wrote: >Doh! Sorry. I had commented my change in the .conf file, then forgot >to make it. > >Soooo.... With "Rebuild Bayes Every = 0", I guess we still need >to run our Bayes-rebuild cron jobs until all this gets sorted out, >right? Correct. >Jeff > >On Mon, 2 Feb 2004, Julian Field wrote: > > > Date: Mon, 02 Feb 2004 15:32:49 +0000 
> > From: Julian Field > > To: MailScanner mailing list > > Cc: Jeff A. Earickson > > Subject: Re: 4.26.7, bayes rebuild, confused. -- 4.26.8 > > > > I just fell foul of not having "Log Spam = yes" so you might want to > > double-check that. > > It appears to be logging fine on a Solaris 2.8 box. > > > > At 15:08 02/02/2004, you wrote: > > >Julian, > > > > > > Popped 4.26.8 into place, let it run for a few minutes (Sol 9, SA > > >2.63, Razor). No more complaints about Bayes, but no SpamAssassin > > >messages either. I ran a batch in debug mode for both MS and SA, and > > >it looked like stuff in the debug batch got tagged by SA: > > > > > >debug: is spam? score=10.95 required=5 > > >tests=BAYES_20,FROM_ENDS_IN_NUMS,MIME_MISSING_BOUNDARY,MISSING_MIMEOLE, > MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK > > > > > >but nothing in the syslog regarding SA. I also set the log level > > >for razor to 4 and razor is busy. How to check it 4.26.8 is really > > >using SA, if nothing appears in syslog? I'm back to running 4.25-14. > > > > > >Jeff Earickson > > >Colby College > > > > > >On Mon, 2 Feb 2004, Julian Field wrote: > > > > > > > Date: Mon, 2 Feb 2004 14:06:40 +0000 
> > > > From: Julian Field > > > > Reply-To: MailScanner mailing list > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: [MAILSCANNER] 4.26.7, bayes rebuild, confused. -- 4.26.8 > > > > > > > > I have just posted version 4.26.8. > > > > > > > > The problem did not appear on Linux, but does appear on Solaris. > You can > > > > now disable all the relevant code by setting > > > > > > > > Rebuild Bayes Every = 0 > > > > > > > > I will look into fixing this as a priority, but it is highly > OS-specific > > > > and may even be Perl-version specific. It refuses to lock a file it has > > > > just successfully opened, but seems happy when I do it elsewhere :-( > > > > > > > > Jules. > > > > > > > > P.S. thanks for your patience.... > > > > > > > > At 10:23 02/02/2004, you wrote: > > > > >Inevitably I put a config name wrong in that one. > > > > > > > > > >At 09:40 02/02/2004, you wrote: > > > > >>Please could you try the attached SA.pm and see if it helps. > > > > >> > > > > >>Changes: > > > > >> - Set "Rebuild Bayes Every = 0" should disable all this > code. > > > > >> - Locking code changed to more closely match the virus > scanner > > > > >>locking code. > > > > >> > > > > >>The trouble is, it all works for me. But that's on a Linux system, > > > and the > > > > >>underlying locking behaviour may well be different on Solaris. > > > > >> > > > > >>At 07:56 02/02/2004, you wrote: > > > > >>>Hello, > > > > >>> > > > > >>>I have the same behaviour with the rebuild of bayes database and I > > > get it > > > > >>>every time MailScanner is launched. > > > > >>> > > > > >>>To avoid the "Skipping", I have to "manually" remove the lock file > > > > >>>(for me it's not important since I do not use bayes !) > > > > >>> > > > > >>>In SA.pm, the lock file is created before the test on > "$RebuildBayes" > > > > >>>and the lock is removed only if the bayes database has been rebuild. > > > > >>> > > > > >>>If $RebuildBayes == 0, the lock will never be removed. 
> > > > >>> > > > > >>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris > don't finish > > > > >>>or don't begin ??? > > > > >>> > > > > >>> I see the "Skipping" line in the logfile but I don't see any > > > line > > > > >>> such as "SpamAssassin Bayes database rebuild preparing" even > > > with > > > > >>> $RebuildBAYES <> 0 > > > > >>> > > > > >>>-- > > > > >>>-- Pascal -- > > > > >>> -- > > > > >> > > > > >> > > > > >>-- > > > > >>Julian Field > > > > >>www.MailScanner.info > > > > >>MailScanner thanks transtec Computers for their support > > > > >> > > > > >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > > > > > >-- > > > > >Julian Field > > > > >www.MailScanner.info > > > > >MailScanner thanks transtec Computers for their support > > > > > > > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From robin at PRIMUS.CA Mon Feb 2 16:50:46 2004 
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:22:16 2006
Subject: small change in the init script
Message-ID:

Hi Julian

small thing.. can you please modify the init script so that

line 234 reads
$POSTFIX -c $POSTFIXINCF stop 2>/dev/null
instead of
$POSTFIX -c /etc/postfix.in stop 2>/dev/null

and line 263 reads
$POSTFIX -c $POSTFIXOUTCF stop 2>/dev/null
instead of
$POSTFIX -c /etc/postfix stop 2>/dev/null

I can send a patch if you prefer, but I have not much experience with requesting modification so I thought this would be a good place to start. :)

From tduvally at BROWN.EDU Mon Feb 2 17:06:06 2004
From: tduvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:22:16 2006
Subject: Silent virus delete ruleset
Message-ID: <1075741565.8224.31.camel@cis-staff-kntx90.cis.brown.edu>

I'm trying to create a ruleset for "Silent Viruses" but it isn't working.

From what I've read I would have this:

MailScanner.conf:
Silent Viruses = /path/to/silent.virus.rules
Still Deliver Silent Viruses = no

silent.virus.rules:
To: *@* klez
To: *@* mydoom

"klez" and mydoom being what would normally be on the Silent Viruses line if I didn't use a ruleset. Do I have this right?

--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.
GPG fingerprint = FB59 8265 0865 0CB8 94B5 FC26 F573 F09C 15F2 33F6
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040202/3548a78a/attachment.bin

From mailscanner at ecs.soton.ac.uk Mon Feb 2 17:07:06 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:16 2006
Subject: Silent virus delete ruleset
In-Reply-To: <1075741565.8224.31.camel@cis-staff-kntx90.cis.brown.edu>
References: <1075741565.8224.31.camel@cis-staff-kntx90.cis.brown.edu>
Message-ID: <6.0.1.1.2.20040202170632.073563c8@imap.ecs.soton.ac.uk>

At 17:06 02/02/2004, you wrote:
>I'm trying to create a ruleset for "Silent Viruses" but it isn't
>working.
>
> From what I've read I would have this:
>
>MailScanner.conf:
>Silent Viruses = /path/to/silent.virus.rules
>Still Deliver Silent Viruses = no
>
>silent.virus.rules:
>To: *@* klez
>To: *@* mydoom
>
>"klez" and mydoom being what would normally be on the Silent Viruses
>line if I didn't use a ruleset. Do I have this right?

No, you have 2 "default" rules. What you mean is this:

To: default klez mydoom

*@* == default

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve.freegard at LBSLTD.CO.UK Mon Feb 2 17:19:05 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:22:16 2006 Subject: Rules_du_jour Message-ID: <67D9E7698329D411936E00508B6590B902773E41@neelix.lbsltd.co.uk> Hi All, Quick question for those of you that might be using rules_du_jour for updating your custom SA rulesets. I've configured 'my_rules_du_jour' with an SA_RESTART command of "/etc/init.d/MailScanner reload" - and in the back of my mind I'm not sure if this is right - does MailScanner re-compile SpamAssassin on a reload (thus re-reading the custom rules) or does it actually require a 'restart' instead??? Cheers, Steve. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040202/823a3de4/attachment.html From AndreaC at GOTECH.IT Mon Feb 2 17:36:38 2004 From: AndreaC at GOTECH.IT (Andrea Cogliati) Date: Thu Jan 12 21:22:16 2006 Subject: NDR strategy, [OT] In-Reply-To: <401E5430.2050004@solid-state-logic.com> Message-ID: 
> From: Martin Hepworth > Reply-To: MailScanner mailing list > Date: Mon, 2 Feb 2004 13:44:16 +0000 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: NDR strategy > > There is way of setting up sendmail so it read from an Active Directory > server to validate the email address. have a google around for 'how to'. Martin (& David), Thanks for the excellent suggestion. I'll definitely look into it. Just a preliminary thought: I need to expose at least one DC onto the DMZ through LDAP. What are the possible security risks, if any, of this approach? Andrea From martinh at SOLID-STATE-LOGIC.COM Mon Feb 2 17:42:29 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:16 2006 Subject: NDR strategy, [OT] In-Reply-To: References: Message-ID: <401E8C05.5040705@solid-state-logic.com> Andrea Cogliati wrote: 
>>From: Martin Hepworth
>>Reply-To: MailScanner mailing list
>>Date: Mon, 2 Feb 2004 13:44:16 +0000
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: NDR strategy
>>
>>There is way of setting up sendmail so it read from an Active Directory
>>server to validate the email address. have a google around for 'how to'.
>
>
> Martin (& David),
>
> Thanks for the excellent suggestion. I'll definitely look into it. Just a
> preliminary thought: I need to expose at least one DC onto the DMZ through
> LDAP. What are the possible security risks, if any, of this approach?
>
> Andrea

Andrea

pretty minimal as it only needs read access on the LDAP port.

Another idea might be to build an access file once a day from the DC, at a set time and only open the port around that set time - (eg 1am-1.15am).

Depends on how 'risky' you decide this is, and how quickly you want email changes to propagate.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at LISTS.COM.AR Mon Feb 2 17:57:47 2004
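Martin's "build an access file once a day from the DC" idea, sketched as an added example (not code from this thread or from MailScanner): it turns a directory export into recipient entries so the mail gateway never has to query the DC live. Assumptions: the export is LDIF in the shape `ldapsearch -LLL` produces, addresses sit in the `mail` and `proxyAddresses` attributes, and the sendmail access map uses `To:` entries with `RELAY` plus an `ERROR:` catch-all for the domain; the sample LDIF, `example.com` and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample in the shape of `ldapsearch -LLL` output (not real data).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=com
mail: Alice@Example.com
proxyAddresses: SMTP:Alice@Example.com
proxyAddresses: smtp:a.example@example.com
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
mail:: Ym9iQGV4YW1wbGUuY29t
proxyAddresses: smtp:bob.with.a.very.long.alias.that.the.server.folds@exam
 ple.com

dn: CN=Partner Contact,OU=Contacts,DC=example,DC=com
mail: contact@partner.example.net
"""

# Deliberately strict: a value with any other character (spaces, newlines,
# tabs) never reaches the map, so directory data cannot inject extra entries.
ADDR_RE = re.compile(r"[a-z0-9._%+\-]+@[a-z0-9.\-]+")
ATTR_RE = re.compile(r"(mail|proxyAddresses)(::?)[ \t]*(.*)", re.IGNORECASE)


def unfold(ldif):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)


def extract_addresses(ldif, domain):
    """Return the sorted, de-duplicated SMTP addresses that belong to domain."""
    suffix = "@" + domain.lower()
    found = set()
    for line in unfold(ldif).splitlines():
        m = ATTR_RE.fullmatch(line)
        if not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":  # "::" marks a base64-encoded value
            try:
                value = base64.b64decode(value, validate=True).decode("utf-8")
            except ValueError:
                continue  # undecodable value: skip it rather than guess
        if attr == "proxyaddresses":
            # Values look like "smtp:addr" or "SMTP:addr"; ignore X400 etc.
            scheme, _, value = value.partition(":")
            if scheme.lower() != "smtp":
                continue
        value = value.strip().lower()
        if ADDR_RE.fullmatch(value) and value.endswith(suffix):
            found.add(value)
    return sorted(found)


def build_access_map(addresses, domain, previous_count=None, max_drop=0.5):
    """Render access-map text, refusing to publish a suspiciously small list.

    An empty or truncated export (DC unreachable, port closed outside the
    window) would otherwise make the gateway reject mail for real users.
    """
    if not addresses:
        raise ValueError("no recipients exported; keep the previous file")
    if previous_count is not None and len(addresses) < previous_count * (1 - max_drop):
        raise ValueError("recipient count dropped sharply; keep the previous file")
    lines = ["To:%s\tRELAY" % addr for addr in addresses]
    # Assumed catch-all: anything else at the domain is refused at SMTP time.
    lines.append("To:%s\tERROR:5.1.1:550 User unknown" % domain.lower())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recipients = extract_addresses(SAMPLE_LDIF, "example.com")
    print(build_access_map(recipients, "example.com"), end="")
```

Run from cron inside the window in which the LDAP port is open, the generated text would replace the previous day's entries only when both checks pass.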
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:22:16 2006
Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8
In-Reply-To: <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk>
Message-ID: <401E656B.16959.13A0CE4@localhost>

Gee...

FWIW, it happened a couple of centuries ago, but I recall having serious trouble making Perl's flock() work on Solaris... same situation, all development done under linux without a hitch and Solaris ignored all the locking... and it wasn't an interoperability problem, since I was competing against my own script...

The point is I don't quite remember what we did to solve it (we is an understatement, since it wasn't me programming, I was just the designer)... it must have been perl 5.6.x and Solaris 7, but I'm not sure either...

Seems like you'll need a Solaris box to test it thoroughly... I wouldn't even trust Solaris-x86 to behave identically to Solaris-Sparc :-(

On 2 Feb 2004 at 14:06, Julian Field wrote:

> I have just posted version 4.26.8.
>
> The problem did not appear on Linux, but does appear on Solaris. You can
> now disable all the relevant code by setting

--
Mariano Absatz
El Baby
----------------------------------------------------------
Oops. My brain just hit a bad sector.

From mailscanner at ecs.soton.ac.uk Mon Feb 2 18:03:34 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:16 2006
Subject: Rules_du_jour
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E41@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773E41@neelix.lbsltd.co.uk>
Message-ID: <6.0.1.1.2.20040202180219.03bc2bb0@imap.ecs.soton.ac.uk>

You should only require a reload, as that re-initialises SA. But doing a restart has very little impact that doesn't happen when doing a restart. So feel free to restart if you prefer.

At 17:19 02/02/2004, you wrote:
>Hi All,
>
>Quick question for those of you that might be using rules_du_jour for
>updating your custom SA rulesets.
>
>I've configured 'my_rules_du_jour' with an SA_RESTART command of
>"/etc/init.d/MailScanner reload" - and in the back of my mind I'm not sure
>if this is right - does MailScanner re-compile SpamAssassin on a reload
>(thus re-reading the custom rules) or does it actually require a 'restart'
>instead???
>
>Cheers,
>Steve.
>--
>This email and any files transmitted with it are confidential and intended
>solely for the use of the individual or entity to whom they are addressed.
>If you have received this email in error please notify the sender and
>delete the message from your mailbox.
>
>This footnote also confirms that this email message has been swept by
>MailScanner (www.mailscanner.info) for the presence of computer viruses.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 2 18:05:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:16 2006 Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8 In-Reply-To: <401E656B.16959.13A0CE4@localhost> References: <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <401E656B.16959.13A0CE4@localhost> Message-ID: <6.0.1.1.2.20040202180427.037198c8@imap.ecs.soton.ac.uk> At 17:57 02/02/2004, you wrote: >Gee... > >FWIW, it happened a couple of centuries ago, but I recall having serious >trouble making Perl's flock() work on Solaris... same situation, all >development done under linux without a hitch and Solaris ignored all the >locking... and it wasn't an interoperability problem, since I was >competing against my own script... > >The point is I don't quite remember what we did to solve it (we is an >understatement, since it wasn't me programming, I was just the >designer)... it must have been perl 5.6.x and Solaris 7, but I'm not sure >either... > >Seems like you'll need a Solaris box to test it thoroughly... I wouldn't >even trust Solaris-x86 to behave identically to Solaris-Sparc :-( I've got an Ultra-5 so I can do a real test. If necessary, I can build a Solaris-x86 box too. But as you say, the best place to try it is a real sparc. >El 2 Feb 2004 a las 14:06, Julian Field escribi?: > > > I have just posted version 4.26.8. > > > > The problem did not appear on Linux, but does appear on Solaris. You can > > now disable all the relevant code by setting > >-- >Mariano Absatz >El Baby >---------------------------------------------------------- >Oops. My brain just hit a bad sector. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From FCaen at CI.LAKEWOOD.WA.US Mon Feb 2 18:16:40 2004 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:22:16 2006 Subject: NDR strategy Message-ID: -----Original Message----- 
From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM] > There is way of setting up sendmail so it read from an Active > Directory server to validate the email address. have a google around for 'how to'. I suspect this is done by doing an LDAP lookup. If someone gets this to work or has a URL to post, I'd be interested. --------------------------------------------- Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 NOTICE: The Information contained in this transmission is privileged and confidential. It is intended for the use of the individual or entity named above. If the reader of this message is not the intended addressee or other legitimate recipient, the reader is hereby notified that any consideration, dissemination or duplication of this communication is strictly prohibited. If the addressee has received this communication in error, please return it to the above address by mail and notify this office by telephone. City of Lakewood From dwinkler at ALGORITHMICS.COM Mon Feb 2 18:33:42 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:22:16 2006 Subject: Rules_du_jour Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B18A@tormail2.algorithmics.com> Does allowing the MailScanner restart via "Restart Every" also re-initialize SA? Thanks, Derek -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Monday, February 02, 2004 1:04 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Rules_du_jour You should only require a reload, as that re-initialises SA. But doing a restart has very little impact that doesn't happen when doing a restart. So feel to restart if you prefer. At 17:19 02/02/2004, you wrote: >Hi All, > >Quick question for those of you that might be using rules_du_jour for >updating your custom SA rulesets. > >I've configured 'my_rules_du_jour' with an SA_RESTART command of >"/etc/init.d/MailScanner reload" - and in the back of my mind I'm not sure >if this is right - does MailScanner re-compile SpamAssassin on a reload >(thus re-reading the custom rules) or does it actually require a 'restart' >instead??? > >Cheers, >Steve. >-- >This email and any files transmitted with it are confidential and intended >solely for the use of the individual or entity to whom they are addressed. >If you have received this email in error please notify the sender and >delete the message from your mailbox. > >This footnote also confirms that this email message has been swept by >MailScanner (www.mailscanner.info) for the presence of computer viruses. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Feb 2 18:43:38 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:16 2006 Subject: Rules_du_jour In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B18A@tormail2.algorithmi cs.com> References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B18A@tormail2.algorithmics.com> Message-ID: <6.0.1.1.2.20040202184330.03ce7f68@imap.ecs.soton.ac.uk> Yes. At 18:33 02/02/2004, you wrote: >Does allowing the MailScanner restart via "Restart Every" also re-initialize >SA? > >Thanks, > >Derek > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Monday, February 02, 2004 1:04 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Rules_du_jour > > >You should only require a reload, as that re-initialises SA. But doing a >restart has very little impact that doesn't happen when doing a restart. So >feel to restart if you prefer. > >At 17:19 02/02/2004, you wrote: > >Hi All, > > > >Quick question for those of you that might be using rules_du_jour for > >updating your custom SA rulesets. > > > >I've configured 'my_rules_du_jour' with an SA_RESTART command of > >"/etc/init.d/MailScanner reload" - and in the back of my mind I'm not sure > >if this is right - does MailScanner re-compile SpamAssassin on a reload > >(thus re-reading the custom rules) or does it actually require a 'restart' > >instead??? > > > >Cheers, > >Steve. > >-- > >This email and any files transmitted with it are confidential and intended > >solely for the use of the individual or entity to whom they are addressed. > >If you have received this email in error please notify the sender and > >delete the message from your mailbox. > > > >This footnote also confirms that this email message has been swept by > >MailScanner (www.mailscanner.info) for the presence of computer viruses. > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From test at NEXTMILL.NET Mon Feb 2 19:05:41 2004 
From: test at NEXTMILL.NET (Brian Lewis)
Date: Thu Jan 12 21:22:16 2006
Subject: CLAMAV installation instructions?
Message-ID:

I am interested in installing Mailscanner and testing it, but I would like to implement CLAM-AV to scan for viruses as well. Has anyone documented the procedure to install and use ClamAV with Mailscanner? Sorry I am not a linux expert but I get around. I plan to use Redhat Fedora, will that work?

From sysadmin at FLEETONE.COM Mon Feb 2 19:20:15 2004
From: sysadmin at FLEETONE.COM (Rob)
Date: Thu Jan 12 21:22:16 2006
Subject: CLAMAV installation instructions?
References:
Message-ID: <198601c3e9c1$96371ca0$45a610ac@fleetone.com>

First, download the latest CLAMAV and extract it. Then:

The simplest way to compile this package is:

1. `cd' to the directory containing the package's source code and type `./configure' to configure the package for your system. If you're using `csh' on an old version of System V, you might need to type `sh ./configure' instead to prevent `csh' from trying to execute `configure' itself.

   Running `configure' takes awhile. While running, it prints some messages telling which features it is checking for.

2. Type `make' to compile the package.

3. Optionally, type `make check' to run any self-tests that come with the package.

4. Type `make install' to install the programs and any data files and documentation.

Now, edit your MailScanner.conf file and look for the line:

Virus Scanners =

Add clamav to the end of this line, save it, and restart MailScanner.

Rob

----- Original Message -----
From: "Brian Lewis" To: Sent: Monday, February 02, 2004 1:05 PM Subject: CLAMAV installation instructions? > I am interested in installing Mailscanner and testing it, but I would like > to implement CLAM-AV to scan for viruses as well. Has anyone documented > the procedure to install and use ClamAV with Mailscanner? Sorry I am not > a linux expert but I get around. I plan to use Redhat Fedora, will that > work? > From jbuda at NOTICIASARGENTINAS.COM Mon Feb 2 19:22:49 2004 From: jbuda at NOTICIASARGENTINAS.COM (Jose Julian Buda) Date: Thu Jan 12 21:22:16 2006 Subject: CLAMAV installation instructions? References: Message-ID: <002101c3e9c1$f7c700c0$6000a8c0@noticiasargentinas.com> did u see this site ? http://clamav.sourceforge.net/doc/html-0.65/ ----- Original Message ----- From: "Brian Lewis" To: Sent: Monday, February 02, 2004 4:05 PM Subject: CLAMAV installation instructions? > I am interested in installing Mailscanner and testing it, but I would like > to implement CLAM-AV to scan for viruses as well. Has anyone documented > the procedure to install and use ClamAV with Mailscanner? Sorry I am not > a linux expert but I get around. I plan to use Redhat Fedora, will that > work? From lenaig at WANADOO.FR Mon Feb 2 19:44:07 2004 
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:16 2006
Subject: questions using sendmail
Message-ID: <20040202194407.GA4752@maelenn>

hello,

I am a little bit confused with sendmail/Mailscanner ...
I just installed sendmail this afternoon, I tested it, everything is running fine.
I installed it on my laptop, I can send and receive mail ...
I am using mutt, procmail and fetchmail.
I read some documentation about exim and postfix, and in the exim one I read something very interesting, that mailscanner was moving (scanning) from /var/spool/incoming queue to /var/spool/mqueue.in queue all mails received.
How can I do the same thing with sendmail ??
I put the right path in my MailScanner.conf:

Incoming Queue Dir = /var/spool/mqueue.in
Outgoing Queue Dir = /var/spool/mqueue
Incoming Work Dir = /var/spool/incoming
Quarantine Dir = /var/spool/quarantine

But my mqueue.in is still empty ... something to do with sendmail/fetchmail ?

Thx

--
Thierry
Never do an "apt-get install new-wife" before an "apt-get remove --purge current-wife"

From shrek-m at GMX.DE Mon Feb 2 19:50:20 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:16 2006
Subject: CLAMAV installation instructions?
In-Reply-To:
References:
Message-ID: <401EA9FC.9030703@gmx.de>

Brian Lewis wrote:

>ClamAV with Mailscanner? Sorry I am not
>a linux expert but I get around. I plan to use Redhat Fedora, will that
>work?
>

yes :-)

eg.
At Sun Feb 1 05:32:04 2004 the virus scanner said:
Sophos: >>> Virus 'W32/MyDoom-A' found in file test.scr
ClamAV: test.scr contains Worm.SCO.A
MailScanner: Windows Screensavers are often used to hide viruses (test.scr)

$ cat /etc/fedora-release
Fedora Core release 1 (Yarrow)

$ rhn-applet-tui
Ignoring No package updates are needed.

$ clamscan --version
clamscan / ClamAV version 0.65

$ rpm -q mailscanner
mailscanner-4.26.5-1

$ grep "Virus Scanners" /etc/MailScanner/MailScanner.conf
# then set "Virus Scanners = none" instead.
# Virus Scanners = sophos f-prot mcafee
Virus Scanners = sophos clamav

--
shrek-m

From peter at UCGBOOK.COM Mon Feb 2 19:41:39 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:16 2006
Subject: CLAMAV installation instructions?
In-Reply-To: <198601c3e9c1$96371ca0$45a610ac@fleetone.com>
References: <198601c3e9c1$96371ca0$45a610ac@fleetone.com>
Message-ID: <401EA7F3.9040408@ucgbook.com>

Try this RPM instead:

http://crash.fce.vutbr.cz/crash-hat/1/clamav/

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From kevins at BMRB.CO.UK Mon Feb 2 19:57:24 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:16 2006
Subject: questions using sendmail
In-Reply-To: <20040202194407.GA4752@maelenn>
References: <20040202194407.GA4752@maelenn>
Message-ID: <1075751844.14737.22.camel@bach.kevinspicer.co.uk>

On Mon, 2004-02-02 at 19:44, Thierry wrote:
> Hello,
> I am a little bit confused with sendmail/MailScanner ...
> I just installed sendmail this afternoon, I tested it, everything is running fine.
> I installed it on my laptop, I can send and receive mail ...
> I am using mutt, procmail and fetchmail.
> I read some documentation about exim and postfix, and in the exim one I read something very interesting: that MailScanner was moving (scanning) all mails received from the /var/spool/incoming queue to the /var/spool/mqueue.in queue.
> How can I do the same thing with sendmail?
> I put the right paths in my MailScanner.conf:

> But my mqueue.in is still empty ... something to do with sendmail/fetchmail?

You need to stop sendmail, then start MailScanner, which will start the
sendmail processes itself. Here are the commands (assuming Red Hat or
similar...):

service MailScanner stop
service sendmail stop
chkconfig --level 2345 sendmail off
chkconfig --level 345 MailScanner on
service MailScanner start

I can confirm this works fine with fetchmail as this is one of my
setups.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From bpumphrey at WOODMACLAW.COM Mon Feb 2 20:38:51 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:16 2006
Subject: Disabling scanning for one person
Message-ID:

I have a user that doesn't want his mailbox scanned. How do I go about
disabling the scanning for one or more people specifically?

From dustin.baer at IHS.COM Mon Feb 2 20:40:48 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:16 2006
Subject: Skip scan for viruses
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> <401AA032.8FC7E858@ihs.com> <401AA25B.5050801@ucgbook.com> <1075488152.17925.7.camel@bach.kevinspicer.co.uk> <401AAB40.856224@ihs.com>
Message-ID: <401EB5D0.411C1A6E@ihs.com>

Dustin Baer wrote:
>
> Kevin Spicer wrote:
> >
> > Wouldn't it be better to spam whitelist the IP address of the
> > MailScanner machine (which is presumably where the message would be sent
> > from)?
>
> The MailScanner machine is whitelisted, but I add the header to the
> original qf, and send the df/qf pair back through. That way, the logs
> remain consistent.
>
> Although now that you bring it up, I might mess with changing the $_
> flag in the qf file, rather than adding the header.

Which should make it:

#!/bin/ksh
sed -e 's/^.$/H??X-SpamRequested-Email: Requested\
./' \
    -e 's/^\$_.*/$_[PUT YOUR WHITELISTED IP HERE]/' $emailID > qf$emailID.$$ && mv qf$emailID.$$ qf$emailID
cp *$i /var/spool/mqueue.in

I have left the SpamRequested header in there, just for info purposes,
but removed the rule from spam.assassin.prefs.conf. That way, spammers
can't benefit from it.

Again, thanks for mentioning it, Kevin!

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From steve.swaney at FSL.COM Mon Feb 2 20:51:56 2004
From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:16 2006 Subject: questions using sendmail In-Reply-To: <20040202194407.GA4752@maelenn> Message-ID: <20040202205156.2382021C139@mail.fsl.com> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Thierry > Sent: Monday, February 02, 2004 2:44 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: questions using sendmail > > hello, > I am a little bit confused with sendmail/Mailscanner ... > i just install sendmail this afternoon, i test it, everything is runnig > find. > I install it on my laptop, i can send ans receive mail ... > I am using mutt, procmail and fetchmail. > I read some documentations about exim and postfix, and about the exim one, > i read something very interesting, that mailscanner was moving (scanning) > from /var/spool/incoming queue to /var/spool/mqueue.in queue all mails > received. > How can i do the same thing with sendmail ?? > I put the right path in my MailScanner.conf: > > Incoming Queue Dir = /var/spool/mqueue.in > Outgoing Queue Dir = /var/spool/mqueue > Incoming Work Dir = /var/spool/incoming [SKS] Is mail being accepted by your system from other systems? Can you telnet to port 25 from another system? I also note that the incoming work directory should match your setting in MailScanner.conf Typically this is Incoming Work Dir = /var/spool/MailScanner/incoming The directory must exist and have the right permissions, typically for sendmail on linux: # ls -dl /var/spool/MailScanner/incoming drwxrwxrwt 2 root root 40 Feb 1 15:34 /var/spool/MailScanner/incoming Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > Quarantine Dir = /var/spool/quarantine > > But my mqueue.in still empty ... something to do with sendmai/fetchmail ? > > Thx > > -- > Thierry > Ne faites jamais un "apt-get install new-wife" avant > un "apt-get remove --purge current-wife" > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
Fortress Systems Ltd.
www.fsl.com

From merkel at METALINK.NET Mon Feb 2 21:01:11 2004
From: merkel at METALINK.NET (Eric J Merkel)
Date: Thu Jan 12 21:22:16 2006
Subject: Performance problems...(SOLVED)
References: <54C38A0B814C8E438EF73FC76F362927410885@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <010701c3e9cf$b06e8140$22c8a8c0@staff.metalink.net>

After loading caching DNS servers on all of our mail relays and changing
the sendmail queue runner to about an hour, the servers were able to catch
up. They're all running a load around 1.0-3.0 and only a few emails in the
mqueue.in at any time.

Thanks to everyone who gave me suggestions. MailScanner is now rocking
along with no lag! :)

Eric

----- Original Message -----
From: "Jeff A. Earickson"
To:
Sent: Friday, January 30, 2004 4:24 PM
Subject: Re: Performance problems...

> I *really* recommend running a caching DNS server on your
> box (and adding the physical memory to support it). Between the
> MTA, RBLs, MailScanner, SA, etc, etc, you will do a bzillion DNS
> lookups to get the mail delivered. Local caching is vital.
>
> Jeff Earickson
> Colby College
>
>

From mike at CAMAROSS.NET Mon Feb 2 21:10:33 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:16 2006
Subject: Disabling scanning for one person
In-Reply-To:
Message-ID: <200402022108.i12L8pH2008141@avwall.bladeware.com>

You can do this for virus scans AND spam. Just point the directive in
MailScanner.conf at a ruleset. In the ruleset:

FromTo: user@nottoscan.org no
FromTo: default yes

Reload MailScanner and you are done.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Billy A. Pumphrey
Sent: Monday, February 02, 2004 2:39 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Disabling scanning for one person

I have a user that doesn't want his mailbox scanned. How do I go about
disabling the scanning for one or more people specifically?

From ycayer at 3WEBMEDIA.COM Mon Feb 2 22:47:30 2004
From: ycayer at 3WEBMEDIA.COM (Yannick Cayer) Date: Thu Jan 12 21:22:16 2006 Subject: MailScanner suddently taking all the CPU and a lot of memory. Message-ID: <4915A8E67C498D42BAB5CB1351FD026E14AC36@3webad1.3WebMedia.int> Greetings, I have the following configuration: mailscanner-4.25-14 with spamassassin 2.61 sendmail 8.11.6-27 on an IBM x235 2 2.4GHZ Processors 1.25 GHZ of RAM Hot swapable raid 5 config. We have about a 100 small sites configured for mail mostly and some, web. This is running on RedHat Linux 7.3 Kernel 2.4.18-27.7.xsmp We have been running MailScanner on that machine for almost 2 years now without any problems. Since last week, MailScanner has been bringing the server almost to a complete halt, loads are skyrocking very suddently to 200! It is also taking at that time about 25MB per MailScanner process. It does this for several minutes to a few hours and then suddently comes back. I really don't know what can be causing this. I have read the mail archives for this problem but the solutions I found were not appropriate to my specific problem/condition. My config has the max attachments set to 5 and the MailScanner processes set to 10 (5 per CPU). Can anyone help? Thank you in advance. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040202/e9cf6bdc/attachment.html From kevins at BMRB.CO.UK Mon Feb 2 23:11:10 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:16 2006 Subject: MailScanner suddently taking all the CPU and a lot of memory. In-Reply-To: <4915A8E67C498D42BAB5CB1351FD026E14AC36@3webad1.3WebMedia.int> References: <4915A8E67C498D42BAB5CB1351FD026E14AC36@3webad1.3WebMedia.int> Message-ID: <1075763470.21194.53.camel@bach.kevinspicer.co.uk> On Mon, 2004-02-02 at 22:47, Yannick Cayer wrote: > We have about a 100 small sites configured for mail mostly and some, > web. > > This is running on RedHat Linux 7.3 Kernel 2.4.18-27.7.xsmp > > We have been running MailScanner on that machine for almost 2 years now > without any problems. > > Since last week, MailScanner has been bringing the server almost to a > complete halt, loads are skyrocking very suddently to 200! It is also > taking at that time about 25MB per MailScanner process. > > It does this for several minutes to a few hours and then suddently comes > back. > 'Since Last Week' - are you sure this isn't anything to do with the MyDoom outbreak and its associated bounce messages (the load on my production server doubled and it struggled to keep up at times). If you're not already doing so I suggest taking steps to block subjects/ email addresses used by this virus at your MTA (sendmail rulesets have ben posted several times in the last week - search the archives for 'LOCAL RULESET') BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
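[Added example, not part of any message in this archive.] One way to check whether a load spike lines up with bounce traffic, as the reply above asks: count accepted messages and null-sender (from=<>) messages per hour in a sendmail-style maillog. The sample log lines, host name and addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the list archive): hourly message volume and
# null-sender share from a sendmail-style maillog.

# Constructed sample log; host, queue IDs and addresses are made up.
sample_maillog() {
cat <<'EOF'
Feb  2 13:05:11 mx1 sendmail[2101]: i12D5B01002101: from=<alice@example.org>, size=2310, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Feb  2 13:05:12 mx1 sendmail[2103]: i12D5B01002101: to=<bob@example.com>, delay=00:00:01, mailer=local, stat=Sent
Feb  2 13:17:40 mx1 sendmail[2140]: i12DHe02002140: from=<carol@example.net>, size=8112, class=0, nrcpts=2, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Feb  2 13:31:02 mx1 sendmail[2188]: i12DV203002188: from=<>, size=3020, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.23]
Feb  2 13:48:55 mx1 sendmail[2230]: i12DmT04002230: from=<dave@example.org>, size=1500, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[192.0.2.44]
Feb  2 14:00:03 mx1 MailScanner[2290]: New Batch: Scanning 5 messages, 15730 bytes
Feb  2 14:00:09 mx1 sendmail[2301]: i12E0905002301: from=<>, size=2950, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.23]
Feb  2 14:02:31 mx1 sendmail[2310]: i12E2V06002310: from=<>, size=3104, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.61]
Feb  2 14:02:33 mx1 sendmail[2312]: i12E2V06002310: to=<nobody123@example.com>, delay=00:00:02, mailer=local, stat=User unknown
Feb  2 14:07:48 mx1 sendmail[2333]: i12E7m07002333: from=<erin@example.net>, size=910, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.80]
Feb  2 14:15:20 mx1 sendmail[2350]: i12EFK08002350: from=<>, size=2877, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.90]
Feb  2 14:29:05 mx1 sendmail[2377]: i12ET509002377: from=<>, size=3321, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.23]
Feb  2 14:51:44 mx1 sendmail[2412]: i12Epi10002412: from=<>, size=3010, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.112]
EOF
}

# Reads maillog lines on stdin and prints one line per hour, in log order:
#   <Mon>-<DD> <HH>:00 total=<n> null=<n> pct=<n>
hourly_sender_counts() {
    awk '
    # Only "from=" lines logged by the MTA mark an accepted message.
    # "to=" lines are delivery attempts and would double count.
    $5 ~ /^(sendmail|sm-mta)\[/ && match($0, /: from=[^,]*/) {
        sender = substr($0, RSTART + 7, RLENGTH - 7)
        hour = sprintf("%s-%02d %s:00", $1, $2, substr($3, 1, 2))
        if (!(hour in total)) order[++n] = hour
        total[hour]++
        # An empty envelope sender is how bounces (DSNs) arrive.
        if (sender == "<>") bounces[hour]++
    }
    END {
        for (i = 1; i <= n; i++) {
            h = order[i]
            printf "%s total=%d null=%d pct=%d\n", h, total[h], bounces[h] + 0, bounces[h] * 100 / total[h]
        }
    }'
}

# Prints the hours where at least $2 messages arrived and at least $1
# percent of them had a null sender.
flag_bounce_hours() {
    pct_min=$1
    total_min=$2
    hourly_sender_counts | awk -v p="$pct_min" -v t="$total_min" '
    {
        split($3, tot, "=")
        split($5, pct, "=")
        if (tot[2] + 0 >= t && pct[2] + 0 >= p) print $1, $2
    }'
}

# Stand-alone demonstration on the constructed sample.
sample_maillog | hourly_sender_counts
```

On a live system, redirect the real maillog into hourly_sender_counts instead of the sample; the log path depends on the syslog configuration.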
From ycayer at 3webmedia.com Mon Feb 2 23:13:55 2004 From: ycayer at 3webmedia.com (Yannick Cayer) Date: Thu Jan 12 21:22:16 2006 Subject: MailScanner suddently taking all the CPU and a lot of memory. In-Reply-To: A<1075763470.21194.53.camel@bach.kevinspicer.co.uk> Message-ID: <200402022314.i12NE6O16221@3webserv2.3webmedia.com> I guess I could set a rule with spamassassin to block the subjects.... > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer > Sent: Monday, February 02, 2004 6:11 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner suddently taking all the CPU and a > lot of memory. > > On Mon, 2004-02-02 at 22:47, Yannick Cayer wrote: > > > We have about a 100 small sites configured for mail mostly > and some, > > web. > > > > This is running on RedHat Linux 7.3 Kernel 2.4.18-27.7.xsmp > > > > We have been running MailScanner on that machine for almost 2 years > > now without any problems. > > > > Since last week, MailScanner has been bringing the server > almost to a > > complete halt, loads are skyrocking very suddently to 200! > It is also > > taking at that time about 25MB per MailScanner process. > > > > It does this for several minutes to a few hours and then suddently > > comes back. > > > > 'Since Last Week' - are you sure this isn't anything to do > with the MyDoom outbreak and its associated bounce messages > (the load on my production server doubled and it struggled to > keep up at times). If you're not already doing so I suggest > taking steps to block subjects/ email addresses used by this > virus at your MTA (sendmail rulesets have ben posted several > times in the last week - search the archives for 'LOCAL RULESET') > > > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact > the sender and delete this message immediately. Disclosure, > copying or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our business. 
> From kevins at BMRB.CO.UK Mon Feb 2 23:21:07 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:16 2006 Subject: MailScanner suddently taking all the CPU and a lot of memory. In-Reply-To: <200402022314.i12NE6O16221@3webserv2.3webmedia.com> References: <200402022314.i12NE6O16221@3webserv2.3webmedia.com> Message-ID: <1075764071.21509.5.camel@bach.kevinspicer.co.uk> On Mon, 2004-02-02 at 23:13, Yannick Cayer wrote: > > 'Since Last Week' - are you sure this isn't anything to do > > with the MyDoom outbreak and its associated bounce messages > > (the load on my production server doubled and it struggled to > > keep up at times). If you're not already doing so I suggest > > taking steps to block subjects/ email addresses used by this > > virus at your MTA (sendmail rulesets have ben posted several > > times in the last week - search the archives for 'LOCAL RULESET') > > I guess I could set a rule with spamassassin to block the subjects.... > That won't make much difference to the load on your system, you need to do it at the MTA, so that the mail is rejected at the rcpt or data stage of the SMTP transaction. That will save your mail server the trouble of scanning it for viruses and spam and the hassle of attempting delivery to non-existent users/domains. If you post which MTA you are using maybe someone could help. Have you established that this is what is causing your problem? (If you don't have any monitoring in place even just doing a wc -l on your daily maillog over the last couple of weeks should give you a flavour of what your mail load is like. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From ycayer at 3webmedia.com Mon Feb 2 23:25:07 2004 From: ycayer at 3webmedia.com (Yannick Cayer) Date: Thu Jan 12 21:22:16 2006 Subject: MailScanner suddently taking all the CPU and a lot of memory. In-Reply-To: A<1075764071.21509.5.camel@bach.kevinspicer.co.uk> Message-ID: <200402022325.i12NPIO17614@3webserv2.3webmedia.com> My MTA is sendmail I guess I could use some help in setting it up to block this... > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer > Sent: Monday, February 02, 2004 6:21 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner suddently taking all the CPU and a > lot of memory. > > On Mon, 2004-02-02 at 23:13, Yannick Cayer wrote: > > > 'Since Last Week' - are you sure this isn't anything to > do with the > > > MyDoom outbreak and its associated bounce messages (the > load on my > > > production server doubled and it struggled to keep up at > times). If > > > you're not already doing so I suggest taking steps to block > > > subjects/ email addresses used by this virus at your MTA > (sendmail > > > rulesets have ben posted several times in the last week - > search the > > > archives for 'LOCAL RULESET') > > > > I guess I could set a rule with spamassassin to block the > subjects.... > > > > That won't make much difference to the load on your system, > you need to do it at the MTA, so that the mail is rejected at > the rcpt or data stage of the SMTP transaction. That will > save your mail server the trouble of scanning it for viruses > and spam and the hassle of attempting delivery to > non-existent users/domains. If you post which MTA you are > using maybe someone could help. > > Have you established that this is what is causing your problem? (If > you don't have any monitoring in place even just doing a wc > -l on your daily maillog over the last couple of weeks should > give you a flavour of what your mail load is like. > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact > the sender and delete this message immediately. 
Disclosure, > copying or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our business. > From gareth at BIM7.COM Mon Feb 2 23:29:23 2004 From: gareth at BIM7.COM (Gareth) Date: Thu Jan 12 21:22:16 2006 Subject: incomingworkdir does not exist Message-ID: <023d01c3e9e4$63c2c530$0a11a8c0@dijon> Hi Guys I've installed MailScanner on Debain Woody, and configured Postfix to work with it using instructions at http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml. Everything seemed to go okay, and I am still receiving mail, but nothing is been filtered for spam and I have the following entries in /var/log/mail.log (about every 10 seconds!) Feb 2 23:20:04 lyon MailScanner[25810]: MailScanner E-Mail Virus Scanner version 4.26.7 starting... Feb 2 23:20:04 lyon MailScanner[25810]: Could not read directory /var/spool/MailScanner/incoming Feb 2 23:20:04 lyon MailScanner[25810]: Error in configuration file line 115, directory /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable) /var/spool/MailScanner/incoming does exist, and is owned by postfix and the group postfix. Permissions are 750. drwxr-x--- 2 mail mail 48 Feb 1 17:12 archive drwxr-x--- 2 postfix postfix 48 Feb 1 17:12 incoming drwxr-x--- 2 postfix postfix 48 Feb 1 17:12 quarantine Can anyone tell me what's going wrong? I've googled, and can't find anyone else with this problem. Thanks Gareth From rzewnickie at RFA.ORG Mon Feb 2 23:49:04 2004 
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:16 2006
Subject: incomingworkdir does not exist
In-Reply-To: <023d01c3e9e4$63c2c530$0a11a8c0@dijon>
References: <023d01c3e9e4$63c2c530$0a11a8c0@dijon>
Message-ID: <20040202234904.GC4984@rfa.org>

did you remember to set:

Run As User = postfix
Run As Group = postfix

?

-Eric Rz.

On Mon, Feb 02, 2004 at 11:29:23PM -0000, Gareth wrote:
> Hi Guys
>
> I've installed MailScanner on Debain Woody, and configured Postfix to work
> with it using instructions at
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml.
>
> Everything seemed to go okay, and I am still receiving mail, but nothing is
> been filtered for spam and I have the following entries in /var/log/mail.log
> (about every 10 seconds!)
>
> Feb 2 23:20:04 lyon MailScanner[25810]: MailScanner E-Mail Virus Scanner
> version 4.26.7 starting...
> Feb 2 23:20:04 lyon MailScanner[25810]: Could not read directory
> /var/spool/MailScanner/incoming
> Feb 2 23:20:04 lyon MailScanner[25810]: Error in configuration file line
> 115, directory /var/spool/MailScanner/incoming for incomingworkdir does not
> exist (or is not readable)
>
> /var/spool/MailScanner/incoming does exist, and is owned by postfix and the
> group postfix. Permissions are 750.
>
> drwxr-x--- 2 mail mail 48 Feb 1 17:12 archive
> drwxr-x--- 2 postfix postfix 48 Feb 1 17:12 incoming
> drwxr-x--- 2 postfix postfix 48 Feb 1 17:12 quarantine
>
> Can anyone tell me what's going wrong? I've googled, and can't find anyone
> else with this problem.
>
> Thanks
>
>
> Gareth

From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 3 00:17:27 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:16 2006
Subject: Perl modules in rpm
Message-ID: <08146035CA49D6119A36009027AC822A0264ED9B@CITY-EXCH-NTS>

I know from a previous inquiry months ago that the perl security patches are
included in the .rpm package, but I'm not sure if all the other Perl modules
(listed on the .tar page) are. I'm trying to document our setup so others
can build/upgrade as seamlessly as possible; do I need to download/install
the Perl modules prior to installing the rpm package or is it one stop
shopping?

Thanks much...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From test at NEXTMILL.NET Tue Feb 3 00:44:51 2004
From: test at NEXTMILL.NET (Brian Lewis)
Date: Thu Jan 12 21:22:16 2006
Subject: Redirecting multiple domains to multiple mail servers
Message-ID:

Ok, I have installed Fedora Core 1, MailScanner 4.26, SpamAssassin 2.63,
and ClamAV .065, what I want to do is configure it so I can change the MX
record on multiple domains to point to this server, and then after a
message passes the spam/virus check, it's sent on to the real server.

domain1.com ----> server1.whatever.com
domain2.com ----> server6.whatever.com
domainsoandso.com ----> server2.whatever.com
domainwhatnot.com ----> 192.168.0.101

How would I do this?

From steve.freegard at LBSLTD.CO.UK Tue Feb 3 00:44:45 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:16 2006
Subject: Announce: MailWatch for MailScanner 0.5
Message-ID: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk>

Hi All,

I'm pleased to finally release 0.5 which you can download from
http://www.sourceforge.net/projects/mailwatch.

CHANGE LOG
- Updated indexes for much greater performance (again!).
- Added preliminary support for per-user filters (see USER_FILTERS file).
- Added the ability to view quarantined items.
- All tables now enable a pager when returning more than 50 rows and allow
  ordering by any of the displayed columns.
- New tool to run SpamAssassin --lint and time the output for debugging SA.
- New F-Secure status page (like Sophos).
- Required PEAR modules now included.
- Added reporting of Blacklisted mails.
- Integrated the reporting of SpamAssassin Blacklisted/Whitelisted e-mails.
- Quoted printable strings are now automatically decoded before display.
- Configuration options moved from functions.php into conf.php
- Automatically works out VIRUS_REGEX by using the first value in
  MailScanner.conf - e.g. 'Virus Scanners = sophossavi clamavmodule' would
  activate the regexp for SophosSAVI.
- New 'Virus Report' allows comparison of multiple scanners (if you run
  more than one) and allows you to see 1st detection date/time of each
  virus by each scanner.
- Integration with Fortress Systems Secure Mail Gateway.

FIXES
- Multiple clean-ups of mailq.php to make it more robust.
- Greatly improved debugging of SQL statements.
- Quarantine now correctly looks in the non-spam quarantine directories.
- SA Rules Description Update now reads custom rules as well.
- sendmail_relay.php now works across log rotations.
- Increased memory_limit to 128M for quarantine functions.

Kind regards,
Steve.
-- MailWatch for MailScanner http://mailwatch.sourceforge.net -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From ugob at CAMO-ROUTE.COM Tue Feb 3 00:52:36 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:16 2006 Subject: questions using sendmail Message-ID: <54C38A0B814C8E438EF73FC76F362927410897@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Kevin Spicer [mailto:kevins@BMRB.CO.UK] > Envoy? : Monday, February 02, 2004 2:57 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Re: questions using sendmail > > > On Mon, 2004-02-02 at 19:44, Thierry wrote: > > hello, > > I am a little bit confused with sendmail/Mailscanner ... > > i just install sendmail this afternoon, i test it, > everything is runnig find. > > I install it on my laptop, i can send ans receive mail ... > > I am using mutt, procmail and fetchmail. > > I read some documentations about exim and postfix, and > about the exim one, i read something very interesting, that > mailscanner was moving (scanning) from /var/spool/incoming > queue to /var/spool/mqueue.in queue all mails received. > > How can i do the same thing with sendmail ?? > > I put the right path in my MailScanner.conf: > > > But my mqueue.in still empty ... something to do with > sendmai/fetchmail ? > > You need to stop sendmail then start mailscanner which will start the > sendmail processes itself. Here are the commands (assuming redhat or > similar...) > service MailScanner stop > service sendmail stop > chkconfig --level 2345 sendmail off > shkconfig --level 345 MailScanner on > service MailScanner start > > I can confirm this works fine with fetchmail as this is one of my > setups. I use fetchmail as well. No prob. > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. 
Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. > From ugob at CAMO-ROUTE.COM Tue Feb 3 00:54:13 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:16 2006 Subject: Disabling scanning for one person Message-ID: <54C38A0B814C8E438EF73FC76F362927410898@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Billy A. Pumphrey [mailto:bpumphrey@WOODMACLAW.COM] > Envoy? : Monday, February 02, 2004 3:39 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Disabling scanning for one person > > > I have a user that doesn't want his mailbox scanned. How do > I go about > disabling the scanning for one or more people specifically? You can see the rules tutorial in the faqs. > From ugob at CAMO-ROUTE.COM Tue Feb 3 00:56:19 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:16 2006 Subject: Redirecting multiple domains to multiple mail servers Message-ID: <54C38A0B814C8E438EF73FC76F362927410899@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Brian Lewis [mailto:test@NEXTMILL.NET] > Envoy? : Monday, February 02, 2004 7:45 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Redirecting multiple domains to multiple mail servers > > > Ok, I have installed Fedora Core 1, MailScanner 4.26, > SpamAssassin 2.63, > and ClamAV .065, what I want to do is configure it so I can > change the MX > record on multiple domains to point to this server, and then after a > message passes the spam/virus check, its sent on to the real server. > > domain1.com ----> server1.whatever.com > domain2.com ----> server6.whatever.com > domainsoandso.com ----> server2.whatever.com > domainwhatnot.com ----> 192.168.0.101 > > How would I do this? What mta? sendmail and postfix tutorial are available in the faqs. > From g.pentland at SOTON.AC.UK Tue Feb 3 00:52:42 2004 From: g.pentland at SOTON.AC.UK (Pentland G.) Date: Thu Jan 12 21:22:16 2006 Subject: NDR strategy Message-ID: I'm looking at this issue and some other routing problems at the moment... For now go to sendmail.org and search for "LDAP" it describes the LASER schema extension, sadly it appears that getting sendmail to work with the "mail" attribute is a little hard. If you are not the AD admin at your site then they might be concerned... in AD 2000 you cannot remove a schema change! 2003 allegedly fixes that. I'll post a howto when I have it all in place and working... Good luck -----Original Message----- From: Francois Caen [mailto:FCaen@CI.LAKEWOOD.WA.US] Sent: 02 February 2004 18:17 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: NDR strategy -----Original Message----- 
From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM] > There is way of setting up sendmail so it read from an Active > Directory server to validate the email address. have a google around for 'how to'. I suspect this is done by doing an LDAP lookup. If someone gets this to work or has a URL to post, I'd be interested. --------------------------------------------- Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 NOTICE: The Information contained in this transmission is privileged and confidential. It is intended for the use of the individual or entity named above. If the reader of this message is not the intended addressee or other legitimate recipient, the reader is hereby notified that any consideration, dissemination or duplication of this communication is strictly prohibited. If the addressee has received this communication in error, please return it to the above address by mail and notify this office by telephone. City of Lakewood From gdoris at ROGERS.COM Tue Feb 3 03:48:17 2004 
From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:22:16 2006 Subject: Announce: MailWatch for MailScanner 0.5 In-Reply-To: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk> Message-ID: <1075780097.5978.9.camel@jaguar.dorfam.ca> On Mon, 2004-02-02 at 19:44, Steve Freegard wrote: > Hi All, > > I'm pleased to finally release 0.5 which you can download from > http://www.sourceforge.net/projects/mailwatch. > > CHANGE LOG > - Updated indexes for much greater performance (again!). > - Added preliminary support for per-user filters (see USER_FILTERS file). > - Added the ability to view quarantined items. > - All tables now enable a pager when returning more than 50 rows and allow > ordering by any of the displayed columns. > - New tool to run SpamAssassin --lint and time the output for debugging SA. > - New F-Secure status page (like Sophos). > - Required PEAR modules now included. > - Added reporting of Blacklisted mails. > - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted e-mails. > - Quoted printable strings are now automatically decoded before display. > - Configuration options moved from functions.php into conf.php > - Automatically works out VIRUS_REGEX by using the first value in > MailScanner.conf - e.g. 'Virus Scanners = sophossavi clamavmodule' would > activate the regexp for SophosSAVI. > - New 'Virus Report' allows comparison of multiple scanners (if you run > more than one) and allows you to see 1st detection date/time of each > virus by each scanner. > - Integration with Fortress Systems Secure Mail Gateway. > > FIXES > - Multiple clean-ups of mailq.php to make it more robust. > - Greatly improved debugging of SQL statments. > - Quarantine now correctly looks in the non-spam quarantine directories. > - SA Rules Description Update now reads custom rules as well. > - sendmail_relay.php now works across log rotations. 
> - Increased memory_limit to 128M for quarantine functions. > > Kind regards, > Steve. I've just upgraded from 0.4 on a Fedora system. All seems to be working as advertised! -- Gerry Doris From gareth at BIM7.COM Tue Feb 3 08:15:32 2004 From: gareth at BIM7.COM (Gareth) Date: Thu Jan 12 21:22:16 2006 Subject: incomingworkdir does not exist References: <023d01c3e9e4$63c2c530$0a11a8c0@dijon> <20040202234904.GC4984@rfa.org> Message-ID: <027801c3ea2d$e4b6d0c0$0a11a8c0@dijon> > did you remember to set: > > Run As User = postfix > Run As Group = postfix > > > Feb 2 23:20:04 lyon MailScanner[25810]: MailScanner E-Mail Virus Scanner > > version 4.26.7 starting... > > Feb 2 23:20:04 lyon MailScanner[25810]: Could not read directory > > /var/spool/MailScanner/incoming > > Feb 2 23:20:04 lyon MailScanner[25810]: Error in configuration file line > > 115, directory /var/spool/MailScanner/incoming for incomingworkdir does not > > exist (or is not readable) > > > > /var/spool/MailScanner/incoming does exist, and is owned by postfix and the > > group postfix. Permissions are 750. > > Yeah.. I did that in /etc/MailScanner/MailScanner.conf Any other suggestions much appreciated. Gareth From steve at INTELIPORT.COM Tue Feb 3 08:05:40 2004 
From: steve at INTELIPORT.COM (Stephen Lane) Date: Thu Jan 12 21:22:16 2006 Subject: Need some help Hijacked Returned domain Message-ID: <02af01c3ea2c$88b50090$f90010ac@iplanet2385> Hi everyone, We have in recent days been the recipient of spammers using our domain name as a return address. They use all kinds of names etc.. I could really use some assistance in trying to stop this or at least handle the bounce mail better, we are also getting a extreme amount of mail from null senders logs are filled with from=<> on one of our server we have 20,000 entries in the last 15 hours. Any hints, comments, ideas on stopping this I just added dnsbl.sorbs.net to sendmail and it's already starting to help (BTW great job Matthew) are others having this problem also? it seems this started up a couple of days ago after MyDoom hit. Is anyone else having this happen or has seen this before. below is an example of the a org message that was returned I left off the information from where it was bounced. Thanks in advance Steve --- Start Content-Type: message/rfc822 Message-ID: 
From: Roseanna Escalante To: webmaster@northernbus.com Subject: FWD: Available All. X@nax , v|agR@ _ \ Va:l:ium = S0ma , Pn:t:er min 4v5tR Date: Wed, 4 Feb 2004 02:23:41 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2656.59) X-MS-Embedded-Report: Content-Type: text/plain; charset="iso-8859-1" We believe ordering medication should be as simple as ordering anything else on the Internet: Private, secure, and easy. On stock: \ Xan|a|x ) Val/i/um = So+m+a = Pntermin $ V1Agr@ Plus: A'cyc|0vir, Pr0z@.c, P@`xil, Bus:p@r, Ad|p&.x, I0`nam|n, M3ri:dia, X3nic.a|, Am`bi3n, S0na.Ta, F`l3xeril, Ce|3br'ex, Fi0ri`c3t, T'ram@do|, U|t`r@m, L3:v|tra, Pr0p3ci`a Most trusted name brands. Enjoy deep discount meds here ------_=_NextPart_000_01C3EA29.1039B262-- ---End -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040203/dbffa802/attachment.html From jdbautista at IWSPC.COM Tue Feb 3 08:38:38 2004 From: jdbautista at IWSPC.COM (Joseph C. Bautista) Date: Thu Jan 12 21:22:16 2006 Subject: Announce: MailWatch for MailScanner 0.5 References: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk> Message-ID: <00e601c3ea31$255aa360$4c04a8c0@Plnt3domain> Hi All, I think i followed the instruction correct. My Mailscanner is logging to mysql database. But everytime i point my browser to http://localhost/mailscanner it gives me an error: Fatal error: Call to undefined function: mysql_pconnect() in /home/httpd/html/mailscanner/functions.php on line 273 Anyone knows how to fixed this? Thnx. ----- Original Message ----- 
From: "Steve Freegard" To: Sent: Tuesday, February 03, 2004 8:44 AM Subject: Announce: MailWatch for MailScanner 0.5 > Hi All, > > I'm pleased to finally release 0.5 which you can download from > http://www.sourceforge.net/projects/mailwatch. > > CHANGE LOG > - Updated indexes for much greater performance (again!). > - Added preliminary support for per-user filters (see USER_FILTERS file). > - Added the ability to view quarantined items. > - All tables now enable a pager when returning more than 50 rows and allow > ordering by any of the displayed columns. > - New tool to run SpamAssassin --lint and time the output for debugging SA. > - New F-Secure status page (like Sophos). > - Required PEAR modules now included. > - Added reporting of Blacklisted mails. > - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted e-mails. > - Quoted printable strings are now automatically decoded before display. > - Configuration options moved from functions.php into conf.php > - Automatically works out VIRUS_REGEX by using the first value in > MailScanner.conf - e.g. 'Virus Scanners = sophossavi clamavmodule' would > activate the regexp for SophosSAVI. > - New 'Virus Report' allows comparison of multiple scanners (if you run > more than one) and allows you to see 1st detection date/time of each > virus by each scanner. > - Integration with Fortress Systems Secure Mail Gateway. > > FIXES > - Multiple clean-ups of mailq.php to make it more robust. > - Greatly improved debugging of SQL statments. > - Quarantine now correctly looks in the non-spam quarantine directories. > - SA Rules Description Update now reads custom rules as well. > - sendmail_relay.php now works across log rotations. > - Increased memory_limit to 128M for quarantine functions. > > Kind regards, > Steve. 
> > -- > MailWatch for MailScanner > http://mailwatch.sourceforge.net > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer viruses. From steve.freegard at LBSLTD.CO.UK Tue Feb 3 09:06:37 2004 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:22:17 2006 Subject: Announce: MailWatch for MailScanner 0.5 Message-ID: <67D9E7698329D411936E00508B6590B902773E43@neelix.lbsltd.co.uk> Hi Joseph, You're getting this error because your copy of PHP doesn't have the MySQL module installed or compiled in. If you are running RedHat install the php-mysql RPM from your installation CD's and restart apache and it will start working. Kind regards, Steve. > -----Original Message----- > From: Joseph C. Bautista [mailto:jdbautista@IWSPC.COM] > Sent: 03 February 2004 08:39 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Announce: MailWatch for MailScanner 0.5 > > > Hi All, > > I think i followed the instruction correct. My > Mailscanner is logging to mysql database. But everytime i > point my browser to > > http://localhost/mailscanner it gives me an error: > > Fatal error: Call to undefined function: > mysql_pconnect() in > /home/httpd/html/mailscanner/functions.php on line 273 > > Anyone knows how to fixed this? > > Thnx. > > > ----- Original Message ----- 
> From: "Steve Freegard" > To: > Sent: Tuesday, February 03, 2004 8:44 AM > Subject: Announce: MailWatch for MailScanner 0.5 > > > > Hi All, > > > > I'm pleased to finally release 0.5 which you can download from > > http://www.sourceforge.net/projects/mailwatch. > > > > CHANGE LOG > > - Updated indexes for much greater performance (again!). > > - Added preliminary support for per-user filters (see USER_FILTERS > > file). > > - Added the ability to view quarantined items. > > - All tables now enable a pager when returning more than 50 > rows and allow > > ordering by any of the displayed columns. > > - New tool to run SpamAssassin --lint and time the output > for debugging > SA. > > - New F-Secure status page (like Sophos). > > - Required PEAR modules now included. > > - Added reporting of Blacklisted mails. > > - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted > e-mails. > > - Quoted printable strings are now automatically decoded before > > display. > > - Configuration options moved from functions.php into conf.php > > - Automatically works out VIRUS_REGEX by using the first value in > > MailScanner.conf - e.g. 'Virus Scanners = sophossavi > clamavmodule' would > > activate the regexp for SophosSAVI. > > - New 'Virus Report' allows comparison of multiple scanners > (if you run > > more than one) and allows you to see 1st detection > date/time of each > > virus by each scanner. > > - Integration with Fortress Systems Secure Mail Gateway. > > > > FIXES > > - Multiple clean-ups of mailq.php to make it more robust. > > - Greatly improved debugging of SQL statments. > > - Quarantine now correctly looks in the non-spam quarantine > > directories. > > - SA Rules Description Update now reads custom rules as well. > > - sendmail_relay.php now works across log rotations. > > - Increased memory_limit to 128M for quarantine functions. > > > > Kind regards, > > Steve. 
> >
> > --
> > MailWatch for MailScanner
> > http://mailwatch.sourceforge.net
> >
> > --
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error please notify
> > the sender and delete the message from your mailbox.
> >
> > This footnote also confirms that this email message has been swept by
> > MailScanner (www.mailscanner.info) for the presence of computer
> > viruses.
>

--
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by
MailScanner (www.mailscanner.info) for the presence of computer viruses.

From stephane.branchoux at UNIV-PERP.FR Tue Feb 3 09:41:10 2004
From: stephane.branchoux at UNIV-PERP.FR (stephane BRANCHOUX)
Date: Thu Jan 12 21:22:17 2006
Subject: scan zip files
Message-ID: <467301c3ea39$db6216e0$0688a7c2@belleile>

Hello,

i use mailscanner 4.12 with mcafee. Zip files are authorized but is there a way to scan zip files ?
Last virus is sent in a zip file and i would like to scan it without blocking all zip files.

Many thanks in advance.

stephane BRANCHOUX
Centre de Ressources Informatiques de l'Université de Perpignan.
Systèmes/Réseaux
mailto:stephane.branchoux@univ-perp.fr
04 68 66 21 24

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3827 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040203/183c9afd/smime.bin

From prandal at HEREFORDSHIRE.GOV.UK Tue Feb 3 10:13:42 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:17 2006 Subject: CLAMAV installation instructions? Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4D3@jessica.herefordshire.gov.uk> Or: Virus Scanners = clamavmodule Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of shrek-m@gmx.de > Sent: 02 February 2004 19:50 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: CLAMAV installation instructions? > > > Brian Lewis wrote: > > >ClamAV with Mailscanner? Sorry I am not > >a linux expert but I get around. I plan to use Redhat > Fedora, will that > >work? > > > > yes :-) > > eg. > > At Sun Feb 1 05:32:04 2004 the virus scanner said: > Sophos: >>> Virus 'W32/MyDoom-A' found in file test.scr > ClamAV: test.scr contains Worm.SCO.A > MailScanner: Windows Screensavers are often used to hide > viruses (test.scr) > > > > > $ cat /etc/fedora-release > Fedora Core release 1 (Yarrow) > > $ rhn-applet-tui > Ignoring > No package updates are needed. > > $ clamscan --version > clamscan / ClamAV version 0.65 > > $ rpm -q mailscanner > mailscanner-4.26.5-1 > > $ grep "Virus Scanners" /etc/MailScanner/MailScanner.conf > # then set "Virus Scanners = none" instead. > # Virus Scanners = sophos f-prot mcafee > Virus Scanners = sophos clamav > > > -- > shrek-m > From mailscanner at ecs.soton.ac.uk Tue Feb 3 09:07:30 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:17 2006 Subject: Perl modules in rpm In-Reply-To: <08146035CA49D6119A36009027AC822A0264ED9B@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264ED9B@CITY-EXCH-NTS> Message-ID: <6.0.1.1.2.20040203090707.073a8680@imap.ecs.soton.ac.uk> At 00:17 03/02/2004, you wrote: >I know from a previous inquiry months ago that the perl security patches are >included in the .rpm package, but I'm not sure if all the other Perl modules >(listed on the .tar page) are. I'm trying to document our setup so others >can build/upgrade as seamlessly as possible; do I need to download/install >the Perl modules prior to installing the rpm package or is it one stop >shopping? Thanks much... The RPM distributions of MailScanner include everything you need. Just unpack them and "./install.sh". -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 3 09:09:37 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:17 2006 Subject: Need some help Hijacked Returned domain In-Reply-To: <02af01c3ea2c$88b50090$f90010ac@iplanet2385> References: <02af01c3ea2c$88b50090$f90010ac@iplanet2385> Message-ID: <6.0.1.1.2.20040203090855.073aba60@imap.ecs.soton.ac.uk> Take a look at using the "access database" in sendmail to block unknown recipients at the SMTP level. It's all documented at www.sendmail.org. At 08:05 03/02/2004, you wrote: >Hi everyone, > >We have in recent days been the recipient of spammers using our domain >name as a return address. They use all kinds of names etc.. >I could really use some assistance in trying to stop this or at least >handle the bounce mail better, we are also getting a extreme amount >of mail from null senders logs are filled with from=<> on one of our >server we have 20,000 entries in the last 15 hours. > >Any hints, comments, ideas on stopping this I just added dnsbl.sorbs.net >to sendmail and it's already starting to help (BTW great job Matthew) >are others having this problem also? it seems this started up a couple of >days ago after MyDoom hit. Is anyone else having this happen or has >seen this before. > >below is an example of the a org message that was returned I left off the >information from where it was bounced. > >Thanks in advance >Steve >--- Start > >Content-Type: message/rfc822 > >Message-ID: ><QVMEELMZZSXALGDVYHSPYZ@fidalgo.net> 
>From: Roseanna Escalante ><webmaster@inteliport.com> >To: webmaster@northernbus.com >Subject: FWD: Available All. X@nax , v|agR@ _ \ Va:l:ium = >S0ma , Pn:t:er > min 4v5tR >Date: Wed, 4 Feb 2004 02:23:41 -0500 >MIME-Version: 1.0 >X-Mailer: Internet Mail Service (5.5.2656.59) >X-MS-Embedded-Report: >Content-Type: text/plain; > charset="iso-8859-1" > >We believe ordering medication should be as simple as ordering anything else >on the Internet: Private, secure, and easy. >On stock: \ Xan|a|x ) Val/i/um = So+m+a = Pntermin $ V1Agr@ >Plus: A'cyc|0vir, Pr0z@.c, P@`xil, Bus:p@r, >Ad|p&.x, I0`nam|n, M3ri:dia, >X3nic.a|, Am`bi3n, S0na.Ta, F`l3xeril, Ce|3br'ex, Fi0ri`c3t, >T'ram@do|, >U|t`r@m, L3:v|tra, Pr0p3ci`a > >Most trusted name brands. >Enjoy deep discount meds here ><http://www.affordablemeds.biz> >------_=_NextPart_000_01C3EA29.1039B262-- > >---End -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From gareth at BIM7.COM Tue Feb 3 10:42:57 2004 From: gareth at BIM7.COM (Gareth) Date: Thu Jan 12 21:22:17 2006 Subject: incomingworkdir does not exist In-Reply-To: <027801c3ea2d$e4b6d0c0$0a11a8c0@dijon> References: <023d01c3e9e4$63c2c530$0a11a8c0@dijon> <20040202234904.GC4984@rfa.org> <027801c3ea2d$e4b6d0c0$0a11a8c0@dijon> Message-ID: <4160.62.49.205.2.1075804977.squirrel@squirrelmail.bim7.com> >> did you remember to set: >> >> Run As User = postfix >> Run As Group = postfix >> > Yeah.. I did that in /etc/MailScanner/MailScanner.conf > I've just changed the owernship /var/spool/MailScanner/ to 'postfix' and this seems to have stopped the error messages in mail.log. However, none of my incoming email has any MailScanner headers appended... how can I test everything is work? Email is still sent and received okay, and MailScanner is running if I do a ps -edf | grep MailScanner. Gareth From Tim.Hadlow at BL.UK Tue Feb 3 10:59:51 2004 
From: Tim.Hadlow at BL.UK (Hadlow, Tim) Date: Thu Jan 12 21:22:17 2006 Subject: JANET RBL+ time-outs Message-ID: <5D6AD0E24C704645A0F1F1431B9F21610433A034@NT-LONEX2> Hello, Since yesterday (I think) our MailScanner has been reporting rather a lot of "RBL Check MAPS-RBL+ timed out and was killed" messages. This is the rbl-plus.mail-abuse.ja.net service used by the UK Academic Community. Has anyone else noticed if they are having the same problem? Regards, Tim. ************************************************************************** Experience the British Library online at www.bl.uk Adopt a Book this season ! Help the British Library conserve the world's knowledge. www.bl.uk/adoptabook ************************************************************************* The information contained in this e-mail is confidential and may be legally privileged. It is intended for the addressee(s) only. If you are not the intended recipient, please delete this e-mail and notify the postmaster@bl.uk : The contents of this e-mail must not be disclosed or copied without the sender's consent. The statements and opinions expressed in this message are those of the author and do not necessarily reflect those of the British Library. The British Library does not take any responsibility for the views of the author. ************************************************************************* From mailscanner at ecs.soton.ac.uk Tue Feb 3 10:55:14 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:17 2006
Subject: incomingworkdir does not exist
In-Reply-To: <4160.62.49.205.2.1075804977.squirrel@squirrelmail.bim7.com>
References: <023d01c3e9e4$63c2c530$0a11a8c0@dijon> <20040202234904.GC4984@rfa.org> <027801c3ea2d$e4b6d0c0$0a11a8c0@dijon> <4160.62.49.205.2.1075804977.squirrel@squirrelmail.bim7.com>
Message-ID: <6.0.1.1.2.20040203105459.04148758@imap.ecs.soton.ac.uk>

At 10:42 03/02/2004, you wrote:
> >> did you remember to set:
> >>
> >> Run As User = postfix
> >> Run As Group = postfix
> >>
> > Yeah.. I did that in /etc/MailScanner/MailScanner.conf
> >
>
>I've just changed the ownership /var/spool/MailScanner/ to 'postfix' and
>this seems to have stopped the error messages in mail.log.

Can someone add that to the FAQ please?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve at INTELIPORT.COM Tue Feb 3 11:23:38 2004
From: steve at INTELIPORT.COM (Stephen Lane)
Date: Thu Jan 12 21:22:17 2006
Subject: Need some help Hijacked Returned domain
Message-ID:

If I do use the access list or sendmail.cf won't that break the DSN rule, and if so what will the effect of doing so be.

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 3 11:45:40 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:17 2006 Subject: NDR strategy Message-ID: > I suspect this is done by doing an LDAP lookup. Correct which is why we are not using it. I would like to have my Exim/Sendmail only talk to Exchange via SMTP. Therefore we push this information towards Exim. We wrote a little script that exports all valid e-mail adresses to the unix box, convert this to a cdb and have exim look this up. Works automatically and flawlessly. Regards, JP From martinh at SOLID-STATE-LOGIC.COM Tue Feb 3 11:50:27 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:17 2006 Subject: NDR strategy In-Reply-To: References: Message-ID: <401F8B03.7040802@solid-state-logic.com> Jan-Peter Koopmann wrote: >>I suspect this is done by doing an LDAP lookup. > > > Correct which is why we are not using it. I would like to have my > Exim/Sendmail only talk to Exchange via SMTP. Therefore we push this > information towards Exim. We wrote a little script that exports all > valid e-mail adresses to the unix box, convert this to a cdb and have > exim look this up. Works automatically and flawlessly. > > Regards, > JP JP have you got this script and the exim settings? I'd love to setup this on our exim system. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 3 11:53:15 2004 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:17 2006 Subject: BSD pb running MailScanner Message-ID: Thierry, as you know I answered to your question and in turn asked you several. Again: From what you told me off list I am pretty sure your MTA setup is wrong. Your mail is probably received by ssmtp and delivered right away instead of being stored in a queue. Therefore MailScanner never sees it. Again: Please check if you receive mail if mailscanner is not running. If you do, my assumption is correct. Moreover: Why do you not use sendmail/exim/postfix but ssmtp? That is really not the MTA you would like to use for this kind of purpose. Thanks, JP From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 3 12:05:05 2004 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:17 2006 Subject: SPF and MailScanner Message-ID: > I have yet to see a solution to the problem that actually > will work in real life. SPF requires me to keep track of all > the IP addresses of every outgoing-mail-server used by > BTInternet, for example.They change their setup (for > maintenance or whatever) and all of a sudden all my mail is > rejected. Yeah, great idea :-( Not necessarily true. First of all this is voluntarily. If you decide not to give your domain SPF records nothing will change. If you do you could use things like ptr, mx or include directive: Mx: Allow mail being sent from all hosts that also accept mail for this domain Ptr: Allow mail for this host from all IPs that resolve to your domain. Include: If BTInternet support SPF simply include btinternet and you do not need to worry. I fail to see why BTInternet is a problem for you? Are you behind a dial-up like connection and run your own mailserver? That might be a problem I agree. Companies tend to run their MTAs behind a static IP though and have their remote users use SMTP AUTH to make sure, outgoing mail is proberly scanned etc. Personally I think SPF is a good concept. Not perfect, but good! Regards, JP From ronan at NOC.ULCC.AC.UK Tue Feb 3 12:00:28 2004 
From: ronan at NOC.ULCC.AC.UK (Ronan Flood) Date: Thu Jan 12 21:22:17 2006 Subject: JANET RBL+ time-outs In-Reply-To: <5D6AD0E24C704645A0F1F1431B9F21610433A034@NT-LONEX2> from "Hadlow, Tim" at Feb 03, 2004 10:59:51 AM Message-ID: Tim Hadlow wrote: > Since yesterday (I think) our MailScanner has been reporting rather a lot of > "RBL Check MAPS-RBL+ timed out and was killed" messages. This is the > rbl-plus.mail-abuse.ja.net service used by the UK Academic Community. That's probably because one of the servers is currently in transit; sorry about that. Should be back in service tomorrow afternoon. Perhaps I should have taken it out of the zone, but I thought the DNS would cope ... ---**--- Ronan Flood Tel: +44 20 7692 1432 Fax: +44 20 7692 1234 Network Services, University of London Computer Centre From christo at IT4AFRICA.CO.ZA Tue Feb 3 11:16:28 2004 From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:17 2006 Subject: Announce: MailWatch for MailScanner 0.5 {Virus Scanned} In-Reply-To: <67D9E7698329D411936E00508B6590B902773E43@neelix.lbsltd.co.uk> Message-ID: <015d01c3ea47$2b0b6310$660210ac@christoxp> After I upgraded my Mailwatch I get the following error in my log and no mail is delivered. My queues are filling up. My config RH9 MS latest stable Feb 3 13:17:51 mailtest MailScanner[22842]: Cannot insert row: Column count doesn't match value count at row 1 From spamtrap71892316634 at ANIME.NET Tue Feb 3 12:27:19 2004 From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:22:17 2006 Subject: SPF and MailScanner In-Reply-To: Message-ID: On Tue, 3 Feb 2004, Jan-Peter Koopmann wrote: > Personally I think SPF is a good concept. Not perfect, but good! Exactly. *my* domain, *my* rules. Period. That's all SPF does, it lets *me* enforce *my* rules on usage of *my* domain. -Dan From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 3 12:38:40 2004 
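Added example, not part of any post in the thread: a reduced SPF evaluator showing how the `mx` and `include` mechanisms described in the SPF discussion above resolve against DNS, and what a receiver returns when an included provider publishes no record. The DNS table, domains and addresses are constructed; only `ip4`, `mx`, `include` and `all` are handled, and `ptr` is left out because RFC 7208 discourages publishing it.

```python
"""Minimal SPF check_host() over constructed DNS data (added illustration)."""
import ipaddress

# Constructed zone data: example domains and documentation address ranges.
DNS = {
    ("example.org", "TXT"): ["v=spf1 mx include:isp.example.net -all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.10"],
    ("isp.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    # A domain that includes a provider publishing no SPF record at all.
    ("broken.example", "TXT"): ["v=spf1 include:nospf.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns a list of record strings."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def mx_addresses(domain):
    """Addresses of every host that accepts mail for the domain."""
    return {ipaddress.ip_address(a)
            for host in lookup(domain, "MX")
            for a in lookup(host, "A")}


def check_host(ip, domain, depth=0):
    """Return the SPF result for a connecting IP and a sender domain."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    records = [t for t in lookup(domain, "TXT")
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"                   # domain has not opted in to SPF
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                 # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "mx":
            matched = addr in mx_addresses(arg or domain)
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            # An include target without a usable record is an error for the
            # including domain, not a silent non-match.
            if inner in ("none", "permerror"):
                return "permerror"
            if inner == "temperror":
                return "temperror"
            matched = inner == "pass"
        else:
            raise NotImplementedError("mechanism not covered here: " + term)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.org"),
                    ("198.51.100.25", "example.org"),
                    ("203.0.113.5", "example.org"),
                    ("203.0.113.5", "broken.example")]:
        print(ip, dom, check_host(ip, dom))
```
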
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:17 2006
Subject: NDR strategy
Message-ID:

Hi Martin,

> JP
>
> have you got this script and the exim settings? I'd love to
> setup this on our exim system.

Sure. On the DC we use the following vbs script:

    const FILENAME= "whitelist-adresses.txt" 'File name for exporting data from AD
    const LDAPQUERY= "LDAP://yourserver/DC=intern,DC=youractivedirectory,DC=de" 'LDAP query to Active Directory, where

    Dim con, com, rs, fso, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(FILENAME, 2, True) ' ForReading = 1, ForWriting = 2, ForAppending = 8
    Set con = CreateObject("ADODB.Connection")
    Set com = CreateObject("ADODB.Command")
    con.Provider = "ADsDSOObject"
    con.Open "Active Directory Provider"
    Set com.ActiveConnection = con
    com.CommandText = "select proxyAddresses from '" & LDAPQUERY & "' where objectClass= 'user' or objectClass='group' order by sn "
    com.Properties("Page Size") = 1000
    Set rs = com.Execute
    rs.MoveFirst
    While Not rs.EOF
        TProxyAddresses = rs.Fields("proxyAddresses")
        If Not IsNull(TProxyAddresses) Then
            TProxyAddressesCount = UBound(TProxyAddresses)
            For i = 0 To TProxyAddressesCount
                If LCase(Left(TProxyAddresses(i),4))="smtp" Then
                    f.Write lcase(trim(Mid(TProxyAddresses(i),6))) & VBLf
                End If
            Next
        End If
        rs.MoveNext
    Wend
    rs.Close
    f.Close
    wscript.quit

This script is running every 30 minutes. You will have to adjust the LDAPQUERY to suit your DC structure of course. If whitelist-adresses.txt differs from the old version we scp it to our exim server in the DMZ. On that server we check for a new version, convert the .txt into a .map and then convert that to a cdb. The .txt file has the format

    Validemail@yourdomain.com

We simply change that to

    validemail@yourdomain.com 1

and then convert this to a cdb using this little script (which we use for all kinds of cdbs...)

    #! /usr/bin/perl
    while(<>) {
        # skip comments
        next if /^\s*#/;
        # skip empty lines
        next if /^\s*$/;
        # chop off trailing newline
        chop;
        # delete leading whitespace
        s/^\s+//;
        # retrieve key and value from the input line
        ($key, $value) = split(/:\s*/, $_, 2);
        # emit cdbmake input line
        printf "+%d,%d:%s->%s\n", length($key), length($value), $key, $value;
    }
    print "\n";

After this all you need to do is run cdbmake and store the cdb to the location you want it. In Exims configure (the incoming one obviously) we define a domainlist

    domainlist check_rcpt_domains = yourdomain1 : yourdomain2

Only mails for domains in this list will be checked against the whitelist. In the rcpt_acl you need to put

    accept  domains = +check_rcpt_domains
            endpass
            message = user unknown
            recipients = cdb;/usr/local/etc/exim/whitelist-rcpt.cdb

And that's it. Moreover we manually maintain a blacklist for the e-mails that exist in the company but should not be able to receive mails from the internet.

I hope this gives you a kick start.

Regards,
JP

From m.sapsed at BANGOR.AC.UK Tue Feb 3 12:53:08 2004
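Added example, not part of Jan-Peter Koopmann's post or of any list message: a Python sketch of the conversion step described in the NDR strategy message above, turning an exported address list into cdbmake input records (`+klen,dlen:key->data`, ended by an empty line) and reading them back to confirm the declared lengths. The function names, the shape check and the sample addresses are assumptions made for illustration; lower-casing mirrors the `lcase(trim(...))` call in the export script.

```python
"""Build cdbmake input for a recipient whitelist (added illustration)."""
import re
import sys

# Conservative shape check for an exported SMTP address (an assumption of
# this sketch): one "@", no whitespace or control characters, dotted domain.
_ADDR_RE = re.compile(r"^[^\s@<>\x00-\x1f]+@[a-z0-9-]+(\.[a-z0-9-]+)+$")

# Constructed sample of what the export file might contain.
SAMPLE_EXPORT = [
    "Alice.Smith@Example.com\n",
    "alice.smith@example.com\n",      # duplicate once lower-cased
    "sales@example.com\n",
    "\n",
    "broken address@example.com\n",   # embedded space: rejected
    "postmaster@example.com\r\n",
]


def normalise_addresses(lines):
    """Return (accepted, rejected); lower-cased, de-duplicated, in order."""
    accepted, rejected, seen = [], [], set()
    for raw in lines:
        addr = raw.strip().lower()
        if not addr or addr.startswith("#"):
            continue
        if not _ADDR_RE.match(addr):
            # Keep rejects for review instead of silently whitelisting them.
            rejected.append(raw.rstrip("\r\n"))
            continue
        if addr not in seen:
            seen.add(addr)
            accepted.append(addr)
    return accepted, rejected


def cdbmake_records(addresses, value=b"1"):
    """Encode addresses as cdbmake input, one record per address."""
    out = bytearray()
    for addr in addresses:
        key = addr.encode("utf-8")
        # Lengths are byte lengths, not character counts.
        out += b"+%d,%d:%s->%s\n" % (len(key), len(value), key, value)
    out += b"\n"                      # empty line terminates the input
    return bytes(out)


def parse_cdbmake(data):
    """Parse cdbmake input back into a dict, trusting only declared lengths."""
    table, pos = {}, 0
    while data[pos:pos + 1] == b"+":
        comma = data.index(b",", pos)
        colon = data.index(b":", comma)
        klen = int(data[pos + 1:comma])
        dlen = int(data[comma + 1:colon])
        key = data[colon + 1:colon + 1 + klen]
        arrow = colon + 1 + klen
        if data[arrow:arrow + 2] != b"->":
            raise ValueError("malformed record at byte %d" % pos)
        end = arrow + 2 + dlen
        if data[end:end + 1] != b"\n":
            raise ValueError("record length mismatch at byte %d" % pos)
        table[key] = data[arrow + 2:end]
        pos = end + 1
    if data[pos:] != b"\n":
        raise ValueError("missing terminating empty line")
    return table


if __name__ == "__main__":
    ok, bad = normalise_addresses(SAMPLE_EXPORT)
    for line in bad:
        print("rejected: %r" % line, file=sys.stderr)
    sys.stdout.buffer.write(cdbmake_records(ok))
```
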
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:22:17 2006 Subject: Enterprise Library + MailScanner References: <00ad01c3e5b8$6a7a77e0$0501a8c0@darkside> <6.0.1.1.2.20040128165239.03bf91e0@imap.ecs.soton.ac.uk> Message-ID: <401F99B4.9090108@bangor.ac.uk> Julian Field wrote: >> Sophos has a replacement for their Enterprise Manager called >> Enterprise Library, and it now supports Linux (and other >> *nix and Novell) instead of just Windows clients. How >> difficult would it be to have MailScanner update Sophos >> from a CID or a web CID? >> >> Or is it a bad idea to automaticaly upgrade the engine? > > The only time I ever automatically upgraded the engine, it broke SAVI. I > had to rebuild the perl SAVI module to get it to work again. > So I'm a little wary of going down that path. I've been using EM Library to update the copy of Sophos I use on my Linux MailScanner testbed for some time now as I was trying out the beta version. It appears to run ok and has upgraded the engine at least once while I've been using it. I cobbled a perl script to use the same lock file as Julian's autoupdate prog while the update ran (or at least I think I did!) but it could probably do with more error checking. Basically there is a script in the EM distribution of Sophos for *ix which maintains a copy of the CID and if anything changes, it updates the cache and then runs Sophos' install.sh. The script reads some settings from a config file in /etc so you can "MailScanner-ise" the folders it uses and it appears to work ok but this is on a lightly loaded server. I'm contemplating setting it up on our 3 Solaris mail hubs but haven't had the bottle yet! Given Julian's comments about SAVI, maybe using EM in conjunction with SAVI isn't wise but if you're just using sweep then it might be of interest, if you're already running EM anyway. 
We seem to have had a couple of cases where the mail hubs didn't get their engine upgraded promptly enough and hence were unable to get the latest updates with Julian's script - I could do without that happening again...! Julian - have you looked at this stuff at all?? Would you be interested in looking at the scripts etc? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From steve.freegard at LBSLTD.CO.UK Tue Feb 3 12:56:13 2004 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:22:17 2006 Subject: Announce: MailWatch for MailScanner 0.5 {Virus Scanned} Message-ID: <67D9E7698329D411936E00508B6590B902773E46@neelix.lbsltd.co.uk> Hi Christo, Make sure that you have copied MailWatch.pm from the mailwatch-0.5 tarball into /usr/lib/MailScanner/MailScanner as this could cause the symptons you report. Kind regards, Steve. > -----Original Message----- > From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA] > Sent: 03 February 2004 11:16 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Announce: MailWatch for MailScanner 0.5 {Virus Scanned} > > > After I upgraded my Mailwatch I get the following error in my > log and no mail is delivered. My queues are filling up. > > My config RH9 MS latest stable > > Feb 3 13:17:51 mailtest MailScanner[22842]: Cannot insert > row: Column count doesn't match value count at row 1 > -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From carles at UNLIMITEDMAIL.ORG Tue Feb 3 13:11:08 2004 
From: carles at UNLIMITEDMAIL.ORG (Carles Xavier Munyoz Baldó)
Date: Thu Jan 12 21:22:17 2006
Subject: 2 MailScanners, 1 Bayes DataBase.
Message-ID: <200402031411.08171.carles@unlimitedmail.org>

Hi,
I must use two MailScanners for two different Sendmails installed in the same computer (one for the MX server and the other used as RELAY SMTP for my internet users).

I would like that the two MailScanners use the same Bayes DataBase for the SpamAssassin.
I will use the bayes_path configuration option in the spam.assassin.prefs.conf file to point to the same bayes database in the two MailScanner instances:
bayes_path /var/spool/spamassassin/bayes

Is there any problem in this ?
Any race condition ?

Any suggestion about this 2 MailScanners setup ?
May I install only one MailScanner and then run two MailScanner instances using a different MailScanner.conf file for each one (I need two MailScanner because each Sendmail uses its own email queue) ?
Which configuration parameters must I take into account ?

Greetings.
---
Carles Xavier Munyoz Baldó
carles@unlimitedmail.org
http://www.unlimitedmail.net/
---

From martinh at SOLID-STATE-LOGIC.COM Tue Feb 3 13:44:27 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:17 2006
Subject: 2 MailScanners, 1 Bayes DataBase.
In-Reply-To: <200402031411.08171.carles@unlimitedmail.org>
References: <200402031411.08171.carles@unlimitedmail.org>
Message-ID: <401FA5BB.7090409@solid-state-logic.com>

Carles Xavier Munyoz Baldó wrote:
> Hi,
> I must use two MailScanners for two different Sendmails installed in the same
> computer (one for the MX server and the other used as RELAY SMTP for my
> internet users).
>
> I would like that the two MailScanners use the same Bayes DataBase for the
> SpamAssassin.
> I will use the bayes_path configuration option in the spam.assassin.prefs.conf
> file to point to the same bayes database in the two MailScanner instances:
> bayes_path /var/spool/spamassassin/bayes
>
> Is there any problem in this ?
> Any race condition ?
>
> Any suggestion about this 2 MailScanners setup ?
> May I install only one MailScanner and then run two MailScanner instances
> using a different MailScanner.conf file for each one (I need two MailScanner
> because each Sendmail uses its own email queue) ?
> Which configuration parameters must I take into account ?
>
> Greetings.
> ---
> Carles Xavier Munyoz Baldó
> carles@unlimitedmail.org
> http://www.unlimitedmail.net/
> ---

Carles

there was some talk on this on the spamassassin email list a couple of weeks ago.

Basically you should be OK provided only one of the SA instances (or MS in this case) is writing to the bayes DB for autolearning and manual spam training. Also the MailScanner doing the writing should be the one which has the bayes DB locally.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From Ulysees at ULYSEES.COM Tue Feb 3 13:53:44 2004
From: Ulysees at ULYSEES.COM (Ulysees)
Date: Thu Jan 12 21:22:17 2006
Subject: [OT ish] converting charsets
Message-ID: <000501c3ea5d$2364e9e0$3201010a@nimitz>

Running 4.25-14 with sendmail on Fedora passing through to exchange and I've been getting a few funky messages & I'm not sure if it's the MTA or mailscanner that's to blame

Mails come through to the exchange box with the following message:

This message uses a character set that is not supported by the Internet Service. To view the original message content, open the attached message. If the text doesn't display correctly, save the attachment to disk, and then open it using a viewer that can display the original character set.
<>

message.txt appears to be the actual email + headers

interesting bit is below, any ideas ?

Content-Type: text/plain; charset=unknown-8bit
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by mailscanner.ulysees.com id i0S9MQxp027610

From steve at INTELIPORT.COM Tue Feb 3 14:05:48 2004
From: steve at INTELIPORT.COM (Stephen Lane)
Date: Thu Jan 12 21:22:17 2006
Subject: Located issue Joe-Job attack Was Hijacked Returned domain
Message-ID:

I've located what this attack is called "Joe-Job" and I'm trying to figure out how to accept from=<> then discard it at the MTA. Does anyone have a sendmail.cf config rule that shows how to do this.

Thanks in advance

Steve

From ugob at CAMO-ROUTE.COM Tue Feb 3 14:05:55 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:17 2006
Subject: scan zip files
Message-ID: <54C38A0B814C8E438EF73FC76F36292741089E@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: stephane BRANCHOUX [mailto:stephane.branchoux@UNIV-PERP.FR]
> Sent: Tuesday, February 03, 2004 4:41 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: scan zip files
>
>
> Hello,
>
> i use mailscanner 4.12 with mcafee.
>
> Zip files are authorized but is there a way to scan zip files ?

The zip files are usually scanned by your virus scanner.

>
> Last virus is sent in a zip file and i would like to scan it without
>
> blocking all zip files.
>
> Many thanks in advance.
>
> stephane BRANCHOUX
> Centre de Ressources Informatiques de l'Université de Perpignan.
> Systèmes/Réseaux
> mailto:stephane.branchoux@univ-perp.fr
> 04 68 66 21 24
>
>

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 3 14:07:16 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:17 2006
Subject: [OT ish] converting charsets
Message-ID:

> exchange and I've been getting a few funky messages & I'm not
> sure if it's the MTA or mailscanner that's to blame

Most probably not mailscanner and perhaps not your MTA. Is the sender MUA/MTA correctly configured? Is this happening for all mails or just for one sender?

Regards,
JP

From mailscanner at ecs.soton.ac.uk Tue Feb 3 13:51:28 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:17 2006
Subject: 200,000 downloads of MailScanner
Message-ID: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk>

MailScanner has just passed the 200,000 downloads milestone!

Many thanks to all of you for helping to spread the word and make my little bit of code possibly the most widely-used combined email virus scanner and spam detector in the world.

Let's see how fast the web site can munch through the next 200,000 :-)

Jules.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 3 13:33:24 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:17 2006
Subject: Enterprise Library + MailScanner
In-Reply-To: <401F99B4.9090108@bangor.ac.uk>
References: <00ad01c3e5b8$6a7a77e0$0501a8c0@darkside> <6.0.1.1.2.20040128165239.03bf91e0@imap.ecs.soton.ac.uk> <401F99B4.9090108@bangor.ac.uk>
Message-ID: <6.0.1.1.2.20040203133154.07c3d7b8@imap.ecs.soton.ac.uk>

At 12:53 03/02/2004, you wrote:
>Julian Field wrote:
>>>Sophos has a replacement for their Enterprise Manager called
>>>Enterprise Library, and it now supports Linux (and other
>>>*nix and Novell) instead of just Windows clients. How
>>>difficult would it be to have MailScanner update Sophos
>>>from a CID or a web CID?
>>>
>>>Or is it a bad idea to automatically upgrade the engine?
>>
>>The only time I ever automatically upgraded the engine, it broke SAVI. I
>>had to rebuild the perl SAVI module to get it to work again.
>>So I'm a little wary of going down that path.
>
>I've been using EM Library to update the copy of Sophos I use on my
>Linux MailScanner testbed for some time now as I was trying out the beta
>version. It appears to run ok and has upgraded the engine at least once
>while I've been using it.
>
>I cobbled a perl script to use the same lock file as Julian's autoupdate
>prog while the update ran (or at least I think I did!) but it could
>probably do with more error checking.
>
>Basically there is a script in the EM distribution of Sophos for *ix
>which maintains a copy of the CID and if anything changes, it updates
>the cache and then runs Sophos' install.sh. The script reads some
>settings from a config file in /etc so you can "MailScanner-ise" the
>folders it uses and it appears to work ok but this is on a lightly
>loaded server. I'm contemplating setting it up on our 3 Solaris mail
>hubs but haven't had the bottle yet!
>
>Given Julian's comments about SAVI, maybe using EM in conjunction with
>SAVI isn't wise but if you're just using sweep then it might be of
>interest, if you're already running EM anyway. We seem to have had a
>couple of cases where the mail hubs didn't get their engine upgraded
>promptly enough and hence were unable to get the latest updates with
>Julian's script - I could do without that happening again...!
>
>Julian - have you looked at this stuff at all?? Would you be interested
>in looking at the scripts etc?

No, I haven't looked into it myself, I just do the upgrade by hand every 3 months. My experience with the SAVI perl problem was enough to put me off doing this for a while. I guess I could automate the build and installation of the perl module too. Would be good to take a quick look at the scripts though.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jaearick at COLBY.EDU Tue Feb 3 14:34:31 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:17 2006
Subject: a ghost in filetype.rules.conf
Message-ID:

Julian,

I've been scratching my head on this one for several versions of MailScanner now. The head of our athletics dept (who uses a Mac) will send emails to other coaches, plain text. Two coaches who reply (they use Windows) sporadically get their replies rejected with:

    No programs allowed (msg-8402-111.txt)
                             ^^^^^^^^ numbers differ

This same rejection message pops up with other users on rare occasions, but mostly with these two coaches and the Athletic Director. I've had our PC staff look at all three machines for viruses, nothing.

I've put my system into quarantine mode, with "Quarantine Whole Message = yes", and stared at the result. There is no attachment. I've run the entire message thru clam and sophos, clean. Nothing there but plain text reply to a plain text message. My only oddball change in MS relating to text is my specification of ISO-8859-1 charset instead of ascii. I've modified my filetype.rules.conf so that I can figure out which rule causes the rejection (ELF or executable).

Any ideas or suggestions on this one? I can provide an example if need be. (setup: Sol9, MS 4.26.8, SA 2.63, razor).

Jeff Earickson
Colby College

From christo at IT4AFRICA.CO.ZA Tue Feb 3 13:53:50 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:17 2006
Subject: Announce: MailWatch for MailScanner 0.5 {Virus Scanned}
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E46@neelix.lbsltd.co.uk>
Message-ID: <017501c3ea5d$2754c1b0$660210ac@christoxp>

Thanx

I missed the part of copying the file. Working like a charm now.

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Freegard
> Sent: 03 February 2004 02:56 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Announce: MailWatch for MailScanner 0.5 {Virus Scanned}
>
>
> Hi Christo,
>
> Make sure that you have copied MailWatch.pm from the
> mailwatch-0.5 tarball into /usr/lib/MailScanner/MailScanner
> as this could cause the symptoms you report.
>
> Kind regards,
> Steve.
>
> > -----Original Message-----
> > From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA]
> > Sent: 03 February 2004 11:16
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Announce: MailWatch for MailScanner 0.5 {Virus Scanned}
> >
> >
> > After I upgraded my Mailwatch I get the following error in
> my log and
> > no mail is delivered. My queues are filling up.
> >
> > My config RH9 MS latest stable
> >
> > Feb 3 13:17:51 mailtest MailScanner[22842]: Cannot insert
> > row: Column count doesn't match value count at row 1
> >
> > --
> This email and any files transmitted with it are confidential
> and intended solely for the use of the individual or entity
> to whom they are addressed. If you have received this email
> in error please notify the sender and delete the message from
> your mailbox.
>
> This footnote also confirms that this email message has been
> swept by MailScanner (www.mailscanner.info) for the presence
> of computer viruses.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> Mailscanner thanks IT For Africa for their support.
>

From ryan at MARINOCRANE.COM Tue Feb 3 14:42:41 2004
From: ryan at MARINOCRANE.COM (Ryan Pitt)
Date: Thu Jan 12 21:22:17 2006
Subject: Announce: MailWatch for MailScanner 0.5
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk>
Message-ID: <401FB361.3030500@marinocrane.com>

Thanks Steve,
Awesome job, as always!

Ryan Pitt

Steve Freegard wrote:

>Hi All,
>
>I'm pleased to finally release 0.5 which you can download from
>http://www.sourceforge.net/projects/mailwatch.
>
>CHANGE LOG
>- Updated indexes for much greater performance (again!).
>- Added preliminary support for per-user filters (see USER_FILTERS file).
>- Added the ability to view quarantined items.
>- All tables now enable a pager when returning more than 50 rows and allow
>  ordering by any of the displayed columns.
>- New tool to run SpamAssassin --lint and time the output for debugging SA.
>- New F-Secure status page (like Sophos).
>- Required PEAR modules now included.
>- Added reporting of Blacklisted mails.
>- Integrated the reporting of SpamAssassin Blacklisted/Whitelisted e-mails.
>- Quoted printable strings are now automatically decoded before display.
>- Configuration options moved from functions.php into conf.php
>- Automatically works out VIRUS_REGEX by using the first value in
>  MailScanner.conf - e.g. 'Virus Scanners = sophossavi clamavmodule' would
>  activate the regexp for SophosSAVI.
>- New 'Virus Report' allows comparison of multiple scanners (if you run
>  more than one) and allows you to see 1st detection date/time of each
>  virus by each scanner.
>- Integration with Fortress Systems Secure Mail Gateway.
>
>FIXES
>- Multiple clean-ups of mailq.php to make it more robust.
>- Greatly improved debugging of SQL statements.
>- Quarantine now correctly looks in the non-spam quarantine directories.
>- SA Rules Description Update now reads custom rules as well.
>- sendmail_relay.php now works across log rotations.
>- Increased memory_limit to 128M for quarantine functions.
>
>Kind regards,
>Steve.
>
>--
>MailWatch for MailScanner
>http://mailwatch.sourceforge.net
>
>--
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the sender and delete the message from your mailbox.
>
>This footnote also confirms that this email message has been swept by
>MailScanner (www.mailscanner.info) for the presence of computer viruses.
>
>
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From taz at AZTEK-ENG.COM Tue Feb 3 15:15:33 2004
From: taz at AZTEK-ENG.COM (taz)
Date: Thu Jan 12 21:22:17 2006
Subject: Dual-headed email servers
Message-ID: <00f001c3ea68$91c43840$270100bf@backlab>

Please don't overpost on this one. You can just email me directly.

I would like to know if anyone knows where I can find information about dual-heading an email server, if that is what it is called. (two or more email servers with users spread across them for load-balancing, speed and such). We are needing something like this or similar to test a new email server that is going into the DMZ, but not online yet. We want it to function like a normal email server, but only with 5-10 users on it. This would be in a sendmail configuration.

Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040203/25a729a8/attachment.html

From mkettler at EVI-INC.COM Tue Feb 3 16:01:00 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:17 2006
Subject: scan zip files
In-Reply-To: <467301c3ea39$db6216e0$0688a7c2@belleile>
References: <467301c3ea39$db6216e0$0688a7c2@belleile>
Message-ID: <6.0.0.22.0.20040203105953.0270cf60@xanadu.evi-inc.com>

At 04:41 AM 2/3/2004, stephane BRANCHOUX wrote:
>i use mailscanner 4.12 with mcafee.
>
>Zip files are authorized but is there a way to scan zip files ?
>
>Last virus is sent in a zip file and i would like to scan it without
>
>blocking all zip files.

That should work out-of-the-box without any additional configuration..

Have you tested it (ie: email yourself a zipfile containing EICAR or something of the sort?)

From email at ace.net.au Tue Feb 3 15:59:57 2004
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:22:17 2006
Subject: Located issue Joe-Job attack Was Hijacked Returned domain
In-Reply-To:
References:
Message-ID: <200402040229570674.0049AF19@smtp1.ace.net.au>

I don't think there is any simple way to defeat this.

If you want to get brutal, there was some stuff posted last year to add to sendmail.mc that allowed you to block by various words in the subject, so you could for eg block the following

undeliverable mail
undelivered mail
returned mail
delivery fail

etc etc, breaks the rules though.

I got lucky as most of these return addresses had numbers in them, eg joe25r@domain.com and I have never allowed numbers in the first part of the email address - due to a limitation in the original accounting system I used.

I managed to make an entry that rejected any To: address here that had a number in it, and that has virtually eliminated the problem.

Peter

*********** REPLY SEPARATOR ***********

On 3/02/2004 at 2:05 PM Stephen Lane wrote:

>I've located what this attack is called "Joe-Job" and I'm trying to
>figure out how to accept from=<> then discard it at the MTA. Does anyone
>have a sendmail.cf config rule that shows how to do this.
>
>Thanks in advance
>
>Steve

From jwilliam at KCR.UKY.EDU Tue Feb 3 16:04:52 2004
From: jwilliam at KCR.UKY.EDU (John Williams)
Date: Thu Jan 12 21:22:18 2006
Subject: 200,000 downloads of MailScanner
In-Reply-To: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk>
Message-ID: <6.0.0.22.2.20040203105723.01b97460@mail.kcr.uky.edu>

Congrats!

Just this morning I was talking to Sendmail.com about upgrading our version of Sendmail. While on the phone I was curious and asked them about their anti-spam package. She said it would cost a little over $8000, the minimum 500 user license. I said that being a University and facing budget cuts we couldn't afford it and told her we would continue to use MailScanner and Sophos. She said that she had heard of MailScanner and many of her customers told her the same thing.

Just thought you might want to know. Thanks for filling such a great need!

With gratitude,
John

At 08:51 AM 2/3/2004, you wrote:
>MailScanner has just passed the 200,000 downloads milestone!
>
>Many thanks to all of you for helping to spread the word and make my little
>bit of code possibly the most widely-used combined email virus scanner and
>spam detector in the world.
>
>Let's see how fast the web site can munch through the next 200,000 :-)
>
>Jules.

John P. Williams, MA
Systems Analyst, Sr.
University of Kentucky/Kentucky Cancer Registry
2365 Harrodsburg Rd, Suite A230
Lexington, KY 40504-3381
Telephone: (859)219-0773 x283
Fax: (859)219-0557
mailto:jwilliam@kcr.uky.edu
http://www.kcr.uky.edu

--Statement of Confidentiality--
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Thank you.

From Eric.Doutreleau at INT-EVRY.FR Tue Feb 3 16:26:09 2004
From: Eric.Doutreleau at INT-EVRY.FR (Eric Doutreleau)
Date: Thu Jan 12 21:22:18 2006
Subject: Announce: MailWatch for MailScanner 0.5
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk>
Message-ID: <1075825568.6884.9.camel@rezo.int-evry.fr>

Do we still have to use the perl-DBD-MySQL 2.1028 version or can we switch to the latest version available?

On Tue 03/02/2004 at 01:44, Steve Freegard wrote:
> Hi All,
>
> I'm pleased to finally release 0.5 which you can download from
> http://www.sourceforge.net/projects/mailwatch.
>
> CHANGE LOG
> - Updated indexes for much greater performance (again!).
> - Added preliminary support for per-user filters (see USER_FILTERS file).
> - Added the ability to view quarantined items.
> - All tables now enable a pager when returning more than 50 rows and allow
>   ordering by any of the displayed columns.
> - New tool to run SpamAssassin --lint and time the output for debugging SA.
> - New F-Secure status page (like Sophos).
> - Required PEAR modules now included.
> - Added reporting of Blacklisted mails.
> - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted e-mails.
> - Quoted printable strings are now automatically decoded before display.
> - Configuration options moved from functions.php into conf.php
> - Automatically works out VIRUS_REGEX by using the first value in
>   MailScanner.conf - e.g. 'Virus Scanners = sophossavi clamavmodule' would
>   activate the regexp for SophosSAVI.
> - New 'Virus Report' allows comparison of multiple scanners (if you run
>   more than one) and allows you to see 1st detection date/time of each
>   virus by each scanner.
> - Integration with Fortress Systems Secure Mail Gateway.
>
> FIXES
> - Multiple clean-ups of mailq.php to make it more robust.
> - Greatly improved debugging of SQL statements.
> - Quarantine now correctly looks in the non-spam quarantine directories.
> - SA Rules Description Update now reads custom rules as well.
> - sendmail_relay.php now works across log rotations.
> - Increased memory_limit to 128M for quarantine functions.
>
> Kind regards,
> Steve.
>
> --
> MailWatch for MailScanner
> http://mailwatch.sourceforge.net
>
> --
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the sender and delete the message from your mailbox.
>
> This footnote also confirms that this email message has been swept by
> MailScanner (www.mailscanner.info) for the presence of computer viruses.

From Ulysees at ULYSEES.COM Tue Feb 3 16:32:53 2004
From: Ulysees at ULYSEES.COM (Ulysees)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT ish] converting charsets
References:
Message-ID: <000701c3ea73$5f951410$3201010a@nimitz>

The mails that cause this always come from the same group of sites. I've also found that it happens if I turn on full headers in the virus reports. This doesn't happen on a 4.23-11 on rh7.2 box that I'm retiring.

Uly

----- Original Message -----
From: "Jan-Peter Koopmann"
To:
Sent: Tuesday, February 03, 2004 2:07 PM
Subject: Re: [MAILSCANNER] [OT ish] converting charsets

> exchange and I've been getting a few funky messages & I'm not
> sure if it's the MTA or mailscanner that's to blame

Most probably not mailscanner and perhaps not your MTA. Is the sender MUA/MTA correctly configured? Is this happening for all mails or just for one sender?

Regards,
JP

From gdoris at rogers.com Tue Feb 3 16:48:52 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:22:18 2006
Subject: 200,000 downloads of MailScanner
In-Reply-To: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk>
Message-ID: <62310.129.80.22.143.1075826932.squirrel@tiger.dorfam.ca>

> MailScanner has just passed the 200,000 downloads milestone!
>
> Many thanks to all of you for helping to spread the word and make my
> little
> bit of code possibly the most widely-used combined email virus scanner and
> spam detector in the world.
>
> Let's see how fast the web site can munch through the next 200,000 :-)
>
> Jules.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

Congratulations! However, I heard a rumour that it was really your mother that downloaded most of those copies...is that true?

Gerry

From dwinkler at ALGORITHMICS.COM Tue Feb 3 16:50:27 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:18 2006
Subject: MAPS-RBL
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B197@tormail2.algorithmics.com>

We're considering paying for MAPS-RBL services. Any comments on its effectiveness?

Thanks,

Derek Winkler
Security Administrator
Algorithmics
185 Spadina Ave
Toronto, Ontario
Canada M5T 2C6
Phone: 416-217-4107
Fax: 416-971-6100

From bpumphrey at WOODMACLAW.COM Tue Feb 3 17:07:28 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:18 2006
Subject: MailScanner.conf questions
Message-ID:

1. In the web site about the MailScanner.conf it says (with some text taken out) talking about spam.whitelist.rules:

Is Definitely Not Spam
You will probably want to include your own site (or your own site's IP addresses) in this ruleset.

Does that mean put:
From: *@domain.com
or
FromOrTo *@domain.com

It would seem that if it said FromOrTo, that it would treat all mail as not spam and "not" perform any blocking.

2. Is this how to disable blocking for a user ID:
FromOrTo: user@domain.com yes

3. Do you have to configure the spamassassin white list also, being that you have to configure the whitelist in 2 places? Spam.whitelist.rules and spam.assassin.prefs.conf?

Thank you for any answers.

Billy Pumphrey

From test at NEXTMILL.NET Tue Feb 3 17:20:05 2004
From: test at NEXTMILL.NET (Brian Lewis)
Date: Thu Jan 12 21:22:18 2006
Subject: Getting SpamAssassin installation could not be found error
Message-ID:

Fresh Install
Fedora Core 1 (Perl 5.8.1 selected at installation)
MailScanner: mailscanner-4.26.8-1.rpm.tar
SpamAssassin: spamassassin-2.63-1.i386.rpm & perl-mail-spamassassin-2.63-1.i386.rpm
Antivirus: clamav-0.65-4.i386.rpm
Installed via CPAN - Net::DNS, Time::HiRes, Pod::Usage

/var/log/maillog shows every 10 seconds:
Feb 4 09:11:10 mailcheck MailScanner[2840]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 4 09:11:10 mailcheck MailScanner[2840]: SpamAssassin installation could not be found

Listed all RPMs, there was only one Perl (5.8.1) and SpamAssassin (2.63), uninstalled SpamAssassin and its perl-mail rpms, reinstalled, rebooted server, still does not help.

Copied /usr/lib/perl5/site_perl/5.8.1/ to /usr/lib/perl5/site_perl/5.6.1/ as the FAQ states and it didn't help.

Don't have a /usr/lib/perl5/site_perl/5.8.1/Mail FOLDER as mentioned in the FAQ under SpamAssassin:installation could not be found

Any advice on what next to troubleshoot would be greatly appreciated

From marco at MUW.EDU Tue Feb 3 17:42:49 2004
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:22:18 2006
Subject: Getting SpamAssassin installation could not be found error
In-Reply-To:
References:
Message-ID: <1075830169.401fdd9998bdc@webmail.MUW.Edu>

Uninstall the SpamAssassin RPMS and install SA from CPAN:

    perl -MCPAN -e shell
    o con prerequisites_policy ask
    install Mail::SpamAssassin

This is guaranteed to work !!!

Quoting Brian Lewis :

> Fresh Install
> Fedora Core 1 (Perl 5.8.1 selected at installation)
> MailScanner: mailscanner-4.26.8-1.rpm.tar
> SpamAssassin: spamassassin-2.63-1.i386.rpm & perl-mail-spamassassin-2.63-
> 1.i386.rpm
> Antivirus: clamav-0.65-4.i386.rpm
> Installed via CPAN - Net::DNS, Time::HiRes, Pod::Usage
>
> /var/log/maillog shows every 10 seconds:
> Feb 4 09:11:10 mailcheck MailScanner[2840]: MailScanner E-Mail Virus
> Scanner version 4.26.8 starting...
> Feb 4 09:11:10 mailcheck MailScanner[2840]: SpamAssassin installation
> could not be found
>
> Listed all RPMs, there was only one Perl (5.8.1) and SpamAssassin (2.63),
> uninstalled SpamAssassin and its perl-mail rpms, reinstalled, rebooted
> server, still does not help.
>
> Copied /usr/lib/perl5/site_perl/5.8.1/ to /usr/lib/perl5/site_perl/5.6.1/
> as the FAQ states and it didn't help.
>
> Don't have a /usr/lib/perl5/site_perl/5.8.1/Mail FOLDER as mentioned in
> the FAQ under SpamAssassin:installation could not be found
>
> Any advice on what next to troubleshoot would be greatly appreciated
>

From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 3 17:27:33 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:18 2006
Subject: 200,000 downloads of MailScanner
Message-ID: <08146035CA49D6119A36009027AC822A0264ED9F@CITY-EXCH-NTS>

>Let's see how fast the web site can munch through the next 200,000 :-)

It'll be no time at all once we get you knighted!

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From marco at MUW.EDU Tue Feb 3 17:44:35 2004
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:22:18 2006
Subject: Getting SpamAssassin installation could not be found error
In-Reply-To:
References:
Message-ID: <1075830274.401fde0303cf4@webmail.MUW.Edu>

Please correct this line from my previous response to:

    o conf prerequisites_policy ask

Quoting Brian Lewis :

> Fresh Install
> Fedora Core 1 (Perl 5.8.1 selected at installation)
> MailScanner: mailscanner-4.26.8-1.rpm.tar
> SpamAssassin: spamassassin-2.63-1.i386.rpm & perl-mail-spamassassin-2.63-
> 1.i386.rpm
> Antivirus: clamav-0.65-4.i386.rpm
> Installed via CPAN - Net::DNS, Time::HiRes, Pod::Usage
>
> /var/log/maillog shows every 10 seconds:
> Feb 4 09:11:10 mailcheck MailScanner[2840]: MailScanner E-Mail Virus
> Scanner version 4.26.8 starting...
> Feb 4 09:11:10 mailcheck MailScanner[2840]: SpamAssassin installation
> could not be found
>
> Listed all RPMs, there was only one Perl (5.8.1) and SpamAssassin (2.63),
> uninstalled SpamAssassin and its perl-mail rpms, reinstalled, rebooted
> server, still does not help.
>
> Copied /usr/lib/perl5/site_perl/5.8.1/ to /usr/lib/perl5/site_perl/5.6.1/
> as the FAQ states and it didn't help.
>
> Don't have a /usr/lib/perl5/site_perl/5.8.1/Mail FOLDER as mentioned in
> the FAQ under SpamAssassin:installation could not be found
>
> Any advice on what next to troubleshoot would be greatly appreciated
>

"I don't know the key to success, but the key to failure is trying to please everybody." -Bill Cosby
____________________________________________________________
Marco Obaid
Network Administrator
McDevitt Hall
W-Box 1621
Columbus MS 39701
____________________________________________________________
M I S S I S S I P P I   U N I V E R S I T Y   F O R   W O M E N

From marco at MUW.EDU Tue Feb 3 17:46:10 2004
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:22:18 2006
Subject: 200,000 downloads of MailScanner
In-Reply-To: <08146035CA49D6119A36009027AC822A0264ED9F@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264ED9F@CITY-EXCH-NTS>
Message-ID: <1075830370.401fde6240d87@webmail.MUW.Edu>

Hi Jules,

200,000+ thank-yous for your work and efforts !!!

Marco

> >Let's see how fast the web site can munch through the next 200,000 :-)
>

From test at NEXTMILL.NET Tue Feb 3 17:33:12 2004
From: test at NEXTMILL.NET (Brian Lewis)
Date: Thu Jan 12 21:22:18 2006
Subject: Getting SpamAssassin installation could not be found error
Message-ID:

Ok I solved my own problem

perl-mail-spamassassin-2.63-1.i386.rpm installs in /usr/lib/perl5/site_perl/5.6.1/Mail

I had to copy the files in there to /usr/lib/perl5/site_perl/5.8.1/Mail

Restarted MailScanner and it worked!

Why don't these rpms intelligently figure out what the latest version of Perl is on the machine and install Spamassassin Perl Mail stuff into the correct folder? Uhhggg

From m.sapsed at BANGOR.AC.UK Tue Feb 3 17:36:19 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:18 2006
Subject: Silent Virus List
References: <005501c3e57d$089a79c0$660210ac@christoxp> <40177E3C.4090903@solid-state-logic.com> <6.0.1.1.2.20040128112404.03e603e0@imap.ecs.soton.ac.uk>
Message-ID: <401FDC13.8050302@bangor.ac.uk>

Julian Field wrote:
> At 10:43 28/01/2004, you wrote:
>
>> When viruses fake 'from' info, do they just fake the 'From:' header,
>> or do
>> they fake the envelope sender too?
>
> Yes.

To be slightly picky, this is an over generalisation. Some worms e.g. SirCam, Hybris fake the From: address but leave the sender address as that of the victim.

Cheers,

Martin
--
Martin Sapsed
Information Services "Who do you say I am?"
University of Wales, Bangor Jesus of Nazareth

From steve.freegard at LBSLTD.CO.UK Tue Feb 3 17:40:40 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:18 2006
Subject: Announce: MailWatch for MailScanner 0.5
Message-ID: <67D9E7698329D411936E00508B6590B902773E4F@neelix.lbsltd.co.uk>

Hi Eric,

You'll still need 2.1028.

However I saw a neat trick done by an admin recently who installed the DBD-MySQL module into /usr/lib/MailScanner/MailScanner/DBD-MySQL and did something like "use lib '/usr/lib/MailScanner/MailScanner/DBD-MySQL/';" to the top of MailWatch.pm to use the older version instead.

Kind regards,
Steve.

> -----Original Message-----
> From: Eric Doutreleau [mailto:Eric.Doutreleau@INT-EVRY.FR]
> Sent: 03 February 2004 16:26
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Announce: MailWatch for MailScanner 0.5
>
>
> Do we still have to use the perl-DBD-MySQL 2.1028 version
> or can we switch to the latest version available?
>
>
> On Tue 03/02/2004 at 01:44, Steve Freegard wrote:
> > Hi All,
> >
> > I'm pleased to finally release 0.5 which you can download from
> > http://www.sourceforge.net/projects/mailwatch.
> >
> > CHANGE LOG
> > - Updated indexes for much greater performance (again!).
> > - Added preliminary support for per-user filters (see USER_FILTERS
> > file).
> > - Added the ability to view quarantined items.
> > - All tables now enable a pager when returning more than 50 rows and allow
> > ordering by any of the displayed columns.
> > - New tool to run SpamAssassin --lint and time the output for debugging SA.
> > - New F-Secure status page (like Sophos).
> > - Required PEAR modules now included.
> > - Added reporting of Blacklisted mails.
> > - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted e-mails.
> > - Quoted printable strings are now automatically decoded before display.
> > - Configuration options moved from functions.php into conf.php
> > - Automatically works out VIRUS_REGEX by using the first value in
> > MailScanner.conf - e.g. 'Virus Scanners = sophossavi clamavmodule' would
> > activate the regexp for SophosSAVI.
> > - New 'Virus Report' allows comparison of multiple scanners (if you run
> > more than one) and allows you to see 1st detection date/time of each
> > virus by each scanner.
> > - Integration with Fortress Systems Secure Mail Gateway.
> >
> > FIXES
> > - Multiple clean-ups of mailq.php to make it more robust.
> > - Greatly improved debugging of SQL statements.
> > - Quarantine now correctly looks in the non-spam quarantine
> > directories.
> > - SA Rules Description Update now reads custom rules as well.
> > - sendmail_relay.php now works across log rotations.
> > - Increased memory_limit to 128M for quarantine functions.
> >
> > Kind regards,
> > Steve.
> >
> > --
> > MailWatch for MailScanner
> > http://mailwatch.sourceforge.net
> >
> > --
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error please notify
> > the sender and delete the message from your mailbox.
> >
> > This footnote also confirms that this email message has been swept by
> > MailScanner (www.mailscanner.info) for the presence of computer
> > viruses.
>

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From mailscanner at ecs.soton.ac.uk Tue Feb 3 17:46:29 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:18 2006
Subject: Getting SpamAssassin installation could not be found error
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040203174502.03f0eea0@imap.ecs.soton.ac.uk>

At 17:33 03/02/2004, you wrote:
>Ok I solved my own problem
>perl-mail-spamassassin-2.63-1.i386.rpm
>installs in /usr/lib/perl5/site_perl/5.6.1/Mail
>I had to copy the files in there to /usr/lib/perl5/site_perl/5.8.1/Mail
>
>Restarted MailScanner and it worked!
>
>
>Why don't these rpms intelligently figure out what the latest version of
>Perl is on the machine and install Spamassassin Perl Mail stuff into the
>correct folder? Uhhggg

That's only possible if you rebuild the RPM from the SRPM on your machine, then install your shiny new RPM.

You now have a system that isn't consistent with its own RPM database. :-(

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 3 17:44:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:18 2006
Subject: MailScanner.conf questions
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040203174218.03f1bb88@imap.ecs.soton.ac.uk>

At 17:07 03/02/2004, you wrote:
>1. In the web site about the MailScanner.conf it says (with some text
>taking out) talking about spam.whitelist.rules:
>Is Definitely Not Spam
>You will probably want to include your own site (or your own site's IP
>addresses) in this ruleset.
>
>Does that mean put:
>From: *@domain.com or

Yes, but it is even better to whitelist your IP addresses. You can put in IP addresses in any of the common syntaxes for specifying netblocks.

>FromOrTo *@domain.com

No

>It would seem that if it said FromOrTo, that it would treat all mail as
>not spam and "not" perform any blocking.

Correct

>2. Is this how to disable blocking for a user ID:
>FromOrTo: user@domain.com yes

Yes

>3. Do you have to configure the spamassassin white list also, being that
>you have to configure the whitelist in 2 places?
>Spam.whitelist.rules and spam.assassin.prefs.conf?

No. The spam.whitelist.rules entries will cause all spam checking to be bypassed, including SpamAssassin.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From m.sapsed at BANGOR.AC.UK Tue Feb 3 17:56:49 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:18 2006
Subject: rant about anti-virus and spam, MS flamed
References: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> <40183962.1010304@uptime.at> <6.0.0.22.0.20040128174447.025b7098@xanadu.evi-inc.com> <6.0.1.1.2.20040128150747.02f7f418@email.potlatchcorp.com> <6.0.0.22.0.20040128182805.025c8f48@xanadu.evi-inc.com>
Message-ID: <401FE0E1.8010103@bangor.ac.uk>

(Catching up with a backlog again - can't let this one go)

Matt Kettler wrote:
> At 06:09 PM 1/28/2004, Leonard Hermens wrote:
>
>> >Can you cite an example of when, at the present time, it is a good
>> idea to
>> >have a mailserver configured to auto respond to a sender and notify them
>> that a message sent contained a live virus infection?
>>
>> Any virus or macro virus that is sent manually by the sender.
>
> I'll agree that is a particular email where it is good for a server to
> autorespond.
>
> However, that's not an answer to the question.
>
> A mailserver can't be configured to tell the difference between a manual
> send and an automated one, so your example is a single isolated email
> example. I'm asking for a situation where it's a good idea to configure
> your mailserver in such a manner, not a single message case.
>
> Real world, real mailserver, present time, realistic situation where it
> would be a good idea to have a server do this. (ie: how can you do it on an
> automated basis without inflicting casualties, and still reap some useful
> benefit.)

I'll give you several examples where it's worth notifying the sender of a virus.

2784 instances of Gibe-F we had in December - the From: address is forged but the sender address isn't.

a dozen or so people with no or very old a-v resulting in them having word macro viruses. They attach an infected document and mail it here, they get a wake-up call.

People e-mailing so called "Joke" programs to their mates - they're not welcome here.

By my reckoning there are just over a dozen families of viruses that fake the sender address. I don't see managing a list of that size to be an issue. I would like to do my bit to reduce the quantity of malware out there where I can.

I do agree though that too many people have run with the old default and applaud Julian's move to change the default. I would, however, strongly object to the removal of the code altogether just because some people don't use it properly.

I am also mildly fascinated that outfits of the size of messagelabs were sending virus reports to the "senders" of MyDoom....

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From m.sapsed at BANGOR.AC.UK Tue Feb 3 18:02:54 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:18 2006
Subject: mailling list subject tag
References: <08146035CA49D6119A36009027AC822A0264ED5F@CITY-EXCH-NTS> <1075456331.9785.12.camel@localhost.localdomain>
Message-ID: <401FE24E.4020304@bangor.ac.uk>

Neil Robst wrote:
> Hi Julian et al,
>
> Would it be possible to setup the mailing list software that manages
> this list to tag the subject of each mail with [MailScanner] or
> something similar please so I can see at a glance which mails are from
> this list...?

Please bear in mind though that if you do this, and leave the tags in the Subject line when you reply you can cause people who filter MailScanner messages to a folder using other methods to have grief following threads (depending on what software they use).

(Same applies to foreign language alternatives to Re:, and we won't go in to leaving {Spam} and {Virus} tags in subjects...)

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From dustin.baer at IHS.COM Tue Feb 3 18:16:29 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT] Re: MAPS-RBL
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B197@tormail2.algorithmics.com>
Message-ID: <401FE57D.C4F9E7EC@ihs.com>

Derek Winkler wrote:
>
> We're considering paying for MAPS-RBL services.
>
> Any comments on its effectiveness?
>
> Thanks,
>
> Derek Winkler
> Security Administrator

We use RBL+ and reject about 4,000 messages/day. It is quite useful.

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 3 18:19:14 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:18 2006
Subject: rant about anti-virus and spam, MS flamed
Message-ID: <08146035CA49D6119A36009027AC822A0264EDA4@CITY-EXCH-NTS>

>By my reckoning there are just over a dozen families of viruses that
>fake the sender address. I don't see managing a list of that size to be
>an issue. I would like to do my bit to reduce the quantity of malware
>out there where I can.

Since it's (inter)national beat a dead horse day, what I'd like to see is for the AV companies to add a flag to their definitions as to whether it's a spoofer or not. Could be as little as a single bit turned on or off in their pattern file database. Not knowing the structure of the database, it may be possible to set it w/o even adding any new fields in some cases. Of course, they would have to reconfigure the scan engine to return true or false and things like MS would have to have a snippet of code added to check it, but as viruses get more sophisticated, maybe it's time for virus scanners/responders to get more sophisticated too.

Sadly, the onus has to be on the AV companies at this point and I'm not holding my breath that they're ever gonna read my humble suggestion. But I dunno - maybe someone from that universe does follow this list. Guess I better patent the idea quick!

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From cstamas at digitus.itk.ppke.hu Tue Feb 3 18:21:45 2004
From: cstamas at digitus.itk.ppke.hu (Csillag Tamás)
Date: Thu Jan 12 21:22:18 2006
Subject: 200,000 downloads of MailScanner
In-Reply-To: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk>
Message-ID: <20040203182145.GF25916@digitus>

Hi

On 02/03, Julian Field wrote:
> MailScanner has just passed the 200,000 downloads milestone!
>

This means the downloads from mailscanner.info ? It can be much more (from CPAN, rpm) and I installed it from deb.

but, MailScanner works perfectly....

thanks

--
cstamas

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Feb 3 18:24:47 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:18 2006
Subject: rant about anti-virus and spam, MS flamed
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EDA4@CITY-EXCH-NTS>
Message-ID: <009c01c3ea83$00ff69e0$0501a8c0@darkside>

>Since it's (inter)national beat a dead horse day, what
>I'd like to see
>is for the AV companies to add a flag to their definitions as
>to whether

FYI: a recent correspondence between myself and Sophos.

Hi Jason,

We are looking at adding this feature into our definitions as it would be very useful. Watch this space.

[name removed]@sophos.com

On 28/01/2004 21:31:04 "Jason Balicki" wrote:
>Would it be possible to include a "forged sender" Boolean
>value in the sophos IDE and have Sophos AV report that
>value when a file is scanned (via the appropriate
>switches)? I use Sophos with MailScanner and the
>ability to send or not send notifications intelligently
>would be a godsend.
>
>I know the vast majority of worms and viruses these
>days forge, but it would still be helpful.
>
>TIA,
>
>--J(K)
>

From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 3 18:29:18 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:18 2006
Subject: rant about anti-virus and spam, MS flamed
Message-ID: <08146035CA49D6119A36009027AC822A0264EDA5@CITY-EXCH-NTS>

>FYI: a recent correspondence between myself and Sophos.

Dang! See, I knew I should have patented it. Then I could sue everybody like Darl! Now I'll still have to work for a living... ;-)

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From dot at DOTAT.AT Tue Feb 3 18:31:21 2004
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:22:18 2006
Subject: SPF and MailScanner
In-Reply-To:
Message-ID:

"Spicer, Kevin" wrote:
>
>There is a page addressing common objections to SPF on their site http://spf.pobox.com/objections.html

I note that their Sender Rewriting Scheme as proposed would turn most mail servers into open relays, in the same way as the % hack does. You need to make the rewritten return path cryptographically unforgeable. The requirement for this in the SRS I-D is laughably weak. http://spf.pobox.com/srs.html

Tony.
--
f.a.n.finch http://dotat.at/
ROCKALL MALIN: SOUTH OR SOUTHWEST 7 TO SEVERE GALE 9, OCCASIONALLY STORM 10, BECOMING CYCLONIC 5 TO 7 LATER. OCCASIONAL RAIN OR SQUALLY SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.

From dot at DOTAT.AT Tue Feb 3 18:33:35 2004
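Added example (not from the thread, and not the SRS draft's wire format): a sketch of the point made in the "SPF and MailScanner" message above, that a rewritten return path must carry a keyed MAC so the forwarder only reverses addresses it issued itself. The address layout, key, domains and seven-day lifetime are illustrative assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # hypothetical key; known only to the forwarder
MAX_AGE_DAYS = 7                  # assumption: lifetime of a rewritten address


def _tag(secret, day, domain, local):
    """Keyed MAC over every field an outsider could otherwise choose freely."""
    msg = f"{day}={domain.lower()}={local}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def _split(address, forwarder):
    """Parse 'SRS0=tag=day=domain=local@forwarder' into its four fields."""
    local_part, _, dom = address.rpartition("@")
    if dom.lower() != forwarder.lower() or not local_part.startswith("SRS0="):
        return None
    parts = local_part[len("SRS0="):].split("=", 3)
    return parts if len(parts) == 4 else None


def rewrite(sender, forwarder, day, secret=SECRET):
    """Build the return path the forwarder puts on mail it relays onward."""
    local, _, domain = sender.rpartition("@")
    tag = _tag(secret, day, domain, local)
    return f"SRS0={tag}={day}={domain}={local}@{forwarder}"


def reverse_unsigned(address, forwarder):
    """Weak form: trusts whatever destination is encoded in the address."""
    parts = _split(address, forwarder)
    if parts is None:
        return None
    _ignored_tag, _day, domain, local = parts
    return f"{local}@{domain}"


def reverse(address, forwarder, today, secret=SECRET):
    """Hardened form: reverse only addresses carrying a valid, fresh MAC."""
    parts = _split(address, forwarder)
    if parts is None:
        return None
    tag, day_s, domain, local = parts
    if not (day_s.isascii() and day_s.isdigit()):
        return None
    day = int(day_s)
    expected = _tag(secret, day, domain, local)
    # Constant-time comparison so the check leaks nothing about the tag.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if not 0 <= today - day <= MAX_AGE_DAYS:
        return None
    return f"{local}@{domain}"


if __name__ == "__main__":
    fwd = "forwarder.example"  # constructed domains throughout
    issued = rewrite("alice@example.org", fwd, day=12450)
    forged = "SRS0=0000000000000000=12450=victim.example=bob@" + fwd
    print("issued address reverses to:", reverse(issued, fwd, today=12451))
    print("unsigned reversal of forged:", reverse_unsigned(forged, fwd))
    print("MAC-checked reversal of forged:", reverse(forged, fwd, today=12451))
```

The unsigned reversal hands mail to whatever destination the address names, which is the relay behaviour the message warns about; the MAC-checked reversal returns nothing for an address the forwarder never issued or one past its lifetime.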
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:22:18 2006
Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current
In-Reply-To:
References:
Message-ID:

Eric Dantan Rzewnicki wrote:
>
>Thank you for clearing this up. I'm still puzzled as to why they weren't
>created when I first ran the script, but it seems to be ok now.

You might have splatted them afterwards, e.g. by reinstalling uvscan.

Tony.
--
f.a.n.finch http://dotat.at/
THE WASH TO NORTH FORELAND: SOUTHWEST 6 TO GALE 8. RAIN AT TIMES. MODERATE OR GOOD. SLIGHT OR MODERATE, OCCASIONALLY ROUGH WELL OFFSHORE.

From raymond at PROLOCATION.NET Tue Feb 3 19:33:21 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT] Re: MAPS-RBL
In-Reply-To: <401FE57D.C4F9E7EC@ihs.com>
Message-ID:

Hi

> > Security Administrator
>
> We use RBL+ and reject about 4,000 messages/day. It is quite useful.

It's not bad, we also have a subscription, but we see a multiple of the hits on RBL+ on the NJABL and DSBL lists... I would try lists like that before moving to a paid list.

Bye,
Raymond.

From bpumphrey at WOODMACLAW.COM Tue Feb 3 19:46:37 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:18 2006
Subject: Error in line 3 in filename.rules.conf
Message-ID:

Thank you for your answers!!!!
I have not changed this file, and line 3 looks to be ok.

In the log I get this error:
Feb 3 14:39:43 MailScanner MailScanner[5743]: Possible syntax error on line 3 o
f /etc/MailScanner/filename.rules.conf
Feb 3 14:39:43 MailScanner MailScanner[5743]: Remember to separate fields with
tab characters!

# See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email
deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email
deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email
deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email
deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack
deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email
deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email
deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email
deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email
deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email
deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email
deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email
deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email
deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email

From mailscanner at ecs.soton.ac.uk Tue Feb 3 20:06:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:18 2006
Subject: Error in line 3 in filename.rules.conf
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040203200535.044e4308@imap.ecs.soton.ac.uk>

At 19:46 03/02/2004, you wrote:
>Thank you for your answers!!!!
>I have not changed this file, and line 3 looks to be ok.

You must have done, this file is correct as shipped, as far as I am aware (and over 2000 people have downloaded and run the latest version).

I suggest you have had 1 line either broken into 2 or else the fields are not separated by tabs alone.

>In the log I get this error:
>Feb 3 14:39:43 MailScanner MailScanner[5743]: Possible syntax error on
>line 3 o
>f /etc/MailScanner/filename.rules.conf
>Feb 3 14:39:43 MailScanner MailScanner[5743]: Remember to separate
>fields with
>tab characters!
>
># See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more
>info.
>deny \.cnf$ Possible SpeedDial attack
> SpeedDials are very dangerous in email
>deny \.hta$ Possible Microsoft HTML archive attack
> HTML archives are very dangerous in email
>deny \.ins$ Possible Microsoft Internet Comm. Settings
>attack
> Windows Internet Settings are dangerous in email
>deny \.jse?$ Possible Microsoft JScript attack
> JScript Scripts are dangerous in email
>deny \.lnk$ Possible Eudora *.lnk security hole attack
> Eudora *.lnk security hole attack
>deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut
>attack
> Microsoft Access Shortcuts are dangerous in
>email
>deny \.pif$ Possible MS-Dos program shortcut attack
> Shortcuts to MS-Dos programs are very dangerous
>in email
>deny \.scf$ Possible Windows Explorer Command attack
> Windows Explorer Commands are dangerous in email
>deny \.sct$ Possible Microsoft Windows Script Component
>attack
> Windows Script Components are dangerous in email
>deny \.shb$ Possible document shortcut attack
> Shortcuts Into Documents are very dangerous in
>email
>deny \.shs$ Possible Shell Scrap Object attack
> Shell Scrap Objects are very dangerous in email
>deny \.vb[es]$ Possible Microsoft Visual Basic script attack
> Visual Basic Scripts are dangerous in email
>deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack
> Windows Script Host files are dangerous in email
>deny \.xnk$ Possible Microsoft Exchange Shortcut attack
> Microsoft Exchange Shortcuts are dangerous in
>email

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 3 20:05:19 2004
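Added example (not part of the thread and not MailScanner code): a small checker for the two failure modes named in the reply above, fields not separated by tabs alone and one rule broken across two lines. It assumes four tab-separated fields per rule (action, pattern, log text, user report), treats `allow` as the counterpart of the `deny` shown in the thread, and uses Python's `re` as a stand-in for Perl's regex engine; the sample file is constructed.

```python
import re

# Assumption: a rule is action<TAB>pattern<TAB>log text<TAB>user report.
ACTIONS = {"allow", "deny"}  # "deny" appears in the thread; "allow" is assumed
FIELDS = 4

# Constructed sample: line 3 uses spaces, lines 4-5 are one rule broken in two.
SAMPLE = (
    "# constructed sample file\n"
    "deny\t\\.cnf$\tPossible SpeedDial attack\tSpeedDials are very dangerous in email\n"
    "deny    \\.hta$    Possible Microsoft HTML archive attack    HTML archives are very dangerous in email\n"
    "deny\t\\.ins$\tPossible Microsoft Internet Comm. Settings attack\n"
    "\tWindows Internet Settings are dangerous in email\n"
    "deny\t\\.jse?$\tPossible Microsoft JScript attack\tJScript Scripts are dangerous in email\n"
)


def check_rules(text):
    """Return [(line_number, problem), ...] for a filename.rules.conf body."""
    problems = []
    short_rule = None  # line number of the last rule that had too few fields
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            short_rule = None
            continue
        first_word = line.split(None, 1)[0].lower()
        if first_word not in ACTIONS:
            if short_rule is not None:
                problems.append((lineno, f"looks like the tail of line {short_rule}, "
                                         "which was broken in two"))
            else:
                problems.append((lineno, "does not start with allow or deny"))
            short_rule = None
            continue
        fields = re.split(r"\t+", line)
        if len(fields) != FIELDS:
            spaces_used = fields[0].lower() not in ACTIONS or (
                len(fields) < FIELDS and re.search(r" {2,}", line))
            if spaces_used:
                problems.append((lineno, "fields separated by spaces, "
                                         "not by tab characters"))
            elif len(fields) < FIELDS:
                problems.append((lineno, f"only {len(fields)} of {FIELDS} fields; "
                                         "the rule may continue on the next line"))
            else:
                problems.append((lineno, f"{len(fields)} fields, expected {FIELDS}"))
            short_rule = lineno if len(fields) < FIELDS else None
            continue
        short_rule = None
        try:
            re.compile(fields[1])  # Python's re standing in for Perl's engine
        except re.error as exc:
            problems.append((lineno, f"pattern does not compile: {exc}"))
    return problems


if __name__ == "__main__":
    for lineno, problem in check_rules(SAMPLE):
        print(f"line {lineno}: {problem}")
```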
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT] Re: MAPS-RBL
In-Reply-To:
References: <401FE57D.C4F9E7EC@ihs.com>
Message-ID: <6.0.1.1.2.20040203200449.04509a10@imap.ecs.soton.ac.uk>

At 19:33 03/02/2004, you wrote:
> > We use RBL+ and reject about 4,000 messages/day. It is quite useful.
>
>It's not bad, we also have a subscription, but we see a multiple of the
>hits on RBL+ on the NJABL and DSBL lists... I would try lists like that
>before moving to a paid list.

And definitely try the combined XBL+SBL list from spamhaus.org too. Very good in my experience.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dwinkler at ALGORITHMICS.COM Tue Feb 3 20:23:04 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT] Re: MAPS-RBL
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B19D@tormail2.algorithmics.com>

Already using all 3 mentioned.

Would using MAPS-RBL just push scores higher?

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
Sent: Tuesday, February 03, 2004 3:05 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: [OT] Re: MAPS-RBL

At 19:33 03/02/2004, you wrote:
> > We use RBL+ and reject about 4,000 messages/day. It is quite useful.
>
>It's not bad, we also have a subscription, but we see a multiple of the
>hits on RBL+ on the NJABL and DSBL lists... I would try lists like that
>before moving to a paid list.

And definitely try the combined XBL+SBL list from spamhaus.org too. Very good in my experience.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From raymond at PROLOCATION.NET Tue Feb 3 20:29:09 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT] Re: MAPS-RBL
In-Reply-To: <6.0.1.1.2.20040203200449.04509a10@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >It's not bad, we also have a subscription, but we see a multiple of the
> >hits on RBL+ on the NJABL and DSBL lists... I would try lists like that
> >before moving to a paid list.
>
> And definitely try the combined XBL+SBL list from spamhaus.org too. Very
> good in my experience.

Yes, very true. A good new one, if i may plug :)

RFC-IGNORANT-BOGUSMX

We get nice results with list that just started...

Bye,
Raymond.

From k.raven at FREENET.DE Tue Feb 3 21:15:09 2004
From: k.raven at FREENET.DE (Kai Raven)
Date: Thu Jan 12 21:22:18 2006
Subject: RulesDuJour
Message-ID: <20040203221509.04730876@raven.localdomain.intern>

Hi,

today, i have used RulesDuJour the first time.
After the first run, all the *.cf files are saved under the /etc/mail/spamassassin/RulesDuJour directory. Is it necessary to move or copy them to /etc/mail/spamassassin?

--
Ciao
Kai

HP: http://kai.iks-jena.de/
Blog: http://rabenhorst.blogg.de/
GnuPG-Key: 0x76C65282
ICQ:146714798

From hywel at BURRIS.ORG.UK Tue Feb 3 21:20:37 2004
From: hywel at BURRIS.ORG.UK (Hywel Burris)
Date: Thu Jan 12 21:22:18 2006
Subject: Announce: MailWatch for MailScanner 0.5
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E4F@neelix.lbsltd.co.uk>
Message-ID: <200402032120.i13LKbNS024510@mail.burris.org.uk>

Hi Steve,

I have run into this problem after upgrading from version 0.4 to 0.5 on fedora, surprisingly it seemed to work ok with perl-DBD-MySQL-2.9002-1 before I upgraded.

I am getting the error: -

Feb 3 21:16:13 mail MailScanner[23332]: Database ping failure attempting to re-connect
Feb 3 21:16:13 mail MailScanner[23332]: Cannot insert row: MySQL server has gone away

I assume that this is caused by me using the incorrect version?

Would there be any chance of advising how I could install this old version like you seen below as fedora is advising that the above version of perl is required for MySQL.

Thanks

Hywel

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Freegard
Sent: 03 February 2004 17:41
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Announce: MailWatch for MailScanner 0.5

Hi Eric,

You'll still need 2.1028.

However I saw a neat trick done by an admin recently who installed the DBD-MySQL module into /usr/lib/MailScanner/MailScanner/DBD-MySQL and did something like "use lib '/usr/lib/MailScanner/MailScanner/DBD-MySQL/';" to the top of MailWatch.pm to use the older version instead.

Kind regards,
Steve.

[snip]

From steve.swaney at FSL.COM Tue Feb 3 21:23:17 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:18 2006
Subject: RulesDuJour
In-Reply-To: <20040203221509.04730876@raven.localdomain.intern>
Message-ID: <20040203212319.6AE9D21C142@mail.fsl.com>

Nope.

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Kai Raven
> Sent: Tuesday, February 03, 2004 4:15 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: RulesDuJour
>
> Hi,
>
> today, i have used RulesDuJour the first time.
> After the first run, all the *.cf files are saved under the
> /etc/mail/spamassassin/RulesDuJour directory. Is it necessary to move
> or copy them to /etc/mail/spamassassin?
>
> --
> Ciao
> Kai
>
> HP: http://kai.iks-jena.de/
> Blog: http://rabenhorst.blogg.de/
> GnuPG-Key: 0x76C65282
> ICQ:146714798
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

Fortress Systems Ltd.
www.fsl.com

From mkettler at EVI-INC.COM Tue Feb 3 21:30:47 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:18 2006
Subject: RulesDuJour
In-Reply-To: <20040203221509.04730876@raven.localdomain.intern>
References: <20040203221509.04730876@raven.localdomain.intern>
Message-ID: <6.0.0.22.0.20040203162546.026d22c8@xanadu.evi-inc.com>

At 04:15 PM 2/3/2004, Kai Raven wrote:
>Hi,
>
>today, i have used RulesDuJour the first time.
>After the first run, all the *.cf files are saved under the
>/etc/mail/spamassassin/RulesDuJour directory. Is it necessary to move
>or copy them to /etc/mail/spamassassin?

SA will not parse the files in subdirectories.. However, if you look closely, the ones in the RulesDuJour subdir should be your *old* files, not the freshly downloaded ones.

From the script itself:

TMPDIR="${SA_DIR}/RulesDuJour"; # Where we store old rulesets. If you delete
                                # this directory, RuleSets may be detected as
                                # out of date the next time you run rules_du_jour.

Also, for reference you're probably better off directing general RulesDuJour questions to the spamassassin mailing list if you can. The author of the RDJ script, Chris Thielen, subscribes to the spamassassin list, but AFAIK not this list.

Of course, if your question is about mailscanner-specific things, you're probably better off posting here.

From brose at MED.WAYNE.EDU Tue Feb 3 21:28:48 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT]RE: RulesDuJour
Message-ID:

That's where it downloads them, they should get moved to /etc/mail/spamassassin by the script itself if there are changes. The reason for this is so that if the download fails, you still have working copy.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kai Raven
Sent: Tuesday, February 03, 2004 4:15 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: RulesDuJour

Hi,

today, i have used RulesDuJour the first time.
After the first run, all the *.cf files are saved under the /etc/mail/spamassassin/RulesDuJour directory. Is it necessary to move or copy them to /etc/mail/spamassassin?

--
Ciao
Kai

HP: http://kai.iks-jena.de/
Blog: http://rabenhorst.blogg.de/
GnuPG-Key: 0x76C65282
ICQ:146714798

From miguelk at KONSULTEX.COM.BR Tue Feb 3 21:35:37 2004
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT] Re: MAPS-RBL
References: <401FE57D.C4F9E7EC@ihs.com> <6.0.1.1.2.20040203200449.04509a10@imap.ecs.soton.ac.uk>
Message-ID: <40201429.4080705@konsultex.com.br>

Julian;

I have to disagree completely with these databases. I think that MAPS has a lot of bad information in it, like a virus scanner with many false alarms, only with graver consequences. A virus scanner maintainer puts a pattern in and mostly forgets about it because that pattern identifies a virus which will most likely never change into a benevolent file. Somebody putting a host or network into a 'pattern' database has a much harder job and an infinitely greater responsibility because these 'patterns' (ips or networks) would have to come and go according to correct, dynamic information which decides without a doubt if the ip is 'a virus' (spamming) or not.

Imagine a company that finds a virus and identifies that the string '0A' is in the file. So they decide to mark every file with '0A' as a virus. Then they leave it up to the user of a given executable to make the third party developer prove to this hypothetical company that their use of '0A' is justified, not a virus, so that the program is finally able to run for the user. To make the analogy closer to reality, imagine that the user is not allowed to uninstall the virus scanner while he waits for all this to happen. You call them for help and they say "ask Microsoft to contact us"!

I was an innocent victim of the MAPS gang in December during over a month. I had to jump through hoops to get my IP out of a DUL range, which I found out about when all of a sudden some of our users could not communicate with their major customer. I don't have a dynamic IP and I have my reverse DNS configured, even though the ISP probably assigns some dynamic ones in the net range. My influence on what the ISP does tends to zero.

Getting an IP "cleared" is very difficult and time consuming because mailabuse.com is not proactive and leaves the problem for the victim to solve. I believe that the reason is that their database appears more valuable if it has more IPs in it. They proved to me that they don't care if I can't communicate. The irony is that you can't communicate by email even with them! I bet most people don't bother to go all the way like I did and just convince the receiving party of the emails to ignore MAPS for their case. And so the database fills up with junk.

That's my experience with MAPS. Maybe others are better.

Miguel

Julian Field wrote:
> At 19:33 03/02/2004, you wrote:
>
>> > We use RBL+ and reject about 4,000 messages/day. It is quite useful.
>>
>> It's not bad, we also have a subscription, but we see a multiple of the
>> hits on RBL+ on the NJABL and DSBL lists... I would try lists like that
>> before moving to a paid list.
>
>
> And definitely try the combined XBL+SBL list from spamhaus.org too. Very
> good in my experience.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
This message has been checked by the antivirus system and is believed to be free of danger.

From steve.swaney at FSL.COM Tue Feb 3 22:04:13 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:18 2006
Subject: RulesDuJour
In-Reply-To: <20040203212319.6AE9D21C142@mail.fsl.com>
Message-ID: <20040203220413.7465E21C13F@mail.fsl.com>

Sorry I misread your message.

If you haven't changed the rules_du_jour defaults, the rules will be downloaded into the /etc/mail/spamassassin directory. If you haven't changed the MailScanner defaults, they will be read from /etc/mail/spamassassin directory and used when MailScanner calls the SpamAssassin routines.

The fact that your rules live in /etc/mail/spamassassin/rules_du_jour directory indicates that the spamassassin --lint command is failing and the downloaded rules are being backed out and stored in /etc/mail/spamassassin/rules_du_jour.

What happens when you run the rules_du_jour script from a command line? That should tell you what is happening.

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Stephen Swaney
> Sent: Tuesday, February 03, 2004 4:23 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: RulesDuJour
>
> Nope.
>
> Stephen Swaney
> President
> Fortress Systems Ltd.
> Steve.Swaney@FSL.com
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Kai Raven
> > Sent: Tuesday, February 03, 2004 4:15 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: RulesDuJour
> >
> > Hi,
> >
> > today, i have used RulesDuJour the first time.
> > After the first run, all the *.cf files are saved under the
> > /etc/mail/spamassassin/RulesDuJour directory. Is it necessary to move
> > or copy them to /etc/mail/spamassassin?
> >
> > --
> > Ciao
> > Kai
> >
> > HP: http://kai.iks-jena.de/
> > Blog: http://rabenhorst.blogg.de/
> > GnuPG-Key: 0x76C65282
> > ICQ:146714798
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> > Fortress Systems Ltd.
> > www.fsl.com
> >
> >
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Fortress Systems Ltd.
www.fsl.com

From roddy at NETSPACE.NET.AU Tue Feb 3 22:19:51 2004
From: roddy at NETSPACE.NET.AU (Roddy Strachan)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
Message-ID: <40201E87.8040702@netspace.net.au>

Hi,

Just installed Mailscanner on Freebsd 5.1, however have ran into some problems.

I followed the install.FREEBSD instructions, however on system startup, i get

Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use
Feb 4 08:51:57 mail sm-mta[2129]: daemon MTA: problem creating SMTP socket
Feb 4 08:52:01 mail MailScanner[2157]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 4 08:52:02 mail sm-mta[2129]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use
Feb 4 08:52:02 mail sm-mta[2129]: daemon MTA: problem creating SMTP socket
Feb 4 08:52:02 mail MailScanner[2157]: Using locktype = flock

It looks like MailScanner actually loads, but it won't scan any incoming mail.

I tried another way by executing the .sh script. This loads MailScanner no problems, but again it doesn't look like it scans the mail coming in, did some tests and no headers are added, it's as though it isn't passing it onto F-Prot.

Thanks

P.S. A very similar if not the same problem discussed here at the bottom:
http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0205&L=mailscanner&P=R10295&I=-1

From raymond at PROLOCATION.NET Tue Feb 3 22:34:08 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To: <40201E87.8040702@netspace.net.au>
Message-ID:

Hi!

> Just installed Mailscanner on Freebsd 5.1, however have ran into some
> problems.
>
> I followed the install.FREEBSD instructions, however on system startup,
> i get
>
> Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root):
> opendaemonsocket: daemon MTA: cannot bind: Address already in use
> Feb 4 08:51:57 mail sm-mta[2129]: daemon MTA: problem creating SMTP socket
> Feb 4 08:52:01 mail MailScanner[2157]: MailScanner E-Mail Virus Scanner
> version 4.26.8 starting...

You didn't stop your original MTA as it seems. The socket was in use like the logs report.

Bye,
Raymond.

From roddy at NETSPACE.NET.AU Tue Feb 3 22:38:04 2004
From: roddy at NETSPACE.NET.AU (Roddy Strachan)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To:
References:
Message-ID: <402022CC.2070805@netspace.net.au>

> Hi!
>
>
>>Just installed Mailscanner on Freebsd 5.1, however have ran into some
>>problems.
>>
>>I followed the install.FREEBSD instructions, however on system startup,
>>i get
>>
>>Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root):
>>opendaemonsocket: daemon MTA: cannot bind: Address already in use
>>Feb 4 08:51:57 mail sm-mta[2129]: daemon MTA: problem creating SMTP socket
>>Feb 4 08:52:01 mail MailScanner[2157]: MailScanner E-Mail Virus Scanner
>>version 4.26.8 starting...
>
>
> You didnt stop your original MTA as it seems. The socket was in use like
> the logs report.

Ok that brings me to the next question, in the install.FREEBSD it says to add certain lines to /etc/rc.conf

sendmail_enable="YES"
# MailScanner starts here
mta_start_script="/opt/MailScanner/bin/rc.MailScanner start"
MailScanner_incoming_queue="/var/spool/mqueue.in"
MailScanner_queue_time="15m"
MailScanner_check="/opt/MailScanner/bin/check_mailscanner"
MailScanner_pidfile="/opt/MailScanner/var/MailScanner.pid"
# MailScanner ends here

That's what my rc.conf looks like, should i make sendmail_enable=NO ? And then allow mailscanner to start it ?

From jdbautista at IWSPC.COM Tue Feb 3 22:50:04 2004
From: jdbautista at IWSPC.COM (Joseph C. Bautista)
Date: Thu Jan 12 21:22:18 2006
Subject: Announce: MailWatch for MailScanner 0.5
References: <67D9E7698329D411936E00508B6590B902773E43@neelix.lbsltd.co.uk>
Message-ID: <013b01c3eaa8$10b70120$4c04a8c0@Plnt3domain>

Thank you. It's now working...

----- Original Message -----
From: "Steve Freegard"
To:
Sent: Tuesday, February 03, 2004 5:06 PM
Subject: Re: Announce: MailWatch for MailScanner 0.5

> Hi Joseph,
>
> You're getting this error because your copy of PHP doesn't have the MySQL
> module installed or compiled in.
>
> If you are running RedHat install the php-mysql RPM from your installation
> CD's and restart apache and it will start working.
>
> Kind regards,
> Steve.
>
> > -----Original Message-----
> > From: Joseph C. Bautista [mailto:jdbautista@IWSPC.COM]
> > Sent: 03 February 2004 08:39
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Announce: MailWatch for MailScanner 0.5
> >
> >
> > Hi All,
> >
> > I think i followed the instruction correct. My
> > Mailscanner is logging to mysql database. But everytime i
> > point my browser to
> >
> > http://localhost/mailscanner it gives me an error:
> >
> > Fatal error: Call to undefined function:
> > mysql_pconnect() in
> > /home/httpd/html/mailscanner/functions.php on line 273
> >
> > Anyone knows how to fixed this?
> >
> > Thnx.
> >
> >
> > ----- Original Message -----
> > From: "Steve Freegard"
> > To:
> > Sent: Tuesday, February 03, 2004 8:44 AM
> > Subject: Announce: MailWatch for MailScanner 0.5
> >
> >
> > > Hi All,
> > >
> > > I'm pleased to finally release 0.5 which you can download from
> > > http://www.sourceforge.net/projects/mailwatch.
> > >
> > > CHANGE LOG
> > > - Updated indexes for much greater performance (again!).
> > > - Added preliminary support for per-user filters (see USER_FILTERS
> > > file).
> > > - Added the ability to view quarantined items.
> > > - All tables now enable a pager when returning more than 50
> > rows and allow
> > > ordering by any of the displayed columns.
> > > - New tool to run SpamAssassin --lint and time the output
> > for debugging
> > SA.
> > > - New F-Secure status page (like Sophos).
> > > - Required PEAR modules now included.
> > > - Added reporting of Blacklisted mails.
> > > - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted
> > e-mails.
> > > - Quoted printable strings are now automatically decoded before
> > > display.
> > > - Configuration options moved from functions.php into conf.php
> > > - Automatically works out VIRUS_REGEX by using the first value in
> > > MailScanner.conf - e.g. 'Virus Scanners = sophossavi
> > clamavmodule' would
> > > activate the regexp for SophosSAVI.
> > > - New 'Virus Report' allows comparison of multiple scanners
> > (if you run
> > > more than one) and allows you to see 1st detection
> > date/time of each
> > > virus by each scanner.
> > > - Integration with Fortress Systems Secure Mail Gateway.
> > >
> > > FIXES
> > > - Multiple clean-ups of mailq.php to make it more robust.
> > > - Greatly improved debugging of SQL statements.
> > > - Quarantine now correctly looks in the non-spam quarantine
> > > directories.
> > > - SA Rules Description Update now reads custom rules as well.
> > > - sendmail_relay.php now works across log rotations.
> > > - Increased memory_limit to 128M for quarantine functions.
> > >
> > > Kind regards,
> > > Steve.
> > >
> > > --
> > > MailWatch for MailScanner
> > > http://mailwatch.sourceforge.net
> > >
> > > --
> > > This email and any files transmitted with it are confidential and
> > > intended solely for the use of the individual or entity to
> > whom they
> > > are addressed. If you have received this email in error
> > please notify
> > > the sender and delete the message from your mailbox.
> > >
> > > This footnote also confirms that this email message has
> > been swept by
> > > MailScanner (www.mailscanner.info) for the presence of computer
> > > viruses.
> >
>
> --
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the sender and delete the message from your mailbox.
>
> This footnote also confirms that this email message has been swept by
> MailScanner (www.mailscanner.info) for the presence of computer viruses.

From jdavis at CS.ARIZONA.EDU Tue Feb 3 22:35:38 2004
From: jdavis at CS.ARIZONA.EDU (Jim Davis)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To: <40201E87.8040702@netspace.net.au>
References: <40201E87.8040702@netspace.net.au>
Message-ID: <4020223A.90603@cs.arizona.edu>

Roddy Strachan wrote:
> Hi,
>
> Just installed Mailscanner on Freebsd 5.1, however have ran into some
> problems.
>
> I followed the install.FREEBSD instructions, however on system startup,
> i get
>
> Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root):
> opendaemonsocket: daemon MTA: cannot bind: Address already in use

Sounds like you already have a sendmail process running, so port 25 is already in use.

On my 4.9 system, I ended up putting

sendmail_enable="YES"
sendmail_flags="-L sm-mta -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in"

in /etc/rc.conf, and then also ran

/usr/sbin/sendmail -q15m

(by hand, though I should put that in /usr/local/etc/rc.d or something).

Then restart sendmail (ie, cd /etc/mail; sudo make restart) and you should see something like

109 ?? Is 0:00.09 sendmail: Queue runner@00:30:00 for /var/spool/client
167 ?? Ss 0:29.89 sendmail: accepting connections (sendmail)
52737 ?? Is 0:00.01 sendmail: Queue runner@00:15:00 for /var/spool/mqueue

if you run a ps -ax | grep sendmail

From rzewnickie at RFA.ORG Tue Feb 3 22:47:11 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:18 2006
Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current
In-Reply-To:
References:
Message-ID: <20040203224710.GG5626@rfa.org>

After further thought, I think someone (possibly myself, possibly not ...) ran the old simple script that just dumped the .dat's in /usr/local/uvscan/ thereby overwriting the links created by your autoupdate script. I have since banished that script to avoid any such future mishaps.

Thanks Tony,
Eric Rz.

On Tue, Feb 03, 2004 at 06:33:35PM +0000, Tony Finch wrote:
> Eric Dantan Rzewnicki wrote:
> >
> >Thank you for clearing this up. I'm still puzzled as to why they weren't
> >created when I first ran the script, but it seems to be ok now.
>
> You might have splatted them afterwards, e.g. by reinstalling uvscan.
>
> Tony.
> --
> f.a.n.finch http://dotat.at/
> THE WASH TO NORTH FORELAND: SOUTHWEST 6 TO GALE 8. RAIN AT TIMES. MODERATE OR
> GOOD. SLIGHT OR MODERATE, OCCASIONALLY ROUGH WELL OFFSHORE.

From raymond at PROLOCATION.NET Tue Feb 3 23:00:01 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To: <402022CC.2070805@netspace.net.au>
Message-ID:

Hi!

> Ok that brings me to the next question, in the install.FREEBSD it says
> to add certain lines to /etc/rc.conf
>
> sendmail_enable="YES"
> # MailScanner starts here
> mta_start_script="/opt/MailScanner/bin/rc.MailScanner start"
> MailScanner_incoming_queue="/var/spool/mqueue.in"
> MailScanner_queue_time="15m"
> MailScanner_check="/opt/MailScanner/bin/check_mailscanner"
> MailScanner_pidfile="/opt/MailScanner/var/MailScanner.pid"
> # MailScanner ends here
>
>
> Thats what my rc.conf looks like, should i make sendmail_enable=NO ?
> And then allow mailscanner to start it ?

I am no BSD hero but yes, it seems you now first start SM and then MS, and then it can't bind since there is already a SM process running on port 25.

Bye,
Raymond.

From martyn at INVICTAWIZ.COM Tue Feb 3 23:01:31 2004
From: martyn at INVICTAWIZ.COM (Martyn Routley)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To: <4020223A.90603@cs.arizona.edu>
Message-ID:

I use 2 cute scripts which run from /usr/local/etc/rc.d, I can't remember where they came from.
One is called mta.sh and starts/stops/restarts sendmail.
The other (unsurprisingly) is called mailscanner.sh and does the same for mailscanner.

I don't have any references to MS in /etc/rc.conf and I have
sendmail_enable="NO"

I can't get at them at the moment, but if they are wanted, let me know.

Martyn Routley
-----------------------------------------------------------------
InvictaWiz - The Internet in Plain English, Guaranteed
http://www.invictawiz.com
martyn@invictawiz.com
phone: 08707 440180
fax: 08707 440181
Ask us about our online Antivirus and Junk mail scanning service.
Ask us how you could save money on your telephone bill.
-----------------------------------------------------------------

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jim Davis
Sent: 03 February 2004 22:36
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: [MAILSCANNER] Mailscanner & Freebsd

Roddy Strachan wrote:
> Hi,
>
> Just installed Mailscanner on Freebsd 5.1, however have ran into some
> problems.
>
> I followed the install.FREEBSD instructions, however on system startup,
> i get
>
> Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root):
> opendaemonsocket: daemon MTA: cannot bind: Address already in use

Sounds like you already have a sendmail process running, so port 25 is already in use.

On my 4.9 system, I ended up putting

sendmail_enable="YES"
sendmail_flags="-L sm-mta -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in"

in /etc/rc.conf, and then also ran

/usr/sbin/sendmail -q15m

(by hand, though I should put that in /usr/local/etc/rc.d or something).

Then restart sendmail (ie, cd /etc/mail; sudo make restart) and you should see something like

109 ?? Is 0:00.09 sendmail: Queue runner@00:30:00 for /var/spool/client
167 ?? Ss 0:29.89 sendmail: accepting connections (sendmail)
52737 ?? Is 0:00.01 sendmail: Queue runner@00:15:00 for /var/spool/mqueue

if you run a ps -ax | grep sendmail

-----------------------------------------------------------------------------
This message has been scanned for viruses and
dangerous content by the http://www.anti84787.com
MailScanner, and is believed to be clean.
-----------------------------------------------------------------------------

From roddy at NETSPACE.NET.AU Tue Feb 3 23:22:38 2004
From: roddy at NETSPACE.NET.AU (Roddy Strachan)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To:
References:
Message-ID: <40202D3E.6030907@netspace.net.au>

Thanks for the help guys.

Looks like it's working, however am still getting cannot bind messages, but it still sends mail and receives it and mainly scans it, so i'll leave it as is :).

Thanks

Martyn Routley wrote:

> I use 2 cute scripts which run from /usr/local/etc/rc.d, I can't remember
> where they came from.
> One is called mta.sh and starts/stops/restarts sendmail.
> The other (unsurprisingly) is called mailscanner.sh and does the same for
> mailscanner.
>
> I don't have any references to MS in /etc/rc.conf and I have
> sendmail_enable="NO"
>
> I can't get at them at the moment, but if they are wanted, let me know.
>
>
> Martyn Routley
> -----------------------------------------------------------------
> InvictaWiz - The Internet in Plain English, Guaranteed
> http://www.invictawiz.com
> martyn@invictawiz.com
> phone: 08707 440180
> fax: 08707 440181
> Ask us about our online Antivirus and Junk mail scanning service.
> Ask us how you could save money on your telephone bill.
> -----------------------------------------------------------------
>
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Jim Davis
> Sent: 03 February 2004 22:36
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Mailscanner & Freebsd
>
>
> Roddy Strachan wrote:
>
>>Hi,
>>
>>Just installed Mailscanner on Freebsd 5.1, however have ran into some
>>problems.
>>
>>I followed the install.FREEBSD instructions, however on system startup,
>>i get
>>
>>Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root):
>>opendaemonsocket: daemon MTA: cannot bind: Address already in use
>
>
> Sounds like you already have a sendmail process running, so port 25 is
> already in use.
>
> On my 4.9 system, I ended up putting
>
> sendmail_enable="YES"
> sendmail_flags="-L sm-mta -bd -OPrivacyOptions=noetrn
> -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in"
>
> in /etc/rc.conf, and then also ran
>
> /usr/sbin/sendmail -q15m
>
> (by hand, though I should put that in /usr/local/etc/rc.d or something).
>
> Then restart sendmail (ie, cd /etc/mail; sudo make restart) and you
> should see something like
>
> 109 ?? Is 0:00.09 sendmail: Queue runner@00:30:00 for
> /var/spool/client
> 167 ?? Ss 0:29.89 sendmail: accepting connections (sendmail)
> 52737 ?? Is 0:00.01 sendmail: Queue runner@00:15:00 for
> /var/spool/mqueue
>
> if you run a ps -ax | grep sendmail
>
>
> ----------------------------------------------------------------------------
> -
> This message has been scanned for viruses and
> dangerous content by the http://www.anti84787.com
> MailScanner, and is believed to be clean.
> ----------------------------------------------------------------------------
> -
>

From ugob at CAMO-ROUTE.COM Wed Feb 4 00:52:17 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108B1@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Roddy Strachan [mailto:roddy@NETSPACE.NET.AU]
> Sent: Tuesday, February 03, 2004 6:23 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mailscanner & Freebsd
>
>
> Thanks for the help guys.
>
> Looks like its working, however am still getting cannot bind messages,
> but it still sends mail and receives it and mainly scans it, so i'll
> leave it as is :).

It is probably your standalone sendmail that is trying to start. Can you see mailscanner's headers in your messages? If not, standalone sendmail starts but not mailscanner's. You must disable standalone sendmail and let mailscanner start its instance.

hth

Ugo

>
> Thanks
>
>
> Martyn Routley wrote:
>
> > I use 2 cute scripts which run from /usr/local/etc/rc.d, I
> can't remember
> > where they came from.
> > One is called mta.sh and starts/stops/restarts sendmail.
> > The other (unsurprisingly) is called mailscanner.sh and
> does the same for
> > mailscanner.
> >
> > I don't have any references to MS in /etc/rc.conf and I have
> > sendmail_enable="NO"
> >
> > I can't get at them at the moment, but if they are wanted,
> let me know.
> >
> >
> > Martyn Routley
> > -----------------------------------------------------------------
> > InvictaWiz - The Internet in Plain English, Guaranteed
> > http://www.invictawiz.com
> > martyn@invictawiz.com
> > phone: 08707 440180
> > fax: 08707 440181
> > Ask us about our online Antivirus and Junk mail scanning service.
> > Ask us how you could save money on your telephone bill.
> > -----------------------------------------------------------------
> >
> >
> >
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Jim Davis
> > Sent: 03 February 2004 22:36
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: [MAILSCANNER] Mailscanner & Freebsd
> >
> >
> > Roddy Strachan wrote:
> >
> >>Hi,
> >>
> >>Just installed Mailscanner on Freebsd 5.1, however have ran
> into some
> >>problems.
> >>
> >>I followed the install.FREEBSD instructions, however on
> system startup,
> >>i get
> >>
> >>Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root):
> >>opendaemonsocket: daemon MTA: cannot bind: Address already in use
> >
> >
> > Sounds like you already have a sendmail process running, so
> port 25 is
> > already in use.
> >
> > On my 4.9 system, I ended up putting
> >
> > sendmail_enable="YES"
> > sendmail_flags="-L sm-mta -bd -OPrivacyOptions=noetrn
> > -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in"
> >
> > in /etc/rc.conf, and then also ran
> >
> > /usr/sbin/sendmail -q15m
> >
> > (by hand, though I should put that in /usr/local/etc/rc.d
> or something).
> >
> > Then restart sendmail (ie, cd /etc/mail; sudo make restart) and you
> > should see something like
> >
> > 109 ?? Is 0:00.09 sendmail: Queue runner@00:30:00 for
> > /var/spool/client
> > 167 ?? Ss 0:29.89 sendmail: accepting connections
> (sendmail)
> > 52737 ?? Is 0:00.01 sendmail: Queue runner@00:15:00 for
> > /var/spool/mqueue
> >
> > if you run a ps -ax | grep sendmail
> >
> >
> >
> --------------------------------------------------------------
> --------------
> > -
> > This message has been scanned for viruses and
> > dangerous content by the http://www.anti84787.com
> > MailScanner, and is believed to be clean.
> >
> --------------------------------------------------------------
> --------------
> > -
> >
>

From postmaster at codestone.sphereosoft.net Wed Feb 4 07:40:15 2004
From: postmaster at codestone.sphereosoft.net (MailScanner)
Date: Thu Jan 12 21:22:18 2006
Subject: Unsolicited commercial email rejected
Message-ID: <200402040740.i147eFU06445@codestone.sphereosoft.net>

Our UCE (spam) detectors have been triggered by a message you sent:-
To: adam@sfogs.com
Subject: Status
Date: Wed Feb 4 15:40:15 2004

This message has been rejected. The detector that triggered is SpamAssassin.

The content of your message indicates that it is probably spam e-mail, which is why it has been rejected.

We do not accept unsolicited commercial (spam) e-mail and actively work to stop it. If you are sending spam and continue to do so, your Internet Service Provider may be contacted and requested to close your account.

If you have any questions about this, or you believe you have received this message in error, please contact the site system administrators.

--
MailScanner
Email Virus Scanner
www.mailscanner.info
Mailscanner thanks transtec Computers for their support

From oldmaxgit at YAHOO.COM Wed Feb 4 07:34:20 2004
From: oldmaxgit at YAHOO.COM (Miserable Old Git)
Date: Thu Jan 12 21:22:18 2006
Subject: Spamcop not working
Message-ID:

Doing a search of the archive I found a similar question asked but I cannot find a resolution, apologies if I have missed it.

I am using MailScanner 4.25-11 and SpamAssassin 2.60 on a RaQ4

Problem :
Spam is getting through which has come from IP numbers which are listed on Spamcop (maybe listed on others too but I've not found them).

In mailscanner.conf I have :
Spam Checks = yes
Spam List = ORDB-RBL Infinite-Monkeys spamcop.net

And in spam.lists.conf I have :
ORDB-RBL relays.ordb.org.
spamhaus.org sbl.spamhaus.org.
spamcop.net bl.spamcop.net.
Infinite-Monkeys proxies.relays.monkeys.com.

I notice that under "Spam List" in the page about mailscanner.conf says "These lists are based on the numeric IP address of the server that sent the message to your MailScanner server."

My implementation involves an extra hop for email directly before the server which is running Mailscanner. If Spamcop is only ever checked against the previous IP, it will never find the IP listed.

If this is the case, is there a way to specify which hop is checked ?

Thanks in advance for any help you can offer.

Going quietly nuts !

From P.G.M.Peters at utwente.nl Wed Feb 4 07:57:21 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:18 2006
Subject: MailScanner.conf questions
In-Reply-To: <6.0.1.1.2.20040203174218.03f1bb88@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040203174218.03f1bb88@imap.ecs.soton.ac.uk>
Message-ID:

On Tue, 3 Feb 2004 17:44:20 +0000, you wrote:

>At 17:07 03/02/2004, you wrote:
>>1. In the web site about the MailScanner.conf it says (with some text
>>taking out) talking about spam.whitelist.rules:
>>Is Definitely Not Spam
>>You will probably want to include your own site (or your own site's IP
>>addresses) in this ruleset.
>>
>>Does that mean put:
>>From: *@domain.com or
>
>Yes, but it is even better to whitelist your IP addresses. You can put in
>IP addresses in any of the common syntaxes for specifying netblocks.

Yes, but only when you are absolutely sure no system on your network is ever going to send spam.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at utwente.nl Wed Feb 4 08:00:03 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:18 2006
Subject: rant about anti-virus and spam, MS flamed
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EDA4@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264EDA4@CITY-EXCH-NTS>
Message-ID: <5i9120l21g78g6of72flguh65iohu5lftv@4ax.com>

On Tue, 3 Feb 2004 09:19:14 -0900, you wrote:

>Sadly, the onus has to be on the AV companies at this point and I'm not
>holding my breath that they're ever gonna read my humble suggestion. But I
>dunno - maybe someone from that universe does follow this list. Guess I
>better patent the idea quick!

I think the most chance of implementing this would be from the people of clamav. If the technicians of the vendors see it as a good feature, the sales will forbid it because they will lose a lot of free publicity.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Wed Feb 4 08:43:35 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:18 2006
Subject: Spamcop not working
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040204084247.0821b6c0@imap.ecs.soton.ac.uk>

At 07:34 04/02/2004, you wrote:
>Doing a search of the archive I found a similar question asked but I cannot
>find a resolution, apologies if I have missed it.
>
>I am using MailScanner 4.25-11 and SpamAssassin 2.60 on a RaQ4
>
>Problem :
>Spam is getting through which has come from IP numbers which are listed on
>Spamcop (maybe listed on others too but I've not found them).
>
>
>In mailscanner.conf I have :
>Spam Checks = yes
>Spam List = ORDB-RBL Infinite-Monkeys spamcop.net
>
>And in spam.lists.conf I have :
>ORDB-RBL relays.ordb.org.
>spamhaus.org sbl.spamhaus.org.
>spamcop.net bl.spamcop.net.
>Infinite-Monkeys proxies.relays.monkeys.com.
>
>
>
>I notice that under "Spam List" in the page about mailscanner.conf
>says "These lists are based on the numeric IP address of the server that
>sent the message to your MailScanner server."
>
>My implementation involves an extra hop for email directly before the
>server which is running Mailscanner, If Spamcop is only ever checked
>against the previous IP, it will never find the IP listed.

That is indeed what is happening.

>If this is the case, is there a way to specify which hop is checked ?

No, but SpamAssassin checks all the hops. If you find the rules relating to spamcop, you could increase their scores so they have more influence.

>Thanks in advance for any help you can offer.
>
>Going quietly nuts !

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lenaig at WANADOO.FR Wed Feb 4 09:30:00 2004
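Added example (not part of the original thread, and not MailScanner or SpamAssassin code): the "Spamcop not working" exchange above turns on which hop a DNS blocklist check sees. This Python code walks the Received headers newest first, skips the site's own relay, and builds the reversed-octet DNSBL query for the first outside host. The sample message, its addresses, the trusted network and all function names are constructed for illustration; bl.spamcop.net. is the zone from the poster's spam.lists.conf.

```python
import email
import ipaddress
import re
import socket

# Constructed sample (documentation addresses): 192.0.2.10 is the site's own
# relay, i.e. the "extra hop"; 203.0.113.45 is the host that handed it the mail.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby scanner.example.net with ESMTP id CONSTRUCTED01;
\tWed, 4 Feb 2004 07:40:15 GMT
Received: from unknown (HELO mail.sender.example) ([203.0.113.45])
\tby relay.example.net with SMTP; Wed, 4 Feb 2004 07:40:10 GMT
Received: from [10.1.2.3] by mail.sender.example; Wed, 4 Feb 2004 07:40:01 GMT
From: someone@sender.example
Subject: Status

body
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Return one entry per Received header, newest first (None if no IP)."""
    headers = email.message_from_string(raw_message).get_all("Received") or []
    hops = []
    for value in headers:
        match = BRACKETED_IPV4.search(value)
        try:
            hops.append(str(ipaddress.ip_address(match.group(1))) if match else None)
        except ValueError:  # bracketed text that is not a valid address
            hops.append(None)
    return hops


def first_untrusted_hop(raw_message, trusted_networks):
    """IP of the host that handed the mail to the outermost trusted relay.

    Each Received header is written by the host that accepted the mail, so
    only headers added by our own machines can be believed. Stop at the first
    client IP outside trusted_networks and never look below it: those lines
    were supplied by the sender. With no trusted networks this returns the
    connecting host, which is what a connecting-IP-only check sees.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    for hop in received_ips(raw_message):
        if hop is None:
            return None  # chain cannot be followed any further
        if not any(ipaddress.ip_address(hop) in net for net in trusted):
            return hop
    return None


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone (DNSBL convention)."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".")


def is_listed(ip, zone, resolver=socket.gethostbyname):
    """True if the blocklist answers with an address in 127.0.0.0/8."""
    try:
        answer = resolver(dnsbl_query_name(ip, zone))
    except OSError:  # socket.gaierror (no such name) means "not listed"
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def constructed_resolver(name):
    """Offline stand-in for DNS: lists only 203.0.113.45 (constructed data)."""
    if name == "45.113.0.203.bl.spamcop.net":
        return "127.0.0.2"
    raise socket.gaierror("NXDOMAIN (constructed)")


if __name__ == "__main__":
    zone = "bl.spamcop.net."
    for label, nets in (("connecting host only:", []),
                        ("skipping own relay:", ["192.0.2.0/24"])):
        ip = first_untrusted_hop(SAMPLE, nets)
        print(label, ip, "listed =", is_listed(ip, zone, constructed_resolver))
```

Run against the sample, the connecting-host check tests the site's own relay and finds nothing, while the relay-aware check tests 203.0.113.45; the 10.1.2.3 line below it is never consulted because the sender wrote it.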
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629274108B1@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629274108B1@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <20040204093000.GA1792@maelenn>

I am running sendmail/mailscanner on freebsd 5.1 box too ... (i am not alone hurra !! )

What people told me, is that it should be mailscanner who start sendmail ... but for me, it never works ....

Now i am using MTA.sh to start sendmail correctly ... But i do not know where i should see Mailscanner header ..??

/etc/rc.conf :
sendmail_enable="NONE"
sendmail_outbound_enable="YES"
sendmail_submit_enable="YES"
sendmail_msp_queue_enable="YES"

thx

--
Thierry
Never do an "apt-get install new-wife" before an "apt-get remove --purge current-wife"

From mailscanner at ecs.soton.ac.uk Wed Feb 4 09:41:21 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:18 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To: <6.0.1.1.2.20040202180427.037198c8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <401E656B.16959.13A0CE4@localhost> <6.0.1.1.2.20040202180427.037198c8@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040204093642.08455e48@imap.ecs.soton.ac.uk>

At 18:05 02/02/2004, you wrote:
>At 17:57 02/02/2004, you wrote:
>>Gee...
>>
>>FWIW, it happened a couple of centuries ago, but I recall having serious
>>trouble making Perl's flock() work on Solaris... same situation, all
>>development done under linux without a hitch and Solaris ignored all the
>>locking... and it wasn't an interoperability problem, since I was
>>competing against my own script...
>>
>>The point is I don't quite remember what we did to solve it (we is an
>>understatement, since it wasn't me programming, I was just the
>>designer)... it must have been perl 5.6.x and Solaris 7, but I'm not sure
>>either...
>>
>>Seems like you'll need a Solaris box to test it thoroughly... I wouldn't
>>even trust Solaris-x86 to behave identically to Solaris-Sparc :-(
>
>I've got an Ultra-5 so I can do a real test. If necessary, I can build a
>Solaris-x86 box too. But as you say, the best place to try it is a real sparc.

I have found the problem. Attached is a very short patch to SA.pm. This should let you enable the "Rebuild Bayes Every" feature that does scheduled Bayes database rebuilds.

If you turn this feature on in MailScanner.conf, you will want to set

bayes_auto_expire 0

in your spam.assassin.prefs.conf to disable the (unsuccessful) attempts at letting SpamAssassin rebuild its Bayes database when it feels like it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SA.pm.patch Type: application/octet-stream Size: 960 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040204/52e561af/SA.pm.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Jan-Peter.Koopmann at SECEIDOS.DE Wed Feb 4 09:56:49 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:18 2006 Subject: Mailscanner & Freebsd Message-ID: Hi Roddy, you did not use the port did you? Try /usr/ports/mail/mailscanner (or mailscanner-devel if you want the latest beta). Moreover have a look here: http://www.sng.ecs.soton.ac.uk/mailscanner/FreeBSD.html Regards, JP From Jan-Peter.Koopmann at SECEIDOS.DE Wed Feb 4 09:58:00 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:18 2006 Subject: Mailscanner & Freebsd Message-ID: Hi Martyn, > I use 2 cute scripts which run from /usr/local/etc/rc.d, I > can't remember where they came from. I do. They are mine and they are part of the FreeBSD port! Disable all MTA stuff in rc.conf and simply use those start/stop scripts. :-) Regards, JP From alan at ESSEX.AC.UK Wed Feb 4 09:56:59 2004 
From: alan at ESSEX.AC.UK (Stanier, Alan M)
Date: Thu Jan 12 21:22:18 2006
Subject: Curious behaviour of MyDoom
Message-ID: <811D385AE1CEBB42839C50DF0B0D38E04D7D53@sernt4.essex.ac.uk>

Hi

We have two SMTP servers. Our statistics show that roughly 2/3 of mail comes in through smtp0, and 1/3 through smtp1. And until recently, 2/3 of the spam came in through smtp0, and 2/3 of the virus-infected mail, as I would expect.

But our logs show that about 50% of MyDoom-A is coming through smtp0, and 50% through smtp1.

Has anyone else seen such behaviour? And can anyone explain why it happens ... I can only think that MyDoom gets the MX records of sites, and load balances between all the SMTP servers, but why?

Alan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040204/5efa46f5/attachment.html

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Feb 4 10:01:40 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
Message-ID:

> I am running sendmail/mailscanner on freebsd 5.1 box too ...
> (i am not alone hurra !! ) What people told me, is that it
> should be mailscanner who start sendmail ... but for me, it

That is not entirely correct. You need several things:

1. An incoming MTA (Sendmail/Exim) instance that runs independently of MailScanner, accepts incoming mail and puts it in the inbound queue only. It must be configured in a way that it does NOT deliver mail itself.

2. A queue runner MTA which tries to deliver mail that is already in the outbound queue in case the first delivery attempt failed.

3. In the standard mailscanner config, mailscanner will scan your mail and if it is supposed to be delivered it will move the mail to the outbound queue and will run a separate instance of your MTA to deliver that mail.

You are responsible for running part 1 and part 2. The mta.sh script in /usr/local/etc/rc.d will take care of this. MailScanner itself only takes care of part 3!

Regards,
JP

From pmb1 at YORK.AC.UK Wed Feb 4 10:23:25 2004
From: pmb1 at YORK.AC.UK (Mike Brudenell)
Date: Thu Jan 12 21:22:18 2006
Subject: Spamcop not working
In-Reply-To:
References:
Message-ID: <2147483647.1075890205@pippin.york.ac.uk>

Greetings -

Just to reiterate past advice...

--On Wednesday, February 4, 2004 7:34 am +0000 Miserable Old Git wrote:

> spamhaus.org sbl.spamhaus.org.

Consider switching to using the combined SBL and XBL database, which is even more effective:

> Infinite-Monkeys proxies.relays.monkeys.com.

The Infinite Monkeys database closed down in the Autumn of last year. You should remove it from your list. (Using the Spamhaus XBL will be a useful replacement.)

Cheers,
Mike Brudenell

--
The Computing Service, University of York, Heslington, York Yo10 5DD, UK
Tel:+44-1904-433811 FAX:+44-1904-433740

* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *

From lenaig at WANADOO.FR Wed Feb 4 10:31:25 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To:
References:
Message-ID: <20040204103125.GA2305@maelenn>

On 04/02/04 11:01, Jan-Peter Koopmann wrote:
> > I am running sendmail/mailscanner on freebsd 5.1 box too ...
> > (i am not alone hurra !! ) What people told me, is that it
> > should be mailscanner who start sendmail ... but for me, it
>
> That is not entirely correct. You need several things:
>
> 1. An incoming MTA (Sendmail/Exim) instance that runs independently of MailScanner, accepts incoming mail and puts it in the inbound queue only. It must be configured in a way that it does NOT deliver mail itself.
>

Could you please give more information about this point : configured in a way that it does NOT deliver mail itself ?
How do you do it ?

--
Thierry
Never do an "apt-get install new-wife" before an "apt-get remove --purge current-wife"

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Feb 4 10:48:33 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:19 2006
Subject: Mailscanner & Freebsd
Message-ID:

> Could you please give more informations about this point :
> configured in a way that it does NOT deliver mail itself ?
> How do you do it ?

What MTA are you using? If you are using exim:

http://www.sng.ecs.soton.ac.uk/mailscanner/install/exim.shtml (Deferring incoming messages).

Postfix:
http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml

Sendmail:
http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml (have a look for -ODeliveryMode=queueonly)

I really want to help you, Thierry, but please do me a favour and at least have a look at the information I am giving you. I already sent you these links together with a few questions a week ago... No answers yet.

Regards,
JP

From lenaig at WANADOO.FR Wed Feb 4 10:55:30 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:19 2006
Subject: Mailscanner & Freebsd
In-Reply-To:
References:
Message-ID: <20040204105530.GA2574@maelenn>

yes, that's right, i forgot to tell you that sendmail was working well ...
I am using mta.sh and mailscanner.sh ...

so it's using :

incoming_args="-L sm-mta-in -bd \
-OPrivacyOptions=noetrn \
-OQueueDirectory=${incoming_queue} \
-ODeliveryMode=queueonly \
-OPidFile=${inpidfile}"

so no pb ....

Thx

--
Thierry
Never do an "apt-get install new-wife" before an "apt-get remove --purge current-wife"

From k.raven at FREENET.DE Wed Feb 4 11:42:29 2004
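The queue-only arrangement discussed in this thread, as an added example that is not part of any post and not code from the FreeBSD port: a checker for the incoming sendmail instance's arguments, since an incoming instance that delivers on its own, or shares the outbound queue, hands mail on without MailScanner seeing it. The function names and both queue paths are assumptions; the sample argument string is constructed from the one quoted above with its shell variables filled in.

```python
import shlex

# Constructed sample: the incoming-instance arguments quoted in the thread,
# with the shell variables replaced by assumed paths.
INCOMING_ARGS = (
    "-L sm-mta-in -bd -OPrivacyOptions=noetrn "
    "-OQueueDirectory=/var/spool/mqueue.in "
    "-ODeliveryMode=queueonly -OPidFile=/var/run/sendmail.in.pid"
)
OUTBOUND_QUEUE = "/var/spool/mqueue"  # assumed outbound queue directory


def parse_sendmail_args(argstr):
    """Split a sendmail argument string into (flags, options)."""
    flags, options = set(), {}
    words = shlex.split(argstr)
    i = 0
    while i < len(words):
        word = words[i]
        if word == "-O" and i + 1 < len(words):
            i += 1
            word = "-O" + words[i]              # "-O Name=value" form
        if word.startswith("-O") and "=" in word:
            name, value = word[2:].split("=", 1)
            options[name] = value
        elif word.startswith("-od") and len(word) > 3:
            options["DeliveryMode"] = word[3:]  # short form, e.g. -odq
        elif word == "-L":
            i += 1                              # skip the syslog label
        elif word.startswith("-"):
            flags.add(word)
        i += 1
    return flags, options


def check_incoming(argstr, outbound_queue):
    """Return the problems that would let mail bypass the scanner."""
    flags, options = parse_sendmail_args(argstr)
    problems = []
    if "-bd" not in flags:
        problems.append("not started as an SMTP daemon (-bd missing)")
    mode = options.get("DeliveryMode", "")
    # This check accepts "queueonly" and abbreviations beginning with q.
    if not mode.lower().startswith("q"):
        problems.append(
            "DeliveryMode is %s, not queueonly: mail may be delivered "
            "before it is scanned" % (mode or "unset"))
    queue_dir = options.get("QueueDirectory")
    if queue_dir is None:
        problems.append("QueueDirectory not set: no separate inbound queue")
    elif queue_dir.rstrip("/") == outbound_queue.rstrip("/"):
        problems.append("incoming and outbound queues are the same directory")
    return problems


if __name__ == "__main__":
    for args in (INCOMING_ARGS, "-bd -q15m"):
        found = check_incoming(args, OUTBOUND_QUEUE)
        print(args)
        print("  OK" if not found else "  " + "\n  ".join(found))
```
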
From: k.raven at FREENET.DE (Kai Raven)
Date: Thu Jan 12 21:22:19 2006
Subject: RulesDuJour
In-Reply-To: <20040203220413.7465E21C13F@mail.fsl.com>
References: <20040203212319.6AE9D21C142@mail.fsl.com> <20040203220413.7465E21C13F@mail.fsl.com>
Message-ID: <20040204124229.2a297707@raven.localdomain.intern>

Hi Stephen,

On Tue, 3 Feb 2004 17:04:13 -0500 you wrote:

> If you haven't changed the rules_du_jour defaults, the rules will be
> downloaded into the /etc/mail/spamassassin directory.

I have used the rules_du_jour file, modified by Gerry Doris
http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0401&L=mailscanner&P=R50073&I=-1
and yes, SA_DIR refers to the /etc/mail/spamassassin directory

> If you haven't changed the MailScanner defaults, they will be read
> from/etc/mail/spamassassin directory and used when MailScanner calls
> the SpamAssassin routines.

Yes, from my MailScanner.conf:
SpamAssassin Site Rules Dir = /etc/mail/spamassassin

And I think it works (after i have copied the rules from the rules_du_jour dir):

X-MailScanner-SpamCheck: spam, SpamAssassin(Wertung=34.59, benoetigt 3, J_CHICKENPOX_110 0.60,TW_CN 0.08, TW_GB 0.08, TW_GD 0.08, TW_IK 0.08(...)

> The fact that your rules live in /etc/mail/spamassassin/rules_du_jour
> directory indicates that the spamassassin --lint command is failing

mmh, spamassassin --lint works from the command line.

> and the downloaded rules are being backed out and stored in
> /etc/mail/spamassassin/rules_du_jour.

I wrote it was *the first run*, so i haven't any rules like bigevil, tripwire etc. before the run. I think, the script will do an update the next run, if a rule has changed(?), because i have copied the rules from the rules_du_jour directory to the parent directory so the script can compare them(?)

> What happens when you run the rules_du_jour script from a command
> line. That should tell you what is happening.

I get the output for all rules:

Old rule.cf already existed in /etc/mail/spamassassin/RulesDuJour...
Retrieving file from http://www.somehost/rule.cf...
rule.cf was up to date (skipped downloading of http://www.somehost/rule.cf)...
No files updated; No restart required.

And sorry for the OT posting, but i saw in the MS-ML archive a lot of postings about custom SA rules and the rules_du_jour script so i thought it is OK to ask here on the list.

Nevertheless, thx for all responses :)

--
Ciao
Kai

HP: http://kai.iks-jena.de/
Blog: http://rabenhorst.blogg.de/
GnuPG-Key: 0x76C65282
ICQ:146714798

From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 4 12:03:33 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:19 2006
Subject: 200,000 downloads of MailScanner
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DD@jessica.herefordshire.gov.uk>

It would be interesting to know how many live sites use MailScanner.

Your graphs suggest it is around 11,000, but maybe some users aren't fastidious about upgrading to the latest version.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 03 February 2004 13:51
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: 200,000 downloads of MailScanner
>
>
> MailScanner has just passed the 200,000 downloads milestone!
>
> Many thanks to all of you for helping to spread the word and
> make my little
> bit of code possibly the most widely-used combined email
> virus scanner and
> spam detector in the world.
>
> Let's see how fast the web site can munch through the next 200,000 :-)
>
> Jules.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 4 12:08:05 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:19 2006
Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DE@jessica.herefordshire.gov.uk>

That's exactly what I did. :-)

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Tony Finch
> Sent: 03 February 2004 18:34
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: mcafee uvscan not using
> /usr/local/uvscan/datfiles/current
>
>
> Eric Dantan Rzewnicki wrote:
> >
> >Thank you for clearing this up. I'm still puzzled as to why
> they weren't
> >created when I first ran the script, but it seems to be ok now.
>
> You might have splatted them afterwards, e.g. by reinstalling uvscan.
>
> Tony.
> --
> f.a.n.finch http://dotat.at/
> THE WASH TO NORTH FORELAND: SOUTHWEST 6 TO GALE 8. RAIN AT
> TIMES. MODERATE OR
> GOOD. SLIGHT OR MODERATE, OCCASIONALLY ROUGH WELL OFFSHORE.
>

From mailscanner at ecs.soton.ac.uk Wed Feb 4 12:29:45 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: 200,000 downloads of MailScanner
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DD@jessica.herefords
 hire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DD@jessica.herefordshire.gov.uk>
Message-ID: <6.0.1.1.2.20040204122744.08637f20@imap.ecs.soton.ac.uk>

At 12:03 04/02/2004, you wrote:
>It would be interesting to know how many live sites use MailScanner.
>
>Your graphs suggest it is around 11,000, but maybe some users aren't
>fastidious about upgrading to the latest version.

Most people don't upgrade every version, you folks are in a minority. Based on the download figures, and knowing the number of people who contact me directly, and a guess on the proportion of users who would need to email me personally for help (which is small), my best guess is about 40,000 sites.

>Cheers,
>
>Phil
>
>---------------------------------------------
>Phil Randal
>Network Engineer
>Herefordshire Council
>Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Julian Field
> > Sent: 03 February 2004 13:51
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: 200,000 downloads of MailScanner
> >
> >
> > MailScanner has just passed the 200,000 downloads milestone!
> >
> > Many thanks to all of you for helping to spread the word and
> > make my little
> > bit of code possibly the most widely-used combined email
> > virus scanner and
> > spam detector in the world.
> >
> > Let's see how fast the web site can munch through the next 200,000 :-)
> >
> > Jules.
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From m.sapsed at BANGOR.AC.UK Wed Feb 4 12:42:36 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:19 2006
Subject: a ghost in filetype.rules.conf
References:
Message-ID: <4020E8BC.1060705@bangor.ac.uk>

Jeff A. Earickson wrote:
> I've been scratching my head on this one for several versions
> of MailScanner now. The head of our athletics dept (who uses a
> Mac) will send emails to other coaches, plain text. Two coaches
> who reply (they use Windows) sporadically get their replies rejected
> with:
>
> No programs allowed (msg-8402-111.txt)
>                          ^^^^^^^^
>                       numbers differ

Bear in mind that the information MailScanner puts into reports is a sanitised version that it generates from the actual attachment file name. Julian's heightened state of paranoia made him cautious about the possibility of a DoS or something in the actual filename. Check the mail logs - I think the actual filename appears in there somewhere and that may show up why it was blocked.

I've been bitten by this before!!

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From P.G.M.Peters at utwente.nl Wed Feb 4 12:48:49 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:19 2006
Subject: 200,000 downloads of MailScanner
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DD@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DD@jessica.herefordshire.gov.uk>
Message-ID:

On Wed, 4 Feb 2004 12:03:33 -0000, you wrote:

>It would be interesting to know how many live sites use MailScanner.

Perhaps changing the X-%site%-MailScanner-Information: header to "Scanned by MailScanner %version%. ..."

>Your graphs suggest it is around 11,000, but maybe some users aren't
>fastidious about upgrading to the latest version.

At least the new installations will show the version and people can contact organizations (they know people at) about upgrading.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 4 12:57:31 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:19 2006
Subject: 200,000 downloads of MailScanner
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4E3@jessica.herefordshire.gov.uk>

That's very impressive. Well done.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 04 February 2004 12:30
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: 200,000 downloads of MailScanner
>
>
> At 12:03 04/02/2004, you wrote:
> >It would be interesting to know how many live sites use MailScanner.
> >
> >Your graphs suggest it is around 11,000, but maybe some users aren't
> >fastidious about upgrading to the latest version.
>
> Most people don't upgrade every version, you folks are in a
> minority. Based
> on the download figures, and knowing the number of people who
> contact me
> directly, and a guess on the proportion of users who would
> need to email me
> personally for help (which is small), my best guess is about
> 40,000 sites.
>
>
> >Cheers,
> >
> >Phil
> >
> >---------------------------------------------
> >Phil Randal
> >Network Engineer
> >Herefordshire Council
> >Hereford, UK
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > > Behalf Of Julian Field
> > > Sent: 03 February 2004 13:51
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: 200,000 downloads of MailScanner
> > >
> > >
> > > MailScanner has just passed the 200,000 downloads milestone!
> > >
> > > Many thanks to all of you for helping to spread the word and
> > > make my little
> > > bit of code possibly the most widely-used combined email
> > > virus scanner and
> > > spam detector in the world.
> > >
> > > Let's see how fast the web site can munch through the
> next 200,000 :-)
> > >
> > > Jules.
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From mailscanner at ecs.soton.ac.uk Wed Feb 4 14:14:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: 200,000 downloads of MailScanner
In-Reply-To:
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DD@jessica.herefordshire.gov.uk>
Message-ID: <6.0.1.1.2.20040204141322.084b4bb0@imap.ecs.soton.ac.uk>

I am very against giving out exact version details to anyone who asks. Knowing the precise version number is a classic starting point for hackers as they know exactly what they are up against.

At 12:48 04/02/2004, you wrote:
>On Wed, 4 Feb 2004 12:03:33 -0000, you wrote:
>
> >It would be interesting to know how many live sites use MailScanner.
>
>Perhaps changing the X-%site%-MailScanner-Information: header to
>"Scanned by MailScanner %version%. ..."
>
> >Your graphs suggest it is around 11,000, but maybe some users aren't
> >fastidious about upgrading to the latest version.
>
>At least the new installations will show the version and people can
>contact organizations (they know people at) about upgrading.
>
>--
>Peter Peters, senior network administrator
>Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
>Universiteit Twente, Postbus 217, 7500 AE Enschede
>telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailing-oit at tttech.com Wed Feb 4 15:04:01 2004
From: mailing-oit at tttech.com (Christoph Resch)
Date: Thu Jan 12 21:22:19 2006
Subject: New installation -- and problems i never had
Message-ID: <200402041604.02066.mailing-oit@tttech.com>

Hello,

recently set up another debian-sarge with MS+SA using exim ...

the Virus and delivery part works fine, but I can't find out how to help SA to do its work

i run testmails with `date` as content and get fine response when parsing it on CLI ... so this works , but from within MS it seems that SA is not running properly ( i run MS with both debug-options and i get nothing useful on log)

i used packages to install both software , and then ( after this troubles ) reinstalled all important perl-mod via CPAN ..

i also changed in /usr/sbin/MailScanner the require-argument from 5.005 to 5.8.2 .. but that's not the problem

thanks for any suggestions

best regards to all

-c-

MS-delivered-test:
============

From ralexand at HOODINDUSTRIES.COM Wed Feb 4 15:06:17 2004
From: ralexand at HOODINDUSTRIES.COM (Richard Alexander)
Date: Thu Jan 12 21:22:19 2006
Subject: Updated MS/SA now i don't get the mailing list :(
Message-ID:

I updated my versions of MS/SA on Saturday afternoon and now I'm not receiving my daily MS list email. Anyone know of any issue with the list or why this might have happened? I went to the site and still shows me subscribed.

Thanks all for the upgrade advice that helped everything go smoothly.

From mailscanner at ecs.soton.ac.uk Wed Feb 4 15:17:25 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: Updated MS/SA now i don't get the mailing list :(
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040204151625.084743f8@imap.ecs.soton.ac.uk>

At 15:06 04/02/2004, you wrote:
>I updated my versions of MS/SA on Saturday afternoon and now I'm not
>receiving my daily MS list email. Anyone no of any issue with the list or
>why this might have happened. I went to the site and still shows me
>subscribed.
>
>Thanks all for the upgrade advice that helped everything go smoothly.

Try adding
From: *mailscanner@jiscmail.ac.uk yes
to your spam.whitelist.rules file and reload MailScanner.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailing-oit at tttech.com Wed Feb 4 15:36:00 2004
From: mailing-oit at tttech.com (Christoph Resch)
Date: Thu Jan 12 21:22:19 2006
Subject: New installation -- and problems i never had
In-Reply-To: <40210F55.30804@solid-state-logic.com>
References: <200402041604.02066.mailing-oit@tttech.com> <40210F55.30804@solid-state-logic.com>
Message-ID: <200402041636.00869.mailing-oit@tttech.com>

hi Martin, thanks for reply

well this debug looks quite fine to me ..

in the meantime i also fixed the home-dir of the user running exim & MS to a valid path ( there were some changes in the user-naming from mail to Debian-exim when upgrading to Debian-Sarge ) .. but no change to this behavior

it seems that from within MS , SA doesn't process any config :-/ .. config-file-permissions are ok ( readable ) .. maybe there are some files that are silently refused to be processed due to 'non-private' filepermissions ?? .. almost everything used for mail-delivery is owned by Debian-exim-user ( JFYI )

thanks

-c-

> hi
> When you say you see nothing useful in the debug, what do you see? Can
> you send the output?
>

Feb 4 16:22:16 tttprime MailScanner[10243]: MailScanner E-Mail Virus Scanner version 4.25-14 starting...
Feb 4 16:22:17 tttprime MailScanner[10243]: Enabling SpamAssassin auto-whitelist functionality...
Feb 4 16:22:18 tttprime MailScanner[10223]: Using locktype = posix
Feb 4 16:22:18 tttprime MailScanner[10223]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Feb 4 16:22:24 tttprime MailScanner[10175]: New Batch: Scanning 1 messages, 592 bytes
Feb 4 16:22:24 tttprime MailScanner[10175]: MCP Checks completed at 592 bytes per second
Feb 4 16:22:27 tttprime MailScanner[10243]: Using locktype = posix
Feb 4 16:22:27 tttprime MailScanner[10243]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Feb 4 16:22:33 tttprime MailScanner[10175]: Spam Checks completed at 65 bytes per second
Feb 4 16:22:33 tttprime MailScanner[10175]: Virus and Content Scanning: Starting
Feb 4 16:22:33 tttprime MailScanner[10175]: Virus Scanning completed at 592 bytes per second
Feb 4 16:22:33 tttprime MailScanner[10175]: Uninfected: Delivered 1 messages
Feb 4 16:22:33 tttprime MailScanner[10175]: Virus Processing completed at 592 bytes per second
Feb 4 16:22:33 tttprime MailScanner[10175]: Disinfection completed at 592 bytes per second
Feb 4 16:22:33 tttprime MailScanner[10175]: Batch completed at 65 bytes per second (592 / 9)

From martinh at SOLID-STATE-LOGIC.COM Wed Feb 4 15:42:48 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:19 2006
Subject: New installation -- and problems i never had
In-Reply-To: <200402041636.00869.mailing-oit@tttech.com>
References: <200402041604.02066.mailing-oit@tttech.com> <40210F55.30804@solid-state-logic.com> <200402041636.00869.mailing-oit@tttech.com>
Message-ID: <402112F8.5070001@solid-state-logic.com>

Chris

Ok like you say - nothing interesting there. Did you also enable the SA-debug a couple of lines after the main DEBUG line in MailScanner.conf. I get lot more info about the SA setup when I set that...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From mailing-oit at tttech.com Wed Feb 4 16:04:38 2004
From: mailing-oit at tttech.com (Christoph Resch)
Date: Thu Jan 12 21:22:19 2006
Subject: New installation -- and problems i never had
In-Reply-To: <402112F8.5070001@solid-state-logic.com>
References: <200402041604.02066.mailing-oit@tttech.com> <200402041636.00869.mailing-oit@tttech.com> <402112F8.5070001@solid-state-logic.com>
Message-ID: <200402041704.38202.mailing-oit@tttech.com>

> MailScanner.conf. I get lot more info about the SA setup when I set that...

;-) that's exactly my problem .. and absolutely no idea why .. shouldn't it look like the -D output of spamassassin

I attached my config also .. but i think its in the modules within

MS= 4.25.14-3
SA= 2.63

-c-

SYSLOG:
======
syslog says a bit more , but not really (both debug opts. are given )

Feb 4 16:50:05 tttprime MailScanner[13434]: MailScanner E-Mail Virus Scanner version 4.25-14 starting...
Feb 4 16:50:06 tttprime MailScanner[13434]: Enabling SpamAssassin auto-whitelist functionality...
Feb 4 16:50:14 tttprime MailScanner[13434]: lock.pl sees Config LockType = posix
Feb 4 16:50:14 tttprime MailScanner[13434]: lock.pl sees have_module = 0
Feb 4 16:50:14 tttprime MailScanner[13434]: Using locktype = posix
Feb 4 16:50:14 tttprime MailScanner[13434]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Feb 4 16:50:29 tttprime MailScanner[13434]: New Batch: Scanning 1 messages, 592 bytes
Feb 4 16:50:29 tttprime MailScanner[13434]: MCP Checks completed at 592 bytes per second
Feb 4 16:50:33 tttprime MailScanner[13434]: SpamAssassin returned 0
Feb 4 16:50:33 tttprime MailScanner[13434]: Spam Checks completed at 148 bytes per second
Feb 4 16:50:33 tttprime MailScanner[13434]: Created attachment dirs for 1 messages
Feb 4 16:50:34 tttprime MailScanner[13434]: Virus and Content Scanning: Starting
Feb 4 16:50:34 tttprime MailScanner[13434]: Commencing scanning by f-prot...
Feb 4 16:50:34 tttprime MailScanner[13434]: Completed scanning by f-prot
Feb 4 16:50:34 tttprime MailScanner[13434]: Completed checking by /usr/bin/ file
Feb 4 16:50:34 tttprime MailScanner[13434]: Virus Scanning completed at 592 bytes per second
Feb 4 16:50:34 tttprime MailScanner[13434]: About to deliver 1 messages
Feb 4 16:50:34 tttprime MailScanner[13434]: Uninfected: Delivered 1 messages
Feb 4 16:50:34 tttprime MailScanner[13434]: Virus Processing completed at 592 bytes per second
Feb 4 16:50:34 tttprime MailScanner[13434]: Disinfection completed at 592 bytes per second
Feb 4 16:50:34 tttprime MailScanner[13434]: Batch completed at 118 bytes per second (592 / 5)
Feb 4 16:50:34 tttprime MailScanner[13434]: MailScanner child dying of old age

#####################################################################
Full config :
#####################################################################

%report-dir% = /etc/MailScanner/reports/en
%etc-dir% = /etc/MailScanner
%rules-dir% = /etc/MailScanner/rules
%org-name% = TTT
Max Children = 5
Run As User = Debian-exim
Run As Group = Debian-exim
Queue Scan Interval = 5
Incoming Queue Dir = /var/spool/exim4_incoming/input
Outgoing Queue Dir = /var/spool/exim4_outgoing/input
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner/MailScanner.pid
Restart Every = 14400
MTA = exim
Sendmail = /usr/lib/sendmail -oMr MailScanner
Sendmail2 = /usr/sbin/exim -C /etc/exim/exim4_outgoing.conf -DMAILSCANNER_OUTGOING=On
Incoming Work User =
Incoming Work Group =
Incoming Work Permissions = 0600
Quarantine User =
Quarantine Group =
Quarantine Permissions = 0600
Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 1000
Maximum Attachments Per Message = 200
Expand TNEF = yes
Deliver Unparsable TNEF = no
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120
File Command = /usr/bin/file
File Timeout = 20
Maximum Message Size = 0
Maximum Attachment Size = -1
Virus Scanning = yes
Virus Scanners = f-prot
Virus Scanner Timeout = 300
Deliver Disinfected Files = yes
Silent Viruses = All-Viruses
Still Deliver Silent Viruses = yes
Block Encrypted Messages = no
Block Unencrypted Messages = no
Allowed Sophos Error Messages =
Sophos IDE Dir = /usr/local/Sophos/ide
Sophos Lib Dir = /usr/local/Sophos/lib
Monitors For Sophos Updates = /usr/local/Sophos/ide/*ides.zip
Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
Allow Partial Messages = no
Allow External Message Bodies = no
Allow IFrame Tags = no
Log IFrame Tags = no
Allow Form Tags = disarm
Allow Object Codebase Tags = no
Convert Dangerous HTML To Text = yes
Convert HTML To Text = no
Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf
Quarantine Infections = yes
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = no
Language Strings = %report-dir%/languages.conf
Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt
Deleted Bad Filename Message Report = %report-dir%/
deleted.filename.message.txt
Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt
Stored Bad Content Message Report = %report-dir%/stored.content.message.txt
Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt
Stored Virus Message Report = %report-dir%/stored.virus.message.txt
Disinfected Report = %report-dir%/disinfected.report.txt
Inline HTML Signature = %report-dir%/inline.sig.html
Inline Text Signature = %report-dir%/inline.sig.txt
Inline HTML Warning = %report-dir%/inline.warning.html
Inline Text Warning = %report-dir%/inline.warning.txt
Sender Content Report = %report-dir%/sender.content.report.txt
Sender Error Report = %report-dir%/sender.error.report.txt
Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
Sender Virus Report = %report-dir%/sender.virus.report.txt
Hide Incoming Work Dir = yes
Include Scanner Name In Reports = no
Mail Header = X-%org-name%-MailScanner:
Spam Header = X-%org-name%-MailScanner-SpamCheck:
Spam Score Header = X-%org-name%-MailScanner-SpamScore:
Spam Score Character = s
SpamScore Number Instead Of Stars = no
Clean Header Value = Found to be clean
Infected Header Value = Found to be infected
Disinfected Header Value = Disinfected
Information Header Value = Please contact the ISP for more information
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Multiple Headers = append
Hostname = MailScanner
Sign Messages Already Processed = no
Sign Clean Messages = no
Mark Infected Messages = yes
Mark Unscanned Messages = yes
Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
Deliver Cleaned Messages = yes
Notify Senders = no
Notify Senders Of Viruses = no
Notify Senders Of Blocked Filenames Or Filetypes = no
Notify Senders Of Other Blocked Content = no
Never Notify Senders Of Precedence = list bulk
Scanned Modify Subject = no # end
Scanned Subject Text = [::Scanned::]
Virus Modify Subject = yes
Virus Subject Text = [::Virus?::]
Filename Modify Subject = yes
Filename Subject Text = [::Filename?::]
Content Modify Subject = yes
Content Subject Text = [::Blocked Content::]
Spam Modify Subject = yes
Spam Subject Text = [::Spam?::]
High Scoring Spam Modify Subject = yes
High Scoring Spam Subject Text = [::Spam::]
Warning Is Attachment = yes
Attachment Warning Filename = %org-name%-Attachment-Warning.txt
Attachment Encoding Charset = ISO-8859-15
Archive Mail =
Send Notices = no
Notices Include Full Headers = no
Hide Incoming Work Dir in Notices = no
Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info
Notices From = MailScanner
Notices To = postmaster
Local Postmaster = postmaster
Spam List Definitions = %etc-dir%/spam.lists.conf
Virus Scanner Definitions = %etc-dir%/virus.scanners.conf
Spam Checks = yes
Spam List =
Spam Domain List =
Spam Lists To Reach High Score = 5
Spam List Timeout = 10
Max Spam List Timeouts = 7
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
Is Definitely Spam = %rules-dir%/spam.blacklist.rules
Definite Spam Is High Scoring = yes
Use SpamAssassin = yes
Max SpamAssassin Size = 90000
Required SpamAssassin Score = 6
High SpamAssassin Score = 20
SpamAssassin Auto Whitelist = yes
SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf
SpamAssassin Timeout = 40
Max SpamAssassin Timeouts = 20
Check SpamAssassin If On Spam List = yes
Always Include SpamAssassin Report = yes
Spam Score = yes
Spam Actions = striphtml attachment deliver
High Scoring Spam Actions = striphtml attachment deliver
Non Spam Actions = deliver
Sender Spam Report = %report-dir%/sender.spam.report.txt
Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt
Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt
Inline Spam Warning = %report-dir%/inline.spam.warning.txt
Syslog Facility = mail
Log Speed = yes
Log Spam = no
Log Permitted Filenames = no
Log Permitted Filetypes = no
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
SpamAssassin Install Prefix =
SpamAssassin Local Rules Dir = /etc/spamassassin
SpamAssassin Default Rules Dir = /usr/share/spamassassin
Use Default Rules With Multiple Recipients = yes
Debug = yes
Debug SpamAssassin = yes
Always Looked Up Last = no
Deliver In Background = yes
Delivery Method = queue
Split Exim Spool = no
Lockfile Dir = /tmp
Lock Type = posix
Minimum Code Status = supported

From sveinn at SVEINNG.COM Wed Feb 4 15:25:21 2004
From: sveinn at SVEINNG.COM (Sveinn G. Gunnarsson)
Date: Thu Jan 12 21:22:19 2006
Subject: FixMaliciousSubjects is cutting legim Subject lines.
In-Reply-To: <6.0.1.1.2.20040204093642.08455e48@imap.ecs.soton.ac.uk>
Message-ID: <200402041523.i14FNSwQ5906536@cg.c.is>

Hi Julian.

I have found that the FixMaliciousSubjects sub in SweepContent.pm is cutting
off non-exploit subject lines. These mails are sent from Lotus Notes server.
I have not seen this happening when receiving mail from other servers.

Here is a header-snip of one such email:

From: yy@yy.is
In-Reply-To:
Subject: Re: WinCABAS:
 =?iso-8859-1?Q?Bifei=F0averkst=E6=F0i_=C1rna_G=EDslasonar_hf=2C_MV128-02?=
 =?us-ascii?Q?=2E=2E?= =?iso-8859-1?Q?=ED__cabas=2C_G=F3l?=
To: xx@xx.is

I have disabled these three lines in SweepContent.pm to let these subjects
through, but a more elegant solution would be nice :)

# $newsubject =~ s/\s{20,}.*\..{1,4}\s*$//; # Delete file extensions at end of filename
# $newsubject =~ s/\s*$//g;
# $newsubject =~ s/\s{20,}//g;

Thanks in advance !

Sveinn G. Gunnarsson
UNIX Specialist

Og Vodafone
Sidumuli 28
108 Reykjavik
Iceland
www.ogvodafone.is

From martinh at SOLID-STATE-LOGIC.COM Wed Feb 4 15:27:17 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:19 2006
Subject: New installation -- and problems i never had
In-Reply-To: <200402041604.02066.mailing-oit@tttech.com>
References: <200402041604.02066.mailing-oit@tttech.com>
Message-ID: <40210F55.30804@solid-state-logic.com>

Christoph Resch wrote:
> Hello,
>
> recently set up another debian-sarge with MS+SA using exim ... the Virus and
> delivery part works fine, but i can't find out how to help SA to do its work
>
> i run testmails with `date` as content and get fine response when parsing it
> on CLI ... so this works , but from within MS it seems that SA is not running
> properly ( i run MS with both debug-options and i get nothing useful on log)
>
> i used packages to install both software , and then ( after this troubles )
> reinstalled all important perl-mod via CPAN ..
>
> i also changed in /usr/sbin/MailScanner the require-argument from 5.005 to
> 5.8.2 .. but thats not the problem
>
> thanks for any suggestions
>
> best regards to all
>
> -c-
>
hi

When you say you see nothing useful in the debug, what do you see? Can you
send the output?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From mailscanner at ecs.soton.ac.uk Wed Feb 4 16:12:13 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: FixMaliciousSubjects is cutting legim Subject lines.
In-Reply-To: <200402041523.i14FNSwQ5906536@cg.c.is>
References: <6.0.1.1.2.20040204093642.08455e48@imap.ecs.soton.ac.uk> <200402041523.i14FNSwQ5906536@cg.c.is>
Message-ID: <6.0.1.1.2.20040204161132.03b42008@imap.ecs.soton.ac.uk>

What is it reducing them to?
I can't see anything in the code snippet that would touch the sample
subject line you gave.

At 15:25 04/02/2004, you wrote:
>Hi Julian.
>
>I have found that the FixMaliciousSubjects sub in SweepContent.pm is cutting
>off non-exploit subject lines. These mails are sent from Lotus Notes server.
>I have not seen this happening when receiving mail from other servers.
>
>Here is a header-snip of one such email:
>
>
>From: yy@yy.is
>In-Reply-To:
>
>Subject: Re: WinCABAS:
> =?iso-8859-1?Q?Bifei=F0averkst=E6=F0i_=C1rna_G=EDslasonar_hf=2C_MV128-02?=
> =?us-ascii?Q?=2E=2E?= =?iso-8859-1?Q?=ED__cabas=2C_G=F3l?=
>To: xx@xx.is
>
>
>I have disabled these three lines in SweepContent.pm to let these subjects
>through, but a more elegant solution would be nice :)
>
># $newsubject =~ s/\s{20,}.*\..{1,4}\s*$//; # Delete file extensions at end
>of filename
># $newsubject =~ s/\s*$//g;
># $newsubject =~ s/\s{20,}//g;
>
>
>
>Thanks in advance !
>
>Sveinn G. Gunnarsson
>UNIX Specialist
>
>Og Vodafone
>Sidumuli 28
>108 Reykjavik
>Iceland
>www.ogvodafone.is

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From sysadmins at ENHTECH.COM Wed Feb 4 16:26:55 2004
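The three substitutions quoted in the FixMaliciousSubjects thread above, transcribed from Perl to Python's re module and run over the quoted header and some constructed subjects; this is an added example, not MailScanner's code and not any poster's. The page does not say which form of the subject the substitutions see, so the decoded header is an assumption, and the rule names and every subject in CONSTRUCTED are made up for illustration.

```python
import re
from email.header import decode_header, make_header

# The three substitutions from the thread, in the order they were quoted.
# The names are labels chosen for this example.
RULES = (
    ("padding then extension", re.compile(r"\s{20,}.*\..{1,4}\s*$")),
    ("trailing whitespace", re.compile(r"\s*$")),
    ("whitespace run", re.compile(r"\s{20,}")),
)

# Header value quoted in the thread, folded as the quoted reply shows it.
QUOTED_SUBJECT = (
    "Re: WinCABAS:\n"
    " =?iso-8859-1?Q?Bifei=F0averkst=E6=F0i_=C1rna_G=EDslasonar_hf=2C_MV128-02?=\n"
    " =?us-ascii?Q?=2E=2E?= =?iso-8859-1?Q?=ED__cabas=2C_G=F3l?="
)


def decode_subject(raw):
    """Unfold a raw Subject value and decode its RFC 2047 encoded words."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", raw)
    return str(make_header(decode_header(unfolded)))


def apply_rules(subject):
    """Apply the substitutions in order; return (result, rules that changed it)."""
    fired = []
    for name, pattern in RULES:
        changed = pattern.sub("", subject)
        if changed != subject:
            fired.append(name)
        subject = changed
    return subject, fired


def longest_whitespace_run(subject):
    """Length of the longest whitespace run; two of the rules need 20 or more."""
    return max((len(m.group()) for m in re.finditer(r"\s+", subject)), default=0)


# Constructed subjects (not taken from any real message).
CONSTRUCTED = {
    # A filename whose real extension is pushed out of view by padding.
    "padded filename": "invoice.txt" + " " * 40 + ".exe",
    # Ordinary prose that happens to follow a long run and end near a dot.
    "padded prose": "Re: report" + " " * 24 + "see section 2.1",
    # A long run with no dot after it: only the run itself is removed.
    "padding only": "weekly" + " " * 25 + "summary",
}

if __name__ == "__main__":
    decoded = decode_subject(QUOTED_SUBJECT)
    print("quoted header:", longest_whitespace_run(decoded), apply_rules(decoded)[1])
    for label, subject in CONSTRUCTED.items():
        print(label, "->", apply_rules(subject))
```

Nothing is cut unless a run of 20 or more whitespace characters is present, so when a subject is truncated the first thing to capture is the exact value the rules were given, before any unfolding or decoding.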
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:19 2006
Subject: Easily Training Spam Assassin?
In-Reply-To: <1075514831.21246.17.camel@jepdesk.projectdesign.com>
References: <0B646CB9C2952C46B0E819F6C42DA5DB19E856@lkl61.ltkalmar.se> <6.0.1.1.2.20040129084433.03e2d220@imap.ecs.soton.ac.uk> <1075514831.21246.17.camel@jepdesk.projectdesign.com>
Message-ID: <6.0.2.0.0.20040204110704.02458520@mail.enhtech.com>

I am trying to work out an ongoing method so that users with any user
agent, whether it be Outlook, or Eudora can easily submit spam/ham to an
account for proper classification. I am so overwhelmed by going through a
mailbox with hundreds of email's and sorting through each message. There
has to be an easier method and I was hoping someone could recommend that
method to me?

Errol Neal

From edu at ICARUS.COM.BR Wed Feb 4 16:38:20 2004
From: edu at ICARUS.COM.BR (Eduardo Andre)
Date: Thu Jan 12 21:22:19 2006
Subject: SpamAssassin Score
In-Reply-To: <6.0.2.0.0.20040204110704.02458520@mail.enhtech.com>
References: <0B646CB9C2952C46B0E819F6C42DA5DB19E856@lkl61.ltkalmar.se> <6.0.1.1.2.20040129084433.03e2d220@imap.ecs.soton.ac.uk> <1075514831.21246.17.camel@jepdesk.projectdesign.com> <6.0.2.0.0.20040204110704.02458520@mail.enhtech.com>
Message-ID: <46352.200.244.152.3.1075912700.squirrel@10.0.1.3>

Hi,

somebody know what options MailScanner use in spamassassin command to
output the score of scannead emails?

Tnx.

Ed.

From jaearick at COLBY.EDU Wed Feb 4 17:06:56 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To: <6.0.1.1.2.20040204093642.08455e48@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <401E656B.16959.13A0CE4@localhost> <6.0.1.1.2.20040202180427.037198c8@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040204093642.08455e48@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

I applied the patch (had to do it by hand, an extra space in
there on the second chunk), uncommented bayes_auto_expire in
spam.assassin.prefs.conf, restarted. No apparent problems.

I just noticed the "autolearn=spam" note in mails tagged as spam
by SA. No mention of this in the docs. What is this about?

Jeff Earickson
Colby College

From raymond at PROLOCATION.NET Wed Feb 4 17:13:30 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To:
Message-ID:

Hi!

> I applied the patch (had to do it by hand, an extra space in
> there on the second chunk), uncommented bayes_auto_expire in
> spam.assassin.prefs.conf, restarted. No apparent problems.
>
> I just noticed the "autolearn=spam" note in mails tagged as spam
> by SA. No mention of this in the docs. What is this about?

Most likely bayes autolearning ? :)

Bye,
Raymond.

From mailscanner at WOGRI.AT Wed Feb 4 17:17:27 2004
From: mailscanner at WOGRI.AT (Wolfgang Hennerbichler)
Date: Thu Jan 12 21:22:19 2006
Subject: (Kaspersky 5) Wrapper Script does not seem to work.
Message-ID: <1075915046.2886.77.camel@judas.stall>

Hi!

I am having heavy troubles using Mailscanner with Kaspersky version 5.0.

I want Mailscanner to start the client portion of kaspersky called
aveclient in version 5. I modified the wrapper-script slightly, and it
seems to work:

This is what the wrapper looks like:

===============================
#!/bin/sh
PackageDir=$1/bin
shift
Scanner=aveclient

ScanOptions="-p /var/run/aveserver -s "

if [ "x$1" = "x-IsItInstalled" ]; then
 [ -x ${PackageDir}/$Scanner ] && exit 0
 exit 1
fi

exec ${PackageDir}/$Scanner $ScanOptions "$@"

===============================================

when I start the wrapper-script like this:
./kavdaemonclient-wrapper /opt/kav/ /SampleVirus.exe

i get:

/SampleVirus.exe
INFECTED
LINFECTED I-Worm.Swen

so I assume this works. Also the return code is other than zero:
 ./kavdaemonclient-wrapper /opt/kav/ /SampleVirus.exe > /dev/null && echo asfd

returns nothing, as it should.

The Problem is, that when Mailscanner starts this script, mailscanner never
detects any virus, although it SURELY starts the wrapper script (i tried this
with using a touch /tmp/asdf command just before the exec-part). Doesn't
Mailscanner look at the return-code of the program? Due to which criteria does
mailscanner decide that the object is a virus? I just don't know a solution.

Thank you for help!

wogri

--
wogri@wogri.at
http://www.wogri.at
--
wogri@wogri.at
http://www.wogri.at

From martinh at SOLID-STATE-LOGIC.COM Wed Feb 4 18:31:35 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:19 2006
Subject: New installation -- and problems i never had
In-Reply-To: <200402041704.38202.mailing-oit@tttech.com>
References: <200402041604.02066.mailing-oit@tttech.com> <200402041636.00869.mailing-oit@tttech.com> <402112F8.5070001@solid-state-logic.com> <200402041704.38202.mailing-oit@tttech.com>
Message-ID: <1202.81.86.182.54.1075919495.squirrel@mail.solid-state-logic.com>

>> MailScanner.conf. I get lot more info about the SA setup when I set
>> that...
>
> ;-) thats exactly my problem .. and absolutely no idea why .. shouldnt it
> look
> like the -D output of spamassassin
>
> I attached my config also .. but i think its in the modules within
> MS= 4.25.14-3
> SA= 2.63
>
>
> -c-
>
> Log Spam = no

Try changing that to yes..

the output when using debug (in my case) drops to the terminal, rather
than syslog, so it would be good to get a dump from that too..

Also how did you install SA? from the RPM's or from CPAN. If you installed
from the RPM's do it from CPAN instead, that way you know you have all the
dependencies.

It's also worth checking that all the MailScanner perl modules are
installed as well, again CPAN is useful in this and better than the RPM's.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From test at NEXTMILL.NET Wed Feb 4 18:40:15 2004
From: test at NEXTMILL.NET (Brian Lewis)
Date: Thu Jan 12 21:22:19 2006
Subject: Announce: MailWatch for MailScanner 0.5
Message-ID:

Fedora Core 1
MailWatch .5

Perl-DBD-mysql-2.9002-1.i386.rpm does this:

Feb 4 10:14:51 mailcheck MailScanner[4329]: Database ping failure attempting to re-connect
Feb 4 10:14:51 mailcheck MailScanner[4266]: Cannot insert row: MySQL server has gone away

So I tried using Perl-DBD-mysql-2.1028 and it just pauses on the
MailScanner[xxxxx]: Initialising database connection
line for about 4 seconds and then continues thru, nothing gets delivered.
Nothing is logged to the Mysql Database.

Mailscanner/Mailwatch web interface accesses database fine

New database setup, using root username and a root password,
/usr/lib/MailScanner/MailScanner/Mailwatch.pm has correct root
username/pw/localhost settings

Any advice or troubleshooting techniques would be greatly appreciated

From mkettler at EVI-INC.COM Wed Feb 4 16:46:41 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:19 2006
Subject: Easily Training Spam Assassin?
In-Reply-To: <6.0.2.0.0.20040204110704.02458520@mail.enhtech.com>
References: <0B646CB9C2952C46B0E819F6C42DA5DB19E856@lkl61.ltkalmar.se> <6.0.1.1.2.20040129084433.03e2d220@imap.ecs.soton.ac.uk> <1075514831.21246.17.camel@jepdesk.projectdesign.com> <6.0.2.0.0.20040204110704.02458520@mail.enhtech.com>
Message-ID: <6.0.0.22.0.20040204114321.02617a00@xanadu.evi-inc.com>

At 11:26 AM 2/4/2004, Admin Team wrote:
>I am trying to work out an ongoing method so that users with any user
>agent, whether it be Outlook, or Eudora can easily submit spam/ham to an
>account for proper classification. I am so overwhelmed by going through a
>mailbox with hundreds of email's and sorting through each message. There
>has to be an easier method and I was hoping someone could recommend that
>method to me?

The best recommendation I've heard is to have users forward their spam/ham
as an attachment with COMPLETE headers. Then set up an account, ie:
spam_training27@evi-inc.com, and use procmail or some other system to
automatically strip off attachments to the address and feed em to sa-learn.

However, this will only work if your users mailclient is capable of
forwarding as an attachment with complete headers... normal forwards with
inline text won't work.

I'd be VERY careful about training mail that has damaged headers.. SA
learns a lot from the headers..

From mkettler at EVI-INC.COM Wed Feb 4 16:49:14 2004
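The forward-as-attachment training flow described in the "Easily Training Spam Assassin?" reply above, sketched in Python as an added example; it is not code from any poster or from MailScanner. Assumptions: the delivery agent pipes each report to the script with "spam" or "ham" as its argument, a message counts as complete only if it still carries the headers in REQUIRED_HEADERS, sa-learn is given the message on standard input, and every address and message in constructed_report() is made up.

```python
import email
import subprocess
import sys
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Assumption: headers an attachment must still carry to count as complete.
REQUIRED_HEADERS = ("Received", "From", "Date")
SA_LEARN_FLAG = {"spam": "--spam", "ham": "--ham"}


def attached_messages(part):
    """Yield each message/rfc822 attachment without descending into it."""
    if part.get_content_type() == "message/rfc822":
        payload = part.get_payload()
        if isinstance(payload, list) and payload:
            yield payload[0]
        return
    if part.is_multipart():
        for sub in part.get_payload():
            yield from attached_messages(sub)


def split_report(raw):
    """Return (trainable message bytes, reasons for everything skipped)."""
    report = email.message_from_bytes(raw)
    trainable, rejected = [], []
    for inner in attached_messages(report):
        missing = [h for h in REQUIRED_HEADERS if inner.get(h) is None]
        if missing:
            rejected.append("attachment lacks " + ", ".join(missing))
        else:
            trainable.append(inner.as_bytes())
    if not trainable and not rejected:
        rejected.append("no message/rfc822 attachment (inline forward?)")
    return trainable, rejected


def train(raw, kind, run=subprocess.run):
    """Pipe every trainable attachment to sa-learn; return how many were fed."""
    argv = ["sa-learn", SA_LEARN_FLAG[kind]]
    trainable, rejected = split_report(raw)
    for reason in rejected:
        print("skipped:", reason, file=sys.stderr)
    for message in trainable:
        run(argv, input=message, check=True)
    return len(trainable)


def constructed_report():
    """Constructed sample: one complete attachment, one with headers lost."""
    complete = email.message_from_bytes(
        b"Received: from mail.example.net ([192.0.2.10]) by mx.example.org;\n"
        b"\tWed, 4 Feb 2004 16:00:00 +0000\n"
        b"From: offers@example.net\nTo: user@example.org\n"
        b"Date: Wed, 4 Feb 2004 15:59:58 +0000\n"
        b"Subject: constructed spam sample\n\nBuy now.\n")
    stripped = email.message_from_bytes(
        b"Subject: constructed sample, headers lost\n\nBuy now.\n")
    report = MIMEMultipart()
    report["From"] = "user@example.org"
    report["To"] = "spam-training@example.org"
    report["Subject"] = "Fwd: spam"
    report.attach(MIMEText("Two reports attached."))
    report.attach(MIMEMessage(complete))
    report.attach(MIMEMessage(stripped))
    return report.as_bytes()


if __name__ == "__main__":
    # The report arrives on stdin; argv[1] is "spam" or "ham".
    sys.exit(0 if train(sys.stdin.buffer.read(), sys.argv[1]) else 1)
```

An inline forward produces no message/rfc822 part, so it is reported and skipped rather than learned with the forwarding user's headers in place of the original ones.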
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:19 2006
Subject: SpamAssassin Score
In-Reply-To: <46352.200.244.152.3.1075912700.squirrel@10.0.1.3>
References: <0B646CB9C2952C46B0E819F6C42DA5DB19E856@lkl61.ltkalmar.se> <6.0.1.1.2.20040129084433.03e2d220@imap.ecs.soton.ac.uk> <1075514831.21246.17.camel@jepdesk.projectdesign.com> <6.0.2.0.0.20040204110704.02458520@mail.enhtech.com> <46352.200.244.152.3.1075912700.squirrel@10.0.1.3>
Message-ID: <6.0.0.22.0.20040204114724.027f8e48@xanadu.evi-inc.com>

At 11:38 AM 2/4/2004, you wrote:
>somebody know what options MailScanner use in spamassassin command to
>output the score of scannead emails?

Your English is a bit rough, so it's tough for me to understand exactly
what you're asking.

It looks like you're wondering what options MailScanner passes to
spamassassin.

It doesn't. MailScanner doesn't use the spamassassin command-line.. it
directly loads the perl API and calls that.

From mailscanner at ecs.soton.ac.uk Wed Feb 4 18:55:31 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: (Kaspersky 5) Wrapper Script does not seem to work.
In-Reply-To: <1075915046.2886.77.camel@judas.stall>
References: <1075915046.2886.77.camel@judas.stall>
Message-ID: <6.0.1.1.2.20040204185443.037b79b0@imap.ecs.soton.ac.uk>

At 17:17 04/02/2004, you wrote:
>Hi!
>
>I am having heavy troubles using Mailscanner with Kaspersky version 5.0.
>
>I want Mailscanner to start the client portion of kaspersky called
>aveclient in version 5. I modified the wrapper-script slightly, and it
>seems to work:
>
>This is what the wrapper looks like:
>
>===============================
>#!/bin/sh
>PackageDir=$1/bin
>shift
>Scanner=aveclient
>
>ScanOptions="-p /var/run/aveserver -s "
>
>if [ "x$1" = "x-IsItInstalled" ]; then
> [ -x ${PackageDir}/$Scanner ] && exit 0
> exit 1
>fi
>
>exec ${PackageDir}/$Scanner $ScanOptions "$@"
>
>===============================================
>
>
>when I start the wrapper-script like this: ./kavdaemonclient-wrapper
>/opt/kav/ /SampleVirus.exe
>
>i get:
>
>/SampleVirus.exe
>INFECTED
>LINFECTED I-Worm.Swen
>
>so I assume this works. Also the return code is other than zero:
> ./kavdaemonclient-wrapper /opt/kav/ /SampleVirus.exe > /dev/null && echo
> asfd
>
>returns nothing, as it should.
>
>The Problem is, that when Mailscanner starts this script, mailscanner never
>detects any virus, although it SURELY starts the wrapper script (i tried this
>with using a touch /tmp/asdf command just before the exec-part). Doesn't
>Mailscanner look at the return-code of the program?

No. That only tells it that it found a virus somewhere. It scans lots of
messages at once, and parses the output of the virus scanner.

> Due to which criteria does
>mailscanner decide that the object is a virus? I just don't know a solution.
>
>Thank you for help!
>
>wogri
>
>--
>wogri@wogri.at
>http://www.wogri.at
>--
>wogri@wogri.at
>http://www.wogri.at

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 4 18:53:53 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040204185322.03763bf8@imap.ecs.soton.ac.uk>

At 17:13 04/02/2004, you wrote:
>Hi!
>
> > I applied the patch (had to do it by hand, an extra space in
> > there on the second chunk), uncommented bayes_auto_expire in
> > spam.assassin.prefs.conf, restarted. No apparent problems.
> >
> > I just noticed the "autolearn=spam" note in mails tagged as spam
> > by SA. No mention of this in the docs. What is this about?
>
>Most likely bayes autolearning ? :)

Someone wanted notification of when a message was auto-learned, so they got it.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jflowers at EZO.NET Wed Feb 4 19:08:12 2004
From: jflowers at EZO.NET (Jim Flowers)
Date: Thu Jan 12 21:22:19 2006
Subject: Redirecting multiple domains to multiple mail servers
Message-ID: <20040204190812.M93179@ezo.net>

Assuming sendmail for your outbound transport, there are seemingly endless
possibilities. Perhaps the simplest all-in-one method is to use mailertable
entries:

domain1.com server1.whatever.com
domain2.com server6.whatever.com
domainsoandso.com server2.whatever.com
domainwhatnot.com [192.168.0.101]

Note that you can avoid some potential dns looping problems by using ip
addresses and including them in the brackets [] to prevent lookups.

If you anticipate multiple fqdn (including host portion) then you may also
want to include:

.domain1.com server1.whatever.com
.domain2.com server6.whatever.com
.domainsoandso.com server2.whatever.com
.domainwhatnot.com [192.168.0.101]

You will also have to identify these as acceptable domains using a
relay-domains table or, if you prefer, virtual-domains after adding
VIRTUSER_DOMAIN_FILE(`/etc/mail/virtual-domains') to your mc file. You
DON'T want to identify them as local.

The access file can still be used in all its glory but you can't use
virtusertable to reroute individual users as mailertable bypasses that.

With a relay, using access to validate real users and reject all others is
probably a good idea but can be tedious if you have many users (say more
than 100).

If routing user1@domain1.com to one mail server and user2@domain1.com to a
different mail server is needed there are better approaches using
virtusertable or aliases.

original message -----------------------------------------

domain1.com ----> server1.whatever.com
domain2.com ----> server6.whatever.com
domainsoandso.com ----> server2.whatever.com
domainwhatnot.com ----> 192.168.0.101

--
Jim Flowers

From campbell at CNPAPERS.COM Wed Feb 4 19:11:45 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
Message-ID: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net>

I upgraded to the latest greatest on Monday. I noticed the listing about
having to whitelist this mailing list today and thought nothing of it, as I
have always received the mailings from this list.

I upgraded MailWatch today, and was watching the screen go by, and noticed
that this list was flagged as spam. So I looked at the headers and sure
enough, there is an "autolearn" component in the header. After going back to
when the upgrade of MS took place and reviewing some of those headers, they
too have "autolearn". Now I'm not getting any mail at all.

I checked my MailScanner.conf and it has the following in it:

SpamAssassin Auto Whitelist = no

So now I'm lost. And I also don't know if I'll ever hear from you again.

Is there some new function in the new MS that turns this on, related to
something else?

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From campbell at CNPAPERS.COM Wed Feb 4 19:15:40 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
Message-ID: <004b01c3eb53$472f4900$5001a8c0@cnpapers.net>

After whitelisting this mail list, I am now receiving from you all again, so
maybe I will hear from you again.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From hermit921 at YAHOO.COM Wed Feb 4 19:18:08 2004
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:22:19 2006
Subject: untagged messages
In-Reply-To:
References:
Message-ID: <6.0.0.22.2.20040204104406.01e4a2b8@pop.mail.yahoo.com>

I am still trying to figure out why some messages don't get tagged by
MailScanner 4-23, postfix 2. Every email should get tagged with at least
one MailScanner header, but some don't.

I came up with an idea. Is this feasible:
Spammer sets up his client to use our mail server as his smtp
gateway. Should work for any message addressed to a user in our domain,
but he can't send mail outside. So spammer addresses a message to
usera@mydomain, with CC or BCC to userb, userc, userd, etc. Now I get
fuzzy....

One message appears here, postfix dumps it in the hold queue. Postfix
splits it up at the same time, so only the original message gets the
MailScanner headers. Since I can't track the original, I can't verify the
presence of headers.

Am I way off?

From acschmitt at BPA.GOV Wed Feb 4 19:42:31 2004
From: acschmitt at BPA.GOV (Schmitt, Andy C - CIDD-2)
Date: Thu Jan 12 21:22:19 2006
Subject: untagged messages
Message-ID: <242663BECAD80B4DAAF2E62788F96917044F3401@exhq01.bud.bpa.gov>

This may be completely off base, since I don't know if you already posted
your network config, but are you delivering directly to Unix accounts
after MailScanner, or forwarding on to an Exchange box on an internal
network?

The reason why I ask is that here, we use MS Exchange for internal mail,
and it seems like headers get replaced at random times by the words
"Microsoft Mail Internet Headers 2.0" followed by a sanitized version of
headers, which still shows the server route, but nothing useful such as
MailScanner headers. I've heard vague rumors as to why this happens, but
have not heard of anyone being able to fix it.

-----Original Message-----
From: hermit921 [mailto:hermit921@YAHOO.COM]
Sent: Wednesday, February 04, 2004 11:18 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: untagged messages

I am still trying to figure out why some messages don't get tagged by
MailScanner 4-23, postfix 2. Every email should get tagged with at least
one MailScanner header, but some don't.

I came up with an idea. Is this feasible:
Spammer sets up his client to use our mail server as his smtp
gateway. Should work for any message addressed to a user in our domain,
but he can't send mail outside. So spammer addresses a message to
usera@mydomain, with CC or BCC to userb, userc, userd, etc. Now I get
fuzzy....

One message appears here, postfix dumps it in the hold queue. Postfix
splits it up at the same time, so only the original message gets the
MailScanner headers. Since I can't track the original, I can't verify the
presence of headers.

Am I way off?

From mailscanner at ecs.soton.ac.uk Wed Feb 4 21:31:34 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
In-Reply-To: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net>
References: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20040204213109.03d1b320@imap.ecs.soton.ac.uk>

At 19:11 04/02/2004, you wrote:
>I upgraded to the latest greatest on Monday. I noticed the listing about
>having to whitelist this mailing list today and thought nothing of it, as I
>have always received the mailings from this list.
>
>I upgraded MailWatch today, and was watching the screen go by, and noticed
>that this list was flagged as spam. So I looked at the headers and sure
>enough, there is an "autolearn" component in the header. After going back to
>when the upgrade of MS took place and reviewing some of those headers, they
>too have "autolearn". Now I'm not getting any mail at all.
>
>I checked my MailScanner.conf and it has the following in it:
>
>SpamAssassin Auto Whitelist = no

Autolearn is related to the Bayes engine, it's nothing to do with
auto-whitelisting.

>So now I'm lost. And I also don't know if I'll ever hear from you again.
>
>Is there some new function in the new MS that turns this on, related to
>something else?
>
>
>
>Steve Campbell
>campbell@cnpapers.com
>Charleston Newspapers

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From campbell at CNPAPERS.COM Wed Feb 4 21:18:06 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
Message-ID: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>

Mr. Field,

Can you explain what you mean by your reply to the reference to the
autolearn=spam

"Someone wanted notification of when a message was auto-learned, so they got
it."

This is causing quite a problem here and I do not know where it's coming
from or how to stop it. Is this related anyway to MailWatch. And I also
haven't noticed any material to read.

Please and thank you.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From hermit921 at yahoo.com Wed Feb 4 20:06:33 2004
From: hermit921 at yahoo.com (hermit921)
Date: Thu Jan 12 21:22:19 2006
Subject: untagged messages
In-Reply-To: <242663BECAD80B4DAAF2E62788F96917044F3401@exhq01.bud.bpa.go v>
References: <242663BECAD80B4DAAF2E62788F96917044F3401@exhq01.bud.bpa.gov>
Message-ID: <6.0.0.22.2.20040204120547.01e66e88@pop.mail.yahoo.com>

Postfix sends mail on to our internal mail server running sendmail on unix.

hermit921

At 11:42 AM 2/4/2004, you wrote:
>This may be completely off base, since I don't know if you already posted
>your network config, but are you delivering directly to Unix accounts
>after MailScanner, or forwarding on to an Exchange box on an internal network?
>
>The reason why I ask is that here, we use MS Exchange for internal mail,
>and it seems like headers get replaced at random times by the words
>"Microsoft Mail Internet Headers 2.0" followed by a sanitized version of
>headers, which still shows the server route, but nothing useful such as
>MailScanner headers. I've heard vague rumors as to why this happens, but
>have not heard of anyone being able to fix it.
>
>
>-----Original Message-----
>From: hermit921 [mailto:hermit921@YAHOO.COM]
>Sent: Wednesday, February 04, 2004 11:18 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: untagged messages
>
>
>I am still trying to figure out why some messages don't get tagged by
>MailScanner 4-23, postfix 2. Every email should get tagged with at least
>one MailScanner header, but some don't.
>
>I came up with an idea. Is this feasible:
>Spammer sets up his client to use our mail server as his smtp
>gateway. Should work for any message addressed to a user in our domain,
>but he can't send mail outside. So spammer addresses a message to
>usera@mydomain, with CC or BCC to userb, userc, userd, etc. Now I get
>fuzzy....
>
>One message appears here, postfix dumps it in the hold queue. Postfix
>splits it up at the same time, so only the original message gets the
>MailScanner headers. Since I can't track the original, I can't verify the
>presence of headers.
>
>Am I way off?

From jflowers at EZO.NET Wed Feb 4 20:06:58 2004
From: jflowers at EZO.NET (Jim Flowers)
Date: Thu Jan 12 21:22:19 2006
Subject: Mailscanner & Freebsd
Message-ID: <20040204200659.M8361@ezo.net>

You would probably have much better luck installing the FreeBSD port (which
is where mta.sh and mailscanner.sh come from) instead of the method in
INSTALL.FreeBSD. It puts things in the usual FreeBSD places and uses
traditional FreeBSD methods as well as installing any depends that are
needed.

The port maintainer may be a few versions behind (4.26.4) because MS is
evolving so rapidly. Not to worry. Just download the latest version
(MailScanner-4.26.7-1.tar.gz) to /usr/ports/distfiles and run

md5 MailScanner-4.26.7-1.tar.gz

to give you the line to update the port distinfo and edit the Makefile to
include:

PORTVERSION= 4.26.7
DISTNAME= MailScanner-4.26.7
DISTFILES= MailScanner-4.26.7-1.tar.gz

and run make; make install.

Some details in the FreeBSD README file.

--
Jim Flowers

From mailscanner at ecs.soton.ac.uk Wed Feb 4 21:57:52 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>
References: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20040204215641.03cf3690@imap.ecs.soton.ac.uk>

At 21:18 04/02/2004, you wrote:
>Mr. Field,
>
>Can you explain what you mean by your reply to the reference to the
>autolearn=spam

It's merely an indication that the message was autolearned by the Bayes
database as being ham or spam.

>"Someone wanted notification of when a message was auto-learned, so they got
>it."
>
>This is causing quite a problem here and I do not know where it's coming
>from or how to stop it.

Why is it a problem? I don't understand. It's just a little notification,
it wasn't intended to cause any problems for anyone.

> Is this related anyway to MailWatch.

No.

> And I also
>haven't noticed any material to read.
>
>Please and thank you.
>
>Steve Campbell
>campbell@cnpapers.com
>Charleston Newspapers

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 4 22:07:32 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>
References: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20040204220627.0453f608@imap.ecs.soton.ac.uk>

Feel free to comment out line 437 of SA.pm if you don't like it. It just
says this:

    $longHitList .= ", autolearn=$AutoLearn" unless $AutoLearn eq 'no';

At 21:18 04/02/2004, you wrote:
>Mr. Field,
>
>Can you explain what you mean by your reply to the reference to the
>autolearn=spam
>
>"Someone wanted notification of when a message was auto-learned, so they got
>it."
>
>This is causing quite a problem here and I do not know where it's coming
>from or how to stop it. Is this related anyway to MailWatch. And I also
>haven't noticed any material to read.
>
>Please and thank you.
>
>Steve Campbell
>campbell@cnpapers.com
>Charleston Newspapers

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From campbell at CNPAPERS.COM Wed Feb 4 21:54:18 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
References: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net> <6.0.1.1.2.20040204213109.03d1b320@imap.ecs.soton.ac.uk>
Message-ID: <00c601c3eb69$70d4e600$5001a8c0@cnpapers.net>

Mr. Field,

OK, my mistake. Total confusion here on my part.

Thanks for the quick answer. Do you have any ideas though on why the list
began catching a high bayes score. Do I need to "refresh" my Bayes files
(relearn or something)? Almost everything is receiving high Bayesian
probabilities. Seems like a SA problem, but I haven't changed that for a
while.

Thanks and sorry for the extra effort I caused.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers


----- Original Message -----
From: "Julian Field"
To:
Sent: Wednesday, February 04, 2004 4:31 PM
Subject: Re: Upgrade Autolearn problems


> At 19:11 04/02/2004, you wrote:
> >I upgraded to the latest greatest on Monday. I noticed the listing about
> >having to whitelist this mailing list today and thought nothing of it, as I
> >have always received the mailings from this list.
> >
> >I upgraded MailWatch today, and was watching the screen go by, and noticed
> >that this list was flagged as spam. So I looked at the headers and sure
> >enough, there is an "autolearn" component in the header. After going back to
> >when the upgrade of MS took place and reviewing some of those headers, they
> >too have "autolearn". Now I'm not getting any mail at all.
> >
> >I checked my MailScanner.conf and it has the following in it:
> >
> >SpamAssassin Auto Whitelist = no
> >
> Autolearn is related to the Bayes engine, it's nothing to do with
> auto-whitelisting.
> >
> >So now I'm lost. And I also don't know if I'll ever hear from you again.
> >
> >Is there some new function in the new MS that turns this on, related to
> >something else?
> >
> >
> >
> >Steve Campbell
> >campbell@cnpapers.com
> >Charleston Newspapers
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jaearick at COLBY.EDU Wed Feb 4 21:53:25 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>
References: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>
Message-ID:

Y'all,

I'm running 4.26.8 with the following settings on Solaris 9, with no
problems due to the bayes autolearn (but I'm worried because of your tale
of woe):

* SpamAssassin Auto Whitelist = no
* the patch to SA.pm that Julian put out this morning
* uncommented "bayes_auto_expire 0" in spam.assassin.prefs.conf, per
  Julian's patch instructions this morning.
* I have the auto_whitelist_path defined in this file, but there is no
  whitelist file in /var/spool/spamassassin. I wouldn't expect there to be.
  I ran auto-whitelist once in the past, but it was such a pig that I
  turned it off, per Julian's advice.

Do you have gobs of lock and/or expire files in /var/spool/spamassassin?
What OS are you running on? Have you disabled any force-expire or
force-rebuild in your ham/spam autolearn script?

I've checked my spamassassin tagging numbers for today, both regular and
high-test spam, and my numbers look about right. If everything was getting
tagged as spam my phone would be ringing.

Jeff Earickson
Colby College

PS. Note to Southerners on this list. Please don't be offended by my
"Y'all" greeting that I sometimes use in my emails. Having lived in
Mississippi and Alabama for many years, I have concluded that this pronoun
is one of the South's great contributions to the English language. I once
had an HP software engineer in Atlanta blow up because he thought my emails
were poking fun at the Southern dialect (I live in Maine now). It was a
total misunderstanding on his part and I hope not to repeat it. Now if the
Queen would only use "Y'all", the revival of second-person plural in
English would be complete.

On Wed, 4 Feb 2004, Stephe Campbell wrote:

> Date: Wed, 4 Feb 2004 16:18:06 -0500
> From: Stephe Campbell
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Fix for bayes rebuild bug on Solaris
>
> Mr. Field,
>
> Can you explain what you mean by your reply to the reference to the
> autolearn=spam
>
> "Someone wanted notification of when a message was auto-learned, so they got
> it."
>
> This is causing quite a problem here and I do not know where it's coming
> from or how to stop it. Is this related anyway to MailWatch. And I also
> haven't noticed any material to read.
>
> Please and thank you.
>
> Steve Campbell
> campbell@cnpapers.com
> Charleston Newspapers
>

From mailscanner at ecs.soton.ac.uk Wed Feb 4 22:28:10 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
In-Reply-To: <00c601c3eb69$70d4e600$5001a8c0@cnpapers.net>
References: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net> <6.0.1.1.2.20040204213109.03d1b320@imap.ecs.soton.ac.uk> <00c601c3eb69$70d4e600$5001a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20040204222736.0414fed0@imap.ecs.soton.ac.uk>

It's possible your Bayes database has been poisoned beyond recovery :-(
No ideas otherwise, I'm afraid.

At 21:54 04/02/2004, you wrote:
>Mr. Field,
>
>OK, my mistake. Total confusion here on my part.
>
>Thanks for the quick answer. Do you have any ideas though on why the list
>began catching a high bayes score. Do I need to "refresh" my Bayes files
>(relearn or something)? Almost everything is receiving high Bayesian
>probabilities. Seems like a SA problem, but I haven't changed that for a
>while.
>
>Thanks and sorry for the extra effort I caused.
>
>Steve Campbell
>campbell@cnpapers.com
>Charleston Newspapers
>
>
>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: Wednesday, February 04, 2004 4:31 PM
>Subject: Re: Upgrade Autolearn problems
>
>
> > At 19:11 04/02/2004, you wrote:
> > >I upgraded to the latest greatest on Monday. I noticed the listing about
> > >having to whitelist this mailing list today and thought nothing of it, as
>I
> > >have always received the mailings from this list.
> > >
> > >I upgraded MailWatch today, and was watching the screen go by, and
>noticed
> > >that this list was flagged as spam. So I looked at the headers and sure
> > >enough, there is an "autolearn" component in the header. After going back
>to
> > >when the upgrade of MS took place and reviewing some of those headers,
>they
> > >too have "autolearn". Now I'm not getting any mail at all.
> > >
> > >I checked my MailScanner.conf and it has the following in it:
> > >
> > >SpamAssassin Auto Whitelist = no
> >
> > Autolearn is related to the Bayes engine, it's nothing to do with
> > auto-whitelisting.
> >
> >
> > >So now I'm lost. And I also don't know if I'll ever hear from you again.
> > >
> > >Is there some new function in the new MS that turns this on, related to
> > >something else?
> > >
> > >
> > >
> > >Steve Campbell
> > >campbell@cnpapers.com
> > >Charleston Newspapers
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at WOGRI.AT Thu Feb 5 07:18:38 2004
From: mailscanner at WOGRI.AT (Wolfgang Hennerbichler)
Date: Thu Jan 12 21:22:19 2006
Subject: (Kaspersky 5) Wrapper Script does not seem to work.
In-Reply-To: <6.0.1.1.2.20040204185443.037b79b0@imap.ecs.soton.ac.uk>
References: <1075915046.2886.77.camel@judas.stall> <6.0.1.1.2.20040204185443.037b79b0@imap.ecs.soton.ac.uk>
Message-ID: <1075965518.2885.95.camel@judas.stall>

On Wed, 2004-02-04 at 19:55, Julian Field wrote:

> >The Problem is, that when Mailscanner starts this script, mailscanner never
> >detects any virus, although it SURELY starts the wrapper script (i tried this
> >with using a touch /tmp/asdf command just before the exec-part). Doesn't
> >Mailscanner look at the return-code of the program?
>
> No. That only tells it that it found a virus somewhere. It scans lots of
> messages at once, and parses the output of the virus scanner.

Ah. Sounds logical. So I guess the only chance I have is to upgrade
Mailscanner (I have a debian-box, on which this scenario (without the
daemons, but I read what Julian thinks about virus-scanner daemons) works
perfectly, and mailscanner is in a new version).

Hm... I wonder, if I upgrade this box (it is a SuSE 7.2), rpm behaves as
.deb, and does not overwrite my config-files, or asks to overwrite. I
don't have much experience with rpms.

Thank you, Julian
wogri

--
wogri@wogri.at
http://www.wogri.at

From campbell at CNPAPERS.COM Wed Feb 4 23:04:34 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
References: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net> <6.0.1.1.2.20040204213109.03d1b320@imap.ecs.soton.ac.uk> <00c601c3eb69$70d4e600$5001a8c0@cnpapers.net> <6.0.1.1.2.20040204222736.0414fed0@imap.ecs.soton.ac.uk>
Message-ID: <001d01c3eb73$419ed300$5001a8c0@cnpapers.net>

Mr. Field:

Looks like a pretty good idea to me. Mail is flowing again after I deleted
my Bayes files.

Now that I've had experience with this and know a little about what I'm
thinking, will the new expiry (Rebuild Bayes Every) function in MS
generally take care of this?

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Julian Field"
To:
Sent: Wednesday, February 04, 2004 5:28 PM
Subject: Re: Upgrade Autolearn problems


> It's possible your Bayes database has been poisoned beyond recovery :-(
> No ideas otherwise, I'm afraid.
>
> At 21:54 04/02/2004, you wrote:
> >Mr. Field,
> >
> >OK, my mistake. Total confusion here on my part.
> >
> >Thanks for the quick answer. Do you have any ideas though on why the list
> >began catching a high bayes score. Do I need to "refresh" my Bayes files
> >(relearn or something)? Almost everything is receiving high Bayesian
> >probabilities. Seems like a SA problem, but I haven't changed that for a
> >while.
> >
> >Thanks and sorry for the extra effort I caused.
> >
> >Steve Campbell
> >campbell@cnpapers.com
> >Charleston Newspapers
> >
> >
> >----- Original Message -----
> >From: "Julian Field"
> >To:
> >Sent: Wednesday, February 04, 2004 4:31 PM
> >Subject: Re: Upgrade Autolearn problems
> >
> >
> > > At 19:11 04/02/2004, you wrote:
> > > >I upgraded to the latest greatest on Monday. I noticed the listing about
> > > >having to whitelist this mailing list today and thought nothing of it, as
> >I
> > > >have always received the mailings from this list.
> > > >
> > > >I upgraded MailWatch today, and was watching the screen go by, and
> >noticed
> > > >that this list was flagged as spam. So I looked at the headers and sure
> > > >enough, there is an "autolearn" component in the header. After going back
> >to
> > > >when the upgrade of MS took place and reviewing some of those headers,
> >they
> > > >too have "autolearn". Now I'm not getting any mail at all.
> > > >
> > > >I checked my MailScanner.conf and it has the following in it:
> > > >
> > > >SpamAssassin Auto Whitelist = no
> > >
> > > Autolearn is related to the Bayes engine, it's nothing to do with
> > > auto-whitelisting.
> > >
> > >
> > > >So now I'm lost. And I also don't know if I'll ever hear from you again.
> > > >
> > > >Is there some new function in the new MS that turns this on, related to
> > > >something else?
> > > >
> > > >
> > > >
> > > >Steve Campbell
> > > >campbell@cnpapers.com
> > > >Charleston Newspapers
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > Professional Support Services at www.MailScanner.biz
> > > MailScanner thanks transtec Computers for their support
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From frmitchell at BROOKES.AC.UK Wed Feb 4 23:05:47 2004
From: frmitchell at BROOKES.AC.UK (Faye Mitchell)
Date: Thu Jan 12 21:22:19 2006
Subject: Debian wierdness
Message-ID: <40217ACB.28029.5860BD9@localhost>

Hi,

Just curious (and hopeful) - has any other debian user experienced
this?

Mailscanner/exim/SpamAssassin combo working perfectly (although
struggling a little under MyDoom :-) ) on my little debian box. Next day,
Mailscanner is pointblankly refusing to copy messages from the
incoming exim mail spool to the outgoing one. The previous evening I
installed routed and I noticed dselect picked up some security updates
for perl modules. Apart from that, no change to the box or to any of the
config files.

I tried putting Mailscanner into debug mode, but all mailscanner is
saying is that it's starting and then no more logs from Mailscanner. It's
still happily running as witnessed by top, and kicking in and out as it
should - it's just not doing anything :-(. I tried putting the AV to none
(thinking that maybe Sophos was causing the problem), but still no joy :-(

I tried doing a debug run and it seemed to be trying to start up SA
(despite the Spam Checks config option being set to no - for a variety
of reasons (primarily performance related) I want exim to do the Spam
checks, not MailScanner) and getting nowhere. I altered the config file
so that use SpamAssassin was set to no, and commented out the lines
in the mail MailScanner prog that initialised it to be on the safe side.

And now it starts working.

Has anybody else experienced this and knows why it behaved the way
it did? I've got the thing working, but I'd kind of like to know why it
stopped working in the first place!

TTFN

Faye


--
-=+=-
Faye Mitchell, Senior Lecturer,
Department of Computing,
Oxford Brookes University
email frmitchell@brookes.ac.uk
WWW http://wwwcms.brookes.ac.uk/~p0072371/
PGP public Key @
http://macallan.brookes.ac.uk/Personal/pgp/dr.f.mitchell.asc
Tel. Work +44 1865 48 4544
Disclaimer: The views represented here, should in no way be taken to
be the opinion or views of Oxford Brookes University.
-=+=-

Thought for the day:
Light? Heck I can't even see the tunnel!

From peter at UCGBOOK.COM Wed Feb 4 23:07:36 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
In-Reply-To: <001d01c3eb73$419ed300$5001a8c0@cnpapers.net>
References: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net> <6.0.1.1.2.20040204213109.03d1b320@imap.ecs.soton.ac.uk> <00c601c3eb69$70d4e600$5001a8c0@cnpapers.net> <6.0.1.1.2.20040204222736.0414fed0@imap.ecs.soton.ac.uk> <001d01c3eb73$419ed300$5001a8c0@cnpapers.net>
Message-ID: <40217B38.3020604@ucgbook.com>

Stephe Campbell wrote:
> Now that I've had experience with this and know a little about what I'm
> thinking, will the new expiry (Rebuild Bayes Every) function in MS generally
> take care of this?

The rebuild will sync new tokens into the main db and the expire will
flush old tokens out. It seems that SA is unable to do this itself in
many cases. It can help with SA timeouts but it will not help against
Bayes poisoning.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From rzewnickie at RFA.ORG Wed Feb 4 23:34:03 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:19 2006
Subject: Debian wierdness
In-Reply-To: <40217ACB.28029.5860BD9@localhost>
References: <40217ACB.28029.5860BD9@localhost>
Message-ID: <20040204233403.GI6691@rfa.org>

We also had issues around the time we did the perl update. I couldn't
exactly pin it down to being related vs. just a coincidence. But, in our
case the bayes database seemed to have gotten corrupted somehow around the
time of the upgrade. Again, I'm not certain it's related, but I have not
had any other issues with the bayes database previously.

After I moved the existing bayes_* files aside everything was fine ... I
retrained bayes with my saved corpus of ~1000 known spam and several
thousand more site specific known ham.

-Eric Rz.

[OT] PS We have this line in our crontab to check for new packages every
night:

05 5 * * * root apt-get -qq update && apt-get -dqq upgrade && apt-get -sqq upgrade

It checks for and downloads updated packages, but does not install them.
When there are new packages root gets an email. Another good thing is to
subscribe to the debian security announce list. That way you get an
explanation for any packages updated for security fixes.

-edrz

On Wed, Feb 04, 2004 at 11:05:47PM -0000, Faye Mitchell wrote:
> Hi,
>
> Just curious (and hopeful) - has any other debian user experienced
> this?
>
> Mailscanner/exim/SpamAssassin combo working perfectly (although
> struggling a little under MyDoom :-) ) on my little debian box. Next day,
> Mailscanner is pointblankly refusing to copy messages from the
> incoming exim mail spool to the outgoing one. The previous evening I
> installed routed and I noticed dselect picked up some security updates
> for perl modules. Apart from that, no change to the box or to any of the
> config files.
>
> I tried putting Mailscanner into debug mode, but all mailscanner is
> saying is that it's starting and then no more logs from Mailscanner. It's
> still happily running as witnessed by top, and kicking in and out as it
> should - it's just not doing anything :-(. I tried putting the AV to none
> (thinking that maybe Sophos was causing the problem), but still no joy :-(
>
> I tried doing a debug run and it seemed to be trying to start up SA
> (despite the Spam Checks config option being set to no - for a variety
> of reasons (primarily performance related) I want exim to do the Spam
> checks, not MailScanner) and getting nowhere. I altered the config file
> so that use SpamAssassin was set to no, and commented out the lines
> in the mail MailScanner prog that initialised it to be on the safe side.
>
> And now it starts working.
>
> Has anybody else experienced this and knows why it behaved the way
> it did? I've got the thing working, but I'd kind of like to know why it
> stopped working in the first place!
>
> TTFN
>
> Faye
>
>
> --
> -=+=-
> Faye Mitchell, Senior Lecturer,
> Department of Computing,
> Oxford Brookes University
> email frmitchell@brookes.ac.uk
> WWW http://wwwcms.brookes.ac.uk/~p0072371/
> PGP public Key @
> http://macallan.brookes.ac.uk/Personal/pgp/dr.f.mitchell.asc
> Tel. Work +44 1865 48 4544
> Disclaimer: The views represented here, should in no way be taken to
> be the opinion or views of Oxford Brookes University.
> -=+=-
>
> Thought for the day:
> Light? Heck I can't even see the tunnel!

From kevin at KEVINSPICER.CO.UK Wed Feb 4 23:55:25 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:19 2006
Subject: Beating bayes
Message-ID: <1075938926.2858.99.camel@bach.kevinspicer.co.uk>

Interesting article on beating bayes filters at the BBC
http://news.bbc.co.uk/1/hi/technology/3458457.stm

Discuss...

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)

This message is digitally signed using the GNU Privacy Guard. My public
key may be obtained from http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040204/af99f890/attachment.bin

From sveinn at SVEINNG.COM Thu Feb 5 00:14:30 2004
From: sveinn at SVEINNG.COM (Sveinn Gunnarsson)
Date: Thu Jan 12 21:22:19 2006
Subject: FixMaliciousSubjects is cutting legim Subject lines.
In-Reply-To: <6.0.1.1.2.20040204161132.03b42008@imap.ecs.soton.ac.uk>
Message-ID:

The Subject line appears last in the headers of the modified emails like
this:

--%<------
X-OgVodafone-MailScanner-SpamScore: ss
Subject: Re: WinCABAS:
---%<------

Thanks, Svenni...

> What is it reducing them to? I can't see anything in the code snippet that
> would touch the sample subject line you gave.
>
> At 15:25 04/02/2004, you wrote:
> >Hi Julian.
> >
> >I have found that the FixMaliciousSubjects sub in SweepContent.pm is cutting
> >off non-exploit subject lines. These mails are sent from Lotus Notes server.
> >I have not seen this happening when receiving mail from other servers.
> >
> >Here is a header-snip of one such email:
> >
> >
> >From: yy@yy.is
> >In-Reply-To:
> >
> >Subject: Re: WinCABAS:
> > =?iso-8859-1?Q?Bifei=F0averkst=E6=F0i_=C1rna_G=EDslasonar_hf=2C_MV128-02?=
> > =?us-ascii?Q?=2E=2E?= =?iso-8859-1?Q?=ED__cabas=2C_G=F3l?=
> >To: xx@xx.is
> >
> >
> >I have disabled these three lines in SweepContent.pm to let these subjects
> >through, but a more elegant solution would be nice :)
> >
> ># $newsubject =~ s/\s{20,}.*\..{1,4}\s*$//; # Delete file extensions at end
> >of filename
> ># $newsubject =~ s/\s*$//g;
> ># $newsubject =~ s/\s{20,}//g;
> >
> >
> >
> >Thanks in advance !
> >
> >Sveinn G. Gunnarsson
> >UNIX Specialist
> >
> >Og Vodafone
> >Sidumuli 28
> >108 Reykjavik
> >Iceland
> >www.ogvodafone.is
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From test at NEXTMILL.NET Thu Feb 5 00:16:05 2004
From: test at NEXTMILL.NET (Brian Lewis)
Date: Thu Jan 12 21:22:19 2006
Subject: Announce: MailWatch for MailScanner 0.5
Message-ID:

Got it working!!

installed
MySQL-shared-3.23.58-1.i386.rpm
MySQL-bevel-3.23.58-1.i386.rpm

then reran Perl Makefile.pl, make, make test, and make install which
successfully installed DBD:mysql v2.1028-8 and now Mailwatch talks to the
MySQL server properly!!!

Very Very slick!!

Now we just need quarantine messages to database, self cleaning up to
remove older database entries after a period of time (two settings, one for
MESSAGE CONTENT and one for MESSAGE HEADER info) and the option to release
a message for delivery and this product will be really sweet!

From mkettler at EVI-INC.COM Thu Feb 5 00:42:03 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:19 2006
Subject: Beating bayes
In-Reply-To: <1075938926.2858.99.camel@bach.kevinspicer.co.uk>
References: <1075938926.2858.99.camel@bach.kevinspicer.co.uk>
Message-ID: <6.0.0.22.0.20040204193553.0269baa0@xanadu.evi-inc.com>

At 06:55 PM 2/4/2004, you wrote:
>Interesting article on beating bayes filters at the BBC
>http://news.bbc.co.uk/1/hi/technology/3458457.stm
>
>Discuss...

It points out the fundamental reason why SpamAssassin isn't a pure bayes
system.

It's also why SA tokenizes headers, not just message bodies when it does
bayes (if you tokenize headers, that section isn't as easy to obfuscate
and/or add poison to).

And let's face it.. my most recent bayes-poison loaded spam got:

BAYES_99 5.40, HTML_MESSAGE 0.10, RCVD_IN_BL_SPAMCOP_NET 1.50,
RCVD_IN_DSBL 0.71, RCVD_IN_DYNABLOCK 1.50, RCVD_IN_SORBS 0.10)

Some benefit the 280 words of bayes poison they stuffed at the end got them.

For reference the email in question is a bayes-poison loaded, random
character-insert obfuscated super v-drug spam. It offered to:

"Suxper chajrge your lolve linfe!"

/yawn.

From joebaker at DCRESEARCH.COM Thu Feb 5 02:09:07 2004
From: joebaker at DCRESEARCH.COM (Joe Baker)
Date: Thu Jan 12 21:22:19 2006
Subject: Maximum Notifications Limit
Message-ID: <1075946947.31331.89.camel@mail.dcresearch.com>

There should be a maximum number of virus infection notifications sent per
day value. After so many infection bounce notifications, the system should
stop sending them. Otherwise our messages that alert "senders" that they
have sent a virus infected message could bring the Internet to its knees.

Typically, I register a new virus as "silent" in the configurations right
away.

Here's an interesting article on the subject.
http://www.raeinternet.com/newsletter/interview_skulason_092303.html

--
Joe Baker
Digital Communications Research, Inc.

From kfliong at WOFS.COM Thu Feb 5 02:16:22 2004
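Joe Baker's suggestion in the "Maximum Notifications Limit" message above (a per-day ceiling on virus notifications, with known viruses marked silent) can be written as a small policy object. This Python code is an added illustration, not part of the list archive and not MailScanner code; NotificationBudget, run, their parameters and the detection events are hypothetical and constructed here, and events are assumed to arrive in time order.

```python
from datetime import datetime


class NotificationBudget:
    """Hypothetical policy: silent list first, then a per-day ceiling."""

    def __init__(self, daily_cap, silent_names=()):
        if daily_cap < 0:
            raise ValueError("daily_cap must be >= 0")
        self.daily_cap = daily_cap
        # Substring match on lower-cased names (an assumption of this example).
        self.silent_names = [n.lower() for n in silent_names]
        self.day = None            # calendar day the counter applies to
        self.sent_today = 0
        self.totals = {"send": 0, "silent": 0, "capped": 0}

    def decide(self, when, virus_name):
        """Return 'send', 'silent' or 'capped' for one detection."""
        if when.date() != self.day:
            # First detection of a new calendar day: start a fresh budget.
            self.day = when.date()
            self.sent_today = 0
        name = virus_name.lower()
        if any(s in name for s in self.silent_names):
            verdict = "silent"     # never notify for names on the silent list
        elif self.sent_today >= self.daily_cap:
            verdict = "capped"     # budget for today is used up
        else:
            self.sent_today += 1
            verdict = "send"
        self.totals[verdict] += 1
        return verdict


# Constructed detection events: (timestamp, scanner's virus name).
EVENTS = [
    ("2004-02-04 23:10:00", "W32/MyDoom-A"),
    ("2004-02-04 23:40:00", "Example.Worm.A"),
    ("2004-02-04 23:50:00", "Example.Worm.A"),
    ("2004-02-04 23:55:00", "Example.Worm.B"),
    ("2004-02-05 00:05:00", "Example.Worm.B"),
    ("2004-02-05 00:06:00", "w32/mydoom-a"),
]


def run(events, daily_cap, silent_names):
    """Apply the policy to a list of events; return (verdicts, totals)."""
    budget = NotificationBudget(daily_cap, silent_names)
    verdicts = []
    for stamp, virus in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        verdicts.append(budget.decide(when, virus))
    return verdicts, budget.totals


if __name__ == "__main__":
    verdicts, totals = run(EVENTS, daily_cap=2, silent_names=["mydoom"])
    for (stamp, virus), verdict in zip(EVENTS, verdicts):
        print(stamp, virus, "->", verdict)
    print(totals)
```

Silent detections do not consume the daily budget here, so a flood of one silenced virus cannot use up the notifications for everything else.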
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:22:19 2006
Subject: Announce: MailWatch for MailScanner 0.5
In-Reply-To: <013b01c3eaa8$10b70120$4c04a8c0@Plnt3domain>
References: <67D9E7698329D411936E00508B6590B902773E43@neelix.lbsltd.co.uk> <013b01c3eaa8$10b70120$4c04a8c0@Plnt3domain>
Message-ID: <6.0.0.22.0.20040205100713.03a69f90@192.168.10.2>

I can't wait to upgrade my mailwatch to 0.5. But as of now, only my
company's email is working as we have problems with our broadband internet
connection.

But have one question. The last time I tried to go to mailwatch screen, it
took me very long to connect and usually it will timeout. Since then I have
had other problems and didn't have time to check mailwatch properly.

Could this be due to mysql queries taking too long? Maybe if my database is
indexed, the queries will go faster?

I only tried keeping 1 month's of data as this itself is taking over 700mb.
Could this be the problem?

Thanks for continuing the effort to improve mailwatch. It is a very good
tool for mailscanner users.

At 06:50 AM 2/4/2004, you wrote:
>Thank you. It's now working...
>
>----- Original Message -----
>From: "Steve Freegard"
>To:
>Sent: Tuesday, February 03, 2004 5:06 PM
>Subject: Re: Announce: MailWatch for MailScanner 0.5
>
>
> > Hi Joseph,
> >
> > You're getting this error because your copy of PHP doesn't have the MySQL
> > module installed or compiled in.
> >
> > If you are running RedHat install the php-mysql RPM from your installation
> > CD's and restart apache and it will start working.
> >
> > Kind regards,
> > Steve.
> >
> > > -----Original Message-----
> > > From: Joseph C. Bautista [mailto:jdbautista@IWSPC.COM]
> > > Sent: 03 February 2004 08:39
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Announce: MailWatch for MailScanner 0.5
> > >
> > >
> > > Hi All,
> > >
> > > I think I followed the instruction correct. My
> > > Mailscanner is logging to mysql database. But everytime I
> > > point my browser to
> > >
> > > http://localhost/mailscanner it gives me an error:
> > >
> > > Fatal error: Call to undefined function:
> > > mysql_pconnect() in
> > > /home/httpd/html/mailscanner/functions.php on line 273
> > >
> > > Anyone knows how to fixed this?
> > >
> > > Thnx.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Steve Freegard"
> > > To:
> > > Sent: Tuesday, February 03, 2004 8:44 AM
> > > Subject: Announce: MailWatch for MailScanner 0.5
> > >
> > >
> > > > Hi All,
> > > >
> > > > I'm pleased to finally release 0.5 which you can download from
> > > > http://www.sourceforge.net/projects/mailwatch.
> > > >
> > > > CHANGE LOG
> > > > - Updated indexes for much greater performance (again!).
> > > > - Added preliminary support for per-user filters (see USER_FILTERS
> > > > file).
> > > > - Added the ability to view quarantined items.
> > > > - All tables now enable a pager when returning more than 50
> > > rows and allow
> > > > ordering by any of the displayed columns.
> > > > - New tool to run SpamAssassin --lint and time the output
> > > for debugging
> > > SA.
> > > > - New F-Secure status page (like Sophos).
> > > > - Required PEAR modules now included.
> > > > - Added reporting of Blacklisted mails.
> > > > - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted
> > > e-mails.
> > > > - Quoted printable strings are now automatically decoded before
> > > > display.
> > > > - Configuration options moved from functions.php into conf.php
> > > > - Automatically works out VIRUS_REGEX by using the first value in
> > > > MailScanner.conf - e.g. 'Virus Scanners = sophossavi
> > > clamavmodule' would
> > > > activate the regexp for SophosSAVI.
> > > > - New 'Virus Report' allows comparison of multiple scanners
> > > (if you run
> > > > more than one) and allows you to see 1st detection
> > > date/time of each
> > > > virus by each scanner.
> > > > - Integration with Fortress Systems Secure Mail Gateway.
> > > >
> > > > FIXES
> > > > - Multiple clean-ups of mailq.php to make it more robust.
> > > > - Greatly improved debugging of SQL statements.
> > > > - Quarantine now correctly looks in the non-spam quarantine
> > > > directories.
> > > > - SA Rules Description Update now reads custom rules as well.
> > > > - sendmail_relay.php now works across log rotations.
> > > > - Increased memory_limit to 128M for quarantine functions.
> > > >
> > > > Kind regards,
> > > > Steve.
> > > >
> > > > --
> > > > MailWatch for MailScanner
> > > > http://mailwatch.sourceforge.net
> > > >
> > > > --
> > > > This email and any files transmitted with it are confidential and
> > > > intended solely for the use of the individual or entity to
> > > whom they
> > > > are addressed. If you have received this email in error
> > > please notify
> > > > the sender and delete the message from your mailbox.
> > > >
> > > > This footnote also confirms that this email message has
> > > been swept by
> > > > MailScanner (www.mailscanner.info) for the presence of computer
> > > > viruses.
> > >
> >
> > --
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error please notify
> > the sender and delete the message from your mailbox.
> >
> > This footnote also confirms that this email message has been swept by
> > MailScanner (www.mailscanner.info) for the presence of computer viruses.

thanks

From john at TRADOC.FR Thu Feb 5 07:26:07 2004
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:22:19 2006
Subject: upgrade_MailScanner_conf help text inconsistency
Message-ID:

When you run upgrade_mailscanner_conf with no arguments, it suggests
running it with the command

| upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.new

When you then do so, at the end it says

| If you ran this with a command like this
| upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.conf.new
| then you should do
| diff MailScanner.conf.rpmnew MailScanner.conf.new
| and check for any differences in values you have not changed yourself.

Note that the suggested filename has changed from MailScanner.new to
MailScanner.conf.new

Not a big deal - I'm sure all but the most clueless of admins will work it
out for themselves - but it would be nice to be consistent just so that
copying and pasting the suggested commands unchanged will work! Or better
still, make the suggestion use the arguments actually passed.

John.

--
-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From christo at IT4AFRICA.CO.ZA Thu Feb 5 07:16:56 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:19 2006
Subject: High Load after MS and Mailwatch Upgrade
Message-ID: <002601c3ebb8$0a04ea70$660210ac@christoxp>

After upgrading to the latest version of MailWatch and Mailscanner my server started to take huge load.

I found the following in my maillogs.

Feb 5 09:03:29 mailtest sendmail[6833]: rejecting connections on daemon MTA: load average: 13
Feb 5 09:05:33 mailtest MailScanner[10934]: SpamAssassin timed out and was killed, consecutive failure 6 of 20
Feb 5 09:11:39 mailtest MailScanner[4900]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7

The Spamassassin keeps on going up to 20 of 20.

I have a caching DNS and it is working properly. My config is.
mailscanner-4.26.8-1 RH9 mailwatch-0.5 MailScanner-MRTG-0.07 on a P4 2Ghz with 512 MB ram

Thanx
Christo

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/4e62e8fe/attachment.html
From martinh at SOLID-STATE-LOGIC.COM Thu Feb 5 10:00:22 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:19 2006 Subject: High Load after MS and Mailwatch Upgrade In-Reply-To: <002601c3ebb8$0a04ea70$660210ac@christoxp> References: <002601c3ebb8$0a04ea70$660210ac@christoxp> Message-ID: <40221436.2020909@solid-state-logic.com> Christo Bezuidenhout wrote: > After upgrading to the latest version of MailWatch and Mailscanner my > server started to take huge load. > > I Found the following in my maillogs. > > Feb 5 09:03:29 mailtest sendmail[6833]: rejecting connections on daemon > MTA: load average: 13 > Feb 5 09:05:33 mailtest MailScanner[10934]: SpamAssassin timed out and > was killed, consecutive failure 6 of 20 > Feb 5 09:11:39 mailtest MailScanner[4900]: RBL Check ORDB-RBL timed out > and was killed, consecutive failure 1 of 7 > > The Spamassassin keeps on going up to 20 of 20. > > I have a caching DNS and is working properly. My config is. > mailscanner-4.26.8-1 RH9 mailwatch-0.5 MailScanner-MRTG-0.07 on a P4 > 2Ghz with 512 MB ram > > Thanx > Christo Christo looks like you've got problems with ORDB which is causing the issues, not mailwatch.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From steve.freegard at LBSLTD.CO.UK Thu Feb 5 10:28:09 2004 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:19 2006
Subject: High Load after MS and Mailwatch Upgrade
Message-ID: <67D9E7698329D411936E00508B6590B902773E75@neelix.lbsltd.co.uk>

Hi Christo,

Post the output of: "time spamassassin -D rbl=-3,rulesrun=255 -p /etc/MailScanner/spam.assassin.prefs.conf --lint" as that should show what is slowing SpamAssassin down.

Also are you running any custom SA rulesets that might be slowing SpamAssassin down?? - I've had problems in the past with the sa-blacklist and sa-blacklist-uri custom sets as they are so big.

If you want to disable MailWatch to confirm that it is not causing your problems, you can do this by commenting the line in CustomConfig.pm that says "require 'MailScanner/MailWatch.pm';" and restart MailScanner and see if that helps at all.

Kind regards,
Steve.

-----Original Message-----
From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA] Sent: 05 February 2004 07:17 To: MAILSCANNER@JISCMAIL.AC.UK Subject: High Load after MS and Mailwatch Upgrade After upgrading to the latest version of MailWatch and Mailscanner my server started to take huge load. I Found the following in my maillogs. Feb 5 09:03:29 mailtest sendmail[6833]: rejecting connections on daemon MTA: load average: 13 Feb 5 09:05:33 mailtest MailScanner[10934]: SpamAssassin timed out and was killed, consecutive failure 6 of 20 Feb 5 09:11:39 mailtest MailScanner[4900]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 The Spamassassin keeps on going up to 20 of 20. I have a caching DNS and is working properly. My config is. mailscanner-4.26.8-1 RH9 mailwatch-0.5 MailScanner-MRTG-0.07 on a P4 2Ghz with 512 MB ram Thanx Christo -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/627d4f15/attachment.html From martinh at SOLID-STATE-LOGIC.COM Thu Feb 5 10:42:11 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:19 2006 Subject: High Load after MS and Mailwatch Upgrade In-Reply-To: <67D9E7698329D411936E00508B6590B902773E75@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773E75@neelix.lbsltd.co.uk> Message-ID: <40221E03.7080406@solid-state-logic.com> Steve Freegard wrote: > Hi Christo, > > Post the output of: "time spamassassin -D rbl=-3,rulesrun=255 -p > /etc/MailScanner/spam.assassin.prefs.conf --lint" as that should show > what is slowing SpamAssassin down. > > Also are you running any custom SA rulesets that might be slowing > SpamAssassin down?? - I've had problems in the past with the > sa-blacklist and sa-blacklist-uri custom sets as they are so big. > > If you want to disable MailWatch to confirm that it is not causing your > problems, you can do this by commenting the line in CustomConfig.pm that > says "require 'MailScanner/MailWatch.pm';" and restart MailScanner and > see if that helps at all. > > Kind regards, > Steve. > Another thought is where are you doing the RBL checks? if you are duplication RBL checks on SA as well as Mailscanner then this could be an issue.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From christo at IT4AFRICA.CO.ZA Thu Feb 5 10:44:45 2004 
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:20 2006
Subject: High Load after MS and Mailwatch Upgrade {Virus Scanned}
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E75@neelix.lbsltd.co.uk>
Message-ID: <006301c3ebd5$11ff20c0$660210ac@christoxp>

I found the problem. One of my custom cf files was corrupt. I just replaced this file with the backup of two days ago and all is working fine again.

Thanx for the assist

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Freegard
Sent: 05 February 2004 12:28 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: High Load after MS and Mailwatch Upgrade {Virus Scanned}

Hi Christo,

Post the output of: "time spamassassin -D rbl=-3,rulesrun=255 -p /etc/MailScanner/spam.assassin.prefs.conf --lint" as that should show what is slowing SpamAssassin down.

Also are you running any custom SA rulesets that might be slowing SpamAssassin down?? - I've had problems in the past with the sa-blacklist and sa-blacklist-uri custom sets as they are so big.

If you want to disable MailWatch to confirm that it is not causing your problems, you can do this by commenting the line in CustomConfig.pm that says "require 'MailScanner/MailWatch.pm';" and restart MailScanner and see if that helps at all.

Kind regards,
Steve.

-----Original Message-----
From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA] Sent: 05 February 2004 07:17 To: MAILSCANNER@JISCMAIL.AC.UK Subject: High Load after MS and Mailwatch Upgrade After upgrading to the latest version of MailWatch and Mailscanner my server started to take huge load. I Found the following in my maillogs. Feb 5 09:03:29 mailtest sendmail[6833]: rejecting connections on daemon MTA: load average: 13 Feb 5 09:05:33 mailtest MailScanner[10934]: SpamAssassin timed out and was killed, consecutive failure 6 of 20 Feb 5 09:11:39 mailtest MailScanner[4900]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 The Spamassassin keeps on going up to 20 of 20. I have a caching DNS and is working properly. My config is. mailscanner-4.26.8-1 RH9 mailwatch-0.5 MailScanner-MRTG-0.07 on a P4 2Ghz with 512 MB ram Thanx Christo -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks IT For Africa for their support. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/0c9ef083/attachment.html From prandal at HEREFORDSHIRE.GOV.UK Thu Feb 5 10:55:39 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:20 2006 Subject: Fix for bayes rebuild bug on Solaris Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4EA@jessica.herefordshire.gov.uk> I for one find it very useful. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 04 February 2004 18:54 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Fix for bayes rebuild bug on Solaris > > > At 17:13 04/02/2004, you wrote: > >Hi! > > > > > I applied the patch (had to do it by hand, an extra space in > > > there on the second chunk), uncommented bayes_auto_expire in > > > spam.assassin.prefs.conf, restarted. No apparent problems. > > > > > > I just noticed the "autolearn=spam" note in mails tagged as spam > > > by SA. No mention of this in the docs. What is this about? > > > >Most likely bayes autolearning ? :) > > Someone wanted notification of when a message was > auto-learned, so they got > it. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From ugob at CAMO-ROUTE.COM Thu Feb 5 11:21:05 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:20 2006
Subject: untagged messages
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108B4@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Schmitt, Andy C - CIDD-2 [mailto:acschmitt@BPA.GOV]
> Sent: Wednesday, February 04, 2004 2:43 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: untagged messages
>
>
> This may be completely off base, since I don't know if you
> already posted your network config, but are you delivering
> directly to Unix accounts after MailScanner, or forwarding on
> to an Exchange box on an internal network?
>
> The reason why I ask is that here, we use MS Exchange for
> internal mail, and it seems like headers get replaced at
> random times by the words "Microsoft Mail Internet Headers
> 2.0" followed by a sanitized version of headers, which still
> shows the server route, but nothing useful such as
> MailScanner headers. I've heard vague rumors as to why this
> happens, but have not heard of anyone being able to fix it.
>

Hmmm, I always see "Microsoft Mail Internet Headers 2.0,", but I never saw a message w/o MailScanner's headers, though. But I don't receive a lot of messages.

Ugo

>
> -----Original Message-----
> From: hermit921 [mailto:hermit921@YAHOO.COM]
> Sent: Wednesday, February 04, 2004 11:18 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: untagged messages
>
>
> I am still trying to figure out why some messages don't get tagged by
> MailScanner 4-23, postfix 2. Every email should get tagged with at least
> one MailScanner header, but some don't.
>
> I came up with an idea. Is this feasible:
> Spammer sets up his client to use our mail server as his smtp
> gateway. Should work for any message addressed to a user in our domain,
> but he can't send mail outside. So spammer addresses a message to
> usera@mydomain, with CC or BCC to userb, userc, userd, etc. Now I get
> fuzzy....
>
> One message appears here, postfix dumps it in the hold queue. Postfix
> splits it up at the same time, so only the original message gets the
> MailScanner headers. Since I can't track the original, I can't verify the
> presence of headers.
>
> Am I way off?
>
From carles at UNLIMITEDMAIL.ORG Thu Feb 5 13:40:24 2004
From: carles at UNLIMITEDMAIL.ORG (Carles Xavier Munyoz Baldó)
Date: Thu Jan 12 21:22:20 2006
Subject: Bayes database size.
Message-ID: <200402051440.24833.carles@unlimitedmail.org>

Hi,
I'm using MailScanner with SpamAssassin and the auto_learn option enabled for the Bayes DataBase.
My question is: will the learning process stop when there is enough information on the database or will it continuously learn new spam and ham messages ?
That it is, is there any limit in the number of spam and ham messages learned by the Bayes database ?
If there is no limit, will my database continuously increase its size until I run out of disk space ?

Greetings.
---
Carles Xavier Munyoz Baldó
carles@unlimitedmail.org
http://www.unlimitedmail.net/
---
From brose at MED.WAYNE.EDU Thu Feb 5 14:19:22 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:20 2006
Subject: Fix for bayes rebuild bug on Solaris
Message-ID:

Ok it seems to be working. I'm confused by the scheduling though. I set the rebuild to 300 secs last night so I could check adequately but it never ran a rebuild every 5 mins. Before anyone asks why 5 mins, this was only to "test" the code. Anyway, this morning I checked the logs and the rebuild did occur. But it looks like it just ran twice 5mins apart after the 4hr Mailscanner restart time. Is this correct?

Feb 5 03:16:37 eeyore MailScanner[2023]: Bayes database rebuild is due
Feb 5 03:16:38 eeyore MailScanner[2023]: SpamAssassin Bayes database rebuild preparing
Feb 5 03:16:43 eeyore MailScanner[2023]: SpamAssassin Bayes database rebuild starting
Feb 5 03:22:09 eeyore MailScanner[2658]: Bayes database rebuild is due
Feb 5 03:22:11 eeyore MailScanner[2658]: SpamAssassin Bayes database rebuild preparing
Feb 5 03:22:25 eeyore MailScanner[2658]: SpamAssassin Bayes database rebuild starting
Feb 5 07:17:47 eeyore MailScanner[18646]: Bayes database rebuild is due
Feb 5 07:17:48 eeyore MailScanner[18646]: SpamAssassin Bayes database rebuild preparing
Feb 5 07:18:22 eeyore MailScanner[18646]: SpamAssassin Bayes database rebuild starting
Feb 5 07:23:02 eeyore MailScanner[19177]: Bayes database rebuild is due
Feb 5 07:23:03 eeyore MailScanner[19177]: SpamAssassin Bayes database rebuild preparing
Feb 5 07:23:09 eeyore MailScanner[19177]: SpamAssassin Bayes database rebuild starting

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, February 04, 2004 4:41 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Fix for bayes rebuild bug on Solaris At 18:05 02/02/2004, you wrote: >At 17:57 02/02/2004, you wrote: >>Gee... >> >>FWIW, it happened a couple of centuries ago, but I recall having >>serious trouble making Perl's flock() work on Solaris... same >>situation, all development done under linux without a hitch and >>Solaris ignored all the locking... and it wasn't an interoperability >>problem, since I was competing against my own script... >> >>The point is I don't quite remember what we did to solve it (we is an >>understatement, since it wasn't me programming, I was just the >>designer)... it must have been perl 5.6.x and Solaris 7, but I'm not >>sure either... >> >>Seems like you'll need a Solaris box to test it thoroughly... I >>wouldn't even trust Solaris-x86 to behave identically to Solaris-Sparc >>:-( > >I've got an Ultra-5 so I can do a real test. If necessary, I can build >a >Solaris-x86 box too. But as you say, the best place to try it is a real sparc. I have found the problem. Attached is a very short patch to SA.pm. This should let you enable the "Rebuild Bayes Every" feature that does scheduled Bayes database rebuilds. If you turn this feature on in MailScanner.conf, you will want to set bayes_auto_expire 0 in your spam.assassin.prefs.conf to disable the (unsuccessful) attempts at letting SpamAssassin rebuild its Bayes database when it feels like it. From rgreen at TRAYERPRODUCTS.COM Thu Feb 5 15:02:18 2004 
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner/ClamAV
Message-ID: <40225AFA.9050908@trayerproducts.com>

Hello. I'm testing MailScanner and ClamAV. When I receive a message with the MyDoom worm attached in a zip file the attachment is blocked and quarantined upon arrival. When I send a message with the same zip file attached through the server it gets through to the remote server without being blocked. Is there a way to have mail filtered on the way out too?

Thanks,
Rod

From ycayer at 3WEBMEDIA.COM Thu Feb 5 15:04:33 2004
From: ycayer at 3WEBMEDIA.COM (Yannick Cayer)
Date: Thu Jan 12 21:22:20 2006
Subject: Cannot parse /var/spool/MailScanner/incoming/25111/i15F3CI26572.header and ,
Message-ID: <4915A8E67C498D42BAB5CB1351FD026E14AC8C@3webad1.3WebMedia.int>

I am getting the following error many many times in my MailScanner logs... Can anyone tell me what this means?

Cannot parse /var/spool/MailScanner/incoming/25111/i15F3CI26572.header and ,

Thank you again

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/75e827e9/attachment.html
From sits at CAEDERUS.COM Thu Feb 5 15:09:43 2004
From: sits at CAEDERUS.COM (Sitsofe Wheeler)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner RPM dependencies
Message-ID: <1075993782.1528.86.camel@subsub.caederus.com>

Hi,

I've noticed that the MailScanner specfile does not actually list dependencies on all the RPMs it needs to run. This means it is hard to get working with tools like apt and yum when all the RPMs are provided by a repository (also the tnef was not picked up even though it is listed as a requires). Was this intentional?

From ugob at CAMO-ROUTE.COM Thu Feb 5 15:23:00 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner/ClamAV
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108B8@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Rodney Green [mailto:rgreen@TRAYERPRODUCTS.COM]
> Sent: Thursday, February 05, 2004 10:02 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner/ClamAV
>
>
> Hello. I'm testing MailScanner and ClamAV. When I receive a message with
> the MyDoom worm attached in a zip file the attachment is blocked and
> quarantined upon arrival. When I send a message with the same zip file
> attached through the server it gets through to the remote server without
> being blocked. Is there a way to have mail filtered on the way out too?

It is supposed to be filtered both ways.

>
> Thanks,
> Rod
>
From HancockS at MORGANCO.COM Thu Feb 5 15:31:19 2004
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:22:20 2006
Subject: NDR strategy
Message-ID: <3EA1A302A4978A4C970D2C63F327156E02406D12@worc-mail2.int.morganco.com>

I use a batch command that calls a resource util ldifde to get info out of AD. I then compare it for changes on the windows side and copy it to the mailscanner for processing with a Perl script. Change the object class to "group" for dist. lists.

ldifde -f c:\temp\Exportuser.ldf -s -d "dc=internal,dc=domain,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(proxyAddresses=*))" -l "cn,proxyAddresses"

FWIW

Scott
From robv at DISASTER.COM Thu Feb 5 15:35:01 2004
From: robv at DISASTER.COM (Vicchiullo, Rob)
Date: Thu Jan 12 21:22:20 2006
Subject: f-prot update
Message-ID: <8BD06A60242B4341B8919A4AC958C1D01816CC@busted.dandd.com>

For some reason I always get this error in my mail logs when mailscanner tries to update f-prot

Updates download from http://updates.f-prot.com failed. Suspect server could not be reached,

But if I run the mailscanner virus update script manually it works fine. Any ideas why this would happen ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/68407519/attachment.html
From miguelk at KONSULTEX.COM.BR Thu Feb 5 15:36:47 2004
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner/ClamAV
References: <54C38A0B814C8E438EF73FC76F3629274108B8@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <4022630F.7020808@konsultex.com.br>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/076697f8/attachment.html
From michele at BLACKNIGHTSOLUTIONS.COM Thu Feb 5 16:02:32 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:20 2006
Subject: Restricted Word List with MailScanner
In-Reply-To:
Message-ID:

You could look at using something like BigEvil

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Jonathan Lampe
> Sent: 05 February 2004 15:39
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Restricted Word List with MailScanner
>
>
> Is there an easy way to use a restricted word list with MailScanner?
>
> (No, I don't want a "self-learning" Bayesian filter - I want a word list
> which into which I can put words which will always flag spam as spam.)
>
From rgreen at TRAYERPRODUCTS.COM Thu Feb 5 16:03:56 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner/ClamAV
In-Reply-To: <40225AFA.9050908@trayerproducts.com>
References: <40225AFA.9050908@trayerproducts.com>
Message-ID: <4022696C.4010604@trayerproducts.com>

Thanks for your replies. I'm using Thunderbird as my mail client and found that the SMTP server I was using to send mail was not the test server I have MailScanner/ClamAV running on. :-) I changed it to the proper one and tested again and it blocked the outgoing attachment just fine.

Rod

Rodney Green wrote:

> Hello. I'm testing MailScanner and ClamAV. When I receive a message with
> the MyDoom worm attached in a zip file the attachment is blocked and
> quarantined upon arrival. When I send a message with the same zip file
> attached through the server it gets through to the remote server without
> being blocked. Is there a way to have mail filtered on the way out too?
>
> Thanks,
> Rod
>
>
From steinkel at PA.NET Thu Feb 5 16:11:20 2004
From: steinkel at PA.NET (Leland J. Steinke)
Date: Thu Jan 12 21:22:20 2006
Subject: untagged messages
References: <6.0.0.22.2.20040204104406.01e4a2b8@pop.mail.yahoo.com>
Message-ID: <40226B28.5020904@pa.net>

hermit921 wrote:
> I am still trying to figure out why some messages don't get tagged by
> MailScanner 4-23, postfix 2. Every email should get tagged with at least
> one MailScanner header, but some don't.
>
> I came up with an idea. Is this feasible:
> Spammer sets up his client to use our mail server as his smtp
> gateway. Should work for any message addressed to a user in our domain,
> but he can't send mail outside. So spammer addresses a message to
> usera@mydomain, with CC or BCC to userb, userc, userd, etc. Now I get
> fuzzy....
>
> One message appears here, postfix dumps it in the hold queue. Postfix
> splits it up at the same time, so only the original message gets the
> MailScanner headers. Since I can't track the original, I can't verify the
> presence of headers.
>
> Am I way off?
>

As I recall, the cleanup daemon is what puts the arriving message into the hold queue, but it is downstream where the qmgr daemon that actually splits the message up for different destinations via the trivial-rewrite daemon. See http://www.postfix.org/big-picture.html.

I saw one of these untagged messages this morning. I was able to track it through our logs where it did, in fact, get a SA score of 9.7, but there were no MS headers in the message at all. This was in the headers that did make it through:

Message-ID:
References: <200402051440.24833.carles@unlimitedmail.org>
Message-ID: <6.0.0.22.0.20040205111514.025f3fd0@xanadu.evi-inc.com>

At 08:40 AM 2/5/2004, Carles Xavier Munyoz Baldó wrote:
>My question is: will the learning process stop when there is enough
>information on the database or will it continuously learn new spam and ham
>messages ?

It will keep learning.
>That it is, is there any limit in the number of spam and ham messages learned
>by the Bayes database ?

Yes, read man Mail::SpamAssassin::Conf if you want to try to change it.

>If there is no limit, will my database continuously increase its size until I
>run out of disk space ?

No it won't, as long as the expiry process can successfully run now and again. The expiry pushes old tokens out of the bayes database if it's over the size limits.

If you're using an older version of MailScanner on a busy server, you may need to run sa-learn --force-expire in your crontab. Newer versions of MailScanner manage bayes expiry automatically.

(SA will try to "opportunistically" run expiry as it scans mail, but on a busy server, with multiple MailScanner children, it's unlikely to be successful, as it can only succeed in locking the bayes database when only one message is being SA'ed at the time it tries. Same rules of opportunism apply to autolearning. It only happens if it can be done without waiting for a lock.)

From mkettler at EVI-INC.COM Thu Feb 5 16:24:59 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:20 2006
Subject: Restricted Word List with MailScanner
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20040205112054.024a09b0@xanadu.evi-inc.com>

At 10:39 AM 2/5/2004, Jonathan Lampe wrote:
>Is there an easy way to use a restricted word list with MailScanner?
>
>(No, I don't want a "self-learning" Bayesian filter - I want a word list
>which into which I can put words which will always flag spam as spam.)

Although it's a bit of work, you can use/abuse SpamAssassin to do that.. it's overkill for the job, and probably not the simplest thing to set up, but it's possible.

Just set up MailScanner to use SA, disable bayes, awl, dnsbls and hack out most of the SA rules.. replace them with rules that search for single rules and apply huge point scores to each of those rules. As an added benefit, you can search for any perl-regex you want, not just words.

If your MailScanner box does delivery, you could also use procmail as a MDA and have a procmail script filter words.. That's the old-fashioned simple way of doing it, and doesn't involve MailScanner at all per-se.

From steve.swaney at FSL.COM Thu Feb 5 16:27:16 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:20 2006
Subject: f-prot update
In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01816CC@busted.dandd.com>
Message-ID: <20040205162715.846F521C149@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Vicchiullo, Rob
> Sent: Thursday, February 05, 2004 10:35 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: f-prot update
>
> For some reason I always get this error in my mail logs when mailscanner
> tries to update f-prot
>
> Updates download from http://updates.f-prot.com failed. Suspect server
> could not be reached,
>
> But if I run the mailscanner virus update script manually it works fine.
> Any ideas why this would happen ?
>
>

Rob,

Try adding a statement at the beginning of the update script that will store the environment that script is running in. In Linux with a bash shell this line would look like:

printenv > /tmp/updates-f-prot.env

Then run the printenv command in the interactive shell that runs the command correctly:

printenv > /tmp/ok-shell.evn

then

diff /tmp/updates-f-prot.env /tmp/ok-shell.evn

And you should see a hint on why one is working and the other command is not.

Steve

Steve Swaney
President
Fortress Systems Ltd.
steve.swaney@fsl.com

> This message has been scanned for viruses and
> dangerous content by MailScanner at Fortress Systems Ltd.
> , and is
> believed to be clean.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

Fortress Systems Ltd.
www.fsl.com
From steve.swaney at FSL.COM Thu Feb 5 16:33:00 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:20 2006
Subject: Restricted Word List with MailScanner
In-Reply-To: <6.0.0.22.0.20040205112054.024a09b0@xanadu.evi-inc.com>
Message-ID: <20040205163259.9EC2D21C149@mail.fsl.com>

Check out the MCP feature in MailScanner. It should do what you want. It will use additional resources.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Matt Kettler
> Sent: Thursday, February 05, 2004 11:25 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Restricted Word List with MailScanner
>
> At 10:39 AM 2/5/2004, Jonathan Lampe wrote:
> >Is there an easy way to use a restricted word list with MailScanner?
> >
> >(No, I don't want a "self-learning" Bayesian filter - I want a word list
> >which into which I can put words which will always flag spam as spam.)
>
> Although it's a bit of work, you can use/abuse SpamAssassin to do that..
> it's overkill for the job, and probably not the simplest thing to set up,
> but it's possible.
>
> Just set up MailScanner to use SA, disable bayes, awl, dnsbls and hack out
> most of the SA rules.. replace them with rules that search for single rules
> and apply huge point scores to each of those rules. As an added benefit,
> you can search for any perl-regex you want, not just words.
>
> If your MailScanner box does delivery, you could also use procmail as a MDA
> and have a procmail script filter words.. That's the old-fashioned simple
> way of doing it, and doesn't involve MailScanner at all per-se.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

Fortress Systems Ltd.
www.fsl.com
From campbell at CNPAPERS.COM Thu Feb 5 16:39:35 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:20 2006
Subject: TNEF question
Message-ID: <006501c3ec06$a3df86c0$5001a8c0@cnpapers.net>

I have upgraded to the latest release, but don't really think this is a new problem.

I have an Outlook user who seems to be getting his attachments deleted. I have changed the TNEF Expander line in MailScanner.conf from /usr/bin/tnef to internal, and both fail to send the attachment. I am waiting for the last test where I have set Deliver Unparseable TNEF to yes.

The real problem is that there is no notification anywhere that the attachment was removed. Nothing in the mail to the admin, the maillog, or the recipient that an attachment was dropped. Is there something like "Silent Viruses" that this falls under? I do see in the maillog that the TNEF Expander was called, but nothing else regarding this message ID.

Does anyone have a clue -- Thanks very much for any help.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From joshua.hirsh at PARTNERSOLUTIONS.CA Thu Feb 5 16:35:47 2004
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner RPM dependencies
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5FBE@eqmail1.efni.vpn>

tnef shows up on the RPM I have installed..

$ rpm -q mailscanner -R | grep tnef
tnef >= 1.1.1

I believe some of the other dependencies (i.e.: Perl modules) aren't included because some people install them via CPAN or other locations. If this is the case, then RPM wouldn't know about them and still complain about dependency issues even though they do exist on the system.

Cheers,
-Joshua

From campbell at CNPAPERS.COM Thu Feb 5 16:52:19 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:20 2006
Subject: TNEF question
References: <006501c3ec06$a3df86c0$5001a8c0@cnpapers.net>
Message-ID: <008f01c3ec08$6add7e20$5001a8c0@cnpapers.net>

The final test with Deliver Unparseable TNEF to yes failed to send the attachment also.

Thanks for any help.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From jonathan at STDNET.COM Thu Feb 5 15:39:11 2004
From: jonathan at STDNET.COM (Jonathan Lampe)
Date: Thu Jan 12 21:22:20 2006
Subject: Restricted Word List with MailScanner
Message-ID:

Is there an easy way to use a restricted word list with MailScanner?

(No, I don't want a "self-learning" Bayesian filter - I want a word list into which I can put words which will always flag spam as spam.)

From so-mlist-alias at all-about-shift.com Thu Feb 5 15:53:36 2004
From: so-mlist-alias at all-about-shift.com (Soeren Gerlach)
Date: Thu Jan 12 21:22:20 2006
Subject: Bayes database size.
In-Reply-To: <200402051440.24833.carles@unlimitedmail.org>
References: <200402051440.24833.carles@unlimitedmail.org>
Message-ID: <64688.205.191.194.164.1075996416.squirrel@miyako.all-about-shift.com>

Hello Carles,

> Hi,
> I'm using MailScanner with SpamAssassin and the auto_learn option enabled
> for the Bayes DataBase.
>
> My question is: will the learning process stop when there is enough
> information on the database or will it continuously learn new spam and ham
> messages ?
> That it is, is there any limit in the number of spam and ham messages
> learned by the Bayes database ?
>
> If there is no limit, will my database continuously increase its size until
> I run out of disk space ?

Your bayes database will increase continuously although the absolute rate will decrease. There is a possibility to expire old entries on request as well as using the "bayes_auto_expire" configuration parameter for automatically expiring old entries. You may want to check http://au.spamassassin.org/doc/Mail_SpamAssassin_Conf.html for details.

regards,
Soeren Gerlach

From lenaig at WANADOO.FR Thu Feb 5 16:59:38 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:20 2006
Subject: f-prot update
In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01816CC@busted.dandd.com>
References: <8BD06A60242B4341B8919A4AC958C1D01816CC@busted.dandd.com>
Message-ID: <20040205165938.GB4915@maelenn>

Hi,
Same problem for me, I am running FreeBSD.

Thx

--
Thierry
Never do an "apt-get install new-wife" before
an "apt-get remove --purge current-wife"

From robv at DISASTER.COM Thu Feb 5 17:07:29 2004
From: robv at DISASTER.COM (Vicchiullo, Rob)
Date: Thu Jan 12 21:22:20 2006
Subject: f-prot update
Message-ID: <8BD06A60242B4341B8919A4AC958C1D01816D1@busted.dandd.com>

I'm on Solaris, no printenv

From raymond at PROLOCATION.NET Thu Feb 5 17:11:45 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:20 2006
Subject: f-prot update
In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01816D1@busted.dandd.com>
Message-ID:

Hi!

> Same problem for me, I am running FreeBSD.

Works here, what version MS, what version f-prot ? They just released version 4.3.4.

Bye,
Raymond.

From tmurphy at ICMCONTROLS.COM Thu Feb 5 17:06:57 2004
From: tmurphy at ICMCONTROLS.COM (Tim Murphy)
Date: Thu Jan 12 21:22:20 2006
Subject: F-secure Seems not to be scanning
Message-ID: <076e01c3ec0a$76b1fcb0$6a01a8c0@DCQR0G11>

System is RH / cpanel / exim /

I just installed the new version of MailScanner as of right now

Virus Scanners = rav clamav f-prot f-secure mcafee

Rav (Works)
Clamav (Works)
F-prot (Trial) (Works)
Mcafee (Works)
F-secure (Seems Not To Work)

I can do the command line for f-secure

/usr/lib/MailScanner/f-secure-wrapper /opt/f-secure/fsav /tmp

-And that works

Database version: 2004-02-05_01
Scan started at Thu Feb 5 09:05:31 2004
Scan ended at Thu Feb 5 09:05:32 2004
11 files scanned

But it is not catching any virus in incoming emails

---------------paste from email---------------------
MessageID: 1Aojlz-0002FM-LP
Report: Rav: ./1Aojlz-0002FM-LP/body.zip->body.txt .pif Infected: Win32/Mydoom.A@mm
ClamAV: body.zip contains Worm.SCO.A
F-Prot: /var/spool/MailScanner/incoming/30908/1Aojlz-0002FM-LP/body.zip-body.txt Infection: W32/Mydoom.A@mm
McAfee: /1Aojlz-0002FM-LP/body.zip Found the W32/Mydoom.a@MM virus !!!
-----------------End Paste-------------------

I don't see anything in any of the infected mails about f-secure

----------paste from maillog---------------
Feb 5 09:01:07 srv1 update.virus.scanners: Found f-secure installed
Feb 5 09:01:07 srv1 update.virus.scanners: Running autoupdate for f-secure
-------------End Paste-------------------------

Mailscanner is seeing it..

From sits at CAEDERUS.COM Thu Feb 5 17:23:03 2004
From: sits at CAEDERUS.COM (Sitsofe Wheeler)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner RPM dependencies
In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB5FBE@eqmail1.efni.vpn>
References: <75FEDC422E2309419A9303E7B18F206E04DB5FBE@eqmail1.efni.vpn>
Message-ID: <1076001782.1528.106.camel@subsub.caederus.com>

On Thu, 2004-02-05 at 16:35, Hirsh, Joshua wrote:
> tnef shows up on the RPM I have installed..
>
> $ rpm -q mailscanner -R | grep tnef
> tnef >= 1.1.1

Ah but this doesn't appear to be enough to suck in the provided RPM via apt/yum.

> I believe some of the other dependencies (i.e.: Perl modules) aren't
> included because some people install them via CPAN or other locations. If
> this is the case, then RPM wouldn't know about them and still complain about
> dependency issues even though they do exist on the system.

Thanks (I thought it might be deliberate). Any chance we could have a commented out Requires line that does have all the dependencies for the spec file?

From steve.swaney at FSL.COM Thu Feb 5 17:48:42 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:20 2006
Subject: f-prot update
In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01816D1@busted.dandd.com>
Message-ID: <20040205174842.E3AA121C149@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Vicchiullo, Rob
> Sent: Thursday, February 05, 2004 12:07 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: f-prot update
>
> I'm on Solaris, no printenv
>

What shell are you running:

1. Using to call f-prot auto update?
2. Using in the command window that successfully runs the f-prot auto update?

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

From rzewnickie at RFA.ORG Thu Feb 5 18:01:00 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:20 2006
Subject: force-expire broke bayes? [Re: Bayes database size.]
In-Reply-To: <6.0.0.22.0.20040205111514.025f3fd0@xanadu.evi-inc.com>
References: <200402051440.24833.carles@unlimitedmail.org> <6.0.0.22.0.20040205111514.025f3fd0@xanadu.evi-inc.com>
Message-ID: <20040205180100.GB7760@rfa.org>

I added --force-expire to my nightly 3am sa-learn cronjob. (previously done with only --rebuild). Since 3am no messages have bayes scores at all and it looks like autolearning is not working.

Could I have done something stupid?

-Eric Rz.

On Thu, Feb 05, 2004 at 11:20:25AM -0500, Matt Kettler wrote:
> At 08:40 AM 2/5/2004, Carles Xavier Munyoz Bald? wrote:
> >My question is: will the learning process stop when there is enough
> >information on the database or will it continuously learn new spam and ham
> >messages ?
>
> It will keep learning.
>
> >That it is, is there any limit in the number of spam and ham messages
> >learned by the Bayes database ?
>
> Yes, read man Mail::SpamAssassin::Conf if you want to try to change it.
>
> >If there is no limit, will my database continuously increase its size until
> >I run out of disk space ?
>
> No it won't, as long as the expiry process can successfully run now and
> again. The expiry pushes old tokens out of the bayes database if it's over
> the size limits.
>
> If you're using an older version of MailScanner on a busy server, you may
> need to run sa-learn --force-expire in your crontab. Newer versions of
> MailScanner manage bayes expiry automatically.
>
> (SA will try to "opportunistically" run expiry as it scans mail, but on a
> busy server, with multiple MailScanner children, it's unlikely to be
> successful, as it can only succeed in locking the bayes database when only
> one message is being SA'ed at the time it tries. Same rules of opportunism
> apply to autolearning. It only happens if it can be done without waiting
> for a lock.)
From mailing-oit at tttech.com Thu Feb 5 18:03:49 2004
From: mailing-oit at tttech.com (Christoph Resch)
Date: Thu Jan 12 21:22:20 2006
Subject: New installation -- and problems i never had
In-Reply-To: <1202.81.86.182.54.1075919495.squirrel@mail.solid-state-logic.com>
References: <200402041604.02066.mailing-oit@tttech.com> <200402041704.38202.mailing-oit@tttech.com> <1202.81.86.182.54.1075919495.squirrel@mail.solid-state-logic.com>
Message-ID: <200402051903.50240.mailing-oit@tttech.com>

hi martin ,

thanks for support and this mail is just for the ML and for information ..

i know installed mailscanner from latest debian unstable package ..

but i think the problem was, that Mailscanner handled the mails funny ...

mails sent from the commandline to local users have no additional spam-reports .. everything that goes through SMTP does ..

just interesting

From DARYL at MONM.EDU Thu Feb 5 18:22:17 2004
From: DARYL at MONM.EDU (Carr, Daryl B.)
Date: Thu Jan 12 21:22:20 2006
Subject: How to scan mail going out?
Message-ID: <995C465EA5BB0D42A493986D8D2E075089D9@ntmail2.monm.edu>

Hello,

We have just set up MailScanner 4.25-10 on a Redhat Linux 9 machine. We are using Sendmail 8.12.8 and Perl 5.8.0. Currently, the flow of messages is like this:

all SMTP traffic incoming to ourdomain.com -> firewall(with rule) -> MailScanner -> Exchange 2003 server (ip: 10.10.1.2)

To make the last step happen (MailScanner->Exchange 2003), we added a line to /etc/mail/mailertable like this:

ourdomain.com smtp:[10.10.1.2]

So that flow works perfectly. But now we would like to add the outgoing traffic to the mix. The Exchange 2003 server is delivering directly and not going through MailScanner. We would like mail to travel:

Exchange 2003 Server (all messages from @ourdomain.com) -> MailScanner -> Recipient

We have used telnet to drop messages off to the MailScanner machine and they are delivered through the firewall just fine. But when we tell the exchange 2003 server to deliver the messages to the MailScanner, they do not get delivered although we can tell that they are getting pushed off to the MailScanner machine. We had also added a line to the relay-domains file for ourdomain.com.

Thanks for any help!

From ugob at CAMO-ROUTE.COM Thu Feb 5 18:26:09 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:20 2006
Subject: How to scan mail going out?
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108BA@mtlnt501fs.CAMOROUTE.COM>

-----Original Message-----
From: Carr, Daryl B. [mailto:DARYL@MONM.EDU]
Sent: Thursday, February 05, 2004 1:22 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: How to scan mail going out?

Hello,

We have just set up MailScanner 4.25-10 on a Redhat Linux 9 machine. We are using Sendmail 8.12.8 and Perl 5.8.0. Currently, the flow of messages is like this:

all SMTP traffic incoming to ourdomain.com -> firewall(with rule) -> MailScanner -> Exchange 2003 server (ip: 10.10.1.2)

To make the last step happen (MailScanner->Exchange 2003), we added a line to /etc/mail/mailertable like this:

ourdomain.com smtp:[10.10.1.2]

So that flow works perfectly. But now we would like to add the outgoing traffic to the mix. The Exchange 2003 server is delivering directly and not going through MailScanner. We would like mail to travel:

Exchange 2003 Server (all messages from @ourdomain.com) -> MailScanner -> Recipient

We have used telnet to drop messages off to the MailScanner machine and they are delivered through the firewall just fine. But when we tell the exchange 2003 server to deliver the messages to the MailScanner, they do not get delivered although we can tell that they are getting pushed off to the MailScanner machine. We had also added a line to the relay-domains file for ourdomain.com.

[Ugo Bellavance] You must put the IP address of your exchange server in /etc/mail/access like this

192.168.x.x RELAY

Thanks for any help!

[Ugo Bellavance] No prob. Please don't use HTML on mailing lists

From Kevin_Miller at CI.JUNEAU.AK.US Thu Feb 5 18:31:44 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:20 2006
Subject: How to scan mail going out?
Message-ID: <08146035CA49D6119A36009027AC822A0264EDC3@CITY-EXCH-NTS>

I think what you need to do is to put this line in your /etc/mail/access file:

192.168.8.33 RELAY
ourdomain.com RELAY
...

Be sure to run the makemap command after you edit /etc/mail/access to rebuild the database, and of course, use your own IP addresses for your hosts or subnet ranges rather than the sample one above. Be sure to use tabs rather than spaces in the entries.

HTH...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Administrator, Mail Administrator
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907) 586-4500

From jaearick at COLBY.EDU Thu Feb 5 18:32:29 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:20 2006
Subject: force-expire broke bayes? [Re: Bayes database size.]
In-Reply-To: <20040205180100.GB7760@rfa.org>
References: <200402051440.24833.carles@unlimitedmail.org> <6.0.0.22.0.20040205111514.025f3fd0@xanadu.evi-inc.com> <20040205180100.GB7760@rfa.org>
Message-ID:

Are you running 4.26.8, maybe with Julian's patch to SA.pm from a couple of days ago? If so, then you *do not* want to do force-expire via a cron job. MS handles this internally in 4.26.8.

Jeff Earickson

From mspieth at NEOD.NET Thu Feb 5 18:32:40 2004
From: mspieth at NEOD.NET (Mark Spieth)
Date: Thu Jan 12 21:22:20 2006
Subject: How to scan mail going out?
Message-ID:

2 parts here.

1. On the Redhat Box setup in /etc/mail/access a relay entry so that the exchange server can relay mail via your redhat box. E.g.

10.10.1.2 relay

2. Then on your exchange server open your exchange manager.

Open Servers->servername->protocols->smtp->default smtp Virtual Server

Right click on the default smtp server and choose properties. Then go to the delivery tab and click advanced. Put the IP address of your redhat box in the Smart Host section and restart the smtp service. All outbound email will then route through the redhat box rather than having the exchange server attempt to deliver it directly. Also make sure that the attempt direct delivery box is unchecked.

Mark

Mark Spieth - Director of Internet Services
Northeast Ohio Digital Inc.
http://www.neod.net
mspieth@neod.net
330-830-6551

CONFIDENTIALITY NOTICE: The materials attached hereto are confidential and the property of the sender. The information contained in the attached materials is privileged and/or confidential and is intended only for the use of the above-named individual(s) or entity(ies). If you are not the intended recipient, be advised that any unauthorized disclosure, copying, distribution or the taking of any action in reliance on the contents of the attached information is strictly prohibited. If you have received this transmission in error, please discard the information immediately

From taz at AZTEK-ENG.COM Thu Feb 5 18:48:58 2004
From: taz at AZTEK-ENG.COM (Travis Zadikem)
Date: Thu Jan 12 21:22:20 2006
Subject: sendmail error after trying to start mailscanner
Message-ID: <000001c3ec18$b6ff22d0$e90200bf@tazpc>

Quick question on a Mandrake 9.1 install. I have downloaded the rpm of MailScanner 4.26.8-1 and after stopping sendmail and starting Mailscanner I was getting an error about the Module CIDR.pm. So, I installed that module. Now when I try to start MailScanner I get the following error (with sendmail stopped):

incoming sendmail: sendmail:

invalid option -- O
sendmail: fatal: usage: sendmail [options]

where can I fix this problem at.

Thanks

From dustin.baer at IHS.COM Thu Feb 5 18:46:01 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:20 2006
Subject: f-prot update
References: <8BD06A60242B4341B8919A4AC958C1D01816D1@busted.dandd.com>
Message-ID: <40228F69.8F35276B@ihs.com>

"Vicchiullo, Rob" wrote:
>
> I'm on Solaris, no printenv

/usr/ucb/printenv ?

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From raymond at PROLOCATION.NET Thu Feb 5 18:58:02 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:20 2006
Subject: sendmail error after trying to start mailscanner
In-Reply-To: <000001c3ec18$b6ff22d0$e90200bf@tazpc>
Message-ID:

Hi!

> installed that module. Now when I try to start MailScanner I get the
> following error (with sendmail stopped): incoming sendmail: sendmail:
>
> invalid option -- O
> sendmail: fatal: usage: sendmail [options]
>
> where can I fix this problem at.

What version sendmail are you running ?

Bye,
Raymond.

From kevins at BMRB.CO.UK Thu Feb 5 19:00:22 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:20 2006
Subject: sendmail error after trying to start mailscanner
In-Reply-To: <000001c3ec18$b6ff22d0$e90200bf@tazpc>
References: <000001c3ec18$b6ff22d0$e90200bf@tazpc>
Message-ID: <1076007629.22416.16.camel@bach.kevinspicer.co.uk>

On Thu, 2004-02-05 at 18:48, Travis Zadikem wrote:
> Quick question on a Mandrake 9.1 install. I have downloaded the rpm of
> MailScanner 4.26.8-1 and after stopping sendmail and starting
> Mailscanner I was getting an error about the Module CIDR.pm. So, I
> installed that module. Now when I try to start MailScanner I get the
> following error (with sendmail stopped): incoming sendmail: sendmail:
>
> invalid option -- O
> sendmail: fatal: usage: sendmail [options]
>
> where can I fix this problem at.
>

Absurd as it sounds I think your problem is that you actually have postfix installed, not sendmail! The error message above is in the format postfix uses for reporting errors, sendmail looks different

Mandrake uses Debian's 'alternatives' system, which means that sendmail is a symlink to /etc/alternatives/mta - which in turn is a symlink to whichever mta you have installed. so either configure mailscanner/postfix to work together or, if you have already installed sendmail use the update-alternatives command to change the configuration.

If sendmail isn't installed...

rpm -e postfix
rpm -i sendmail

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited.
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From rzewnickie at RFA.ORG Thu Feb 5 19:01:14 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:20 2006
Subject: force-expire broke bayes? [Re: Bayes database size.]
In-Reply-To:
References: <200402051440.24833.carles@unlimitedmail.org> <6.0.0.22.0.20040205111514.025f3fd0@xanadu.evi-inc.com> <20040205180100.GB7760@rfa.org>
Message-ID: <20040205190114.GF7760@rfa.org>

No, I'm still on 4.25-14. It's a permissions problem. My crontab entry was in root's crontab. This apparently worked fine for --rebuild, but adding --force-expire caused the ownership of bayes_toks to change to root.root from postfix.postfix. As soon as I did chown postfix.postfix bayes_toks things started working again.

-Eric Rz.

On Thu, Feb 05, 2004 at 01:32:29PM -0500, Jeff A. Earickson wrote:
> Are you running 4.26.8, maybe with Julian's patch to SA.pm from
> a couple of days ago? If so, then you *do not* want to do force-expire
> via a cron job. MS handles this internally in 4.26.8.
>
> Jeff Earickson
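
The ownership drift reported in the message above (bayes_toks going from postfix.postfix to root.root after a root cron job), as an added example that is not part of the original thread: a POSIX shell check that can run after the maintenance job and flags any bayes_* file not owned by the expected account. The function name, the DRIFT output format and the directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Audits who owns the SpamAssassin Bayes
# files after a maintenance job (for example a root cron entry) has touched them.
# Assumptions: the caller supplies the Bayes directory and the expected
# owner/group; "bayes_owner_drift" and the DRIFT line format are made up here.
#
# Typical call (hypothetical path): bayes_owner_drift /path/to/bayes postfix postfix

# bayes_owner_drift DIR OWNER [GROUP]
#   prints one DRIFT line per bayes_* file with the wrong owner (or group)
#   returns 0 = every bayes_* file matches, 1 = drift found, 2 = cannot audit
bayes_owner_drift() {
    bod_dir=$1
    bod_owner=$2
    bod_group=${3:-}

    if [ -z "$bod_dir" ] || [ -z "$bod_owner" ]; then
        echo "usage: bayes_owner_drift DIR OWNER [GROUP]" >&2
        return 2
    fi
    if [ ! -d "$bod_dir" ]; then
        echo "bayes_owner_drift: no such directory: $bod_dir" >&2
        return 2
    fi

    # An empty result means there is nothing to audit, which is itself worth
    # reporting (wrong directory, or the database was never created).
    bod_all=$(find "$bod_dir" -type f -name 'bayes_*' -print) || return 2
    if [ -z "$bod_all" ]; then
        echo "bayes_owner_drift: no bayes_* files under $bod_dir" >&2
        return 2
    fi

    # find exits non-zero when OWNER or GROUP is not a known account; treat
    # that as "cannot audit" instead of silently reporting a clean result.
    if [ -n "$bod_group" ]; then
        bod_bad=$(find "$bod_dir" -type f -name 'bayes_*' \
            \( ! -user "$bod_owner" -o ! -group "$bod_group" \) -print) || return 2
    else
        bod_bad=$(find "$bod_dir" -type f -name 'bayes_*' \
            ! -user "$bod_owner" -print) || return 2
    fi

    if [ -z "$bod_bad" ]; then
        return 0
    fi

    # Report the actual owner:group next to the expected one.
    printf '%s\n' "$bod_bad" | while IFS= read -r bod_f; do
        bod_actual=$(ls -ld "$bod_f" | awk '{ print $3 ":" $4 }')
        printf 'DRIFT %s is %s, expected %s%s\n' \
            "$bod_f" "$bod_actual" "$bod_owner" "${bod_group:+:$bod_group}"
    done
    return 1
}
```

Running the check as the last step of the cron job turns a silent loss of Bayes scoring into a non-zero exit status that cron can mail to the administrator.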
From jfraley at glenraven.com Thu Feb 5 19:42:25 2004
From: jfraley at glenraven.com (Jon Fraley)
Date: Thu Jan 12 21:22:20 2006
Subject: not scan local mail
Message-ID: <1076010144.2141.13.camel@jfraleyx.glenraven.com>

How can I tell MailScanner not to scan messages that originate from the server that MailScanner is running.

Jon

From hermit921 at YAHOO.COM Thu Feb 5 19:49:12 2004
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:22:20 2006
Subject: untagged messages
In-Reply-To: <40226B28.5020904@pa.net>
References: <6.0.0.22.2.20040204104406.01e4a2b8@pop.mail.yahoo.com> <40226B28.5020904@pa.net>
Message-ID: <6.0.0.22.2.20040205114428.01fcfb38@pop.mail.yahoo.com>

At 08:11 AM 2/5/2004, Leland J. Steinke wrote:
>hermit921 wrote:
>>I am still trying to figure out why some messages don't get tagged by
>>MailScanner 4-23, postfix 2. Every email should get tagged with at least
>>one MailScanner header, but some don't.
>>
>>I came up with an idea. Is this feasible:
>>Spammer sets up his client to use our mail server as his smtp
>>gateway. Should work for any message addressed to a user in our domain,
>>but he can't send mail outside. So spammer addresses a message to
>>usera@mydomain, with CC or BCC to userb, userc, userd, etc. Now I get
>>fuzzy....
>>
>>One message appears here, postfix dumps it in the hold queue. Postfix
>>splits it up at the same time, so only the original message gets the
>>MailScanner headers. Since I can't track the original, I can't verify the
>>presence of headers.
>>
>>Am I way off?
>
>As I recall, the cleanup daemon is what puts the arriving message into the
>hold queue, but it is downstream where the qmgr daemon that actually splits
>the message up for different destinations via the trivial-rewrite daemon.
>See http://www.postfix.org/big-picture.html.
>
>I saw one of these untagged messages this morning. I was able to track it
>through our logs where it did, in fact, get a SA score of 9.7, but there
>were no MS headers in the message at all. This was in the headers that did
>make it through:
>
>Message-ID:
>We are researching to see if this would make postfix, MailScanner, or
>SpamAssassin choke. Other than the Message-ID, we saw nothing structurally
>pathological with this message. Did your untagged message have a similar
>header?
>
>
>Leland

Here is an example with headers and body, with a few changes to protect my names and IP addresses.

>Received: from mail3.me.com (mail3.me.com [a.b.c.d])
> by mail.me.com (AIX4.3/8.9.3/8.9.3) with ESMTP id BAA97118
> for ; Wed, 4 Feb 2004 01:37:42 -0800
>Received: from 66.148.68.10 (server10.enter7.com [66.148.68.10])
> by mail3.me.com (Postfix) with SMTP id 7AC0B124003
> for ; Wed, 4 Feb 2004 01:37:35 -0800 (PST)
>Date: Wed, 04 Feb 2004 04:37:38 -0500
>From: "Norris Message-Id: <20040204093735.7AC0B124003@mail3.me.com>
>To: undisclosed-recipients:;
>X-UIDL: >-9"!NO+!!Gmf"!$TC!!
>
>
>nurtoplpn@enter7.com

hermit921

From mailscanner at ecs.soton.ac.uk Thu Feb 5 20:00:37 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:20 2006
Subject: f-prot update
In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01816D1@busted.dandd.com>
References: <8BD06A60242B4341B8919A4AC958C1D01816D1@busted.dandd.com>
Message-ID: <6.0.1.1.2.20040205195959.03cdb410@imap.ecs.soton.ac.uk>

At 17:07 05/02/2004, you wrote:
>I'm on Solaris, no printenv

It's not OS-dependent, it's shell-dependent. Please learn how to use your shell :-) Try "env" instead.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 5 19:56:15 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner RPM dependencies
In-Reply-To: <1075993782.1528.86.camel@subsub.caederus.com>
References: <1075993782.1528.86.camel@subsub.caederus.com>
Message-ID: <6.0.1.1.2.20040205195523.05c1be68@imap.ecs.soton.ac.uk>

At 15:09 05/02/2004, you wrote:
>Hi,
>
>I've noticed that the MailScanner specfile does not actually list
>dependencies on all the RPMs it needs to run. This means it is hard to
>get working with tools like apt and yum when all the RPMs are provided
>by a repository (also the tnef was not picked up even though it is listed
>as a requires). Was this intentional?

Yes. You might well have installed the Perl modules through something other
than RPM (CPAN for example). Having all the dependencies caused a lot of
problems.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 5 19:44:54 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:20 2006
Subject: Maximum Notifications Limit
In-Reply-To: <1075946947.31331.89.camel@mail.dcresearch.com>
References: <1075946947.31331.89.camel@mail.dcresearch.com>
Message-ID: <6.0.1.1.2.20040205194417.05dbeec0@imap.ecs.soton.ac.uk>

By default, new or upgraded installations don't notify senders.
Notifying senders is now a bad idea and shouldn't be done.

At 02:09 05/02/2004, you wrote:
>There should be a maximum number of virus infection notifications sent
>per day value. After so many infection bounce notifications, the system
>should stop sending them. Otherwise our messages that alert "senders"
>that they have sent a virus infected message could bring the Internet
>to its knees. Typically, I register a new virus as "silent" in the
>configurations right away. Here's an interesting article on the
>subject.
>
>http://www.raeinternet.com/newsletter/interview_skulason_092303.html
>
>
>--
>Joe Baker
>Digital Communications Research, Inc.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 5 19:46:49 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:20 2006
Subject: upgrade_MailScanner_conf help text inconsistency
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040205194641.05d0ec88@imap.ecs.soton.ac.uk>

Well spotted. Fixed.

At 07:26 05/02/2004, you wrote:
>When you run upgrade_mailscanner_conf with no arguments, it suggests
>running it with the command
>| upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew >
>MailScanner.new
>
>When you then do so, at the end it says
>
>| If you ran this with a command like this
>| upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew >
>MailScanner.conf.new
>| then you should do
>| diff MailScanner.conf.rpmnew MailScanner.conf.new
>| and check for any differences in values you have not changed yourself.
>
>Note that the suggested filename has changed from MailScanner.new to
>MailScanner.conf.new
>
>Not a big deal - I'm sure all but the most clueless of admins will work
>it out for themselves - but it would be nice to be consistent just so
>that copying and pasting the suggested commands unchanged will work!
>Or better still, make the suggestion use the arguments actually passed.
>
>John.
>
>--
>-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
>-- Translate your technical documents and web pages - www.tradoc.fr

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 5 19:51:25 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:20 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040205195036.0376b438@imap.ecs.soton.ac.uk>

At 14:19 05/02/2004, you wrote:
>Ok it seems to be working. I'm confused by the scheduling though. I
>set the rebuild to 300 secs last night so I could check adequately but
>it never ran a rebuild every 5 mins. Before anyone asks why 5 mins,
>this was only to "test" the code.
>
>Anyway, this morning I checked the logs and the rebuild did occur. But
>it looks like it just ran twice 5mins apart after the 4hr Mailscanner
>restart time. Is this correct?

Yes. It's intended that Rebuild Every > Restart Every and the timing is
only approximate anyway. It gets done at the start of a new child process
after the timeout has occurred.

>Feb 5 03:16:37 eeyore MailScanner[2023]: Bayes database rebuild is due
>Feb 5 03:16:38 eeyore MailScanner[2023]: SpamAssassin Bayes database
>rebuild preparing
>Feb 5 03:16:43 eeyore MailScanner[2023]: SpamAssassin Bayes database
>rebuild starting
>Feb 5 03:22:09 eeyore MailScanner[2658]: Bayes database rebuild is due
>Feb 5 03:22:11 eeyore MailScanner[2658]: SpamAssassin Bayes database
>rebuild preparing
>Feb 5 03:22:25 eeyore MailScanner[2658]: SpamAssassin Bayes database
>rebuild starting
>Feb 5 07:17:47 eeyore MailScanner[18646]: Bayes database rebuild is due
>Feb 5 07:17:48 eeyore MailScanner[18646]: SpamAssassin Bayes database
>rebuild preparing
>Feb 5 07:18:22 eeyore MailScanner[18646]: SpamAssassin Bayes database
>rebuild starting
>Feb 5 07:23:02 eeyore MailScanner[19177]: Bayes database rebuild is due
>Feb 5 07:23:03 eeyore MailScanner[19177]: SpamAssassin Bayes database
>rebuild preparing
>Feb 5 07:23:09 eeyore MailScanner[19177]: SpamAssassin Bayes database
>rebuild starting
>
>
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Sent: Wednesday, February 04, 2004 4:41 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Fix for bayes rebuild bug on Solaris
>
>At 18:05 02/02/2004, you wrote:
> >At 17:57 02/02/2004, you wrote:
> >>Gee...
> >>
> >>FWIW, it happened a couple of centuries ago, but I recall having
> >>serious trouble making Perl's flock() work on Solaris... same
> >>situation, all development done under linux without a hitch and
> >>Solaris ignored all the locking... and it wasn't an interoperability
> >>problem, since I was competing against my own script...
> >>
> >>The point is I don't quite remember what we did to solve it (we is an
> >>understatement, since it wasn't me programming, I was just the
> >>designer)... it must have been perl 5.6.x and Solaris 7, but I'm not
> >>sure either...
> >>
> >>Seems like you'll need a Solaris box to test it thoroughly... I
> >>wouldn't even trust Solaris-x86 to behave identically to Solaris-Sparc
>
> >>:-(
> >
> >I've got an Ultra-5 so I can do a real test. If necessary, I can build
> >a
> >Solaris-x86 box too. But as you say, the best place to try it is a real
>sparc.
>
>I have found the problem. Attached is a very short patch to SA.pm. This
>should let you enable the "Rebuild Bayes Every" feature that does
>scheduled Bayes database rebuilds.
>
>If you turn this feature on in MailScanner.conf, you will want to set
> bayes_auto_expire 0
>in your spam.assassin.prefs.conf to disable the (unsuccessful) attempts
>at letting SpamAssassin rebuild its Bayes database when it feels like
>it.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dustin.baer at IHS.COM Thu Feb 5 20:56:08 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:20 2006
Subject: not scan local mail
References: <1076010144.2141.13.camel@jfraleyx.glenraven.com>
Message-ID: <4022ADE8.A0861F4D@ihs.com>

Jon Fraley wrote:
>
> How can I tell MailScanner not to scan messages that originate from the
> server that MailScanner is running.
>
> Jon

Hi Jon,

Which scan? Spam scanning, or virus scanning?

Do the README, or EXAMPLES files in MailScanner/etc/rules help you?

Basically, just create a rule for your server.

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From taz at AZTEK-ENG.COM Thu Feb 5 21:03:34 2004
From: taz at AZTEK-ENG.COM (Travis)
Date: Thu Jan 12 21:22:20 2006
Subject: sendmail error after trying to start mailscanner
References:
Message-ID: <013d01c3ec2b$87bcc4b0$e90200bf@tazpc>

Sendmail version 8.12.9. Removed postfix package and now this error goes
away. But now, the mail is just sitting in mqueue

----- Original Message -----
From: "Raymond Dijkxhoorn"
To:
Sent: Thursday, February 05, 2004 11:58 AM
Subject: Re: sendmail error after trying to start mailscanner

> Hi!
>
> > installed that module. Now when I try to start MailScanner I get the
> > following error (with sendmail stopped): incoming sendmail: sendmail:
> >
> > invalid option -- O
> > sendmail: fatal: usage: sendmail [options]
> >
> > where can I fix this problem at.
>
> What version sendmail are you running ?
>
> Bye,
> Raymond.

From steinkel at PA.NET Thu Feb 5 21:40:34 2004
From: steinkel at PA.NET (Leland J. Steinke)
Date: Thu Jan 12 21:22:20 2006
Subject: untagged messages
References: <6.0.0.22.2.20040204104406.01e4a2b8@pop.mail.yahoo.com> <40226B28.5020904@pa.net> <6.0.0.22.2.20040205114428.01fcfb38@pop.mail.yahoo.com>
Message-ID: <4022B852.2070901@pa.net>

hermit921 wrote:
>
> Here is an example with headers and body, with a few changes to protect my
> names and IP addresses.
>
>> Received: from mail3.me.com (mail3.me.com [a.b.c.d])
>> by mail.me.com (AIX4.3/8.9.3/8.9.3) with ESMTP id BAA97118
>> for ; Wed, 4 Feb 2004 01:37:42 -0800
>> Received: from 66.148.68.10 (server10.enter7.com [66.148.68.10])
>> by mail3.me.com (Postfix) with SMTP id 7AC0B124003
>> for ; Wed, 4 Feb 2004 01:37:35 -0800 (PST)
>> Date: Wed, 04 Feb 2004 04:37:38 -0500
>> From: "Norris
>> Message-Id: <20040204093735.7AC0B124003@mail3.me.com>
>> To: undisclosed-recipients:;
>> X-UIDL: >-9"!NO+!!Gmf"!$TC!!
>>
>>
>> nurtoplpn@enter7.com
>

Here is the complete message as quarantined on our MS server:

==8<===8<===
Received: from CM-vina1-134-59.cm.vtr.net (CM-vina1-134-59.cm.vtr.net [200.104.134.59])
 by mx05.pa.net (Postfix) with SMTP id 6A140111526
 for ; Wed, 4 Feb 2004 17:41:35 -0500 (EST)
Received: from 183.240.155.128 by 200.104.134.59; Wed, 04 Feb 2004 21:38:34 -0100
Message-ID: Delivered-To: steinkel@pa.net
Received: from [local delivery stuff irrelevant to the discussion]
Received: from CM-vina1-134-59.cm.vtr.net (CM-vina1-134-59.cm.vtr.net [200.104.134.59])
 by mx05.pa.net (Postfix) with SMTP id 6A140111526
 for ; Wed, 4 Feb 2004 17:41:35 -0500 (EST)
Received: from 183.240.155.128 by 200.104.134.59; Wed, 04 Feb 2004 21:38:34 -0100
Message-ID: <6.0.0.22.2.20040204104406.01e4a2b8@pop.mail.yahoo.com> <40226B28.5020904@pa.net> <6.0.0.22.2.20040205114428.01fcfb38@pop.mail.yahoo.com> <4022B852.2070901@pa.net>
Message-ID: <4022BFD3.9080303@pa.net>

Leland J. Steinke wrote:
> hermit921 wrote:
>
>>
>> Here is an example with headers and body, with a few changes to
>> protect my
>> names and IP addresses.

well, I shoved my original message through the mailscanner gauntlet again
and here is what happened.

The envelope sender was replicated as the (originally null) message body
and the MS headers were nowhere to be seen. I do not believe that this is
a postfix issue, since I "netcat"ted the message to our smtp delivery
server (also running postfix) directly and the message came through with no
message body added.

We are running 4.25-14. If MailScanner were written in C, I would suspect
pointer arithmetic gone awry. Must... test... more... tomorrow...

Leland

From bpumphrey at WOODMACLAW.COM Thu Feb 5 22:29:52 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:20 2006
Subject: Mail pending 754
Message-ID:

On my stats it says "Mail pending 754"
Is this a big number?
I use mailstats and that's what it shows.

More:

Mail Analysis
General Mail Statistics

Data since December 23 2003 13:42:20 - Data up to February 5 2004 17:20:02 EST (44.2 days)

Total messages handled         87,995
Messages rejected              187
Total data handled             1.09G bytes
Spam received                  42,062
Messages handled successfully  87,808
Rejection rate                 0.21%
Average message size           13K bytes
Blocked IPs                    0
Average messages per day       1,995
Viruses detected               2,088
Rejected in last 5 mins        0
Spam rate                      47.90%
Messages in last 5 mins        25
Infection rate                 2.38%
Mail pending                   754
AV Updated                     Feb 5 17:01:03

From lee at SJU.EDU Thu Feb 5 22:43:10 2004
From: lee at SJU.EDU (Stephen Lee)
Date: Thu Jan 12 21:22:20 2006
Subject: virus detected but still delivered
Message-ID: <4022C6FE.C2AEBD8A@sju.edu>

Hello,

MailScanner-4.25-14
Mail-SpamAssassin-2.63
Solaris 9
McAfee engine 4.3.20 and DAT 4322

McAfee stopped running some time ago for me. My file extension rules
were keeping out so many viruses I never realized it stopped until
today. I got it running again but still have a problem. Below is a log
snippet that shows the virus in this batch of three messages being
detected but still delivered. What configuration setting did I screw
up?

Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Found 408 messages waiting
Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Scanning 3 messages, 49642 bytes
Feb 5 17:27:38 mailhost MailScanner[9732]: Spam Checks: Starting
Feb 5 17:27:38 mailhost MailScanner[9732]: RBL checks: i15MGrbt004289 found in spamhaus.org
Feb 5 17:27:40 mailhost MailScanner[9732]: Message i15MGrbt004289 from 64.253.207.198 (6-5567031-sju.edu?jh127389@stderr.emarketmachine2.com) to sju.edu is spam, spamhaus.org, SpamAssassin (score=6.7, required 6, BAYES_80 2.86, BigEvilList_159 3.00, CLICK_BELOW 0.00, HTML_50_60 0.10, HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_FACE_ODD 0.32, HTML_IMAGE_RATIO_06 0.23, HTML_WEB_BUGS 0.10)
Feb 5 17:27:41 mailhost MailScanner[9732]: RBL checks: i15MEDbd001213 found in spamhaus.org
Feb 5 17:27:43 mailhost MailScanner[9732]: Message i15MEDbd001213 from 69.56.42.89 (bounce-rllrwsssgvrewz@jaadvjjjc.planetaryorbitz.com) to sju.edu is spam, spamhaus.org, SpamAssassin (score=8, required 6, BANG_MONEY 1.72, BAYES_60 1.10, BigEvilList_49 3.00, CLICK_BELOW_CAPS 0.50, HTML_60_70 0.10, HTML_FONT_BIG 0.22, HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_COLOR_RED 0.10, HTML_FONT_COLOR_UNSAFE 0.10, HTML_IMAGE_RATIO_06 0.23, HTML_LINK_CLICK_HERE 0.10, MAILTO_TO_SPAM_ADDR 0.68)
Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Checks: Found 2 spam messages
Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message i15MGrbt004289 actions are striphtml,deliver
Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message i15MEDbd001213 actions are striphtml,deliver
Feb 5 17:27:44 mailhost MailScanner[9732]: Virus and Content Scanning: Starting
Feb 5 17:27:46 mailhost MailScanner[9732]: /datavol15/incoming/9732/i15MM5bV010213/readme.zip2 Found the W32/Mydoom.a@MM virus !!!
Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: McAfee found 1 infections
Feb 5 17:27:46 mailhost MailScanner[9732]: Infected message datavol15 came from
Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: Found 1 viruses
Feb 5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and will convert HTML message to plain text in i15MGrbt004289
Feb 5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and will convert HTML message to plain text in i15MEDbd001213
Feb 5 17:27:46 mailhost MailScanner[9732]: Uninfected: Delivered 3 messages

Regards,
Steve
--
Stephen J. Lee                    Saint Joseph's University
Senior Systems Administrator      5600 City Avenue
Networking & Telecommunications   Philadelphia, PA 19131-1395
E-mail: lee@sju.edu               Voice: (610) 660-1679
                                  Fax: (610) 660-1573

From mike at CAMAROSS.NET Thu Feb 5 22:58:16 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:20 2006
Subject: Mail pending 754
In-Reply-To:
Message-ID: <200402052256.i15MuTD7028802@avwall.bladeware.com>

Run 'mailq' and see what the output is. It should tell you what's pending
AND why.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Billy A. Pumphrey
Sent: Thursday, February 05, 2004 4:30 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Mail pending 754

On my stats it says "Mail pending 754"
Is this a big number?
I use mailstats and that's what it shows.

More:

Mail Analysis
General Mail Statistics

Data since December 23 2003 13:42:20 - Data up to February 5 2004 17:20:02 EST (44.2 days)

Total messages handled         87,995
Messages rejected              187
Total data handled             1.09G bytes
Spam received                  42,062
Messages handled successfully  87,808
Rejection rate                 0.21%
Average message size           13K bytes
Blocked IPs                    0
Average messages per day       1,995
Viruses detected               2,088
Rejected in last 5 mins        0
Spam rate                      47.90%
Messages in last 5 mins        25
Infection rate                 2.38%
Mail pending                   754
AV Updated                     Feb 5 17:01:03

From hermit921 at YAHOO.COM Thu Feb 5 23:02:34 2004
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:22:20 2006
Subject: untagged messages
Message-ID: <6.0.0.22.2.20040205150117.01b439d0@popserv.ucop.edu>

At 01:40 PM 2/5/2004, Leland J. Steinke wrote:
>hermit921 wrote:
>>
>>Here is an example with headers and body, with a few changes to protect my
>>names and IP addresses.
>>
>>>Received: from mail3.me.com (mail3.me.com [a.b.c.d])
>>> by mail.me.com (AIX4.3/8.9.3/8.9.3) with ESMTP id BAA97118
>>> for ; Wed, 4 Feb 2004 01:37:42 -0800
>>>Received: from 66.148.68.10 (server10.enter7.com [66.148.68.10])
>>> by mail3.me.com (Postfix) with SMTP id 7AC0B124003
>>> for ; Wed, 4 Feb 2004 01:37:35 -0800 (PST)
>>>Date: Wed, 04 Feb 2004 04:37:38 -0500
>>>From: "Norris
>>>Message-Id: <20040204093735.7AC0B124003@mail3.me.com>
>>>To: undisclosed-recipients:;
>>>X-UIDL: >-9"!NO+!!Gmf"!$TC!!
>>>
>>>
>>>nurtoplpn@enter7.com
>
>Here is the complete message as quarantined on our MS server:
>
>==8<===8<===
>Received: from CM-vina1-134-59.cm.vtr.net (CM-vina1-134-59.cm.vtr.net
>[200.104.134.59])
> by mx05.pa.net (Postfix) with SMTP id 6A140111526
> for ; Wed, 4 Feb 2004 17:41:35 -0500 (EST)
>Received: from 183.240.155.128 by 200.104.134.59; Wed, 04 Feb 2004 21:38:34
>-0100
>Message-ID:
>Date: Wed, 4 Feb 2004 17:41:35 -0500 (EST)
>From: Russell_Omari053@yahoo.com
>To: undisclosed-recipients:;
>==8<===8<===
>
>What I downloaded is as follows:
>
>==8<===8<===
> From - Wed Feb 4 17:42:24 2004
>X-Mozilla-Status2: 00000000
>Return-Path:
>Delivered-To: steinkel@pa.net
>Received: from [local delivery stuff irrelevant to the discussion]
>Received: from CM-vina1-134-59.cm.vtr.net (CM-vina1-134-59.cm.vtr.net
>[200.104.134.59])
> by mx05.pa.net (Postfix) with SMTP id 6A140111526
> for ; Wed, 4 Feb 2004 17:41:35 -0500 (EST)
>Received: from 183.240.155.128 by 200.104.134.59; Wed, 04 Feb 2004 21:38:34
>-0100
>Message-ID:
>Date: Wed, 4 Feb 2004 17:41:35 -0500 (EST)
>From: Russell_Omari053@yahoo.com
>To: undisclosed-recipients: ;
>
>
>Russell_Omari053@yahoo.com
>==8<===8<===
>
>I notice that your From: header has an unmatched "<". Coincidence? I just
>hand-jammed a message over port 25 with a Message-ID similar to the one I
>received but all MS headers came through on the delivered message.
>
>Still a mystery.
>
>Leland

Good catch. I checked the other message given me yesterday and it is
missing the same >. But then I noticed it is inside the "" prepended to
@enter7.com. Doesn't that make it some normal character and not a
delimiter? I can't see this From field in the maillog, so I can't tell how
often it happens.

>well, I shoved my original message through the mailscanner gauntlet again
>and here is what happened.
>
>The envelope sender was replicated as the (originally null) message body
>and the MS headers were nowhere to be seen. I do not believe that this is
>a postfix issue, since I "netcat"ted the message to our smtp delivery
>server (also running postfix) directly and the message came through with no
>message body added.
>
>We are running 4.25-14. If MailScanner were written in C, I would suspect
>pointer arithmetic gone awry. Must... test... more... tomorrow...
>
>Leland

I am glad you can replicate this problem of missing MS headers. My mail
knowledge is insufficient for such things.

hermit921

From kevin at KEVINSPICER.CO.UK Thu Feb 5 23:16:50 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:21 2006
Subject: MailScanner-MRTG version 0.08.01 released
Message-ID: <1076023010.22569.49.camel@bach.kevinspicer.co.uk>

I'm pleased to announce that the latest version of MailScanner-MRTG is
now available from http://mailscannermrtg.sourceforge.net

This release corrects all known bugs and adds a few minor features. It
is an essential upgrade for most users of the 0.07 series (particularly
anyone using net-snmp, or running on Solaris or FreeBSD, or who uses
perl-5.005)

Users of older versions may also wish to upgrade to benefit from the extra
graphs and performance enhancements introduced at 0.07.

Please report all issues using the forums on the sourceforge site.

Regards
Kevin

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard.
My public key may be obtained from http://www.keyserver.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/f6ff7203/attachment.bin

From pete at eatathome.com.au Fri Feb 6 00:29:00 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:21 2006
Subject: X_MS_has_attach
Message-ID: <4022DFCC.60305@eatathome.com.au>

We are a Domino shop, we have MailScanner/postfix/sa filtering all inbound
mail. Very vanilla installation.

We have merged with a company who used Exchange. They are sending
messages from their site, from exchange, over the net, into MailScanner to
us.

Suddenly we have started seeing messages from this company only that have
the attachments icon in the client, to indicate that there is an
attachment, but there is NO sign of an attachment. All other messages from
people with attachments come through with no issue, or if they are noxious
we get the inline spam warning as per usual.

We have NO rules, just basic/default filename/type/warning settings in
MS.conf. The only messages with attachments to have the X_MS_has_attach
"yes" header are the ones from this new company, they have NO anti spam
tools at all.

There is no entry in the logs for these messages to have had an attachment
modified or anything.

Maybe there is a way to modify this header, but what are the implications
of this? Is this header generated by mailscanner, why?

We are in a situation where the new company (controlling) wants to force MS
Exchange onto us in place of Lotus Domino, so incompatibilities that seem
to be our fault work against us in a hideous way - please help me fend off
these marauding ms exchange loving heathens...for the love of Man, the
benefit of the world and all that we stand for - etc :)

From penguin at DHCP.NET Fri Feb 6 00:41:52 2004
From: penguin at DHCP.NET (A. Eijkhoudt)
Date: Thu Jan 12 21:22:21 2006
Subject: MailScanner-MRTG version 0.08.01 released
In-Reply-To: <1076023010.22569.49.camel@bach.kevinspicer.co.uk>
Message-ID: <003901c3ec4a$039669b0$0200a8c0@penguin>

Kevin Spicer wrote:
> I'm pleased to announce that the latest version of MailScanner-MRTG is
> now available from http://mailscannermrtg.sourceforge.net
> ...

I'll give the new version a go and let you know how it went. Thanks for the
heads-up,

Arnim.

--
This E-mail has been checked for spam and viruses.

From gdoris at ROGERS.COM Fri Feb 6 01:29:35 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:22:21 2006
Subject: Trend scanner log data missing
Message-ID: <1076030975.1991.17.camel@jaguar.dorfam.ca>

I am using three virus scanners...f-prot, clamav module, and trend.
They are happily finding virii and when they do I get the following
typical message:

The following e-mail messages were found to have viruses in them:

Sender: fedora-list-admin@redhat.com
IP Address: 127.0.0.1
Recipient: gerry@localhost
Subject: Test
MessageID: i15Ft8e4009530
Report: ClamAV Module: data.zip was infected: Worm.SCO.A
F-Prot: /var/spool/MailScanner/incoming/388/i15Ft8e4009530/data.zip->data.htm Infection: W32/Mydoom.A@mm
Trend: Found virus WORM_MYDOOM.A in file ./i15Ft8e4009530/data.zip

Notice that Trend has identified the virus in a separate line. However,
in /var/log/maillog everything is there except for the Trend data. The
log only contains a line that says "Trend found one infections".

Is there a way to get the Trend data into the mail log or is this part
of the trend scanning binary?

--
Gerry Doris

From mailscanner at ecs.soton.ac.uk Fri Feb 6 07:23:46 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:21 2006
Subject: virus detected but still delivered
In-Reply-To: <4022C6FE.C2AEBD8A@sju.edu>
References: <4022C6FE.C2AEBD8A@sju.edu>
Message-ID: <6.0.1.1.2.20040206072249.03b69930@imap.ecs.soton.ac.uk>

What do you have set as your incoming working dir (what was
/var/spool/MailScanner/incoming)?
You need to have the real absolute path to it in your MailScanner.conf,
i.e. /datavol15/incoming

At 22:43 05/02/2004, you wrote:
>Hello,
>
>MailScanner-4.25-14
>Mail-SpamAssassin-2.63
>Solaris 9
>McAfee engine 4.3.20 and DAT 4322
>
> McAfee stopped running some time ago for me. My file extension rules
>were keeping out so many viruses I never realized it stopped until
>today. I got it running again but still have a problem. Below is a log
>snippet that shows the virus in this batch of three messages being
>detected but still delivered. What configuration setting did I screw
>up?
>
>
>Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Found 408
>messages waiting
>Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Scanning 3
>messages, 49642 bytes
>Feb 5 17:27:38 mailhost MailScanner[9732]: Spam Checks: Starting
>Feb 5 17:27:38 mailhost MailScanner[9732]: RBL checks: i15MGrbt004289
>found in spamhaus.org
>Feb 5 17:27:40 mailhost MailScanner[9732]: Message i15MGrbt004289 from
>64.253.207.198 (6-5567031-sju.edu?jh127389@stderr.emarketmachine2.com)
>to sju.edu is spam, spamhaus.org, SpamAssassin (score=6.7, required 6,
>BAYES_80 2.86, BigEvilList_159 3.00, CLICK_BELOW 0.00, HTML_50_60 0.10,
>HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_FACE_ODD 0.32, HTML_IMAGE_RATIO_06
>0.23, HTML_WEB_BUGS 0.10)
>Feb 5 17:27:41 mailhost MailScanner[9732]: RBL checks: i15MEDbd001213
>found in spamhaus.org
>Feb 5 17:27:43 mailhost MailScanner[9732]: Message i15MEDbd001213 from
>69.56.42.89 (bounce-rllrwsssgvrewz@jaadvjjjc.planetaryorbitz.com) to
>sju.edu is spam, spamhaus.org, SpamAssassin (score=8, required 6,
>BANG_MONEY 1.72, BAYES_60 1.10, BigEvilList_49 3.00, CLICK_BELOW_CAPS
>0.50, HTML_60_70 0.10, HTML_FONT_BIG 0.22, HTML_FONT_COLOR_BLUE 0.10,
>HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_COLOR_RED 0.10,
>HTML_FONT_COLOR_UNSAFE 0.10, HTML_IMAGE_RATIO_06 0.23,
>HTML_LINK_CLICK_HERE 0.10, MAILTO_TO_SPAM_ADDR 0.68)
>Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Checks: Found 2 spam
>messages
>Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message
>i15MGrbt004289 actions are striphtml,deliver
>Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message
>i15MEDbd001213 actions are striphtml,deliver
>Feb 5 17:27:44 mailhost MailScanner[9732]: Virus and Content Scanning:
>Starting
>Feb 5 17:27:46 mailhost MailScanner[9732]:
>/datavol15/incoming/9732/i15MM5bV010213/readme.zip2 Found the
>W32/Mydoom.a@MM virus !!!
>Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: McAfee found
>1 infections
>Feb 5 17:27:46 mailhost MailScanner[9732]: Infected message datavol15
>came from
>Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: Found 1
>viruses
>Feb 5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and
>will convert HTML message to plain text in i15MGrbt004289
>Feb 5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and
>will convert HTML message to plain text in i15MEDbd001213
>Feb 5 17:27:46 mailhost MailScanner[9732]: Uninfected: Delivered 3
>messages
>
>Regards,
>Steve
>--
>Stephen J. Lee                    Saint Joseph's University
>Senior Systems Administrator      5600 City Avenue
>Networking & Telecommunications   Philadelphia, PA 19131-1395
>E-mail: lee@sju.edu               Voice: (610) 660-1679
>                                  Fax: (610) 660-1573

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Feb 6 07:22:12 2004
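[Added example, not part of any message in this archive and not MailScanner's own code.] The "virus detected but still delivered" log above shows the infected message identified as "datavol15", a component of the working directory path rather than a queue ID, and the whole batch delivered as uninfected. The sketch below flags batches with that signature in a maillog; the function name `audit`, the sample data name and the assumption that the scanner path has the form `<working dir>/<pid>/<queue id>/<file>` (inferred from the two paths shown in this archive) are the example's own.

```python
import re

# Batch 9732 reuses lines from the log posted in the thread (spam-check lines
# left out). Batch 9800 is constructed here to show a healthy run for
# contrast; its queue ID and the 192.0.2.10 address are made up.
SAMPLE_LOG = """\
Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Scanning 3 messages, 49642 bytes
Feb 5 17:27:44 mailhost MailScanner[9732]: Virus and Content Scanning: Starting
Feb 5 17:27:46 mailhost MailScanner[9732]: /datavol15/incoming/9732/i15MM5bV010213/readme.zip2 Found the W32/Mydoom.a@MM virus !!!
Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: McAfee found 1 infections
Feb 5 17:27:46 mailhost MailScanner[9732]: Infected message datavol15 came from
Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: Found 1 viruses
Feb 5 17:27:46 mailhost MailScanner[9732]: Uninfected: Delivered 3 messages
Feb 5 17:30:02 mailhost MailScanner[9800]: New Batch: Scanning 3 messages, 51200 bytes
Feb 5 17:30:05 mailhost MailScanner[9800]: /var/spool/MailScanner/incoming/9800/i15MTxbV010299/readme.zip Found the W32/Mydoom.a@MM virus !!!
Feb 5 17:30:05 mailhost MailScanner[9800]: Infected message i15MTxbV010299 came from 192.0.2.10
Feb 5 17:30:05 mailhost MailScanner[9800]: Virus Scanning: Found 1 viruses
Feb 5 17:30:06 mailhost MailScanner[9800]: Uninfected: Delivered 2 messages
"""

LINE_RE = re.compile(r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BATCH_RE = re.compile(r"^New Batch: Scanning (\d+) messages")
INFECTED_RE = re.compile(r"^Infected message (\S+) came from")
FOUND_RE = re.compile(r"^Virus Scanning: Found (\d+) viruses")
DELIVERED_RE = re.compile(r"^Uninfected: Delivered (\d+) messages")


def audit(log_text):
    """Return one finding per batch that reported a virus but looks mis-attributed."""
    batches = {}   # pid -> state of the batch that child is currently processing
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.search(raw)
        if not line:
            continue
        pid, msg = line.group("pid"), line.group("msg").strip()

        m = BATCH_RE.match(msg)
        if m:
            batches[pid] = {"size": int(m.group(1)), "viruses": 0,
                            "scanner_ids": set(), "logged_ids": set()}
            continue
        batch = batches.get(pid)
        if batch is None:
            continue  # batch start not seen; nothing to compare against

        if msg.startswith("/"):
            # Scanner output line. Assumption: the directory directly under
            # /<pid>/ is the queue ID of the message the file came from.
            m = re.search(r"/%s/([^/\s]+)/" % re.escape(pid), msg)
            if m:
                batch["scanner_ids"].add(m.group(1))
            continue

        m = INFECTED_RE.match(msg)
        if m:
            batch["logged_ids"].add(m.group(1))
            continue

        m = FOUND_RE.match(msg)
        if m:
            batch["viruses"] = int(m.group(1))
            continue

        m = DELIVERED_RE.match(msg)
        if m:
            delivered = int(m.group(1))
            mismatched = sorted(batch["logged_ids"] - batch["scanner_ids"])
            reasons = []
            if mismatched:
                reasons.append("infected message logged under an ID that is "
                               "not a queue ID from the scanner output")
            if batch["viruses"] > 0 and delivered >= batch["size"]:
                reasons.append("viruses found but the whole batch was "
                               "delivered as uninfected")
            if reasons:
                findings.append({"pid": pid,
                                 "batch_size": batch["size"],
                                 "viruses": batch["viruses"],
                                 "delivered": delivered,
                                 "scanner_ids": sorted(batch["scanner_ids"]),
                                 "mismatched_ids": mismatched,
                                 "reasons": reasons})
            del batches[pid]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A batch flagged this way is a prompt to check that the incoming working directory in MailScanner.conf is given as the real absolute path, as the reply above advises.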
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:21 2006
Subject: untagged messages
In-Reply-To: <4022BFD3.9080303@pa.net>
References: <6.0.0.22.2.20040204104406.01e4a2b8@pop.mail.yahoo.com> <40226B28.5020904@pa.net> <6.0.0.22.2.20040205114428.01fcfb38@pop.mail.yahoo.com> <4022B852.2070901@pa.net> <4022BFD3.9080303@pa.net>
Message-ID: <6.0.1.1.2.20040206072138.03897e60@imap.ecs.soton.ac.uk>

Upgrade to 4.26 and see if that helps. It may well do as I fixed some of
the Postfix code in 4.26 (as explained in the ChangeLog).

At 22:12 05/02/2004, you wrote:
>Leland J. Steinke wrote:
>>hermit921 wrote:
>>
>>>
>>>Here is an example with headers and body, with a few changes to
>>>protect my
>>>names and IP addresses.
>
>well, I shoved my original message through the mailscanner gauntlet again
>and here is what happened.
>
>The envelope sender was replicated as the (originally null) message body
>and the MS headers were nowhere to be seen. I do not believe that this is
>a postfix issue, since I "netcat"ted the message to our smtp delivery
>server (also running postfix) directly and the message came through with no
>message body added.
>
>We are running 4.25-14. If MailScanner were written in C, I would suspect
>pointer arithmetic gone awry. Must... test... more... tomorrow...
>
>Leland

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lenaig at WANADOO.FR Fri Feb 6 08:02:03 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:21 2006
Subject: MailScanner-MRTG version 0.08.01 released
In-Reply-To: <1076023010.22569.49.camel@bach.kevinspicer.co.uk>
References: <1076023010.22569.49.camel@bach.kevinspicer.co.uk>
Message-ID: <20040206080203.GB1380@maelenn>

Hi,

Which version did you give me? (MSMRTG.tar.gz)

Thx
--
Thierry
Never run "apt-get install new-wife" before "apt-get remove --purge current-wife"

From kevins at BMRB.CO.UK Fri Feb 6 08:06:43 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:21 2006
Subject: MailScanner-MRTG version 0.08.01 released
In-Reply-To: <20040206080203.GB1380@maelenn>
References: <1076023010.22569.49.camel@bach.kevinspicer.co.uk> <20040206080203.GB1380@maelenn>
Message-ID: <1076054804.22416.70.camel@bach.kevinspicer.co.uk>

On Fri, 2004-02-06 at 08:02, Thierry wrote:
> Hi,
> Which version did you give me? (MSMRTG.tar.gz)
>

Can't quite remember, it was kind of a midpoint CVS thingy - with almost all of the fixes that are in 0.08. If it's working okay then you probably don't need to bother upgrading.

If you wish to continue this thread please email me off-list as I daresay the specifics of which files I sent you probably are only of interest to you and I.

Kevin

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From lenaig at WANADOO.FR Fri Feb 6 08:34:50 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:21 2006
Subject: pb working Spam
Message-ID: <20040206083450.GA1952@maelenn>

Hi,

Actually, I am using procmail to move spam into a special box:

:0fw
| spamassassin -P

:0:
* ^X-Spam-Flag: YES
Bin

So if I comment out these lines, I receive spam in my principal box; I mean that mailscanner/spamassassin are not working. I need them to work because I am using mailscanner-mrtg.

MailScanner.conf:

Spam Checks = yes
Use SpamAssassin = yes
Spam Score = yes
Spam Actions = delete
High Scoring Spam Actions = delete
Log Spam = yes
SpamAssassin User State Dir = /var/spool/spamassassin

In /var/spool/spamassassin, I have two files:

-rw-r-xr-x 1 root wheel 65536 Feb 6 09:30 bayes_seen
-rw-r-xr-x 1 root wheel 114688 Feb 6 09:30 bayes_toks

I think that I made a mistake, but I still do not know where.

Thx
--
Thierry
Never run "apt-get install new-wife" before "apt-get remove --purge current-wife"

From martinh at SOLID-STATE-LOGIC.COM Fri Feb 6 08:55:37 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:21 2006 Subject: New installation -- and problems i never had In-Reply-To: <200402051903.50240.mailing-oit@tttech.com> References: <200402041604.02066.mailing-oit@tttech.com> <200402041704.38202.mailing-oit@tttech.com> <1202.81.86.182.54.1075919495.squirrel@mail.solid-state-logic.com> <200402051903.50240.mailing-oit@tttech.com> Message-ID: <40235689.7080604@solid-state-logic.com> Christoph Resch wrote: > hi martin , > > thanks for support and this mail is just for the ML and for information .. > > i know installed mailscanner from latest debian unstable package .. but i > think the problem was, tha Mailscanner handled the mails funny ... mails sent > from the commandline to local users have no additional spam-reports .. > everything that goes through SMTP does .. > > just interresting There's some rules in the MailScanner.conf that say whether or not to spam scan certain hosts. The default is probably not to scan local host. either that or the way your MTA is setup the 'post mailscanner' queue (ie delivery) is the default queue for /usr/sbin/sendmail (or whatever your MTA is). Well I think that was really badly explained, if you need it clearer I can try again, after I've finished my first coffee :-) -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at SOLID-STATE-LOGIC.COM Fri Feb 6 09:14:51 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:21 2006 Subject: X_MS_has_attach In-Reply-To: <4022DFCC.60305@eatathome.com.au> References: <4022DFCC.60305@eatathome.com.au> Message-ID: <40235B0B.1020507@solid-state-logic.com> Pete wrote: > We are Domino shop, we have MailScanner/postfix/sa filtering all inbound > mail. Very vanilla installation. > > We have merged with a company who used Exchange. Tnhey are sending > messages from thier site, from exchange, over the net, into MailScanner > to us. > > Suddenly we have started seeing messages from this company only that > have the attachments icon in the client, to indicate that there is an > attachment, but there is NO sign of an attachment. > > All other messages from people with attachments come through with no > issue, or if they are noxious we get the inline spam warning as per > usual. We have NO rules, just basic/default filename/type/warnjing > settings in MS.conf. > > The only messages with attachments to have the X_MS_has_attach "yes" > header are the ones from this new company, they have NO anti spam tools > at all. There is no entry in the logs for these messages to have had an > attachment modfied or anything. > > Maybe there is a way to modify this header?, but what are the > implications of this? IS this header generated by mailscanner, why? > > We are in a situation where the new company (controlling) wants to force > MS Exchange onto us in place of Lotus Domino, so incompabilities, that > seems to be our fault work against in a hieous way - please help me fend > off these marauding ms exchange loving heathens...for the love of Man, > the benefit of the world and all that we stand for - etc :) Hi you might want to setup a whitelist rule for the new companies email server so SA doesn't scan - I guess you'll still need the virus scanning???? Given the fact the other half is a m-sexchange site you might want to investigate the TNEF settings on the MS host. 
doing TNEF from the perl module is generally more powerful and less error prone than the binary, but YMMV so check that. Another option might be to setup a VPN between to two LAN's, quite easy now-adays.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martyn at invictawiz.com Fri Feb 6 10:30:23 2004 From: martyn at invictawiz.com (InvictaWiz Customer Support) Date: Thu Jan 12 21:22:21 2006 Subject: Mailscanner & Freebsd In-Reply-To: Message-ID: A briliant piece of work, thanks. I have made a couple of small changes to my copy of mta.sh I am using a perl script called "sendmail.logs.pl" to analyse my maillog and generate mrtg stats on simple numbers of mail, viruses & spam passing through the server. The script doesn't have any license/authorinfo in it! I had to change mta.sh to record "sendmail-in" etc instead of "sm-mta-in" as the analysis script stopped working because it was looking for the default "sendmail" Martyn Routley -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jan-Peter Koopmann Sent: 04 February 2004 09:58 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [MAILSCANNER] Mailscanner & Freebsd Hi Martyn, > I use 2 cute scripts which run from /usr/local/etc/rc.d, I > can't remember where they came from. I do. They are mine and they are part of the FreeBSD port! Disable all MTA stuff in rc.conf and simply use those start/stop scripts. :-) Regards, JP ----------------------------------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. ----------------------------------------------------------------------------- From pete at eatathome.com.au Fri Feb 6 11:29:35 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:21 2006 Subject: X_MS_has_attach In-Reply-To: <40235B0B.1020507@solid-state-logic.com> References: <4022DFCC.60305@eatathome.com.au> <40235B0B.1020507@solid-state-logic.com> Message-ID: <40237A9F.1000401@eatathome.com.au> Martin Hepworth wrote: > Pete wrote: > >> We are Domino shop, we have MailScanner/postfix/sa filtering all inbound >> mail. Very vanilla installation. >> >> We have merged with a company who used Exchange. Tnhey are sending >> messages from thier site, from exchange, over the net, into MailScanner >> to us. >> >> Suddenly we have started seeing messages from this company only that >> have the attachments icon in the client, to indicate that there is an >> attachment, but there is NO sign of an attachment. >> >> All other messages from people with attachments come through with no >> issue, or if they are noxious we get the inline spam warning as per >> usual. We have NO rules, just basic/default filename/type/warnjing >> settings in MS.conf. >> >> The only messages with attachments to have the X_MS_has_attach "yes" >> header are the ones from this new company, they have NO anti spam tools >> at all. There is no entry in the logs for these messages to have had an >> attachment modfied or anything. >> >> Maybe there is a way to modify this header?, but what are the >> implications of this? IS this header generated by mailscanner, why? >> >> We are in a situation where the new company (controlling) wants to force >> MS Exchange onto us in place of Lotus Domino, so incompabilities, that >> seems to be our fault work against in a hieous way - please help me fend >> off these marauding ms exchange loving heathens...for the love of Man, >> the benefit of the world and all that we stand for - etc :) > > > Hi > > you might want to setup a whitelist rule for the new companies email > server so SA doesn't scan - I guess you'll still need the virus > scanning???? 
> > Given the fact the other half is a m-sexchange site you might want to > investigate the TNEF settings on the MS host. doing TNEF from the perl > module is generally more powerful and less error prone than the binary, > but YMMV so check that. > > Another option might be to setup a VPN between to two LAN's, quite easy > now-adays.. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > > Thanks a lot, i should have thought of that, i will whitelist them on Monday. Is this simple to do, but ensuring that virus scanning continues? I cant see any point turning AV off... Thanks Pete From martinh at SOLID-STATE-LOGIC.COM Fri Feb 6 11:52:26 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:21 2006 Subject: [Fwd: Re: [MAILSCANNER] X_MS_has_attach] Message-ID: <40237FFA.50903@solid-state-logic.com> oops - errant reply to :-) -- martin ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** -------------- next part -------------- An embedded message was scrubbed... From: Martin Hepworth Subject: Re: [MAILSCANNER] X_MS_has_attach Date: Fri, 06 Feb 2004 11:51:48 +0000 Size: 2100 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040206/9ecf417e/MAILSCANNERX_MS_has_attach.mht From mailscanner at ecs.soton.ac.uk Fri Feb 6 12:01:34 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:21 2006 Subject: X_MS_has_attach In-Reply-To: <40237A9F.1000401@eatathome.com.au> References: <4022DFCC.60305@eatathome.com.au> <40235B0B.1020507@solid-state-logic.com> <40237A9F.1000401@eatathome.com.au> Message-ID: <6.0.1.1.2.20040206120021.069dc4f8@imap.ecs.soton.ac.uk> At 11:29 06/02/2004, you wrote: >Martin Hepworth wrote: > >>Pete wrote: >> >>>We are Domino shop, we have MailScanner/postfix/sa filtering all inbound >>>mail. Very vanilla installation. >>> >>>We have merged with a company who used Exchange. Tnhey are sending >>>messages from thier site, from exchange, over the net, into MailScanner >>>to us. >>> >>>Suddenly we have started seeing messages from this company only that >>>have the attachments icon in the client, to indicate that there is an >>>attachment, but there is NO sign of an attachment. >>> >>>All other messages from people with attachments come through with no >>>issue, or if they are noxious we get the inline spam warning as per >>>usual. We have NO rules, just basic/default filename/type/warnjing >>>settings in MS.conf. >>> >>>The only messages with attachments to have the X_MS_has_attach "yes" >>>header are the ones from this new company, they have NO anti spam tools >>>at all. There is no entry in the logs for these messages to have had an >>>attachment modfied or anything. >>> >>>Maybe there is a way to modify this header?, but what are the >>>implications of this? IS this header generated by mailscanner, why? 
>>> >>>We are in a situation where the new company (controlling) wants to force >>>MS Exchange onto us in place of Lotus Domino, so incompabilities, that >>>seems to be our fault work against in a hieous way - please help me fend >>>off these marauding ms exchange loving heathens...for the love of Man, >>>the benefit of the world and all that we stand for - etc :) >> >> >>Hi >> >>you might want to setup a whitelist rule for the new companies email >>server so SA doesn't scan - I guess you'll still need the virus >>scanning???? >> >>Given the fact the other half is a m-sexchange site you might want to >>investigate the TNEF settings on the MS host. doing TNEF from the perl >>module is generally more powerful and less error prone than the binary, >>but YMMV so check that. >> >>Another option might be to setup a VPN between to two LAN's, quite easy >>now-adays.. >> >>-- >>Martin Hepworth >>Snr Systems Administrator >>Solid State Logic >>Tel: +44 (0)1865 842300 >> >> >>********************************************************************** >> >>This email and any files transmitted with it are confidential and >>intended solely for the use of the individual or entity to whom they >>are addressed. If you have received this email in error please notify >>the system manager. >> >>This footnote confirms that this email message has been swept >>for the presence of computer viruses and is believed to be clean. >> >>********************************************************************** >> >> >Thanks a lot, i should have thought of that, i will whitelist them on >Monday. Is this simple to do, but ensuring that virus scanning >continues? I cant see any point turning AV off... You can control just about everything in MailScanner with a ruleset that lets you switch features on/off and change values for any arbitrary groups of users or domains. Read /etc/MailScanner/rules/* and see the FAQ too. There's plenty about rulesets there. You just want to tie a ruleset to "Spam Checks". 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Feb 6 12:00:11 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:21 2006 Subject: Mailscanner & Freebsd In-Reply-To: References: Message-ID: <6.0.1.1.2.20040206115916.06a14c98@imap.ecs.soton.ac.uk> At 10:30 06/02/2004, you wrote: >A briliant piece of work, thanks. > >I have made a couple of small changes to my copy of mta.sh > >I am using a perl script called "sendmail.logs.pl" to analyse my maillog >and generate mrtg stats on >simple numbers of mail, viruses & spam passing through the server. The >script doesn't have any >license/authorinfo in it! I think that's one of mine. It's pretty basic, you would be better off with MailScanner-MRTG or even MailWatch (rather bigger, needs a database) than my little old script. >I had to change mta.sh to record "sendmail-in" etc instead of "sm-mta-in" >as the analysis script >stopped working because it was looking for the default "sendmail" > >Martyn Routley > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Jan-Peter Koopmann >Sent: 04 February 2004 09:58 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: [MAILSCANNER] Mailscanner & Freebsd > > >Hi Martyn, > > > I use 2 cute scripts which run from /usr/local/etc/rc.d, I > > can't remember where they came from. > >I do. They are mine and they are part of the FreeBSD port! Disable all MTA >stuff in rc.conf and >simply use those start/stop scripts. :-) > >Regards, > JP > > >----------------------------------------------------------------------------- >This message has been scanned for viruses and >dangerous content by the http://www.anti84787.com >MailScanner, and is believed to be clean. >----------------------------------------------------------------------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From davidj at IMPOL.NET Fri Feb 6 13:11:32 2004 
From: davidj at IMPOL.NET (David Jacobson)
Date: Thu Jan 12 21:22:21 2006
Subject: Spam ruleset
Message-ID:

Hi,

Can someone please post me an example on how to disable spam checking for just one e-mail address?

Thanks.

Kind regards,

David Jacobson
Network Security Administrator
RHCE

Imperial Online - The Imperial Connection

Switchboard (+27) 11 723-8000
Helpdesk (+27) 11 723-8181
Mobile (+27) 83 235-0760
Facsimile (+27) 11 454 1236
Email davidj@impol.net

www.imperialonline.co.za / www.imperialtoday.co.za

Confidentiality Notice:
This communication and the information it contains are intended for the person(s) or organisation(s) named above and for no other person(s) or organisation(s). The content of this communication may be confidential, legally privileged and protected. Unauthorised use, copying or disclosure of any part of this communication may be unlawful.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040206/c75f77ae/attachment.html

From mike at CAMAROSS.NET Fri Feb 6 13:17:31 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:21 2006
Subject: Spam ruleset
In-Reply-To:
Message-ID: <200402061315.i16DFiD7014534@avwall.bladeware.com>

In MailScanner.conf:

Spam Checks = /etc/MailScanner/rules/spamcheck.rules

In spamcheck.rules

FromTo: user_not_to_scan@domain.org no
FromTo: default yes

Save and reload MailScanner

Mike

________________________________
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Jacobson Sent: Friday, February 06, 2004 7:12 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spam ruleset Hi, Can someone please post me an example on how to disable spam checking for just one e-mail address? Thanks. Kind regards, David Jacobson Network Security Administrator RHCE Imperial Online - The Imperial Connection Switchboard (+27) 11 723-8000 Helpdesk (+27) 11 723-8181 Mobile (+27) 83 235-0760 Facsimile (+27) 11 454 1236 Email davidj@impol.net www.imperialonline.co.za / www.imperialtoday.co.za Confidentiality Notice: This communication and the information it contains are intended for the person(s) or organisation(s) named above and for no other person(s) or organisation(s). The content of this communication may be confidential, legally privileged and protected. Unauthorised use, copying or disclosure of any part of this communication may be unlawful. From pete at eatathome.com.au Fri Feb 6 13:33:51 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:21 2006 Subject: X_MS_has_attach In-Reply-To: <6.0.1.1.2.20040206120021.069dc4f8@imap.ecs.soton.ac.uk> References: <4022DFCC.60305@eatathome.com.au> <40235B0B.1020507@solid-state-logic.com> <40237A9F.1000401@eatathome.com.au> <6.0.1.1.2.20040206120021.069dc4f8@imap.ecs.soton.ac.uk> Message-ID: <402397BF.9070800@eatathome.com.au> Julian Field wrote: > At 11:29 06/02/2004, you wrote: > >> Martin Hepworth wrote: >> >>> Pete wrote: >>> >>>> We are Domino shop, we have MailScanner/postfix/sa filtering all >>>> inbound >>>> mail. Very vanilla installation. >>>> >>>> We have merged with a company who used Exchange. Tnhey are sending >>>> messages from thier site, from exchange, over the net, into >>>> MailScanner >>>> to us. >>>> >>>> Suddenly we have started seeing messages from this company only that >>>> have the attachments icon in the client, to indicate that there is an >>>> attachment, but there is NO sign of an attachment. >>>> >>>> All other messages from people with attachments come through with no >>>> issue, or if they are noxious we get the inline spam warning as per >>>> usual. We have NO rules, just basic/default filename/type/warnjing >>>> settings in MS.conf. >>>> >>>> The only messages with attachments to have the X_MS_has_attach "yes" >>>> header are the ones from this new company, they have NO anti spam >>>> tools >>>> at all. There is no entry in the logs for these messages to have >>>> had an >>>> attachment modfied or anything. >>>> >>>> Maybe there is a way to modify this header?, but what are the >>>> implications of this? IS this header generated by mailscanner, why? 
>>>> >>>> We are in a situation where the new company (controlling) wants to >>>> force >>>> MS Exchange onto us in place of Lotus Domino, so incompabilities, that >>>> seems to be our fault work against in a hieous way - please help me >>>> fend >>>> off these marauding ms exchange loving heathens...for the love of Man, >>>> the benefit of the world and all that we stand for - etc :) >>> >>> >>> >>> Hi >>> >>> you might want to setup a whitelist rule for the new companies email >>> server so SA doesn't scan - I guess you'll still need the virus >>> scanning???? >>> >>> Given the fact the other half is a m-sexchange site you might want to >>> investigate the TNEF settings on the MS host. doing TNEF from the perl >>> module is generally more powerful and less error prone than the binary, >>> but YMMV so check that. >>> >>> Another option might be to setup a VPN between to two LAN's, quite easy >>> now-adays.. >>> >>> -- >>> Martin Hepworth >>> Snr Systems Administrator >>> Solid State Logic >>> Tel: +44 (0)1865 842300 >>> >>> >>> ********************************************************************** >>> >>> This email and any files transmitted with it are confidential and >>> intended solely for the use of the individual or entity to whom they >>> are addressed. If you have received this email in error please notify >>> the system manager. >>> >>> This footnote confirms that this email message has been swept >>> for the presence of computer viruses and is believed to be clean. >>> >>> ********************************************************************** >>> >>> >> Thanks a lot, i should have thought of that, i will whitelist them on >> Monday. Is this simple to do, but ensuring that virus scanning >> continues? I cant see any point turning AV off... > > > You can control just about everything in MailScanner with a ruleset that > lets you switch features on/off and change values for any arbitrary > groups > of users or domains. 
Read /etc/MailScanner/rules/* and see the FAQ too.
> There's plenty about rulesets there. You just want to tie a ruleset to
> "Spam Checks".
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>

Thanks, I have already been searching since I posted, and another helpful fellow posted a tip, so I will proceed on Monday.

Does anyone know anything else about this mail header? I can find no info on the net, but it APPEARS to have been generated by Exchange? Is there any way to tell why it is included and marked as YES and the mail is displaying the attachment icon, but no attachment is present?

From bpumphrey at WOODMACLAW.COM Fri Feb 6 13:51:59 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:21 2006
Subject: Spam ruleset
Message-ID:

In your spam.whitelist.rules put:

FromOrTo: user@domain.com yes

_____
From: David Jacobson [mailto:davidj@IMPOL.NET] Sent: Friday, February 06, 2004 8:12 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spam ruleset Hi, Can someone please post me an example on how to disable spam checking for just one e-mail address? Thanks. Kind regards, David Jacobson Network Security Administrator RHCE Imperial Online - The Imperial Connection Switchboard (+27) 11 723-8000 Helpdesk (+27) 11 723-8181 Mobile (+27) 83 235-0760 Facsimile (+27) 11 454 1236 Email davidj@impol.net www.imperialonline.co.za / www.imperialtoday.co.za Confidentiality Notice: This communication and the information it contains are intended for the person(s) or organisation(s) named above and for no other person(s) or organisation(s). The content of this communication may be confidential, legally privileged and protected. Unauthorised use, copying or disclosure of any part of this communication may be unlawful. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040206/4d6ffe6f/attachment.html From bpumphrey at WOODMACLAW.COM Fri Feb 6 14:02:04 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:21 2006 Subject: Mail pending 754 Message-ID: Now it says 954. Someone please tell me what this means? Does it mean what it says, that there are almost a 1000 emails waiting to be delivered? No one has said anything to make it seem this way though. -----Original Message----- 
From: Billy A. Pumphrey
Sent: Thursday, February 05, 2004 5:30 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Mail pending 754

On my stats it says "Mail pending 754"

Is this a big number? I use mailstats and that's what it shows.

More:

Mail Analysis
General Mail Statistics
Data since December 23 2003 13:42:20 - Data up to February 5 2004 17:20:02 EST (44.2 days)

Total messages handled          87,995
Messages rejected               187
Total data handled              1.09G bytes
Spam received                   42,062
Messages handled successfully   87,808
Rejection rate                  0.21%
Average message size            13K bytes
Blocked IPs                     0
Average messages per day        1,995
Viruses detected                2,088
Rejected in last 5 mins         0
Spam rate                       47.90%
Messages in last 5 mins         25
Infection rate                  2.38%
Mail pending                    754
AV Updated                      Feb 5 17:01:03

From David.While at UCE.AC.UK Fri Feb 6 14:04:43 2004
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:22:21 2006
Subject: Mail pending 754
Message-ID: <107DE25EC0216C45AEF670016024245F6FEA@exchangea.staff.uce.ac.uk>

Mailstats counts the number of mails pending by counting the number of qf files in the directories configured. It is possible that you have qf files being left without the corresponding df files.

As someone previously said you could type mailq at the prompt to see what the queue tells you.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Billy A. Pumphrey
Sent: 06 February 2004 14:02
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail pending 754

Now it says 954. Someone please tell me what this means? Does it mean what it says, that there are almost a 1000 emails waiting to be delivered? No one has said anything to make it seem this way though.

-----Original Message-----
From: Billy A. Pumphrey
Sent: Thursday, February 05, 2004 5:30 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Mail pending 754

On my stats it says "Mail pending 754"

Is this a big number? I use mailstats and that's what it shows.

More:

Mail Analysis
General Mail Statistics
Data since December 23 2003 13:42:20 - Data up to February 5 2004 17:20:02 EST (44.2 days)

Total messages handled          87,995
Messages rejected               187
Total data handled              1.09G bytes
Spam received                   42,062
Messages handled successfully   87,808
Rejection rate                  0.21%
Average message size            13K bytes
Blocked IPs                     0
Average messages per day        1,995
Viruses detected                2,088
Rejected in last 5 mins         0
Spam rate                       47.90%
Messages in last 5 mins         25
Infection rate                  2.38%
Mail pending                    754
AV Updated                      Feb 5 17:01:03

From pete at eatathome.com.au Fri Feb 6 14:10:53 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:21 2006
Subject: Spam ruleset
In-Reply-To:
References:
Message-ID: <4023A06D.2000900@eatathome.com.au>

Billy A. Pumphrey wrote:

> In your spam.whitelist.rules put:
>
>
>
> FromOrTo: user@domain.com yes
>
>
>
> ------------------------------------------------------------------------
>
> *From:* David Jacobson [mailto:davidj@IMPOL.NET]
> *Sent:* Friday, February 06, 2004 8:12 AM
> *To:* MAILSCANNER@JISCMAIL.AC.UK
> *Subject:* Spam ruleset
>
>
>
>
> Hi,
>
> Can someone please post me an example on how to disable spam checking
> for just one e-mail address?
>
> Thanks.
>
> Kind regards,
>
> David Jacobson
> Network Security Administrator
> RHCE
>
> Imperial Online - The Imperial Connection
>
> Switchboard (+27) 11 723-8000
> Helpdesk (+27) 11 723-8181
> Mobile (+27) 83 235-0760
> Facsimile (+27) 11 454 1236
> Email davidj@impol.net
>
> www.imperialonline.co.za / www.imperialtoday.co.za
>
> Confidentiality Notice:
> This communication and the information it contains are intended for
> the person(s) or organisation(s) named above and for no other
> person(s) or organisation(s).
> The content of this communication may be confidential, legally
> privileged and protected. Unauthorised use, copying or disclosure of
> any part of this communication may be unlawful.
>

Is the difference between the above 2 suggestions,

1. use whitelists
2. use a spam check rule

that 1 will even prevent virus scanning, while 2 will only disable the spam/filetype/content filtering?

Thanks
pete

From lee at SJU.EDU Fri Feb 6 14:05:41 2004
From: lee at SJU.EDU (Stephen Lee)
Date: Thu Jan 12 21:22:21 2006
Subject: virus detected but still delivered
References: <4022C6FE.C2AEBD8A@sju.edu> <6.0.1.1.2.20040206072249.03b69930@imap.ecs.soton.ac.uk>
Message-ID: <40239F35.49485154@sju.edu>

Julian,

I changed the path from a symbolic link to absolute path and the viruses have been stopped.

Thanks very much,
Steve

Julian Field wrote:
>
> What do you have set as your incoming working dir (what was
> /var/spool/MailScanner/incoming)?
> You need to have the real absolute path to it in your MailScanner.conf, i.e.
> /datavol15/incoming
>
> At 22:43 05/02/2004, you wrote:
> >Hello,
> >
> >MailScanner-4.25-14
> >Mail-SpamAssassin-2.63
> >Solaris 9
> >McAfee engine 4.3.20 and DAT 4322
> >
> > McAfee stopped running some time ago for me. My file extension rules
> >were keeping out so many viruses I never realized it stopped until
> >today. I got it running again but still have a problem. Below is a log
> >snippet that shows the virus in this batch of three messages being
> >detected but still delivered. What configuration setting did I screw
> >up?
> >
> >
> >Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Found 408
> >messages waiting
> >Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Scanning 3
> >messages, 49642 bytes
> >Feb 5 17:27:38 mailhost MailScanner[9732]: Spam Checks: Starting
> >Feb 5 17:27:38 mailhost MailScanner[9732]: RBL checks: i15MGrbt004289
> >found in spamhaus.org
> >Feb 5 17:27:40 mailhost MailScanner[9732]: Message i15MGrbt004289 from
> >64.253.207.198 (6-5567031-sju.edu?jh127389@stderr.emarketmachine2.com)
> >to sju.edu is spam, spamhaus.org, SpamAssassin (score=6.7, required 6,
> >BAYES_80 2.86, BigEvilList_159 3.00, CLICK_BELOW 0.00, HTML_50_60 0.10,
> >HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_FACE_ODD 0.32, HTML_IMAGE_RATIO_06
> >0.23, HTML_WEB_BUGS 0.10)
> >Feb 5 17:27:41 mailhost MailScanner[9732]: RBL checks: i15MEDbd001213
> >found in spamhaus.org
> >Feb 5 17:27:43 mailhost MailScanner[9732]: Message i15MEDbd001213 from
> >69.56.42.89 (bounce-rllrwsssgvrewz@jaadvjjjc.planetaryorbitz.com) to
> >sju.edu is spam, spamhaus.org, SpamAssassin (score=8, required 6,
> >BANG_MONEY 1.72, BAYES_60 1.10, BigEvilList_49 3.00, CLICK_BELOW_CAPS
> >0.50, HTML_60_70 0.10, HTML_FONT_BIG 0.22, HTML_FONT_COLOR_BLUE 0.10,
> >HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_COLOR_RED 0.10,
> >HTML_FONT_COLOR_UNSAFE 0.10, HTML_IMAGE_RATIO_06 0.23,
> >HTML_LINK_CLICK_HERE 0.10, MAILTO_TO_SPAM_ADDR 0.68)
> >Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Checks: Found 2 spam
> >messages
> >Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message
> >i15MGrbt004289 actions are striphtml,deliver
> >Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message
> >i15MEDbd001213 actions are striphtml,deliver
> >Feb 5 17:27:44 mailhost MailScanner[9732]: Virus and Content Scanning:
> >Starting
> >Feb 5 17:27:46 mailhost MailScanner[9732]:
> >/datavol15/incoming/9732/i15MM5bV010213/readme.zip2 Found the
> >W32/Mydoom.a@MM virus !!!
> >Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: McAfee found
> >1 infections
> >Feb 5 17:27:46 mailhost MailScanner[9732]: Infected message datavol15
> >came from
> >Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: Found 1
> >viruses
> >Feb 5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and
> >will convert HTML message to plain text in i15MGrbt004289
> >Feb 5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and
> >will convert HTML message to plain text in i15MEDbd001213
> >Feb 5 17:27:46 mailhost MailScanner[9732]: Uninfected: Delivered 3
> >messages
> >
> >Regards,
> >Steve
> >--
> >Stephen J. Lee Saint Joseph's University
> >Senior Systems Administrator 5600 City Avenue
> >Networking & Telecommunications Philadelphia, PA 19131-1395
> >E-mail: lee@sju.edu Voice: (610) 660-1679
> > Fax: (610) 660-1573
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Stephen J. Lee Saint Joseph's University
Senior Systems Administrator 5600 City Avenue
Networking & Telecommunications Philadelphia, PA 19131-1395
E-mail: lee@sju.edu Voice: (610) 660-1679
Fax: (610) 660-1573

From martinh at SOLID-STATE-LOGIC.COM Fri Feb 6 14:18:23 2004
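The failure in the "virus detected but still delivered" thread above can be caught from the logs alone. The following is an added example, not code from any poster or from MailScanner: it flags batches where a scanner hit is never attributed to its queue ID, or where a batch with viruses is delivered in full, and it lists symlinked components of a configured path. The function names, the PID 9800 batch and the `<incoming>/<pid>/<queue id>/<file>` layout inferred from the posted path are assumptions.

```python
import os
import re

# PID 9732: lines re-joined from the log excerpt quoted in the thread.
# PID 9800: constructed healthy batch (queue ID and 192.0.2.10 are made up).
SAMPLE_LOG = """\
Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Found 408 messages waiting
Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Scanning 3 messages, 49642 bytes
Feb 5 17:27:46 mailhost MailScanner[9732]: /datavol15/incoming/9732/i15MM5bV010213/readme.zip2 Found the W32/Mydoom.a@MM virus !!!
Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: McAfee found 1 infections
Feb 5 17:27:46 mailhost MailScanner[9732]: Infected message datavol15 came from
Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: Found 1 viruses
Feb 5 17:27:46 mailhost MailScanner[9732]: Uninfected: Delivered 3 messages
Feb 5 17:30:02 mailhost MailScanner[9800]: New Batch: Scanning 2 messages, 30211 bytes
Feb 5 17:30:05 mailhost MailScanner[9800]: /datavol15/incoming/9800/i15MZ0aa000001/doc.zip Found the W32/Mydoom.a@MM virus !!!
Feb 5 17:30:05 mailhost MailScanner[9800]: Infected message i15MZ0aa000001 came from 192.0.2.10
Feb 5 17:30:05 mailhost MailScanner[9800]: Virus Scanning: Found 1 viruses
Feb 5 17:30:05 mailhost MailScanner[9800]: Uninfected: Delivered 1 messages
"""

ENTRY = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
BATCH = re.compile(r"New Batch: Scanning (\d+) messages")
HIT = re.compile(r"(/\S+) Found the (.+?) virus")
BLAMED = re.compile(r"Infected message (\S+) came from")
FOUND = re.compile(r"Virus Scanning: Found (\d+) viruses")
DELIVERED = re.compile(r"Uninfected: Delivered (\d+) messages")


def queue_id_from_path(path, pid):
    """Queue ID implied by a scanner hit, assuming <incoming>/<pid>/<queue id>/<file>
    as in the posted log line; returns None if the path does not fit."""
    parts = path.split("/")
    if pid in parts and parts.index(pid) + 2 < len(parts):
        return parts[parts.index(pid) + 1]
    return None


def audit(log_text):
    """Return (pid, kind, detail) findings, one batch at a time per child PID."""
    findings, open_batches = [], {}
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        pid, msg = entry.groups()
        started = BATCH.search(msg)
        if started:
            open_batches[pid] = {"size": int(started.group(1)), "hits": set(),
                                 "blamed": set(), "found": 0}
            continue
        batch = open_batches.get(pid)
        if batch is None:
            continue
        hit, blamed = HIT.match(msg), BLAMED.search(msg)
        found, delivered = FOUND.search(msg), DELIVERED.search(msg)
        if hit:
            batch["hits"].add(queue_id_from_path(hit.group(1), pid) or "<unparsed>")
        elif blamed:
            batch["blamed"].add(blamed.group(1))
        elif found:
            batch["found"] = int(found.group(1))
        elif delivered:
            # The scanner flagged a file under a queue ID never reported as infected.
            for qid in sorted(batch["hits"] - batch["blamed"]):
                findings.append((pid, "hit-not-attributed", qid))
            # Viruses were counted, yet the whole batch went out as uninfected.
            if batch["found"] and int(delivered.group(1)) >= batch["size"]:
                findings.append((pid, "infected-batch-delivered-in-full",
                                 str(batch["size"])))
            del open_batches[pid]
    return findings


def symlinked_components(path):
    """Return each prefix of `path` that is itself a symbolic link."""
    hits, cur = [], os.sep
    for part in os.path.abspath(path).split(os.sep):
        if part:
            cur = os.path.join(cur, part)
            if os.path.islink(cur):
                hits.append(cur)
    return hits


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
    # Path from the thread's default; prints [] where nothing is a symlink.
    print(symlinked_components("/var/spool/MailScanner/incoming"))
```

Any non-empty result from `symlinked_components` for the incoming working directory is worth replacing with the real absolute path, which is the fix reported in the thread.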
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:21 2006
Subject: Spam ruleset
In-Reply-To: <4023A06D.2000900@eatathome.com.au>
References: <4023A06D.2000900@eatathome.com.au>
Message-ID: <4023A22F.9070601@solid-state-logic.com>

Pete wrote:
> Billy A. Pumphrey wrote:
>
>> In your spam.whitelist.rules put:
>>
>> FromOrTo: user@domain.com yes
>>
> Is the difference between the above 2 suggestions,
> 1. use whitelists
> 2. use a spam check rule
> that 1 will even prevent virus scanning, while 2 will only disable the
> spam/filetype/content filtering?
>
> Thanks
> pete

Pete

Billy's rule will still use the spam checks, but will give a score of -100 to start with - ie it will be very very unlikely to trigger the spam catch (default of +5).

The rule that myself and Julian suggest won't run SA at all for those emails, thus saving CPU time..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From bpumphrey at WOODMACLAW.COM Fri Feb 6 14:20:59 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:21 2006
Subject: Spam ruleset
Message-ID:

Thanks for the additional note, I will change mine to your suggestion

mailto:

-----Original Message-----
From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]
Sent: Friday, February 06, 2004 9:18 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Spam ruleset

Pete wrote:
> Billy A. Pumphrey wrote:
>
>> In your spam.whitelist.rules put:
>>
>> FromOrTo: user@domain.com yes
>>
> Is the difference between the above 2 suggestions,
> 1. use whitelists
> 2. use a spam check rule
> that 1 will even prevent virus scanning, while 2 will only disable the
> spam/filetype/content filtering?
>
> Thanks
> pete

Pete

Billy's rule will still use the spam checks, but will give a score of -100 to start with - ie it will be very very unlikely to trigger the spam catch (default of +5).

The rule that myself and Julian suggest won't run SA at all for those emails, thus saving CPU time..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From campbell at CNPAPERS.COM Fri Feb 6 14:23:33 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:21 2006
Subject: TNEF problem - Not handling winmail.dat
Message-ID: <00cd01c3ecbc$cd97f2c0$5001a8c0@cnpapers.net>

I am reposting since I couldn't find my prior posts in the archive. I've been having some problems here and am not sure I have received or sent my list messages.

BTW - I have searched the archives and have found only references to problems with TNEF, but no answers. I have upgraded to the latest release, but don't really think this is a new problem, just one that was never reported to me.

I have an Outlook user who seems to be getting his attachments deleted. I have changed the TNEF Expander line in MailScanner.conf from /usr/bin/tnef to internal, and both fail to send the attachment. The final test of setting Deliver Unparseable TNEF to yes failed to send the attachment also.

The real problem is that there is no notification anywhere that the attachment was removed. Nothing in the mail to the admin, the maillog, or the recipient that an attachment was dropped. Is there something like "Silent Viruses" that this falls under? I do see in the maillog that the TNEF Expander was called, but nothing else regarding this message ID.

Any help or clues would be greatly appreciated.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From bpumphrey at WOODMACLAW.COM Fri Feb 6 14:24:32 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:21 2006
Subject: Mail pending 754
Message-ID:

Sorry for my newbness to Linux in general.

Ok, I did mailq and it came up with 480 entries. From the entries I'm guessing that I shouldn't care about these because they are for example:

i13I6CcX001139 747 Tue Feb 3 13:06 <>
(Deferred: Connection timed out with mail2.prizeservers.com.)

Message-ID: <200402061434.i16EYwD7021834@avwall.bladeware.com>

Are you bouncing spam?

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Billy A. Pumphrey
> Sent: Friday, February 06, 2004 8:25 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mail pending 754
>
> Sorry for my newbness to Linux in general.
>
> Ok, I did mailq and it came up with 480 entries. From the
> entries I'm guessing that I shouldn't care about these
> because they are for example:
>
> i13I6CcX001139 747 Tue Feb 3 13:06 <>
> (Deferred: Connection timed out with
> mail2.prizeservers.com.)
>
>
> They look like spam things. So what happened to the other
> 500 or so emails that mailstats says in queue? Or should I
> not even worry about it. It just seems that my 500mhz
> machine might not be keeping up.
>
> -----Original Message-----
> From: David While [mailto:David.While@UCE.AC.UK]
> Sent: Friday, February 06, 2004 9:05 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mail pending 754
>
> Mailstats counts the number of mails pending by counting the
> number of qf files in the directories configured. It is
> possible that you have qf files being left without the
> corresponding df files. As someone previously said you could
> type mailq at the prompt to see what the queue tells you.
> -----------------------------------------------------------------
> David While
> Technical Development Manager
> Faculty of Computing, Information & English University of
> Central England
> Tel: 0121 331 6211
> -----------------------------------------------------------------
>
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Billy A. Pumphrey
> Sent: 06 February 2004 14:02
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mail pending 754
>
>
> Now it says 954. Someone please tell me what this means?
> Does it mean what it says, that there are almost a 1000
> emails waiting to be delivered? No one has said anything to
> make it seem this way though.
>
> -----Original Message-----
> From: Billy A. Pumphrey
> Sent: Thursday, February 05, 2004 5:30 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Mail pending 754
>
> On my stats it says "Mail pending 754"
>
> Is this a big number? I use mailstats and that's what it shows.
>
> More:
> Mail Analysis
> General Mail Statistics
> Data since December 23 2003 13:42:20 - Data up to February 5 2004
> 17:20:02 EST (44.2 days)
> Total messages handled 87,995 Messages rejected 187 Total data
> handled 1.09G bytes Spam received 42,062
> Messages handled successfully 87,808 Rejection rate 0.21% Average
> message size 13K bytes Blocked IPs 0
> Average messages per day 1,995 Viruses detected 2,088 Rejected in
> last 5 mins 0 Spam rate 47.90%
> Messages in last 5 mins 25 Infection rate 2.38% Mail pending 754
> AV Updated Feb 5 17:01:03
>

From cwharris at MORGAN.NET Fri Feb 6 14:42:02 2004
From: cwharris at MORGAN.NET (Chris Harris)
Date: Thu Jan 12 21:22:21 2006
Subject: SA 2.63 upgrade
Message-ID: <002b01c3ecbf$61e349a0$2105a8c0@delta>

I upgraded SA to 2.63, and now tons of spam messages are coming through. There are still messages being flagged as spam, but the amount that is not flagged has gone up quite a bit. Has anyone else had this problem?

Chris

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040206/15c6eb7f/attachment.html

From David.While at UCE.AC.UK Fri Feb 6 14:33:50 2004
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:22:21 2006
Subject: Mail pending 754
Message-ID: <107DE25EC0216C45AEF670016024245F6FED@exchangea.staff.uce.ac.uk>

A couple of questions/comments:

1. You shouldn't be bouncing any spam responses. If you have 480 of these then they are taking up system resources every time your MTA tries to send them.

2. Do you have more than one queue directory configured? Most MTAs will allow it and mailstats can be configured to count messages in those directories as well.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Billy A. Pumphrey
Sent: 06 February 2004 14:25
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail pending 754

Sorry for my newbness to Linux in general.

Ok, I did mailq and it came up with 480 entries. From the entries I'm guessing that I shouldn't care about these because they are for example:

i13I6CcX001139 747 Tue Feb 3 13:06 <>
(Deferred: Connection timed out with mail2.prizeservers.com.)

Hello,

Thank you for the responses to my question about directing outgoing mail through MailScanner. The suggestions were accurate. Mail seems to be flowing and scanned!

I did however, have to go to (Exchange System Manager) Admin Groups->MyGroup->Routing Groups->MyGroup->Connectors->Main Internet Service->Properties and set the IP in "Forward all mail...".

Thanks again and sorry about the HTML.

Daryl

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mark Spieth
Sent: Thursday, February 05, 2004 12:33 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: How to scan mail going out?

2 parts here.

On the Redhat Box setup in /etc/mail/access a relay entry so that the exchange server can relay mail via your redhat box. E.g.

10.10.1.2 relay

Then on your exchange server open your exchange manager. Open Servers->servername->protocols->smtp->default smtp Virtual Server

Right click on the default smtp server and choose properties. Then go to the delivery tab and click advanced. Put the IP address of your redhat box in the Smart Host section and restart the smtp service. All outbound email will then route through the redhat box rather than having the exchange server attempt to deliver it directly. Also make sure that the attempt direct delivery box is unchecked.

Mark

Mark Spieth - Director of Internet Services
Northeast Ohio Digital Inc.
http://www.neod.net
mspieth@neod.net
330-830-6551

CONFIDENTIALITY NOTICE: The materials attached hereto are confidential and the property of the sender. The information contained in the attached materials is privileged and/or confidential and is intended only for the use of the above-named individual(s) or entity(ies). If you are not the intended recipient, be advised that any unauthorized disclosure, copying, distribution or the taking of any action in reliance on the contents of the attached information is strictly prohibited. If you have received this transmission in error, please discard the information immediately

-----Original Message-----
From: Carr, Daryl B. [mailto:DARYL@MONM.EDU]
Sent: Thursday, February 05, 2004 1:22 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: How to scan mail going out?

Hello,

We have just set up MailScanner 4.25-10 on a Redhat Linux 9 machine. We are using Sendmail 8.12.8 and Perl 5.8.0.

Currently, the flow of messages is like this:

all SMTP traffic incoming to ourdomain.com -> firewall(with rule) -> MailScanner -> Exchange 2003 server (ip: 10.10.1.2)

To make the last step happen (MailScanner->Exchange 2003), we added a line to /etc/mail/mailertable like this:

ourdomain.com smtp:[10.10.1.2]

So that flow works perfectly. But now we would like to add the outgoing traffic to the mix. The Exchange 2003 server is delivering directly and not going through MailScanner. We would like mail to travel:

Exchange 2003 Server (all messages from @ourdomain.com) -> MailScanner -> Recipient

We have used telnet to drop messages off to the MailScanner machine and they are delivered through the firewall just fine. But when we tell the exchange 2003 server to deliver the messages to the MailScanner, they do not get delivered although we can tell that they are getting pushed off to the MailScanner machine.

We had also added a line to the relay-domains file for ourdomain.com.

Thanks for any help!

From DERMODYR at ITCARLOW.IE Fri Feb 6 14:37:29 2004
From: DERMODYR at ITCARLOW.IE (Ray Dermody)
Date: Thu Jan 12 21:22:21 2006
Subject: Process did not exit cleanly, returned 255 with signal 0
Message-ID: <4023A6A8.6653.9EA1CD@localhost>

Hi Guys,

I am running RH9, Sendmail-8.12.8-9.90 and MailScanner-4.26.8-1.

I had sendmail running fine and it was running as my mail server without any problems.

I then uninstalled MailScanner but now all my mails are getting stuck in /var/spool/mqueue.in/

In the /var/log/message file I see the following being repeated consistently

Feb 6 11:18:32 mailtest root: Process did not exit cleanly, returned 255 with signal 0
Feb 6 11:19:13 mailtest last message repeated 4 times
Feb 6 11:20:23 mailtest last message repeated 7 times
Feb 6 11:21:33 mailtest last message repeated 7 times
Feb 6 11:22:43 mailtest last message repeated 7 times
Feb 6 11:23:54 mailtest last message repeated 7 times

Can anybody point me in the right direction?

Many thanks.
Ray.

From DERMODYR at ITCARLOW.IE Fri Feb 6 14:38:54 2004
From: DERMODYR at ITCARLOW.IE (Ray Dermody)
Date: Thu Jan 12 21:22:21 2006
Subject: Process did not exit cleanly, returned 255 with signal 0
Message-ID: <4023A6FE.18313.9FEEA0@localhost>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040206/b9d544c5/attachment.html

From ycayer at 3webmedia.com Fri Feb 6 15:02:26 2004
From: ycayer at 3webmedia.com (Yannick Cayer)
Date: Thu Jan 12 21:22:21 2006
Subject: MailScanner-MRTG version 0.08.01 released
In-Reply-To: A<1076023010.22569.49.camel@bach.kevinspicer.co.uk>
Message-ID: <200402061502.i16F2KY03247@3webserv2.3webmedia.com>

If I have mrtg setup in a weird place, how can I tell mailscanner-mrtg?

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer > Sent: Thursday, February 05, 2004 6:17 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MailScanner-MRTG version 0.08.01 released > > I'm pleased to announce that the latest version of > MailScanner-MRTG is now available from > http://mailscannermrtg.sourceforge.net > > This release corrects all known bugs and adds a few minor features. > > It is an essential upgrade for most users of the 0.07 series > (particularly anyone using net-snmp, or running on Solaris or > FreeBSD, or who uses perl-5.005) Users of older version may > also wish to upgrade to benefit from the extra graphs and > performance enhancements introduced at 0.07. > > Please report all issues using the forums on the sourceforge site. > > Regards > > Kevin > -- > Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) > > This message is digitally signed using the GNU Privacy Guard. > My public key may be obtained from http://www.keyserver.net > From martinh at SOLID-STATE-LOGIC.COM Fri Feb 6 15:05:33 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:21 2006
Subject: SA 2.63 upgrade
In-Reply-To: <002b01c3ecbf$61e349a0$2105a8c0@delta>
References: <002b01c3ecbf$61e349a0$2105a8c0@delta>
Message-ID: <4023AD3D.80702@solid-state-logic.com>

Chris Harris wrote:
> I upgraded SA to 2.63, and now tons of spam messages are coming through.
> There are still messages being flagged as spam, but the amount that is
> not flagged has gone up quite a bit. Has anyone else had this problem?
>
>
> Chris

Chris

check the permissions on the bayes DB...also make sure any local rules were put in /etc/mail/spamassassin and not in /usr/local/share/spamassassin

check spamassassin -D --lint -C /path/to/spam.assassin.prefs.conf

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From ycayer at 3webmedia.com Fri Feb 6 15:05:43 2004
From: ycayer at 3webmedia.com (Yannick Cayer)
Date: Thu Jan 12 21:22:21 2006
Subject: MailScanner-MRTG version 0.08.01 released
In-Reply-To: A<200402061502.i16F2KY03247@3webserv2.3webmedia.com>
Message-ID: <200402061505.i16F5bY03861@3webserv2.3webmedia.com>

:-( Never mind, I found it.

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Yannick Cayer > Sent: Friday, February 06, 2004 10:02 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner-MRTG version 0.08.01 released > > If I have mrtg setup in a weird place, how can I tell > mailscanner-mrtg? > > > -----Original Message----- > > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer > > Sent: Thursday, February 05, 2004 6:17 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: MailScanner-MRTG version 0.08.01 released > > > > I'm pleased to announce that the latest version of > MailScanner-MRTG is > > now available from http://mailscannermrtg.sourceforge.net > > > > This release corrects all known bugs and adds a few minor features. > > > > It is an essential upgrade for most users of the 0.07 series > > (particularly anyone using net-snmp, or running on Solaris > or FreeBSD, > > or who uses perl-5.005) Users of older version may also wish to > > upgrade to benefit from the extra graphs and performance > enhancements > > introduced at 0.07. > > > > Please report all issues using the forums on the sourceforge site. > > > > Regards > > > > Kevin > > -- > > Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) > > > > This message is digitally signed using the GNU Privacy Guard. > > My public key may be obtained from http://www.keyserver.net > > > From mike at CAMAROSS.NET Fri Feb 6 15:06:46 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:22:21 2006 Subject: SA 2.63 upgrade In-Reply-To: <002b01c3ecbf$61e349a0$2105a8c0@delta> Message-ID: <200402061504.i16F4xD7025912@avwall.bladeware.com> No. How did you upgrade SA? ________________________________ 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Harris Sent: Friday, February 06, 2004 8:42 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: SA 2.63 upgrade I upgraded SA to 2.63, and now tons of spam messages are coming through. There are still messages being flagged as spam, but the amount that is not flagged has went up quite a bit. Has anyone else had this problem? Chris From Kevin.Spicer at BMRB.CO.UK Fri Feb 6 15:06:17 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:21 2006 Subject: MailScanner-MRTG version 0.08.01 released Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A41@pascal.priv.bmrb.co.uk> Yannick Cayer wrote: > If I have mrtg setup in a weird place, how can I tell > mailscanner-mrtg? If you install using the install.pl script then just do --mrtg=/path/ If you use rpms then after installing edit the /etc/cron.d/mailscanner-mrtg.cron file to change the path there (its only a one line file!) >> -----Original Message----- 
>> From: MailScanner mailing list >> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer >> Sent: Thursday, February 05, 2004 6:17 PM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: MailScanner-MRTG version 0.08.01 released >> >> I'm pleased to announce that the latest version of >> MailScanner-MRTG is now available from >> http://mailscannermrtg.sourceforge.net >> >> This release corrects all known bugs and adds a few minor features. >> >> It is an essential upgrade for most users of the 0.07 series >> (particularly anyone using net-snmp, or running on Solaris or >> FreeBSD, or who uses perl-5.005) Users of older version may >> also wish to upgrade to benefit from the extra graphs and >> performance enhancements introduced at 0.07. >> >> Please report all issues using the forums on the sourceforge site. >> >> Regards >> >> Kevin >> -- >> Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) >> >> This message is digitally signed using the GNU Privacy Guard. >> My public key may be obtained from http://www.keyserver.net BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From DERMODYR at itcarlow.ie Fri Feb 6 15:11:55 2004 
From: DERMODYR at itcarlow.ie (Ray Dermody) Date: Thu Jan 12 21:22:21 2006 Subject: Process did not exit cleanly, returned 255 with signal 0 In-Reply-To: <200402061506.i16F6WD7026082@avwall.bladeware.com> References: <4023A6FE.18313.9FEEA0@localhost> Message-ID: <4023AEBA.2771.BE259C@localhost> Thanks for replying Mike. Yep I did that. MailScanner runs fine along with sendmail and spamassassin. sendmail (pid 4570 4564 4559) is running... Checking MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [ OK ] outgoing sendmail: [ OK ] spamd (pid 1705) is running... On 6 Feb 2004 at 9:08, Mike Kercher wrote: > Did you: > > chkconfig sendmail off > service sendmail stop > chkconfig MailScanner on > service MailScanner start > > > > > ________________________________ 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] > On Behalf Of Ray Dermody > Sent: Friday, February 06, 2004 8:39 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Process did not exit cleanly, returned 255 with signal > 0 > > > "I then uninstalled MailScanner but now all my mails" > > Sorry I meant I installed MailScanner. > > > Hi Guys, > > I am running RH9 , Sendmail-8.12.8-9.90 and MailScanner-4.26.8-1. > > I had sendmail running fine and it was running as my mail server > without any problems. > > I then uninstalled MailScanner but now all my mails are getting > stuck in > > /var/spool/mqueue.in/ > > In the /var/log/message file I see the following being repeated > consistently > > > > Feb 6 11:18:32 mailtest root: Process did not exit cleanly, > returned 255 with signal 0 > > Feb 6 11:19:13 mailtest last message repeated 4 times > > Feb 6 11:20:23 mailtest last message repeated 7 times > > Feb 6 11:21:33 mailtest last message repeated 7 times > > Feb 6 11:22:43 mailtest last message repeated 7 times > > Feb 6 11:23:54 mailtest last message repeated 7 times > > > > Can anybody point me in the right direction?. > > Many thanks. > > Ray. > > > > > Ray Dermody > Computing Services Technician > I.T. Carlow > 059 9176271 > > From DERMODYR at ITCARLOW.IE Fri Feb 6 15:19:51 2004 From: DERMODYR at ITCARLOW.IE (Ray Dermody) Date: Thu Jan 12 21:22:21 2006 Subject: Process did not exit cleanly, returned 255 with signal 0 Message-ID: <4023B097.28175.C56C38@localhost> Ok shut down spamd and restarted MailScanner. Still no luck :( > > On 6 Feb 2004 at 9:14, Mike Kercher wrote: > > > spamd should NOT be running. MailScanner calls it on its own > > > > Mike > > > > > > > -----Original Message----- 
> > > From: MailScanner mailing list > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ray Dermody > > > Sent: Friday, February 06, 2004 9:12 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Process did not exit cleanly, returned 255 with signal 0 > > > > > > Thanks for replying Mike. > > > Yep I did that. MailScanner runs fine along with sendmail and > > > spamassassin. > > > > > > sendmail (pid 4570 4564 4559) is running... > > > Checking MailScanner daemons: > > > MailScanner: [ OK ] > > > incoming sendmail: [ OK ] > > > outgoing sendmail: [ OK ] > > > spamd (pid 1705) is running... > > > > > > > > > > > > On 6 Feb 2004 at 9:08, Mike Kercher wrote: > > > > > > > Did you: > > > > > > > > chkconfig sendmail off > > > > service sendmail stop > > > > chkconfig MailScanner on > > > > service MailScanner start > > > > > > > > > > > > > > > > > > > > ________________________________ 
> > > > > > > > From: MailScanner mailing list > > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] > > > > On Behalf Of Ray Dermody > > > > Sent: Friday, February 06, 2004 8:39 AM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Process did not exit cleanly, returned 255 with > > > > signal 0 > > > > > > > > > > > > "I then uninstalled MailScanner but now all my mails" > > > > > > > > Sorry I meant I installed MailScanner. > > > > > > > > > Hi Guys, > > > > > I am running RH9 , Sendmail-8.12.8-9.90 and > > > MailScanner-4.26.8-1. > > > > > I had sendmail running fine and it was running as my mail > > > > server without any problems. > > > > > I then uninstalled MailScanner but now all my mails are > > > > getting stuck in > > > > > /var/spool/mqueue.in/ > > > > > In the /var/log/message file I see the following being > > > > repeated consistently > > > > > > > > > > Feb 6 11:18:32 mailtest root: Process did not exit > > > cleanly, > > > > returned 255 with signal 0 > > > > > Feb 6 11:19:13 mailtest last message repeated 4 times > > > > > Feb 6 11:20:23 mailtest last message repeated 7 times > > > > > Feb 6 11:21:33 mailtest last message repeated 7 times > > > > > Feb 6 11:22:43 mailtest last message repeated 7 times > > > > > Feb 6 11:23:54 mailtest last message repeated 7 times > > > > > > > > > > Can anybody point me in the right direction?. > > > > > Many thanks. > > > > > Ray. > > > > > > > > > > > > > > > > > Ray Dermody > > > > Computing Services Technician > > > > I.T. Carlow > > > > 059 9176271 > > > > > > > > > > > > > > > From eja at URBAKKEN.DK Fri Feb 6 15:43:41 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:21 2006 Subject: Antivir. Message-ID: <4023B62D.5070307@urbakken.dk> Hi. I'm back with my Antivir problem. Now I have written with an employed at the H+DEV, and he has told me, that my Antivir looks like being set up correct: I have run the: /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp And the result is here: # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp AntiVir / Linux Version 2.0.9-16 Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. All rights reserved. Loading /usr/lib/AntiVir/antivir.vdf ... VDF version: 6.23.0.53 created 30 Jan 2004 For private, non-commercial use only. AntiVir license: 12345678 for Erik Jakobsen, Brovst checking drive/path (list): /tmp ----- scan results ----- directories: 1 files: 15 alerts: 0 scan time: 00:00:01 ------------------------ Thank you for using AntiVir. I dont know where the problem is to be found. Does anybody do that ?. -- Erik From mailscanner at ecs.soton.ac.uk Fri Feb 6 16:18:07 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:21 2006 Subject: Process did not exit cleanly, returned 255 with signal 0 In-Reply-To: <4023B097.28175.C56C38@localhost> References: <4023B097.28175.C56C38@localhost> Message-ID: <6.0.1.1.2.20040206161751.03b73150@imap.ecs.soton.ac.uk> What does your maillog say? Anything from MailScanner in there? At 15:19 06/02/2004, you wrote: >Ok shut down spamd and restarted MailScanner. Still no luck :( > > > > On 6 Feb 2004 at 9:14, Mike Kercher wrote: > > > > > spamd should NOT be running. MailScanner calls it on its own > > > > > > Mike > > > > > > > > > > -----Original Message----- 
> > > > From: MailScanner mailing list
> > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ray Dermody
> > > > Sent: Friday, February 06, 2004 9:12 AM
> > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > Subject: Re: Process did not exit cleanly, returned 255 with signal 0
> > > >
> > > > Thanks for replying Mike.
> > > > Yep I did that. MailScanner runs fine along with sendmail and
> > > > spamassassin.
> > > >
> > > > sendmail (pid 4570 4564 4559) is running...
> > > > Checking MailScanner daemons:
> > > > MailScanner: [ OK ]
> > > > incoming sendmail: [ OK ]
> > > > outgoing sendmail: [ OK ]
> > > > spamd (pid 1705) is running...
> > > >
> > > >
> > > > On 6 Feb 2004 at 9:08, Mike Kercher wrote:
> > > >
> > > > > Did you:
> > > > >
> > > > > chkconfig sendmail off
> > > > > service sendmail stop
> > > > > chkconfig MailScanner on
> > > > > service MailScanner start
> > > > >
> > > > >
> > > > > ________________________________
> > > > >
> > > > > From: MailScanner mailing list
> > > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK]
> > > > > On Behalf Of Ray Dermody
> > > > > Sent: Friday, February 06, 2004 8:39 AM
> > > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > > Subject: Re: Process did not exit cleanly, returned 255 with
> > > > > signal 0
> > > > >
> > > > > "I then uninstalled MailScanner but now all my mails"
> > > > >
> > > > > Sorry I meant I installed MailScanner.
> > > > >
> > > > > > Hi Guys,
> > > > > > I am running RH9 , Sendmail-8.12.8-9.90 and MailScanner-4.26.8-1.
> > > > > > I had sendmail running fine and it was running as my mail
> > > > > > server without any problems.
> > > > > > I then uninstalled MailScanner but now all my mails are
> > > > > > getting stuck in
> > > > > > /var/spool/mqueue.in/
> > > > > > In the /var/log/message file I see the following being
> > > > > > repeated consistently
> > > > > >
> > > > > > Feb 6 11:18:32 mailtest root: Process did not exit cleanly, returned 255 with signal 0
> > > > > > Feb 6 11:19:13 mailtest last message repeated 4 times
> > > > > > Feb 6 11:20:23 mailtest last message repeated 7 times
> > > > > > Feb 6 11:21:33 mailtest last message repeated 7 times
> > > > > > Feb 6 11:22:43 mailtest last message repeated 7 times
> > > > > > Feb 6 11:23:54 mailtest last message repeated 7 times
> > > > > >
> > > > > > Can anybody point me in the right direction?.
> > > > > > Many thanks.
> > > > > > Ray.
> > > > >
> > > > > Ray Dermody
> > > > > Computing Services Technician
> > > > > I.T. Carlow
> > > > > 059 9176271

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From bpumphrey at WOODMACLAW.COM Fri Feb 6 16:35:26 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:21 2006
Subject: Mail pending 754
Message-ID:

1. Ok, I'll turn that off.

2. I don't know how to check to see what queue directories are configured, any tips?

Thank you

-----Original Message-----
From: David While [mailto:David.While@UCE.AC.UK]
Sent: Friday, February 06, 2004 9:34 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail pending 754

A couple of questions/comments:

1. You shouldn't be bouncing any spam responses. If you have 480 of these then they are taking up system resources every time your MTA tries to send them.

2. Do you have more than one queue directory configured? Most MTAs will allow it and mailstats can be configured to count messages in those directories as well.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Billy A. Pumphrey
Sent: 06 February 2004 14:25
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail pending 754

Sorry for my newbness to Linux in general.

Ok, I did mailq and it came up with 480 entries. From the entries I'm guessing that I shouldn't care about these because they are for example:

i13I6CcX001139 747 Tue Feb 3 13:06 <>
 (Deferred: Connection timed out with mail2.prizeservers.com.)

Message-ID: <200402061652.i16Gq0D7009936@avwall.bladeware.com>

mailq will tell you

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Billy A. Pumphrey
> Sent: Friday, February 06, 2004 10:35 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mail pending 754
>
> 1. Ok, I'll turn that off.
>
> 2. I don't know how to check to see what queue directories
> are configured, any tips?
>
> Thank you
>
> -----Original Message-----
> From: David While [mailto:David.While@UCE.AC.UK]
> Sent: Friday, February 06, 2004 9:34 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mail pending 754
>
> A couple of questions/comments:
>
> 1. You shouldn't be bouncing any spam responses. If you have
> 480 of these then they are taking up system resources every
> time your MTA tries to send them.
>
> 2. Do you have more than one queue directory configured? Most
> MTAs will allow it and mailstats can be configured to count
> messages in those directories as well.
>
> -----------------------------------------------------------------
> David While
> Technical Development Manager
> Faculty of Computing, Information & English University of
> Central England
> Tel: 0121 331 6211
> -----------------------------------------------------------------
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Billy A. Pumphrey
> Sent: 06 February 2004 14:25
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mail pending 754
>
>
> Sorry for my newbness to Linux in general.
>
> Ok, I did mailq and it came up with 480 entries. From the
> entries I'm guessing that I shouldn't care about these
> because they are for example:
>
> i13I6CcX001139 747 Tue Feb 3 13:06 <>
> (Deferred: Connection timed out with
> mail2.prizeservers.com.)
>
>
> They look like spam things. So what happened to the other
> 500 or so emails that mailstats says in queue? Or should I
> not even worry about it. It just seems that my 500mhz
> machine might not be keeping up.
>
> -----Original Message-----
> From: David While [mailto:David.While@UCE.AC.UK]
> Sent: Friday, February 06, 2004 9:05 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mail pending 754
>
> Mailstats counts the number of mails pending by counting the
> number of qf files in the directories configured. It is
> possible that you have qf files being left without the
> corresponding df files. As someone previously said you could
> type mailq at the prompt to see what the queue tells you.
> -----------------------------------------------------------------
> David While
> Technical Development Manager
> Faculty of Computing, Information & English University of
> Central England
> Tel: 0121 331 6211
> -----------------------------------------------------------------
>
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Billy A. Pumphrey
> Sent: 06 February 2004 14:02
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mail pending 754
>
>
> Now it says 954. Someone please tell me what this means?
> Does it mean what it says, that there are almost a 1000
> emails waiting to be delivered? No one has said anything to
> make it seem this way though.
>
> -----Original Message-----
> From: Billy A. Pumphrey
> Sent: Thursday, February 05, 2004 5:30 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Mail pending 754
>
> On my stats it says "Mail pending 754"
>
> Is this a big number? I use mailstats and that's what it shows.
>
> More:
> Mail Analysis
> General Mail Statistics
> Data since December 23 2003 13:42:20 - Data up to February 5 2004 17:20:02 EST (44.2 days)
> Total messages handled 87,995 | Messages rejected 187 | Total data handled 1.09G bytes | Spam received 42,062
> Messages handled successfully 87,808 | Rejection rate 0.21% | Average message size 13K bytes | Blocked IPs 0
> Average messages per day 1,995 | Viruses detected 2,088 | Rejected in last 5 mins 0 | Spam rate 47.90%
> Messages in last 5 mins 25 | Infection rate 2.38% | Mail pending 754 | AV Updated Feb 5 17:01:03
>

From webmaster at sapl.ab.ca Fri Feb 6 18:07:27 2004
From: webmaster at sapl.ab.ca (webmaster)
Date: Thu Jan 12 21:22:21 2006
Subject: OT? Spamassassin's auto-whitelisting and MailScanner
Message-ID: <3749.192.168.128.190.1076090847.squirrel@192.168.128.190>

I've been watching some of the spam I've been receiving as of late and
noticing that some spam with a score above the mark I've set has been
getting into the mailbox declared as non-spam (auto whitelisted). Here is
a sample header:

X-sapl.ab.ca-MailScanner-SpamCheck: not spam (whitelisted),
        SpamAssassin (score=22.391, required 9, AS_SEEN_ON 1.49,
        BANG_GUARANTEE 1.00, BAYES_99 5.40, DATE_IN_PAST_96_XX 1.53,
        DNS_FROM_RFCI_DSN 0.29, HTML_MESSAGE 0.10, INCREASE_SEX 1.73,
        LOSEBODYFAT 2.88, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32,
        RAVAGESOFAGING 1.98, REVERSE_AGING 1.00, WRINKLES 4.10)

Until just recently I had:

SpamAssassin Auto Whitelist = yes

in my MailScanner.conf set. I just changed this to 'no' 5 minutes ago I
changed this and reset SIGHUP'd all my MailScanner Processes on the mail
server.

Am I right in thinking that by setting this option in MailScanner.conf
*should* be able to take high-scoring spam (and in my case, as set in my
high scoring spam options, delete) the spam and not pass it along to the
mailbox? Is there a way in SpamAssassin to automatically blacklist
highscoring spam?

I'm a MailScanner/SpamAssassin novice so any suggestions are greatly
appreciated. I'm currently running MailScanner version 4.23-11 and
SpamAssassin 2.61.

Thanks In Advance,

Peter Verhagen
St. Albert Public Library

From cwharris at MORGAN.NET Fri Feb 6 19:22:33 2004
From: cwharris at MORGAN.NET (Chris Harris)
Date: Thu Jan 12 21:22:21 2006
Subject: SA 2.63 upgrade
References: <200402061504.i16F4xD7025912@avwall.bladeware.com>
Message-ID: <000801c3ece6$923c3b80$2105a8c0@delta>

I upgraded SA via CPAN

----- Original Message -----
From: "Mike Kercher"
To:
Sent: Friday, February 06, 2004 9:06 AM
Subject: Re: SA 2.63 upgrade

> No. How did you upgrade SA?
>
>
>
> ________________________________
>
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]
> On Behalf Of Chris Harris
> Sent: Friday, February 06, 2004 8:42 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: SA 2.63 upgrade
>
>
> I upgraded SA to 2.63, and now tons of spam messages are coming
> through. There are still messages being flagged as spam, but the amount that
> is not flagged has went up quite a bit. Has anyone else had this problem?
>
>
> Chris
>

From dickenson at CFMC.COM Fri Feb 6 20:16:40 2004
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:22:21 2006
Subject: SA 2.63 upgrade
In-Reply-To: <000801c3ece6$923c3b80$2105a8c0@delta>
Message-ID:

I am seeing the same problem. I updated, as I have always done, via RPM.
What I am seeing is that none of the standard rules are getting tripped,
just the RulesDuJour additions I have installed.

I originally had the RulesDuJour .cf file in /usr/share/spamassassin along
with the ones distributed with SA. I have moved them to
/etc/mail/spamassassin but I am still seeing the same behavior.

I also see that all the stuff that is spam is being auto-learned in my bayes
files. What is the best way to stop using bayes files and then creating new
ones. I need to get this problem sorted out before I can try to get my bayes
files loaded again.

TIA,
--
Jim Dickenson
mailto:dickenson@cfmc.com

Computers for Marketing Corporation
http://www.cfmc.com/

> From: Chris Harris
> Reply-To: MailScanner mailing list
> Date: Fri, 6 Feb 2004 13:22:33 -0600
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SA 2.63 upgrade
>
> I upgraded SA via CPAN
>
> ----- Original Message -----
> From: "Mike Kercher"
> To:
> Sent: Friday, February 06, 2004 9:06 AM
> Subject: Re: SA 2.63 upgrade
>
>
>> No. How did you upgrade SA?
>>
>>
>>
>> ________________________________
>>
>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]
>> On Behalf Of Chris Harris
>> Sent: Friday, February 06, 2004 8:42 AM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: SA 2.63 upgrade
>>
>>
>> I upgraded SA to 2.63, and now tons of spam messages are coming
>> through. There are still messages being flagged as spam, but the amount that
>> is not flagged has went up quite a bit. Has anyone else had this problem?
>>
>>
>> Chris
>>

From mike at CAMAROSS.NET Fri Feb 6 20:37:46 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:21 2006
Subject: SA 2.63 upgrade
In-Reply-To:
Message-ID: <200402062036.i16KZxD7008730@avwall.bladeware.com>

The recommendation is to NOT use the rpm to install/upgrade SpamAssassin
unless you recompile the rpm from the .src.rpm

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jim Dickenson
> Sent: Friday, February 06, 2004 2:17 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SA 2.63 upgrade
>
> I am seeing the same problem. I updated, as I have always
> done, via RPM.
> What I am seeing is that none of the standard rules are
> getting tripped, just the RulesDuJour additions I have installed.
>
> I originally had the RulesDuJour .cf file in
> /usr/share/spamassassin along with the ones distributed with
> SA. I have moved them to /etc/mail/spamassassin but I am
> still seeing the same behavior.
>
> I also see that all the stuff that is spam is being
> auto-learned in my bayes files. What is the best way to stop
> using bayes files and then creating new ones. I need to get
> this problem sorted out before I can try to get my bayes
> files loaded again.
>
> TIA,
> --
> Jim Dickenson
> mailto:dickenson@cfmc.com
>
> Computers for Marketing Corporation
> http://www.cfmc.com/
>
>
> > From: Chris Harris
> > Reply-To: MailScanner mailing list
> > Date: Fri, 6 Feb 2004 13:22:33 -0600
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: SA 2.63 upgrade
> >
> > I upgraded SA via CPAN
> >
> > ----- Original Message -----
> > From: "Mike Kercher"
> > To:
> > Sent: Friday, February 06, 2004 9:06 AM
> > Subject: Re: SA 2.63 upgrade
> >
> >
> >> No. How did you upgrade SA?
> >>
> >>
> >>
> >> ________________________________
> >>
> >> From: MailScanner mailing list
> >> [mailto:MAILSCANNER@JISCMAIL.AC.UK]
> >> On Behalf Of Chris Harris
> >> Sent: Friday, February 06, 2004 8:42 AM
> >> To: MAILSCANNER@JISCMAIL.AC.UK
> >> Subject: SA 2.63 upgrade
> >>
> >>
> >> I upgraded SA to 2.63, and now tons of spam messages are
> >> coming through. There are still messages being flagged as spam, but
> >> the amount that
> >> is not flagged has went up quite a bit. Has anyone else had this problem?
> >>
> >>
> >> Chris
> >>
>

From dickenson at CFMC.COM Fri Feb 6 20:57:22 2004
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:22:21 2006
Subject: SA 2.63 upgrade
In-Reply-To: <200402062036.i16KZxD7008730@avwall.bladeware.com>
Message-ID:

I have seen that mentioned in the list before but as it has always worked
for me I did not know exactly why people make the recommendation.

In addition SA is being called, what is not happening is that email that had
tripped many rules before are not tripping those rules. I have seen email
that for some time had been receiving scores in the teens now receive a
score of 0.
--
Jim Dickenson
mailto:dickenson@cfmc.com

Computers for Marketing Corporation
http://www.cfmc.com/

> From: Mike Kercher
> Reply-To: MailScanner mailing list
> Date: Fri, 6 Feb 2004 14:37:46 -0600
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SA 2.63 upgrade
>
> The recommendation is to NOT use the rpm to install/upgrade SpamAssassin
> unless you recompile the rpm from the .src.rpm
>
> Mike
>
>
>> -----Original Message-----
>>>>
>>>> From: MailScanner mailing list
>>>> [mailto:MAILSCANNER@JISCMAIL.AC.UK]
>>>> On Behalf Of Chris Harris
>>>> Sent: Friday, February 06, 2004 8:42 AM
>>>> To: MAILSCANNER@JISCMAIL.AC.UK
>>>> Subject: SA 2.63 upgrade
>>>>
>>>>
>>>> I upgraded SA to 2.63, and now tons of spam messages are
>>>> coming through. There are still messages being flagged as spam, but
>>>> the amount that
>>>> is not flagged has went up quite a bit. Has anyone else had this problem?
>>>>
>>>>
>>>> Chris
>>>>
>>

From andy at WILDBRAIN.COM Fri Feb 6 20:58:05 2004
From: andy at WILDBRAIN.COM (Andy Moran)
Date: Thu Jan 12 21:22:21 2006
Subject: HTML msg quarantined is warning mail instead of content
In-Reply-To:
References:
Message-ID: <4023FFDD.5030802@wildbrain.com>

Can anyone verify if this bug is still a problem in MailScanner 4.26.8
or if it has been fixed? We, like Garry, had to set "Quarantine Entire
Message" on as a workaround in 4.25-14.

--Andy

Garry Glendown wrote:

> Hi,
>
> one of our users just requested the HTML contents of a mail that was
> filtered by MailScanner (4.25-11). Anyway, the file in the quarantine
> directory is not the content of the mail, but rather the mail that was sent
> out instead - the original content is lost. I have checked other HTML files
> that MailScanner removed from incoming mails - it seems like about half of
> all the files are the original content, whereas the other half is the
> warning mails instead.
> Has anybody else noticed this yet?
>
> Tnx, -garry
>

From mkettler at EVI-INC.COM Fri Feb 6 21:06:14 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:21 2006
Subject: OT? Spamassassin's auto-whitelisting and MailScanner
In-Reply-To: <3749.192.168.128.190.1076090847.squirrel@192.168.128.190>
References: <3749.192.168.128.190.1076090847.squirrel@192.168.128.190>
Message-ID: <6.0.0.22.0.20040206160548.0264c390@xanadu.evi-inc.com>

At 01:07 PM 2/6/2004, webmaster wrote:
>I've been watching some of the spam I've been receiving as of late and
>noticing that some spam with a score above the mark I've set has been
>getting into the mailbox declared as non-spam (auto whitelisted). Here is
>a sample header:
>
>X-sapl.ab.ca-MailScanner-SpamCheck: not spam (whitelisted),
>         SpamAssassin (score=22.391, required 9, AS_SEEN_ON 1.49,
>         BANG_GUARANTEE 1.00, BAYES_99 5.40, DATE_IN_PAST_96_XX 1.53,
>         DNS_FROM_RFCI_DSN 0.29, HTML_MESSAGE 0.10, INCREASE_SEX 1.73,
>         LOSEBODYFAT 2.88, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32,
>         RAVAGESOFAGING 1.98, REVERSE_AGING 1.00, WRINKLES 4.10)

Um.. the (whitelisted) does not mean that SA's AWL kicked in.. that means
that MAILSCANNER whitelisted it.

From shrek-m at GMX.DE Fri Feb 6 21:04:34 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:21 2006
Subject: SA 2.63 upgrade
In-Reply-To:
References:
Message-ID: <40240162.7010707@gmx.de>

Jim Dickenson wrote:

>I have seen that mentioned
>

what have you seen mentioned ?? ;-)

> in the list before but as it has always worked
>for me I did not know exactly why people make the recommendation.
>
>In addition SA is being called, what is not happening is that email that had
>tripped many rules before are not tripping those rules. I have seen email
>that for some time had been receiving scores in the teens now receive a
>score of 0.
>--
>Jim Dickenson
>mailto:dickenson@cfmc.com
>
>Computers for Marketing Corporation
>http://www.cfmc.com/
>>>>>
>>>>> From: MailScanner mailing list
>>>>> [mailto:MAILSCANNER@JISCMAIL.AC.UK]
>>>>> On Behalf Of Chris Harris
>>>>> Sent: Friday, February 06, 2004 8:42 AM
>>>>> To: MAILSCANNER@JISCMAIL.AC.UK
>>>>> Subject: SA 2.63 upgrade
>>>>>
>>>>>
>>>>> I upgraded SA to 2.63, and now tons of spam messages are
>>>>> coming through. There are still messages being flagged as spam, but
>>>>> the amount that
>>>>> is not flagged has went up quite a bit. Has anyone else had this problem?
>>>>>
>>>>> Chris
>>>>>
>
>

--
shrek-m

From henker at S-H-COM.DE Fri Feb 6 21:05:55 2004
From: henker at S-H-COM.DE (Steffan Henke)
Date: Thu Jan 12 21:22:21 2006
Subject: SA 2.63 upgrade
In-Reply-To:
References:
Message-ID:

On Fri, 6 Feb 2004, Jim Dickenson wrote:

> I have seen that mentioned in the list before but as it has always worked
> for me I did not know exactly why people make the recommendation.

...because it often does *not* work. There were so many people who had
probs with the rpm, so manual installation is recommended.

Regards,

Steffan

From webmaster at sapl.ab.ca Fri Feb 6 21:20:47 2004
From: webmaster at sapl.ab.ca (webmaster)
Date: Thu Jan 12 21:22:22 2006
Subject: OT? Spamassassin's auto-whitelisting and MailScanner
In-Reply-To: <6.0.0.22.0.20040206160548.0264c390@xanadu.evi-inc.com>
References: <3749.192.168.128.190.1076090847.squirrel@192.168.128.190> <6.0.0.22.0.20040206160548.0264c390@xanadu.evi-inc.com>
Message-ID: <3938.192.168.128.190.1076102447.squirrel@192.168.128.190>

Interesting indeed. Then it must mean that I have a problem with my
blacklist rules file. I'm going to take out the reference to my blacklist
rules file and see if that helps.

Thanks for the heads up.

Peter Verhagen

> At 01:07 PM 2/6/2004, webmaster wrote:
>>I've been watching some of the spam I've been receiving as of late and
>>noticing that some spam with a score above the mark I've set has been
>>getting into the mailbox declared as non-spam (auto whitelisted). Here is
>>a sample header:
>>
>>X-sapl.ab.ca-MailScanner-SpamCheck: not spam (whitelisted),
>>         SpamAssassin (score=22.391, required 9, AS_SEEN_ON 1.49,
>>         BANG_GUARANTEE 1.00, BAYES_99 5.40, DATE_IN_PAST_96_XX 1.53,
>>         DNS_FROM_RFCI_DSN 0.29, HTML_MESSAGE 0.10, INCREASE_SEX 1.73,
>>         LOSEBODYFAT 2.88, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32,
>>         RAVAGESOFAGING 1.98, REVERSE_AGING 1.00, WRINKLES 4.10)
>
> Um.. the (whitelisted) does not mean that SA's AWL kicked in.. that means
> that MAILSCANNER whitelisted it.
>
>

From rzewnickie at RFA.ORG Fri Feb 6 21:33:00 2004
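The distinction drawn in the exchange above (a MailScanner whitelist match, not SpamAssassin's AWL, produces the "(whitelisted)" verdict) can be audited from delivered mail. The following is an added example, not part of any list message and not MailScanner code: it parses the SpamCheck header in the two shapes quoted in this thread and lists messages delivered as "not spam (whitelisted)" although their score met the required threshold. The function names and every sample message other than the first header value are constructed.

```python
import email
import re

# Only the two header shapes quoted in the thread are recognised (assumption).
SPAMCHECK_RE = re.compile(
    r"^(?P<verdict>not spam|spam)(?P<wl> \(whitelisted\))?, "
    r"SpamAssassin \(score=(?P<score>-?\d+(?:\.\d+)?), "
    r"required (?P<required>-?\d+(?:\.\d+)?)"
    r"(?P<rules>(?:, \w+ -?\d+(?:\.\d+)?)*)\)$"
)
RULE_RE = re.compile(r", (\w+) (-?\d+(?:\.\d+)?)")

SAMPLE_MESSAGES = [
    # Header value as quoted in the thread; From and Subject are constructed.
    "From: offers@bulk.example\n"
    "Subject: constructed sample 1\n"
    "X-sapl.ab.ca-MailScanner-SpamCheck: not spam (whitelisted),\n"
    "\tSpamAssassin (score=22.391, required 9, AS_SEEN_ON 1.49,\n"
    "\tBANG_GUARANTEE 1.00, BAYES_99 5.40, DATE_IN_PAST_96_XX 1.53,\n"
    "\tDNS_FROM_RFCI_DSN 0.29, HTML_MESSAGE 0.10, INCREASE_SEX 1.73,\n"
    "\tLOSEBODYFAT 2.88, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32,\n"
    "\tRAVAGESOFAGING 1.98, REVERSE_AGING 1.00, WRINKLES 4.10)\n"
    "\nbody\n",
    # Constructed: flagged as spam, no whitelist involved.
    "From: someone@other.example\n"
    "X-CfMC-MailScanner-SpamCheck: spam, SpamAssassin (score=17.565,\n"
    "\trequired 5, FORGED_OUTLOOK_TAGS 1.10, TW_BF 0.08)\n"
    "\nbody\n",
    # Constructed: whitelisted and low-scoring, which is the intended use.
    "From: colleague@partner.example\n"
    "X-sapl.ab.ca-MailScanner-SpamCheck: not spam (whitelisted),\n"
    "\tSpamAssassin (score=1.2, required 9, HTML_MESSAGE 0.10, DEMO_RULE 1.10)\n"
    "\nbody\n",
    # Constructed: message that never passed through the scanner.
    "From: local@intranet.example\n\nbody\n",
]


def parse_spamcheck(value):
    """Parse one SpamCheck header value; return None for any other shape."""
    flat = " ".join(value.split())  # undo header folding
    m = SPAMCHECK_RE.match(flat)
    if m is None:
        return None
    return {
        "verdict": m.group("verdict"),
        "whitelisted": m.group("wl") is not None,
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "rules": {n: float(s) for n, s in RULE_RE.findall(m.group("rules"))},
    }


def spamcheck_from_message(raw):
    """Find the site-specific X-...-MailScanner-SpamCheck header and parse it."""
    msg = email.message_from_string(raw)
    for name, value in msg.items():
        if name.lower().endswith("-mailscanner-spamcheck"):
            return parse_spamcheck(value)
    return None


def whitelist_overrides(raw_messages):
    """Messages marked 'not spam (whitelisted)' whose score met the threshold."""
    hits = []
    for raw in raw_messages:
        rec = spamcheck_from_message(raw)
        if rec and rec["whitelisted"] and rec["score"] >= rec["required"]:
            # The sender is only a pointer for reviewing the whitelist rules.
            rec["sender"] = email.message_from_string(raw).get("From", "")
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in whitelist_overrides(SAMPLE_MESSAGES):
        top = sorted(hit["rules"].items(), key=lambda kv: -kv[1])[:3]
        print(hit["sender"], hit["score"], "required", hit["required"], top)
```

Each hit is a message that a whitelist entry let through despite its score, so the sender it reports is where to start when reviewing the whitelist rules file.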
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:22 2006
Subject: SA 2.63 upgrade
In-Reply-To:
References: <000801c3ece6$923c3b80$2105a8c0@delta>
Message-ID: <20040206213300.GE9261@rfa.org>

On Fri, Feb 06, 2004 at 12:16:40PM -0800, Jim Dickenson wrote:
> files. What is the best way to stop using bayes files and then creating new
> ones. I need to get this problem sorted out before I can try to get my bayes
> files loaded again.

I don't know if it's the right way, but I just moved my
/var/spool/MailScanner/spamassassin/bayes_* to /tmp and retrained bayes

Seemed to work for me.

Note: I have not upgraded to 2.63, yet. My bayes files were corrupted
somehow around the time of the debian perl security update that came out
earlier this week.

-Eric

From james at grayonline.id.au Fri Feb 6 22:43:04 2004
From: james at grayonline.id.au (James Gray)
Date: Thu Jan 12 21:22:22 2006
Subject: SA 2.63 upgrade
In-Reply-To:
References:
Message-ID: <200402070943.04859.james@grayonline.id.au>

On Sat, 7 Feb 2004 07:16 am, Jim Dickenson wrote:
> I am seeing the same problem. I updated, as I have always done, via RPM.
> What I am seeing is that none of the standard rules are getting tripped,
> just the RulesDuJour additions I have installed.
>
> I originally had the RulesDuJour .cf file in /usr/share/spamassassin
> along with the ones distributed with SA. I have moved them to
> /etc/mail/spamassassin but I am still seeing the same behavior.
>
> I also see that all the stuff that is spam is being auto-learned in my
> bayes files. What is the best way to stop using bayes files and then
> creating new ones. I need to get this problem sorted out before I can try
> to get my bayes files loaded again.
>
> TIA,
> --
> Jim Dickenson

Jim,

I posted a similar problem to this list a few weeks ago when I upgraded my
FreeBSD box via "ports" (fBSD "packages" for want of a better term). All my
custom rules were being tripped but none of the standard SA2.63 rules.

The problem was that between 2.61 -> 2.63 the fBSD port maintainer had moved
the location of the standard rules from /usr/share/spamassassin to
/usr/local/share/spamassassin. All I needed to do was manually tell
MailScanner where the SpamAssassin files were, restart and voila!

Here's the relevant lines from MailScanner.conf:

SpamAssassin Local Rules Dir = /etc/mail/spamassassin
SpamAssassin Default Rules Dir = /usr/local/share/spamassassin

Hope that helps :) The problem is that all the default SA rules are
version-specific. You can ONLY use 2.63 rules with SA2.63 etc. Sounds like
your spamassassin is finding the older 2.61 rules with the 2.63 engine which
means it will ignore them - have a look in the standard rules files; there's
a "require 2.63" or something similar at the top of each one. DON'T change
this BTW, this will break things even worse than it already is.

Cheers,

James
--
Fortune cookies says:
The price one pays for pursuing any profession, or calling, is an intimate
knowledge of its ugly side.
                -- James Baldwin

From dickenson at CFMC.COM Fri Feb 6 22:50:10 2004
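The failure described in the message above (stock rules silently ignored because the rules directory holds files written for another release) can be caught with a check like the following. This is an added example, not part of any list message and not MailScanner or SpamAssassin code. It reads the "SpamAssassin Default Rules Dir" setting quoted above and compares the `require_version` line of each rule file with the engine version, which is passed in by the caller (for example as reported by `spamassassin -V`). It assumes the rule files pin the exact version string of their release; the function names and the sample rule trees are constructed.

```python
import os
import re
import tempfile

CONF_LINE = re.compile(r"^\s*([^#=]+?)\s*=\s*(.*?)\s*$")
REQUIRE = re.compile(r"^\s*require_version\s+(\S+)", re.MULTILINE)
DEFAULT_KEY = "SpamAssassin Default Rules Dir"


def conf_value(conf_text, key):
    """Return the first 'key = value' setting in MailScanner.conf text, or None."""
    for line in conf_text.splitlines():
        m = CONF_LINE.match(line)  # comment lines start with '#' and never match
        if m and m.group(1).lower() == key.lower():
            return m.group(2)
    return None


def pinned_versions(rules_dir):
    """Map each *.cf file in rules_dir to the version on its require_version line."""
    pins = {}
    for name in sorted(os.listdir(rules_dir)):
        if name.endswith(".cf"):
            with open(os.path.join(rules_dir, name), encoding="latin-1") as fh:
                m = REQUIRE.search(fh.read())
            pins[name] = m.group(1) if m else None
    return pins


def check_default_rules(conf_text, engine_version):
    """Return a list of findings; an empty list means the directory matches."""
    rules_dir = conf_value(conf_text, DEFAULT_KEY)
    if not rules_dir:
        return [f"{DEFAULT_KEY} is not set"]
    if not os.path.isdir(rules_dir):
        return [f"{rules_dir}: directory does not exist"]
    pins = pinned_versions(rules_dir)
    if not pins:
        return [f"{rules_dir}: no .cf rule files"]
    return [
        f"{rules_dir}/{name}: written for {pin}, engine is {engine_version}"
        for name, pin in pins.items()
        if pin is not None and pin != engine_version
    ]


def build_demo(root):
    """Create two constructed rule trees (2.61 and 2.63) under root."""
    paths = {}
    for label, version in (("old", "2.61"), ("new", "2.63")):
        rules_dir = os.path.join(root, label, "share", "spamassassin")
        os.makedirs(rules_dir)
        for name in ("20_head_tests.cf", "20_body_tests.cf"):
            with open(os.path.join(rules_dir, name), "w") as fh:
                fh.write(f"# constructed sample\nrequire_version {version}\n"
                         "header DEMO_RULE Subject =~ /demo/\n")
        paths[label] = rules_dir
    return paths


def demo():
    """Run the check against a stale and a corrected setting."""
    with tempfile.TemporaryDirectory() as root:
        paths = build_demo(root)
        stale = check_default_rules(f"{DEFAULT_KEY} = {paths['old']}\n", "2.63")
        fixed = check_default_rules(
            f"# after the fix\n{DEFAULT_KEY} = {paths['new']}\n", "2.63")
        return stale, fixed


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```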
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:22:22 2006
Subject: SA 2.63 upgrade
In-Reply-To: <40240162.7010707@gmx.de>
Message-ID:

What I have seen is people recommend not using the RPM. I have not seen a
reason for that. This is why I am asking.

I have not had a problem using the RPM since I started using MS a few months
ago, until this update. My original install of SA was via RPM files and I
have used them to do updates since. I had SA running without MS at first and
added MS with clamAV some time after.

I do not know what is going on with the current version of SA but some
scanning is being done as I get some spam flagged like this:

X-CfMC-MailScanner-SpamCheck: spam, SpamAssassin (score=17.565, required 5,
        BigEvilList_108 3.00, BigEvilList_79 3.00, FORGED_OUTLOOK_TAGS 1.10,
        J_BACKHAIR_12 1.00, J_BACKHAIR_13 1.00, J_BACKHAIR_15 1.00,
        J_BACKHAIR_22 1.00, J_BACKHAIR_35 1.00, J_BACKHAIR_42 1.00,
        J_BACKHAIR_51 1.00, J_BACKHAIR_53 1.00, TW_BF 0.08, TW_BT 0.08,
        TW_BZ 0.08, TW_CQ 0.08, TW_DJ 0.08, TW_DW 0.08, TW_FC 0.08,
        TW_FQ 0.08, TW_JD 0.08, TW_JP 0.08, TW_KK 0.08, TW_KP 0.08,
        TW_LB 0.08, TW_MV 0.08, TW_PD 0.08, TW_QD 0.08, TW_QH 0.08,
        TW_QR 0.08, TW_QU 0.08, TW_QY 0.08, TW_SF 0.08, TW_TD 0.08,
        TW_VG 0.08, TW_VU 0.08, TW_WB 0.08, TW_WC 0.08, TW_WQ 0.08,
        TW_WZ 0.08, TW_XV 0.08, TW_YZ 0.08, TW_ZT 0.08, TW_ZW 0.08)

but only a very few non RulesDuJour rules are being triggered.

I think I have successfully disabled bayes but that has not changed things.

I updated SA yesterday at about 8AM. As you can see the "caught" spam has
fallen off since then:

Date    Mail    Spam    %      Virus   %     Volume
28/01   2,289   1,179   51.5   58      2.5   13.3Mb
29/01   8,223   4,224   51.4   222     2.7   73Mb
30/01   8,185   4,245   51.9   198     2.4   89Mb
31/01   6,883   3,685   53.5   94      1.4   27.6Mb
01/02   7,167   3,992   55.7   83      1.2   46.1Mb
02/02   8,304   4,280   51.5   138     1.7   66.1Mb
03/02   8,724   4,375   50.1   138     1.6   67.2Mb
04/02   8,498   4,282   50.4   125     1.5   120.3Mb
05/02   8,454   2,376   28.1   121     1.4   137.3Mb
06/02   5,143   828     16.1   81      1.6   66.2Mb

--
Jim Dickenson
mailto:dickenson@cfmc.com

Computers for Marketing Corporation
http://www.cfmc.com/

> From: "shrek-m@gmx.de"
> Reply-To: MAILSCANNER@JISCMAIL.AC.UK
> Date: Fri, 6 Feb 2004 22:04:34 +0100
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SA 2.63 upgrade
>
> Jim Dickenson wrote:
>
>> I have seen that mentioned
>>
>
> what have you seen mentioned ?? ;-)
>
>
>> in the list before but as it has always worked
>> for me I did not know exactly why people make the recommendation.
>>
>> In addition SA is being called, what is not happening is that email that had
>> tripped many rules before are not tripping those rules. I have seen email
>> that for some time had been receiving scores in the teens now receive a
>> score of 0.
>> --
>> Jim Dickenson
>> mailto:dickenson@cfmc.com
>>
>> Computers for Marketing Corporation
>> http://www.cfmc.com/
>>
>>
>>> From: Mike Kercher
>>> Reply-To: MailScanner mailing list
>>> Date: Fri, 6 Feb 2004 14:37:46 -0600
>>> To: MAILSCANNER@JISCMAIL.AC.UK
>>> Subject: Re: SA 2.63 upgrade
>>>
>>> The recommendation is to NOT use the rpm to install/upgrade SpamAssassin
>>> unless you recompile the rpm from the .src.rpm
>>>
>>> Mike
>>>
>>>
>>>> -----Original Message-----
>>>>>> From: MailScanner mailing list >>>>>> [mailto:MAILSCANNER@JISCMAIL.AC.UK] >>>>>> On Behalf Of Chris Harris >>>>>> Sent: Friday, February 06, 2004 8:42 AM >>>>>> To: MAILSCANNER@JISCMAIL.AC.UK >>>>>> Subject: SA 2.63 upgrade >>>>>> >>>>>> >>>>>> I upgraded SA to 2.63, and now tons of spam messages are >>>>>> coming through. There are still messages being flagged as >>>>>> >>>>>> >>>> spam, but >>>> >>>> >>>>>> the amount >>>>>> >>>>>> >>>>> that >>>>> >>>>> >>>>>> is not flagged has went up quite a bit. Has anyone else >>>>>> >>>>>> >>>> had this problem? >>>> >>>> >>>>>> Chris >>>>>> >>>>>> >>>>>> >> >> >> >> > > > -- > shrek-m From victor at PIXELMAGICFX.COM Sat Feb 7 00:29:59 2004 From: victor at PIXELMAGICFX.COM (Victor DiMichina) Date: Thu Jan 12 21:22:22 2006 Subject: 200,000 downloads of MailScanner References: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk> Message-ID: <40243187.9070008@pixelmagicfx.com> Julian Field wrote: > > Many thanks to all of you for helping to spread the word and make my > little > bit of code possibly the most widely-used combined email virus scanner > and > spam detector in the world. Many thanks? I think that's OUR line! :) Impressive. Vic Pixel Magic From peter at UCGBOOK.COM Sat Feb 7 00:34:39 2004 
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:22 2006
Subject: SA 2.63 upgrade
In-Reply-To:
References:
Message-ID: <4024329F.9050303@ucgbook.com>

Jim Dickenson wrote:
> What I have seen is people recommend not using the RPM. I have not seen a
> reason for that. This is why I am asking.

The binary RPM:s have fixed paths for everything and MS can't find what
it needs, you seem to have lost all rules SA provides for example.
People have had mixed results but for most it simply does not work and
it's not supported when used with MS. Isn't that enough for you?

Back out the SA RPM and install from CPAN.

# rpm -e name_of_sa_rpm
# perl -e shell -MCPAN
cpan> install Mail::SpamAssassin

It will work.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From jester at SPYDERINTERNET.COM Sat Feb 7 00:39:28 2004
From: jester at SPYDERINTERNET.COM (jester)
Date: Thu Jan 12 21:22:22 2006
Subject: mailscanner mrtg
Message-ID: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com>

I've downloaded and installed the new mailscanner mrtg, I'm getting these
errors and I'm not really sure why, other than just being completely
oblivious to something I've missed.

thanks in advance
Michael

What should these be set to and are they not correct? (well if they were, I
wouldn't get errors)

Unable to find a mountpoint for /var/spool/mqueue. Please set Spool
Directory in mailscanner-mrtg.conf to a valid mountpoint
Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please
set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint

--
This message has been scanned for viruses and
dangerous content by our MailScanner, and is
believed to be clean.

From henker at S-H-COM.DE Sat Feb 7 00:59:06 2004
From: henker at S-H-COM.DE (Steffan Henke)
Date: Thu Jan 12 21:22:22 2006
Subject: SA 2.63 upgrade
In-Reply-To: <4024329F.9050303@ucgbook.com>
References: <4024329F.9050303@ucgbook.com>
Message-ID:

On Sat, 7 Feb 2004, Peter Bonivart wrote:

> cpan> install Mail::SpamAssassin
> It will work.

I added it to the FAQ today, maybe we should append this as a footer to
*every* msg to the list :)

Regards,

Steffan

From dickenson at CFMC.COM Sat Feb 7 02:06:05 2004
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:22:22 2006
Subject: SA 2.63 upgrade
In-Reply-To: <200402070943.04859.james@grayonline.id.au>
Message-ID:

Thanks for the pointer about old .cf files not working with a new version.
This led me to the solution. I will try to remember this for future updates
and leave a trail for those behind me.

The install from the RPM was the cause of the problem. I now remember
dealing with this at some time in the past as well. The
perl-Mail-SpamAssassin-2.63-1 RPM file put stuff in the 5.6.1 directory but
I am running perl 5.8.0 so the new .cf files got installed but as the new
perl stuff got put into the "wrong" place I was still using the old version
of SA.

Moving a bit of stuff around fixed the problem. I also made a link from
5.6.1 to 5.8.0 so maybe I will remember this in the future.

I guess the correct thing to do would be to uninstall the RPMs and install
SA some other way. Maybe another day. One wasted day is enough this time
around ;)

Again thanks much!
--
Jim Dickenson
mailto:dickenson@cfmc.com

Computers for Marketing Corporation
http://www.cfmc.com/
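The mismatch described in the message above (new .cf rule files installed while perl still loads an older Mail::SpamAssassin, so the stock rules are skipped and only custom rules fire) can be checked mechanically. The script below is an added example, not code from this thread; it assumes stock rule files declare their version with a "require_version" line, and the sample directories and file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find stock SpamAssassin rule files
# whose declared version differs from the engine that perl actually loads.
# Assumption: stock .cf files declare their version with a line such as
# "require_version 2.63"; files without that line are treated as custom rules.

# Print "<version> <path>" of the Mail::SpamAssassin module perl resolves.
# The path shows which perl library tree (for example 5.6.1 or 5.8.0) is used.
engine_info() {
    perl -MMail::SpamAssassin \
        -e 'print $Mail::SpamAssassin::VERSION, " ", $INC{"Mail/SpamAssassin.pm"}, "\n"'
}

# Print "version<TAB>file" for every rule file in DIR that declares a version.
declared_versions() {
    for dv_file in "$1"/*.cf; do
        [ -f "$dv_file" ] || continue
        dv_ver=$(sed -n 's/^[[:space:]]*require_version[[:space:]]\{1,\}\([^[:space:]#]*\).*$/\1/p' \
            "$dv_file" | head -n 1)
        if [ -n "$dv_ver" ]; then
            printf '%s\t%s\n' "$dv_ver" "$dv_file"
        fi
    done
}

# check_rules_dir ENGINE_VERSION DIR
# Exit status: 0 = every declared version equals ENGINE_VERSION,
#              1 = at least one stock file declares another version,
#              2 = DIR holds no versioned rule files (wrong rules directory).
check_rules_dir() {
    crd_engine=$1
    crd_list=$(declared_versions "$2")
    if [ -z "$crd_list" ]; then
        echo "NO-RULES $2 has no versioned rule files"
        return 2
    fi
    # awk compares the two values numerically when both look like numbers.
    crd_bad=$(printf '%s\n' "$crd_list" | awk -F '\t' -v e="$crd_engine" \
        '$1 != e { printf "MISMATCH %s declares %s, engine is %s\n", $2, $1, e }')
    if [ -n "$crd_bad" ]; then
        printf '%s\n' "$crd_bad"
        return 1
    fi
    echo "OK $2 matches engine $crd_engine"
}

# Build constructed sample directories and print their parent directory:
#   new/   stock file for 2.63
#   old/   stock file for 2.61 plus a custom file with no version line
#   empty/ no rule files at all
make_samples() {
    ms_root=$(mktemp -d) || return 1
    mkdir "$ms_root/new" "$ms_root/old" "$ms_root/empty"
    printf 'require_version 2.63\nheader X_SAMPLE Subject =~ /sample/\n' \
        > "$ms_root/new/20_head_tests.cf"
    printf 'require_version 2.61\nheader X_SAMPLE Subject =~ /sample/\n' \
        > "$ms_root/old/20_head_tests.cf"
    printf 'header X_CUSTOM Subject =~ /custom/\nscore X_CUSTOM 1.0\n' \
        > "$ms_root/old/custom_rules.cf"
    echo "$ms_root"
}

# Run the check against the constructed samples for a 2.63 engine.
demo() {
    demo_root=$(make_samples) || return 1
    for demo_d in new old empty; do
        check_rules_dir 2.63 "$demo_root/$demo_d" || true
    done
    rm -rf "$demo_root"
}

# On a real host: set -- $(engine_info); check_rules_dir "$1" /usr/share/spamassassin
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with --demo to see all three outcomes; on a live system, pass the directory configured as "SpamAssassin Default Rules Dir" in MailScanner.conf.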
> From: James Gray
> Reply-To: james@grayonline.id.au
> Date: Sat, 7 Feb 2004 09:43:04 +1100
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SA 2.63 upgrade
>
> On Sat, 7 Feb 2004 07:16 am, Jim Dickenson wrote:
>> I am seeing the same problem. I updated, as I have always done, via RPM.
>> What I am seeing is that none of the standard rules are getting tripped,
>> just the RulesDuJour additions I have installed.
>>
>> I originally had the RulesDuJour .cf file in /usr/share/spamassassin
>> along with the ones distributed with SA. I have moved them to
>> /etc/mail/spamassassin but I am still seeing the same behavior.
>>
>> I also see that all the stuff that is spam is being auto-learned in my
>> bayes files. What is the best way to stop using bayes files and then
>> creating new ones. I need to get this problem sorted out before I can try
>> to get my bayes files loaded again.
>>
>> TIA,
>> --
>> Jim Dickenson
>
> Jim,
>
> I posted a similar problem to this list a few weeks ago when I upgraded my
> FreeBSD box via "ports" (fBSD "packages" for want of a better term). All
> my custom rules were being tripped but none of the standard SA2.63 rules.
> The problem was that between 2.61 -> 2.63 the fBSD port maintainer had
> moved the location of the standard rules from /usr/share/spamassassin to
> /usr/local/share/spamassassin. All I needed to do was manually tell
> MailScanner where the SpamAssassin files were, restart and voila!
>
> Here's the relevant lines from MailScanner.conf:
> SpamAssassin Local Rules Dir = /etc/mail/spamassassin
> SpamAssassin Default Rules Dir = /usr/local/share/spamassassin
>
> Hope that helps :) The problem is that all the default SA rules are
> version-specific. You can ONLY use 2.63 rules with SA2.63 etc. Sounds
> like your spamassassin is finding the older 2.61 rules with the 2.63 engine
> which means it will ignore them - have a look in the standard rules files;
> there's a "require 2.63" or something similar at the top of each one. DONT
> change this BTW, this will break things even worse than it already is.
>
> Cheers,
>
> James
> --
> Fortune cookies says:
> The price one pays for pursuing any profession, or calling, is an intimate
> knowledge of its ugly side. -- James Baldwin

From danielk at AVALONPUB.COM Sat Feb 7 02:36:11 2004
From: danielk at AVALONPUB.COM (Daniel Kleinsinger)
Date: Thu Jan 12 21:22:22 2006
Subject: Trend scanner log data missing
In-Reply-To: <1076030975.1991.17.camel@jaguar.dorfam.ca>
References: <1076030975.1991.17.camel@jaguar.dorfam.ca>
Message-ID: <40244F1B.9060306@avalonpub.com>

Gerry Doris wrote:

>Notice that Trend has identified the virus in a separate line. However,
>in /var/log/maillog everything is there except for the Trend data. The
>log only contains a line that says "Trend found one infections".
>
>Is there a way to get the Trend data into the mail log or is this part
>of the trend scanning binary?
>
>
I have the same issue with Trend. I wrote to the list about it, but
never got a response. Now that 2 of us have reported the problem maybe
someone will take a look. My original post has sample output from
trend-wrapper.

http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0401&L=mailscanner&P=R97373&I=-1

Daniel

From gdoris at ROGERS.COM Sat Feb 7 03:29:21 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:22:22 2006
Subject: mailscanner mrtg
In-Reply-To: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com>
References: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com>
Message-ID: <1076124561.8270.24.camel@jaguar.dorfam.ca>

On Fri, 2004-02-06 at 19:39, jester wrote:
> I've downloaded and installed the new mailscanner mrtg, I'm getting these
> errors and I'm not really sure why, other than just being completely
> oblivious to something I've missed.
>
> thanks in advance
> Michael
>
> What should these be set to and are they not correct? (well if they were, I
> wouldn't get errors)
>
> Unable to find a mountpoint for /var/spool/mqueue. Please set Spool
> Directory in mailscanner-mrtg.conf to a valid mountpoint
> Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please
> set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint
>
>
> --
> This message has been scanned for viruses and
> dangerous content by our MailScanner, and is
> believed to be clean.

The latest version will not record data into a Spool Directory graph or
a Work Directory graph unless it is a mount point (ie. the graphs will
be empty).

If you are using a tmpfs directory then go into mailscanner-mrtg.conf
and change the value there (/var/spool/MailScanner/incoming) to the
correct mount point. Do the same for Spool Directory value if you have
a directory you want monitored (must be on a mount point).

If you aren't going to use these values and want to stop the messages
you can go to /etc/cron.d and change the line in mailscanner-mrtg.crond
to read

0-59/5 root /usr/bin/mrtg /etc/mrtg/mailscanner-mrtg.cfg > /dev/null 2>&1

The above is all on one line. That will send those warning messages
quietly to the bit bucket.

--
Gerry Doris

From mailscanner at ecs.soton.ac.uk Sat Feb 7 10:38:58 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:22 2006 Subject: Trend scanner log data missing In-Reply-To: <40244F1B.9060306@avalonpub.com> References: <1076030975.1991.17.camel@jaguar.dorfam.ca> <40244F1B.9060306@avalonpub.com> Message-ID: <6.0.1.1.2.20040207103556.044a5e68@imap.ecs.soton.ac.uk> At 02:36 07/02/2004, you wrote: >Gerry Doris wrote: > >>Notice that Trend has identified the virus in a separate line. However, >>in /var/log/maillog everything is there except for the Trend data. The >>log only contains a line that says "Trend found one infections". >> >>Is there a way to get the Trend data into the mail log or is this part >>of the trend scanning binary? >> >I have the same issue with Trend. I wrote to the list about it, but >never got a response. Now that 2 of us have reported the problem maybe >someone will take a look. My original post has sample output from >trend-wrapper. > >http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0401&L=mailscanner&P=R97373&I=-1 Please mail me a reminder off-list. I am extremely snowed under at the moment, and don't have much time for MailScanner work. You're not getting any of my day-job hours at all right now. If you can mail me a copy of the latest Trend scanner, that would help so I can test it properly. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From kevin at KEVINSPICER.CO.UK Sat Feb 7 10:12:38 2004 
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:22 2006 Subject: mailscanner mrtg In-Reply-To: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com> References: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com> Message-ID: <1076148758.11003.30.camel@bach.kevinspicer.co.uk> On Sat, 2004-02-07 at 00:39, jester wrote: > What should these be set to and are they not correct? (well if they were, i > wouldnt get errors) > > Unable to find a mountpoint for /var/spool/mqueue. Please set Spool > Directory in mailscanner-mrtg.conf to a valid mountpoint > Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please > set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint Please see the thread discussing this on the MailScanner-MRTG sourceforge site. http://sourceforge.net/forum/forum.php?thread_id=1018853&forum_id=234161 Note to MailScanner-MRTG users: Julian and everyone on this list have been very tolerant of out MSMRTG discussions, but I'm aware that this is a fairly high traffic list and don't want to cause inconvenience to others. I'm also seeing duplication of issues on this list and on the sourceforge forums. Therefore I would appreciate it if MailScanner-MRTG issues could be posted to the forums on the sourceforge site - this will also assist other users by providing a single searchable resource. I will continue to post announcements of new releases here. -- Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040207/86edff7b/attachment.bin From mailscanner at ecs.soton.ac.uk Sat Feb 7 11:39:37 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:22 2006 Subject: f-secure version 4.52 In-Reply-To: <029301c3ec4e$10f5bc10$6401a8c0@game> References: <029301c3ec4e$10f5bc10$6401a8c0@game> Message-ID: <6.0.1.1.2.20040207113819.03756ec0@imap.ecs.soton.ac.uk> Please apply this patch to /usr/lib/MailScanner/MailScanner/SweepViruses.pm It comes down to a 1 character change to the code :-) ------SNIP------- --- SweepViruses.pm.old 2003-12-01 16:26:26.000000000 +0000 +++ SweepViruses.pm 2004-02-07 11:37:34.000000000 +0000 @@ -1585,7 +1585,10 @@ $fsecure_InHeader++; return 0; } - $fsecure_InHeader == 0 or return 0; + # This test is more vague than it used to be, but is more tolerant to + # output changes such as extra headers. Scanning non-scanning data is + # not a great idea but causes no harm. + $fsecure_InHeader >= 0 or return 0; $report = $line; $logout = $line; ------SNIP------- At 01:09 06/02/2004, you wrote: >At 19:38 05/02/2004, you wrote: > >MailScanner E-Mail Virus Scanner version 4.26.8 starting... > >F-Secure Anti-Virus for Linux version 4.52 build 2461 > > > > > >I have posted also in the mail letter but no responce.. > > > >Thanks > >----- Original Message ----- 
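Review bot: In the SweepViruses.pm hunk (@@ -1585,7 +1585,10 @@), the relaxed guard "$fsecure_InHeader >= 0 or return 0;" no longer tells the results section apart from any later header or trailer block: once the "$fsecure_InHeader++; return 0;" branch above has run often enough to reach zero, every following line falls through to "$report = $line; $logout = $line;". The new comment admits this but only asserts that it "causes no harm", and the hunk does not show the counter's initial value or what the code below does with lines that are not infection reports. I would document both next to the test (what value the counter starts at, and which later match discards non-result lines), or key the test on the shape of a result line instead of on the header count, so that a future change to F-Secure's output cannot put banner or summary text into reports and logs. The phrase "Scanning non-scanning data" in the comment is also ambiguous; "parsing lines that are not scan results" would say what is meant.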
> >From: "Julian Field" > <mailscanner@ecs.soton.ac.uk> > >To: "Tim Murphy" <tmurphy@icmcontrols.com> > >Sent: Thursday, February 05, 2004 1:55 PM > >Subject: Re: Not realy sure where to ask this ? i have posted in a couple of > >forums.. but no responce > > > > > > > What version of MailScanner and F-Secure are you using? > > > > > > The best place to ask is on the MailScanner mailing list. See > > > www.mailscanner.info for subscription > instructions. > > > > > > At 14:13 05/02/2004, you wrote: > > > >Thanks.... > > > >System is RH / cpanel / exim / > > > > > > > >I just installed the new version of MailScanner > > > >as of right now > > > >Virus Scanners = rav clamav f-prot f-secure mcafee > > > > > > > >Rav (Registered) (Works) > > > >Clamav (Free) (Works) > > > >F-prot (Trial) (Works) > > > >Mcafee (Trial) (Works) > > > >F-secure (Registered) (Seems Not To Work) > > > > > > > >i can do the command line for f-secure > > > >/usr/lib/MailScanner/f-secure-wrapper /opt/f-secure/fsav /tmp > > > >-And that works > > > >Database version: 2004-02-05_01 > > > >Scan started at Thu Feb 5 09:05:31 2004 > > > >Scan ended at Thu Feb 5 09:05:32 2004 > > > >11 files scanned > > > > > > > >But it is not catching any virus in incoming emails > > > >---------------paste from email--------------------- > > > >MessageID: 1Aojlz-0002FM-LP > > > >Report: > > > > Rav: ./1Aojlz-0002FM-LP/body.zip->body.txt .pif Infected: > > > > > <Win32/Mydoom.A@mm>mailto:Win32/Mydoom.A@mm>Win32/Mydoom.A@mm > > > > ClamAV: body.zip contains Worm.SCO.A > > > > F-Prot: > > > > > /var/spool/MailScanner/incoming/30908/1Aojlz-0002FM-LP/body.zip-body.txt > > > > Infection: > <W32/Mydoom.A@mm>mailto:W32/Mydoom.A@mm>W32/Mydoom.A@mm > > > > McAfee: /1Aojlz-0002FM-LP/body.zip Found the > > > > > <W32/Mydoom.a@MM>mailto:W32/Mydoom.a@MM>W32/Mydoom.a@MM > virus !!! 
> > > >-----------------End Paste------------------- > > > >I dont see any thing in any of the infected mails about f-secure > > > > > > > >----------paste from maillog--------------- > > > >Feb 5 09:01:07 srv1 update.virus.scanners: Found f-secure installed > > > >Feb 5 09:01:07 srv1 update.virus.scanners: Running autoupdate for > >f-secure > > > >-------------End Paste------------------------- > > > > > > > >Mailscanner is seeing it.. > > > > > > > > > > > >Thanks.. > > > > > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at > www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > >-- >Julian Field >www.MailScanner.info >Professional Support Services at >www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From michele at BLACKNIGHTSOLUTIONS.COM Sat Feb 7 15:23:51 2004 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:22 2006 Subject: OT - list options In-Reply-To: <1076148758.11003.30.camel@bach.kevinspicer.co.uk> References: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com> <1076148758.11003.30.camel@bach.kevinspicer.co.uk> Message-ID: <1257.159.134.245.217.1076167431.squirrel@www.blacknightsolutions.com> Slightly OT, but I was wondering if there was any chance of messages to the list being prepended by "Mailscanner" or similar. When using my desktop email client I filter mail using the "to" or "from" fields, however I cannot use this with my IMAP webmail, as I wouldn't be able to download mail after. Michele From ugob at CAMO-ROUTE.COM Sat Feb 7 15:24:07 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:22 2006 Subject: vnames.pl and mailstats with clamav-module In-Reply-To: References: <4024329F.9050303@ucgbook.com> Message-ID: <40250317.9070706@camo-route.com> Hi, Has anyone been able to make vnames.pl and mailstats with clamav-module? It worked ok with ClamAV. I don't find other settings than "clamav". It is reported correctly with mailscanner-mrtg. Thanks, Ugo From ugob at CAMO-ROUTE.COM Sat Feb 7 15:27:19 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:22 2006 Subject: mailscanner mrtg In-Reply-To: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com> References: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com> Message-ID: <402503D7.3070802@camo-route.com> jester wrote: > Ive download and installed the new mailscanner mrtg, im getting these > errors and im not really sure why, other than just being completely > oblivious to something I've missed. > > thanks in advance > Michael > > What should these be set to and are they not correct? (well if they were, i > wouldnt get errors) do the command mount you'll get the mount points available on your system. You can choose the one you want, usually /var. It will then monitor its usage. > > Unable to find a mountpoint for /var/spool/mqueue. Please set Spool > Directory in mailscanner-mrtg.conf to a valid mountpoint > Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please > set MailScanner Work Directory in mailscanner-mrtg.conf to a valid > mountpoint > > > -- > This message has been scanned for viruses and > dangerous content by our MailScanner, and is > believed to be clean. From mailscanner at ecs.soton.ac.uk Sat Feb 7 15:54:56 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:22 2006 Subject: OT - list options In-Reply-To: <1257.159.134.245.217.1076167431.squirrel@www.blacknightsol utions.com> References: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com> <1076148758.11003.30.camel@bach.kevinspicer.co.uk> <1257.159.134.245.217.1076167431.squirrel@www.blacknightsolutions.com> Message-ID: <6.0.1.1.2.20040207155428.02dbd4f0@imap.ecs.soton.ac.uk> You can do this yourself at www.jiscmail.ac.uk/lists/mailscanner.html At 15:23 07/02/2004, you wrote: >Slightly OT, but I was wondering if there was any chance of messages to >the list being prepended by "Mailscanner" or similar. >When using my desktop email client I filter mail using the "to" or "from" >fields, however I cannot use this with my IMAP webmail, as I wouldn't be >able to download mail after. > >Michele -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From David.While at UCE.AC.UK Sat Feb 7 15:39:25 2004 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:22:22 2006 Subject: vnames.pl and mailstats with clamav-module Message-ID: <107DE25EC0216C45AEF670016024245F6441B3@exchangea.staff.uce.ac.uk> The current version of mailstats doesn't support the clamav-module but the next version will. David While -----Original Message----- From: MailScanner mailing list on behalf of Ugo Bellavance Sent: Sat 2/7/2004 3:24 PM To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: vnames.pl and mailstats with clamav-module Hi, Has anyone been able to make vnames.pl and mailstats with clamav-module? It worked ok with ClamAV. I don't find other settings than "clamav". It is reported correctly with mailscanner-mrtg. Thanks, Ugo From lenaig at WANADOO.FR Sat Feb 7 18:56:04 2004 
From: lenaig at WANADOO.FR (Thierry) Date: Thu Jan 12 21:22:22 2006 Subject: mailscanner-mrtg/Spam logs ? Message-ID: <20040207185604.GA15196@maelenn> Hi, I still have a problem with my mailscanner-mrtg who do not want to scan the number of spam that i should have ? I was speaking to kevin about it, he told me to put Log spam = yes, that's what i did long time ago ... But still do not work. this evening i think about something, i am still using fetchmail/procmail to fetch and sort all of my emails ... Is that possible that fetchmail/procmail (with mda "/usr/local/bin/procmail -d %T") took all of my spam before mailscanner/spamassassin ?? If i am right, how can i do to correct this ? thx -- Thierry Ne faites jamais un "apt-get install new-wife" avant un "apt-get remove --purge current-wife" From kevins at BMRB.CO.UK Sat Feb 7 21:45:20 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:22 2006 Subject: mailscanner-mrtg/Spam logs ? In-Reply-To: <20040207185604.GA15196@maelenn> References: <20040207185604.GA15196@maelenn> Message-ID: <1076190321.11002.40.camel@bach.kevinspicer.co.uk> On Sat, 2004-02-07 at 18:56, Thierry wrote: > Hi, > I still have a problem with my mailscanner-mrtg who do not want to scan the number of spam that i should have ? > I was speaking to kevin about it, he told me to put Log spam = yes, that's what i did long time ago ... But still do not work. > this evening i think about something, i am still using fetchmail/procmail to fetch and sort all of my emails ... Is that possible that fetchmail/procmail (with mda "/usr/local/bin/procmail -d %T") took all of my spam before mailscanner/spamassassin ?? If i am right, how can i do to correct this ? > Ah you didn't tell me that! If you have set fetchmail to use procmail then all incoming mail will bypass MailScanner completely. Usually simply deleting the mda option will cause fetchmail to start using sendmail to handle incoming mail (naturally I'd advise testing this before putting it into production) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From faq at mailscanner.info Sun Feb 8 00:28:04 2004 
From: faq at mailscanner.info (faq@mailscanner.info) Date: Thu Jan 12 21:22:22 2006 Subject: Faq-O-Matic Error Log Message-ID: <200402080028.i180S4Kj008710@seer.ecs.soton.ac.uk> Errors from MailScanner Faq-O-Matic (v. 2.717): 2004-02-01-11-38-11 2.717 error editPart 21680 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 2; in item: 3) 2004-02-02-07-08-26 2.717 error editPart 5905 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 3; in item: 4) From rcooper at DIMENSION-FLM.COM Sun Feb 8 00:31:07 2004 From: rcooper at DIMENSION-FLM.COM (Rick Cooper) Date: Thu Jan 12 21:22:22 2006 Subject: Different score with SpamAssassin Alone Message-ID: Hopefully someone will see/think something I have missed on this, it's driving me up the wall.. I have been getting a lot of mail from the new SpamAssassin list dumped into my spam box even though I had the list whitelisted. I then wrote a custom rule that would look at the Return-path header (since the from address could be some other address with a cc to the list) and tested it with SA and all worked fine. But when it runs through MailScanner (and I restarted MS several times) it misses every single time. Below is a sample header section of the last message that got tagged spam. Rules that are in the same .cf file as the rule in question will have hits but the RC_SA_LIST has not hit once, spam or ham. And every time I run it on the same message in the SpamBox it gets dumped into (by MailScanner delete forward spam) it will hit the RC_SA_LIST rule. 
(MailScanner Version 4.23-7 SA Version 2.63) Message header: Return-path: Envelope-to: SpamMailBox@MyDomain.com Delivery-date: Sat, 07 Feb 2004 16:44:24 -0500 Received: from daedalus.apache.org ([208.185.179.12] helo=mail.apache.org) by Mail.MyDomain.com with smtp (Exim 4.22) id 1ApaFQ-0003Vn-MY for MyUname@MyDomain.com; Sat, 07 Feb 2004 16:44:20 -0500 Received: (qmail 68038 invoked by uid 500); 7 Feb 2004 21:44:06 -0000 Mailing-List: contact spamassassin-users-help@incubator.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: list-post: List-Id: "SpamAssassin Users" Rule: header RC_SA_LIST Return-path =~ /spamassassin-users-return-[0-9]{2,4}-MyUname=MyDomain\.com\@incu bator\.apache\.org/i Original Score from MailScanner (right out of the header) X-XXXXX-MailScanner-SpamCheck: spam, SpamAssassin (score=7.759, required 5, AWL -5.91, CLICK_BELOW 0.00, FROM_HAS_MIXED_NUMS 0.30, FVGT_TRIPWIRE_FC 0.08, FVGT_TRIPWIRE_LQ 0.08, FVGT_TRIPWIRE_LW 0.08, FVGT_TRIPWIRE_QC 0.08, FVGT_TRIPWIRE_WC 0.08, FVGT_m_MULTI_ODD2 1.10, FVGT_m_MULTI_ODD3 1.10, FVGT_m_MULTI_ODD4 1.10, FVGT_m_MULTI_ODD5 1.10, HTML_40_50 0.47, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, OACYS_m_MULTI_CONS4 3.00, RC_B_REGALIS 4.50, b_OBFU_QnoU 0.50) X-DFW-MailScanner-SpamScore: sssssss Note that RC_B_REGALIS is in the same .cf file as RC_SA_LIST , Score running spamassassin directly: (with the -p option or not, I have local.cf linked to etc/spam.assassin.prefs.conf) X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on MyDomain.com X-Spam-Level: X-Spam-Status: No, hits=-106.3 required=5.0 tests=CLICK_BELOW, FROM_HAS_MIXED_NUMS,FVGT_TRIPWIRE_FC,FVGT_TRIPWIRE_LQ, FVGT_TRIPWIRE_LW,FVGT_TRIPWIRE_QC,FVGT_TRIPWIRE_WC,FVGT_m_MULTI_O DD2, FVGT_m_MULTI_ODD3,FVGT_m_MULTI_ODD4,FVGT_m_MULTI_ODD5,HTML_40_50, HTML_LINK_CLICK_HERE,HTML_MESSAGE,OACYS_m_MULTI_CONS4,RC_B_REGALI S, RC_SA_LIST,USER_IN_WHITELIST,b_OBFU_QnoU autolearn=no version=2.63 ^^^^^^^^^ ^^^^^^^^^^^^^^^^^ So when SA is called directly 
it hists the whitelist and the custome RC_SA_LIST rule, but both are missed when MailScanner is front-ending SA. I have not updated MailScanner as I don't want to have to repatch Exim.pm, or reapply the custom logging code to log the "To:" address(s), and truncate the SA return to 800 chars, as I have not created a patch for that as of yet. Any one have an idea? Thanks Rick Cooper From adrian at gds.ro Sun Feb 8 00:31:49 2004 From: adrian at gds.ro (Adrian Voinea) Date: Thu Jan 12 21:22:22 2006 Subject: No subject Message-ID: <57593.193.230.152.1.1076200309.squirrel@kiki.gds.ro> Hello, here's my problem: Sometimes, mailscanner uses a lot of cpu, for a long amount of time. The mail server's load average rises to ~13 and stays that way for a while. You can see the cpu hogs' activity in the strace output. (I searched for "shmat and umoven: Input/output error" on google and this error is obviously related to the high cpu usage: http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=shmat+umoven+cpu) What do you think is wrong? Did anyone else encounter this error? System configuration: Celeron 2.4 512 ram Kernel 2.4.23 perl 5.6.1 sendmail 8.12.11 mailscanner 4.26.7, sa+bayes enabled spamassassin 2.63 #ps auxf output(some of the processes that consume lots of cpu time): root 7823 0.8 21.7 117172 112232 ? S 07:48 1:42 \_ /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/MailScanner/etc/MailScanner.conf root 8149 1.0 19.7 117284 102152 ? S 08:06 1:47 \_ /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/MailScanner/etc/MailScanner.conf #strace -p 7823 output: setup() = 0 time([1076057709]) = 1076057709 chdir("/var/spool/mqueue.in") = 0 open(".", O_RDONLY|O_NONBLOCK|0x18000) = 7 fstat64(0x7, 0xbffffb3c) = 0 shmat(7, 0x89eab58, 0x2ptrace: umoven: Input/output error ) = ? 
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 368 ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 0 close(7) = 0 umask(0177) = 077 umask(077) = 0177 time([1076057709]) = 1076057709 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 nanosleep({30, 0}, {30, 0}) = 0 time([1076057739]) = 1076057739 chdir("/var/spool/mqueue.in") = 0 open(".", O_RDONLY|O_NONBLOCK|0x18000) = 7 fstat64(0x7, 0xbffffb3c) = 0 shmat(7, 0x89eab58, 0x2ptrace: umoven: Input/output error ) = ? ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 568 stat64(0x86254e0, 0x80f51e0) = 0 stat64(0x86254e0, 0x80f51e0) = 0 ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 0 close(7) = 0 umask(0177) = 077 open("/var/spool/mqueue.in/qfi168t9Rc012372", O_RDWR|0x8000) = 7 fstat64(0x7, 0x80f5380) = 0 shmat(7, 0x96c5298, 0x2ptrace: umoven: Input/output error ) = ? flock(7, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily unavailable) close(7) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 open("/var/spool/mqueue.in/qfi168tRg2012377", O_RDWR|0x8000) = 7 fstat64(0x7, 0x80f5380) = 0 shmat(7, 0x97440b8, 0x2ptrace: umoven: Input/output error ) = ? flock(7, LOCK_EX|LOCK_NB) = 0 open("/var/spool/mqueue.in/dfi168tRg2012377", O_RDWR|0x8000) = 8 fstat64(0x8, 0x80f5380) = 0 shmat(8, 0x96cd8a0, 0x2ptrace: umoven: Input/output error ) = ? 
flock(8, LOCK_EX|LOCK_NB) = 0 stat64(0x9648758, 0x80f51e0) = 0 stat64(0x9648758, 0x80f51e0) = 0 stat64(0x963a680, 0x80f51e0) = 0 stat64(0x963a680, 0x80f51e0) = 0 fstat64(0x7, 0xbffff95c) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x403aa000 _llseek(7, 0, [0], SEEK_SET) = 0 read(7, "V6\nT1076057730\nK0\nN0\nP32901\nF8bs"..., 4096) = 928 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 open("/opt/MailScanner/incoming/7823/i168tRg2012377.header", O_WRONLY|O_CREAT|O_TRUNC|0x8000, 0666) = 9 fstat64(0x9, 0x80f5380) = 0 shmat(9, 0xb95fd18, 0x2ptrace: umoven: Input/output error ) = ? The only error I get in the logs is: Feb 6 11:01:11 kiki MailScanner[8096]: SpamAssassin timed out and was killed, consecutive failure 1 of 50 Thanks, Adrian From craig at WESTPRESS.COM Sun Feb 8 00:31:42 2004 From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:22 2006 Subject: SpamAssassins config options and sa-learn Message-ID: <64753.68.63.190.49.1076200302.squirrel@new.host.name> I have installed MailWatch (http://mailwatch.sourceforge.net/) along side of MailScanner with SpamAssassin using Sendmail as my MTA. I have also created two user accounts ('spam', and 'notspam') for our employees to send their email to teach SpamAssassin's Bayesian learning filter. MailScanner, MailWatch, and SpamAssassin seem to be working great, and as I am about to impliment the 'spam' and 'notspam' email option, I find myself with some confusion.... Does MailScanner honor the SpamAssassin options that are set in SpamAssassins 'local.cf' file? Or does MailScanner instead only use the options which are set in /etc/MailScanner/spam.assassin.prefs.conf. 
I guess what I am asking is this, I want to add these options, but am confused as to where to stick them: use_bayes 1 bayes_path /etc/MailScanner/bayes auto_learn 1 skip_rbl_checks 1 use_razor2 1 use_dcc 1 use_pyzor 0 dcc_add_header 1 dns_available yes header LOCAL_RCVD Received =~ /\S+\.domain\.com\s+\(.*\[.*\]\)/ describe LOCAL_RCVD Received from local machine score LOCAL_RCVD -50 ## Optional Score Increases score DCC_CHECK 4.000 score RAZOR2_CHECK 2.500 score BAYES_99 4.300 score BAYES_90 3.500 score BAYES_80 3.000 Finally, I want to set up a script and crontab that will force sa-learn to learn from 'spam' and 'notspam', and in this case would I also use /etc/MailScanner/spam.assassin.prefs.conf? my_sa-learn.sh: #!/bin/sh if [ -e /var/mail/spam ]; then /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/spam rm /var/mail/spam > /dev/null fi if [ -e /var/mail/notspam ]; then /usr/bin/sa-learn --ham -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/notspam rm /var/mail/notspam > /dev/null fi /usr/bin/sa-learn --rebuild -p /etc/MailScanner/spam.assassin.prefs.conf Am I on the right track here? Craig D. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support.
From steve.swaney at FSL.COM Sun Feb 8 00:49:17 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:22 2006 Subject: Different score with SpamAssassin Alone In-Reply-To: Message-ID: <20040208004917.2A86521C138@mail.fsl.com> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Rick Cooper > Sent: Saturday, February 07, 2004 7:31 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Different score with SpamAssassin Alone > > Hopefully someone will see/think something I have missed on this, > it's driving me up the wall.. 
> > I have been getting a lot of mail from the new SpamAssassin list > dumped into my spam box even though I had the list whitelisted. I > then wrote a custom rule that would look at the Return-path > header (since the from address could be some other address with a > cc to the list) and tested it with SA and all worked fine. But > when it runs through MailScanner (and I restarted MS several > times) it misses every single time. Below is a sample header > section of the last message that got tagged spam. Rules that are > in the same .cf file as the rule in question will have hits but > the RC_SA_LIST has not hit once, spam or ham. And every time I > run it on the same message in the SpamBox it gets dumped into (by > MailScanner delete forward spam) it will hit the RC_SA_LIST > rule. (MailScanner Version 4.23-7 SA Version 2.63) > Where are you placing your rules? On a typical Linux system, by default, SpamAssassin and MailScanner (configurable in the latest release) look for files that end in ".cf" in /etc/mail/spamassassin You could also append the rules to /etc/MailScanner/spam.assassin.prefs.conf. Steve Stephen Swaney President Fortress Systems Ltd. 
Steve.Swaney@FSL.com > Message header: > > Return-path: > che.org> > Envelope-to: SpamMailBox@MyDomain.com > Delivery-date: Sat, 07 Feb 2004 16:44:24 -0500 > Received: from daedalus.apache.org ([208.185.179.12] > helo=mail.apache.org) > by Mail.MyDomain.com with smtp (Exim 4.22) > id 1ApaFQ-0003Vn-MY > for MyUname@MyDomain.com; Sat, 07 Feb 2004 16:44:20 -0500 > Received: (qmail 68038 invoked by uid 500); 7 Feb 2004 > 21:44:06 -0000 > Mailing-List: contact > spamassassin-users-help@incubator.apache.org; run by ezmlm > Precedence: bulk > list-help: > list-unsubscribe: > > list-post: > List-Id: "SpamAssassin Users" > > Rule: > > header RC_SA_LIST Return-path =~ > /spamassassin-users-return-[0-9]{2,4}-MyUname=MyDomain\.com\@incu > bator\.apache\.org/i > > Original Score from MailScanner (right out of the header) > > X-XXXXX-MailScanner-SpamCheck: spam, SpamAssassin (score=7.759, > required 5, > AWL -5.91, CLICK_BELOW 0.00, FROM_HAS_MIXED_NUMS 0.30, > FVGT_TRIPWIRE_FC 0.08, FVGT_TRIPWIRE_LQ 0.08, > FVGT_TRIPWIRE_LW 0.08, > FVGT_TRIPWIRE_QC 0.08, FVGT_TRIPWIRE_WC 0.08, > FVGT_m_MULTI_ODD2 1.10, > FVGT_m_MULTI_ODD3 1.10, FVGT_m_MULTI_ODD4 1.10, > FVGT_m_MULTI_ODD5 1.10, HTML_40_50 0.47, > HTML_LINK_CLICK_HERE 0.10, > HTML_MESSAGE 0.00, OACYS_m_MULTI_CONS4 3.00, RC_B_REGALIS > 4.50, > b_OBFU_QnoU 0.50) > X-DFW-MailScanner-SpamScore: sssssss > > Note that RC_B_REGALIS is in the same .cf file as RC_SA_LIST > , > > Score running spamassassin directly: > (with the -p option or not, I have local.cf linked to > etc/spam.assassin.prefs.conf) > > > X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on > MyDomain.com > X-Spam-Level: > X-Spam-Status: No, hits=-106.3 required=5.0 tests=CLICK_BELOW, > FROM_HAS_MIXED_NUMS,FVGT_TRIPWIRE_FC,FVGT_TRIPWIRE_LQ, > > FVGT_TRIPWIRE_LW,FVGT_TRIPWIRE_QC,FVGT_TRIPWIRE_WC,FVGT_m_MULTI_O > DD2, > > FVGT_m_MULTI_ODD3,FVGT_m_MULTI_ODD4,FVGT_m_MULTI_ODD5,HTML_40_50, > > HTML_LINK_CLICK_HERE,HTML_MESSAGE,OACYS_m_MULTI_CONS4,RC_B_REGALI > S, > 
RC_SA_LIST,USER_IN_WHITELIST,b_OBFU_QnoU autolearn=no > version=2.63 > ^^^^^^^^^ ^^^^^^^^^^^^^^^^^ > So when SA is called directly it hists the whitelist and the > custome RC_SA_LIST rule, but both are missed when MailScanner is > front-ending SA. I have not updated MailScanner as I don't want > to have to repatch Exim.pm, or reapply the custom logging code to > log the "To:" address(s), and truncate the SA return to 800 > chars, as I have not created a patch for that as of yet. > > Any one have an idea? > > Thanks > > > Rick Cooper > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Fortress Systems Ltd. www.fsl.com From peter at UCGBOOK.COM Sun Feb 8 01:06:28 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:22 2006 Subject: SpamAssassins config options and sa-learn In-Reply-To: <64753.68.63.190.49.1076200302.squirrel@new.host.name> References: <64753.68.63.190.49.1076200302.squirrel@new.host.name> Message-ID: <40258B94.2050206@ucgbook.com> Craig Daters wrote: > Does MailScanner honor the SpamAssassin options that are set in > SpamAssassins 'local.cf' file? Or does MailScanner instead only use the > options which are set in /etc/MailScanner/spam.assassin.prefs.conf. I > guess what I am asking is this, I want to add these options, but am > confused as to where to stick them: Make your changes in spam.assassin.prefs.conf and symlink local.cf to it. Then there's no confusion when you for example run spamassassin --lint to check rules. 
-- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From dee at ASYOUNEED.COM Sun Feb 8 01:12:49 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:22 2006 Subject: Stopping Mailscanner actions In-Reply-To: <40258B94.2050206@ucgbook.com> Message-ID: <000901c3ede0$aae334e0$0201a8c0@lappy> Hi, Is it possible to stop Mailscanner from scanning any mails sent from localhost e.g. forms on user webspace? Thanks, Dee From kevins at BMRB.CO.UK Sun Feb 8 01:27:11 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:22 2006 Subject: Stopping Mailscanner actions In-Reply-To: <000901c3ede0$aae334e0$0201a8c0@lappy> References: <000901c3ede0$aae334e0$0201a8c0@lappy> Message-ID: <1076203631.11003.46.camel@bach.kevinspicer.co.uk> On Sun, 2004-02-08 at 01:12, Dee Lowndes wrote: > Hi, > > Is it possible to stop Mailscanner from scanning any mails sent from > localhost e.g. forms on user webspace? > Yes use a ruleset for whatever options you want to turn off. (you don't mention whether you want to stop virus scanning, spam scanning, or whatever) Take a look at the README and EXAMPLES files in /etc/MailScanner/rules Just out of curiosity why do you want to stop it scanning them? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
From rcooper at DIMENSION-FLM.COM Sun Feb 8 01:51:00 2004 From: rcooper at DIMENSION-FLM.COM (Rick Cooper) Date: Thu Jan 12 21:22:22 2006 Subject: Different score with SpamAssassin Alone In-Reply-To: <20040208004917.2A86521C138@mail.fsl.com> Message-ID: All of the .cf files are in /etc/mail/spamassassin, and reading below note that : RC_B_REGALIS is in the same .cf file as RC_SA_LIST and RC_B_REGALIS hit with MS. The only difference is that RC_B_REGALIS is not a negative score. Two rules same file, one is ignored when MS runs and neither is ignored when spamassassin is run alone, even with a command of spamassassin -p /opt/MailScanner/etc/spam.assassin.prefs.conf (which is redundant since SA will pick up the /etc/mail/spamassasin/local.cf link to /opt/MailScanner/etc/spam.assassin.prefs.conf) Rick > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Stephen Swaney > Sent: Saturday, February 07, 2004 7:49 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Different score with SpamAssassin Alone > > > > -----Original Message----- > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Rick Cooper > > Sent: Saturday, February 07, 2004 7:31 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Different score with SpamAssassin Alone > > > > Hopefully someone will see/think something I have > missed on this, > > it's driving me up the wall.. > > > > I have been getting a lot of mail from the new > SpamAssassin list > > dumped into my spam box even though I had the list > whitelisted. I > > then wrote a custom rule that would look at the Return-path > > header (since the from address could be some other > address with a > > cc to the list) and tested it with SA and all worked > fine. But > > when it runs through MailScanner (and I restarted MS several > > times) it misses every single time. Below is a sample header > > section of the last message that got tagged spam. 
> Rules that are > > in the same .cf file as the rule in question will > have hits but > > the RC_SA_LIST has not hit once, spam or ham. And > every time I > > run it on the same message in the SpamBox it gets > dumped into (by > > MailScanner delete forward spam) it will hit the RC_SA_LIST > > rule. (MailScanner Version 4.23-7 SA Version 2.63) > > > > Where are you placing your rules? On a typical Linux > system, by default, > SpamAssassin and MailScanner (configurable in the > latest release) look for > flies that end in ".cf" in /etc/mail/spamassassin > > You could also append the rules to > /etc/MailScanner/spam.assassin.prefs.conf. > > Steve > > Stephen Swaney > President > Fortress Systems Ltd. > Steve.Swaney@FSL.com > > > Message header: > > > > Return-path: > > > ubator.apa > > che.org> > > Envelope-to: SpamMailBox@MyDomain.com > > Delivery-date: Sat, 07 Feb 2004 16:44:24 -0500 > > Received: from daedalus.apache.org ([208.185.179.12] > > helo=mail.apache.org) > > by Mail.MyDomain.com with smtp (Exim 4.22) > > id 1ApaFQ-0003Vn-MY > > for MyUname@MyDomain.com; Sat, 07 Feb 2004 > 16:44:20 -0500 > > Received: (qmail 68038 invoked by uid 500); 7 Feb 2004 > > 21:44:06 -0000 > > Mailing-List: contact > > spamassassin-users-help@incubator.apache.org; run by ezmlm > > Precedence: bulk > > list-help: > > > list-unsubscribe: > > > > list-post: > > List-Id: "SpamAssassin Users" > > > > Rule: > > > > header RC_SA_LIST Return-path =~ > > > /spamassassin-users-return-[0-9]{2,4}-MyUname=MyDomain\ > .com\@incu > > bator\.apache\.org/i > > > > Original Score from MailScanner (right out of the header) > > > > X-XXXXX-MailScanner-SpamCheck: spam, SpamAssassin > (score=7.759, > > required 5, > > AWL -5.91, CLICK_BELOW 0.00, > FROM_HAS_MIXED_NUMS 0.30, > > FVGT_TRIPWIRE_FC 0.08, FVGT_TRIPWIRE_LQ 0.08, > > FVGT_TRIPWIRE_LW 0.08, > > FVGT_TRIPWIRE_QC 0.08, FVGT_TRIPWIRE_WC 0.08, > > FVGT_m_MULTI_ODD2 1.10, > > FVGT_m_MULTI_ODD3 1.10, FVGT_m_MULTI_ODD4 1.10, > > FVGT_m_MULTI_ODD5 
1.10, HTML_40_50 0.47, > > HTML_LINK_CLICK_HERE 0.10, > > HTML_MESSAGE 0.00, OACYS_m_MULTI_CONS4 3.00, > RC_B_REGALIS > > 4.50, > > b_OBFU_QnoU 0.50) > > X-DFW-MailScanner-SpamScore: sssssss > > > > Note that RC_B_REGALIS is in the same .cf file as RC_SA_LIST > > , > > > > Score running spamassassin directly: > > (with the -p option or not, I have local.cf linked to > > etc/spam.assassin.prefs.conf) > > > > > > X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on > > MyDomain.com > > X-Spam-Level: > > X-Spam-Status: No, hits=-106.3 required=5.0 > tests=CLICK_BELOW, > > > FROM_HAS_MIXED_NUMS,FVGT_TRIPWIRE_FC,FVGT_TRIPWIRE_LQ, > > > > > FVGT_TRIPWIRE_LW,FVGT_TRIPWIRE_QC,FVGT_TRIPWIRE_WC,FVGT > _m_MULTI_O > > DD2, > > > > > FVGT_m_MULTI_ODD3,FVGT_m_MULTI_ODD4,FVGT_m_MULTI_ODD5,H > TML_40_50, > > > > > HTML_LINK_CLICK_HERE,HTML_MESSAGE,OACYS_m_MULTI_CONS4,R > C_B_REGALI > > S, > > RC_SA_LIST,USER_IN_WHITELIST,b_OBFU_QnoU autolearn=no > > version=2.63 > > ^^^^^^^^^ ^^^^^^^^^^^^^^^^^ > > So when SA is called directly it hists the whitelist and the > > custome RC_SA_LIST rule, but both are missed when > MailScanner is > > front-ending SA. I have not updated MailScanner as I > don't want > > to have to repatch Exim.pm, or reapply the custom > logging code to > > log the "To:" address(s), and truncate the SA return to 800 > > chars, as I have not created a patch for that as of yet. > > > > Any one have an idea? > > > > Thanks > > > > > > Rick Cooper > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > Fortress Systems Ltd. > > www.fsl.com > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > From stefanzman at YAHOO.COM Sun Feb 8 02:58:53 2004 From: stefanzman at YAHOO.COM (Stefan Z) Date: Thu Jan 12 21:22:22 2006 Subject: Sender Virus Warning Message-ID: Hello, I am using MailScanner 4.26.8-1 on a LINUX rh9 box with exim 2.4 C-Panel. All was well until I update MailScanner from 4.22-5 to this latest version. After this, the Warning messages for Infected mails are no longer being sent to Senders. The admin Virus notification is still going to the postmaster, but not to the Senders. The settings in MailScanner.conf still specify to notify the Sender. What should I check? Thanks, Stefan From oldmaxgit at YAHOO.COM Sun Feb 8 09:14:19 2004 From: oldmaxgit at YAHOO.COM (Miserable Old Git) Date: Thu Jan 12 21:22:22 2006 Subject: Spamcop not working Message-ID: Thanks Julian and Mike. Apologies for the lateness of this reply, another crisis got in the way. (does anybody have a script which will lengthen each day by a couple of hours) :o) I have, I think, made the changes which should have stopped RBL checks in MailScanner and enabled them in SpamAssasin, but still I find Spamcop listed emails getting through. I would appreciate any further input you can offer here. Rather than paste the whole, I have pasted some lines from my config files below (and hope I have all the important ones). I know that some of them are over the top, but would still appreciate comments. In MailScanner.conf : Spam Checks = yes Spam List = Spam Lists To Reach High Score = 1 Think these two are rather high, but wanted to give it every chance Spam List Timeout = 15 Max Spam List Timeouts = 15 Use SpamAssassin = yes Required SpamAssassin Score = 5 SpamAssassin Timeout = 40 Spam Actions = bounce High Scoring Spam Actions = bounce I know that SpamAssassin is slightly off topic but ... In spam.assassin.prefs.conf : # skip_rbl_checks 1 (commented out) rbl_timeout 20 score RCVD_IN_BL_SPAMCOP_NET 6 Still tearing my hair out, so again, thanks for any help you can offer. 
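Added example, not part of the original thread: a small check run over the MailScanner.conf lines quoted in the post above, flagging spam actions that send mail back to the envelope sender, which spam normally forges. The sample text is constructed from the post; the key normalisation, the function names and the placeholder list name used in testing are this example's own assumptions.

```python
import re

# Constructed sample: the MailScanner.conf lines quoted in the post above.
POSTED_CONF = """\
Spam Checks = yes
Spam List =
Spam Lists To Reach High Score = 1
Spam List Timeout = 15
Max Spam List Timeouts = 15
Use SpamAssassin = yes
Required SpamAssassin Score = 5
SpamAssassin Timeout = 40
Spam Actions = bounce
High Scoring Spam Actions = bounce
"""

# Settings from the post whose value is a space-separated list of actions.
ACTION_KEYS = ("spam actions", "high scoring spam actions")


def parse_conf(text):
    """Parse 'Key = value' lines into a dict; '#' comment lines are skipped.

    Keys are lower-cased with runs of whitespace collapsed. That
    normalisation is a choice made for this example.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[re.sub(r"\s+", " ", key.strip()).lower()] = value.strip()
    return settings


def audit(settings):
    """Return (setting, problem) tuples for options that produce backscatter."""
    findings = []
    for key in ACTION_KEYS:
        actions = settings.get(key, "").lower().split()
        if "bounce" in actions:
            findings.append((key, "bounce replies go to the envelope sender, "
                                  "which spam normally forges"))

    # One blocklist hit promoting mail to "high scoring" only matters when
    # MailScanner itself is querying lists, i.e. "Spam List" is not empty.
    lists = settings.get("spam list", "").split()
    threshold = settings.get("spam lists to reach high score", "")
    high_actions = settings.get("high scoring spam actions", "").lower().split()
    if (lists and threshold.isdigit() and int(threshold) <= 1
            and "bounce" in high_actions):
        findings.append(("spam lists to reach high score",
                         "one blocklist listing alone triggers a bounce"))
    return findings


if __name__ == "__main__":
    for setting, problem in audit(parse_conf(POSTED_CONF)):
        print(f"{setting}: {problem}")
```
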
From lenaig at WANADOO.FR Sun Feb 8 08:40:10 2004 From: lenaig at WANADOO.FR (Thierry) Date: Thu Jan 12 21:22:22 2006 Subject: mailscanner-mrtg/Spam logs ? In-Reply-To: <1076190321.11002.40.camel@bach.kevinspicer.co.uk> References: <20040207185604.GA15196@maelenn> <1076190321.11002.40.camel@bach.kevinspicer.co.uk> Message-ID: <20040208084010.GA99872@maelenn> Working ... thx -- Thierry Ne faites jamais un "apt-get install new-wife" avant un "apt-get remove --purge current-wife" From mailscanner at ecs.soton.ac.uk Sun Feb 8 09:38:45 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:22 2006 Subject: Sender Virus Warning In-Reply-To: References: Message-ID: <6.0.1.1.2.20040208093540.03d94ec0@imap.ecs.soton.ac.uk> Virus Sender Warning are a very bad idea. All major viruses now forge the sender address. So none of your warnings are going to the people who have the infected PCs, they are going to poor innocent third parties who are sick of getting millions of warning messages about viruses they don't have. This causes them lots of grief, it wastes a lot of my time (as they contact me for help or to rant or whinge) and it gives MailScanner a very bad name. So sender warnings are now switched off. At 02:58 08/02/2004, you wrote: >Hello, > >I am using MailScanner 4.26.8-1 on a LINUX rh9 box with exim 2.4 C-Panel. >All was well until I update MailScanner from 4.22-5 to this latest >version. After this, the Warning messages for Infected mails are no longer >being sent to Senders. The admin Virus notification is still going to the >postmaster, but not to the Senders. > >The settings in MailScanner.conf still specify to notify the Sender. > >What should I check? 
> >Thanks, > >Stefan -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Sun Feb 8 10:19:30 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:22 2006 Subject: Spamcop not working In-Reply-To: Message-ID: Hi! > Use SpamAssassin = yes > Required SpamAssassin Score = 5 > SpamAssassin Timeout = 40 > Spam Actions = bounce > High Scoring Spam Actions = bounce Don't bounce, this is a very bad idea, especially with high scoring spam you can almost be sure it won't reach the original sender anyway. Please turn that off. Bye, Raymond. From dee at ASYOUNEED.COM Sun Feb 8 10:16:52 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:22 2006 Subject: Stopping Mailscanner actions In-Reply-To: <1076203631.11003.46.camel@bach.kevinspicer.co.uk> Message-ID: <001001c3ee2c$ac19f5a0$0201a8c0@lappy> > > Is it possible to stop Mailscanner from scanning any mails sent from > > localhost e.g. forms on user webspace? > > > Yes use a ruleset for whatever options you want to turn off. (you don't > mention whether you want to stop virus scanning, spam scanning, or > whatever) > > Take a look at the README and EXAMPLES files in /etc/MailScanner/rules > > Just out of curiosity why do you want to stop it scanning them? 
> Thanks Kevin, I had been using that but it turns out localhost in my rules doesn't work but changing it to 127.0.0.1 did guess I was a bit tired last night :) Dee From mailscanner at ecs.soton.ac.uk Sun Feb 8 11:28:53 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:22 2006 Subject: Stopping Mailscanner actions In-Reply-To: <001001c3ee2c$ac19f5a0$0201a8c0@lappy> References: <1076203631.11003.46.camel@bach.kevinspicer.co.uk> <001001c3ee2c$ac19f5a0$0201a8c0@lappy> Message-ID: <6.0.1.1.2.20040208112418.04559ec0@imap.ecs.soton.ac.uk> At 10:16 08/02/2004, you wrote: > > > Is it possible to stop Mailscanner from scanning any mails sent from > > > localhost e.g. forms on user webspace? > > > > > Yes use a ruleset for whatever options you want to turn off. (you don't > > mention whether you want to stop virus scanning, spam scanning, or > > whatever) > > > > Take a look at the README and EXAMPLES files in /etc/MailScanner/rules > > > > Just out of curiosity why do you want to stop it scanning them? > > > >Thanks Kevin, > >I had been using that but it turns out localhost in my rules doesn't >work but changing it to 127.0.0.1 did guess I was a bit tired last night >:) It assumes that anything with letters in it is an email address, or email domain or things like that. It only recognises IP addresses when they are all numbers and punctuation. You might find that *@localhost.* might work, but it depends on your sendmail configuration a bit. Just putting in localhost is equivalent to *@localhost which isn't what you meant. 
I tried to make the parser as intelligent as possible, as I don't see why you should have to tell it the full details of what you want when the parser can make a pretty reliable guess at what you meant :-) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Sun Feb 8 11:47:38 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:22 2006 Subject: Spamcop not working In-Reply-To: Message-ID: Hi! After reading your post again: > Spam List = > Spam Lists To Reach High Score = 1 > > Think these two are rather high, but wanted to give it every chance > Spam List Timeout = 15 > Max Spam List Timeouts = 15 > > Use SpamAssassin = yes > Required SpamAssassin Score = 5 > SpamAssassin Timeout = 40 > Spam Actions = bounce > High Scoring Spam Actions = bounce You bounce mail if it's on _1_ RBL, why not reject them within your mailer, that way you don't bother people who didn't send the message in the first place. Seems a better idea for what you wanna do. Bye, Raymond. From rcooper at DIMENSION-FLM.COM Sun Feb 8 12:34:51 2004 From: rcooper at DIMENSION-FLM.COM (Rick Cooper) Date: Thu Jan 12 21:22:22 2006 Subject: Different score with SpamAssassin Alone In-Reply-To: Message-ID: Ok I was being very brain dead... There is no return path when MailScanner gets the message as Exim has queued it for delivery but doesn't add the return path until final delivery, after MailScanner has processed it. Doh! Rick > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Rick Cooper > Sent: Saturday, February 07, 2004 7:31 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Different score with SpamAssassin Alone > > > Hopefully someone will see/think something I have > missed on this, > it's driving me up the wall.. 
> > I have been getting a lot of mail from the new > SpamAssassin list > dumped into my spam box even though I had the list > whitelisted. I > then wrote a custom rule that would look at the Return-path > header (since the from address could be some other > address with a > cc to the list) and tested it with SA and all worked fine. But > when it runs through MailScanner (and I restarted MS several > times) it misses every single time. Below is a sample header > section of the last message that got tagged spam. > Rules that are > in the same .cf file as the rule in question will have hits but > the RC_SA_LIST has not hit once, spam or ham. And every time I > run it on the same message in the SpamBox it gets > dumped into (by > MailScanner delete forward spam) it will hit the RC_SA_LIST > rule. (MailScanner Version 4.23-7 SA Version 2.63) > > Message header: > > Return-path: > ubator.apa > che.org> > Envelope-to: SpamMailBox@MyDomain.com > Delivery-date: Sat, 07 Feb 2004 16:44:24 -0500 > Received: from daedalus.apache.org ([208.185.179.12] > helo=mail.apache.org) > by Mail.MyDomain.com with smtp (Exim 4.22) > id 1ApaFQ-0003Vn-MY > for MyUname@MyDomain.com; Sat, 07 Feb 2004 > 16:44:20 -0500 > Received: (qmail 68038 invoked by uid 500); 7 Feb 2004 > 21:44:06 -0000 > Mailing-List: contact > spamassassin-users-help@incubator.apache.org; run by ezmlm > Precedence: bulk > list-help: > > list-unsubscribe: > > list-post: > List-Id: "SpamAssassin Users" > > Rule: > > header RC_SA_LIST Return-path =~ > /spamassassin-users-return-[0-9]{2,4}-MyUname=MyDomain\ > .com\@incu > bator\.apache\.org/i > > Original Score from MailScanner (right out of the header) > > X-XXXXX-MailScanner-SpamCheck: spam, SpamAssassin (score=7.759, > required 5, > AWL -5.91, CLICK_BELOW 0.00, FROM_HAS_MIXED_NUMS 0.30, > FVGT_TRIPWIRE_FC 0.08, FVGT_TRIPWIRE_LQ 0.08, > FVGT_TRIPWIRE_LW 0.08, > FVGT_TRIPWIRE_QC 0.08, FVGT_TRIPWIRE_WC 0.08, > FVGT_m_MULTI_ODD2 1.10, > FVGT_m_MULTI_ODD3 1.10, FVGT_m_MULTI_ODD4 
1.10, > FVGT_m_MULTI_ODD5 1.10, HTML_40_50 0.47, > HTML_LINK_CLICK_HERE 0.10, > HTML_MESSAGE 0.00, OACYS_m_MULTI_CONS4 3.00, > RC_B_REGALIS > 4.50, > b_OBFU_QnoU 0.50) > X-DFW-MailScanner-SpamScore: sssssss > > Note that RC_B_REGALIS is in the same .cf file as RC_SA_LIST > , > > Score running spamassassin directly: > (with the -p option or not, I have local.cf linked to > etc/spam.assassin.prefs.conf) > > > X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on > MyDomain.com > X-Spam-Level: > X-Spam-Status: No, hits=-106.3 required=5.0 tests=CLICK_BELOW, > FROM_HAS_MIXED_NUMS,FVGT_TRIPWIRE_FC,FVGT_TRIPWIRE_LQ, > > FVGT_TRIPWIRE_LW,FVGT_TRIPWIRE_QC,FVGT_TRIPWIRE_WC,FVGT > _m_MULTI_O > DD2, > > FVGT_m_MULTI_ODD3,FVGT_m_MULTI_ODD4,FVGT_m_MULTI_ODD5,H > TML_40_50, > > HTML_LINK_CLICK_HERE,HTML_MESSAGE,OACYS_m_MULTI_CONS4,R > C_B_REGALI > S, > RC_SA_LIST,USER_IN_WHITELIST,b_OBFU_QnoU autolearn=no > version=2.63 > ^^^^^^^^^ ^^^^^^^^^^^^^^^^^ > So when SA is called directly it hists the whitelist and the > custome RC_SA_LIST rule, but both are missed when > MailScanner is > front-ending SA. I have not updated MailScanner as I don't want > to have to repatch Exim.pm, or reapply the custom > logging code to > log the "To:" address(s), and truncate the SA return to 800 > chars, as I have not created a patch for that as of yet. > > Any one have an idea? > > Thanks > > > Rick Cooper From eja at URBAKKEN.DK Sun Feb 8 14:08:20 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:22 2006 Subject: antivir Message-ID: <402642D4.1050603@urbakken.dk> Hi. Is anybody here having success with antivir and MailScanner ?. 
--
Erik

From shrek-m at GMX.DE Sun Feb 8 14:19:50 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:22 2006
Subject: OT: mydoom-a
Message-ID: <40264586.6040202@gmx.de>

----
Received: from iki.fi (ad245.neoplus.adsl.tpnet.pl [80.50.149.245])
    by mx2.redhat.com (8.11.6/8.11.6) with SMTP id i18DSen12810
    for ; Sun, 8 Feb 2004 08:28:41 -0500
----

hi,

all mydoom-a i get private or through lists are coming from
xxx.neoplus.adsl.tpnet.pl

can you check if this is the case ?

--
shrek-m

From mailscanner at ecs.soton.ac.uk Sun Feb 8 15:06:34 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To: <402642D4.1050603@urbakken.dk>
References: <402642D4.1050603@urbakken.dk>
Message-ID: <6.0.1.1.2.20040208150503.04696008@imap.ecs.soton.ac.uk>

Can someone send me a copy of Antivir?
Sounds like it's another bug I need to check out. Having a good bug killing
weekend so far, I'll release a beta once these are all sorted.

At 14:08 08/02/2004, you wrote:
>Hi.
>
>Is anybody here having success with antivir and MailScanner ?.
>--
>Erik

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Feb 8 15:12:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To: <402642D4.1050603@urbakken.dk>
References: <402642D4.1050603@urbakken.dk>
Message-ID: <6.0.1.1.2.20040208151225.058d26a0@imap.ecs.soton.ac.uk>

I currently have AntiVir / Linux Version 2.1.0-1 and it is working fine. I
guess you have a newer one.

At 14:08 08/02/2004, you wrote:
>Hi.
>
>Is anybody here having success with antivir and MailScanner ?.
>--
>Erik

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From adrian at gds.ro Sun Feb 8 15:23:29 2004
From: adrian at gds.ro (Adrian Voinea)
Date: Thu Jan 12 21:22:22 2006
Subject: MailScanner high CPU usage
Message-ID: <1039.193.230.152.4.1076253809.squirrel@kiki.gds.ro>

Hello, here's my problem:

Sometimes, mailscanner uses a lot of cpu, for a long amount of time. The
mail server's load average rises to ~13 and stays that way for a while. You
can see the cpu hogs' activity in the strace output. (I searched for "shmat
and umoven: Input/output error" on google and this error is obviously
related to the high cpu usage:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=shmat+umoven+cpu)

What do you think is wrong? Did anyone else encounter this problem?

System configuration:
Celeron 2.4
512 ram
Kernel 2.4.23
perl 5.6.1
sendmail 8.12.11
mailscanner 4.26.7, sa+bayes enabled
spamassassin 2.63

#ps auxf output(some of the processes that consume lots of cpu time):
root 7823 0.8 21.7 117172 112232 ? S 07:48 1:42 \_ /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/MailScanner/etc/MailScanner.conf
root 8149 1.0 19.7 117284 102152 ? S 08:06 1:47 \_ /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/MailScanner/etc/MailScanner.conf

#strace -p 7823 output:
setup() = 0
time([1076057709]) = 1076057709
chdir("/var/spool/mqueue.in") = 0
open(".", O_RDONLY|O_NONBLOCK|0x18000) = 7
fstat64(0x7, 0xbffffb3c) = 0
shmat(7, 0x89eab58, 0x2ptrace: umoven: Input/output error ) = ?
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 368
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 0
close(7) = 0
umask(0177) = 077
umask(077) = 0177
time([1076057709]) = 1076057709
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({30, 0}, {30, 0}) = 0
time([1076057739]) = 1076057739
chdir("/var/spool/mqueue.in") = 0
open(".", O_RDONLY|O_NONBLOCK|0x18000) = 7
fstat64(0x7, 0xbffffb3c) = 0
shmat(7, 0x89eab58, 0x2ptrace: umoven: Input/output error ) = ?
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 568
stat64(0x86254e0, 0x80f51e0) = 0
stat64(0x86254e0, 0x80f51e0) = 0
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 0
close(7) = 0
umask(0177) = 077
open("/var/spool/mqueue.in/qfi168t9Rc012372", O_RDWR|0x8000) = 7
fstat64(0x7, 0x80f5380) = 0
shmat(7, 0x96c5298, 0x2ptrace: umoven: Input/output error ) = ?
flock(7, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily unavailable)
close(7) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/var/spool/mqueue.in/qfi168tRg2012377", O_RDWR|0x8000) = 7
fstat64(0x7, 0x80f5380) = 0
shmat(7, 0x97440b8, 0x2ptrace: umoven: Input/output error ) = ?
flock(7, LOCK_EX|LOCK_NB) = 0
open("/var/spool/mqueue.in/dfi168tRg2012377", O_RDWR|0x8000) = 8
fstat64(0x8, 0x80f5380) = 0
shmat(8, 0x96cd8a0, 0x2ptrace: umoven: Input/output error ) = ?
flock(8, LOCK_EX|LOCK_NB) = 0
stat64(0x9648758, 0x80f51e0) = 0
stat64(0x9648758, 0x80f51e0) = 0
stat64(0x963a680, 0x80f51e0) = 0
stat64(0x963a680, 0x80f51e0) = 0
fstat64(0x7, 0xbffff95c) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x403aa000
_llseek(7, 0, [0], SEEK_SET) = 0
read(7, "V6\nT1076057730\nK0\nN0\nP32901\nF8bs"..., 4096) = 928
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/opt/MailScanner/incoming/7823/i168tRg2012377.header", O_WRONLY|O_CREAT|O_TRUNC|0x8000, 0666) = 9
fstat64(0x9, 0x80f5380) = 0
shmat(9, 0xb95fd18, 0x2ptrace: umoven: Input/output error ) = ?

The only error I get in the logs is:
Feb 6 11:01:11 kiki MailScanner[8096]: SpamAssassin timed out and was killed, consecutive failure 1 of 50

Thanks,

From mailscanner at ecs.soton.ac.uk Sun Feb 8 15:25:26 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To: <402642D4.1050603@urbakken.dk>
References: <402642D4.1050603@urbakken.dk>
Message-ID: <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk>

I have just tested against 2.1.0 (latest on their web site) and it works fine.
Are you sure you have the licence key file installed into /usr/lib/AntiVir?
It won't work without it.

At 14:08 08/02/2004, you wrote:
>Hi.
>
>Is anybody here having success with antivir and MailScanner ?.
>-- >Erik -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From eja at URBAKKEN.DK Sun Feb 8 15:33:59 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:22 2006 Subject: antivir In-Reply-To: <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> Message-ID: <402656E7.9080109@urbakken.dk> Julian Field wrote: > I have just tested against 2.1.0 (latest on their web site) and it works > fine. > Are you sure you have the licence key file installed into /usr/lib/AntiVir? > It won't work without it. Yes I have: I have run the: /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp And the result is here: # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp AntiVir / Linux Version 2.0.9-16 Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. All rights reserved. Loading /usr/lib/AntiVir/antivir.vdf ... VDF version: 6.23.0.53 created 30 Jan 2004 For private, non-commercial use only. AntiVir license: 12345678 for Erik Jakobsen, Brovst checking drive/path (list): /tmp ----- scan results ----- directories: 1 files: 15 alerts: 0 scan time: 00:00:01 ------------------------ Thank you for using AntiVir. > At 14:08 08/02/2004, you wrote: > >> Hi. >> >> Is anybody here having success with antivir and MailScanner ?. 
>> -- >> Erik > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -- Erik From mailscanner at ecs.soton.ac.uk Sun Feb 8 15:40:19 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:22 2006 Subject: antivir In-Reply-To: <402656E7.9080109@urbakken.dk> References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> Message-ID: <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk> Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is detecting viruses in emails just fine. Both inside and outside zip files. Everything just works, so I don't understand what problems other people are having. At 15:33 08/02/2004, you wrote: >Julian Field wrote: >>I have just tested against 2.1.0 (latest on their web site) and it works >>fine. >>Are you sure you have the licence key file installed into /usr/lib/AntiVir? >>It won't work without it. > >Yes I have: > >I have run the: > >/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp > >And the result is here: > ># /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >AntiVir / Linux Version 2.0.9-16 >Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >All rights reserved. > >Loading /usr/lib/AntiVir/antivir.vdf ... > >VDF version: 6.23.0.53 created 30 Jan 2004 > >For private, non-commercial use only. >AntiVir license: 12345678 for Erik Jakobsen, Brovst > >checking drive/path (list): /tmp > >----- scan results ----- >directories: 1 >files: 15 >alerts: 0 >scan time: 00:00:01 >------------------------ >Thank you for using AntiVir. > >>At 14:08 08/02/2004, you wrote: >> >>>Hi. >>> >>>Is anybody here having success with antivir and MailScanner ?. 
>>>--
>>>Erik
>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>--
>Erik

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From kevin at EVERTS.US Sun Feb 8 18:20:29 2004
From: kevin at EVERTS.US (Kevin Everts)
Date: Thu Jan 12 21:22:22 2006
Subject: Manually invoking MailScanner
Message-ID: <003701c3ee70$3b8585e0$7203a8c0@everts.us>

I am using MailScanner with Postfix to scan my incoming email. I am also
using getmail to poll my pop3 accounts and download my email. I would like
to process all of the email that getmail retrieves in MailScanner. The way
to do this is to invoke MailScanner manually. Is this possible? If so, what
is the command to do this?

Below is a message that I posted to the getmail mailing list. The reply is
from the author of getmail.

> I am in the process of setting up a new mail server with Postfix (using
> /Maildir's) , getmail, MailScanner and Maildrop. I have everything working
> except for getmail. I would like to have getmail first send my email to
> MailScanner for virus scanning and spam checking and then to Maildrop for
> sorting.

Okay. In this case, MailScanner must add headers to the message to allow you
to sort based on its spam/non-spam decision? If that's the case, it must
write the modified message to stdout. So your getmail delivery directive
would be something like this:

    postmaster="|/path/to/mydeliveryagent.sh"

where that script is something like:

    #!/bin/bash
    cat - \
      | /path/to/mailscanner [options] \
      | /path/to/maildrop [options]

I've never used MailScanner, so I can't help you with what specific options
you'll need to get it to operate in filter mode (read stdin, modify, write
stdout).
It should be clearly spelled out in its documentation.

Thanks,
Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040208/5d14c114/attachment.html

From eja at URBAKKEN.DK Sun Feb 8 18:38:47 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To: <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk>
References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk>
Message-ID: <40268237.5080903@urbakken.dk>

Julian Field wrote:
> Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is
> detecting viruses in emails just fine. Both inside and outside zip files.
> Everything just works, so I don't understand what problems other people are
> having.

Hi Julian.

Just installed the 2.1.0. I think it's working now, as I couldn't get a
message to myself delivered cause of the eicar file. But I'll look at the
logfiles, and report to you.

> At 15:33 08/02/2004, you wrote:
>
>> Julian Field wrote:
>>
>>> I have just tested against 2.1.0 (latest on their web site) and it works
>>> fine.
>>> Are you sure you have the licence key file installed into
>>> /usr/lib/AntiVir?
>>> It won't work without it.
>>
>>
>> Yes I have:
>>
>> I have run the:
>>
>> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
>>
>> And the result is here:
>>
>> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
>> AntiVir / Linux Version 2.0.9-16
>> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH.
>> All rights reserved.
>>
>> Loading /usr/lib/AntiVir/antivir.vdf ...
>>
>> VDF version: 6.23.0.53 created 30 Jan 2004
>>
>> For private, non-commercial use only.
>> AntiVir license: 12345678 for Erik Jakobsen, Brovst >> >> checking drive/path (list): /tmp >> >> ----- scan results ----- >> directories: 1 >> files: 15 >> alerts: 0 >> scan time: 00:00:01 >> ------------------------ >> Thank you for using AntiVir. >> >>> At 14:08 08/02/2004, you wrote: >>> >>>> Hi. >>>> >>>> Is anybody here having success with antivir and MailScanner ?. >>>> -- >>>> Erik >>> >>> >>> >>> -- >>> Julian Field >>> www.MailScanner.info >>> Professional Support Services at www.MailScanner.biz >>> MailScanner thanks transtec Computers for their support >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >> >> -- >> Erik > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -- Erik From eja at URBAKKEN.DK Sun Feb 8 20:14:12 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:22 2006 Subject: antivir Message-ID: My antivir is also licensed, and the key is placed into the antivir diretory. /erik From eja at URBAKKEN.DK Sun Feb 8 20:19:57 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:22 2006 Subject: antivir In-Reply-To: References: Message-ID: <402699ED.302@urbakken.dk> Erik Jakobsen wrote: > My antivir is also licensed, and the key is placed into the antivir diretory. 
> > /erik > Here's the content of my /usr/lib/antivir directory: ]# ls -l total 3368 -rwxr-xr-x 1 root root 742912 Feb 5 17:02 antivir -rwxr-xr-x 1 root root 971264 Jan 25 17:18 antivir-fc -rw-r--r-- 1 root root 1650176 Feb 6 19:14 antivir.vdf -rwxr-xr-x 1 root root 1233 Feb 8 19:26 avupdater -rwxr-xr-x 1 root root 52411 Feb 8 19:26 configantivir -rw------- 1 root root 1024 Jan 25 17:12 hbedv.key -- Erik From ugob at CAMO-ROUTE.COM Sun Feb 8 20:50:25 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:22 2006 Subject: Manually invoking MailScanner In-Reply-To: <003701c3ee70$3b8585e0$7203a8c0@everts.us> References: <003701c3ee70$3b8585e0$7203a8c0@everts.us> Message-ID: <4026A111.8040402@camo-route.com> Kevin Everts wrote: > I am using MailScanner with Postfix to scan my incoming email. I am > also using getmail to poll my pop3 accounts and download my email. I > would like to process all of the email that getmail retrieves in > MailScanner. The way to do this is to invoke MailScanner manually. Is > this possible? If so, what is the command to do this? I don't really know how getmail works, but I can say that fetchmail works like a charm and is very easy to setup. hth Ugo > > Below is a message that I posted to the getmail mailing list. The reply > is from the author of getmail. > > > I am in the process of setting up a new mail server with Postfix (using > > /Maildir's) , getmail, MailScanner and Maildrop. I have everything > working > > except for getmail. I would like to have getmail first send my email to > > MailScanner for virus scanning and spam checking and then to Maildrop for > > sorting. > > Okay. In this case, MailScanner must add headers to the message to > allow you > to sort based on it's spam/non-spam decision? If that's the case, it must > write the modified message to stdout. 
So your getmail delivery directive > would be something like this: > > postmaster="|/path/to/mydeliveryagent.sh" > > where that script is something like: > > #!/bin/bash > cat - \ > | /path/to/mailscanner [options] \ > | /path/to/maildrop [options] > > I've never used MailScanner, so I can't help you with what specific options > you'll need to get it to operate in filter mode (read stdin, modify, write > stdout). It should be clearly spelled out in its documentation. > > Thanks, > Kevin From ugob at CAMO-ROUTE.COM Sun Feb 8 20:52:13 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:22 2006 Subject: antivir In-Reply-To: <40268237.5080903@urbakken.dk> References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk> <40268237.5080903@urbakken.dk> Message-ID: <4026A17D.2040903@camo-route.com> Erik Jakobsen wrote: > Julian Field wrote: > >> Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is >> detecting viruses in emails just fine. Both inside and outside zip files. >> Everything just works, so I don't understand what problems other >> people are >> having. > > > Hi Julian. > > Just installe the 2.1.0. I think its working now, as I couldn't get a > message to mysef delivered cause of the eicar file. But I'll look at the > logfiles, and report to you. Just a tip, open a terminal window via ssh or virtual console and type in tail -f /var/log/maillog You'll see the mail log in real time. Then send in the virus. > >> At 15:33 08/02/2004, you wrote: >> >>> Julian Field wrote: >>> >>>> I have just tested against 2.1.0 (latest on their web site) and it >>>> works >>>> fine. >>>> Are you sure you have the licence key file installed into >>>> /usr/lib/AntiVir? >>>> It won't work without it. 
>>> >>> >>> >>> Yes I have: >>> >>> I have run the: >>> >>> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>> >>> And the result is here: >>> >>> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>> AntiVir / Linux Version 2.0.9-16 >>> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >>> All rights reserved. >>> >>> Loading /usr/lib/AntiVir/antivir.vdf ... >>> >>> VDF version: 6.23.0.53 created 30 Jan 2004 >>> >>> For private, non-commercial use only. >>> AntiVir license: 12345678 for Erik Jakobsen, Brovst >>> >>> checking drive/path (list): /tmp >>> >>> ----- scan results ----- >>> directories: 1 >>> files: 15 >>> alerts: 0 >>> scan time: 00:00:01 >>> ------------------------ >>> Thank you for using AntiVir. >>> >>>> At 14:08 08/02/2004, you wrote: >>>> >>>>> Hi. >>>>> >>>>> Is anybody here having success with antivir and MailScanner ?. >>>>> -- >>>>> Erik >>>> >>>> >>>> >>>> >>>> -- >>>> Julian Field >>>> www.MailScanner.info >>>> Professional Support Services at www.MailScanner.biz >>>> MailScanner thanks transtec Computers for their support >>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> >>> >>> >>> -- >>> Erik >> >> >> >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz >> MailScanner thanks transtec Computers for their support >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> > > > -- > Erik From mailscanner at ecs.soton.ac.uk Sun Feb 8 19:23:12 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:22 2006 Subject: antivir In-Reply-To: <40268237.5080903@urbakken.dk> References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk> <40268237.5080903@urbakken.dk> Message-ID: <6.0.1.1.2.20040208191558.0597deb0@imap.ecs.soton.ac.uk> Thanks for the server version. 
I installed my licence file into it (thanks to the AntiVir crew for that),
and ran it on a message with a few copies of eicar in it. It detected all of
them just fine. Here is an example report:

>This is a message from the MailScanner E-Mail Virus Protection Service
>----------------------------------------------------------------------
>The original e-mail attachment "eicar.zip"
>was believed to be infected by a virus and has been replaced by this warning
>message.
>
>If you wish to receive a copy of the *infected* attachment, please
>e-mail helpdesk and include the whole of this message
>in your request. Alternatively, you can call them, with
>the contents of this message to hand when you call.
>
>At Sun Feb 8 19:12:09 2004 the virus scanner said:
> AntiVir: ALERT: [Eicar-Test-Signatur virus] eicar.zip --> eicar.com <<< =
>Contains code of the Eicar-Test-Signatur virus

I have now tested this on
AntiVir workstation 2.0.6
AntiVir workstation 2.1.0
AntiVir server 2.0.8
and can confirm that they all work with MailScanner on my Linux systems.

Please place a copy of eicar.com in a directory and run this command:

/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot -rs -z .

The output should be this (except for the line about the Verlor.B virus)

-----SNIP-----
AntiVir / Linux Version 2.1.0-1
Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH.
All rights reserved.

Loading /usr/lib/AntiVir/antivir.vdf ...

VDF version: 6.23.0.60 created 06 Feb 2004

For private, non-commercial use only.
AntiVir license: 1001034888 for Julian Field, Southampton

checking drive/path (list): .
ALERT: [W97M/Verlor.B virus] ./barendsesaunastoom.doc <<< Contains code of the Word macro virus W97M/Verlor.B (removeable)
ALERT: [Eicar-Test-Signatur virus] ./eicar.com <<< Contains code of the Eicar-Test-Signatur virus

----- scan results -----
directories: 1
files: 4
alerts: 2
repaired: 0
deleted: 0
renamed: 0
scan time: 00:00:01
------------------------
Thank you for using AntiVir.
-----SNIP-----

Please let me know if your output matches this.

At 18:38 08/02/2004, you wrote:
>Julian Field wrote:
>>Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is
>>detecting viruses in emails just fine. Both inside and outside zip files.
>>Everything just works, so I don't understand what problems other people are
>>having.
>
>Hi Julian.
>
>Just installed the 2.1.0. I think it's working now, as I couldn't get a
>message to myself delivered cause of the eicar file. But I'll look at the
>logfiles, and report to you.
>
>>At 15:33 08/02/2004, you wrote:
>>
>>>Julian Field wrote:
>>>
>>>>I have just tested against 2.1.0 (latest on their web site) and it works
>>>>fine.
>>>>Are you sure you have the licence key file installed into
>>>>/usr/lib/AntiVir?
>>>>It won't work without it.
>>>
>>>
>>>Yes I have:
>>>
>>>I have run the:
>>>
>>>/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
>>>
>>>And the result is here:
>>>
>>># /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
>>>AntiVir / Linux Version 2.0.9-16
>>>Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH.
>>>All rights reserved.
>>>
>>>Loading /usr/lib/AntiVir/antivir.vdf ...
>>>
>>>VDF version: 6.23.0.53 created 30 Jan 2004
>>>
>>>For private, non-commercial use only.
>>>AntiVir license: 12345678 for Erik Jakobsen, Brovst
>>>
>>>checking drive/path (list): /tmp
>>>
>>>----- scan results -----
>>>directories: 1
>>>files: 15
>>>alerts: 0
>>>scan time: 00:00:01
>>>------------------------
>>>Thank you for using AntiVir.
>>>
>>>>At 14:08 08/02/2004, you wrote:
>>>>
>>>>>Hi.
>>>>> >>>>>Is anybody here having success with antivir and MailScanner ?. >>>>>-- >>>>>Erik >>>> >>>> >>>> >>>>-- >>>>Julian Field >>>>www.MailScanner.info >>>>Professional Support Services at www.MailScanner.biz >>>>MailScanner thanks transtec Computers for their support >>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> >>> >>>-- >>>Erik >> >> >>-- >>Julian Field >>www.MailScanner.info >>Professional Support Services at www.MailScanner.biz >>MailScanner thanks transtec Computers for their support >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > >-- >Erik -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sun Feb 8 19:00:42 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:22 2006 Subject: Manually invoking MailScanner In-Reply-To: <003701c3ee70$3b8585e0$7203a8c0@everts.us> References: <003701c3ee70$3b8585e0$7203a8c0@everts.us> Message-ID: <6.0.1.1.2.20040208185850.03ce3190@imap.ecs.soton.ac.uk> The standard solution to this setup is to use fetchmail and have it poll all your pop3 accounts and then deliver via SMTP to localhost. MailScanner then picks up the incoming mail and scans it. Your existing sendmail setup then delivers the mail into local mailboxes as before. Plenty of people here use this setup and you should find whatever help you need. At 18:20 08/02/2004, you wrote: >I am using MailScanner with Postfix to scan my incoming email. I am also >using getmail to poll my pop3 accounts and download my email. I would >like to process all of the email that getmail retrieves in >MailScanner. The way to do this is to invoke MailScanner manually. Is >this possible? If so, what is the command to do this? > >Below is a message that I posted to the getmail mailing list. 
The reply >is from the author of getmail. > > > I am in the process of setting up a new mail server with Postfix (using > > /Maildir's) , getmail, MailScanner and Maildrop. I have everything working > > except for getmail. I would like to have getmail first send my email to > > MailScanner for virus scanning and spam checking and then to Maildrop for > > sorting. > >Okay. In this case, MailScanner must add headers to the message to allow you >to sort based on it's spam/non-spam decision? If that's the case, it must >write the modified message to stdout. So your getmail delivery directive >would be something like this: > > postmaster="|/path/to/mydeliveryagent.sh" > >where that script is something like: > > #!/bin/bash > cat - \ > | /path/to/mailscanner [options] \ > | /path/to/maildrop [options] > >I've never used MailScanner, so I can't help you with what specific options >you'll need to get it to operate in filter mode (read stdin, modify, write >stdout). It should be clearly spelled out in its documentation. > >Thanks, >Kevin -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From shrek-m at GMX.DE Sun Feb 8 22:48:42 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:22 2006 Subject: Manually invoking MailScanner In-Reply-To: <4026A111.8040402@camo-route.com> References: <003701c3ee70$3b8585e0$7203a8c0@everts.us> <4026A111.8040402@camo-route.com> Message-ID: <4026BCCA.7050309@gmx.de> Ugo Bellavance wrote: > I don't really know how getmail works, but I can say that fetchmail > works like a charm and is very easy to setup. eg. 
not really tested

# grep fetchmail /etc/rc.local
/usr/bin/fetchmail

# vi /root/.fetchmailrc
set daemon 600
set logfile /var/log/maillog

poll pop.provider.net proto pop3
    user "shrek-m@gmx.de" password "your_passowrd" smtpname "localuser@localhost.localdomain" keep

poll imap.other_provider.de proto imap
    user "user@bla.de" password "other_password" is "localuser" here
    user "user1@bla.de" password "password" is "localuser1" here

# man fetchmail

if your distro provides fetchmailconf you can try it with
# fetchmailconf

--
shrek-m

From kevin at KEVINSPICER.CO.UK Mon Feb 9 00:15:38 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:23 2006
Subject: MailScanner-MRTG users
Message-ID: <1076285740.26581.9.camel@bach.kevinspicer.co.uk>

Those of you who use MailScanner-MRTG may be interested to read the page
I've just added to the website at
http://mailscannermrtg.sourceforge.net/future.html in which I propose some
future directions for the project. Please feel free to post feedback/
comments/ objections etc to the forums on the sourceforge site. (it would be
appreciated if we could avoid staging a takeover of the MailScanner list
again!)

Regards
Kevin

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)

This message is digitally signed using the GNU Privacy Guard.
My public key may be obtained from http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040209/8b9a6261/attachment.bin

From mailbase2004 at yahoo.com Mon Feb 9 00:27:31 2004
From: mailbase2004 at yahoo.com (c c)
Date: Thu Jan 12 21:22:23 2006
Subject: source rpm error
Message-ID: <20040209002731.63973.qmail@web80105.mail.yahoo.com>

Hi

I downloaded MailScanner source rpm mailscanner-4.26.8-1.src.rpm
Installed the src rpm package and then built rpm package.
But when I installed the rpm package, I found the size of the rpm file built from src rpm is different from that in MailScanner-4.26.8-1.rpm.tar.gz Also I got error message during the installation. The same error happened with verion mailscanner-4.23-11. Here is the error error: Failed dependencies: perl(Archive::Zip) is needed by mailscanner-4.23-11 perl(MailScanner::MCPMessage) is needed by mailscanner-4.23-11 My environment is Redhat 9.0 on pentium IV. I just wonder how the mailscanner rpm file in rpm tgz file is created, from a tgz file or src rpm? If it is from a tgz file, where is the tgz file located on the web site? If it is from source rpm, why do I get the error? Thanks in advance. -Tom +++++++++++++++++++++++++++++++++++++++++++ [root@pe400 SPECS]# rpm -i mailscanner-4.23-11.src.rpm [root@pe400 SPECS]# rpmbuild -ba MailScanner4.spec [root@pe400 SPECS]# rpm -Uvh /usr/src/redhat/RPMS/noarch/mailscanner-4.23-11.noarch.rpm error: Failed dependencies: perl(Archive::Zip) is needed by mailscanner-4.23-11 perl(MailScanner::MCPMessage) is needed by mailscanner-4.23-11 From mailbase2004 at YAHOO.COM Mon Feb 9 02:16:53 2004 From: mailbase2004 at YAHOO.COM (c c) Date: Thu Jan 12 21:22:23 2006 Subject: rpmbuild src rpm error Message-ID: <20040209021653.51510.qmail@web80106.mail.yahoo.com> Hi I downloaded MailScanner source rpm mailscanner-4.26.8-1.src.rpm Installed the src rpm package and then built rpm package. But when I installed the rpm package, I found the size of the rpm file built from src rpm is different from that in MailScanner-4.26.8-1.rpm.tar.gz Also I got error message during the installation. The same error happened with verion mailscanner-4.23-11. Here is the error error: Failed dependencies: perl(Archive::Zip) is needed by mailscanner-4.23-11 perl(MailScanner::MCPMessage) is needed by mailscanner-4.23-11 My environment is Redhat 9.0 on pentium IV. I just wonder how the mailscanner rpm file in rpm tgz file is created, from a tgz file or src rpm? 
If it is from a tgz file, where is the tgz file located on the web site? If it is from source rpm, why do I get the error?

Thanks in advance.

-Tom

+++++++++++++++++++++++++++++++++++++++++++
[root@pe400 SPECS]# rpm -i mailscanner-4.23-11.src.rpm
[root@pe400 SPECS]# rpmbuild -ba MailScanner4.spec
[root@pe400 SPECS]# rpm -Uvh /usr/src/redhat/RPMS/noarch/mailscanner-4.23-11.noarch.rpm
error: Failed dependencies:
        perl(Archive::Zip) is needed by mailscanner-4.23-11
        perl(MailScanner::MCPMessage) is needed by mailscanner-4.23-11

From email at ace.net.au Mon Feb 9 04:49:28 2004
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:22:23 2006
Subject: SA 2.63 upgrade
In-Reply-To:
References:
Message-ID: <200402091519280237.0EC4AE79@smtp1.ace.net.au>

Using the SRPM is an overlooked but easy way of doing upgrades reliably, especially if you like to let the RPM system handle everything.

D/L the SRPM, you don't need the other bits.

rpm -Uvh spamassassin*.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -bb spamassassin.spec
cd ../RPMS/i386
rpm -Uvh *.rpm
(make sure there aren't other rpm's in there that you don't want.)

All done. No need for CPAN and SpamAssassin is now configured for your system.

Peter

*********** REPLY SEPARATOR ***********

On 6/02/2004 at 6:06 PM Jim Dickenson wrote:

>Thanks for the pointer about old .cf files not working with a new version.
>This led me to the solution.
>
>I will try to remember this for future updates and leave a trail for those
>behind me.
>
>The install from the RPM was the cause of the problem. I now remember
>dealing with this at some time in the past as well.
>
>The perl-Mail-SpamAssassin-2.63-1 RPM file put stuff in the 5.6.1 directory
>but I am running perl 5.8.0 so the new .cf files got installed but as the
>new perl stuff got put into the "wrong" place I was still using the old
>version of SA.
>
>Moving a bit of stuff around fixed the problem. I also made a link from
>5.6.1 to 5.8.0 so maybe I will remember this in the future.
> >I guess the correct thing to do would be to uninstall the RPMs and install >SA some other way. Maybe another day. One wasted day is enough this time >around ;) > >Again thanks much! >-- >Jim Dickenson >mailto:dickenson@cfmc.com > >Computers for Marketing Corporation >http://www.cfmc.com/ > > > >> From: James Gray >> Reply-To: james@grayonline.id.au >> Date: Sat, 7 Feb 2004 09:43:04 +1100 >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: SA 2.63 upgrade >> >> On Sat, 7 Feb 2004 07:16 am, Jim Dickenson wrote: >>> I am seeing the same problem. I updated, as I have always done, via RPM. >>> What I am seeing is that none of the standard rules are getting tripped, >>> just the RulesDuJour additions I have installed. >>> >>> I originally had the RulesDuJour .cf file in /usr/share/spamassassin >>> along with the ones distributed with SA. I have moved them to >>> /etc/mail/spamassassin but I am still seeing the same behavior. >>> >>> I also see that all the stuff that is spam is being auto-learned in my >>> bayes files. What is the best way to stop using bayes files and then >>> creating new ones. I need to get this problem sorted out before I can >try >>> to get my bayes files loaded again. >>> >>> TIA, >>> -- >>> Jim Dickenson >> >> Jim, >> >> I posted a similar problem to this list a few weeks ago when I upgraded >my >> FreeBSD box via "ports" (fBSD "packages" for want of a better term). All >> my custom rules were being tripped but none of the standard SA2.63 >rules. >> The problem was that between 2.61 -> 2.63 the fBSD port maintainer had >> moved the location of the standard rules from /usr/share/spamassassin to >> /usr/local/share/spamassassin. All I needed to do was manually tell >> MailScanner where the SpamAssassin files were, restart and voila! 
>> >> Here's the relevent lines from MailScanner.conf: >> SpamAssassin Local Rules Dir = /etc/mail/spamassassin >> SpamAssassin Default Rules Dir = /usr/local/share/spamassassin >> >> Hope that helps :) The problem is that all the default SA rules are >> version-specific. You can ONLY use 2.63 rules with SA2.63 etc. Sounds >> like your spamassassin is finding the older 2.61 rules with the 2.63 >engine >> which means it will ignore them - have a look in the standard rules >files; >> there's a "require 2.63" or something similar at the top of each one. >DONT >> change this BTW, this will break things even worse than it already is. >> >> Cheers, >> >> James >> -- >> Fortune cookies says: >> The price one pays for pursuing any profession, or calling, is an >intimate >> knowledge of its ugly side. -- James Baldwin From eja at URBAKKEN.DK Mon Feb 9 06:17:07 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:23 2006 Subject: antivir In-Reply-To: <4026A17D.2040903@camo-route.com> References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk> <40268237.5080903@urbakken.dk> <4026A17D.2040903@camo-route.com> Message-ID: <402725E3.3030107@urbakken.dk> Ugo Bellavance wrote: > Erik Jakobsen wrote: > >> Julian Field wrote: >> >>> Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is >>> detecting viruses in emails just fine. Both inside and outside zip >>> files. >>> Everything just works, so I don't understand what problems other >>> people are >>> having. >> >> >> >> Hi Julian. >> >> Just installe the 2.1.0. I think its working now, as I couldn't get a >> message to mysef delivered cause of the eicar file. But I'll look at the >> logfiles, and report to you. > > > Just a tip, open a terminal window via ssh or virtual console and type in > > tail -f /var/log/maillog > > You'll see the mail log in real time. 
Then send in the virus. Thanks for this Ugo. >> >>> At 15:33 08/02/2004, you wrote: >>> >>>> Julian Field wrote: >>>> >>>>> I have just tested against 2.1.0 (latest on their web site) and it >>>>> works >>>>> fine. >>>>> Are you sure you have the licence key file installed into >>>>> /usr/lib/AntiVir? >>>>> It won't work without it. >>>> >>>> >>>> >>>> >>>> Yes I have: >>>> >>>> I have run the: >>>> >>>> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>> >>>> And the result is here: >>>> >>>> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>> AntiVir / Linux Version 2.0.9-16 >>>> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >>>> All rights reserved. >>>> >>>> Loading /usr/lib/AntiVir/antivir.vdf ... >>>> >>>> VDF version: 6.23.0.53 created 30 Jan 2004 >>>> >>>> For private, non-commercial use only. >>>> AntiVir license: 12345678 for Erik Jakobsen, Brovst >>>> >>>> checking drive/path (list): /tmp >>>> >>>> ----- scan results ----- >>>> directories: 1 >>>> files: 15 >>>> alerts: 0 >>>> scan time: 00:00:01 >>>> ------------------------ >>>> Thank you for using AntiVir. >>>> >>>>> At 14:08 08/02/2004, you wrote: >>>>> >>>>>> Hi. >>>>>> >>>>>> Is anybody here having success with antivir and MailScanner ?. >>>>>> -- >>>>>> Erik >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Julian Field >>>>> www.MailScanner.info >>>>> Professional Support Services at www.MailScanner.biz >>>>> MailScanner thanks transtec Computers for their support >>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>> >>>> >>>> >>>> >>>> >>>> -- >>>> Erik >>> >>> >>> >>> >>> -- >>> Julian Field >>> www.MailScanner.info >>> Professional Support Services at www.MailScanner.biz >>> MailScanner thanks transtec Computers for their support >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >> >> >> -- >> Erik > > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. 
SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From eja at URBAKKEN.DK Mon Feb 9 06:06:38 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:23 2006 Subject: antivir Message-ID: On Sun, 8 Feb 2004 19:23:12 +0000, Julian Field wrote: Hi Julian. Here is the result that you asked for. Sorry, I didn't recognized you wish at first: # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot -rs -z AntiVir / Linux Version 2.1.0-1 Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. All rights reserved. Loading /usr/lib/AntiVir/antivir.vdf ... VDF version: 6.23.0.60 created 06 Feb 2004 For private, non-commercial use only. AntiVir license: 1001048978 for Erik Jakobsen, Brovst checking drive/path (cwd): /var/spool/MailScanner/quarantine/20040208/150E8C812 ALERT: [Eicar-Test-Signatur virus] /var/spool/MailScanner/quarantine/20040208/150E8C812/eicar.com <<< Contains code of the Eicar-Test-Signatur virus ----- scan results ----- directories: 1 files: 1 alerts: 1 repaired: 0 deleted: 0 renamed: 0 scan time: 00:00:01 ------------------------ Thank you for using AntiVir. >Thanks for the server version. I installed my licence file into it (thanks >to the AntiVir crew for that), and ran it on a message with a few copies of >eicar in it. It detected all of them just fine. > >Here is an example report: >>This is a message from the MailScanner E-Mail Virus Protection Service >>---------------------------------------------------------------------- >>The original e-mail attachment "eicar.zip" >>was believed to be infected by a virus and has been replaced by this warning >>message. >> >>If you wish to receive a copy of the *infected* attachment, please >>e-mail helpdesk and include the whole of this message >>in your request. Alternatively, you can call them, with >>the contents of this message to hand when you call. 
>> >>At Sun Feb 8 19:12:09 2004 the virus scanner said: >> AntiVir: ALERT: [Eicar-Test-Signatur virus] eicar.zip --> eicar.com <<< = >>Contains code of the Eicar-Test-Signatur virus > >I have now tested this on > AntiVir workstation 2.0.6 > AntiVir workstation 2.1.0 > AntiVir server 2.0.8 >and can confirm that they all work with MailScanner on my Linux systems. > >Please place a copy of eicar.com in a directory and run this command: >/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot >-rs -z . >The output should be this (except for the line about the Verlor.B virus) > >-----SNIP----- >AntiVir / Linux Version 2.1.0-1 >Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >All rights reserved. > >Loading /usr/lib/AntiVir/antivir.vdf ... > >VDF version: 6.23.0.60 created 06 Feb 2004 > >For private, non-commercial use only. >AntiVir license: 1001034888 for Julian Field, Southampton > >checking drive/path (list): . >ALERT: [W97M/Verlor.B virus] ./barendsesaunastoom.doc <<< Contains code of >the Word macro virus W97M/Verlor.B (removeable) >ALERT: [Eicar-Test-Signatur virus] ./eicar.com <<< Contains code of the >Eicar-Test-Signatur virus > > >----- scan results ----- > directories: 1 > files: 4 > alerts: 2 > repaired: 0 > deleted: 0 > renamed: 0 > scan time: 00:00:01 >------------------------ >Thank you for using AntiVir. >-----SNIP----- > >Please let me know if your output matches this. > >At 18:38 08/02/2004, you wrote: >>Julian Field wrote: >>>Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is >>>detecting viruses in emails just fine. Both inside and outside zip files. >>>Everything just works, so I don't understand what problems other people are >>>having. >> >>Hi Julian. >> >>Just installe the 2.1.0. I think its working now, as I couldn't get a >>message to mysef delivered cause of the eicar file. But I'll look at the >>logfiles, and report to you. 
>> >>>At 15:33 08/02/2004, you wrote: >>> >>>>Julian Field wrote: >>>> >>>>>I have just tested against 2.1.0 (latest on their web site) and it works >>>>>fine. >>>>>Are you sure you have the licence key file installed into >>>>>/usr/lib/AntiVir? >>>>>It won't work without it. >>>> >>>> >>>>Yes I have: >>>> >>>>I have run the: >>>> >>>>/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>> >>>>And the result is here: >>>> >>>># /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>>AntiVir / Linux Version 2.0.9-16 >>>>Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >>>>All rights reserved. >>>> >>>>Loading /usr/lib/AntiVir/antivir.vdf ... >>>> >>>>VDF version: 6.23.0.53 created 30 Jan 2004 >>>> >>>>For private, non-commercial use only. >>>>AntiVir license: 12345678 for Erik Jakobsen, Brovst >>>> >>>>checking drive/path (list): /tmp >>>> >>>>----- scan results ----- >>>>directories: 1 >>>>files: 15 >>>>alerts: 0 >>>>scan time: 00:00:01 >>>>------------------------ >>>>Thank you for using AntiVir. >>>> >>>>>At 14:08 08/02/2004, you wrote: >>>>> >>>>>>Hi. >>>>>> >>>>>>Is anybody here having success with antivir and MailScanner ?. 
>>>>>>-- >>>>>>Erik >>>>> >>>>> >>>>> >>>>>-- >>>>>Julian Field >>>>>www.MailScanner.info >>>>>Professional Support Services at www.MailScanner.biz >>>>>MailScanner thanks transtec Computers for their support >>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>> >>>> >>>> >>>>-- >>>>Erik >>> >>> >>>-- >>>Julian Field >>>www.MailScanner.info >>>Professional Support Services at www.MailScanner.biz >>>MailScanner thanks transtec Computers for their support >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >>-- >>Erik > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From eja at URBAKKEN.DK Mon Feb 9 06:53:09 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:23 2006 Subject: antivir In-Reply-To: <6.0.1.1.2.20040208191558.0597deb0@imap.ecs.soton.ac.uk> References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk> <40268237.5080903@urbakken.dk> <6.0.1.1.2.20040208191558.0597deb0@imap.ecs.soton.ac.uk> Message-ID: <40272E55.7020305@urbakken.dk> I have tested it looking into my maillog realtime. 
But unfortunatley antivir is not present in the scanning ?: Feb 9 07:49:31 gateway postfix/pipe[1676]: C3853C80F: to=, relay=ccfilter, delay=2, status=sent (urbakken.dk) Feb 9 06:49:31 gateway postfix/pickup[32464]: 888F3C812: uid=100 from= Feb 9 06:49:31 gateway postfix/cleanup[1674]: 888F3C812: message-id=<40272D9E.3040903@urbakken.dk> Feb 9 06:49:31 gateway postfix/nqmgr[31682]: 888F3C812: from=, size=1662, nrcpt=1 (queue active) Feb 9 06:49:31 gateway postfix/nqmgr[31682]: 888F3C812: to=, relay=none, delay=0, status=deferred (deferred transport) Feb 9 07:49:32 gateway MailScanner[860]: New Batch: Scanning 1 messages, 1801 bytes Feb 9 07:49:32 gateway MailScanner[860]: Virus and Content Scanning: Starting Feb 9 07:49:33 gateway MailScanner[860]: /var/spool/MailScanner/incoming/860/888F3C812/eicar.com Infection: EICAR_Test_File Feb 9 07:49:33 gateway MailScanner[860]: Virus Scanning: F-Prot found virus EICAR_Test_File Feb 9 07:49:33 gateway MailScanner[860]: Virus Scanning: F-Prot found 1 infections Feb 9 07:49:35 gateway MailScanner[860]: /var/spool/MailScanner/incoming/860/./888F3C812/eicar.com: Eicar-Test-Signature FOUND Feb 9 07:49:36 gateway MailScanner[860]: Virus Scanning: ClamAV found 1 infections Feb 9 07:49:36 gateway MailScanner[860]: Infected message 888F3C812 came from 127.0.0.1 Feb 9 07:49:37 gateway MailScanner[860]: Filename Checks: Windows/DOS Executable (eicar.com) Feb 9 07:49:37 gateway MailScanner[860]: Other Checks: Found 1 problems Feb 9 07:49:37 gateway MailScanner[860]: Saved infected "eicar.com" to /var/spool/MailScanner/quarantine/20040209/888F3C812 Feb 9 01:49:37 gateway postfix/nqmgr[31729]: 7876323EE5: from=, size=2905, nrcpt=1 (queue active) Feb 9 07:49:37 gateway MailScanner[860]: Silent: Delivered 1 messages containing silent viruses Feb 9 01:49:37 gateway postfix/pickup[30831]: 5EB5423F00: uid=89 from= Feb 9 01:49:37 gateway postfix/cleanup[1855]: 5EB5423F00: message-id=<20040209064937.5EB5423F00@gateway.urbakken.dk> Feb 9 
07:49:37 gateway MailScanner[860]: Notices: Warned about 1 messages Julian Field wrote: > Thanks for the server version. I installed my licence file into it (thanks > to the AntiVir crew for that), and ran it on a message with a few copies of > eicar in it. It detected all of them just fine. > > Here is an example report: > >> This is a message from the MailScanner E-Mail Virus Protection Service >> ---------------------------------------------------------------------- >> The original e-mail attachment "eicar.zip" >> was believed to be infected by a virus and has been replaced by this >> warning >> message. >> >> If you wish to receive a copy of the *infected* attachment, please >> e-mail helpdesk and include the whole of this message >> in your request. Alternatively, you can call them, with >> the contents of this message to hand when you call. >> >> At Sun Feb 8 19:12:09 2004 the virus scanner said: >> AntiVir: ALERT: [Eicar-Test-Signatur virus] eicar.zip --> eicar.com >> <<< = >> Contains code of the Eicar-Test-Signatur virus > > > I have now tested this on > AntiVir workstation 2.0.6 > AntiVir workstation 2.1.0 > AntiVir server 2.0.8 > and can confirm that they all work with MailScanner on my Linux systems. > > Please place a copy of eicar.com in a directory and run this command: > /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot > -rs -z . > The output should be this (except for the line about the Verlor.B virus) > > -----SNIP----- > AntiVir / Linux Version 2.1.0-1 > Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. > All rights reserved. > > Loading /usr/lib/AntiVir/antivir.vdf ... > > VDF version: 6.23.0.60 created 06 Feb 2004 > > For private, non-commercial use only. > AntiVir license: 1001034888 for Julian Field, Southampton > > checking drive/path (list): . 
> ALERT: [W97M/Verlor.B virus] ./barendsesaunastoom.doc <<< Contains code of > the Word macro virus W97M/Verlor.B (removeable) > ALERT: [Eicar-Test-Signatur virus] ./eicar.com <<< Contains code of the > Eicar-Test-Signatur virus > > > ----- scan results ----- > directories: 1 > files: 4 > alerts: 2 > repaired: 0 > deleted: 0 > renamed: 0 > scan time: 00:00:01 > ------------------------ > Thank you for using AntiVir. > -----SNIP----- > > Please let me know if your output matches this. > > At 18:38 08/02/2004, you wrote: > >> Julian Field wrote: >> >>> Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is >>> detecting viruses in emails just fine. Both inside and outside zip >>> files. >>> Everything just works, so I don't understand what problems other >>> people are >>> having. >> >> >> Hi Julian. >> >> Just installe the 2.1.0. I think its working now, as I couldn't get a >> message to mysef delivered cause of the eicar file. But I'll look at the >> logfiles, and report to you. >> >>> At 15:33 08/02/2004, you wrote: >>> >>>> Julian Field wrote: >>>> >>>>> I have just tested against 2.1.0 (latest on their web site) and it >>>>> works >>>>> fine. >>>>> Are you sure you have the licence key file installed into >>>>> /usr/lib/AntiVir? >>>>> It won't work without it. >>>> >>>> >>>> >>>> Yes I have: >>>> >>>> I have run the: >>>> >>>> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>> >>>> And the result is here: >>>> >>>> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>> AntiVir / Linux Version 2.0.9-16 >>>> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >>>> All rights reserved. >>>> >>>> Loading /usr/lib/AntiVir/antivir.vdf ... >>>> >>>> VDF version: 6.23.0.53 created 30 Jan 2004 >>>> >>>> For private, non-commercial use only. 
>>>> AntiVir license: 12345678 for Erik Jakobsen, Brovst >>>> >>>> checking drive/path (list): /tmp >>>> >>>> ----- scan results ----- >>>> directories: 1 >>>> files: 15 >>>> alerts: 0 >>>> scan time: 00:00:01 >>>> ------------------------ >>>> Thank you for using AntiVir. >>>> >>>>> At 14:08 08/02/2004, you wrote: >>>>> >>>>>> Hi. >>>>>> >>>>>> Is anybody here having success with antivir and MailScanner ?. >>>>>> -- >>>>>> Erik >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Julian Field >>>>> www.MailScanner.info >>>>> Professional Support Services at www.MailScanner.biz >>>>> MailScanner thanks transtec Computers for their support >>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>> >>>> >>>> >>>> >>>> -- >>>> Erik >>> >>> >>> >>> -- >>> Julian Field >>> www.MailScanner.info >>> Professional Support Services at www.MailScanner.biz >>> MailScanner thanks transtec Computers for their support >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >> >> -- >> Erik > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From kcchang at HKUSUA.HKU.HK Mon Feb 9 06:42:49 2004 From: kcchang at HKUSUA.HKU.HK (Chang Kai Cheong) Date: Thu Jan 12 21:22:23 2006 Subject: mailscanner (Solaris 2.6) Could not open file Message-ID: Hi all, We have used MailScanner 4.20.3 installed on our Solaris 2.6 system (with Sophos and Spamassassin 2.55). 
This combination has been running fine for nearly a year but we recently encountered a problem like this:

Feb 9 10:32:51 host MailScanner[21163]: Could not open file >/var_spool/MailScanner/incoming/21163/i192WVVt005047.header: Resource temporarily unavailable
Feb 9 10:32:51 host MailScanner[21163]: Cannot create + lock headers file /var_spool/MailScanner/incoming/21163/i192WVVt005047.header,
....
Feb 9 10:33:58 host MailScanner[20958]: Could not open file >/var_spool/MailScanner/incoming/20958/i192WVVt005047.header: Resource temporarily unavailable
Feb 9 10:33:58 host MailScanner[20958]: Cannot create + lock headers file /var_spool/MailScanner/incoming/20958/i192WVVt005047.header,

and the child died out one by one.

We have searched through the mailing list and take the recommended actions:

- lower the number of child processes
- lower the max. messages per scan
- add additional resources (CPU and memory), now we should have around 20% utilization left in terms of CPU
- add ulimit lines in check_mailscanner script:
    ulimit -n 2048
    ulimit -Hn 2048
    ulimit -s 32678
    ulimit -Hs 32678
    ulimit -v 1048576
    ulimit -Hv 1048576
    ulimit -d 3932152
    ulimit -Hd 3932152

However, we still get into the same problem.

When the above problem is encountered, the child mailscanner processes die one by one and repeated with the same error message. We have to re-create a new mqueue.in directory and gradually move back the queued files/messages in batches for delivery. Moving the queued files too fast would result in the same problem.
I had performed some sar captured on this morning problem but could only spot a sudden increase in slock/s:

10:27:17   atch/s   pgin/s  ppgin/s    pflt/s    vflt/s  slock/s
10:30:18   603.25   664.34  3030.24  19383.92  15327.84     0.00
10:33:18   664.29   782.39  3767.35  18025.67  14332.42     6.97
10:36:18   616.73   810.95  4190.90  10806.34   9065.96    20.91
10:39:18   570.98   643.07  3199.66   3298.72   3412.87   238.33
10:42:18   564.98   718.91  3597.47   4662.66   4904.46    17.60
10:45:18   864.03   779.65  3624.08   6613.88   6722.09     0.00
10:48:18   985.85   839.64  4035.54  11045.76   9830.23     0.00
Average    695.73   748.42  3635.03  10548.22   9085.19    40.54

Does anyone have similar experience to solve the problem?

Thanks in advance.

KC Chang

From eja at URBAKKEN.DK Mon Feb 9 07:07:11 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:22:23 2006
Subject: antivir
In-Reply-To: <40272E55.7020305@urbakken.dk>
References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk> <40268237.5080903@urbakken.dk> <6.0.1.1.2.20040208191558.0597deb0@imap.ecs.soton.ac.uk> <40272E55.7020305@urbakken.dk>
Message-ID: <4027319F.2040206@urbakken.dk>

I forgot to mention, that I don't use the avguard.

Erik Jakobsen wrote:

> I have tested it looking into my maillog realtime.
> > But unfortunatley antivir is not present in the scanning ?: > > > Feb 9 07:49:31 gateway postfix/pipe[1676]: C3853C80F: > to=, relay=ccfilter, delay=2, status=sent > (urbakken.dk) > Feb 9 06:49:31 gateway postfix/pickup[32464]: 888F3C812: uid=100 > from= > Feb 9 06:49:31 gateway postfix/cleanup[1674]: 888F3C812: > message-id=<40272D9E.3040903@urbakken.dk> > Feb 9 06:49:31 gateway postfix/nqmgr[31682]: 888F3C812: > from=, size=1662, nrcpt=1 (queue active) > Feb 9 06:49:31 gateway postfix/nqmgr[31682]: 888F3C812: > to=, relay=none, delay=0, status=deferred (deferred > transport) > Feb 9 07:49:32 gateway MailScanner[860]: New Batch: Scanning 1 > messages, 1801 bytes > Feb 9 07:49:32 gateway MailScanner[860]: Virus and Content Scanning: > Starting > Feb 9 07:49:33 gateway MailScanner[860]: > /var/spool/MailScanner/incoming/860/888F3C812/eicar.com Infection: > EICAR_Test_File > Feb 9 07:49:33 gateway MailScanner[860]: Virus Scanning: F-Prot found > virus EICAR_Test_File > Feb 9 07:49:33 gateway MailScanner[860]: Virus Scanning: F-Prot found 1 > infections > Feb 9 07:49:35 gateway MailScanner[860]: > /var/spool/MailScanner/incoming/860/./888F3C812/eicar.com: > Eicar-Test-Signature FOUND > Feb 9 07:49:36 gateway MailScanner[860]: Virus Scanning: ClamAV found 1 > infections > Feb 9 07:49:36 gateway MailScanner[860]: Infected message 888F3C812 > came from 127.0.0.1 > Feb 9 07:49:37 gateway MailScanner[860]: Filename Checks: Windows/DOS > Executable (eicar.com) > Feb 9 07:49:37 gateway MailScanner[860]: Other Checks: Found 1 problems > Feb 9 07:49:37 gateway MailScanner[860]: Saved infected "eicar.com" to > /var/spool/MailScanner/quarantine/20040209/888F3C812 > Feb 9 01:49:37 gateway postfix/nqmgr[31729]: 7876323EE5: > from=, size=2905, nrcpt=1 (queue active) > Feb 9 07:49:37 gateway MailScanner[860]: Silent: Delivered 1 messages > containing silent viruses > Feb 9 01:49:37 gateway postfix/pickup[30831]: 5EB5423F00: uid=89 > from= > Feb 9 01:49:37 gateway 
postfix/cleanup[1855]: 5EB5423F00: > message-id=<20040209064937.5EB5423F00@gateway.urbakken.dk> > Feb 9 07:49:37 gateway MailScanner[860]: Notices: Warned about 1 messages > > > Julian Field wrote: > >> Thanks for the server version. I installed my licence file into it >> (thanks >> to the AntiVir crew for that), and ran it on a message with a few >> copies of >> eicar in it. It detected all of them just fine. >> >> Here is an example report: >> >>> This is a message from the MailScanner E-Mail Virus Protection Service >>> ---------------------------------------------------------------------- >>> The original e-mail attachment "eicar.zip" >>> was believed to be infected by a virus and has been replaced by this >>> warning >>> message. >>> >>> If you wish to receive a copy of the *infected* attachment, please >>> e-mail helpdesk and include the whole of this message >>> in your request. Alternatively, you can call them, with >>> the contents of this message to hand when you call. >>> >>> At Sun Feb 8 19:12:09 2004 the virus scanner said: >>> AntiVir: ALERT: [Eicar-Test-Signatur virus] eicar.zip --> eicar.com >>> <<< = >>> Contains code of the Eicar-Test-Signatur virus >> >> >> >> I have now tested this on >> AntiVir workstation 2.0.6 >> AntiVir workstation 2.1.0 >> AntiVir server 2.0.8 >> and can confirm that they all work with MailScanner on my Linux systems. >> >> Please place a copy of eicar.com in a directory and run this command: >> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s >> -noboot >> -rs -z . >> The output should be this (except for the line about the Verlor.B virus) >> >> -----SNIP----- >> AntiVir / Linux Version 2.1.0-1 >> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >> All rights reserved. >> >> Loading /usr/lib/AntiVir/antivir.vdf ... >> >> VDF version: 6.23.0.60 created 06 Feb 2004 >> >> For private, non-commercial use only. >> AntiVir license: 1001034888 for Julian Field, Southampton >> >> checking drive/path (list): . 
>> ALERT: [W97M/Verlor.B virus] ./barendsesaunastoom.doc <<< Contains >> code of >> the Word macro virus W97M/Verlor.B (removeable) >> ALERT: [Eicar-Test-Signatur virus] ./eicar.com <<< Contains code of the >> Eicar-Test-Signatur virus >> >> >> ----- scan results ----- >> directories: 1 >> files: 4 >> alerts: 2 >> repaired: 0 >> deleted: 0 >> renamed: 0 >> scan time: 00:00:01 >> ------------------------ >> Thank you for using AntiVir. >> -----SNIP----- >> >> Please let me know if your output matches this. >> >> At 18:38 08/02/2004, you wrote: >> >>> Julian Field wrote: >>> >>>> Can you try upgrading to 2.1.0 (on their website). My (licensed) >>>> copy is >>>> detecting viruses in emails just fine. Both inside and outside zip >>>> files. >>>> Everything just works, so I don't understand what problems other >>>> people are >>>> having. >>> >>> >>> >>> Hi Julian. >>> >>> Just installe the 2.1.0. I think its working now, as I couldn't get a >>> message to mysef delivered cause of the eicar file. But I'll look at the >>> logfiles, and report to you. >>> >>>> At 15:33 08/02/2004, you wrote: >>>> >>>>> Julian Field wrote: >>>>> >>>>>> I have just tested against 2.1.0 (latest on their web site) and it >>>>>> works >>>>>> fine. >>>>>> Are you sure you have the licence key file installed into >>>>>> /usr/lib/AntiVir? >>>>>> It won't work without it. >>>>> >>>>> >>>>> >>>>> >>>>> Yes I have: >>>>> >>>>> I have run the: >>>>> >>>>> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>>> >>>>> And the result is here: >>>>> >>>>> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>>> AntiVir / Linux Version 2.0.9-16 >>>>> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >>>>> All rights reserved. >>>>> >>>>> Loading /usr/lib/AntiVir/antivir.vdf ... >>>>> >>>>> VDF version: 6.23.0.53 created 30 Jan 2004 >>>>> >>>>> For private, non-commercial use only. 
>>>>> AntiVir license: 12345678 for Erik Jakobsen, Brovst >>>>> >>>>> checking drive/path (list): /tmp >>>>> >>>>> ----- scan results ----- >>>>> directories: 1 >>>>> files: 15 >>>>> alerts: 0 >>>>> scan time: 00:00:01 >>>>> ------------------------ >>>>> Thank you for using AntiVir. >>>>> >>>>>> At 14:08 08/02/2004, you wrote: >>>>>> >>>>>>> Hi. >>>>>>> >>>>>>> Is anybody here having success with antivir and MailScanner ?. >>>>>>> -- >>>>>>> Erik >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Julian Field >>>>>> www.MailScanner.info >>>>>> Professional Support Services at www.MailScanner.biz >>>>>> MailScanner thanks transtec Computers for their support >>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Erik >>>> >>>> >>>> >>>> >>>> -- >>>> Julian Field >>>> www.MailScanner.info >>>> Professional Support Services at www.MailScanner.biz >>>> MailScanner thanks transtec Computers for their support >>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> >>> >>> >>> -- >>> Erik >> >> >> >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz >> MailScanner thanks transtec Computers for their support >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> > > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From oldmaxgit at YAHOO.COM Mon Feb 9 07:13:50 2004 From: oldmaxgit at YAHOO.COM (Miserable Old Git) Date: Thu Jan 12 21:22:23 2006 Subject: Spamcop not working Message-ID: Hi Raymond, Thanks for your time and comments. 
I set bounce to "1" for testing purposes and will probably up this when it is running.

I know that conversations and arguments rage over whether spam should be bounced or not, and I don't want to start that here. My reasoning behind bouncing RBL listed mail is that there are occasions when an IP can be listed inadvertently. For example: I was black listed once because somebody on the same server was running an old version of formmail which was used by a spammer. :o( If nobody ever bounces RBL mail, the service providers would never know.

I guess that once it is running properly, I will trim/tidy/tweak it as time proceeds.

Thanks for your thoughts on the subject, but I remain unconvinced, unsure and open minded about it.

Why is life so complicated ? :o)

From kevins at BMRB.CO.UK Mon Feb 9 07:57:54 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:23 2006
Subject: mailscanner (Solaris 2.6) Could not open file
In-Reply-To:
References:
Message-ID: <1076313474.26581.15.camel@bach.kevinspicer.co.uk>

On Mon, 2004-02-09 at 06:42, Chang Kai Cheong wrote:
>
>
> Does anyone has similar experience to solve the problem?
>

I recommended once to someone that they should add ulimit -n unlimited to the init script, based on the fact I had a similar problem with a different program which that cured (I don't use Solaris for my mail servers). I think that solved the problem for them.
You can also tweak system wide limits in /etc/system, but that requires care (you can knacker the entire system) and a reboot.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited.
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Mon Feb 9 10:15:31 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:23 2006 Subject: antivir In-Reply-To: References: Message-ID: <6.0.3.0.2.20040209101427.03dd4528@imap.ecs.soton.ac.uk> You forgot the "." off the end of the command. Can you just compare your output with mine and see if you see any differences? Something is going screwy with blank lines when you paste it into a mail message, which makes it impossible for me to check. Just get the 2 outputs side by side in 2 windows so they line up, and see what has changed. At 06:06 09/02/2004, you wrote: >On Sun, 8 Feb 2004 19:23:12 +0000, Julian Field > wrote: > >Hi Julian. > >Here is the result that you asked for. Sorry, I didn't recognized you wish >at first: > ># /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s >-noboot -rs -z >AntiVir / Linux Version 2.1.0-1 >Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >All rights reserved. > >Loading /usr/lib/AntiVir/antivir.vdf ... > > > >VDF version: 6.23.0.60 created 06 Feb 2004 > > > >For private, non-commercial use only. >AntiVir license: 1001048978 for Erik Jakobsen, Brovst > > > >checking drive/path (cwd): >/var/spool/MailScanner/quarantine/20040208/150E8C812 > >ALERT: [Eicar-Test-Signatur virus] >/var/spool/MailScanner/quarantine/20040208/150E8C812/eicar.com <<< Contains >code of the Eicar-Test-Signatur virus > > > >----- scan results ----- > > > directories: 1 > > > files: 1 > > > alerts: 1 > > > repaired: 0 > > > deleted: 0 > > > renamed: 0 > > > scan time: 00:00:01 > > >------------------------ > > >Thank you for using AntiVir. > > > >Thanks for the server version. I installed my licence file into it (thanks > >to the AntiVir crew for that), and ran it on a message with a few copies of > >eicar in it. 
It detected all of them just fine. > > > >Here is an example report: > >>This is a message from the MailScanner E-Mail Virus Protection Service > >>---------------------------------------------------------------------- > >>The original e-mail attachment "eicar.zip" > >>was believed to be infected by a virus and has been replaced by this > warning > >>message. > >> > >>If you wish to receive a copy of the *infected* attachment, please > >>e-mail helpdesk and include the whole of this message > >>in your request. Alternatively, you can call them, with > >>the contents of this message to hand when you call. > >> > >>At Sun Feb 8 19:12:09 2004 the virus scanner said: > >> AntiVir: ALERT: [Eicar-Test-Signatur virus] eicar.zip --> eicar.com > <<< = > >>Contains code of the Eicar-Test-Signatur virus > > > >I have now tested this on > > AntiVir workstation 2.0.6 > > AntiVir workstation 2.1.0 > > AntiVir server 2.0.8 > >and can confirm that they all work with MailScanner on my Linux systems. > > > >Please place a copy of eicar.com in a directory and run this command: > >/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot > >-rs -z . > >The output should be this (except for the line about the Verlor.B virus) > > > >-----SNIP----- > >AntiVir / Linux Version 2.1.0-1 > >Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. > >All rights reserved. > > > >Loading /usr/lib/AntiVir/antivir.vdf ... > > > >VDF version: 6.23.0.60 created 06 Feb 2004 > > > >For private, non-commercial use only. > >AntiVir license: 1001034888 for Julian Field, Southampton > > > >checking drive/path (list): . 
> >ALERT: [W97M/Verlor.B virus] ./barendsesaunastoom.doc <<< Contains code of > >the Word macro virus W97M/Verlor.B (removeable) > >ALERT: [Eicar-Test-Signatur virus] ./eicar.com <<< Contains code of the > >Eicar-Test-Signatur virus > > > > > >----- scan results ----- > > directories: 1 > > files: 4 > > alerts: 2 > > repaired: 0 > > deleted: 0 > > renamed: 0 > > scan time: 00:00:01 > >------------------------ > >Thank you for using AntiVir. > >-----SNIP----- > > > >Please let me know if your output matches this. > > > >At 18:38 08/02/2004, you wrote: > >>Julian Field wrote: > >>>Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is > >>>detecting viruses in emails just fine. Both inside and outside zip files. > >>>Everything just works, so I don't understand what problems other > people are > >>>having. > >> > >>Hi Julian. > >> > >>Just installe the 2.1.0. I think its working now, as I couldn't get a > >>message to mysef delivered cause of the eicar file. But I'll look at the > >>logfiles, and report to you. > >> > >>>At 15:33 08/02/2004, you wrote: > >>> > >>>>Julian Field wrote: > >>>> > >>>>>I have just tested against 2.1.0 (latest on their web site) and it works > >>>>>fine. > >>>>>Are you sure you have the licence key file installed into > >>>>>/usr/lib/AntiVir? > >>>>>It won't work without it. > >>>> > >>>> > >>>>Yes I have: > >>>> > >>>>I have run the: > >>>> > >>>>/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp > >>>> > >>>>And the result is here: > >>>> > >>>># /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp > >>>>AntiVir / Linux Version 2.0.9-16 > >>>>Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. > >>>>All rights reserved. > >>>> > >>>>Loading /usr/lib/AntiVir/antivir.vdf ... > >>>> > >>>>VDF version: 6.23.0.53 created 30 Jan 2004 > >>>> > >>>>For private, non-commercial use only. 
> >>>>AntiVir license: 12345678 for Erik Jakobsen, Brovst > >>>> > >>>>checking drive/path (list): /tmp > >>>> > >>>>----- scan results ----- > >>>>directories: 1 > >>>>files: 15 > >>>>alerts: 0 > >>>>scan time: 00:00:01 > >>>>------------------------ > >>>>Thank you for using AntiVir. > >>>> > >>>>>At 14:08 08/02/2004, you wrote: > >>>>> > >>>>>>Hi. > >>>>>> > >>>>>>Is anybody here having success with antivir and MailScanner ?. > >>>>>>-- > >>>>>>Erik > >>>>> > >>>>> > >>>>> > >>>>>-- > >>>>>Julian Field > >>>>>www.MailScanner.info > >>>>>Professional Support Services at www.MailScanner.biz > >>>>>MailScanner thanks transtec Computers for their support > >>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >>>> > >>>> > >>>> > >>>>-- > >>>>Erik > >>> > >>> > >>>-- > >>>Julian Field > >>>www.MailScanner.info > >>>Professional Support Services at www.MailScanner.biz > >>>MailScanner thanks transtec Computers for their support > >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >> > >> > >>-- > >>Erik > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Feb 9 10:33:22 2004 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:22:23 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200402091033.i19AXMXG014305@seer.ecs.soton.ac.uk> New Guestbook-Entry from Daniel Kleinsinger I am totally impressed with the way Julian maintains MailScanner. From new features, to fixes for specific problems, to dealing with new users\'\' repetitive questions, I can\'\'t think of a developer who does a better job. 
MailScanner is a great product with a great user community and Julian sets the tone for everyone.
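
For the side-by-side comparison Julian Field asks for in the "antivir" message above, where quote markers and stray blank lines got in the way, this added Python example (not part of the original thread or of MailScanner) normalises pasted AntiVir reports and lists differences in version, summary layout and detections. The sample reports are constructed from the outputs quoted in the thread with the licence line left out, and all function names are assumptions of this example.

```python
import re

QUOTE_PREFIX = re.compile(r"^[>\s]+")          # mail quoting such as ">>> " or "> >"
ALERT = re.compile(r"ALERT: \[(.+?) virus\] (.+?) <<<")
COUNTER = re.compile(r"\b(directories|files|alerts|repaired|deleted|renamed):\s*(\d+)")
VERSION = re.compile(r"AntiVir / Linux Version (\S+)")
VDF = re.compile(r"VDF version: (\S+)")

# Constructed sample: layout of the 2.1.0-1 reference report quoted in the thread.
REFERENCE = """AntiVir / Linux Version 2.1.0-1
VDF version: 6.23.0.60 created 06 Feb 2004
checking drive/path (list): .
ALERT: [W97M/Verlor.B virus] ./barendsesaunastoom.doc <<< Contains code of
the Word macro virus W97M/Verlor.B (removeable)
ALERT: [Eicar-Test-Signatur virus] ./eicar.com <<< Contains code of the
Eicar-Test-Signatur virus
----- scan results -----
 directories: 1
 files: 4
 alerts: 2
 repaired: 0
 deleted: 0
 renamed: 0
 scan time: 00:00:01
"""

# Constructed sample: same scanner version, pasted through a mail client that
# added quote markers, extra blank lines and re-wrapped the ALERT line.
PASTED_NEW = """>AntiVir / Linux Version 2.1.0-1
>
>
>VDF version: 6.23.0.60 created 06 Feb 2004
>
>checking drive/path (cwd):
>/var/spool/MailScanner/quarantine/20040208/150E8C812
>
>ALERT: [Eicar-Test-Signatur virus]
>/var/spool/MailScanner/quarantine/20040208/150E8C812/eicar.com <<< Contains
>code of the Eicar-Test-Signatur virus
>
>----- scan results -----
>
> directories: 1
>
> files: 1
> alerts: 1
>
> repaired: 0
> deleted: 0
> renamed: 0
> scan time: 00:00:01
"""

# Constructed sample: layout of the older 2.0.9-16 report, deeply quoted.
PASTED_OLD = """>>>>> AntiVir / Linux Version 2.0.9-16
>>>>> VDF version: 6.23.0.53 created 30 Jan 2004
>>>>> checking drive/path (list): /tmp
>>>>> ----- scan results -----
>>>>> directories: 1
>>>>> files: 15
>>>>> alerts: 0
>>>>> scan time: 00:00:01
"""


def normalise(text):
    """Drop quote markers and collapse whitespace so blank and wrapped lines vanish."""
    lines = (QUOTE_PREFIX.sub("", line) for line in text.splitlines())
    return " ".join(" ".join(lines).split())


def parse_report(text):
    """Extract version, VDF version, (virus, file name) alerts and summary counters."""
    flat = normalise(text)
    version, vdf = VERSION.search(flat), VDF.search(flat)
    return {
        "version": version.group(1) if version else None,
        "vdf": vdf.group(1) if vdf else None,
        # Keep only the file name: the scanned directory differs between machines.
        "alerts": sorted((v, p.rsplit("/", 1)[-1]) for v, p in ALERT.findall(flat)),
        "counters": {name: int(value) for name, value in COUNTER.findall(flat)},
    }


def compare(reference, pasted, ignore_viruses=()):
    """List differences in version, summary layout and detections."""
    ref, got = parse_report(reference), parse_report(pasted)
    problems = []
    for key in ("version", "vdf"):
        if ref[key] != got[key]:
            problems.append(f"{key}: reference {ref[key]}, pasted {got[key]}")
    missing = sorted(set(ref["counters"]) - set(got["counters"]))
    if missing:
        problems.append("summary lines missing: " + ", ".join(missing))
    for virus, name in ref["alerts"]:
        if virus not in ignore_viruses and (virus, name) not in got["alerts"]:
            problems.append(f"no ALERT for {name} ({virus})")
    # Self-check: a mismatch here means the paste lost or mangled an ALERT line.
    if got["counters"].get("alerts") != len(got["alerts"]):
        problems.append("alerts counter does not match the ALERT lines found")
    return problems


if __name__ == "__main__":
    for label, sample in (("2.1.0 paste", PASTED_NEW), ("2.0.9 paste", PASTED_OLD)):
        diffs = compare(REFERENCE, sample, ignore_viruses=("W97M/Verlor.B",))
        print(label, "->", diffs or "matches the reference")
```

Counter values are deliberately not compared, since the two directories hold different files; only the presence of each summary line and of the expected detections is checked.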

From martinh at SOLID-STATE-LOGIC.COM Mon Feb 9 10:34:17 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:23 2006
Subject: MailScanner high CPU usage
In-Reply-To: <1039.193.230.152.4.1076253809.squirrel@kiki.gds.ro>
References: <1039.193.230.152.4.1076253809.squirrel@kiki.gds.ro>
Message-ID: <40276229.7000002@solid-state-logic.com>

Adrian Voinea wrote:
> Hello, here's my problem:
>
> Sometimes, mailscanner uses a lot of cpu, for a long amount of time.
> The mail server's load average rises to ~13 and stays that way for a while.
> You can see the cpu hogs' activity in the strace output.
> (I searched for "shmat and umoven: Input/output error" on google and this
> error is obviously related to
> the high cpu usage:
> http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=shmat+umoven+cpu)
>
> What do you think is wrong? Did anyone else encounter this problem?
>
>
> System configuration:
> Celeron 2.4
> 512 ram
> Kernel 2.4.23
> perl 5.6.1
> sendmail 8.12.11
> mailscanner 4.26.7, sa+bayes enabled
> spamassassin 2.63

Have you got RBL's setup in spamassassin? Also worth checking are the numbers of messages you scan and one and the number of children you are running.

mine are.. (on a 600mhz Celeron and 512MB ram)..
Max Children = 5
Max Unscanned Messages Per Scan = 20
Max Unsafe Messages Per Scan = 20

Also worth checking the SA settings to make sure the rules parse properly..

spamassassin -D --lint -C /opt/MailScanner/etc/spam.assassin.prefs.conf

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From m.sapsed at BANGOR.AC.UK Mon Feb 9 10:51:55 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos and inconsistent MIME messages?
Message-ID: <4027664B.40404@bangor.ac.uk>

Hi folks,

I've just received this info via my EM Library server:

----------
Global notifications:

2004-02-06 17:07:45: Sophos Anti-Virus version 3.78(d) contains code designed to deal with inconsistent MIME messages. If you are using Sophos Anti-Virus at your email gateway, you are advised to subscribe to this new version. If you are using Sophos Anti-Virus at your desktop only, there is no need to download this new version.
----------

But the release notes are no different to the standard 3.78 version! Anyone know what this is about?

Cheers,

Martin

--
Martin Sapsed
Information Services            "Who do you say I am?"
University of Wales, Bangor     Jesus of Nazareth

From adrian at gds.ro Mon Feb 9 11:37:00 2004
From: adrian at gds.ro (Adrian Voinea)
Date: Thu Jan 12 21:22:23 2006
Subject: MailScanner high CPU usage
In-Reply-To: <40276229.7000002@solid-state-logic.com>
References: <1039.193.230.152.4.1076253809.squirrel@kiki.gds.ro> <40276229.7000002@solid-state-logic.com>
Message-ID: <49023.193.230.152.1.1076326620.squirrel@kiki.gds.ro>

It must be something else that causes the high CPU usage...
does *anyone* know what that shmat error means?

(

umask(0177) = 077
open("/var/spool/mqueue.in/qfi168t9Rc012372", O_RDWR|0x8000) = 7
fstat64(0x7, 0x80f5380) = 0
shmat(7, 0x96c5298, 0x2ptrace: umoven: Input/output error
) = ?
flock(7, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily unavailable)
close(7)

)

Martin Hepworth said:
> Adrian Voinea wrote:
>> Hello, here's my problem:
>>
>> Sometimes, mailscanner uses a lot of cpu, for a long amount of time.
>> The mail server's load average rises to ~13 and stays that way for a
>> while.
>> You can see the cpu hogs' activity in the strace output.
>> (I searched for "shmat and umoven: Input/output error" on google and
>> this
>> error is obviously related to
>> the high cpu usage:
>> http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=shmat+umoven+cpu)
[...]
>
> Have you got RBL's setup in spamassassin?

I have skip_rbl_checks set to 1 in spam.assassin.prefs.conf

> Also worth checking are the
> numbers of messages you scan and one and the number of children you are
> running.
>
> mine are.. (on a 600mhz Celeron and 512MB ram)..
> Max Children = 5
> Max Unscanned Messages Per Scan = 20
> Max Unsafe Messages Per Scan = 20

I have the same settings.

>
>
> Also worth checking the SA settings to make sure the rules parse
> properly..
>
> spamassassin -D --lint -C /opt/MailScanner/etc/spam.assassin.prefs.conf

This is the output of the command:

root@kiki:/opt/MailScanner/etc# spamassassin -D --lint -C /opt/MailScanner/etc/spam.assassin.prefs.conf
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/usr/local/sbin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/sbin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/X11R6/bin', keeping.
debug: PATH included '/usr/games', keeping.
debug: PATH included '/usr/local/iproute', keeping.
debug: PATH included '/usr/local/samba/bin', keeping.
debug: PATH included '/etc/scripts', keeping.
debug: PATH included '/www/mysql/bin', keeping.
debug: PATH included '/etc/bin', which doesn't exist, dropping.
debug: PATH included '/usr/local/samba/bin', keeping.
debug: Final PATH set to: /usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/games:/usr/local/iproute:/usr/local/samba/bin:/etc/scripts:/www/mysql/bin:/usr/local/samba/bin
debug: ignore: using a test message to lint rules
debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin" for user state dir
debug: using "/root/.spamassassin/user_prefs" for user prefs file
debug: bayes: 26096 tie-ing to DB file R/O /opt/MailScanner/spamassassin/bayes_toks
debug: bayes: 26096 tie-ing to DB file R/O /opt/MailScanner/spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: Score set 3 chosen.
debug: Initialising learner
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=0
debug: running uri tests; score so far=0
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0
debug: running meta tests; score so far=0
debug: is spam? score=0 required=5 tests=

From michele at BLACKNIGHTSOLUTIONS.COM Mon Feb 9 11:46:43 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:23 2006
Subject: OT - list options
In-Reply-To: <6.0.1.1.2.20040207155428.02dbd4f0@imap.ecs.soton.ac.uk>
Message-ID:

Excellent! I've changed my settings and Squirrel mail is now a lot more user-friendly

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 07 February 2004 15:55
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: OT - list options
>
>
> You can do this yourself at
> www.jiscmail.ac.uk/lists/mailscanner.html
>
> At 15:23 07/02/2004, you wrote:
> >Slightly OT, but I was wondering if there was any chance of messages to
> >the list being prepended by "Mailscanner" or similar.
> >When using my desktop email client I filter mail using the "to" or "from"
> >fields, however I cannot use this with my IMAP webmail, as I wouldn't be
> >able to download mail after.
> >
> >Michele
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From martinh at SOLID-STATE-LOGIC.COM Mon Feb 9 11:57:12 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:23 2006
Subject: MailScanner high CPU usage
In-Reply-To: <49023.193.230.152.1.1076326620.squirrel@kiki.gds.ro>
References: <1039.193.230.152.4.1076253809.squirrel@kiki.gds.ro> <40276229.7000002@solid-state-logic.com> <49023.193.230.152.1.1076326620.squirrel@kiki.gds.ro>
Message-ID: <40277598.2080104@solid-state-logic.com>

Adrian Voinea wrote:
> It must be something else that causes the high CPU usage...
> does *anyone* know what that shmat error means?
>
> (
>
> umask(0177) = 077
> open("/var/spool/mqueue.in/qfi168t9Rc012372", O_RDWR|0x8000) = 7
> fstat64(0x7, 0x80f5380) = 0
> shmat(7, 0x96c5298, 0x2ptrace: umoven: Input/output error
> ) = ?
> flock(7, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily
> unavailable)
> close(7)
>
> )
>

Hi

have you checked /var/log/messages to see if there is any indication here? It could be that you are out of shared memory...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From linux at MOSTERT.NOM.ZA Mon Feb 9 15:52:59 2004
From: linux at MOSTERT.NOM.ZA (Mozzi)
Date: Thu Jan 12 21:22:23 2006
Subject: Spam checks
Message-ID: <200402091752.59090.linux@mostert.nom.za>

Hi all
I have disabled spamchecks and use spamassassin in the conf file yet I still see entries like below in my logfile.
MailScanner[20476]: Spam Checks: Starting

Any ideas?

Mozzi

************************************************************
Scanned by @lantic IS Virus Control Service
This message was scanned for viruses and dangerous content.
@lantic Internet Services (Pty) Ltd. - http://www.lantic.net
eScan for Windows-based PCs - http://www.escan.co.za

If you have received a message marked in the subject line as [SPAM] please note that according to our MailScanner, this message has all the attributes of Unsolicited Commercial Email (UCE). If the message has however been marked incorrectly, please send a query to abuse@lantic.net
************************************************************

From JEN at AH.DK Mon Feb 9 14:38:03 2004
From: JEN at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:22:23 2006
Subject: Svar: Re: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails
Message-ID:

Hi

I am trying to install mailscanner 4.26.8-1 on suse 9.0 and I get some "Failed build dependencies"

Attempting to build and install perl-MIME-tools-5.411-pl4.2
Installing perl-MIME-tools-5.411-pl4.2.src.rpm
error: Failed build dependencies:
        perl >= 0:5.00503 is needed by perl-MIME-tools-5.411-pl4.2

My perl version is: 5.8.1

Where do I put: BuildRequires: perl >= 0:5.5.3 or 0:5.8.1

/Jan Elmqvist Nielsen

>>> Heinz.Knutzen@DATAPORT.DE 30-01-2004 17:34:03 >>>
It doesn't help to install perl-Net-CIDR manually, because the package doesn't build at all:
"ERROR: EMPTY FILE LIST"

On a system with SuSE 8.0 perl-Net-CIDR builds nicely.
I compared the output of rpmbuild at both systems and found the underlying problem.
When calling rpmbuild with SuSE 9.0 this results in paths where BuildRoot occurs twice:
Installing /var/tmp/perl-Net-CIDR-root/var/tmp/perl-Net-CIDR-root/usr/share/man/man3/Net::CIDR.3pm

perl-Net-CIDR.spec defines BuildRoot as
%{_tmppath}/%{name}-%{version}-%{release}-root

The first occurrence comes from
perl Makefile.PL PREFIX=$RPM_BUILD_ROOT%{_prefix}

It appears twice, because SuSE defines its own version of the rpm macro %makeinstall in /usr/lib/rpm/suse_macros:
%makeinstall make DESTDIR=%{buildroot} install

The problem didn't occur with SuSE 8.0, because it uses an older version of ExtUtils::MakeMaker, where the resulting Makefile is ignoring its parameter "DESTDIR" and hence (accidentally) successfully creates the package.

A possible solution would be to call "make install" directly instead of "%makeinstall" in perl-Net-CIDR.spec. This would solve the problem for SuSE. It shouldn't hurt for other rpm based distributions, because the standard definition of %makeinstall effectively calls "make install" with many parameters defining prefixes and directories. But these are useless, because PREFIX is already set when processing Makefile.PL.

I still need --nodeps to build this package. If I change "BuildRequires" to
BuildRequires: perl >= 0:5.5.3
it works fine for SuSE 8.0 and 9.0 without using --nodeps.

Best regards

Heinz Knutzen
Dataport
Altenholzer Str 10-14, 24161 Altenholz, Germany
http://www.dataport.de/
mailto:Heinz.Knutzen@dataport.de
Tel: +49.431.3295.6581
Fax: +49.431.3295.410

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On behalf of Julian Field
Sent: Friday, 30 January 2004 10:14
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails

Try just installing the Net-CIDR module with something like
rpm -Uvh --nodeps perl-Net-CIDR*
and then run ./install.sh.

At 16:53 29/01/2004, you wrote:
>For SuSE 9.0 with MailScanner-4.26.6-1.suse.tar.gz I get:
>./install.sh
>...
>Attempting to build and install perl-Net-CIDR-0.08-2
>Installiere perl-Net-CIDR-0.08-2.src.rpm
>Fehler: Failed build dependencies:
>         perl >= 0:5.00503 is needed by perl-Net-CIDR-0.08-2
>
>My perl is:
># rpm -q perl
>perl-5.8.1-46
># perl -v
>This is perl, v5.8.1 built for i586-linux-thread-multi
>(with 1 registered patch, see perl -V for more detail)
>
>I get this message for some perl packages, but not for all of them.
>Using "./install.sh nodeps" doesn't help, it gives the same error.
>
>Using "rpmbuild --rebuild --nodeps perl-Net-CIDR-0.08-2.src.rpm"
>does help a bit, but aborts with:
>"ERROR: EMPTY FILE LIST"
>
>This doesn't seem to be a new problem, it occurs with
>MailScanner-4.25-14.suse.tar.gz as well.
>
>
>Best regards
>
>-- Heinz
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>behalf of Julian Field
>Sent: Thursday, 29 January 2004 16:25
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: ANNOUNCE: Beta 4.26.6 released
>
>Hi folks,
>
>I have just posted 4.26.6 on the website for you all. Download from
>www.mailscanner.info as usual.
>
>This is intended as a final testing release before 4.26 goes stable, which
>will hopefully be this weekend. If you could test it out and let me know of
>any problems as soon as possible, I will get them fixed.
>
>Thanks folks!
>
>Changes this time are:
>
>* New Features and Improvements *
>- Improved configuration engine so that rules can now contain 2 tests
>  separated by "and".
>- Added "notify" Spam Action and High Scoring Spam Action. This will cause a
>  short text notification message to be sent to the recipients of the spam
>  message. The filename of the report is set with the "Recipient Spam Report"
>  configuration setting. There is also an MCP equivalent of this
>  functionality. See the MCP documentation for details of the settings.
>- Removed the "bounce" spam action.
>- Added regular rebuild of Bayes database. Has 2 options associated with it
>  which I haven't included in the conf file yet.
>- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to
>  configure the operation of the regular Bayes database rebuilds.
>- Added commented "bayes_auto_expire 0" line to spam.assassin.prefs.conf as
>  you will want to uncomment this line if you are using the regular scheduled
>  Bayes database expiry feature given above.
>- Added "Minimum Stars If On Spam List" setting so that people who just filter
>  on the "Spam Stars" can catch messages which only trigger the "Spam List"
>  trap.
>- Added "Log Non Spam" option to allow logging of all non-spam, which can be
>  coerced into logging SpamAssassin scores of non-spam mail.
>- Added support for Norman virus scanner (www.norman.de).
>- Added logging of ids of dropped silent viruses.
>- Added "Too Many Attachments" error report in a message instead of old
>  report saying it could not analyse the message.
>- No longer stops or restarts after RPM upgrade.
>- Added MCP patches for SpamAssassin 2.61 and 2.63.
>- Added 'SpamAssassin Site Rules Dir' setting to locate /etc/mail/spamassassin.
>- Spanish translations of languages.conf updated from Debian translators.
>- Added Catalan translation of all report files.
>- Added bogusmx list to supplied spam.lists.conf.
>- Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf.
>- Changed the version number scheme from major.minor-teeny to major.minor.teeny.
>- Forced owner to be root.root in both RPM spec files, so can be re-built by
>  non-root users.
>- Added my Amazon.co.uk "wish list" to the donations page.
>- Detailed spam report now includes auto-learn status if it was auto-learnt.
>
>* Fixes *
>- Fixed creation of MCP quarantine directory bug.
>- Fix to Postfix message duplication problems. Must find "end of message"
>  record now.
>- Fix to duplicate recipient listing in postmaster notices.
>- Fixed bug so filename/filetype rules configuration setting can be blank.
>- Exim per-message log files are deleted correctly now.
>- Fixed recipient duplication problems in sender messages and other reports.
>- Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's
>  own checks find multiple problems with 1 attachment.
>- Fixed bug where _SCORE_ in subject line modifications is never more than 60.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ugob at CAMO-ROUTE.COM Mon Feb 9 15:10:26 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:23 2006
Subject: Spam checks
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108BF@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Mozzi [mailto:linux@MOSTERT.NOM.ZA]
> Sent: Monday, February 09, 2004 10:53 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Spam checks
>
>
> Hi all
> I have disabled spamchecks and use spamassassin in the conf
> file yet I still
> see entries like below in my logfile.
> MailScanner[20476]: Spam Checks: Starting

Spam check can also mean "Checking spam, using spamassassin"

Ugo

>
> Any ideas?
>
>
> Mozzi
>
>
>
>
> ************************************************************
> Scanned by @lantic IS Virus Control Service
> This message was scanned for viruses and dangerous content.
> @lantic Internet Services (Pty) Ltd. - http://www.lantic.net
> eScan for Windows-based PCs - http://www.escan.co.za
>
> If you have received a message marked in the subject line
> as [SPAM] please note that according to our MailScanner,
> this message has all the attributes of Unsolicited
> Commercial Email (UCE). If the message has however been
> marked incorrectly, please send a query to abuse@lantic.net
> ************************************************************
>

From mailscanner at LISTS.COM.AR Mon Feb 9 15:30:46 2004
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:22:23 2006
Subject: Silent virus & new mail worms...
Message-ID: <40277D76.10613.236AC43D@localhost>

Hi,

Kevin Miller asked a few days ago about av-scanners identifying by means of an option the e-mail borne virus so they could be automatically categorized as "silent virus" by MS and appropriate action be taken (e.g. "Still deliver silent viruses = no").
http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0402&L=mailscanner&P=17196

Jason Balicki said Sophos is working on this (or so their PR people lie about):
http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0402&L=mailscanner&P=17462

I asked about this in the clamav list a few days ago (actually asking for the virus database format, in case it already existed):
http://mail-archive.com/clamav-users@lists.sourceforge.net/msg04859.html

Fajar Nugraha suggested using the 'Worm.' prefix in the name of the virus to identify them:
http://mail-archive.com/clamav-users@lists.sourceforge.net/msg04863.html

I don't know about other scanners, but they may also have a standard string within their name implying it is a mail worm.

Now, Julian, would you consider this as a wished option?

It'd be a new option like this (configured for clamav):

Silent Viruses Regex: /^Worm\..*/

This way, we can immediately recognize new e-mail worms as 'Silent' and process them appropriately...

I wouldn't eliminate the "Silent Viruses:" option, just in case.

TIA.

--
Mariano Absatz
El Baby
----------------------------------------------------------
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, the mechanics are German, the lovers are French, the entertainment is American, and everything is organised by the Swiss.
In Hell, the police are German, the chefs are British, the beer is American, the mechanics are French, the lovers are Swiss, the entertainment is Belgian, and everything is organised by the Italians.

From raq at CHURCHER.ORG.UK Mon Feb 9 15:30:34 2004
From: raq at CHURCHER.ORG.UK (Steve Churcher)
Date: Thu Jan 12 21:22:23 2006
Subject: Mcafee
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629274108BF@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <00a001c3ef21$a95ba2a0$206510ac@euclid.local>

Hi All

Does anyone know where I can purchase a license for McAfee Command line for unix in the UK? Or indeed anywhere really!

Seems a hard one to track down or maybe it's just me..

Thanks
Steve

From dot at DOTAT.AT Mon Feb 9 15:42:16 2004
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:22:23 2006
Subject: Silent virus & new mail worms...
In-Reply-To:
Message-ID:

Mariano Absatz wrote:
>
>I don't know about other scanners, but they may also have a standard string
>within their name implying it is a mail worm.

I think McAfee always uses @MM as a mass mailing worm suffix, but I haven't properly checked that this covers exactly the viruses I want to auto-delete.

Tony.
--
f.a.n.finch http://dotat.at/
DOVER WIGHT: NORTHWEST 7 TO SEVERE GALE 9 DECREASING 4 OR 5, VEERING NORTH 3 OR 4 LATER. SHOWERS. GOOD.

From kcchang at HKUSUA.HKU.HK Mon Feb 9 15:53:03 2004
From: kcchang at HKUSUA.HKU.HK (Chang Kai Cheong)
Date: Thu Jan 12 21:22:23 2006
Subject: mailscanner (Solaris 2.6) Could not open file
In-Reply-To: <1076313474.26581.15.camel@bach.kevinspicer.co.uk>
Message-ID:

Hi Kevin,

My Solaris got:

set rlim_fd_max = 4096

in /etc/system and I think 2048 (out of 4096) should be fairly good
but still it failed. The strange thing is that the same error
message keeps going even after the restart of MailScanner. I have to
move the mqueue.in away and create a new one in order to successfully
start MailScanner and make it work properly again (should it be a
file descriptor problem??). I can re-start the MailScanner only if
the mqueue.in is re-created and then gradually moved back the queued
messages.

Actually, my MailScanner has been running smoothly for over a year
and got this intermittent error since January 2004 (and I got the
same version running on Alpha Tru64 without problem). I cannot find
any clues in truss output as well (only find a number of
fstat/open/fcntl call to mail messages and then rmdir of the incoming
dir. before dying of child mailscanner processes). Any ideas?

Thanks for your input.

KC Chang

On Mon, 9 Feb 2004, Kevin Spicer wrote:

> On Mon, 2004-02-09 at 06:42, Chang Kai Cheong wrote:
> >
> >
> > Does anyone have similar experience to solve the problem?
> >
> I recommended once to someone that they should add ulimit -n unlimited
> to the init script, based on the fact I had a similar problem with a
> different program which that cured (I don't use Solaris for my mail
> servers). I think that solved the problem for them.
> You can also tweak system wide limits in /etc/system, but that requires
> care (you can knacker the entire system) and a reboot.
>
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.
>

From prandal at HEREFORDSHIRE.GOV.UK Mon Feb 9 15:53:17 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:23 2006
Subject: Mcafee
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4F2@jessica.herefordshire.gov.uk>

We got ours through our Total Virus Defence subscription.

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Steve Churcher
> Sent: 09 February 2004 15:31
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Mcafee
>
>
> Hi All
>
> Does anyone know where I can purchase a license for McAfee
> Command line
> for unix in the UK? Or indeed anywhere really!
>
> Seems a hard one to track down or maybe it's just me..
>
> Thanks
> Steve
>

From eja at URBAKKEN.DK Mon Feb 9 15:57:23 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:22:23 2006
Subject: Mail ?.
Message-ID: <4027ADE3.6090007@urbakken.dk>

Julian !.

Did you receive my mail with the antivir log_file ?.

--
Erik

From Kevin.Spicer at BMRB.CO.UK Mon Feb 9 16:05:42 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:23 2006
Subject: mailscanner (Solaris 2.6) Could not open file
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AE9B@pascal.priv.bmrb.co.uk>

Chang Kai Cheong wrote:
> Hi Kevin,
>
> My Solaris got:
>
> set rlim_fd_max = 4096
>
> in /etc/system and I think 2048 (out of 4096) should be fairly good
> but still it failed. The strange thing is that the same error
> message keeps going even after the restart of MailScanner. I have to
> move the mqueue.in away and create a new one in order to successfully
> start MailScanner and make it work properly again (should it be a
> file descriptor problem??). I can re-start the MailScanner only if
> the mqueue.in is re-created and then gradually moved back the queued
> messages.
>
> Actually, my MailScanner has been running smoothly for over a year
> and got this intermittent error since January 2004 (and I got the
> same version running on Alpha Tru64 without problem). I cannot find
> any clues in truss output as well (only find a number of
> fstat/open/fcntl call to mail messages and then rmdir of the incoming
> dir. before dying of child mailscanner processes). Any ideas?
>

It's probably been tipped over the edge by the MyDoom virus. IIRC these
limits apply to processes and their children, so...

5 mailscanner processes * 100 message batches * 2 queue files per message
= 1000 files

Then we've got the output header files (another 500 files), then any
attachments/ bodies being scanned (say 2 parts per message maybe another
1000). And that's before Spamassassin, file command etc.etc. Okay I admit
that maybe all of these aren't open at the same time - but you can see how
quickly they can be used up when the server is busy. The very fact that
taking the messages out of the queue clears the problem suggests it is a
symptom of the number of files involved.
BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From ralexand at HOODINDUSTRIES.COM Mon Feb 9 16:35:15 2004
From: ralexand at HOODINDUSTRIES.COM (Richard Alexander)
Date: Thu Jan 12 21:22:23 2006
Subject: Rule to allow internal zip files/block external
Message-ID:

I am currently running MS 4.26.7, SA 2.63.1, on red hat 9.0. Because of
the recent flood of *.zip attachment viruses we currently block all the
standard attachments as well as all zip attachments. Is there a way to
allow to local users to send zip files within our local site, while still
blocking external zip attachments from entering our system?

Thanks

From raymond at PROLOCATION.NET Mon Feb 9 15:35:50 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:23 2006
Subject: Silent virus & new mail worms...
In-Reply-To: <40277D76.10613.236AC43D@localhost>
Message-ID:

Hi!

> It'd be a new option like this (configured for clamav):
> Silent Viruses Regex: /^Worm\..*/

Worm will do just fine.

> This way, we can immediately recognize new e-mail worms as 'Silent' and
> process them appropriately...
>
> I wouldn't eliminate the "Silent Viruses:" option, just in case.

You can also add it in the existing 'Silent viruses', works fine. Some
people who are using Kaspersky are already using this, since Kaspersky
already put those into one category.

Bye,
Raymond.

From 20020401 at DUH.NET Mon Feb 9 16:44:58 2004
From: 20020401 at DUH.NET (Travis Taylor)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
Message-ID: <1076345098@otherbbs.com>

We are trying to figure out how an email slipped past MailScanner with
Sophos. Symantec quarantined the message on the server when the user
checked her mail this morning.

The message was a bounce from a site that does not permit executables.

Here is the message recovered from the quarantine server:

Received: from emailscanner.newton.k12.ks.us not authenticated [192.168.254.10]
        by newton.k12.ks.us with NetMail SMTP Agent $Revision: 3.22.1.3 $ on Novell NetWare;
        Fri, 06 Feb 2004 08:36:46 -0600
Received: from mx07.futurequest.net (mx07.futurequest.net [69.5.6.178])
        by emailscanner.newton.k12.ks.us (8.12.8/8.12.8) with SMTP id i16EaM6L008388
        for ; Fri, 6 Feb 2004 08:36:22 -0600
X-Envelope-To:
Message-Id: <200402061436.i16EaM6L008388@emailscanner.newton.k12.ks.us>
Received: (qmail 15257 invoked for bounce); 6 Feb 2004 14:27:02 -0000
Date: 6 Feb 2004 14:27:02 -0000
From: MAILER-DAEMON@mx07.futurequest.net
To: khays@newton.k12.ks.us
Subject: failure notice
X-USD373-MailScanner-Information: Mail scanned using http://mailscanner.info
X-USD373-MailScanner: Found to be clean
X-USD373-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.903,
        required 5, LARGE_HEX 1.59, MSGID_FROM_MTA_HEADER 0.76,
        NO_REAL_NAME 0.28, UPPERCASE_25_50 0.26)
X-USD373-MailScanner-SpamScore: ss

Hi. This is the qmail-send program at mx07.futurequest.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

: No executable files accepted. Message rejected 1076077622 pid 2773

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 32431 invoked from network); 6 Feb 2004 13:43:40 -0000
Received: from newton.k12.ks.us (hillsboro-bm.teen.k12.ks.us [65.241.105.189])
        by mx07.futurequest.net ([69.5.6.178])
        with ESMTP via TCP; 06 Feb 2004 13:43:40 -0000
From: khays@newton.k12.ks.us
To: ugaw@myparentime.com
Subject: Status
Date: Fri, 6 Feb 2004 07:43:35 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0004_9E42CB75.1E93C406"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0004_9E42CB75.1E93C406
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit

[snip]

------=_NextPart_000_0004_9E42CB75.1E93C406
Content-Type: application/octet-stream;
        name="readme.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="readme.scr"

[snip]

------=_NextPart_000_0004_9E42CB75.1E93C406--

So far MailScanner has caught 1817 MyDoom-A virus, with the exception of
27 MyDoom infected messages that slipped through during the window
when the virus was released in the wild and before Sophos updated the
definitions, MailScanner and Sophos has caught everyone since until now.
Anyone got some ideas on what to check or how to verify this got
through?

Is this something we need to send to Sophos?

Using RH 9, MailScanner v4.23-11, and Sophos v3.75

---
Travis Taylor, EMail Administrator
Newton Unified School District #373
Educational Technology Center
116 West 7th
Newton, KS 67114
316-284-6251

From dustin.baer at IHS.COM Mon Feb 9 17:09:55 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
References: <1076345098@otherbbs.com>
Message-ID: <4027BEE3.73038005@ihs.com>

Travis Taylor wrote:
>
> We are trying to figure out how an email slipped past MailScanner with
> Sophos. Symantec quarantined the message on the server when the user
> checked her mail this morning.
>
> The message was a bounce from a site that does not permit executables.
>
> Here is the message recovered from the quarantine server:
>
> [snip]
>
> So far MailScanner has caught 1817 MyDoom-A virus, with the exception of
> 27 MyDoom infected messages that slipped through during the window
> when the virus was released in the wild and before Sophos updated the
> definitions, MailScanner and Sophos has caught everyone since until now.
> Anyone got some ideas on what to check or how to verify this got
> through?
>
> Is this something we need to send to Sophos?
>
> Using RH 9, MailScanner v4.23-11, and Sophos v3.75
>
> ---
> Travis Taylor, EMail Administrator

Travis,

We have the same situation here. Right now, I am trying to retrieve
the Symantec quarantined documents, and will be sending them to Sophos.

I would suggest sending them yours, also.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From 20020401 at DUH.NET Mon Feb 9 17:32:21 2004
From: 20020401 at DUH.NET (Travis Taylor)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
Message-ID: <1076347941@otherbbs.com>

>Travis,
>
>We have the same situation here. Right now, I am trying to retrieve
>the Symantec quarantined documents, and will be sending them to Sophos.
>
>I would suggest sending them yours, also.
>
>Dustin
>--
>Dustin Baer
>Unix Administrator/Postmaster
>Information Handling Services
>15 Inverness Way East
>Englewood, CO 80112
>303-397-2836

I'm in the process of sending it to sophos now, Dustin.

On a side note, I decided to send the quarantined message as an
attachment to myself and MailScanner/Sophos caught it. Though when I
pasted the infected bounced message in the body of a message and sent
it to myself it slipped through without being detected. I'm wondering
if this has something to do with how the message is encoded (mime,
uuencode, etc).

---
Travis Taylor, EMail Administrator
Newton Unified School District #373
Educational Technology Center
116 West 7th
Newton, KS 67114
316-284-6251

From martinh at SOLID-STATE-LOGIC.COM Mon Feb 9 17:37:51 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
In-Reply-To: <1076347941@otherbbs.com>
References: <1076347941@otherbbs.com>
Message-ID: <4027C56F.2010103@solid-state-logic.com>

Travis Taylor wrote:
>>Travis,
>>
>>We have the same situation here. Right now, I am trying to retrieve
>>the Symantec quarantined documents, and will be sending them to Sophos.
>>
>>I would suggest sending them yours, also.
>>
>>Dustin
>>--
>>Dustin Baer
>>Unix Administrator/Postmaster
>>Information Handling Services
>>15 Inverness Way East
>>Englewood, CO 80112
>>303-397-2836
>
>
> I'm in the process of sending it to sophos now, Dustin.
>
> On a side note, I decided to send the quarantined message as an
> attachment to myself and MailScanner/Sophos caught it. Though when I
> pasted the infected bounced message in the body of a message and sent
> it to myself it slipped through without being detected. I'm wondering
> if this has something to do with how the message is encoded (mime,
> uuencode, etc).
>
>

This is a known issue with MailScanner and specifically one of the Perl
modules it uses.

From memory Julian asked for anyone with such an email to forward it
direct to him (not the list) so he can investigate the problem.

I hope Julian doesn't shoot me getting people to send him viruses.

You might want to email him before hand to warn him an example is on the
way!

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From kevins at BMRB.CO.UK Mon Feb 9 18:28:01 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
In-Reply-To: <4027C56F.2010103@solid-state-logic.com>
References: <1076347941@otherbbs.com> <4027C56F.2010103@solid-state-logic.com>
Message-ID: <1076351285.1679.0.camel@bach.kevinspicer.co.uk>

On Mon, 2004-02-09 at 17:37, Martin Hepworth wrote:

> From memory Julian asked for anyone with such an email to forward it
> direct to him (not the list) so he can investigate the problem.
>
> I hope Julian doesn't shoot me getting people to send him viruses.
>
> You might want to email him before hand to warn him an example is on the
> way!

I think he asked for them in a password protected zip (?)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From peter at UCGBOOK.COM Mon Feb 9 18:31:40 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:23 2006
Subject: Rule to allow internal zip files/block external
In-Reply-To:
References:
Message-ID: <4027D20C.5050609@ucgbook.com>

Richard Alexander wrote:
> I am currently running MS 4.26.7, SA 2.63.1, on red hat 9.0. Because of
> the recent flood of *.zip attachment viruses we currently block all the
> standard attachments as well as all zip attachments. Is there a way to
> allow to local users to send zip files within our local site, while still
> blocking external zip attachments from entering our system?

Yes, use a ruleset to point local users to a different
filename.rules.conf than the rest.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From kodak at FRONTIERHOMEMORTGAGE.COM Mon Feb 9 19:13:48 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
In-Reply-To: <1076351285.1679.0.camel@bach.kevinspicer.co.uk>
Message-ID: <007f01c3ef40$d8a456a0$0501a8c0@darkside>

This issue may be fixed by using the 3.78d version which
according to Sophos:

"2004-02-06 17:07:45: Sophos Anti-Virus version 3.78(d) contains
code designed to deal with inconsistent MIME messages. If you are
using Sophos Anti-Virus at your email gateway, you are advised to
subscribe to this new version. If you are using Sophos Anti-Virus
at your desktop only, there is no need to download this new
version."

My apologies if you are already using 3.78d.

HTH,

--J(K)

From mailscanner at ecs.soton.ac.uk Mon Feb 9 19:59:08 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: Spam checks
In-Reply-To: <200402091752.59090.linux@mostert.nom.za>
References: <200402091752.59090.linux@mostert.nom.za>
Message-ID: <6.0.1.1.2.20040209195721.02d84ec0@imap.ecs.soton.ac.uk>

It tends to log it even though it's not doing it. Considering the
possibility of rulesets, it's not actually as trivial as you think it might
be to decide if any spam checks are to be done. So I log it anyway, even
though that particular message batch might not contain any messages to be
spam checked.

At 15:52 09/02/2004, you wrote:
>Hi all
>I have disabled spamchecks and use spamassassin in the conf file yet I still
>see entries like below in my logfile.
>MailScanner[20476]: Spam Checks: Starting
>
>Any ideas?
>
>
>Mozzi
>
>
>
>
>************************************************************
>Scanned by @lantic IS Virus Control Service
>This message was scanned for viruses and dangerous content.
>@lantic Internet Services (Pty) Ltd. - http://www.lantic.net
>eScan for Windows-based PCs - http://www.escan.co.za
>
>If you have received a message marked in the subject line
>as [SPAM] please note that according to our MailScanner,
>this message has all the attributes of Unsolicited
>Commercial Email (UCE). If the message has however been
>marked incorrectly, please send a query to abuse@lantic.net
>************************************************************

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 9 20:08:42 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: Rule to allow internal zip files/block external
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040209200435.02d1fec0@imap.ecs.soton.ac.uk>

At 16:35 09/02/2004, you wrote:
>I am currently running MS 4.26.7, SA 2.63.1, on red hat 9.0. Because of
>the recent flood of *.zip attachment viruses we currently block all the
>standard attachments as well as all zip attachments. Is there a way to
>allow to local users to send zip files within our local site, while still
>blocking external zip attachments from entering our system?

Use a ruleset to point at different filename.rules.conf files.

First ban zip files in your main filename.rules.conf file. Copy one of the
other deny lines and put it right near the top of the file. Make sure the 4
sections of the line are separated with tabs and not spaces.

Then copy the file to filename.allowzip.rules.conf. Change the deny zip to
allow zip (use one of the other allow lines as a template). Make sure it's
near the top of the file so gets acted on very early.

Then create a ruleset in /etc/MailScanner/rules/filenameconf.rules

         FromAndTo: yourdomain.com /etc/MailScanner/filename.allowzip.rules.conf
         FromOrTo: default /etc/MailScanner/filename.rules.conf

Finally, in /etc/MailScanner.conf, put this

         Filename Rules = /etc/MailScanner/rules/filenameconf.rules

and then restart or reload MailScanner.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 9 20:11:14 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
In-Reply-To: <4027C56F.2010103@solid-state-logic.com>
References: <1076347941@otherbbs.com> <4027C56F.2010103@solid-state-logic.com>
Message-ID: <6.0.1.1.2.20040209201007.02cffec0@imap.ecs.soton.ac.uk>

At 17:37 09/02/2004, you wrote:
>Travis Taylor wrote:
>>>Travis,
>>>
>>>We have the same situation here. Right now, I am trying to retrieve
>>>the Symantec quarantined documents, and will be sending them to Sophos.
>>>
>>>I would suggest sending them yours, also.
>>>
>>>Dustin
>>>--
>>>Dustin Baer
>>>Unix Administrator/Postmaster
>>>Information Handling Services
>>>15 Inverness Way East
>>>Englewood, CO 80112
>>>303-397-2836
>>
>>
>>I'm in the process of sending it to sophos now, Dustin.
>>
>>On a side note, I decided to send the quarantined message as an
>>attachment to myself and MailScanner/Sophos caught it. Though when I
>>pasted the infected bounced message in the body of a message and sent
>>it to myself it slipped through without being detected. I'm wondering
>>if this has something to do with how the message is encoded (mime,
>>uuencode, etc).
>>
>
>This is a known issue with MailScanner and specifically one of the Perl
>modules it uses.
>
> From memory Julian asked for anyone with such an email to forward it
>direct to him (not the list) so he can investigate the problem.
>
>I hope Julian doesn't shoot me getting people to send him viruses.
>
>You might want to email him before hand to warn him an example is on the
>way!

We have seen some cases where Sophos with MailScanner failed to spot a
MyDoom. But F-Prot on the same system (running as a secondary scanner)
spotted the virus just fine. So somehow Sophos is missing it when F-Prot is
finding it.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 9 20:03:25 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: Svar: Re: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040209200227.03c2dc50@imap.ecs.soton.ac.uk>

You can use the "--nodeps" command-line option with "./install.sh" to get
around this. I'm going to get time to install a SuSE 9 box soon (hopefully
later this week, but the day job is busy right now) and will get all the
SuSE 9 niggles sorted out.

At 14:38 09/02/2004, you wrote:
>Hi
>
>I am trying to install mailscanner 4.26.8-1 on suse 9.0 and I get some
>"Failed build dependencies"
>
>Attempting to build and install perl-MIME-tools-5.411-pl4.2
>Installing perl-MIME-tools-5.411-pl4.2.src.rpm
>error: Failed build dependencies:
> perl >= 0:5.00503 is needed by perl-MIME-tools-5.411-pl4.2
>
>My perl version is: 5.8.1
>
>Where do I put:
>BuildRequires: perl >= 0:5.5.3 or 0:5.8.1
>
>/Jan Elmqvist Nielsen
>
>
> >>> Heinz.Knutzen@DATAPORT.DE 30-01-2004 17:34:03 >>>
>It doesn't help to install perl-Net-CIDR manually,
>because the package doesn't build at all:
>"ERROR: EMPTY FILE LIST"
>
>On a system with SuSE 8.0 perl-Net-CIDR builds nicely.
>I compared the output of rpmbuild at both systems and found
>the underlying problem.
>
>When calling rpmbuild with SuSE 9.0 this results in paths
>where BuildRoot occurs twice:
>Installing
>/var/tmp/perl-Net-CIDR-root/var/tmp/perl-Net-CIDR-root/usr/share/man/man3/Net::CIDR.3pm
>
>perl-Net-CIDR.spec defines BuildRoot as
>%{_tmppath}/%{name}-%{version}-%{release}-root
>
>The first occurrence comes from
> perl Makefile.PL PREFIX=$RPM_BUILD_ROOT%{_prefix}
>
>It appears twice, because SuSE defines its own version
>of the rpm macro %makeinstall in /usr/lib/rpm/suse_macros:
>%makeinstall make DESTDIR=%{buildroot} install
>
>The problem didn't occur with SuSE 8.0,
>because it uses an older version of ExtUtils::MakeMaker,
>where the resulting Makefile is ignoring its parameter
>"DESTDIR" and hence (accidentally) successfully creates the package.
>
>A possible solution would be to call "make install" directly
>instead of "%makeinstall" in perl-Net-CIDR.spec.
>
>This would solve the problem for SuSE.
>It shouldn't hurt for other rpm based distributions,
>because the standard definition of %makeinstall effectively calls
>"make install" with many parameters defining prefixes and directories.
>But these are useless, because PREFIX is already set
>when processing Makefile.PL.
>
>
>I still need --nodeps to build this package.
>If I change "BuildRequires" to
>BuildRequires: perl >= 0:5.5.3
>it works fine for SuSE 8.0 and 9.0 without using --nodeps.
>
>Best regards
>
>Heinz Knutzen
>
>Dataport
>Altenholzer Str 10-14, 24161 Altenholz, Germany
>http://www.dataport.de/
>mailto:Heinz.Knutzen@dataport.de
>Tel: +49.431.3295.6581 Fax: +49.431.3295.410
>
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: Friday, 30 January 2004 10:14
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails
>
>Try just installing the Net-CIDR module with something like
>rpm -Uvh --nodeps perl-Net-CIDR*
>and then run ./install.sh.
>
>At 16:53 29/01/2004, you wrote:
> >For SuSE 9.0 with MailScanner-4.26.6-1.suse.tar.gz I get:
> >./install.sh
> >...
> >Attempting to build and install perl-Net-CIDR-0.08-2
> >Installiere perl-Net-CIDR-0.08-2.src.rpm
> >Fehler: Failed build dependencies:
> > perl >= 0:5.00503 is needed by perl-Net-CIDR-0.08-2
> >
> >My perl is:
> ># rpm -q perl
> >perl-5.8.1-46
> ># perl -v
> >This is perl, v5.8.1 built for i586-linux-thread-multi
> >(with 1 registered patch, see perl -V for more detail)
> >
> >I get this message for some perl packages, but not for all of them.
> >Using "./install.sh nodeps" doesn't help, it gives the same error.
> >
> >Using "rpmbuild --rebuild --nodeps perl-Net-CIDR-0.08-2.src.rpm"
> >does help a bit, but aborts with:
> >"ERROR: EMPTY FILE LIST"
> >
> >This doesn't seem to be a new problem, it occurs with
> >MailScanner-4.25-14.suse.tar.gz as well.
> >
> >
> >Best regards
> >
> >-- Heinz
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> >Behalf Of Julian Field
> >Sent: Thursday, 29 January 2004 16:25
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: ANNOUNCE: Beta 4.26.6 released
> >
> >Hi folks,
> >
> >I have just posted 4.26.6 on the website for you all. Download from
> >www.mailscanner.info as usual.
> >
> >This is intended as a final testing release before 4.26 goes stable, which
> >will hopefully be this weekend. If you could test it out and let me know of
> >any problems as soon as possible, I will get them fixed.
> >
> >Thanks folks!
> >
> >Changes this time are:
> >
> >* New Features and Improvements *
> >- Improved configuration engine so that rules can now contain 2 tests
> >  separated by "and".
> >- Added "notify" Spam Action and High Scoring Spam Action. This will cause a
> >  short text notification message to be sent to the recipients of the spam
> >  message. The filename of the report is set with the "Recipient Spam Report"
> >  configuration setting.
> >  There is also an MCP equivalent of this
> >  functionality. See the MCP documentation for details of the settings.
> >- Removed the "bounce" spam action.
> >- Added regular rebuild of Bayes database. Has 2 options associated with it
> >  which I haven't included in the conf file yet.
> >- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to
> >  configure the operation of the regular Bayes database rebuilds.
> >- Added commented "bayes_auto_expire 0" line to spam.assassin.prefs.conf as
> >  you will want to uncomment this line if you are using the regular scheduled
> >  Bayes database expiry feature given above.
> >- Added "Minimum Stars If On Spam List" setting so that people who just filter
> >  on the "Spam Stars" can catch messages which only trigger the "Spam List"
> >  trap.
> >- Added "Log Non Spam" option to allow logging of all non-spam, which can be
> >  coerced into logging SpamAssassin scores of non-spam mail.
> >- Added support for Norman virus scanner (www.norman.de).
> >- Added logging of ids of dropped silent viruses.
> >- Added "Too Many Attachments" error report in a message instead of old
> >  report saying it could not analyse the message.
> >- No longer stops or restarts after RPM upgrade.
> >- Added MCP patches for SpamAssassin 2.61 and 2.63.
> >- Added 'SpamAssassin Site Rules Dir' setting to locate
> >  /etc/mail/spamassassin.
> >- Spanish translations of languages.conf updated from Debian translators.
> >- Added Catalan translation of all report files.
> >- Added bogusmx list to supplied spam.lists.conf.
> >- Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf.
> >- Changed the version number scheme from major.minor-teeny to
> >  major.minor.teeny.
> >- Forced owner to be root.root in both RPM spec files, so can be re-built by
> >  non-root users.
> >- Added my Amazon.co.uk "wish list" to the donations page.
> >- Detailed spam report now includes auto-learn status if it was auto-learnt.
> >
> >* Fixes *
> >- Fixed creation of MCP quarantine directory bug.
> >- Fix to Postfix message duplication problems. Must find "end of message"
> >  record now.
> >- Fix to duplicate recipient listing in postmaster notices.
> >- Fixed bug so filename/filetype rules configuration setting can be blank.
> >- Exim per-message log files are deleted correctly now.
> >- Fixed recipient duplication problems in sender messages and other reports.
> >- Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's
> >  own checks find multiple problems with 1 attachment.
> >- Fixed bug where _SCORE_ in subject line modifications is never more than 60.
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support
> >
> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dustin.baer at IHS.COM Mon Feb 9 20:58:53 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:23 2006
Subject: \. in filename.rules.conf
Message-ID: <4027F48D.D06CF176@ihs.com>

I see the following in filename.rules.conf:

deny pretty\s+park\.exe$
deny happy99.exe$
deny webpage\.rar$

Is the \ required before . ?

Also, I wanted to block any "doc.zip" attachments that come through, so added the following line:

deny doc.zip$ - -

This also blocks dp_doc.zip, or anything else that has .....doc.zip. The following appears to work properly, but just want to make sure:

deny ^doc.zip$ - -

Again, is a \. needed, rather than just the . ?

Thanks,

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

--
This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Thank you.

From hywel at BURRIS.ORG.UK Mon Feb 9 20:29:38 2004
From: hywel at BURRIS.ORG.UK (Hywel Burris)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
In-Reply-To: <6.0.1.1.2.20040209201007.02cffec0@imap.ecs.soton.ac.uk>
Message-ID: <200402092029.i19KTcKT014669@mail.burris.org.uk>

[snip]
>>
>>This is a known issue with MailScanner and specifically one of the Perl
>>modules it uses.
>>
>> From memory Julian asked for anyone with such an email to forward it
>>direct to him (not the list) so he can investigate the problem.
>>
>>I hope Julian doesn't shoot me getting people to send him viruses.
>>
>>You might want to email him before hand to warn him an example is on the
>>way!

>We have seen some cases where Sophos with MailScanner failed to spot a
>MyDoom. But F-Prot on the same system (running as a secondary scanner)
>spotted the virus just fine. So somehow Sophos is missing it when F-Prot is
>finding it.

I have seen this today with Clam and McAfee missing one and F-Prot getting it. I have also noticed this before with clam missing some and Mcafee and F-Prot catching them.

Hywel

From mailscanner at ecs.soton.ac.uk Mon Feb 9 21:11:23 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: \. in filename.rules.conf
In-Reply-To: <4027F48D.D06CF176@ihs.com>
References: <4027F48D.D06CF176@ihs.com>
Message-ID: <6.0.3.0.2.20040209210901.037e1508@imap.ecs.soton.ac.uk>

At 20:58 09/02/2004, you wrote:
>I see the following in filename.rules.conf:
>
>deny pretty\s+park\.exe$
>deny happy99.exe$
>deny webpage\.rar$
>
>Is the \ required before . ?

Yes, otherwise it wouldn't be there. They are regular expressions. "." means any character. "\." means the literal character "."

>Also, I wanted to block any "doc.zip" attachments that come through, so
>added the following line:
>
>deny doc.zip$ - -
>
>This also blocks dp_doc.zip, or anything else that has .....doc.zip.
>The following appears to work properly, but just want to make sure:
>
>deny ^doc.zip$ - -
>
>Again, is a \. needed, rather than just the . ?

That will match filenames which are exactly "doc.zip" as ^ means the start of the filename and $ means the end of the filename. Suggest you read up a bit on regular expressions. "man perlre" will get you started. What I suspect you mean is to block any filename ending in ".doc.zip" which is

deny \.doc\.zip$ - -

>Thanks,
>
>Dustin
>--
>Dustin Baer
>Unix Administrator/Postmaster
>Information Handling Services
>15 Inverness Way East
>Englewood, CO 80112
>303-397-2836
>
>--
>This email message is for the sole use of the intended recipient(s) and
>may contain confidential and privileged information. Any unauthorized
>review, use, disclosure or distribution is prohibited. If you are not
>the intended recipient, please contact the sender by reply email and
>destroy all copies of the original message. Thank you.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mkettler at EVI-INC.COM Mon Feb 9 21:24:37 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:23 2006
Subject: \. in filename.rules.conf
In-Reply-To: <4027F48D.D06CF176@ihs.com>
References: <4027F48D.D06CF176@ihs.com>
Message-ID: <6.0.0.22.0.20040209162316.025c15d0@xanadu.evi-inc.com>

At 03:58 PM 2/9/2004, Dustin Baer wrote:
>deny webpage\.rar$
>
>Is the \ required before . ?

Yes, because in regular expressions, a . by itself is a single-character wildcard. (like ? in the dos filename world)

ie doc.zip will match:

doc2zip
doc_zip
docszip
doc.zip

etc..

From dustin.baer at IHS.COM Mon Feb 9 21:22:08 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:23 2006
Subject: \. in filename.rules.conf
References: <4027F48D.D06CF176@ihs.com> <6.0.3.0.2.20040209210901.037e1508@imap.ecs.soton.ac.uk>
Message-ID: <4027FA00.3B0F9575@ihs.com>

Julian Field wrote:
>
> At 20:58 09/02/2004, you wrote:
> >I see the following in filename.rules.conf:
> >
> >deny pretty\s+park\.exe$
> >deny happy99.exe$
> >deny webpage\.rar$
> >
> >Is the \ required before . ?
>
> Yes, otherwise it wouldn't be there. They are regular expressions. "."
> means any character. "\." means the literal character "."

So, since it isn't there, I will assume it is not a typo when you have "happy99.exe$" in filename.rules.conf, rather than "happy99\.exe$"? :-)

> >deny ^doc.zip$ - -
> >
>
> That will match filenames which are exactly "doc.zip" as ^ means the start
> of the filename and $ means the end of the filename.

I know, but...

> Suggest you read up a
> bit on regular expressions. "man perlre" will get you started.

I felt pretty comfortable with regular expressions, but not seeing the \ in "happy99.exe$" made me think twice and thought you might be doing something else.

> What I
> suspect you mean is to block any filename ending in ".doc.zip" which is
> deny \.doc\.zip$ - -

Nope, just wanted "doc.zip" to be blocked...along with message.zip, document.zip, data.zip, text.zip, file.zip and test.zip, since these sometimes get past MailScanner/Sophos.

Thanks for the answer!

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From mailscanner at ecs.soton.ac.uk Mon Feb 9 21:37:15 2004
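The wildcard dot and the ^ / $ anchors discussed in the messages above, as an added example that is not part of any list post or of MailScanner itself. Python's re module stands in for the Perl regular expressions the rules file uses (the constructs shown behave the same in both); the attachment names are constructed and the helper names are hypothetical. It goes one step beyond the thread by building a single anchored pattern for the exact names listed in the post above.

```python
import re

# Pattern fields quoted in the thread (second field of a filename.rules.conf line).
THREAD_PATTERNS = [
    r"pretty\s+park\.exe$",
    r"happy99.exe$",
    r"webpage\.rar$",
    r"doc.zip$",
    r"^doc.zip$",
    r"\.doc\.zip$",
]

# Exact attachment names the poster wanted blocked.
EXACT_NAMES = ["doc.zip", "message.zip", "document.zip", "data.zip",
               "text.zip", "file.zip", "test.zip"]

# Constructed attachment names used to exercise the patterns.
SAMPLE_NAMES = ["doc.zip", "dp_doc.zip", "doc2zip", "report.doc.zip",
                "mydoc.zip", "happy99.exe", "happy99_exe", "document.zip"]


def unescaped_dots(pattern):
    """Offsets of '.' acting as a wildcard (not backslash-escaped, not inside [...]).

    Simplified scanner: it does not handle ']' as the first member of a class.
    """
    offsets, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2          # skip the backslash and the character it escapes
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            offsets.append(i)
        i += 1
    return offsets


def escape_dots(pattern):
    """Rewrite every wildcard '.' as a literal '\\.'; leave the rest untouched."""
    out, last = [], 0
    for off in unescaped_dots(pattern):
        out.append(pattern[last:off] + "\\.")
        last = off + 1
    out.append(pattern[last:])
    return "".join(out)


def matched(pattern, names=SAMPLE_NAMES):
    """Names the pattern hits with an unanchored search, as the thread describes."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def exact_names_rule(names):
    """One anchored pattern that matches only the given filenames, dots escaped."""
    return "^(" + "|".join(re.escape(n) for n in names) + ")$"


def audit(patterns=THREAD_PATTERNS):
    """Per pattern: wildcard dot offsets, escaped form, names caught only by accident."""
    report = {}
    for p in patterns:
        fixed = escape_dots(p)
        literal_hits = matched(fixed)
        report[p] = {
            "wildcard_dots": unescaped_dots(p),
            "escaped": fixed,
            "accidental": [n for n in matched(p) if n not in literal_hits],
        }
    return report


if __name__ == "__main__":
    for pattern, info in audit().items():
        print(f"{pattern:24} hits={matched(pattern)}")
        if info["wildcard_dots"]:
            print(f"{'':24} unescaped '.' -> use {info['escaped']} "
                  f"(accidental hits: {info['accidental']})")
    rule = exact_names_rule(EXACT_NAMES)
    print(f"exact-name rule: {rule} hits={matched(rule)}")
```

The "accidental" column is the practical risk of the unescaped dot: names such as the constructed "doc2zip" are denied although no rule author intended it.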
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: \. in filename.rules.conf
In-Reply-To: <4027FA00.3B0F9575@ihs.com>
References: <4027F48D.D06CF176@ihs.com> <6.0.3.0.2.20040209210901.037e1508@imap.ecs.soton.ac.uk> <4027FA00.3B0F9575@ihs.com>
Message-ID: <6.0.3.0.2.20040209213612.03828200@imap.ecs.soton.ac.uk>

At 21:22 09/02/2004, you wrote:
>Julian Field wrote:
> >
> > At 20:58 09/02/2004, you wrote:
> > >I see the following in filename.rules.conf:
> > >
> > >deny pretty\s+park\.exe$
> > >deny happy99.exe$
> > >deny webpage\.rar$
> > >
> > >Is the \ required before . ?
> >
> > Yes, otherwise it wouldn't be there. They are regular expressions. "."
> > means any character. "\." means the literal character "."
>
>So, since it isn't there, I will assume it is not a typo when you have
>"happy99.exe$" in filename.rules.conf, rather than "happy99\.exe$"? :-)
>
> > >deny ^doc.zip$ - -
> > >
> >
> > That will match filenames which are exactly "doc.zip" as ^ means the start
> > of the filename and $ means the end of the filename.
>
>I know, but...
>
> > Suggest you read up a
> > bit on regular expressions. "man perlre" will get you started.
>
>I felt pretty comfortable with regular expressions, but not seeing the \
>in "happy99.exe$" made me think twice and thought you might be doing
>something else.

Yes, a typo.

> > What I
> > suspect you mean is to block any filename ending in ".doc.zip" which is
> > deny \.doc\.zip$ - -
>
>Nope, just wanted "doc.zip" to be blocked...along with message.zip,
>document.zip, data.zip, text.zip, file.zip and test.zip, since these
>sometimes get past MailScanner/Sophos.

Then I think there's an allow line for *.zip. Change the allow to deny and put in some explanatory text in the last 2 fields of the line.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jclark at SKIDMORE.EDU Mon Feb 9 21:38:15 2004
From: jclark at SKIDMORE.EDU (Jeffrey A. Clark)
Date: Thu Jan 12 21:22:23 2006
Subject: Special Characters in stored.XXXXXX.message.txt
Message-ID:

We are running sendmail Version 8.11.7+Sun on a Solaris 8 V880, MailScanner-4.25-14. and perl, v5.6.1 built for sun4-solaris.

I am trying to include an e-mail address in the body of the stored.virus.message.txt and stored.filename.message.txt. When I include the '@' symbol in the text line, the whole line does not print. I have tried escaping the @ with the \ but it doesn't send the errant line.

examples tried:

Please forward this message to the helpdesk (helpdesk@skidmore.edu) for recovery of your attachment.

and

Please forward this message to the helpdesk (helpdesk\@skidmore.edu) for recovery of your attachment.

The only way I was able to have the line print was to use:

Please forward this message to the helpdesk (helpdesk skidmore.edu) for recovery of your attachment.

leaving a blank where the @ symbol should be.

I know, a stupid question, but any help would be appreciated.

Jeff
--
Jeffrey A. Clark
Associate Director, CITS
Director, Enterprise Systems
Skidmore College
815 North Broadway
Saratoga Springs, NY 12866-1632

From sysadmins at ENHTECH.COM Mon Feb 9 21:58:40 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:23 2006
Subject: 200,000 downloads of MailScanner
In-Reply-To: <40243187.9070008@pixelmagicfx.com>
References: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk> <40243187.9070008@pixelmagicfx.com>
Message-ID: <6.0.2.0.0.20040209165739.0261d490@mail.enhtech.com>

At 07:29 PM 2/6/2004, you wrote:
>Julian Field wrote:
>
>>
>>Many thanks to all of you for helping to spread the word and make my little
>>bit of code possibly the most widely-used combined email virus scanner and
>>spam detector in the world.
>
>Many thanks? I think that's OUR line! :)
>
>Impressive.
>
>
>Vic
>Pixel Magic

I second that. Julian, thank you. It always amazes me how the Open Source community puts out this great software. You just got to love it. Thanks a million.

Errol Neal

From walkera-mailscanner at OFB.NET Mon Feb 9 21:28:59 2004
From: walkera-mailscanner at OFB.NET (Walker Aumann)
Date: Thu Jan 12 21:22:23 2006
Subject: Spam Lists To Reach High Score?
Message-ID: <8021.1076362139@ofb.net>

Hello,

I noticed something odd with a batch of messages coming through and apparently being misclassified. The relevant portions of my MailScanner.conf file are included followed by the mail logs. By my reading of things, this should not have been marked as spam (although it is close). Did I list these things in the wrong place (SpamList instead of SpamDomainList)? Does SpamAssassin count as a list?

Spam List = ORDB-RBL spamhaus.org spamcop.net NJABL SORBS-DNSBL RFC-IGNORANT-BOGUSMX
Spam Domain List =
Spam Lists To Reach High Score = 2

Feb 9 04:04:25 gw-sea sendmail[19313]: i19C4N9E019313: from=, size=102178, class=0, nrcpts=1, msgid=<3.0.32.20040209065640.00e270d8@mail73006.popserver.pop.net>, proto=ESMTP, daemon=MTA, relay=mr4.ash.ops.us.uu.net [198.5.241.89]
Feb 9 04:04:25 gw-sea sendmail[19313]: i19C4N9E019313: to=, delay=00:00:01, mailer=esmtp, pri=30855, stat=queued
Feb 9 04:04:25 gw-sea MailScanner[18326]: New Batch: Scanning 1 messages, 102700 bytes
Feb 9 04:04:25 gw-sea MailScanner[18326]: Saved archive copies of i19C4N9E019313
Feb 9 04:04:25 gw-sea MailScanner[18326]: Spam Checks: Starting
Feb 9 04:04:26 gw-sea MailScanner[18326]: RBL checks: i19C4N9E019313 found in SORBS-DNSBL
Feb 9 04:04:27 gw-sea MailScanner[18326]: Message i19C4N9E019313 from 198.5.241.89 (isigrp@isigrp.com) to fiduciary-asset.com is spam, SORBS-DNSBL, SpamAssassin (score=4.637, required 5, BAYES_00 -0.00, MIME_MISSING_BOUNDARY 1.84, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_SMTP 2.70)
Feb 9 04:04:27 gw-sea MailScanner[18326]: Spam Checks: Found 1 spam messages
Feb 9 04:04:27 gw-sea MailScanner[18326]: Spam Actions: message i19C4N9E019313 actions are deliver
Feb 9 04:04:27 gw-sea MailScanner[18326]: Virus and Content Scanning: Starting
Feb 9 04:04:33 gw-sea MailScanner[18326]: Uninfected: Delivered 1 messages

From mailscanner at ecs.soton.ac.uk Mon Feb 9 22:17:35 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: Spam Lists To Reach High Score?
In-Reply-To: <8021.1076362139@ofb.net>
References: <8021.1076362139@ofb.net>
Message-ID: <6.0.3.0.2.20040209221714.03aa5e30@imap.ecs.soton.ac.uk>

The message was found in SORBS-DNSBL and is therefore marked as spam. What's the problem?

At 21:28 09/02/2004, you wrote:
>Hello,
>
>I noticed something odd with a batch of messages coming through and
>apparently being misclassified. The relevant portions of my
>MailScanner.conf file are included followed by the mail logs. By my
>reading of things, this should not have been marked as spam (although it
>is close). Did I list these things in the wrong place (SpamList instead
>of SpamDomainList)? Does SpamAssassin count as a list?
>
>Spam List = ORDB-RBL spamhaus.org spamcop.net NJABL SORBS-DNSBL
>RFC-IGNORANT-BOGUSMX
>Spam Domain List =
>Spam Lists To Reach High Score = 2
>
>Feb 9 04:04:25 gw-sea sendmail[19313]: i19C4N9E019313:
>from=, size=102178, class=0, nrcpts=1,
>msgid=<3.0.32.20040209065640.00e270d8@mail73006.popserver.pop.net>,
>proto=ESMTP, daemon=MTA, relay=mr4.ash.ops.us.uu.net [198.5.241.89]
>Feb 9 04:04:25 gw-sea sendmail[19313]: i19C4N9E019313:
>to=, delay=00:00:01, mailer=esmtp,
>pri=30855, stat=queued
>Feb 9 04:04:25 gw-sea MailScanner[18326]: New Batch: Scanning 1 messages,
>102700 bytes
>Feb 9 04:04:25 gw-sea MailScanner[18326]: Saved archive copies of
>i19C4N9E019313
>Feb 9 04:04:25 gw-sea MailScanner[18326]: Spam Checks: Starting
>Feb 9 04:04:26 gw-sea MailScanner[18326]: RBL checks: i19C4N9E019313
>found in SORBS-DNSBL
>Feb 9 04:04:27 gw-sea MailScanner[18326]: Message i19C4N9E019313 from
>198.5.241.89 (isigrp@isigrp.com) to fiduciary-asset.com is spam,
>SORBS-DNSBL, SpamAssassin (score=4.637, required 5, BAYES_00 -0.00,
>MIME_MISSING_BOUNDARY 1.84, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_SMTP 2.70)
>Feb 9 04:04:27 gw-sea MailScanner[18326]: Spam Checks: Found 1 spam messages
>Feb 9 04:04:27 gw-sea MailScanner[18326]: Spam Actions: message
>i19C4N9E019313 actions are deliver
>Feb 9 04:04:27 gw-sea MailScanner[18326]: Virus and Content Scanning:
>Starting
>Feb 9 04:04:33 gw-sea MailScanner[18326]: Uninfected: Delivered 1 messages

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From walkera-mailscanner at OFB.NET Mon Feb 9 23:29:43 2004
From: walkera-mailscanner at OFB.NET (Walker Aumann)
Date: Thu Jan 12 21:22:23 2006
Subject: Spam Lists To Reach High Score?
In-Reply-To: Your message of "Mon, 09 Feb 2004 22:17:35 GMT." <6.0.3.0.2.20040209221714.03aa5e30@imap.ecs.soton.ac.uk>
Message-ID: <25391.1076369383@ofb.net>

Julian Field wrote:
> The message was found in SORBS-DNSBL and is therefore marked as spam.
> What's the problem?

> >Spam Lists To Reach High Score = 2

My impression was that, because of this entry, it needed to be found in two lists, not just one. This is probably a misunderstanding on my part, so being on one list marks the message as spam while two lists marks the message as high scoring spam for people who have a different action for high scoring spam.

What I was hoping for was a way to have three tiers of spam lists. The most trusted ones are configured into sendmail, so the connection is dropped immediately and MailScanner never sees it. For the second level, which I was trying to do here, mail is blocked only if it is found in multiple lists (to allow administrators to give some weight to what they might consider to be overly aggressive blacklists). Finally, if a message makes it past those checks, SpamAssassin will still assign points to the message based on what lists it was found in.

From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 10 00:09:33 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:23 2006 Subject: f-secure version 4.52 Message-ID: <08146035CA49D6119A36009027AC822A0264EDE9@CITY-EXCH-NTS> >-----Original Message----- >Please apply this patch to >/usr/lib/MailScanner/MailScanner/SweepViruses.pm >It comes down to a 1 character change to the code :-) > >------SNIP------- >--- SweepViruses.pm.old 2003-12-01 16:26:26.000000000 +0000 >+++ SweepViruses.pm 2004-02-07 11:37:34.000000000 +0000 >@@ -1585,7 +1585,10 @@ > $fsecure_InHeader++; > return 0; > } >- $fsecure_InHeader == 0 or return 0; >+ # This test is more vague than it used to be, but is more >tolerant to >+ # output changes such as extra headers. Scanning >non-scanning data is >+ # not a great idea but causes no harm. >+ $fsecure_InHeader >= 0 or return 0; > > $report = $line; > $logout = $line; >------SNIP------- Just to cover my bases: anybody running 4.52 should apply this? And to apply it I copied the stuff between the snips to SweepViruses.pm.old and should now do: patch SweepViruses.pm SweepViruses.pm.old from within /usr/lib/MailScanner/MailScanner/ Thanks... ...Kevin From c.bates at COMNET.CO.NZ Tue Feb 10 00:38:01 2004 From: c.bates at COMNET.CO.NZ (Craig Bates) Date: Thu Jan 12 21:22:23 2006 Subject: per domain / user Rules Message-ID: <402827E9.7000605@comnet.co.nz> Hi, When using the per domain and per user black and white lists, which takes preference? Say I have a file called foo.bar in the per domain blacklist directory and in that file I have *@chickclick.com. Then I have a file called bob@foo.com in the whitelist directory that says *@chickclick.com. Which ones takes preference? Is the rule behaviour explained somewhere? It would be nice if there was a faciltity where Mailscanner could dump out all its rules and if you could pass an email address to mailscanner and it would print out which rules match it and what the results are. Thanks Craig From kcchang at HKUSUA.HKU.HK Tue Feb 10 01:23:29 2004 
From: kcchang at HKUSUA.HKU.HK (Chang Kai Cheong)
Date: Thu Jan 12 21:22:23 2006
Subject: mailscanner (Solaris 2.6) Could not open file
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AE9B@pascal.priv.bmrb.co.uk>
Message-ID:

On Mon, 9 Feb 2004, Spicer, Kevin wrote:
>
> It's probably been tipped over the edge by the MyDoom virus. IIRC these limits
> apply to processes and their children, so...
>
> 5 mailscanner processes * 100 message batches * 2 queue files per message = 1000 files
> Then we've got the output header files (another 500 files), then any attachments/ bodies
> being scanned (say 2 parts per message maybe another 1000). And that's before Spamassassin,
> file command etc.etc. Okay I admit that maybe all of these aren't open at the same time -
> but you can see how quickly they can be used up when the server is busy.
>
> The very fact that taking the messages out of the queue clears the problem suggests it is a
> symptom of the number of files involved.
>

Actually, I suspected it was file descriptor problem and hence I lowered the number of child from 10 to 5, max. message per scan from 100 to 80 and increase the file descriptors as my first step.

However, I was confused by why MailScanner cannot restart successfully. The first (and subsequent) child process would get the "Cannot create + lock headers file" at restart of MailScanner. I don't think the file descriptors would be used up immediately upon the restart of MailScanner (no message files should have been opened yet).

I will try further up the number of file descriptor to observe whether the problem was still observed.

Thanks,

KC Chang

From pete at eatathome.com.au Tue Feb 10 03:37:41 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:23 2006
Subject: A Good Test Email
Message-ID: <40285205.4050701@eatathome.com.au>

I was wondering if anyone has a favorite test email to trigger the bigevil and backhair rule sets - something that is specifically bad content for tripping these rules, rather than having poor originating sources etc... If so could you post the body and subject to the list?

Specifically I want to see the bigevil and backhair rules working.

ta
Pete

From mailscanner at ecs.soton.ac.uk Tue Feb 10 09:48:33 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: per domain / user Rules
In-Reply-To: <402827E9.7000605@comnet.co.nz>
References: <402827E9.7000605@comnet.co.nz>
Message-ID: <6.0.3.0.2.20040210094752.03e156d0@imap.ecs.soton.ac.uk>

I seem to remember that whitelisting overrides blacklisting.

At 00:38 10/02/2004, you wrote:
>Hi,
>
>When using the per domain and per user black and white lists, which
>takes preference?
>
>Say I have a file called foo.bar in the per domain blacklist directory
>and in that file I have *@chickclick.com. Then I have a file called
>bob@foo.com in the whitelist directory that says *@chickclick.com.
>Which ones takes preference?
>
>Is the rule behaviour explained somewhere?
>
>It would be nice if there was a facility where Mailscanner could dump
>out all its rules and if you could pass an email address to mailscanner
>and it would print out which rules match it and what the results are.

Nice idea. One of these sunny days....

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 09:47:42 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:23 2006 Subject: f-secure version 4.52 In-Reply-To: <08146035CA49D6119A36009027AC822A0264EDE9@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264EDE9@CITY-EXCH-NTS> Message-ID: <6.0.3.0.2.20040210094651.03cbc670@imap.ecs.soton.ac.uk> At 00:09 10/02/2004, you wrote: > >-----Original Message----- > >Please apply this patch to > >/usr/lib/MailScanner/MailScanner/SweepViruses.pm > >It comes down to a 1 character change to the code :-) > > > >------SNIP------- > >--- SweepViruses.pm.old 2003-12-01 16:26:26.000000000 +0000 > >+++ SweepViruses.pm 2004-02-07 11:37:34.000000000 +0000 > >@@ -1585,7 +1585,10 @@ > > $fsecure_InHeader++; > > return 0; > > } > >- $fsecure_InHeader == 0 or return 0; > >+ # This test is more vague than it used to be, but is more > >tolerant to > >+ # output changes such as extra headers. Scanning > >non-scanning data is > >+ # not a great idea but causes no harm. > >+ $fsecure_InHeader >= 0 or return 0; > > > > $report = $line; > > $logout = $line; > >------SNIP------- > > >Just to cover my bases: anybody running 4.52 should apply this? > >And to apply it I copied the stuff between the snips to SweepViruses.pm.old >and should now do: No. Save the bit between the snips to a file (let's call it SV.patch for now). cd /usr/lib/MailScanner/MailScanner patch < SV.patch If that doesn't work, try patch -p0 < SV.patch instead. > patch SweepViruses.pm SweepViruses.pm.old > >from within /usr/lib/MailScanner/MailScanner/ > >Thanks... > >...Kevin -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 10 09:46:24 2004 
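Review bot: The relaxed guard `$fsecure_InHeader >= 0 or return 0;` in the @@ -1585,7 +1585,10 @@ hunk lets every line through once the counter is non-negative, so any extra header or banner line the scanner prints after that point falls into `$report = $line;` and `$logout = $line;` as if it were a scan result. The added comment asserts that this "causes no harm", but nothing visible in the hunk shows how the code below treats a line that is not an infection report; the comment should name the output change that prompted the relaxation (the thread ties it to F-Secure 4.52) and say which check further down discards non-report lines, or the hunk should add one. Since the counter is incremented just above, a one-line note on the values `$fsecure_InHeader` can take would also make it possible to verify that `>=` rather than `==` is the intended comparison.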
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: Spam Lists To Reach High Score?
In-Reply-To: <25391.1076369383@ofb.net>
References: <25391.1076369383@ofb.net>
Message-ID: <6.0.3.0.2.20040210094424.03e1fc68@imap.ecs.soton.ac.uk>

At 23:29 09/02/2004, you wrote:
>Julian Field wrote:
> > The message was found in SORBS-DNSBL and is therefore marked as spam.
> > What's the problem?
>
> > >Spam Lists To Reach High Score = 2
>
>My impression was that, because of this entry, it needed to be found
>in two lists, not just one.

It needs to be on 2 lists to "reach high score". If on 1 list, it will still be treated as spam, but as normal spam (as opposed to high-scoring spam).

> This is probably a misunderstanding on my
>part, so being on one list marks the message as spam while two lists
>marks the message as high scoring spam for people who have a different
>action for high scoring spam.

Correct.

>What I was hoping for was a way to have three tiers of spam lists.
>The most trusted ones are configured into sendmail, so the connection
>is dropped immediately and MailScanner never sees it. For the second
>level, which I was trying to do here, mail is blocked only if it is
>found in multiple lists (to allow administrators to give some weight
>to what they might consider to be overly aggressive blacklists).
>Finally, if a message makes it past those checks, SpamAssassin will
>still assign points to the message based on what lists it was found
>in.

If you need more than 2 tiers, then you will have to implement something of your own using "Custom Functions". Long ago, I came to the conclusion (after much discussion on this list) that 2 tiers was enough for 99.9% of people, and the other 0.1% would always want more tiers than I implemented.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From DERMODYR at ITCARLOW.IE Tue Feb 10 10:04:30 2004
From: DERMODYR at ITCARLOW.IE (Ray Dermody)
Date: Thu Jan 12 21:22:24 2006
Subject: Spamassassin problems in mailscanner.conf file
Message-ID: <4028ACAD.11317.39DF73D@localhost>

Hi Guys,
I have successfully installed mailscanner and it's working great (picking up viruses, tagging, quarantining etc etc). I just have 1 problem that's been doing my head in. It's when I change the "Use SpamAssassin = yes" on the mailscanner.conf file. When I do this all my emails remain stuck in the mqueue.in file and go no further. Once I set this option back to no and restart mailscanner everything works great again.

Here's what I did to install Spamassassin 2.63.
1 ) I downloaded spamassassin-2.63-1.i386.rpm
2) rpm -U spamassassin-2.63.1.i386.rpm
But then this message appears
warning: spamassassin-2.63-1.i386.rpm: V3 DSA signature: NOKEY, key ID e580b363

A rpm -q spam* gives
package spamassassin-2.63-1.i386.rpm is not installed

Any ideas people or would I be better using the tar bundle?

Thanks in advance,

From raymond at PROLOCATION.NET Tue Feb 10 10:16:41 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:24 2006
Subject: Spamassassin problems in mailscanner.conf file
In-Reply-To: <4028ACAD.11317.39DF73D@localhost>
Message-ID:

Hi!

> 2) rpm -U spamassassin-2.63.1.i386.rpm
> But then this message appears
> warning: spamassassin-2.63-1.i386.rpm: V3 DSA signature: NOKEY, key ID e580b363
>
> A rpm -q spam* gives
> package spamassassin-2.63-1.i386.rpm is not installed
>
> Any ideas people or would I be better using the tar bundle?

Yes, this is pointed out several times, please have a look on the mailinglist archives.

Bye,
Raymond.

From martinh at SOLID-STATE-LOGIC.COM Tue Feb 10 10:24:38 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:24 2006
Subject: Spamassassin problems in mailscanner.conf file
In-Reply-To: <4028ACAD.11317.39DF73D@localhost>
References: <4028ACAD.11317.39DF73D@localhost>
Message-ID: <4028B166.9060401@solid-state-logic.com>

Ray Dermody wrote:
> Hi Guys,
> I have successfully installed mailscanner and it's working great (picking up viruses,
> tagging, quarantining etc etc). I just have 1 problem that's been doing my head in. It's
> when I change the "Use SpamAssassin = yes" on the mailscanner.conf file. When I do
> this all my emails remain stuck in the mqueue.in file and go no further. Once I set this
> option back to no and restart mailscanner everything works great again.
> Here's what I did to install Spamassassin 2.63.
> 1 ) I downloaded spamassassin-2.63-1.i386.rpm
> 2) rpm -U spamassassin-2.63.1.i386.rpm
> But then this message appears
> warning: spamassassin-2.63-1.i386.rpm: V3 DSA signature: NOKEY, key ID e580b363
>
> A rpm -q spam* gives
> package spamassassin-2.63-1.i386.rpm is not installed
>
> Any ideas people or would I be better using the tar bundle?
>
> Thanks in advance,

Ray

Install from CPAN, much better and will do the dependencies for you.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From DERMODYR at ITCARLOW.IE Tue Feb 10 10:38:10 2004
From: DERMODYR at ITCARLOW.IE (Ray Dermody)
Date: Thu Jan 12 21:22:24 2006
Subject: Spamassassin problems in mailscanner.conf file
In-Reply-To: <4028ACAD.11317.39DF73D@localhost>
Message-ID: <4028B491.14069.3BCC980@localhost>

Argh....
Thanks for the replies guys. Using CPAN now but I get this now

Writing Makefile for Mail::SpamAssassin
Makefile written by ExtUtils::MakeMaker 6.05
Makefile:94: *** missing separator. Stop.
/usr/bin/make -- NOT OK
Running make test
Can't test without successful make
Running make install
make had returned bad status, install seems impossible

Looks like there's a prob with this, according to bugzilla anyway
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=87682

No recommended resolution there though.

On 10 Feb 2004 at 10:04, Ray Dermody wrote:

> Hi Guys,
> I have successfully installed mailscanner and it's working great (picking up viruses,
> tagging, quarantining etc etc). I just have 1 problem that's been doing my head in. It's
> when I change the "Use SpamAssassin = yes" on the mailscanner.conf file. When I do
> this all my emails remain stuck in the mqueue.in file and go no further. Once I set this
> option back to no and restart mailscanner everything works great again.
> Here's what I did to install Spamassassin 2.63.
> 1 ) I downloaded spamassassin-2.63-1.i386.rpm
> 2) rpm -U spamassassin-2.63.1.i386.rpm
> But then this message appears
> warning: spamassassin-2.63-1.i386.rpm: V3 DSA signature: NOKEY, key ID e580b363
>
> A rpm -q spam* gives
> package spamassassin-2.63-1.i386.rpm is not installed
>
> Any ideas people or would I be better using the tar bundle?
>
> Thanks in advance,

From martinh at SOLID-STATE-LOGIC.COM Tue Feb 10 10:42:11 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:24 2006
Subject: Sophos missed MyDoom-A bounced msg
In-Reply-To: <6.0.1.1.2.20040209201007.02cffec0@imap.ecs.soton.ac.uk>
References: <1076347941@otherbbs.com> <4027C56F.2010103@solid-state-logic.com> <6.0.1.1.2.20040209201007.02cffec0@imap.ecs.soton.ac.uk>
Message-ID: <4028B583.1090709@solid-state-logic.com>

Julian Field wrote:
> At 17:37 09/02/2004, you wrote:
>
>> Travis Taylor wrote:
>>
>>>> Travis,
>>>>
>>>> We have the same situation here. Right now, I am trying to retrieve
>>>> the Symantec quarantined documents, and will be sending them to Sophos.
>>>>
>>>> I would suggest sending them yours, also.
>>>>
>>>> Dustin
>>>> --
>>>> Dustin Baer
>>>> Unix Administrator/Postmaster
>>>> Information Handling Services
>>>> 15 Inverness Way East
>>>> Englewood, CO 80112
>>>> 303-397-2836
>>>
>>>
>>>
>>> I'm in the process of sending it to sophos now, Dustin.
>>>
>>> On a side note, I decided to send the quarantined message as an
>>> attachment to myself and MailScanner/Sophos caught it. Though when I
>>> pasted the infected bounced message in the body of a message and sent
>>> it to myself it slipped through without being detected. I'm wondering
>>> if this has something to do with how the message is encoded (mime,
>>> uuencode, etc).
>>>
>>
>> This is a known issue with MailScanner and specifically one of the Perl
>> modules it uses.
>>
>> From memory Julian asked for anyone with such an email to forward it
>> direct to him (not the list) so he can investigate the problem.
>>
>> I hope Julian doesn't shoot me getting people to send him viruses.
>>
>> You might want to email him before hand to warn him an example is on the
>> way!
>
>
> We have seen some cases where Sophos with MailScanner failed to spot a
> MyDoom. But F-Prot on the same system (running as a secondary scanner)
> spotted the virus just fine. So somehow Sophos is missing it when F-Prot is
> finding it.
Julian I've seen, very early in the outbreak, ClamAV (NOT using the module version) and SophosSavi both miss one. No reports other than that single item.. Anyway I'm upgrading to 3.78d as I type so we'll see I guess.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From raymond at PROLOCATION.NET Tue Feb 10 10:52:08 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:24 2006 Subject: Spamassassin problems in mailscanner.conf file In-Reply-To: <4028B491.14069.3BCC980@localhost> Message-ID: Hi! > Thanks for the replies guys. Using CPAN now but I get this now > > Writing Makefile for Mail::SpamAssassin > Makefile written by ExtUtils::MakeMaker 6.05 > Makefile:94: *** missing separator. Stop. > /usr/bin/make -- NOT OK > Running make test What about installing a compiler? It cant find that. Bye, Raymond. From martinh at SOLID-STATE-LOGIC.COM Tue Feb 10 11:09:21 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:24 2006
Subject: Spamassassin problems in mailscanner.conf file
In-Reply-To: <4028B491.14069.3BCC980@localhost>
References: <4028B491.14069.3BCC980@localhost>
Message-ID: <4028BBE1.6010003@solid-state-logic.com>

Ray Dermody wrote:
> Argh....
> Thanks for the replies guys. Using CPAN now but I get this now
>
> Writing Makefile for Mail::SpamAssassin
> Makefile written by ExtUtils::MakeMaker 6.05
> Makefile:94: *** missing separator. Stop.
> /usr/bin/make -- NOT OK
> Running make test
> Can't test without successful make
> Running make install
> make had returned bad status, install seems impossible
>
>
> Looks like there's a prob with this, according to bugzilla anyway
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=87682
>
> No recommended resolution there though.
>

Ray

from the comments on the bug....

OK, works with LANG=en_US, but not with LANG unset.

try setting the LANG environment variable..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From DERMODYR at ITCARLOW.IE Tue Feb 10 11:20:07 2004
From: DERMODYR at ITCARLOW.IE (Ray Dermody) Date: Thu Jan 12 21:22:24 2006 Subject: Spamassassin problems in mailscanner.conf file In-Reply-To: <4028B491.14069.3BCC980@localhost> References: <4028ACAD.11317.39DF73D@localhost> Message-ID: <4028BE66.22902.3E33243@localhost> Thats it guys. Got there, changed the $LANG and reran CPAN. Restarted mailscanner and changed "Use SpamAssassin" to yes and we are all good to go. Thanks for your help guys ;-) On 10 Feb 2004 at 10:38, Ray Dermody wrote: > Argh.... > Thanks for the replies guys. Using CPAN now but I get this now > > Writing Makefile for Mail::SpamAssassin > Makefile written by ExtUtils::MakeMaker 6.05 > Makefile:94: *** missing separator. Stop. > /usr/bin/make -- NOT OK > Running make test > Can't test without successful make > Running make install > make had returned bad status, install seems impossible > > > Looks like theres a prob with this, according to bugzilla anyway > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=87682 > > No recommended resolution there though. > > > On 10 Feb 2004 at 10:04, Ray Dermody wrote: > > > Hi Guys, > > I have succesfully installed mailscanner and its working great (picking up viruses, > > tagging, quarantining etc etc). I just have 1 problem that's being doing my head in. Its > > when I change the "Use SpamAssassin = yes" on the mailscanner.conf file. When I do > > this all my emails remain stuck in te mqueue.in file and go no further. Once I set this > > option back to no and restart mailscanner everything works great again. > > Heres what I did to install Spamassassin 2.63. > > 1 ) I downloaded spamassassin-2.63-1.i386.rpm > > 2) rpm -U spamassassin-2.63.1.i386.rpm > > But then this message appears > > warning: spamassassin-2.63-1.i386.rpm: V3 DSA signature: NOKEY, key ID e580b363 > > > > A rpm -q spam* gives > > package spamassassin-2.63-1.i386.rpm is not installed > > > > Any ideas people or would I be better using the tar bundle? 
> > > > Thanks in advance, From taz at AZTEK-ENG.COM Tue Feb 10 13:38:20 2004 From: taz at AZTEK-ENG.COM (Travis) Date: Thu Jan 12 21:22:24 2006 Subject: Sophos missed MyDoom-A bounced msg References: <1076347941@otherbbs.com> <4027C56F.2010103@solid-state-logic.com> <6.0.1.1.2.20040209201007.02cffec0@imap.ecs.soton.ac.uk> <4028B583.1090709@solid-state-logic.com> Message-ID: <001701c3efdb$28a40520$e90200bf@tazpc> Will do. Maybe, I should just change to F-prot since it seems to be the better one. ----- Original Message ----- 
From: "Martin Hepworth" To: Sent: Tuesday, February 10, 2004 3:42 AM Subject: Re: Sophos missed MyDoom-A bounced msg > Julian Field wrote: > > At 17:37 09/02/2004, you wrote: > > > >> Travis Taylor wrote: > >> > >>>> Travis, > >>>> > >>>> We have the same situation here. Right now, I am trying to retreive > >>>> the Symantec quarantined documents, and will be sending them to Sophos. > >>>> > >>>> I would suggest sending them yours, also. > >>>> > >>>> Dustin > >>>> -- > >>>> Dustin Baer > >>>> Unix Administrator/Postmaster > >>>> Information Handling Services > >>>> 15 Inverness Way East > >>>> Englewood, CO 80112 > >>>> 303-397-2836 > >>> > >>> > >>> > >>> I'm in the process of sending it to sophos now, Dustin. > >>> > >>> On a side note, I decided to sent the quarantined message as an > >>> attachment to myself and MailScanner/Sophos caught it. Though when I > >>> pasted the infected bounced message in the body of a message and sent > >>> it to myself it slipped through without being detected. I'm wondering > >>> if this has something to do with how the message is encoded (mime, > >>> uuencode, etc). > >>> > >> > >> This is a known issue with MailScanner and specifically one of the Perl > >> modules it uses. > >> > >> From memory Julian asked for anyone with such an email to forward it > >> direct to him (not the list) so he can investigate the problem. > >> > >> I hope Julian doesn't shoot me getting people to send him viruses. > >> > >> You might want to email him before hand to warn him an example is on the > >> way! > > > > > > We have seen some cases where Sophos with MailScanner failed to spot a > > MyDoom. But F-Prot on the same system (running as a secondary scanner) > > spotted the virus just fine. So somehow Sophos is missing it when F-Prot is > > finding it. > > Julian > > I've seen, very early in the outbreak, ClamAV (NOT using the module > version) and SophosSavi both miss one. > > No reports other than that single item.. 
> > Anyway I'm upgrading to 3.78d as I type so we'll see I guess.. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** From m.sapsed at BANGOR.AC.UK Tue Feb 10 13:38:59 2004 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:22:24 2006 Subject: Sophos missed MyDoom-A bounced msg References: <1076347941@otherbbs.com> Message-ID: <4028DEF3.7080703@bangor.ac.uk> 20020401@duh.net wrote: > On a side note, I decided to sent the quarantined message as an > attachment to myself and MailScanner/Sophos caught it. Though when I > pasted the infected bounced message in the body of a message and sent > it to myself it slipped through without being detected. I'm wondering > if this has something to do with how the message is encoded (mime, > uuencode, etc). Someone's already mentioned 3.78d although a MailScanner user in Germany has contacted me after my message about 3.78d the other day to say that he's got a problem with Sophos and some MyDooms and 3.78d didn't fix it. As an aside, looking at the message Travis pasted in, would the payload actually be identified as an attachment by any reasonable mail program? I realise that we ought to find everything but if the code isn't readily useable then how much does it matter that it got through? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From taz at AZTEK-ENG.COM Tue Feb 10 13:54:08 2004 
From: taz at AZTEK-ENG.COM (Travis)
Date: Thu Jan 12 21:22:24 2006
Subject: mailscanner (Solaris 2.6) Could not open file
References:
Message-ID: <002401c3efdd$5e045920$e90200bf@tazpc>

We had a problem with this, but the log said too many files open. Come to
find out that when Solaris 2.6
is installed by default it can only handle a maximum of 64 descriptors by 1
process at a time. I added the following to /etc/system and rebooted the
machine and the problem cleared up:

set rlim_fd_cur = 1024
set rlim_fd_max = 1024

This sets both the hard and soft limits. I find this just by doing a search
on the web on google for:
I know this is set high, but us it didn't break anything and was recommended
by one of the Sun Managers list.

----- Original Message -----
From: "Chang Kai Cheong"
To:
Sent: Monday, February 09, 2004 6:23 PM
Subject: Re: mailscanner (Solaris 2.6) Could not open file

> On Mon, 9 Feb 2004, Spicer, Kevin wrote:
>
> >
> > It's probably been tipped over the edge by the MyDoom virus. IIRC these limits
> > apply to processes and their children, so...
> >
> > 5 mailscanner processes * 100 message batches * 2 queue files per message = 1000 files
> > Then we've got the output header files (another 500 files), then any attachments/ bodies
> > being scanned (say 2 parts per message maybe another 1000). And that's before Spamassassin,
> > file command etc.etc. Okay I admit that maybe all of these aren't open at the same time -
> > but you can see how quickly they can be used up when the server is busy.
> >
> > The very fact that taking the messages out of the queue clears the problem suggests it is a
> > symptom of the number of files involved.
> >
>
> Actually, I suspected it was file descriptor problem and hence I lowered
> the number of child from 10 to 5, max. message per scan from 100 to 80 and
> increase the file descriptors as my first step.
>
> However, I was confused by why MailScanner cannot restart successfully.
> The first (and subsequent) child process would get the "Cannot create +
> lock headers file" at restart of MailScanner. I don't think the file
> descriptors would be used up immediately upon the restart of MailScanner
> (no message files should have been opened yet).
>
> I will try further up the number of file descriptor to observe whether the
> problem was still observed.
>
> Thanks,
> KC Chang

From Kevin.Spicer at BMRB.CO.UK Tue Feb 10 13:55:59 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:24 2006
Subject: Sophos missed MyDoom-A bounced msg
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A5B@pascal.priv.bmrb.co.uk>

Martin Sapsed wrote:
> 20020401@duh.net wrote:
> As an aside, looking at the message Travis pasted in, would the
> payload actually be identified as an attachment by any reasonable
> mail program? I realise that we ought to find everything but if the
> code isn't readily useable then how much does it matter that it got
> through?
>

This issue is also receiving attention on the clam list.. I think it's important (reputation wise) to detect everything we can - because some scanners do match it (Symantec has a signature for the encoded file for example), this makes it look like MailScanner/Clam/Sophos missed it (which they did, even though it doesn't really matter). Also just because we can't unpack it doesn't mean that there isn't a more tolerant MUA out there that can.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From taz at AZTEK-ENG.COM Tue Feb 10 14:04:15 2004
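The case discussed in this thread, a bounce that carries the original message as pasted text instead of as a MIME attachment, can be flagged by looking for encoded blocks inside text parts. This is an added example, not MailScanner, Sophos or ClamAV code; the function names, the three-line base64 threshold and the sample message (inert constructed bytes) are assumptions made for illustration.

```python
import base64
import binascii
import email
import re
from email import policy

UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S.*)$")
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_B64_LINES = 3        # assumption: shorter runs are treated as noise
EXE_MAGIC = b"MZ"        # first two bytes of a DOS/Windows executable


def uu_blocks(lines):
    """Return [(name, data)] for each 'begin MODE NAME' block found in lines."""
    found, i = [], 0
    while i < len(lines):
        match = UU_BEGIN.match(lines[i])
        i += 1
        if not match:
            continue
        data = bytearray()
        while i < len(lines) and lines[i].strip() not in ("end", ""):
            try:
                data += binascii.a2b_uu(lines[i])
            except (binascii.Error, ValueError):
                break                    # malformed line: keep what decoded
            i += 1
        if data:
            found.append((match.group(1).strip(), bytes(data)))
    return found


def base64_runs(lines):
    """Return decoded bytes for each run of >= MIN_B64_LINES base64 lines."""
    found, run = [], []
    for line in lines + [""]:            # sentinel flushes the final run
        text = line.strip()
        if len(text) >= 4 and len(text) % 4 == 0 and B64_LINE.match(text):
            run.append(text)
            continue
        if len(run) >= MIN_B64_LINES:
            try:
                found.append(base64.b64decode("".join(run), validate=True))
            except binascii.Error:
                pass                     # looked like base64 but was not
        run = []
    return found


def scan_message(raw):
    """List (encoding, name, size, looks_executable) for payloads in text parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                     # declared attachments are scanned elsewhere
        body = part.get_payload(decode=True) or b""
        lines = body.decode("latin-1").splitlines()
        for name, data in uu_blocks(lines):
            findings.append(("uuencode", name, len(data), data[:2] == EXE_MAGIC))
        for data in base64_runs(lines):
            findings.append(("base64", None, len(data), data[:2] == EXE_MAGIC))
    return findings


def build_sample():
    """Constructed bounce whose text body contains the same payload twice."""
    payload = EXE_MAGIC + bytes(range(200))      # inert bytes, not malware
    uu = b"".join(binascii.b2a_uu(payload[i:i + 45], backtick=True)
                  for i in range(0, len(payload), 45)).decode("ascii")
    b64 = base64.encodebytes(payload).decode("ascii")
    headers = ("From: MAILER-DAEMON@mx.example\n"
               "To: user@client.example\n"
               "Subject: Returned mail\n"
               "Content-Type: text/plain; charset=us-ascii\n\n")
    body = ("The following message could not be delivered:\n\n"
            "begin 644 sample.bin\n" + uu + "end\n\n"
            'Content-Type: application/octet-stream; name="sample.bin"\n'
            "Content-Transfer-Encoding: base64\n\n" + b64)
    return (headers + body).encode("ascii")


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A finding here only means that a text part carries decodable binary content; the decoded bytes still have to be handed to the virus scanner for a verdict.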
From: taz at AZTEK-ENG.COM (Travis)
Date: Thu Jan 12 21:22:24 2006
Subject: sendmail error after trying to start mailscanner
References: <000001c3ec18$b6ff22d0$e90200bf@tazpc> <1076007629.22416.16.camel@bach.kevinspicer.co.uk>
Message-ID: <00a101c3efde$c7c26590$e90200bf@tazpc>

That fixed that problem. Sorry, I didn't respond quicker I have been working on other issues and only have two days a week to work on this now.

----- Original Message -----
From: "Kevin Spicer"
To:
Sent: Thursday, February 05, 2004 12:00 PM
Subject: Re: sendmail error after trying to start mailscanner

> On Thu, 2004-02-05 at 18:48, Travis Zadikem wrote:
> > Quick question on a Mandrake 9.1 install. I have downloaded the rpm of
> > MailScanner 4.26.8-1 and after stopping sendmail and starting
> > Mailscanner I was getting an error about the Module CIDR.pm. So, I
> > installed that module. Now when I try to start MailScanner I get the
> > following error (with sendmail stopped): incoming sendmail: sendmail:
> >
> > invalid option -- O
> > sendmail: fatal: usage: sendmail [options]
> >
> > where can I fix this problem at.
> >
>
> Absurd as it sounds I think your problem is that you actually have
> postfix installed, not sendmail! The error message above is in the
> format postfix uses for reporting errors, sendmail looks different
>
> Mandrake uses Debian's 'alternatives' system, which means that sendmail
> is a symlink to /etc/alternatives/mta - which in turn is a symlink to
> whichever mta you have installed.
>
> so either configure mailscanner/postfix to work together or, if you have
> already installed sendmail use the update-alternatives command to change
> the configuration.
> If sendmail isn't installed...
>
> rpm -e postfix
> rpm -i sendmail
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.
From martinh at SOLID-STATE-LOGIC.COM Tue Feb 10 14:27:28 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:24 2006
Subject: mailscanner (Solaris 2.6) Could not open file
In-Reply-To: <002401c3efdd$5e045920$e90200bf@tazpc>
References: <002401c3efdd$5e045920$e90200bf@tazpc>
Message-ID: <4028EA50.6020403@solid-state-logic.com>

Travis wrote:
> We had a problem with this, but the log said too many files open. Come to
> find out that when Solaris 2.6
> is installed by default it can only handle a maximum of 64 descriptors by 1
> process at a time. I added the following to /etc/system and rebooted the
> machine and the problem cleared up:
> set rlim_fd_cur = 1024
> set rlim_fd_max = 1024
> This sets both the hard and soft limits. I find this just by doing a search
> on the web on google for:
> I know this is set high, but us it didn't break anything and was recommended
> by one of the Sun Managers list.
>

Wouldn't say it's high. Solaris 7 and later sets this by default to be amount of ram in MB up to 4096. I've seen quite a few systems well over that.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 10 14:58:10 2004
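The descriptor arithmetic in this thread can be turned into a check that sizes the batch against the per-process limit and watches running scanner children before they hit it. This is an added example, not part of MailScanner: the per-message file counts are taken from Kevin Spicer's estimate, while RESERVED, the 0.8 warning ratio and the availability of /proc/<pid>/fd are assumptions.

```python
import os
import resource

# Per-message file counts from Kevin Spicer's estimate quoted in the thread.
QUEUE_FILES = 2      # "2 queue files per message"
HEADER_FILES = 1     # one output header file per message
BODY_PARTS = 2       # "say 2 parts per message"
PER_MESSAGE = QUEUE_FILES + HEADER_FILES + BODY_PARTS
RESERVED = 16        # assumption: stdio, syslog, sockets, loaded modules


def batch_budget(batch_size, soft_limit):
    """Worst case for ONE scanner child: every file of its batch open at once."""
    need = batch_size * PER_MESSAGE + RESERVED
    return {
        "need": need,
        "fits": need <= soft_limit,
        # Largest batch that still fits under the limit with RESERVED kept free.
        "max_batch": max(0, (soft_limit - RESERVED) // PER_MESSAGE),
    }


def current_soft_limit():
    """Soft RLIMIT_NOFILE of this process; child processes inherit the value."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    return None if soft == resource.RLIM_INFINITY else soft


def open_fds(pid):
    """Descriptors a process holds right now, or None if /proc is unavailable."""
    try:
        return len(os.listdir(f"/proc/{pid}/fd"))
    except OSError:
        return None


def headroom_report(pids, soft_limit, warn_ratio=0.8):
    """Return [(pid, used, limit, status)] so a periodic job can alert early."""
    rows = []
    for pid in pids:
        used = open_fds(pid)
        if used is None:
            status = "unknown"
        elif used >= soft_limit * warn_ratio:
            status = "near-limit"
        else:
            status = "ok"
        rows.append((pid, used, soft_limit, status))
    return rows


if __name__ == "__main__":
    # The limits and batch sizes mentioned in the thread: 64 (Solaris 2.6
    # default), 1024 (Travis's setting), batches of 100 and 80 messages.
    for limit, batch in ((64, 100), (1024, 100), (1024, 80)):
        print(limit, batch, batch_budget(batch, limit))
    # Assumption: the monitored processes share this process's soft limit.
    print(headroom_report([os.getpid()], current_soft_limit() or 1024))
```

The worst case is deliberately pessimistic, since, as Kevin notes, not all of these files are necessarily open at the same time.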
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:24 2006
Subject: Can't run unzip
Message-ID:

Hi guys,

never noticed this before:

2004-02-10T15:51:31+0100 dns mail.warning MailScanner MailScanner[26580]: ERROR: Can\'t run unzip
2004-02-10T15:51:31+0100 dns mail.warning MailScanner MailScanner[26580]: ERROR: Can\'t execute some unpacker. Check paths and permissions on the temporary directory.

Any hints? Unzip is installed and works on the box.

Regards,
JP

From Kevin.Spicer at BMRB.CO.UK Tue Feb 10 15:07:59 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:24 2006
Subject: Can't run unzip
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk>

Jan-Peter Koopmann wrote:
> Hi guys,
>
> never noticed this before:
>
> 2004-02-10T15:51:31+0100 dns mail.warning MailScanner
> MailScanner[26580]: ERROR: Can\'t run unzip
> 2004-02-10T15:51:31+0100 dns mail.warning MailScanner
> MailScanner[26580]: ERROR: Can\'t execute some unpacker. Check paths
> and permissions on the temporary directory.
>
>
> Any hints? Unzip is installed and works on the box.
>

If you're using an MTA that drops privilege, so MailScanner is running as a user other than root, it's possible your environment may set a temp directory in /root/tmp. You need to unset this variable (TMPDIR?) in the MailScanner init script.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From sysadmins at ENHTECH.COM Tue Feb 10 15:48:10 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb. co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk>
Message-ID: <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com>

Hi-

I don't know if this question has been asked before. If it has, please
forgive me.
Is there a way to include the original headers in a virus or spam warning
report?
If so, how do I do that.

Regards,

Errol Neal.

From dustin.baer at IHS.COM Tue Feb 10 15:58:29 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com>
Message-ID: <4028FFA5.9290C3BB@ihs.com>

Admin Team wrote:
>
> Hi-
>
> I don't know if this question has been asked before. If it has, please
> forgive me.
> Is there a way to include the original headers in a virus or spam warning
> report?
> If so, how do I do that.

The report to postmaster: Notices Include Full Headers = yes

The report to the recipient is the original email with the report added,
so a person should just need to expand the headers in the email.

Dustin

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Feb 10 16:00:46 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com>
Message-ID: <006401c3efef$0b3aa200$0501a8c0@darkside>

>I don't know if this question has been asked before. If it has, please
>forgive me.
>Is there a way to include the original headers in a virus or
>spam warning
>report?
>If so, how do I do that.

Set:

Notices Include Full Headers = yes

in your Mailscanner.conf

HTH,

--J(K)

From sysadmins at ENHTECH.COM Tue Feb 10 16:06:00 2004
From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:24 2006 Subject: Including original headers in reports In-Reply-To: <4028FFA5.9290C3BB@ihs.com> References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> Message-ID: <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> Well im not talking about to the postmaster. I'm talking about including them in the messages sent to senders of virii and spam Errol Neal At 10:58 AM 2/10/2004, you wrote: >Admin Team wrote: > > > > Hi- > > > > I don't know if this question has been asked before. If it has, please > > forgive me. > > Is there a way to include the original headers in a virus or spam warning > > report? > > If so, how do I do that. > >The report to postmaster: Notices Include Full Headers = yes > >The report to the recipient is the original email with the report added, >so a person should just need to expand the headers in the email. > >Dustin From newslists at PESSIMISTS.NET Tue Feb 10 16:16:03 2004 
From: newslists at PESSIMISTS.NET (Andy Sutton) Date: Thu Jan 12 21:22:24 2006 Subject: Including original headers in reports In-Reply-To: <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> Message-ID: <1076429763.3954.61.camel@andy.pessimists.net> On Tue, 2004-02-10 at 11:06, Admin Team wrote: > Well im not talking about to the postmaster. I'm talking about including > them in the messages sent to senders of virii and spam Since most modern virii and spam fake their addresses, why send out notices at all? It's sort of pointless, and I personally get tired of virus infection messages from people who received an email supposedly from me but with a forged TO: Andy "I figure if I survive this thing... I can just about do anything I want. If I don't survive, I don't have to pay taxes anymore. So it's a win-win situation." Brian Walker, Project RUSH - X Prize Competitor From dustin.baer at IHS.COM Tue Feb 10 16:11:35 2004 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:24 2006 Subject: Including original headers in reports References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> Message-ID: <402902B7.92FBA790@ihs.com> Admin Team wrote: > > Well im not talking about to the postmaster. I'm talking about including > them in the messages sent to senders of virii and spam > > Errol Neal Errol, Okay...I don't believe there is a way to do that. If you continue to send notices to the "senders" of viruses, please make sure you have an updated list of silent viruses, since current viruses are well known to spoof sender addresses. If you send notices to "senders" of spam, please create a ruleset and add *@ihs.com as an address who shouldn't be notified, since it is most likely a spoofed sender address. Thanks, Dustin From sysadmins at ENHTECH.COM Tue Feb 10 16:31:24 2004 
From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:24 2006 Subject: Including original headers in reports In-Reply-To: <1076429763.3954.61.camel@andy.pessimists.net> References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> Message-ID: <6.0.2.0.0.20040210112114.02639290@mail.enhtech.com> At 11:16 AM 2/10/2004, you wrote: >Since most modern virii and spam fake their addresses, why send out >notices at all? It's sort of pointless, and I personally get tired of >virus infection messages from people who received an email supposedly >from me but with a forged TO: Well we think it would be irresponsible of us not to notify. As a matter of fact, it is a pain for us to do so and we only do so because of our client base. We would love not to have to do this. If one of our clients were expecting an urgent, time sensitive email and that email was did not make through the MailScanner for some reason, we feel it is our obligation to notify the sender. Otherwise you have the situation where they believe the message was delivered and leave town, go out of the country, go on vacation or whatever, but our client is left hanging. The notification is critical in this regard because it allows us to quickly alert someone in case of an obvious mistake. Now one would argue the obvious that we are responding to far more spoofed messages than we are valid one and I would agree. But at this point and time, there is no other alternative for my company than do this. Regards Errol Neal From sysadmins at ENHTECH.COM Tue Feb 10 16:32:33 2004 
From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:24 2006 Subject: Including original headers in reports In-Reply-To: <402902B7.92FBA790@ihs.com> References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <402902B7.92FBA790@ihs.com> Message-ID: <6.0.2.0.0.20040210113209.02641dd8@mail.enhtech.com> At 11:11 AM 2/10/2004, you wrote: >Errol, > >Okay...I don't believe there is a way to do that. > >If you continue to send notices to the "senders" of viruses, please make >sure you have an updated list of silent viruses, since current viruses >are well known to spoof sender addresses. > >If you send notices to "senders" of spam, please create a ruleset and >add *@ihs.com as an address who shouldn't be notified, since it is most >likely a spoofed sender address. > >Thanks, > >Dustin Will do and thanks. Errol Neal From prandal at HEREFORDSHIRE.GOV.UK Tue Feb 10 16:39:32 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:24 2006 Subject: Including original headers in reports Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C502@jessica.herefordshire.gov.uk> Telephones work wonders in situations like this. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Admin Team > Sent: 10 February 2004 16:31 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Including original headers in reports > > > At 11:16 AM 2/10/2004, you wrote: > >Since most modern virii and spam fake their addresses, why send out > >notices at all? It's sort of pointless, and I personally > get tired of > >virus infection messages from people who received an email supposedly > >from me but with a forged TO: > > > Well we think it would be irresponsible of us not to notify. > As a matter of > fact, it is a pain for us to do so and we only do so > because of our client base. We would love not to have to do > this. If one of > our clients were expecting an urgent, time sensitive email > and that email > was did not make through the MailScanner for some reason, we > feel it is > our obligation to notify the sender. Otherwise you have the > situation where > they believe the message was delivered and leave town, go out of the > country, go on vacation or whatever, but our client is left > hanging. The > notification is critical in this regard because it allows us > to quickly > alert someone in case of an obvious mistake. > Now one would argue the obvious that we are responding to far > more spoofed > messages than we are valid one and I would agree. But at this > point and > time, there is no other alternative for my company than do this. > > Regards > > Errol Neal > From craig at WESTPRESS.COM Tue Feb 10 16:39:48 2004 
From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:24 2006 Subject: restart after spam.assassin.prefs.con edits? In-Reply-To: <1076429763.3954.61.camel@andy.pessimists.net> References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> Message-ID: Does MailScanner need to be restarted after edits to this file. For that matter, are there any files which can be edited that do not require MailScanner to be restarted? -- --- Craig Daters (craig@westpress.com) Graphic Designer / Systems Administrator West Press Printing & Copying 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com --- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From sysadmins at ENHTECH.COM Tue Feb 10 16:42:45 2004 From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:24 2006 Subject: Including original headers in reports In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C502@jessica.herefords hire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C502@jessica.herefordshire.gov.uk> Message-ID: <6.0.2.0.0.20040210114159.026449d8@mail.enhtech.com> At 11:39 AM 2/10/2004, you wrote: >Telephones work wonders in situations like this. > >Phil In what situation? Errol Neal From prandal at HEREFORDSHIRE.GOV.UK Tue Feb 10 16:45:39 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:24 2006 Subject: Including original headers in reports Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C503@jessica.herefordshire.gov.uk> ring ring - we haven't got that email you said you'd send us. OK, I'll fax it, etc... Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Admin Team > Sent: 10 February 2004 16:43 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Including original headers in reports > > > At 11:39 AM 2/10/2004, you wrote: > >Telephones work wonders in situations like this. > > > >Phil > > > In what situation? > > > > Errol Neal > From ugob at CAMO-ROUTE.COM Tue Feb 10 16:43:37 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:24 2006
Subject: restart after spam.assassin.prefs.con edits?
In-Reply-To:
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net>
Message-ID: <40290A39.6030801@camo-route.com>

Craig Daters wrote:

> Does MailScanner need to be restarted after edits to this file? For
> that matter, are there any files which can be edited that do not
> require MailScanner to be restarted?

I cannot tell exactly, but you can usually just reload it instead of restarting it.

Ugo

> --
> ---
>
> Craig Daters (craig@westpress.com)
> Graphic Designer / Systems Administrator
> West Press Printing & Copying
> 1663 West Grant Road
> Tucson, Arizona 85745-1433
>
> Tel: 520-624-4939
> Fax: 520-624-2715
>
> www.westpress.com
>
> ---
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> MailScanner thanks transtec Computers for their support.

From mailscanner at ecs.soton.ac.uk Tue Feb 10 13:43:24 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: Thankyou for the CD
Message-ID: <6.0.3.0.2.20040210134227.07f99208@imap.ecs.soton.ac.uk>

To whoever sent me the Peter Gabriel CD from my wish list at www.amazon.co.uk, many thanks! It is much appreciated.

It's great getting pressies :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 17:06:52 2004
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:22:24 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200402101706.i1AH6qsb021119@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Anise Betts
Very nice! Come visit

From sysadmins at ENHTECH.COM Tue Feb 10 16:55:06 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C503@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C503@jessica.herefordshire.gov.uk>
Message-ID: <6.0.2.0.0.20040210114824.0263f9a0@mail.enhtech.com>

At 11:45 AM 2/10/2004, you wrote:
>ring ring - we haven't got that email you said you'd send us. OK, I'll fax
>it, etc...
>
>Phil

What if it is not convenient for it to be faxed? Such as a 100 page contract or other information like that? So do we inconvenience customers and clients? I don't think that should be our philosophy and it most certainly is not the approach that my company takes. We deploy MailScanner as a value-added service for our clients. It adds more value to the other services we are able to provide. It removes the inconveniences of having to deal with virii and spam at the desktop. What you are suggesting adds another inconvenience.

Errol Neal

From craig at WESTPRESS.COM Tue Feb 10 17:09:45 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:24 2006
Subject: restart after spam.assassin.prefs.con edits?
In-Reply-To: <40290A39.6030801@camo-route.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> <40290A39.6030801@camo-route.com>
Message-ID:

>I cannot tell exactly, but you can usually just reload it instead of
>restarting it.

Okay, forgive me if this is a stupid question, but how do I reload MailScanner?

I have been usually restarting it by 'service MailScanner restart' would I reload it instead by 'service MailScanner reload'?

--
---

Craig Daters (craig@westpress.com)
Graphic Designer / Systems Administrator
West Press Printing & Copying
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com

---

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From martinh at SOLID-STATE-LOGIC.COM Tue Feb 10 17:12:00 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C503@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C503@jessica.herefordshire.gov.uk>
Message-ID: <402910E0.2070605@solid-state-logic.com>

Randal, Phil wrote:
> ring ring - we haven't got that email you said you'd send us. OK, I'll fax
> it, etc...
>
> Phil
>

Exactly what I have to tell the 'users' around here every so often. There is *no* guarantee of delivery with email, if it's that important use return receipts or phone the person to confirm they got it.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From james at DENY.ORG Tue Feb 10 16:51:27 2004
From: james at DENY.ORG (James Sizemore)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
Message-ID: <40290C0F.6080306@deny.org>

For those of us that feel strongly that email should be a reliable transport medium. That believe that every email server should have secondary mx records. That believe strongly that any message that does not get delivered should send a bounce notice to the original sender. That no properly configured mail server should ever delete mail without some kind of notice to either the recipient or sender! For those of us that do spam filtering for brokers or certain types of lawyers that must BY LAW archive every message they get or bounce it. Who also don't want those same brokers wading through hundreds of spam messages a day, just to do their job.

Has anyone made a third party patch to add back bounce as an option for Spam Actions? If not and you have interest in such a thing let me know.

For those of you that feel email is not a reliable transport medium, that think it is ok for mail servers to just delete email on arbitrary criteria, this is not a prelude to a debate. I don't care what your opinion is, we have a different philosophy about what email is. So don't expect a reply from me because you don't like my point of view. This email is to others that want to bounce messages instead of deleting them, whose users expect email to get through or at least tell someone if it does not. We know there are a few people that get a ton of bogus bounces. That this is unfortunate but less severe than mom not getting those pictures of the new baby. I personally wade through 3000 bounce messages a day. It is not that hard to filter them into another folder. So get over it.

From mailscanner at ecs.soton.ac.uk Tue Feb 10 16:54:22 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <6.0.2.0.0.20040210112114.02639290@mail.enhtech.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> <6.0.2.0.0.20040210112114.02639290@mail.enhtech.com>
Message-ID: <6.0.1.1.2.20040210165026.03cab488@imap.ecs.soton.ac.uk>

At 16:31 10/02/2004, you wrote:
>At 11:16 AM 2/10/2004, you wrote:
>>Since most modern virii and spam fake their addresses, why send out
>>notices at all? It's sort of pointless, and I personally get tired of
>>virus infection messages from people who received an email supposedly
>>from me but with a forged TO:
>
>
>Well we think it would be irresponsible of us not to notify. As a matter of
>fact, it is a pain for us to do so and we only do so
>because of our client base. We would love not to have to do this. If one of
>our clients were expecting an urgent, time sensitive email and that email
>did not make it through the MailScanner for some reason, we feel it is
>our obligation to notify the sender. Otherwise you have the situation where
>they believe the message was delivered and leave town, go out of the
>country, go on vacation or whatever, but our client is left hanging. The
>notification is critical in this regard because it allows us to quickly
>alert someone in case of an obvious mistake.
>Now one would argue the obvious that we are responding to far more spoofed
>messages than we are valid one and I would agree. But at this point and
>time, there is no other alternative for my company than do this.

Please can you do a compromise like this:
In MailScanner.conf, set
Required SpamAssassin Score = 6
High SpamAssassin Score = 10
Spam Actions = deliver bounce
High Scoring Spam Actions = deliver
That way low scoring (possibly marginal, possibly incorrectly tagged) spam gets bounced back to the sender. But if you are sure it is spam (believe me, a score of 10 will guarantee that!) then you don't bounce it.

Fortunately, with the latest version, even this isn't an option as I have removed the "bounce" spam action completely.

If the message had a virus in it, then by default the recipient would still get the message (with the virus removed) and so would know that the client sent them an email.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 17:13:12 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <40290C0F.6080306@deny.org>
References: <40290C0F.6080306@deny.org>
Message-ID: <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk>

At 16:51 10/02/2004, you wrote:
>For those of us that feel strongly that email should be a reliable
>transport medium. That believe that every email server should have
>secondary mx records. That believe strongly that any message that does
>not get delivered should send a bounce notice to the original sender.
>That no properly configured mail server should ever delete mail
>without some kind of notice to either the recipient or sender!
>For those of us that do spam filtering for brokers or certain types of
>lawyers that must BY LAW archive every message they get or bounce it.
>Who also don't want those same brokers wading through hundreds of spam
>messages a day, just to do their job.
>
>Has anyone made a third party patch to add back bounce as an option for
>Spam Actions? If not and you have interest in such a thing
>let me know.
>
>For those of you that feel email is not a reliable transport medium,
>that think it is ok for mail servers to just delete

Why not just use
Spam Actions = deliver
or
Spam Actions = deliver attachment
or
Spam Actions = notify store

That way your recipients don't have to wade through anything, all your incoming email is stored and people can get at messages that were wrongly tagged very easily.

I appreciate your point, and I am aware of your position. But bouncing spam is not the correct answer to it, there are many other superior solutions to the problem, that don't cause grief to everyone else on the net.

>email on arbitrary criteria, this is not a prelude to a debate. I don't
>care what your opinion is, we have a different philosophy
>about what email is. So don't expect a reply from me because you don't
>like my point of view. This email is to others that
>want to bounce messages instead of deleting them, whose users expect
>email to get through or at least tell someone if it does not.
>We know there are a few people that get a ton of bogus bounces. That this
>is unfortunate but less severe than mom not getting those pictures of the
>new baby. I personally wade through 3000 bounce messages a day. It is
>not that hard to filter them into another folder. So get over it.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 17:08:51 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: restart after spam.assassin.prefs.con edits?
In-Reply-To:
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net>
Message-ID: <6.0.1.1.2.20040210165431.03caad30@imap.ecs.soton.ac.uk>

At 16:39 10/02/2004, you wrote:
>Does MailScanner need to be restarted after edits to this file? For
>that matter, are there any files which can be edited that do not
>require MailScanner to be restarted?

A "reload" will do. If the "ps ax" command lists all the MailScanner processes as having parent PID of, say, 1234, then type this:
        kill -HUP -1234
as that will force all the child processes to restart and re-read their configuration.

If you don't want to do that, then the child processes restart themselves every 4 hours by default (see "Restart Every" in MailScanner.conf) at which point they will re-read their configuration anyway.

A few advanced SpamAssassin configuration options actually require a full restart of MailScanner, but that's pretty rare.

>--
>---
>
>Craig Daters (craig@westpress.com)
>Graphic Designer / Systems Administrator
>West Press Printing & Copying
>1663 West Grant Road
>Tucson, Arizona 85745-1433
>
>Tel: 520-624-4939
>Fax: 520-624-2715
>
>www.westpress.com
>
>---
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>MailScanner thanks transtec Computers for their support.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 17:19:12 2004
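[Added example, not part of Julian Field's message above and not MailScanner's own code: the reload he describes, with two checks before the signal is sent. It finds the one PID that the MailScanner children share as parent, and confirms that PID is also the process-group ID, which is what the negative argument to kill addresses. The function names, the ps column selection and the sample process table are assumptions constructed for illustration.]

```shell
#!/bin/sh
# Added example: find the MailScanner parent and HUP its process group.
# SAMPLE_PS is a constructed process table, not output from a real host.

SAMPLE_PS='  PID  PPID COMMAND
    1     0 init
  900     1 sendmail: accepting connections
 1234     1 perl /usr/sbin/MailScanner
 1240  1234 perl /usr/sbin/MailScanner
 1241  1234 perl /usr/sbin/MailScanner
 1242  1234 perl /usr/sbin/MailScanner
 2001  1999 awk /MailScanner/
 1999   950 -sh'

# Read "pid ppid args" rows on stdin and print the one PID that is itself a
# MailScanner process and the parent of other MailScanner processes.
# Exits 1 when there is no such PID, or more than one (ambiguous).
# Unrelated commands that merely mention MailScanner (the awk row above)
# are ignored because their parent is not a MailScanner process.
find_ms_parent() {
    awk '
        $1 ~ /^[0-9]+$/ && /MailScanner/ { is_ms[$1] = 1; parent[$1] = $2 }
        END {
            n = 0
            for (pid in parent) {
                p = parent[pid]
                if ((p in is_ms) && !(p in seen)) { seen[p] = 1; found = p; n++ }
            }
            if (n != 1) exit 1
            print found
        }'
}

# Send HUP to the whole MailScanner process group on the live system.
reload_mailscanner() {
    pid=$(ps -e -o pid,ppid,args | find_ms_parent) || {
        echo "no single MailScanner parent found; not signalling" >&2
        return 1
    }
    # "kill -HUP -PID" addresses process GROUP PID, so confirm the parent
    # really is the group leader before using the negative form.
    pgid=$(ps -o pgid= -p "$pid" | tr -d ' ')
    if [ "$pgid" != "$pid" ]; then
        echo "PID $pid is not a process-group leader (pgid=$pgid)" >&2
        return 1
    fi
    kill -HUP "-$pid"
}

# Run reload_mailscanner as root after editing the configuration.
```
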
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: restart after spam.assassin.prefs.con edits?
In-Reply-To:
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> <40290A39.6030801@camo-route.com>
Message-ID: <6.0.1.1.2.20040210171903.039e5670@imap.ecs.soton.ac.uk>

At 17:09 10/02/2004, you wrote:
>>I cannot tell exactly, but you can usually just reload it instead of
>>restarting it.
>
>Okay, forgive me if this is a stupid question, but how do I reload
>MailScanner?
>
>I have been usually restarting it by 'service MailScanner restart'
>would I reload it instead by 'service MailScanner reload'?

Yes
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From tyler at BELOIT.EDU Tue Feb 10 17:13:15 2004
From: tyler at BELOIT.EDU (Tim Tyler)
Date: Thu Jan 12 21:22:24 2006
Subject: conditional direction of email?
Message-ID: <6.0.0.22.0.20040210111244.03fe5ca8@beloit.edu>

Mailscanner experts,
We have most email get MXed through a scanner. We are running sendmail on our AIX5.1 systems. 95% of messages will get relayed through the scanner. Is it possible to have sendmail redirect ONLY messages that were NOT relayed through that scanner to redirect through your mailscanner?

Tim Tyler
Network Engineer - Beloit College
tyler@beloit.edu

From mkettler at EVI-INC.COM Tue Feb 10 17:26:28 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <40290C0F.6080306@deny.org>
References: <40290C0F.6080306@deny.org>
Message-ID: <6.0.0.22.0.20040210120454.01bf7dd8@xanadu.evi-inc.com>

Hmm, that's a great way to convince people to join your cause.. start off with a flame before anyone even replies. Sigh.

Feel free to develop a patch and use it, but beware of the implications for your ability to exchange mail with others. I for one take a strong stance against broken MTAs and at times am forced to start 550ing servers that are puking on my network when the admins will not correct their servers.

We have a difference of opinion, and that's fine, but keep in mind that your opinion regarding the "reliability" of email may affect the reliability of your ability to send mail in the first place.

I'd encourage you to actually try to do this some other way than using MailScanner.. Using a tool with deep MTA layer integrations will allow you to 550 the message before delivery. You're now meeting your needs for notifying legitimate senders, AND you're not brokenly puking on bystanders.

It's not something MailScanner can do, but so what? Your needs encompass something that MailScanner cannot do properly.

From wberbert at SERMAP.COM.BR Tue Feb 10 17:14:01 2004
From: wberbert at SERMAP.COM.BR (Wanderson Berbert)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
Message-ID:

I'm using mailscanner for debian and I'm trying to use f-secure 4.52 as virus scanner engine, I've changed the f-securewrapper script to meet my needs and started mailscanner, all seems to be fine until:

Commercial virus checker failed with real error: Either you've found a bug in MailScanner's F-Secure output parser, or F-Secure's output format has changed! Please mail the author of MailScanner!

Thanks for any help

From mailscanner at ecs.soton.ac.uk Tue Feb 10 17:25:11 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040210172441.03c99358@imap.ecs.soton.ac.uk>

Please search the archives before posting here.
I answered this a couple of days ago. See the thread with the title "Re: f-secure version 4.52".

At 17:14 10/02/2004, you wrote:
>I'm using mailscanner for debian and I'm trying to use f-secure 4.52 as
>virus scanner engine, I've changed the f-securewrapper script to meet my
>needs and started mailscanner, all seems to be fine until:
>
>Commercial virus checker failed with real error: Either
>you've found a bug in MailScanner's F-Secure
>output parser, or F-Secure's output format has changed!
>Please mail the author of MailScanner!
>
>Thanks for any help

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From wberbert at SERMAP.COM.BR Tue Feb 10 18:38:29 2004
From: wberbert at SERMAP.COM.BR (Wanderson Berbert)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
References: <6.0.1.1.2.20040210172441.03c99358@imap.ecs.soton.ac.uk>
Message-ID: <40292525.3050609@sermap.com.br>

I've already looked at archives before posting this email, you posted a patch to be applied to SweepViruses.pm but I didn't find this file in /usr/lib/MailScanner. I do not even have the folder /usr/lib/MailScanner on my computer, I installed MailScanner from packages.debian.org

Thanks


Julian Field wrote:

> Please search the archives before posting here.
> I answered this a couple of days ago. See the thread with the title "Re:
> f-secure version 4.52".
>
> At 17:14 10/02/2004, you wrote:
>
>> I'm using mailscanner for debian and I'm trying to use f-secure 4.52 as
>> virus scanner engine, I've changed the f-securewrapper script to meet my
>> needs and started mailscanner, all seems to be fine until:
>>
>> Commercial virus checker failed with real error: Either
>> you've found a bug in MailScanner's F-Secure
>> output parser, or F-Secure's output format has changed!
>> Please mail the author of MailScanner!
>>
>> Thanks for any help
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> -------------------------------------------------
> This message has been scanned for viruses and
> dangerous content by MailScanner, and no viruses
> were found in this message.
> -------------------------------------------------
>
>

-------------------------------------------------
This message has been scanned for viruses and
dangerous content by MailScanner, and no viruses
were found in this message.
-------------------------------------------------

From craig at WESTPRESS.COM Tue Feb 10 17:48:08 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:24 2006
Subject: restart after spam.assassin.prefs.con edits?
In-Reply-To: <6.0.1.1.2.20040210165431.03caad30@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> <6.0.1.1.2.20040210165431.03caad30@imap.ecs.soton.ac.uk>
Message-ID:

That works! Thanks Julian.

>At 16:39 10/02/2004, you wrote:
>>Does MailScanner need to be restarted after edits to this file? For
>>that matter, are there any files which can be edited that do not
>>require MailScanner to be restarted?
>
>A "reload" will do. If the "ps ax" command lists all the MailScanner
>processes as having parent PID of, say, 1234, then type this:
>         kill -HUP -1234
>as that will force all the child processes to restart and re-read their
>configuration.
>
>If you don't want to do that, then the child processes restart themselves
>every 4 hours by default (see "Restart Every" in MailScanner.conf) at which
>point they will re-read their configuration anyway.
>
>A few advanced SpamAssassin configuration options actually require a full
>restart of MailScanner, but that's pretty rare.

--
---

Craig Daters (craig@westpress.com)
Graphic Designer / Systems Administrator
West Press Printing & Copying
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com

---

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From sysadmins at ENHTECH.COM Tue Feb 10 17:54:44 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <6.0.1.1.2.20040210165026.03cab488@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> <6.0.2.0.0.20040210112114.02639290@mail.enhtech.com> <6.0.1.1.2.20040210165026.03cab488@imap.ecs.soton.ac.uk>
Message-ID: <6.0.2.0.0.20040210125253.02653ac0@mail.enhtech.com>

At 11:54 AM 2/10/2004, you wrote:
Please can you do a compromise like this:
>In MailScanner.conf, set
>Required SpamAssassin Score = 6
>High SpamAssassin Score = 10
>Spam Actions = deliver bounce
>High Scoring Spam Actions = deliver
>That way low scoring (possibly marginal, possibly incorrectly tagged) spam
>gets bounced back to the sender. But if you are sure it is spam (believe
>me, a score of 10 will guarantee that!) then you don't bounce it.
>
>Fortunately, with the latest version, even this isn't an option as I have
>removed the "bounce" spam action completely.
>
>If the message had a virus in it, then by default the recipient would still
>get the message (with the virus removed) and so would know that the client
>sent them an email.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Well Julian, we already do this. If a message is off the chart, there is absolutely no sense in us bouncing it. That would be crazy.

So in the latest version you've removed the bounce option? Ouch...

Errol Neal

From mailscanner at ecs.soton.ac.uk Tue Feb 10 17:58:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
In-Reply-To: <40292525.3050609@sermap.com.br>
References: <6.0.1.1.2.20040210172441.03c99358@imap.ecs.soton.ac.uk> <40292525.3050609@sermap.com.br>
Message-ID: <6.0.3.0.2.20040210175720.03becd60@imap.ecs.soton.ac.uk>

In which case, do "locate SweepViruses.pm" assuming debian has "locate". If it doesn't have a "locate" command, then try this instead
        find /opt /usr -name SweepViruses.pm -print
though that may take a little while.

At 18:38 10/02/2004, you wrote:
>I've already looked at archives before posting this email, you posted a
>patch to be applied to SweepViruses.pm but I didn't find this file in
>/usr/lib/MailScanner. I do not even have the folder /usr/lib/MailScanner on
>my computer, I installed MailScanner from packages.debian.org
>
>Thanks
>
>
>Julian Field wrote:
>
>>Please search the archives before posting here.
>>I answered this a couple of days ago. See the thread with the title "Re:
>>f-secure version 4.52".
>>
>>At 17:14 10/02/2004, you wrote:
>>
>>>I'm using mailscanner for debian and I'm trying to use f-secure 4.52 as
>>>virus scanner engine, I've changed the f-securewrapper script to meet my
>>>needs and started mailscanner, all seems to be fine until:
>>>
>>>Commercial virus checker failed with real error: Either
>>>you've found a bug in MailScanner's F-Secure
>>>output parser, or F-Secure's output format has changed!
>>>Please mail the author of MailScanner!
>>>
>>>Thanks for any help
>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>-------------------------------------------------
>>This message has been scanned for viruses and
>>dangerous content by MailScanner, and no viruses
>>were found in this message.
>>-------------------------------------------------
>>
>
>
>
>-------------------------------------------------
>This message has been scanned for viruses and
>dangerous content by MailScanner, and no viruses
>were found in this message.
>-------------------------------------------------

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 18:03:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <6.0.2.0.0.20040210125253.02653ac0@mail.enhtech.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> <6.0.2.0.0.20040210112114.02639290@mail.enhtech.com> <6.0.1.1.2.20040210165026.03cab488@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210125253.02653ac0@mail.enhtech.com>
Message-ID: <6.0.3.0.2.20040210175946.03bdbb98@imap.ecs.soton.ac.uk>

At 17:54 10/02/2004, you wrote:
>At 11:54 AM 2/10/2004, you wrote:
>Please can you do a compromise like this:
>>In MailScanner.conf, set
>>Required SpamAssassin Score = 6
>>High SpamAssassin Score = 10
>>Spam Actions = deliver bounce
>>High Scoring Spam Actions = deliver
>>That way low scoring (possibly marginal, possibly incorrectly tagged) spam
>>gets bounced back to the sender. But if you are sure it is spam (believe
>>me, a score of 10 will guarantee that!) then you don't bounce it.
>>
>>Fortunately, with the latest version, even this isn't an option as I have
>>removed the "bounce" spam action completely.
>>
>>If the message had a virus in it, then by default the recipient would still
>>get the message (with the virus removed) and so would know that the client
>>sent them an email.
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>Well Julian, we already do this. If a message is off the chart, there is
>absolutely no sense in us bouncing it. That would be
>crazy.
>
>So in the latest version you've removed the bounce option? Ouch...

I believe there are better solutions to the problem, such as "deliver attachment" or "notify" so the recipient makes the decision as to what to do with the message.

I will only put the "bounce" option back in if there is an absolute outcry about it, which there isn't. The outcry is for stopping people bouncing spam as the sender address is always faked so some innocent soul gets inundated with warning messages about stuff they never sent. I have to deal with a lot of these people, as they contact me for help. This takes a fair amount of my time, so I am strongly against anything that wastes my time. You guys don't have to deal with the fallout from this option, I do!
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From sysadmins at ENHTECH.COM Tue Feb 10 18:09:54 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>

At 12:13 PM 2/10/2004, you wrote:
>I appreciate your point, and I am aware of your position. But bouncing spam
>is not the correct answer to it, there are many other superior solutions to
>the problem, that don't cause grief to everyone else on the net.

Julian, as opposed to "bouncing" a message, can we implement something to notify a sender politely that they *may* have sent an email to someone that did not get delivered and *IF* they do not know this person to disregard the message. I am very concerned that the bounce feature is removed. For those providers not wishing to guarantee some type of service to their clients, tell your backbone providers to also renege on the SLA you have with them. The reason we notify senders is not to be mean but as a responsibility to the clients we handle mail for. They entrust us with their mail. If for any reason a message cannot be delivered to someone, then the sender needs to know about this. I am asking you to please have this option available for those who need it. Otherwise this breaks more than you are trying to fix. Email is an important form of communication in this day and age and ANY provider who tells their clients they cannot "guarantee" delivery of email to their inbox is simply irresponsible. Again, if you are willing to take this approach, please relieve your backbone providers of all SLA's they provide you. Allow them to tell you that they do not "guarantee" delivery of any datagram to your servers and see how quickly you look for another provider.

Errol Neal

From wberbert at SERMAP.COM.BR Tue Feb 10 19:07:09 2004
From: wberbert at SERMAP.COM.BR (Wanderson Berbert)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
References: <6.0.1.1.2.20040210172441.03c99358@imap.ecs.soton.ac.uk> <40292525.3050609@sermap.com.br> <6.0.3.0.2.20040210175720.03becd60@imap.ecs.soton.ac.uk>
Message-ID: <40292BDD.2070107@sermap.com.br>

I found a file called sweep.pl at /usr/share/mailscanner/
SweepViruses.pm doesn't exist in my system

Thanks for help

Julian Field wrote:

> In which case, do "locate SweepViruses.pm" assuming debian has
> "locate". If
> it doesn't have a "locate" command, then try this instead
> find /opt /usr -name SweepViruses.pm -print
> though that may take a little while.
>
> At 18:38 10/02/2004, you wrote:
>
>> Ive already looked at archives before posting this email, you posted a
>> patch to be applied to SweepViruses.pm but I didnt find this file in
>> /usr/lib/MailScanner I not even have the folder /usr/lib/MailScanner on
>> my computer, I installed MailScanner from packages.debian.org
>>
>> Thanks
>>
>> Julian Field wrote:
>>
>>> Please search the archives before posting here.
>>> I answered this a couple of days ago. See the thread with the title
>>> "Re:
>>> f-secure version 4.52".
>>>
>>> At 17:14 10/02/2004, you wrote:
>>>
>>>> Im using mailscanner for debian and Im trying to user f-secure 4.52 as
>>>> virus scanner engine, Ive changed the f-securewrapper script to
>>>> meet may
>>>> needs and started mailscanner, all seems to be fine until:
>>>>
>>>> Commercial virus checker failed with real error: Either
>>>> you've found a bug in MailScanner's F-Secure
>>>> output parser, or F-Secure's output format has changed!
>>>> Please mail the author of MailScanner!
>>>>
>>>> Thanks for any help
>>>
>>> --
>>> Julian Field
>>> www.MailScanner.info
>>> MailScanner thanks transtec Computers for their support
>>>
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>> -------------------------------------------------
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and no viruses
>>> were found in this message.
>>> -------------------------------------------------
>>>
>>
>> -------------------------------------------------
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and no viruses
>> were found in this message.
>> -------------------------------------------------
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> -------------------------------------------------
> This message has been scanned for viruses and
> dangerous content by MailScanner, and no viruses
> were found in this message.
> -------------------------------------------------
>

-------------------------------------------------
This message has been scanned for viruses and
dangerous content by MailScanner, and no viruses
were found in this message.
-------------------------------------------------

From wberbert at SERMAP.COM.BR Tue Feb 10 17:59:55 2004
From: wberbert at SERMAP.COM.BR (Wanderson Berbert)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
Message-ID:

I found in /usr/share/mailscanner/sweep.pl, something interesting

sub ProcessFSecureOutput {
  my($line, $infections, $types, $BaseDir) = @_;
  #my($line) = @_;

  my($report, $infected, $dot, $id, $part, @rest);

  chomp $line;

  # Lose cruft
  return 0 if $fsecure_InCruft > 0;
  if ($line eq "") {
    $fsecure_InCruft += 1;
    return 0;
  }
  $fsecure_InCruft == 0 or return 0;

  # Prefer s/// to m// as less likely to do unpredictable things.
  # We hope.
  if ($line =~ /\tinfection:\s/) {
    $report = $line;
    # Get to relevant filename in a reasonably but not
    # totally robust manner (*impossible* to be totally robust
    # if we have square brackets and spaces in filenames)
    # Strip archive bits if present
    $line =~ s/^\[(.*?)\] .+(\tinfection:.*)/$1$2/;

    # Get to the meat or die trying...
    $line =~ s/\tinfection:[^:]*$//
      or Log::DieLog("Dodgy things going on in F-Secure output:\n$report\n");
    ($dot,$id,$part,@rest) = split(/\//, $line);
    $infections->{"$id"}{"$part"} .= $report . "\n";
    $types->{"$id"}{"$part"} .= "v"; # so we know what to tell sender
    return 1;
  }
  Log::DieLog("Either you've found a bug in MailScanner's F-Secure\noutput parser, or F-Secure's output format has changed!\nPlease mail the author of MailScanner!\n");
}

When I invoke /etc/mailscanner/wrapper/f-securewrapper /var/spool/mailscanner/incoming/ the output is:

F-Secure Anti-Virus for Linux version 4.52 build 2461
Copyright (c) 1999-2003 F-Secure Corporation. All Rights Reserved.
EVALUATION VERSION - FULLY FUNCTIONAL - FREE TO USE FOR 30 DAYS.
To purchase license, please check http://www.F-Secure.com/purchase/
Database version: 2004-02-09_04^M
Scan started at Tue Feb 10 15:58:10 2004
/var/spool/mailscanner/incoming/1Aqc4E-0002LO-00/doc.scr: Infected: W32/Mydoom.A@mm [Orion]
/var/spool/mailscanner/incoming/1Aqc4E-0002LO-00/doc.scr: Infected: I-Worm.Mydoom.a [AVP]
[/var/spool/mailscanner/incoming/1Aqc4w-00044D-00/document.zip] document.htm .exe: Infected: W32/Mydoom.A@mm [Orion]
[/var/spool/mailscanner/incoming/1Aqc4w-00044D-00/document.zip] document.htm .exe: Infected: I-Worm.Mydoom.a [AVP]
[/var/spool/mailscanner/incoming/1Aqc79-00075p-00/body.zip] body.htm .exe: Infected: W32/Mydoom.A@mm [Orion]
[/var/spool/mailscanner/incoming/1Aqc79-00075p-00/body.zip] body.htm .exe: Infected: I-Worm.Mydoom.a [AVP]
/var/spool/mailscanner/incoming/1Aqc87-0007bI-00/message.pif: Infected: W32/Mydoom.A@mm [Orion]
/var/spool/mailscanner/incoming/1Aqc87-0007bI-00/message.pif: Infected: I-Worm.Mydoom.a [AVP]
Scan ended at Tue Feb 10 15:58:13 2004
18 files scanned
4 files infected

From marco at MUW.EDU Tue Feb 10 18:40:04 2004
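[Added example, not part of the archived messages and not MailScanner's own code.] The report lines quoted in the f-secure 4.52 message above use ": Infected: " where the version 3 ProcessFSecureOutput looks for a tab followed by "infection:", so none of them match, which is consistent with the error quoted in the thread. The Perl script below parses the 4.52 layout shown in that output; the function name parse_fsecure_452, the banner patterns and the non-zero exit on unrecognised lines are assumptions made for this illustration, and the sample lines are constructed from the quoted output.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Lines that carry no per-file verdict in the 4.52 output quoted above.
my $BANNER = qr{
    ^(?: F-Secure\ Anti-Virus\  | Copyright\  | EVALUATION\ VERSION
       | To\ purchase\ license | Database\ version:
       | Scan\ (?:started|ended)\ at\  | \d+\ files?\ (?:scanned|infected)\s*\z )
}x;

# Hypothetical helper: returns (\%infections, \@unrecognised).
# %infections is keyed {message id}{attachment}, like the hash the v3 code fills.
sub parse_fsecure_452 {
    my ($basedir, @lines) = @_;
    my (%infections, @unrecognised);
    $basedir =~ s{/+$}{};

    for my $line (@lines) {
        $line =~ s/[\r\n]+$//;    # the quoted output shows a stray ^M
        next if $line =~ /^\s*$/ || $line =~ $BANNER;

        # Greedy (.+) anchors on the LAST ": Infected: " in the line, because
        # the text before it contains a sender-chosen attachment name.
        if ($line =~ /^(.+): Infected: (.+?) \[([^\]]+)\]\s*$/) {
            my ($where, $virus, $engine) = ($1, $2, $3);
            # "[archive] member" form: attribute the hit to the archive itself.
            $where =~ s{^\[(\Q$basedir\E/[^\]]*)\] .*$}{$1};
            if ($where =~ m{^\Q$basedir\E/([^/]+)/([^/]+)}) {
                push @{ $infections{$1}{$2} }, "$virus [$engine]";
                next;
            }
        }
        push @unrecognised, $line;    # never silently treat as clean
    }
    return (\%infections, \@unrecognised);
}

# Constructed sample: report lines taken from the message above, a CR added to
# one banner line, and one made-up line in an unknown format.
my @sample = (
    'F-Secure Anti-Virus for Linux version 4.52 build 2461',
    '',
    "Database version: 2004-02-09_04\r",
    'Scan started at Tue Feb 10 15:58:10 2004',
    '/var/spool/mailscanner/incoming/1Aqc4E-0002LO-00/doc.scr: Infected: W32/Mydoom.A@mm [Orion]',
    '/var/spool/mailscanner/incoming/1Aqc4E-0002LO-00/doc.scr: Infected: I-Worm.Mydoom.a [AVP]',
    '[/var/spool/mailscanner/incoming/1Aqc4w-00044D-00/document.zip] document.htm .exe: Infected: W32/Mydoom.A@mm [Orion]',
    '/var/spool/mailscanner/incoming/1Aqc87-0007bI-00/message.pif: Infected: I-Worm.Mydoom.a [AVP]',
    'Scan ended at Tue Feb 10 15:58:13 2004',
    '18 files scanned',
    '4 files infected',
    'a line in a layout this parser has never seen',    # constructed
);

# How many sample lines would the v3 pattern from sweep.pl recognise?
my $old_hits = grep { /\tinfection:\s/ } @sample;
print "lines recognised by the v3 pattern: $old_hits\n";

my ($found, $unrecognised) =
    parse_fsecure_452('/var/spool/mailscanner/incoming/', @sample);
for my $id (sort keys %$found) {
    for my $part (sort keys %{ $found->{$id} }) {
        print "$id $part: ", join('; ', @{ $found->{$id}{$part} }), "\n";
    }
}

# Fail closed: an unknown line is an error, not a clean verdict.
if (@$unrecognised) {
    warn "unrecognised scanner output: $_\n" for @$unrecognised;
    exit 1;
}
```

Exiting non-zero on any unrecognised line keeps a changed report format from being read as "no viruses found".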
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>
Message-ID: <1076438404.40292584d0e3a@webmail.MUW.Edu>

I support Julian's decision of removing the "Bounce" option. To ask for this option knowingly that 99% of the time you're notifying the wrong sender is outrageous!!! ...

I respectfully object to the point that was made about e-mail "reliability" by enabling "Bounce". I think all you're doing is saturating the Internet with junk and costing other MTAs valuable resources and creating confusion. Do you call this "reliable"? Bouncing too many messages may even force some other MTAs to block your server to stop the excessive bounces. Do you call this "reliable"?

I have been running MS to thousands of my users for 2 years now. Our users are extremely happy, less confused, and trust our service. There are other ways that Julian made available to accomplish what you are trying to do without "Bouncing" messages all over the Internet.

If you look at the whole picture, you will see Julian's point ... Create a patch that more fits your needs and be done with !!!

Marco

Quoting Admin Team :

> At 12:13 PM 2/10/2004, you wrote:
> >I appreciate your point, and I am aware of your position. But bouncing spam
> >is not the correct answer to it, there are many other superior solutions to
> >the problem, that don't cause grief to everyone else on the net.

From mailscanner at ecs.soton.ac.uk Tue Feb 10 18:31:10 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:24 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> Message-ID: <6.0.3.0.2.20040210182713.044efeb0@imap.ecs.soton.ac.uk> At 18:09 10/02/2004, you wrote: >At 12:13 PM 2/10/2004, you wrote: >>I appreciate your point, and I am aware of your position. But bouncing spam >>is not the correct answer to it, there are many other superior solutions to >>the problem, that don't cause grief to everyone else on the net. > > >Julian, as opposed to "bouncing" a message, can we implement something to >notify a sender politely that >they *may* have sent an email to someone that did not get delivered and >*IF* they do not know this person >to disregard the message. I am very concerned that the bounce feature is >removed. For those providers not wishing >to guarantee some type of service to their clients, Tell your Backpone >providers to also renig on the SLA you have with them. >The reason we notify senders is not to be mean but as a responsibility to >the clients we handle mail for. They intrust us with their mail. >If for any reason a message cannot be delivered to someone, then the sender >needs to know about this. I am asking you to please have this option >available for those who need it. Otherwise this breaks more than you are >trying to fix. Email is an important form of communication in this day and >age and ANY provider who tells their clients they cannot "guarantee" >delivery of email to their inbox is >simply irresponsible. That is entirely down to your configuration. I guarantee to deliver every piece of mail to my users' inboxes, and I don't use the bounce option. 
Informing the (forged, 99.999% of the time) sender is a totally different matter to delivering mail to their inbox. You simply tag the subject line and use "Spam Actions = deliver". That way the recipient can quickly skip through all the labelled spam, but they have the option to check all of it is correctly tagged. You are confusing these two processes. They are totally separate and unrelated. My users would go through the roof if I didn't deliver every piece of mail addressed to them. I do that, but I see no need to "bounce" spam. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 10 18:26:18 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
In-Reply-To: <40292BDD.2070107@sermap.com.br>
References: <6.0.1.1.2.20040210172441.03c99358@imap.ecs.soton.ac.uk> <40292525.3050609@sermap.com.br> <6.0.3.0.2.20040210175720.03becd60@imap.ecs.soton.ac.uk> <40292BDD.2070107@sermap.com.br>
Message-ID: <6.0.3.0.2.20040210182310.03cd1a28@imap.ecs.soton.ac.uk>

At 19:07 10/02/2004, you wrote:
>I found a file called sweep.pl at /usr/share/mailscanner/
>SweepViruses.pm doesn't exist in my system

In which case you are running version 3 which I haven't supported for at least 1 1/2 years when I wrote version 4. The Debian stable version is so old it's completely useless. It's a bit like virus scanning or spam scanning, if the code is too old it doesn't work any more. The world has moved on rather a long way since the last edition of version 3. I suggest you remove version 3 *completely*, switch to debian unstable and install version 4.

Sorry, but I haven't got the time to support code that is getting on for being nearly 2 years out of date. To stay with version 3, you will have to use a version of F-Secure that is 1 1/2 years old as well.

>Thanks for help
>
>Julian Field wrote:
>
>>In which case, do "locate SweepViruses.pm" assuming debian has
>>"locate". If
>>it doesn't have a "locate" command, then try this instead
>>find /opt /usr -name SweepViruses.pm -print
>>though that may take a little while.
>>
>>At 18:38 10/02/2004, you wrote:
>>
>>>Ive already looked at archives before posting this email, you posted a
>>>patch to be applied to SweepViruses.pm but I didnt find this file in
>>>/usr/lib/MailScanner I not even have the folder /usr/lib/MailScanner on
>>>my computer, I installed MailScanner from packages.debian.org
>>>
>>>Thanks
>>>
>>>Julian Field wrote:
>>>
>>>>Please search the archives before posting here.
>>>>I answered this a couple of days ago. See the thread with the title
>>>>"Re:
>>>>f-secure version 4.52".
>>>>
>>>>At 17:14 10/02/2004, you wrote:
>>>>
>>>>>Im using mailscanner for debian and Im trying to user f-secure 4.52 as
>>>>>virus scanner engine, Ive changed the f-securewrapper script to
>>>>>meet may
>>>>>needs and started mailscanner, all seems to be fine until:
>>>>>
>>>>>Commercial virus checker failed with real error: Either
>>>>>you've found a bug in MailScanner's F-Secure
>>>>>output parser, or F-Secure's output format has changed!
>>>>>Please mail the author of MailScanner!
>>>>>
>>>>>Thanks for any help
>>>>
>>>>--
>>>>Julian Field
>>>>www.MailScanner.info
>>>>MailScanner thanks transtec Computers for their support
>>>>
>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>
>>>>-------------------------------------------------
>>>>This message has been scanned for viruses and
>>>>dangerous content by MailScanner, and no viruses
>>>>were found in this message.
>>>>-------------------------------------------------
>>>
>>>-------------------------------------------------
>>>This message has been scanned for viruses and
>>>dangerous content by MailScanner, and no viruses
>>>were found in this message.
>>>-------------------------------------------------
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>-------------------------------------------------
>>This message has been scanned for viruses and
>>dangerous content by MailScanner, and no viruses
>>were found in this message.
>>-------------------------------------------------
>>
>
>-------------------------------------------------
>This message has been scanned for viruses and
>dangerous content by MailScanner, and no viruses
>were found in this message.
>-------------------------------------------------

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From acschmitt at BPA.GOV Tue Feb 10 18:39:09 2004
From: acschmitt at BPA.GOV (Schmitt, Andy C - CIDD-2)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
Message-ID: <242663BECAD80B4DAAF2E62788F96917473B18@exhq01.bud.bpa.gov>

I think the original problem was that, polite or not, getting 3000 messages within a half-hour just because a spammer spoofed an email address just doesn't make someone's day. It's happened to some of my clients a few times, and it's _not_ fun. The clueless use of bouncing, on any mail gateway, by some admins has made it a real monster, and I think Julian has done the right thing in deciding to eliminate it.

I see a lot of people using "mail receipts", which are client-based, that send back a receipt when they read the message. Someone on this list suggested phone calls to verify, which I use sometimes (since receipts seem kind of annoying to me). Or just allow mail to get through (setting spam to deliver) and tell clients to set up a rule (Outlook and Eudora, IIRC, both do this) that will dump messages labelled spam into the appropriate folder; then they can decide what they want to keep.

All I know is, if you are in a position where you are filtering mail in such a way that clients will never see blocked messages, which I am, you can't have your cake and eat it too. Do you want to err on the side of eliminating spam, yielding some false negatives, or err on the side of ensuring mail delivery, yielding some false positives? There are many ways to handle this problem, but flooding the Internet with thousands of replies to spam is one of the least efficient.

Andy Schmitt
BPA Unix Team

-----Original Message-----
From: Admin Team [mailto:sysadmins@ENHTECH.COM] Sent: Tuesday, February 10, 2004 10:10 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: For those of us that feel strongly that email should be a reliable transport medium. At 12:13 PM 2/10/2004, you wrote: >I appreciate your point, and I am aware of your position. But bouncing spam >is not the correct answer to it, there are many other superior solutions to >the problem, that don't cause grief to everyone else on the net. Julian, as opposed to "bouncing" a message, can we implement something to notify a sender politely that they *may* have sent an email to someone that did not get delivered and *IF* they do not know this person to disregard the message. I am very concerned that the bounce feature is removed. For those providers not wishing to guarantee some type of service to their clients, Tell your Backpone providers to also renig on the SLA you have with them. The reason we notify senders is not to be mean but as a responsibility to the clients we handle mail for. They intrust us with their mail. If for any reason a message cannot be delivered to someone, then the sender needs to know about this. I am asking you to please have this option available for those who need it. Otherwise this breaks more than you are trying to fix. Email is an important form of communication in this day and age and ANY provider who tells their clients they cannot "guarantee" delivery of email to their inbox is simply irresponsible. Again,if you are willing to take this approach, please relieve your backbone providers of all SLA's they provide you. Allow them to tell you that they do not "guarantee" delivery of any datagram to your servers and see how quickly you look for another provider. Errol Neal From wberbert at SERMAP.COM.BR Tue Feb 10 19:44:55 2004 
From: wberbert at SERMAP.COM.BR (Wanderson Berbert)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
References: <6.0.1.1.2.20040210172441.03c99358@imap.ecs.soton.ac.uk> <40292525.3050609@sermap.com.br> <6.0.3.0.2.20040210175720.03becd60@imap.ecs.soton.ac.uk> <40292BDD.2070107@sermap.com.br> <6.0.3.0.2.20040210182310.03cd1a28@imap.ecs.soton.ac.uk>
Message-ID: <402934B7.3050301@sermap.com.br>

ok, I understand
I will see what I can do

Thanks

Julian Field wrote:

> At 19:07 10/02/2004, you wrote:
>
>> I found a file called sweep.pl at /usr/share/mailscanner/
>> SweepViruses.pm doesn't exist in my system
>
> In which case you are running version 3 which I haven't supported for at
> least 1 1/2 years when I wrote version 4. The Debian stable version is so
> old it's completely useless. It's a bit like virus scanning or spam
> scanning, if the code is too old it doesn't work any more. The world has
> moved on rather a long way since the last edition of version 3. I suggest
> you remove version 3 *completely*, switch to debian unstable and install
> version 4.
>
> Sorry, but I haven't got the time to support code that is getting on for
> being nearly 2 years out of date. To stay with version 3, you will
> have to
> use a version of F-Secure that is 1 1/2 years old as well.
>
>> Thanks for help
>>
>> Julian Field wrote:
>>
>>> In which case, do "locate SweepViruses.pm" assuming debian has
>>> "locate". If
>>> it doesn't have a "locate" command, then try this instead
>>> find /opt /usr -name SweepViruses.pm -print
>>> though that may take a little while.
>>>
>>> At 18:38 10/02/2004, you wrote:
>>>
>>>> Ive already looked at archives before posting this email, you posted a
>>>> patch to be applied to SweepViruses.pm but I didnt find this file in
>>>> /usr/lib/MailScanner I not even have the folder
>>>> /usr/lib/MailScanner on
>>>> my computer, I installed MailScanner from packages.debian.org
>>>>
>>>> Thanks
>>>>
>>>> Julian Field wrote:
>>>>
>>>>> Please search the archives before posting here.
>>>>> I answered this a couple of days ago. See the thread with the title
>>>>> "Re:
>>>>> f-secure version 4.52".
>>>>>
>>>>> At 17:14 10/02/2004, you wrote:
>>>>>
>>>>>> Im using mailscanner for debian and Im trying to user f-secure
>>>>>> 4.52 as
>>>>>> virus scanner engine, Ive changed the f-securewrapper script to
>>>>>> meet may
>>>>>> needs and started mailscanner, all seems to be fine until:
>>>>>>
>>>>>> Commercial virus checker failed with real error: Either
>>>>>> you've found a bug in MailScanner's F-Secure
>>>>>> output parser, or F-Secure's output format has changed!
>>>>>> Please mail the author of MailScanner!
>>>>>>
>>>>>> Thanks for any help
>>>>>
>>>>> --
>>>>> Julian Field
>>>>> www.MailScanner.info
>>>>> MailScanner thanks transtec Computers for their support
>>>>>
>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>>
>>>>> -------------------------------------------------
>>>>> This message has been scanned for viruses and
>>>>> dangerous content by MailScanner, and no viruses
>>>>> were found in this message.
>>>>> -------------------------------------------------
>>>>
>>>> -------------------------------------------------
>>>> This message has been scanned for viruses and
>>>> dangerous content by MailScanner, and no viruses
>>>> were found in this message.
>>>> -------------------------------------------------
>>>
>>> --
>>> Julian Field
>>> www.MailScanner.info
>>> Professional Support Services at www.MailScanner.biz
>>> MailScanner thanks transtec Computers for their support
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>> -------------------------------------------------
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and no viruses
>>> were found in this message.
>>> -------------------------------------------------
>>>
>>
>> -------------------------------------------------
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and no viruses
>> were found in this message.
>> -------------------------------------------------
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> -------------------------------------------------
> This message has been scanned for viruses and
> dangerous content by MailScanner, and no viruses
> were found in this message.
> -------------------------------------------------
>

-------------------------------------------------
This message has been scanned for viruses and
dangerous content by MailScanner, and no viruses
were found in this message.
-------------------------------------------------

From gdoris at rogers.com Tue Feb 10 18:44:02 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a
In-Reply-To: <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>
Message-ID: <35195.129.80.22.133.1076438642.squirrel@65.48.246.102>

I was just in the process of sending a note complimenting Julian for removing the bounce option when this message came in.

I've been receiving a flood of bogus bounces from all over the world. They are the result of emails from unknown users from my domain that have been faked by the MyDoom virus. Some still contained the virus. I'd hardly call falsely bouncing virus laden messages an example of a reliable transport medium.

A short time ago I had a spammer fake my domain as his sending address...I had so many bounces I had to close down my server until they died off!

The existing email transport system is inherently not reliable.

Gerry

From Mark.Warpool at BENCHMARK-USA.COM Tue Feb 10 18:44:27 2004
From: Mark.Warpool at BENCHMARK-USA.COM (Mark Warpool)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
Message-ID: <93B43B0A099CFE4AB0AED9B54919346E256827@srv-btc-2k.corp.benchmark-usa.com>

I was originally against this idea. But after following this list, and considering the arguments, and more importantly, dealing with the onslaught of requests I've gotten from my users because they received a bounce from the recent MYDOOM virus (not from me, but someone else), I've seen the light.

I agree with Julian, there are a lot better ways to deal with this, and I think in the end your customers/users will thank you for it. Most people don't understand what is going on when they get these messages, and it frustrates them. When you take that burden off of them, they're less worried about the rare message which is accidentally skipped or deleted, and more grateful for not having to deal with all the rest of it. At least, that's been my experience.

Mark Warpool
Benchmark Technologies Corp

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, February 10, 2004 1:04 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Including original headers in reports At 17:54 10/02/2004, you wrote: >At 11:54 AM 2/10/2004, you wrote: >Please can you do a compromise like this: >>In MailScanner.conf, set >>Required SpamAssassin Score = 6 >>High SpamAssassin Score = 10 >>Spam Actions = deliver bounce >>High Scoring Spam Actions = deliver >>That way low scoring (possibly marginal, possibly incorrectly tagged) spam >>gets bounced back to the sender. But if you are sure it is spam (believe >>me, a score of 10 will guarantee that!) then you don't bounce it. >> >>Fortunately, with the latest version, even this isn't an option as I have >>removed the "bounce" spam action completely. >> >>If the message had a virus in it, then by default the recipient would still >>get the message (with the virus removed) and so would know that the client >>sent them an email. >>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support >> >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >Well Julian, we already do this. If a message is off the chart, there is >absolutely no sense in use bouncing it. That would be >crazy. > >So in the latest version you've removed the bounce option? Ouch... I believe there are better solutions to the problem, such as "deliver attachment" or "notify" so the recipient makes the decision as to what to do with the message. I will only put the "bounce" option back in if there is an absolute outcry about it, which there isn't. The outcry is for stopping people bouncing spam as the sender address is always faked so some innocent soul gets inundated with warning messages about stuff they never sent. I have to deal with a lot of these people, as they contact me for help. This takes a fair amount of my time, so I am strongly against anything that wastes my time. 
You guys don't have to deal with the fallout from this option, I do! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mkettler at EVI-INC.COM Tue Feb 10 18:52:37 2004 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:24 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> Message-ID: <6.0.0.22.0.20040210133708.01fbe0a0@xanadu.evi-inc.com> At 01:09 PM 2/10/2004, Admin Team wrote: >Julian, as opposed to "bouncing" a message, can we implement something to >notify a sender politely that >they *may* have sent an email to someone that did not get delivered and >*IF* they do not know this person >to disregard the message. Unfortunately this just ignores the underlying problem of bounces and just replaces it with something with a different name. If nothing else, your suggested change makes life HARDER for the victims of Joe jobs because the message now doesn't even look like a bounce and can't be procmailed out as easily. (Imagine receiving thousands of "notifications" per hour in hundreds of different formats. Ouch.) To explain a bit, the fundamental problem with post-delivery bounces and notifications is the DDoS that results from thousands of domains sending hundreds of thousands of notifications to forged addresses that spammers use. It's not the content of the message that's a problem, it's the number of them and the vast number of sources they all come from. Post delivery bounces, notifications, etc are a very BAD thing for those on the receiving end of a joe job. They make a bad situation significantly worse. In the case of spam notifications, you already know there's at least a 99% chance that you're sending email to a joe job victim, so why are you sending it in the first place? Really, there are other ways to handle the 1% of the spam-matches that are false positives without abusing 99% of the rest of the world. 
Use A SMTP layer 550, tag it, quarantine it, or whatever. But don't generate post-delivery bounces, notices, or whatever name you want to call them. From sysadmins at ENHTECH.COM Tue Feb 10 18:54:58 2004 
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <1076438404.40292584d0e3a@webmail.MUW.Edu>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> <1076438404.40292584d0e3a@webmail.MUW.Edu>
Message-ID: <6.0.2.0.0.20040210135103.02629588@mail.enhtech.com>

At 01:40 PM 2/10/2004, you wrote:
>I support Julian's decision of removing the "Bounce" option. To ask for this
>option knowingly that 99% of the time you're notifying the wrong sender is
>outrageous!!! ...
>
>I respectfully object to the point that was made about e-mail "reliability" by
>enabling "Bounce". I think all you're doing is saturating the Internet with
>junk and costing other MTAs valuable resources and creating confusion.
>Do you call this "reliable"?
>Bouncing too many messages may even force some other MTAs to block your
>server to stop the excessive bounces. Do you call this "reliable"?
>
>I have been running MS to thousands of my users for 2 years now. Our users are
>extremely happy, less confused, and trust our service. There are other ways
>that Julian made available to accomplish what you are trying to do
>without "Bouncing" messages all over the Internet.
>
>If you look at the whole picture, you will see Julian's point ...
>Create a patch that more fits your needs and be done with !!!
>
>Marco

Well can we agree that it is not the bounce, but the contents of the bounce? For example, a message that says

"You are a spammer that sent a message to user@domain.com We do not accept unsolicited mail and blah blah blah"

as opposed to a message that says

"A message to user@domain.com that apparently came from your email address was not received. If you are indeed the sender, please find an alternate means of communicating with the user. Otherwise please disregard this message".

That sounds a lot better than the first one.

Errol Neal

From sysadmins at ENHTECH.COM Tue Feb 10 19:00:06 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.3.0.2.20040210182713.044efeb0@imap.ecs.soton.ac.uk>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> <6.0.3.0.2.20040210182713.044efeb0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.2.0.0.20040210135832.02643ab8@mail.enhtech.com>

At 01:31 PM 2/10/2004, you wrote:
>That way the recipient can quickly skip
>through all the labelled spam, but they have the option to check all of it
>is correctly tagged.
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Yea, they also get to see all the nice lower scoring porn. *sigh*. I give up. Thanks for at least hearing me out.

Regards,

Errol Neal

From ugob at CAMO-ROUTE.COM Tue Feb 10 19:04:23 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:24 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. Message-ID: <54C38A0B814C8E438EF73FC76F3629274108CA@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: Admin Team [mailto:sysadmins@ENHTECH.COM] > Sent: Tuesday, February 10, 2004 2:00 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: For those of us that feel strongly that email should be a > reliable transport medium. > > > At 01:31 PM 2/10/2004, you wrote: > >That way the recipient can quickly skip > >through all the labelled spam, but they have the option to > check all of it > >is correctly tagged. > > > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > Yea, they also get to see all the nice lower scoring porn. Not if you use the 'notify' option. Ugo > *sigh*. I give > up. Thanks for at least hearing me out. > > > Regards, > > Errol Neal > From marco at MUW.EDU Tue Feb 10 19:25:13 2004 
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:24 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.2.0.0.20040210135832.02643ab8@mail.enhtech.com> References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> <6.0.3.0.2.20040210182713.044efeb0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210135832.02643ab8@mail.enhtech.com> Message-ID: <1076441113.402930199d9e9@webmail.MUW.Edu> Quoting Admin Team : > Yea, they also get to see all the nice lower scoring porn. *sigh*. I give > up. Thanks for at least hearing me out. Exactly :) There is always a trade-off between security and convenience as you might know. There is a price for fighting spam/viruses. Sometimes this price is tangible and other times it is not. What works for me may not exactly work for everyone. However, we all share a common goal "fighting spam/viruses" and hopefully make the Internet "safer" for our users. I think your job as a skilled admin is to find that fine-line where you can satisfy a host of variables...You can never make everyone happy, right Julian??? Marco From mailscanner at ecs.soton.ac.uk Tue Feb 10 19:21:30 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:24 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <54C38A0B814C8E438EF73FC76F3629274108CA@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F3629274108CA@mtlnt501fs.CAMOROUTE.COM> Message-ID: <6.0.3.0.2.20040210191830.03bf4ec0@imap.ecs.soton.ac.uk> At 19:04 10/02/2004, you wrote: > > -----Original Message----- > > From: Admin Team [mailto:sysadmins@ENHTECH.COM] > > Sent: Tuesday, February 10, 2004 2:00 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: For those of us that feel strongly that email should be a > > reliable transport medium. > > > > > > At 01:31 PM 2/10/2004, you wrote: > > >That way the recipient can quickly skip > > >through all the labelled spam, but they have the option to > > check all of it > > >is correctly tagged. > > > > > > > > >-- > > >Julian Field > > >www.MailScanner.info > > >Professional Support Services at www.MailScanner.biz > > >MailScanner thanks transtec Computers for their support > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > Yea, they also get to see all the nice lower scoring porn. > >Not if you use the 'notify' option. This case is one of the main exact reasons I provide this option. They don't have to look at the message at all. I have still not seen any response to my proposal that you are confusing the two issues involved. If you want to have this out properly, then please reply to the proposals that are put to you. "*sigh*" doesn't do your argument any good, you are admitting defeat rather than coming to a compromise that satisfies all involved. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 10 19:17:51 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:24 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.2.0.0.20040210135832.02643ab8@mail.enhtech.com> References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> <6.0.3.0.2.20040210182713.044efeb0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210135832.02643ab8@mail.enhtech.com> Message-ID: <6.0.3.0.2.20040210191634.03bf4d38@imap.ecs.soton.ac.uk> At 19:00 10/02/2004, you wrote: >At 01:31 PM 2/10/2004, you wrote: >>That way the recipient can quickly skip >>through all the labelled spam, but they have the option to check all of it >>is correctly tagged. >> >> >>-- >>Julian Field >>www.MailScanner.info >>Professional Support Services at www.MailScanner.biz >>MailScanner thanks transtec Computers for their support >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >Yea, they also get to see all the nice lower scoring porn. *sigh*. I give >up. Thanks for at least hearing me out. No they don't. They set up their own email filters to put all the spam in an "AutoSpam" folder. Once in a while they go through the folder checking the "From:" and "Subject:" looking for false positives. That doesn't involve looking at the contents of each message at all. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 10 19:01:39 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.2.0.0.20040210135103.02629588@mail.enhtech.com> References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> <1076438404.40292584d0e3a@webmail.MUW.Edu> <6.0.2.0.0.20040210135103.02629588@mail.enhtech.com> Message-ID: <6.0.3.0.2.20040210185923.03899e00@imap.ecs.soton.ac.uk> At 18:54 10/02/2004, you wrote: >At 01:40 PM 2/10/2004, you wrote: >>I support Julian's decision of removing the "Bounce" option. To ask for this >>option knowingly that 99% of the time you're notifying the wrong sender is >>outrageous!!! ... >> >>I repspectfuly object to the point was made about e-mail "reliability" by >>enabling "Bounce". I think all you're doing is saturating the Internet with >>junk and costing other MTAs valuable resources and creating confusion. >>Do you call this "reliable"? >>Bouncing too many messages may even force some other MTAs to block your >>server to stop the excessive bounces. Do you call this "reliable"? >> >>I have been running MS to thousands of my users for 2 years now. Our >>users are >>extremely happy, less confused, and trust our service. There are other ways >>that Julian made available to accomplish what you are trying to do >>without "Bouncing" messages all over the Internet. >> >>If you look at the whole picture, you will see Julian's point ... >>Create a patch that more fits your needs and be done with !!! >> >>Marco > > > >Well can we agree that it is not the bounce, but the contents of the >bounce? For example, a message that says >"You are a spammer that sent a message to user@domain.com We do not accept >unsolicted mail and blah blah blah" >as opposed to a message that says "A message to user@domain.com that >apparently came from your email address was >not recieved. 
If you are indeed the sender, please find a alternate means >of communicating with the user. Otherwise please disregard this message". >That sounds a lot better than he first one. It's not the contents that are the problem, it's the quantity. Have you ever been on the receiving end of a joe-job attack? Or have you ever been the software author that has to put up with the personal abuse and physical threats mailed to you every week by the poor innocent victims of joe-jobs? I think your stance might change *real* fast if you had to deal with this. If you like, I'll start redirecting all my abusive email to you :-) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From lists at TRCINTL.COM Tue Feb 10 19:26:47 2004 
From: lists at TRCINTL.COM (Kyle Harris) Date: Thu Jan 12 21:22:25 2006 Subject: Mydoom Virus getting Through Message-ID: I have been running MailScanner for quite some time and it has successfully found literally thousands of e-mails infected with the Mydoom virus, as well as many others. However, I have noticed that every now and then for whatever reason one seems to slip through MailScanner. The reason I know this is that my mail is first scanned with MailScanner (using eTrust Antivirus 7.0) and then it is sent on to another machine running TrendMicro InterScan VirusWall (I had that in place before MailScanner). On about 4 occasions since the outbreak of Mydoom, a copy of the virus has made it through MailScanner undetected and has then been caught by the TrendMicro product. I had it happen several times already today. I checked the e-mail ID and I see in the log on MailScanner where it passed through without a hitch. I seem to recall someone posting something earlier about this occurring while using the Sophos antivirus product. I just thought this might be something to take note of. By the way, I am currently using MailScanner version 4.26.8 and my virus signatures are up to date. TrendMicro InterScan VirusWall reports the e-mail messages in question as having Mydoom.A. From mailscanner at ecs.soton.ac.uk Tue Feb 10 19:32:42 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:25 2006 Subject: Mydoom Virus getting Through In-Reply-To: References: Message-ID: <6.0.3.0.2.20040210193152.03c02cb0@imap.ecs.soton.ac.uk> At 19:26 10/02/2004, you wrote: >I have been running MailScanner for quite some time and it has successfully >found literally thousands of e-mail's infected with the Mydoom virus, as >well as many others. However, I have noticed that every now and then for >whatever reason one seems to slip through MailScanner. The reason I know >this is that my mail is first scanned with MailScanner (using eTrust >Antivirus 7.0) and then it is sent on to another machine running TrendMicro >InterScan VirusWall (I had that in place before MailScanner). > >On about 4 occasions since the outbreak of Mydoom, a copy of the virus has >made it through MailScanner undetected and has then been caught by the >TrendMicro product. I had it happen several times already today. I >checked the e-mail ID and I see in the log on MailScanner where it passed >through without a hitch. > >I seem to recall someone posting something earlier about this occuring >while using the Sophos antivirus product. I just thought this might be >something to take note of. By the way, I am currently using MailScanner >version 4.26.8 and my virus signatures are up to date. TrendMicro >InterScan VirusWall reports the e-mail messages in question as having >Mydoom.A. Can you set "Quarantine Whole Message = yes" and send me the quarantined copy of one that get through please? You will need to put it in a password-protected zip file to get to me. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From james at DENY.ORG Tue Feb 10 19:32:40 2004 
From: james at DENY.ORG (James Sizemore) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> Message-ID: <402931D8.5030803@deny.org> Julian Field wrote: > At 16:51 10/02/2004, you wrote: > > Why not just use > > Spam Actions = deliver > or > Spam Actions = deliver attachment > or > Spam Actions = notify store > > That way your recipients don't have to wade through anything, all your > incoming email is stored and people can get at messages that were wrongly > tagged very easily. My setup is an ISP setup very high volume: deliver, deliver attachment, and notify all still puts hundreds of email in pop mails boxes that users have to download over 28.8 baud links, The number of support calls we get because some users email client can't handle this (always outlook or outlook express) eats up real money. As I scan mail for hundreds of domains I'm not sure how long I would be able to "store" email for. I take in hundreds of emails a second, maybe a few days worth. Not to mention I would have to train thousands of users on how to pick up these stored messages! I'm not even sure how I would go about authenticating the users of the corporate customer that use us as an email gateway for incoming mail! > > I appreciate your point, and I am aware of your position. But bouncing > spam > is not the correct answer to it, there are many other superior > solutions to > the problem, that don't cause grief to everyone else on the net. I also appreciate your point of view, but I'm not worried about bouncing the spam I'm worried about bouncing that one message in a thousand that is a false positive. 
The one that winds me up on the phone with an irate customer because his stock quote did not get acknowledged, and a $5000 dollar a month customer is threating to find another ISP over a few emails! I would love to hear of these "superior solutions" but from what I can tell the only real solution is to bounce, every other solution has serious down sides. Or causes thousands of users to jump through hoops deleting mail they never wanted to begin with! > > > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From kodak at FRONTIERHOMEMORTGAGE.COM Tue Feb 10 19:37:22 2004 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:25 2006 Subject: Mydoom Virus getting Through In-Reply-To: Message-ID: <008001c3f00d$4dc40940$0501a8c0@darkside> >I seem to recall someone posting something earlier about this occurring >while using the Sophos antivirus product. I just thought this might be >something to take note of. By the way, I am currently using >MailScanner >version 4.26.8 and my virus signatures are up to date. TrendMicro >InterScan VirusWall reports the e-mail messages in question as having >Mydoom.A. There are issues with some MTAs bouncing MyDoom with munged-up MIME attachments, making it difficult for email virus scanners to detect. I honestly don't know if this is the domain of the anti-virus product or MailScanner (or its equivalent.) Also, I've gotten quite a few through Mailscanner + Sophos as well, but when examined the attachments were 0 bytes. This may not be the case with you, but in my case it wasn't being detected because there was nothing to detect. It's possible that Trend sees something in the message itself (as opposed to the attachment) and calls it "MyDoom" even though it's not executable. I would also recommend adding clamav to your setup. It's free and very, very good -- if one doesn't hit the other probably will. YMMV, of course. HTH, --J(K) From sysadmins at ENHTECH.COM Tue Feb 10 19:48:52 2004 
From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.3.0.2.20040210191830.03bf4ec0@imap.ecs.soton.ac.uk> References: <54C38A0B814C8E438EF73FC76F3629274108CA@mtlnt501fs.CAMOROUTE.COM> <6.0.3.0.2.20040210191830.03bf4ec0@imap.ecs.soton.ac.uk> Message-ID: <6.0.2.0.0.20040210142958.02646e30@mail.enhtech.com> At 02:21 PM 2/10/2004, you wrote: >I have still not seen any response to my proposal that you are confusing >the two issues involved. If you want to have this out properly, then >please reply to the proposals that are put to you. "*sigh*" doesn't do >your argument any good, you are admitting defeat rather than coming to a >compromise that satisfies all involved. >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 My sigh is out of frustration and for the work that is coming for me. When we discovered MailScanner and started using it and offering it to our clients, we quickly learned what worked and what did not work with our client base. Based upon what we learned we implemented standards and procedures around that. Since we have very high profile clients who rely upon email being delivered to them in a timely manner, they required some sort of assurance in this respect. So we implemented procedures where we bounce lower scoring SPAM so as to notify senders in case one sender was an actual valid email address with good intentions. Now, that you've changed things, I need to figure out other procedures that may not work for my client base and in our company Philosophy, you don't tell the client how you are going to inconvenience them. Businesses that do this don't stay in business very long. 
And please let me be clear Julian that you have every right to modify your software. I'm not the least bit upset about that nor am I challenging your authority to do so. However, what is funny to me is that the bounce option is just that. It's an option. For those of you not wishing to use it, don't do so. Now it is not an option any more but forcing people to change and modify their policies and procedures. So to answer your question, the way you guarantee delivery of email to your users is different than I do. My customers appreciate the lack of technical knowledge their users have to possess because of our services. This way they can focus on running their business operations. They appreciate that they do not have to filter messages and receive notifications. Errol Neal From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 10 19:49:25 2004 
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. Message-ID: <08146035CA49D6119A36009027AC822A0264EDEF@CITY-EXCH-NTS> >-----Original Message----- >It's not the contents that are the problem, it's the quantity. Have you >ever been on the receiving end of a joe-job attack? Or have >you ever been the software author that has to put up with the personal >abuse and physical threats mailed to you every week by the poor innocent >victims of joe-jobs? Don't get me wrong, as I fully agree w/you Julian, but I wonder if the default footer in the reports isn't somewhat to blame. I went through all of mine and put in stuff that pertains to my domain, and postmaster address. It may be though that some newcomers to MailScanner leave the default verbiage in there, thus insuring that it looks at first blush like MailScanner the "entity" is doing the filtering, not MailScanner the program running on a gazillion different mail hosts all over the planet. Sorta like Postini does. So here's a feature request: Make the reports footer a macro. Then, the MailScanner administrators can just rewrite that info once, and have it appear in all reports. This would also make upgrades a lot easier as we wouldn't get .rpmnew copies sitting there which are identical except for the footer. You, of course, *might* see a degradation of wayward ire over time as people put postmaster@theirdomain in the footer rather than a bunch of stuff that targets MailScanner. >I think your stance might change *real* fast if you had to >deal with this. >If you like, I'll start redirecting all my abusive email to you :-) Now there's an option! ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. 
Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From sysadmins at ENHTECH.COM Tue Feb 10 19:51:28 2004 From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:25 2006 Subject: Mydoom Virus getting Through In-Reply-To: References: Message-ID: <6.0.2.0.0.20040210145012.02512238@mail.enhtech.com> At 02:26 PM 2/10/2004, you wrote: >I have been running MailScanner for quite some time and it has successfully >found literally thousands of e-mail's infected with the Mydoom virus, as >well as many others. However, I have noticed that every now and then for >whatever reason one seems to slip through MailScanner. The reason I know >this is that my mail is first scanned with MailScanner (using eTrust >Antivirus 7.0) and then it is sent on to another machine running TrendMicro >InterScan VirusWall (I had that in place before MailScanner). > >On about 4 occasions since the outbreak of Mydoom, a copy of the virus has >made it through MailScanner undetected and has then been caught by the >TrendMicro product. I had it happen several times already today. I >checked the e-mail ID and I see in the log on MailScanner where it passed >through without a hitch. > >I seem to recall someone posting something earlier about this occuring >while using the Sophos antivirus product. I just thought this might be >something to take note of. By the way, I am currently using MailScanner >version 4.26.8 and my virus signatures are up to date. TrendMicro >InterScan VirusWall reports the e-mail messages in question as having >Mydoom.A. I know this is obvious for some, but still. Check your original message headers if you can. If your final SMTP server is not protected from the Internet, it may be open to receive message that were not routed through MX records. We are seeing some of this lately. Regards, Errol Neal From Mark.Warpool at BENCHMARK-USA.COM Tue Feb 10 19:52:28 2004 
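The two triage checks suggested in the Mydoom thread above (Jason Balicki's zero-byte or munged-MIME attachments, and Errol Neal's advice to check the original headers for mail that was not routed through the MX), as an added Python example that is not part of any message in this archive. The host name, the gateway address and both sample messages are constructed placeholders.

```python
import email
import re
from email import policy

# Hypothetical placeholders (not from the thread): substitute your own hosts.
FINAL_SERVER = "mail.example.org"  # server whose mailbox held the message
GATEWAY_IPS = {"192.0.2.10"}       # address(es) of the scanning gateway

# Sendmail-style hop: "from HELO (rdns [ip]) by HOST ...". The HELO name is
# chosen by the client; the bracketed IP is recorded by the receiving server.
HOP_RE = re.compile(
    r"^from\s+\S+\s+\([^)]*\[(?:IPv6:)?([0-9A-Fa-f.:]+)\][^)]*\)\s+by\s+([^\s;]+)")

# Constructed sample 1: relayed by the gateway, attachment part has no payload.
SAMPLE_VIA_GATEWAY = b"""\
Received: from scanner.example.org (scanner.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id A1; Tue, 10 Feb 2004 19:00:00 +0000
Received: from host7.example.net (host7.example.net [198.51.100.7])
\tby scanner.example.org with ESMTP id B2; Tue, 10 Feb 2004 18:59:58 +0000
From: sender@example.net
To: user@example.org
Subject: constructed sample 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

hello

--XYZ
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
Content-Transfer-Encoding: base64

--XYZ--
"""

# Constructed sample 2: handed straight to the final server by an outside host
# that claims the gateway's name in HELO and carries a forged gateway hop; the
# declared MIME boundary never appears in the body.
SAMPLE_DIRECT = b"""\
Received: from scanner.example.org (host7.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id C3; Tue, 10 Feb 2004 19:05:00 +0000
Received: from pc (pc [192.0.2.10])
\tby scanner.example.org with ESMTP id D4; Tue, 10 Feb 2004 19:04:00 +0000
From: sender@example.net
To: user@example.org
Subject: constructed sample 2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

body text with no boundary line in it
"""

def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)

def entry_peer(msg):
    """IP that handed the message to FINAL_SERVER, from the topmost hop it stamped."""
    for raw in msg.get_all("Received", []):
        m = HOP_RE.match(" ".join(str(raw).split()))
        if not m:
            continue                      # e.g. a local hop with no peer address
        peer_ip, by_host = m.group(1), m.group(2).lower()
        if by_host != FINAL_SERVER:
            return None                   # not stamped by our server: cannot vouch
        if peer_ip not in ("127.0.0.1", "::1"):
            return peer_ip
    return None

def came_via_gateway(msg):
    return entry_peer(msg) in GATEWAY_IPS

def attachment_report(msg):
    """Decoded size of every attachment part, so empty payloads stand out."""
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None and part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        report.append({"filename": name, "bytes": len(payload)})
    return report

def mime_defects(msg):
    """Names of structural defects the parser recorded while reading the message."""
    return [type(d).__name__ for part in msg.walk() for d in part.defects]

if __name__ == "__main__":
    for label, raw in (("via gateway", SAMPLE_VIA_GATEWAY), ("direct", SAMPLE_DIRECT)):
        msg = parse(raw)
        print(label, entry_peer(msg), came_via_gateway(msg),
              attachment_report(msg), mime_defects(msg))
```

Run it on a message exported with all headers from the final server's mailbox. Only the topmost hop stamped by your own server is trusted, since every Received line below it was supplied by the sending side.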
From: Mark.Warpool at BENCHMARK-USA.COM (Mark Warpool) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. Message-ID: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com> > From: James Sizemore [mailto:james@DENY.ORG] > Sent: Tuesday, February 10, 2004 2:33 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: For those of us that feel strongly that email should be a > reliable transport medium. > > > I also appreciate your point of view, but I'm not worried about > bouncing the spam > I'm worried about bouncing that one message in a thousand that is a > false positive. > The one that winds me up on the phone with an irate customer because > his stock > quote did not get acknowledged, and a $5000 dollar a month customer is > threating > to find another ISP over a few emails! I would love to hear of these > "superior > solutions" but from what I can tell the only real solution is to bounce, > every other > solution has serious down sides. Or causes thousands of users to jump > through > hoops deleting mail they never wanted to begin with! No offense, but this sounds rather self-serving. "I don't care who I damage, as long as my bottom line is safe." I'm not a MailScanner expert here, but I'd be willing to bet that someone could come up with an alternate solution that would be a decent compromise. But 'reverse-spamming' everyone else so that you have no chance of upsetting your customers seems a little selfish. From lists at TRCINTL.COM Tue Feb 10 19:58:56 2004 
From: lists at TRCINTL.COM (Kyle Harris) Date: Thu Jan 12 21:22:25 2006 Subject: Mydoom Virus getting Through Message-ID: On Tue, 10 Feb 2004 14:51:28 -0500, Admin Team wrote: >At 02:26 PM 2/10/2004, you wrote: >>I have been running MailScanner for quite some time and it has successfully >>found literally thousands of e-mail's infected with the Mydoom virus, as >>well as many others. However, I have noticed that every now and then for >>whatever reason one seems to slip through MailScanner. The reason I know >>this is that my mail is first scanned with MailScanner (using eTrust >>Antivirus 7.0) and then it is sent on to another machine running TrendMicro >>InterScan VirusWall (I had that in place before MailScanner). >> >>On about 4 occasions since the outbreak of Mydoom, a copy of the virus has >>made it through MailScanner undetected and has then been caught by the >>TrendMicro product. I had it happen several times already today. I >>checked the e-mail ID and I see in the log on MailScanner where it passed >>through without a hitch. >> >>I seem to recall someone posting something earlier about this occuring >>while using the Sophos antivirus product. I just thought this might be >>something to take note of. By the way, I am currently using MailScanner >>version 4.26.8 and my virus signatures are up to date. TrendMicro >>InterScan VirusWall reports the e-mail messages in question as having >>Mydoom.A. > >I know this is obvious for some, but still. Check your original message >headers if you can. If your final SMTP server is not >protected from the Internet, it may be open to receive message that were >not routed through MX records. We are seeing >some of this lately. The messages in question never get to the final SMTP server (which, by the way is protected from the Internet). The messages in question are clearly going through MailScanner, but thanks anyway. > > >Regards, > >Errol Neal From lists at TRCINTL.COM Tue Feb 10 20:04:31 2004 
From: lists at TRCINTL.COM (Kyle Harris) Date: Thu Jan 12 21:22:25 2006 Subject: Mydoom Virus getting Through Message-ID: On Tue, 10 Feb 2004 19:32:42 +0000, Julian Field wrote: >At 19:26 10/02/2004, you wrote: >>I have been running MailScanner for quite some time and it has successfully >>found literally thousands of e-mail's infected with the Mydoom virus, as >>well as many others. However, I have noticed that every now and then for >>whatever reason one seems to slip through MailScanner. The reason I know >>this is that my mail is first scanned with MailScanner (using eTrust >>Antivirus 7.0) and then it is sent on to another machine running TrendMicro >>InterScan VirusWall (I had that in place before MailScanner). >> >>On about 4 occasions since the outbreak of Mydoom, a copy of the virus has >>made it through MailScanner undetected and has then been caught by the >>TrendMicro product. I had it happen several times already today. I >>checked the e-mail ID and I see in the log on MailScanner where it passed >>through without a hitch. >> >>I seem to recall someone posting something earlier about this occuring >>while using the Sophos antivirus product. I just thought this might be >>something to take note of. By the way, I am currently using MailScanner >>version 4.26.8 and my virus signatures are up to date. TrendMicro >>InterScan VirusWall reports the e-mail messages in question as having >>Mydoom.A. > >Can you set "Quarantine Whole Message = yes" and send me the quarantined >copy of one that get through please? You will need to put it in a >password-protected zip file to get to me. I would be more than happy to do this as I have already received two more since I posted this, but won't it only quarantine something if it finds a virus in it? Since MailScanner is not finding anything wrong with the messages in question, it is sending them on. Kyle H. 
>-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From sysadmins at ENHTECH.COM Tue Feb 10 20:05:38 2004 
From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com> Message-ID: <6.0.2.0.0.20040210145851.02640e50@mail.enhtech.com> At 02:52 PM 2/10/2004, you wrote: >No offense, but this sounds rather self-serving. "I don't care who I >damage, as long as my bottom line is safe." I'm not a MailScanner >expert here, but I'd be willing to bet that someone could come up with >an alternate solution that would be a decent compromise. But >'reverse-spamming' everyone else so that you have no chance of upsetting >your customers seems a little selfish. No offense, but I cannot help but laugh to some extent. As a business owner, (not this company) I have to think not just at a technical level but at level that involves good business sense. For any business, the customers are what matters. Without them, why the heck are we in business? What is a product or service with out a user? The answer is IT is and will be nothing. So yes, it does sound self serving because it is. It serves the best interests of our clients and the are the reason we are in business. IF, any of the CEO's of CFO's of your companies were a client of my company's and subscribed to our services. IF, they received a time sensitive email message involving lots of money and did not get the message due to the fact that the message was destroyed and no sender was notified, guess who you CEO's and CFO's would hold liable? Can anyone say law suit? Errol neal From garry at GLENDOWN.DE Tue Feb 10 20:07:45 2004 
From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:22:25 2006 Subject: Mydoom Virus getting Through In-Reply-To: References: Message-ID: <40293A11.30909@glendown.de> Kyle Harris wrote: > I would be more than happy to do this as I have already received two more > since I posted this, but won't it only quarantine something if it finds a > virus in it? Since MailScanner is not finding anything wrong with the > messages in question, it is sending them on. If it is getting through, all you need to do is just export the whole message with all headers ... no need for the quarantine ... -gg From steve.swaney at FSL.COM Tue Feb 10 20:24:11 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.2.0.0.20040210145851.02640e50@mail.enhtech.com> Message-ID: <20040210202412.443DA21C14A@mail.fsl.com> Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Admin Team > Sent: Tuesday, February 10, 2004 3:06 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: For those of us that feel strongly that email should be a > reliable transport medium. > > At 02:52 PM 2/10/2004, you wrote: > > >No offense, but this sounds rather self-serving. "I don't care who I > >damage, as long as my bottom line is safe." I'm not a MailScanner > >expert here, but I'd be willing to bet that someone could come up with > >an alternate solution that would be a decent compromise. But > >'reverse-spamming' everyone else so that you have no chance of upsetting > >your customers seems a little selfish. > > No offense, but I cannot help but laugh to some extent. As a business > owner, (not this company) I have to think > not just at a technical level but at level that involves good business > sense. For any business, the customers > are what matters. Without them, why the heck are we in business? What is > a > product or service with out a user? The answer > is IT is and will be nothing. So yes, it does sound self serving because > it > is. It serves the best interests of our clients > and the are the reason we are in business. IF, any of the CEO's of CFO's > of > your companies were a client of my company's and > subscribed to our services. IF, they received a time sensitive email > message involving lots of money and did not get the message due > to the fact that the message was destroyed and no sender was notified, > guess who you CEO's and CFO's would hold > liable? Can anyone say law suit? > I know his is Way, way off topic but I just can't resist. Email is and should be considered as reliable but not guaranteed message delivery system. If your lawyer or banking clients are using email for critical document delivery, they should probably re-think that practice. 
I can tell you from personal experience with Wall Street Banking firms that
if a broker ever sent a buy-sell order or other type of exchange that
certifies a fund transfer via email he or she would be subject to severe
disciplinary action. It is forbidden.

The banks I've worked for legally consider email a totally insecure, not
100% guaranteed delivery, "business convenience" - and try to treat it
accordingly. Good lawyers treat email the same way.

Steve

> Errol neal
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Fortress Systems Ltd.
www.fsl.com

From mailscanner at ecs.soton.ac.uk Tue Feb 10 20:44:18 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:25 2006
Subject: Mydoom Virus getting Through
In-Reply-To:
References:
Message-ID: <6.0.3.0.2.20040210204323.03d347a0@imap.ecs.soton.ac.uk>

At 20:04 10/02/2004, you wrote:
>On Tue, 10 Feb 2004 19:32:42 +0000, Julian Field wrote:
>
> >At 19:26 10/02/2004, you wrote:
> >>I have been running MailScanner for quite some time and it has successfully
> >>found literally thousands of e-mail's infected with the Mydoom virus, as
> >>well as many others. However, I have noticed that every now and then for
> >>whatever reason one seems to slip through MailScanner. The reason I know
> >>this is that my mail is first scanned with MailScanner (using eTrust
> >>Antivirus 7.0) and then it is sent on to another machine running TrendMicro
> >>InterScan VirusWall (I had that in place before MailScanner).
> >>
> >>On about 4 occasions since the outbreak of Mydoom, a copy of the virus has
> >>made it through MailScanner undetected and has then been caught by the
> >>TrendMicro product. I had it happen several times already today. I
> >>checked the e-mail ID and I see in the log on MailScanner where it passed
> >>through without a hitch.
> >>
> >>I seem to recall someone posting something earlier about this occuring
> >>while using the Sophos antivirus product. I just thought this might be
> >>something to take note of. By the way, I am currently using MailScanner
> >>version 4.26.8 and my virus signatures are up to date. TrendMicro
> >>InterScan VirusWall reports the e-mail messages in question as having
> >>Mydoom.A.
> >
> >Can you set "Quarantine Whole Message = yes" and send me the quarantined
> >copy of one that get through please? You will need to put it in a
> >password-protected zip file to get to me.
>
>I would be more than happy to do this as I have already received two more
>since I posted this, but won't it only quarantine something if it finds a
>virus in it?
>Since MailScanner is not finding anything wrong with the
>messages in question, it is sending them on.

Either dig out the message as finally delivered (lift it out of the mailbox
completely intact) or just use "Archive Mail" to store absolutely
everything until you know you've found one. Then switch off "Archive Mail"
again.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dnsadmin at 1BIGTHINK.COM Tue Feb 10 20:46:00 2004
From: dnsadmin at 1BIGTHINK.COM (DNSAdmin)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com>
Message-ID: <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com>

> >
> > I also appreciate your point of view, but I'm not worried about bouncing the spam
> > I'm worried about bouncing that one message in a thousand that is a
> > false positive.
> > The one that winds me up on the phone with an irate customer because his stock
> > quote did not get acknowledged, and a $5000 dollar a month customer is threating
> > to find another ISP over a few emails! I would love to hear of these "superior
> > solutions" but from what I can tell the only real solution is to bounce, every other
> > solution has serious down sides. Or causes thousands of users to jump through
> > hoops deleting mail they never wanted to begin with!
>
>No offense, but this sounds rather self-serving. "I don't care who I
>damage, as long as my bottom line is safe." I'm not a MailScanner
>expert here, but I'd be willing to bet that someone could come up with
>an alternate solution that would be a decent compromise. But
>'reverse-spamming' everyone else so that you have no chance of upsetting
>your customers seems a little selfish.

Of course it is. But he's serving "high profile customers" whom obviously
are more important than the rest of us slags!

From james at DENY.ORG Tue Feb 10 20:46:27 2004
From: james at DENY.ORG (James Sizemore)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com>
References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com>
Message-ID: <40294323.5020506@deny.org>

Mark Warpool wrote:

>
>>every other
>>solution has serious down sides. Or causes thousands of users to jump
>>through
>>hoops deleting mail they never wanted to begin with!
>>
>>
>
>No offense, but this sounds rather self-serving. "I don't care who I
>damage, as long as my bottom line is safe." I'm not a MailScanner
>expert here, but I'd be willing to bet that someone could come up with
>an alternate solution that would be a decent compromise. But
>'reverse-spamming' everyone else so that you have no chance of upsetting
>your customers seems a little selfish.
>
>

The need of the many I think outweighs the need of the one or the few. You
want thousands of users to go through hundreds of emails a day they did not
want to save ten or fifteen poor slobs (And yes I have been one of these
poor slobs before.) from getting a few thousand emails they did not want. The
truth is BOTH of us are being selfish!!! We both just happen to be annoyed
by different sides of the same problem.

All things aside I was not asking him to go against his best interest, I
was finding out if enough people felt like me to make a public patch
instead of just patching my own server and moving on, he was just trying to
offer me other options. That's fine I just wished he had an option I liked,
but alas it was not so.

From dustin.baer at IHS.COM Tue Feb 10 20:47:44 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com> <6.0.2.0.0.20040210145851.02640e50@mail.enhtech.com>
Message-ID: <40294370.EA5BE0D8@ihs.com>

Admin Team wrote:
>
> IF, they received a time sensitive email
> message involving lots of money and did not get the message due
> to the fact that the message was destroyed and no sender was notified,
> guess who you CEO's and CFO's would hold liable?

How would CEO/CFO have received it, if it were bounced? What is your
definition of time sensitive?

I would be pretty annoyed if I was trying to do business with one of
your CEOs or CFOs and sent them a message that bounced back to me with a
message that it was spam. If there is something in there that caused a
bounce, then how am I supposed to know how to format it "properly" to
get the spamminess out of it? Do I call Mr. CFO and ask him? He will
then have to call you. Personally, the fewer times a C.O has to call me
to ask email questions, the happier I am.

Just don't upgrade to the current version and you can bounce all you
want.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From mailscanner at ecs.soton.ac.uk Tue Feb 10 20:56:36 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com>
References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com>
Message-ID: <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk>

At 20:46 10/02/2004, you wrote:
>Of course it is. But he's serving "high profile customers" whom obviously
>are more important than the rest of us slags!

Now now, people. Let's all remain calm and polite please...

I think this thread is best considered closed for now.
It's clearly a debate which is going to run and run, I may have to put the
"bounce" option to a vote.
But in the meantime, does anyone have any good ideas for a happy medium,
such as enabling it but not documenting it, or producing a nasty log
message if it is used, or something like that?
All constructive ideas are most welcome.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 10 21:06:09 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
Message-ID: <08146035CA49D6119A36009027AC822A0264EDF2@CITY-EXCH-NTS>

Well, you could also generate an autobounce to local postmaster too - make
'em eat their own dogfood as the saying goes. No option to turn it off of
course!

Feeling ornery today. Must be something in the water...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Tuesday, February 10, 2004 11:57 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: For those of us that feel strongly that email should be a
>reliable transport medium.
>
>
>At 20:46 10/02/2004, you wrote:
>>Of course it is. But he's serving "high profile customers" whom obviously
>>are more important than the rest of us slags!
>
>Now now, people. Let's all remain calm and polite please...
>
>I think this thread is best considered closed for now.
>It's clearly a debate which is going to run and run, I may have to put the
>"bounce" option to a vote.
>But in the meantime, does anyone have any good ideas for a happy medium,
>such as enabling it but not documenting it, or producing a nasty log
>message if it is used, or something like that?
>All constructive ideas are most welcome.
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From newslists at PESSIMISTS.NET Tue Feb 10 21:21:00 2004
From: newslists at PESSIMISTS.NET (Andy Sutton)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk>
References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk>
Message-ID: <1076448060.7678.6.camel@andy.pessimists.net>

On Tue, 2004-02-10 at 15:56, Julian Field wrote:
> But in the meantime, does anyone have any good ideas for a happy medium,
> such as enabling it but not documenting it, or producing a nasty log
> message if it is used, or something like that?
> All constructive ideas are most welcome.
> --
> Julian Field

Don't know if it is possible, but have an option where you can list your
hosted domains and then have an option to limit bounce messages to just
those domains in the TO/FROM. This would let providers inform their
customers that something did not go through while not polluting the rest
of the net. I think that this would make everyone (mostly) happy.

My .02

Andy

"I figure if I survive this thing... I can just about do anything I
want. If I don't survive, I don't have to pay taxes anymore. So it's a
win-win situation."
Brian Walker, Project RUSH - X Prize Competitor

From bpumphrey at WOODMACLAW.COM Tue Feb 10 21:20:18 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
Message-ID:

I like the idea of it being there but not documented. Also have a good
paragraph of what it will do, because It took me a little bit