From faq at mailscanner.info Sun Feb 1 00:28:01 2004
From: faq at mailscanner.info (faq@mailscanner.info)
Date: Thu Jan 12 21:22:14 2006
Subject: Faq-O-Matic Error Log
Message-ID: <200402010028.i110S1j4025597@seer.ecs.soton.ac.uk>

Errors from MailScanner Faq-O-Matic (v. 2.717):

2004-01-26-01-41-43 2.717 error editPart 23959 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 2; in item: 3)

2004-01-26-02-15-42 2.717 error faq 30705 <(noID)> The file (16>) doesn't exist.

2004-01-27-19-17-17 2.717 error editPart 32359 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 5; in item: 6)

2004-01-28-14-50-48 2.717 error faq 2380 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.

2004-01-28-14-53-39 2.717 error faq 2871 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.

2004-01-28-14-53-58 2.717 error editPart 2884 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 10000; in item: 0)

2004-01-28-14-54-43 2.717 error editPart 2989 <(noID)> Part number "-1" in "211" doesn't exist.

2004-01-28-14-57-00 2.717 error editPart 3632 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: -1; in item: 2)

2004-01-28-14-57-45 2.717 error faq 3893 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.

2004-01-28-14-59-40 2.717 note editPart 4227 <(noID)> Perl warning: Use of uninitialized value in pattern match (m//) at /usr/lib/perl5/site_perl/5.6.1/FAQ/OMatic/editPart.pm line 62.

2004-01-28-14-59-40 2.717 note editPart 4227 <(noID)> Perl warning: Use of uninitialized value in pattern match (m//) at /usr/lib/perl5/site_perl/5.6.1/FAQ/OMatic.pm line 1769.

2004-01-28-15-04-22 2.717 error editPart 5546 <(noID)> Part number "-1" in "57" doesn't exist.

2004-01-28-15-21-46 2.717 note editPart 8998 <(noID)> Perl warning: Use of uninitialized value in pattern match (m//) at /usr/lib/perl5/site_perl/5.6.1/FAQ/OMatic/editPart.pm line 62.

2004-01-28-15-21-46 2.717 note editPart 8998 <(noID)> Perl warning: Use of uninitialized value in pattern match (m//) at /usr/lib/perl5/site_perl/5.6.1/FAQ/OMatic.pm line 1769.

2004-01-28-15-21-46 2.717 error editPart 8998 <(noID)> Part number 0 in 136 doesn't exist.

From ejb at QL.ORG Sun Feb 1 04:44:33 2004
From: ejb at QL.ORG (Jay Berkenbilt)
Date: Thu Jan 12 21:22:15 2006
Subject: removal of "bounce" spam action in 4.26.7
Message-ID: <200402010444.i114iXif014991@soup.in.ql.org>

I see in the release announcement for 4.26.7 that the "bounce" spam action has been removed. I'm curious about this. We use this feature for spam that scores in the 5 to 10 range and send a bounce that instructs the user to send mail to a special mailbox which is not filtered. This allows us to let false positives through. We probably get about 5 messages a week for a 50 person company, and most of the messages are important. This is enough to convince me that this is an important feature. I can only guess that it's been removed because such a huge amount of spam has invalid addresses.
I know our mail queue has 500 undeliverable spam bounces in it at any given time. Still, I doubt I will succeed in convincing the powers that be at my company that we can do without that feature.

Have I understood this item in the announcement correctly? Is it true that "bounce" is no longer a valid spam action? If so, has something replaced it to achieve similar functionality? I suppose I could always implement this myself by forwarding to an address that uses procmail to send the bounce, but that would be a shame.

I apologize if I've missed an earlier discussion on this.

--
Jay Berkenbilt
http://www.ql.org/q/

From ugob at CAMO-ROUTE.COM Sun Feb 1 04:58:33 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:15 2006
Subject: removal of "bounce" spam action in 4.26.7
Message-ID: <54C38A0B814C8E438EF73FC76F36292741088D@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Jay Berkenbilt [mailto:ejb@QL.ORG]
> Sent: Saturday, January 31, 2004 11:45 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: removal of "bounce" spam action in 4.26.7
>
>
> I see in the release announcement for 4.26.7 that the "bounce" spam
> action has been removed. I'm curious about this. We use this feature
> for spam that scores in the 5 to 10 range and send a bounce that
> instructs the user to send mail to a special mailbox which is not
> filtered. This allows us to let false positives through. We probably
> get about 5 messages a week for a 50 person company, and most of the
> messages are important. This is enough to convince me that this is an
> important feature. I can only guess that it's been removed because
> such a huge amount of spam has invalid addresses. I know our mail
> queue has 500 undeliverable spam bounces in it at any given time.
> Still, I doubt I will succeed in convincing the powers that be at my
> company that we can do without that feature.
>
> Have I understood this item in the announcement correctly? Is it true
> that "bounce" is no longer a valid spam action?

Yes

> If so, has something
> replaced it to achieve similar functionality?

No

> I suppose I could
> always implement this myself by forwarding to an address that uses
> procmail to send the bounce, but that would be a shame.
>
> I apologize if I've missed an earlier discussion on this.

Yes, there has been a long thread about this.

hth

Ugo

>
> --
> Jay Berkenbilt
> http://www.ql.org/q/
>

From kevins at BMRB.CO.UK Sun Feb 1 10:41:07 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <200401311910.LAA12534@sheridan.sibble.net>
References: <200401311910.LAA12534@sheridan.sibble.net>
Message-ID: <1075632074.28761.69.camel@bach.kevinspicer.co.uk>

On Sat, 2004-01-31 at 18:48, Harondel J. Sibble wrote:
> The plan is to switch the primary MX to the MS box and have isp as secondary
> and the MS box will forward the test accounts to the internal server and any
> other mail with go to the isp. Telneting into the MS box, this all works
> fine. Now however I am wondering how to have the MS box send mail for the 2
> test accounts to both the internal server and isp mailserver.
>

I think you can make Non Spam actions a ruleset, with the default being deliver and specific rule for those two accounts to be 'deliver forward user@othermachine'

I do hope when you mentioned telneting you really meant sshing, not telnet using the telnet command.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited.
BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From kevins at BMRB.CO.UK Sun Feb 1 10:51:23 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:15 2006
Subject: removal of "bounce" spam action in 4.26.7
In-Reply-To: <200402010444.i114iXif014991@soup.in.ql.org>
References: <200402010444.i114iXif014991@soup.in.ql.org>
Message-ID: <1075632693.18054.8.camel@bach.kevinspicer.co.uk>

On Sun, 2004-02-01 at 04:44, Jay Berkenbilt wrote:
> Have I understood this item in the announcement correctly? Is it true
> that "bounce" is no longer a valid spam action? If so, has something
> replaced it to achieve similar functionality? I suppose I could
> always implement this myself by forwarding to an address that uses
> procmail to send the bounce, but that would be a shame.
>

You want to do some analysis on why the false positives are being generated. I managed to virtually eliminate them with a combination of whitelisting, tuning the threshold and adding rules to match the names of our products and assign negative scores. Typically false positives will be right at the bottom end of the score threshold, so either a) raise the lower threshold or b) lower the high score threshold and use the attachment deliver option for the low scoring spam.

As someone who has recently had his address used as the forged sender of a spam run and woke up to find hundreds of such bounce messages in his inbox I welcome the removal of the bounce option, and would encourage anyone thinking of finding a way around it to think again.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately.
Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From drew at THEMARSHALLS.CO.UK Sun Feb 1 11:03:17 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <200401311910.LAA12534@sheridan.sibble.net>
References: <200401311910.LAA12534@sheridan.sibble.net>
Message-ID: <401CDCF5.9060901@themarshalls.co.uk>

Harondel J. Sibble wrote:

>Is there an easy way in postfix or in MS to send mail to 2 locations?
>
>Situation, isp currently hosts dns and email accounts for client. We have an
>internal mailserver with an MS box as the mail relay for the internal server.
>We want to test with a few of the accounts that currently exist with the isp,
>so the we have the following transport map on the MS box
>
>username1@domain.com smtp:[192.168.x.x]
>username2@domain.com smtp:[192.168.x.x]
>domain.com smtp:isp mailserver (primary mx for domain)
>
>The plan is to switch the primary MX to the MS box and have isp as secondary
>and the MS box will forward the test accounts to the internal server and any
>other mail with go to the isp. Telneting into the MS box, this all works
>fine. Now however I am wondering how to have the MS box send mail for the 2
>test accounts to both the internal server and isp mailserver.
>
>

Just make an alias map something like:

testuser1: test1 test1@ispdomain
testuser2: test2 test2@ispdomain

Then

$ newaliases

Should do the trick

>The reason we are going this way is that we want to keep all the current mail
>running as it is while still be able to test and use the internal mailserver
>until we are satisfied that it is ready for production use. Can anyone
>suggest a better method of accomplishing the same goal?
>
>--
>Harondel J. Sibble
>Sibble Computer Consulting
>Creating solutions for the small business and home computer user.
>help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
>(604) 739-3709 (voice/fax) (604) 686-2253 (pager)
>
>

Regards

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From kevins at BMRB.CO.UK Sun Feb 1 11:18:27 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <401CDCF5.9060901@themarshalls.co.uk>
References: <200401311910.LAA12534@sheridan.sibble.net> <401CDCF5.9060901@themarshalls.co.uk>
Message-ID: <1075634307.18054.25.camel@bach.kevinspicer.co.uk>

On Sun, 2004-02-01 at 11:03, Drew Marshall wrote:
> Just make an alias map something like:
>
> testuser1: test1 test1@ispdomain
> testuser2: test2 test2@ispdomain
>

This will only work if the addresses (testuser1 and testuser2) are destined for mailboxes on the local machine.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.
From drew at THEMARSHALLS.CO.UK Sun Feb 1 11:32:03 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <1075634307.18054.25.camel@bach.kevinspicer.co.uk>
References: <200401311910.LAA12534@sheridan.sibble.net> <401CDCF5.9060901@themarshalls.co.uk> <1075634307.18054.25.camel@bach.kevinspicer.co.uk>
Message-ID: <401CE3B3.6030305@themarshalls.co.uk>

Kevin Spicer wrote:

>On Sun, 2004-02-01 at 11:03, Drew Marshall wrote:
>
>
>>Just make an alias map something like:
>>
>>testuser1: test1 test1@ispdomain
>>testuser2: test2 test2@ispdomain
>>
>>
>>
>This will only work if the addresses (testuser1 and testuser2) are
>destined for mailboxes on the local machine.
>
>
>

You are right. I misread the original post :-( but the same principle could be used for a virtual user map I would have thought just using full addresses.

>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>_________________________________________________________________
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance on it is prohibited. BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our
>business.
>
>

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040201/779971ab/attachment.html

From goleotti at MISAG.IT Sun Feb 1 12:09:20 2004
From: goleotti at MISAG.IT (Gabriele Oleotti)
Date: Thu Jan 12 21:22:15 2006
Subject: Vexira AV Support in 4.26.6?
Message-ID: <1488394A34F6A0408FDA3841418D1442183D46@scorpio.auron.mi>

I have to apologize for the last patch I sent you as the autoupdate script has a little bug (I forget the --update switch, so vexira isn't really doing the update). Sorry for that.

I corrected this bug and I have adjusted the output coming from the scanner as the vexira seems to use dos/windows CR+LF new line characters which causes bad looking output to be logged on my files.

Last, I have added time-out support (for the most copied from the alarm perldoc page and from the clamav-autoupdate) which I have tested and seemed to work fine.

Bye for now,
Gabriele

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Friday 30 January 2004 18.00
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Vexira AV Support in 4.26.6?

At 16:53 30/01/2004, you wrote:
>Will Support for Vexira Antivirus added in MailScanner Version 4.26.6?

No, sorry. I haven't had time to test it myself. It will have to wait for 4.27.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-------------- next part --------------
A non-text attachment was scrubbed...
Name: vexira.patch
Type: application/octet-stream
Size: 8456 bytes
Desc: vexira.patch
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040201/373b37ce/vexira.obj

From Janssen at RZ.UNI-FRANKFURT.DE Sun Feb 1 12:16:45 2004
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:22:15 2006
Subject: removal of "bounce" spam action in 4.26.7
In-Reply-To: <200402010444.i114iXif014991@soup.in.ql.org>
References: <200402010444.i114iXif014991@soup.in.ql.org>
Message-ID:

On Sat, 31 Jan 2004, Jay Berkenbilt wrote:

> I see in the release announcement for 4.26.7 that the "bounce" spam
> action has been removed. I'm curious about this. We use this feature
> for spam that scores in the 5 to 10 range and send a bounce that
> instructs the user to send mail to a special mailbox which is not
> filtered. This allows us to let false positives through. We probably
> get about 5 messages a week for a 50 person company, and most of the
> messages are important. This is enough to convince me that this is an
> important feature. I can only guess that it's been removed because
> such a huge amount of spam has invalid addresses.

*valid* addresses are the worse thing: spammer faking their from-address to the address of another person. This is why you can't bounce spam without making a possibly huge number of persons nervous, angry, lethargic about all the false spam-bounces they get. It's simply no good style because you would leave the work of sorting out bounces of true-negative and false-positive spam.

You can do this work on your own when you forward low score spam to a special, "ugly", account and sort out false-positives by your own. Which is lot of stupid work but can be tackled down with better whitelisting and such.
On our site, we provide daily informations about received spam for each account and leave it to each user to take this serious and check these spamlists for seldom false-positives (this means instead of deleting several spam per day you search one mail for ham list-entries). Works quite well because a human can distinct anonymous spam from personal important mail very fast.

Michael

From mailscanner at ecs.soton.ac.uk Sun Feb 1 13:41:33 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <1075632074.28761.69.camel@bach.kevinspicer.co.uk>
References: <200401311910.LAA12534@sheridan.sibble.net> <1075632074.28761.69.camel@bach.kevinspicer.co.uk>
Message-ID: <6.0.1.1.2.20040201133928.038d76e8@imap.ecs.soton.ac.uk>

At 10:41 01/02/2004, you wrote:
>On Sat, 2004-01-31 at 18:48, Harondel J. Sibble wrote:
> > The plan is to switch the primary MX to the MS box and have isp as secondary
> > and the MS box will forward the test accounts to the internal server and any
> > other mail with go to the isp. Telneting into the MS box, this all works
> > fine. Now however I am wondering how to have the MS box send mail for the 2
> > test accounts to both the internal server and isp mailserver.
> >
>I think you can make Non Spam actions a ruleset, with the default being
>deliver and specific rule for those two accounts to be 'deliver forward
>user@othermachine'

If you need to copy the mail to more than one address, you can specify "forward user@address.com" more than once in the rulesets.

Don't forget to do the same thing to the Spam Actions and the High Scoring Spam Actions settings as well, if you want to duplicate the spam too. But you don't need 3 identical files. You can of course make all 3 settings use the same ruleset file.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Feb 1 13:49:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:15 2006
Subject: Vexira AV Support in 4.26.6?
In-Reply-To: <1488394A34F6A0408FDA3841418D1442183D46@scorpio.auron.mi>
References: <1488394A34F6A0408FDA3841418D1442183D46@scorpio.auron.mi>
Message-ID: <6.0.1.1.2.20040201134926.04480128@imap.ecs.soton.ac.uk>

Hopefully I'll get this in to 4.27.

At 12:09 01/02/2004, you wrote:
>I have to apologize for the last patch I sent you as the autoupdate script
>has a little bug (I forget the --update switch, so vexira isn't really
>doing the update). Sorry for that.
>
>I corrected this bug and I have adjusted the output coming from the
>scanner as the vexira seems to use dos/windows CR+LF new line characters
>which causes bad looking output to be logged on my files.
>
>Last, I have added time-out support (for the most copied from the alarm
>perldoc page and from the clamav-autoupdate) which I have tested and
>seemed to work fine.
>
>Bye for now,
>Gabriele
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Friday 30 January 2004 18.00
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Vexira AV Support in 4.26.6?
>
>
>At 16:53 30/01/2004, you wrote:
> >Will Support for Vexira Antivirus added in MailScanner Version 4.26.6?
>
>No, sorry. I haven't had time to test it myself. It will have to wait for
>4.27.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Feb 1 15:52:53 2004
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:22:15 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200402011552.i11FqrZZ030027@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Reinier

We run MailScanner plus Spamassassin with Exim, McAfee and Bitdefender.

Works great, keep up the good work.

One wish although...can zip files be extracted and be checked for dangerous filetypes such as .pif and .scr ?

In case your scanner isn't up2date you don't have to worry that users are opening zips containing .pifs and other executable stuff.
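
The filename check this entry asks for, as an added example (it is not part of the guestbook entry and is not MailScanner's code): it reads a zip's member names and flags blocked extensions, including inside nested zips, without depending on a virus signature. The extensions other than .pif and .scr, the three limits, the function names and the sample archive are assumptions constructed for this illustration.

```python
import io
import zipfile

# ".pif" and ".scr" come from the guestbook entry; the other extensions and
# all three limits are assumptions chosen for this illustration.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}
MAX_DEPTH = 3                        # levels of zip-inside-zip that are opened
MAX_MEMBERS = 1000                   # archives with more entries are rejected
MAX_NESTED_BYTES = 10 * 1024 * 1024  # largest nested zip that is inflated


def blocked_members(data, depth=0, prefix=""):
    """Return the archive members that should stop delivery.

    Only the member names are examined; nothing is executed or
    signature-scanned. Anything that cannot be inspected is reported too,
    so the caller fails closed instead of passing an unknown archive.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable zip>"]

    findings = []
    with archive:
        members = archive.infolist()
        if len(members) > MAX_MEMBERS:
            return [prefix + "<too many members>"]
        for info in members:
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Windows ignores trailing dots and spaces, so "x.scr." runs as x.scr.
            cleaned = info.filename.lower().rstrip(". ")
            ext = "." + cleaned.rsplit(".", 1)[1] if "." in cleaned else ""
            if ext in BLOCKED_EXTENSIONS:
                findings.append(path)
            elif ext == ".zip":
                inner = None
                inspectable = (
                    not (info.flag_bits & 0x1)             # not encrypted
                    and info.file_size <= MAX_NESTED_BYTES  # declared size
                    and depth + 1 < MAX_DEPTH
                )
                if inspectable:
                    try:
                        inner = archive.read(info)
                    except (zipfile.BadZipFile, NotImplementedError, RuntimeError):
                        inner = None
                if inner is None:
                    findings.append(path + " <nested zip not inspected>")
                else:
                    findings.extend(blocked_members(inner, depth + 1, path + "!"))
    return findings


def build_sample():
    """Constructed sample: harmless placeholder bytes under made-up names."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("photo.SCR", b"placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("document.doc.pif", b"placeholder")
        z.writestr("more/inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for name in blocked_members(build_sample()):
        print("blocked:", name)
```

Member names stay readable in a password-protected zip, so the extension check still applies to its top level; only encrypted nested archives are reported as not inspected.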

From mike at CAMAROSS.NET Sun Feb 1 17:12:50 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <401CDCF5.9060901@themarshalls.co.uk>
Message-ID: <200402011711.i11HBCH2025165@avwall.bladeware.com>

On the MS box, you *could* use the Archive function to send mail to more than one user:

FromTo: user1@yourdomain.com otheruser@somedomain.org

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Drew Marshall
> Sent: Sunday, February 01, 2004 5:03 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: sending mail to 2 locations
>
> Harondel J. Sibble wrote:
>
> >Is there an easy way in postfix or in MS to send mail to 2 locations?
> >
> >Situation, isp currently hosts dns and email accounts for client. We
> >have an internal mailserver with an MS box as the mail relay for the internal server.
> >We want to test with a few of the accounts that currently exist with
> >the isp, so the we have the following transport map on the MS box
> >
> >username1@domain.com smtp:[192.168.x.x]
> >username2@domain.com smtp:[192.168.x.x]
> >domain.com smtp:isp mailserver (primary mx for domain)
> >
> >The plan is to switch the primary MX to the MS box and have isp as
> >secondary and the MS box will forward the test accounts to the internal
> >server and any other mail with go to the isp. Telneting into the MS
> >box, this all works fine. Now however I am wondering how to have the MS
> >box send mail for the 2 test accounts to both the internal server and isp mailserver.
> >
> >
> Just make an alias map something like:
>
> testuser1: test1 test1@ispdomain
> testuser2: test2 test2@ispdomain
>
> Then
>
> $ newaliases
>
> Should do the trick
>
> >The reason we are going this way is that we want to keep all the
> >current mail running as it is while still be able to test and use the
> >internal mailserver until we are satisfied that it is ready for
> >production use. Can anyone suggest a better method of accomplishing the same goal?
> >
> >--
> >Harondel J. Sibble
> >Sibble Computer Consulting
> >Creating solutions for the small business and home computer user.
> >help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
> >(604) 739-3709 (voice/fax) (604) 686-2253 (pager)
> >
> >
> Regards
>
> Drew
>
>
> --
> In line with our policy, this message has been scanned for
> viruses and dangerous content by MailScanner, and is believed
> to be clean.
> www.themarshalls.co.uk/policy
>

From dannyz at belgonet.com Sun Feb 1 16:56:28 2004
From: dannyz at belgonet.com (Danny Zak)
Date: Thu Jan 12 21:22:15 2006
Subject: join mailscanner danny zak
Message-ID: <190197488894.20040201175628@belgonet.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040201/4ce6036a/attachment.html

From dannyz at belgonet.com Sun Feb 1 16:59:42 2004
From: dannyz at belgonet.com (Danny Zak)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
Message-ID: <71197683674.20040201175942@belgonet.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040201/00ba0590/attachment.html

From ugob at CAMO-ROUTE.COM Sun Feb 1 18:04:26 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
Message-ID: <54C38A0B814C8E438EF73FC76F36292741088F@mtlnt501fs.CAMOROUTE.COM>

-----Original Message-----
From: Danny Zak [mailto:dannyz@belgonet.com]
Sent: Sunday, February 01, 2004 12:00 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ZIP files seems not to be scanned (mydoom)

Hello MAILSCANNER list;

it seems that my mailscanner isn't scanning zip attaches for viruses.

[Ugo Bellavance] It is the job of your anti-virus, not mailscanner's

it does filter out the mydoom virus by files that are standardly attached although.

--
Best regards,
Danny mailto:dannyz@belgonet.com

belGOnet.com a Euro-pictures division - internet solutions
place princesse elisabeth 9/11 - 1030 Brussels - Belgium
Tel : +32-(0)2-215.67.65 - Fax : +32-(0)2-215.66.65
domains - hosting - hardware - VoiP - consultancy - backuping
CISCO - HP/COMPAQ - SUN - EMC - JUNIPER - IBM - DELL - NORTEL

No legal consequences can be derived from the contents of the email neither is belGOnet.com committed to them. The content of this email is exclusively intended for adressee(s) and information purposes. belGOnet.com accepts no liability for any damage resulting from the use and/or acceptation of the content of this email.

From kevins at BMRB.CO.UK Sun Feb 1 18:10:34 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
In-Reply-To: <71197683674.20040201175942@belgonet.com>
References: <71197683674.20040201175942@belgonet.com>
Message-ID: <1075659034.21098.34.camel@bach.kevinspicer.co.uk>

On Sun, 2004-02-01 at 16:59, Danny Zak wrote: Hello MAILSCANNER list;

>it seems that my mailscanner isn't scanning zip attaches for viruses.

>it does filter out the mydoom virus by files that are standardly
>attached although.

As Ugo says this is the job of your antivirus, which one are you using.

Have you checked that the unfiltered mails actually contain the virus in their zips (run past another virus scanner) - there are some broken copies around sending out non infected zips.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From rwmailscanner at LACASITA.DEMON.CO.UK Sun Feb 1 20:31:19 2004
From: rwmailscanner at LACASITA.DEMON.CO.UK (Robert Richard Wallace)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
Message-ID:

Also I believe some of the bounces are coming back with the whole bounce msg including virus set in a plain text mime type. All the clients I use don't therefore allow me to save off the infected attachment. NOT SURE WHAT OUTLOOK DOES ON THESE.

My INBOX is becoming spammed silly with these reject Messages with a copy of the virus attached in MIME format.

Question is should MailScanner be able to break up the msg and find these bounces and filter them out as well ?

Anyone care to comment ?

On Sun, 1 Feb 2004 18:10:34 +0000, Kevin Spicer wrote:

>On Sun, 2004-02-01 at 16:59, Danny Zak wrote: Hello MAILSCANNER list;
>
>>it seems that my mailscanner isn't scanning zip attaches for viruses.
>
>>it does filter out the mydoom virus by files that are standardly
>>attached although.
>
>As Ugo says this is the job of your antivirus, which one are you using.
>
>Have you checked that the unfiltered mails actually contain the virus in
>their zips (run past another virus scanner) - there are some broken
>copies around sending out non infected zips.
>
>
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>_________________________________________________________________
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance on it is prohibited. BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our
>business.

From jaearick at COLBY.EDU Sun Feb 1 20:39:31 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
Message-ID:

Julian,

I tried an upgrade from 4.25-14 to 4.26.7. Setup: Sol 9, SA 2.63. I got gobs of:

    Skipping SpamAssassin while waiting for Bayes database to rebuild

messages with 4.26.7. The zero byte file /tmp/MS.bayes.rebuild.lock appeared after I restarted MS, and it never seems to go away. I tried things with both "Rebuild Bayes Every = 0" and with this set to 86400. Same deal. I'm afraid to try "Wait During Bayes Rebuild = yes" because if it never rebuilds then no mail gets delivered, right? A rebuild should only take a few seconds, right?

I tried stopping MS, removing /tmp/MS.bayes*, restarting -- still no luck. I've fallen back to 4.25-14 for the moment.

BTW, I have a cron job to do bayes spam/ham learning with

    $SALEARN --prefs-file=$PREFS --rebuild --force-expire

at the top. Should I still do this rebuild and force-expire in this script?

From mailscanner at ecs.soton.ac.uk Sun Feb 1 21:33:46 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040201211323.037b9598@imap.ecs.soton.ac.uk>

At 20:39 01/02/2004, you wrote:
>Julian,
>
> I tried an upgrade from 4.25-14 to 4.26.7. Setup: Sol 9,
>SA 2.63. I got gobs of:
>
> Skipping SpamAssassin while waiting for Bayes database to rebuild

This should only happen every day or so. Depends on your setting of "Rebuild Bayes Every". How often do you get a bunch of these?

>messages with 4.26.7. The zero byte file /tmp/MS.bayes.rebuild.lock
>appeared after I restarted MS, and it never seems to go away.

That's fine. It's a lock file that each of the child processes will maintain a shared lock on.

> I
>tried things with both "Rebuild Bayes Every = 0" and with this set
>to 86400. Same deal. I'm afraid to try "Wait During Bayes Rebuild = yes"
>because if it never rebuilds then no mail gets delivered, right?

You'll soon see.

>A rebuild should only take a few seconds, right?

It can take a minute or two if your Bayes database is quite large.

>I tried stopping MS, removing /tmp/MS.bayes*, restarting -- still no
>luck. I've fallen back to 4.25-14 for the moment.
>
>BTW, I have a cron job to do bayes spam/ham learning with
>
> $SALEARN --prefs-file=$PREFS --rebuild --force-expire
>
>at the top. Should I still do this rebuild and force-expire in this
>script?

No. My scheduled rebuild is there to replace this. It is designed to solve the bayes_toks.new problem by locking out SpamAssassin during the rebuild without causing SA to just timeout. Instead of SA timing out, it skips it or waits for it to complete.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dannyz at belgonet.com Sun Feb 1 21:19:46 2004
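Added example, not part of the original messages and not MailScanner's own code: a Python sketch of the lock-file behaviour Julian Field describes in the "4.26.7, bayes rebuild, confused." thread, where scanning children take a shared lock on the rebuild lock file and a rebuild locks them out, so a child either skips the spam checks or waits. It assumes flock(2)-style advisory locks and a lock file in a private temporary directory; the function names are hypothetical.

```python
import fcntl
import os
import tempfile
import threading
import time


def open_lock(path):
    """Open (and create if needed) the lock file.

    Each call returns a new open file description, so flock() treats the
    descriptors like separate processes even inside this one script.
    """
    return os.open(path, os.O_RDWR | os.O_CREAT, 0o600)


def spam_check(fd, wait_during_rebuild):
    """Model one scanning child deciding whether to run spam checks.

    Returns "scan" when the shared lock is obtained and "skip" when a
    rebuild holds the exclusive lock and waiting is not allowed.
    """
    flags = fcntl.LOCK_SH
    if not wait_during_rebuild:
        flags |= fcntl.LOCK_NB      # fail at once instead of blocking
    try:
        fcntl.flock(fd, flags)
    except BlockingIOError:
        return "skip"               # fail-open: mail continues without spam checks
    try:
        return "scan"               # the spam checks would run here
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)


def run_demo(rebuild_seconds=0.3, batches=5):
    # Hypothetical lock file name; assumption: advisory flock() locks.
    path = os.path.join(tempfile.mkdtemp(), "bayes.rebuild.lock")
    child = open_lock(path)
    rebuilder = open_lock(path)
    result = {}

    # No rebuild running: the child gets its shared lock and scans.
    result["idle"] = spam_check(child, wait_during_rebuild=False)

    # Rebuild in progress: the exclusive lock shuts every shared locker out.
    fcntl.flock(rebuilder, fcntl.LOCK_EX)
    decisions = [spam_check(child, False) for _ in range(batches)]
    result["skipped_batches"] = decisions.count("skip")

    # With waiting enabled the child blocks until the rebuild releases the
    # lock; a rebuild that never finished would block it indefinitely.
    timer = threading.Timer(rebuild_seconds, fcntl.flock,
                            args=(rebuilder, fcntl.LOCK_UN))
    timer.start()
    started = time.monotonic()
    result["waited"] = spam_check(child, wait_during_rebuild=True)
    result["waited_seconds"] = time.monotonic() - started
    timer.join()

    # The lock file holds no data and unlocking does not remove it, so a
    # zero-byte file that stays in place is expected.
    result["lock_file_size"] = os.path.getsize(path)
    os.close(child)
    os.close(rebuilder)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Every batch counted in `skipped_batches` stands for mail delivered without spam checks, so a steady stream of "Skipping SpamAssassin" log lines is worth alerting on.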
From: dannyz at belgonet.com (Danny Zak)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
In-Reply-To: <54C38A0B814C8E438EF73FC76F36292741088F@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F36292741088F@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <125213287401.20040201221946@belgonet.com>

Hello Ugo,

thanks for your response; as also to Kevin and Robert...

I use fprot antivirus with it; although it's strange that it isn't configured in my mailscanner config file ..

I assume it is working although; since I notice this in my maillog

Feb 1 10:51:07 ns MailScanner[24262]: New Batch: Scanning 1 messages, 1076 bytes
Feb 1 10:51:07 ns MailScanner[24262]: Spam Checks: Starting
Feb 1 10:51:12 ns update.virus.scanners: Found f-prot installed
Feb 1 10:51:12 ns update.virus.scanners: Updating f-prot
Feb 1 10:51:12 ns MailScanner[24262]: Virus and Content Scanning: Starting
Feb 1 10:51:12 ns MailScanner[24262]: Uninfected: Delivered 1 messages

--
Best regards,
 Danny mailto:dannyz@belgonet.com

belGOnet.com a Euro-pictures division - internet solutions
place princesse elisabeth 9/11 - 1030 Brussels - Belgium
Tel : +32-(0)2-215.67.65 - Fax : +32-(0)2-215.66.65

domains - hosting - hardware - VoiP - consultancy - backuping
CISCO - HP/COMPAQ - SUN - EMC - JUNIPER - IBM - DELL - NORTEL

No legal consequences can be derived from the contents of the email
neither is belGOnet.com committed to them. The content of this email
is exclusively intended for adressee(s) and information purposes.
belGOnet.com accepts no liability for any damage resulting from the
use and/or acceptation of the content of this email.

Sunday, February 1, 2004, 7:04:26 PM, you wrote:

UB> -----Original Message-----
UB> From: Danny Zak [mailto:dannyz@belgonet.com]
UB> Sent: Sunday, February 01, 2004 12:00 PM
UB> To: MAILSCANNER@JISCMAIL.AC.UK
UB> Subject: ZIP files seems not to be scanned (mydoom)

UB> Hello MAILSCANNER list;

UB> it seems that my mailscanner isn't scanning zip attaches for virusses.
UB> [Ugo Bellavance]
UB> It is the job of your anti-virus, not mailscanner's

UB> it does filter out the mydoom virus by files that are standardly attached although.

From mailscanner at ecs.soton.ac.uk Sun Feb 1 21:37:38 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
In-Reply-To: <125213287401.20040201221946@belgonet.com>
References: <54C38A0B814C8E438EF73FC76F36292741088F@mtlnt501fs.CAMOROUTE.COM> <125213287401.20040201221946@belgonet.com>
Message-ID: <6.0.1.1.2.20040201213635.037e4e40@imap.ecs.soton.ac.uk>

At 21:19 01/02/2004, you wrote:
>Hello Ugo,
>
>thanks for your reponse; as also to kevin and robert...
>
>i use fprot antivirus with it; although its strange that it is't
>configured in my mailscanner config file ..
>
>i assume it is working although; since i notice this in my maillog

No, that log section means exactly what it says. It has found it installed and is keeping it up to date for you. Unless you mention it in MailScanner.conf it won't be using it.

>Feb 1 10:51:07 ns MailScanner[24262]: New Batch: Scanning 1 messages,
>1076 bytes
>Feb 1 10:51:07 ns MailScanner[24262]: Spam Checks: Starting
>Feb 1 10:51:12 ns update.virus.scanners: Found f-prot installed
>Feb 1 10:51:12 ns update.virus.scanners: Updating f-prot
>Feb 1 10:51:12 ns MailScanner[24262]: Virus and Content Scanning: Starting
>Feb 1 10:51:12 ns MailScanner[24262]: Uninfected: Delivered 1 messages
>
>
>--
>Best regards,
> Danny mailto:dannyz@belgonet.com
>
>belGOnet.com a Euro-pictures division - internet solutions
>place princesse elisabeth 9/11 - 1030 Brussels - Belgium
>Tel : +32-(0)2-215.67.65 - Fax : +32-(0)2-215.66.65
>
>domains - hosting - hardware - VoiP - consultancy - backuping
>CISCO - HP/COMPAQ - SUN - EMC - JUNIPER - IBM - DELL - NORTEL
>
>
>No legal consequences can be derived from the contents of the email
>neither is belGOnet.com committed to them. The content of this email
>is exclusively intended for adressee(s) and information purposes.
>belGOnet.com accepts no liability for any damage resulting from the
>use and/or acceptation of the content of this email.
>
>
>Sunday, February 1, 2004, 7:04:26 PM, you wrote:
>
>UB> -----Original Message-----
>UB> From: Danny Zak [mailto:dannyz@belgonet.com]
>UB> Sent: Sunday, February 01, 2004 12:00 PM
>UB> To: MAILSCANNER@JISCMAIL.AC.UK
>UB> Subject: ZIP files seems not to be scanned (mydoom)
>
>
>UB> Hello MAILSCANNER list;
>
>UB> it seems that my mailscanner isn't scanning zip attaches for virusses.
>UB> [Ugo Bellavance]
>UB> It is the job of your anti-virus, not mailscanner's
>
>UB> it does filter out the mydoom virus by files that are standardly
>attached although.
>
>
>
>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From peter at UCGBOOK.COM Sun Feb 1 21:38:11 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
In-Reply-To: <125213287401.20040201221946@belgonet.com>
References: <54C38A0B814C8E438EF73FC76F36292741088F@mtlnt501fs.CAMOROUTE.COM> <125213287401.20040201221946@belgonet.com>
Message-ID: <401D71C3.2080402@ucgbook.com>

Danny Zak wrote:

> Feb 1 10:51:12 ns update.virus.scanners: Found f-prot installed
> Feb 1 10:51:12 ns update.virus.scanners: Updating f-prot

This just means that it found F-prot so it could update the signatures for it, no need to configure that. It does *not* mean that it will use F-prot to scan messages unless you configure it to do so.

> Feb 1 10:51:12 ns MailScanner[24262]: Virus and Content Scanning: Starting

This is for all kinds of checks. Does not mean it will actually virus scan with your virus scanner.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From mailscanner at pdscc.com Mon Feb 2 07:40:09 2004
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
In-Reply-To: <1075632074.28761.69.camel@bach.kevinspicer.co.uk>
References: <200401311910.LAA12534@sheridan.sibble.net>
Message-ID: <200402020801.AAA19480@sheridan.sibble.net>

On 1 Feb 2004 at 10:41, Kevin Spicer wrote:

> I do hope when you mentioned telneting you really meant sshing, not
> telnet using the telnet command.

no.... I meant telneting, I was testing an smtp connection, ssh is _generally_ of no use in that situation.

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From dannyz at belgonet.com Sun Feb 1 21:53:09 2004
From: dannyz at belgonet.com (Danny Zak)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
In-Reply-To: <6.0.1.1.2.20040201213635.037e4e40@imap.ecs.soton.ac.uk>
References: <54C38A0B814C8E438EF73FC76F36292741088F@mtlnt501fs.CAMOROUTE.COM> <125213287401.20040201221946@belgonet.com> <6.0.1.1.2.20040201213635.037e4e40@imap.ecs.soton.ac.uk>
Message-ID: <190215290651.20040201225309@belgonet.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040201/a1d634ab/attachment.html

From nathan at TCPNETWORKS.NET Sun Feb 1 22:21:48 2004
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:22:15 2006
Subject: many spamassassin timeouts
Message-ID:

Make sure you aren't having Bayes locking issues. My timeouts were attributable to this more than once. Check /var/spool/spamassassin (or wherever your Bayes database resides) for extra bayes lock files and delete them (you may also need to delete the *.expiry files). Try running a manual rebuild of the database like so:

    sa-learn -D -p /etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire

If this is the cause of the problem, consider taking advantage of the bayes rebuild options available in the latest release of MailScanner (or run the command regularly via cron).

Nathan

-----Original Message-----
From: Stephen Swaney [mailto:steve.swaney@FSL.COM]
Sent: Saturday, January 31, 2004 12:07 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: many spamassassin timeouts

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Mickey Everts > Sent: Saturday, January 31, 2004 2:54 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: many spamassassin timeouts > > Here is something very weird I just noticed in trying to track this down. > Here is just a small sample of my logs, but notice the time outs happen > almost exactly every ten minutes? I am running mailscanner-4.25-14. > [SKS] Do you have an event that is slowing down you network every 10 minutes. Try a sniffer and see. This is the typical cause for SpamAssassin timeouts. Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > Jan 31 05:48:41 defender MailScanner[18146]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 05:59:05 defender MailScanner[17813]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:09:02 defender MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:19:03 defender MailScanner[18146]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:29:41 defender MailScanner[17795]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:39:26 defender MailScanner[17813]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 06:50:14 defender MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:00:05 defender MailScanner[18146]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:10:43 defender MailScanner[17795]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:20:32 defender MailScanner[17795]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:30:42 defender MailScanner[17784]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:40:45 defender 
MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 07:50:53 defender MailScanner[18146]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 08:00:48 defender MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 08:11:01 defender MailScanner[17795]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > Jan 31 08:20:59 defender MailScanner[17717]: SpamAssassin timed out and > was > killed, consecutive failure 1 of 10 > > Mickey > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf > Of Julian Field > Sent: Saturday, January 31, 2004 6:37 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: many spamassassin timeouts > > At 21:17 30/01/2004, you wrote: > >I turned on Debug = yes and Debug SpamAssassin = yes but I am not seeing > >output similar to below in maillog. Should I be looking elsewhere else? > I > >am trying to track down the source of some spamassassin timeouts I have > been > >having. Ideally I need to log the equivalent of "spamassassin -D" for a > few > >hours. > > Those 2 options will cause "check_mailscanner" to log all the SA output to > the terminal. It will process 1 batch of messages and then quit. > I have been getting a lot of Razor timeouts recently, and have currently > disabled it. You can do this by adding > use_razor2 0 > to your spam.assassin.prefs.conf and restarting MailScanner. > > > > >Thanks! > > > >Mickey > > > >-----Original Message----- 
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf > >Of Piet Bos > >Sent: Monday, January 26, 2004 3:02 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: many spamassassin timeouts > > > >a part of the debug output. > >I find the 0 behind Net::DNS resolver unavailable rather curious > >do you agree? > > > >grtz Piet > > > >debug: running raw-body-text per-line regexp tests; score so far=4.3 > >debug: running uri tests; score so far=4.3 > >debug: uri tests: Done uriRE > >debug: running full-text regexp tests; score so far=4.3 > >debug: Razor2 is not available > >debug: DCC is not available: dccproc not found > >debug: Razor1 is not available > >debug: Pyzor is not available: pyzor not found > >debug: is Net::DNS::Resolver unavailable? 0 > >debug: trying (3) gwdg.de... > >debug: looking up MX for 'gwdg.de' > >debug: MX for 'gwdg.de' exists? 1 > >debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available > to > >hardcode) > >debug: is DNS available? 1 > >debug: running meta tests; score so far=5.3 > >----- Original Message ----- 
> >From: "Julian Field" > >To: > >Sent: Monday, January 26, 2004 9:39 AM > >Subject: Re: many spamassassin timeouts > > > > > > > Run with Debug = yes and Debug SpamAssassin = yes, and see where the > > > slow-down is. > > > > > > At 08:33 26/01/2004, you wrote: > > > >Experiencing many spamassassin timeouts lately. > > > >Is there a valid reason for that? > > > >I'm using version 4.26-1 starting > > > >my settings in MailScanner.conf are: > > > >SpamAssassin Timeout = 40 > > > >Max SpamAssassin Timeouts = 50 > > > > > > > >Any suggestions? > > > >brgds Piet > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Fortress Systems Ltd. www.fsl.com From brose at MED.WAYNE.EDU Sun Feb 1 23:42:21 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:15 2006 Subject: 4.26.7, bayes rebuild, confused. Message-ID: I get the same thing, even if Rebuild Bayes Every is set to 0. I've even removed by bayes and started over from scratch. The bayes files haven't been touched at all since I recreated them. If I disabled Bayes in the SA conf, it still says it's skipping for that reason. I'm also on Solaris but v8 with SA 2.63 -=B -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Sunday, February 01, 2004 4:34 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.26.7, bayes rebuild, confused. At 20:39 01/02/2004, you wrote: >Julian, > > I tried an upgrade from 4.25-14 to 4.26.7. Setup: Sol 9, SA 2.63. >I got gobs of: > > Skipping SpamAssassin while waiting for Bayes database to rebuild This should only happen every day or so. Depends on your setting of "Rebuild Bayes Every". How often do you get a bunch of these? >messages with 4.26.7. The zero byte file /tmp/MS.bayes.rebuild.lock >appeared after I restarted MS, and it never seems to go away. That's fine. It's a lock file that each of the child processes will maintain a shared lock on. > I >tried things with both "Rebuild Bayes Every = 0" and with this set to >86400. Same deal. I'm afraid to try "Wait During Bayes Rebuild = yes" >because if it never rebuilds then no mail gets delivered, right? You'll soon see. >A rebuild should only take a few seconds, right? It can take a minute or two if your Bayes database is quite large. >I tried stopping MS, removing /tmp/MS.bayes*, restarting -- still no >luck. I've fallen back to 4.25-14 for the moment. > >BTW, I have a cron job to do bayes spam/ham learning with > > $SALEARN --prefs-file=$PREFS --rebuild --force-expire > >at the top. Should I still do this rebuild and force-expire in this >script? No. My scheduled rebuild is there to replace this. It is designed to solve the bayes_toks.new problem by locking out SpamAssassin during the rebuild without causing SA to just timeout. Instead of SA timing out, it skips it or waits for it to complete. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From brose at MED.WAYNE.EDU Mon Feb 2 00:25:14 2004 
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
Message-ID:

It looks like MS is trying to run a rebuild on every scan.

Feb 1 18:19:02 eeyore MailScanner[13579]: SpamAssassin Bayes database rebuild starting
Feb 1 18:19:12 eeyore MailScanner[13587]: SpamAssassin Bayes database rebuild starting
Feb 1 18:19:22 eeyore MailScanner[13610]: SpamAssassin Bayes database rebuild starting
Feb 1 18:19:32 eeyore MailScanner[13615]: SpamAssassin Bayes database rebuild starting
Feb 1 18:19:42 eeyore MailScanner[13617]: SpamAssassin Bayes database rebuild starting
Feb 1 18:19:52 eeyore MailScanner[13630]: SpamAssassin Bayes database rebuild starting
Feb 1 18:20:03 eeyore MailScanner[13676]: SpamAssassin Bayes database rebuild starting
Feb 1 18:20:12 eeyore MailScanner[13710]: SpamAssassin Bayes database rebuild starting
Feb 1 18:20:22 eeyore MailScanner[13742]: SpamAssassin Bayes database rebuild starting
Feb 1 18:20:32 eeyore MailScanner[13748]: SpamAssassin Bayes database rebuild starting
Feb 1 18:20:42 eeyore MailScanner[13755]: SpamAssassin Bayes database rebuild starting
Feb 1 18:20:52 eeyore MailScanner[13762]: SpamAssassin Bayes database rebuild starting
Feb 1 18:21:02 eeyore MailScanner[13771]: SpamAssassin Bayes database rebuild starting

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rose, Bobby
Sent: Sunday, February 01, 2004 6:42 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: 4.26.7, bayes rebuild, confused.

I get the same thing, even if Rebuild Bayes Every is set to 0. I've even removed by bayes and started over from scratch. The bayes files haven't been touched at all since I recreated them. If I disabled Bayes in the SA conf, it still says it's skipping for that reason.

I'm also on Solaris but v8 with SA 2.63

-=B

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Sunday, February 01, 2004 4:34 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.26.7, bayes rebuild, confused. At 20:39 01/02/2004, you wrote: >Julian, > > I tried an upgrade from 4.25-14 to 4.26.7. Setup: Sol 9, SA 2.63. >I got gobs of: > > Skipping SpamAssassin while waiting for Bayes database to rebuild This should only happen every day or so. Depends on your setting of "Rebuild Bayes Every". How often do you get a bunch of these? >messages with 4.26.7. The zero byte file /tmp/MS.bayes.rebuild.lock >appeared after I restarted MS, and it never seems to go away. That's fine. It's a lock file that each of the child processes will maintain a shared lock on. > I >tried things with both "Rebuild Bayes Every = 0" and with this set to >86400. Same deal. I'm afraid to try "Wait During Bayes Rebuild = yes" >because if it never rebuilds then no mail gets delivered, right? You'll soon see. >A rebuild should only take a few seconds, right? It can take a minute or two if your Bayes database is quite large. >I tried stopping MS, removing /tmp/MS.bayes*, restarting -- still no >luck. I've fallen back to 4.25-14 for the moment. > >BTW, I have a cron job to do bayes spam/ham learning with > > $SALEARN --prefs-file=$PREFS --rebuild --force-expire > >at the top. Should I still do this rebuild and force-expire in this >script? No. My scheduled rebuild is there to replace this. It is designed to solve the bayes_toks.new problem by locking out SpamAssassin during the rebuild without causing SA to just timeout. Instead of SA timing out, it skips it or waits for it to complete. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Mon Feb 2 00:32:00 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
In-Reply-To:
Message-ID:

Hi!

> Feb 1 18:19:02 eeyore MailScanner[13579]: SpamAssassin Bayes database
> rebuild starting
> Feb 1 18:19:12 eeyore MailScanner[13587]: SpamAssassin Bayes database
> rebuild starting
> Feb 1 18:19:22 eeyore MailScanner[13610]: SpamAssassin Bayes database

> I get the same thing, even if Rebuild Bayes Every is set to 0. I've
> even removed by bayes and started over from scratch. The bayes files
> haven't been touched at all since I recreated them. If I disabled Bayes
> in the SA conf, it still says it's skipping for that reason.
>
> I'm also on Solaris but v8 with SA 2.63

Try setting the 0 to for example 3600 to see if behaviour changes? I see the same when setting it to 0 currently.

Bye,
Raymond.

From brose at MED.WAYNE.EDU Mon Feb 2 01:52:56 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
Message-ID:

No change. It's been an hour and MailScanner is still skipping SA checks.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn Sent: Sunday, February 01, 2004 7:32 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.26.7, bayes rebuild, confused. Hi! > Feb 1 18:19:02 eeyore MailScanner[13579]: SpamAssassin Bayes database > rebuild starting Feb 1 18:19:12 eeyore MailScanner[13587]: > SpamAssassin Bayes database rebuild starting Feb 1 18:19:22 eeyore > MailScanner[13610]: SpamAssassin Bayes database > I get the same thing, even if Rebuild Bayes Every is set to 0. I've > even removed by bayes and started over from scratch. The bayes files > haven't been touched at all since I recreated them. If I disabled > Bayes in the SA conf, it still says it's skipping for that reason. > > I'm also on Solaris but v8 with SA 2.63 Try setting the 0 to for example 3600 to see if behaviour changes? I see the same when setting it to 0 currently. Bye, Raymond. From james at DENY.ORG Mon Feb 2 02:50:22 2004 From: james at DENY.ORG (James Sizemore) Date: Thu Jan 12 21:22:15 2006 Subject: Razor and tmp files in the "In Queue" Message-ID: <401DBAEE.8070603@deny.org> I have noticed that in Mailscanner 4.26-5, Razor is putting some files in the "Incoming Queue Dir" : drwx------ 2 postfix postfix 4096 Feb 1 20:26 r -rw------- 1 postfix postfix 215580 Feb 1 20:48 razor-agent.log Can this be changed? It makes it hard to get an ideal of the number of incoming messages if the queue directory has 15-30 megs of crap in it! From brose at MED.WAYNE.EDU Mon Feb 2 03:14:01 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:15 2006 Subject: 4.26.7, bayes rebuild, confused. Message-ID: Also if I set the "Wait on Rebuild" to yes and the rebuild option is 0, then the logs say "At start of SA checks could not get shared lock on /tmp/MS.bayes.rebuild.lock, Bad file number" and it does the SA Checks anyway. Could their be a bug in the locking or the clearing of the lock file? -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rose, Bobby Sent: Sunday, February 01, 2004 8:53 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.26.7, bayes rebuild, confused. No change. It's been an hour and MailScanner is still skipping SA checks. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn Sent: Sunday, February 01, 2004 7:32 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.26.7, bayes rebuild, confused. Hi! > Feb 1 18:19:02 eeyore MailScanner[13579]: SpamAssassin Bayes database > rebuild starting Feb 1 18:19:12 eeyore MailScanner[13587]: > SpamAssassin Bayes database rebuild starting Feb 1 18:19:22 eeyore > MailScanner[13610]: SpamAssassin Bayes database > I get the same thing, even if Rebuild Bayes Every is set to 0. I've > even removed by bayes and started over from scratch. The bayes files > haven't been touched at all since I recreated them. If I disabled > Bayes in the SA conf, it still says it's skipping for that reason. > > I'm also on Solaris but v8 with SA 2.63 Try setting the 0 to for example 3600 to see if behaviour changes? I see the same when setting it to 0 currently. Bye, Raymond. From steve.swaney at FSL.COM Mon Feb 2 03:40:20 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:15 2006 Subject: Razor and tmp files in the "In Queue" In-Reply-To: <401DBAEE.8070603@deny.org> Message-ID: <20040202034020.1625A21C135@mail.fsl.com> Look at the ~/.razor/razor-agent.conf file. This is where you specify things like: Where to put log files Debug level (yours is probably too high) On a Linux system where razor runs as root, this is typically: /root/.razor Very good documentation at: http://razor.sourceforge.net/docs/ Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of James Sizemore > Sent: Sunday, February 01, 2004 9:50 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Razor and tmp files in the "In Queue" > > I have noticed that in Mailscanner 4.26-5, Razor is putting some files > in the > "Incoming Queue Dir" : > > drwx------ 2 postfix postfix 4096 Feb 1 20:26 r > -rw------- 1 postfix postfix 215580 Feb 1 20:48 razor-agent.log > > Can this be changed? It makes it hard to get an ideal of the number of > incoming messages if the queue directory has 15-30 megs of crap in it! > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Fortress Systems Ltd. www.fsl.com From ugob at CAMO-ROUTE.COM Mon Feb 2 03:42:22 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:15 2006
Subject: ZIP files seems not to be scanned (mydoom)
Message-ID: <54C38A0B814C8E438EF73FC76F362927410891@mtlnt501fs.CAMOROUTE.COM>

-----Original Message-----
From: Danny Zak [mailto:dannyz@belgonet.com]
Sent: Sunday, February 01, 2004 4:53 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: ZIP files seems not to be scanned (mydoom)

best;

indeed .. i did change

Virus Scanners = none

to

Virus Scanners = f-prot

and it is working :) thanks .. i did assume that the reporting was enough

[Ugo Bellavance] That was only the update script reporting, not mailscanner's.

hth

Ugo

.. but it wasn't

thanks !

--
Best regards,
 Danny mailto:dannyz@belgonet.com

belGOnet.com a Euro-pictures division - internet solutions
place princesse elisabeth 9/11 - 1030 Brussels - Belgium
Tel : +32-(0)2-215.67.65 - Fax : +32-(0)2-215.66.65

domains - hosting - hardware - VoiP - consultancy - backuping
CISCO - HP/COMPAQ - SUN - EMC - JUNIPER - IBM - DELL - NORTEL

No legal consequences can be derived from the contents of the email
neither is belGOnet.com committed to them. The content of this email
is exclusively intended for adressee(s) and information purposes.
belGOnet.com accepts no liability for any damage resulting from the
use and/or acceptation of the content of this email.

Sunday, February 1, 2004, 10:37:38 PM, you wrote:

JF> At 21:19 01/02/2004, you wrote:
>>Hello Ugo,
>>
>>thanks for your reponse; as also to kevin and robert...
>>
>>i use fprot antivirus with it; although its strange that it is't
>>configured in my mailscanner config file ..
>>
>>i assume it is working although; since i notice this in my maillog

JF> No, that log section means exactly what it says. It has found it installed
JF> and is keeping it up to date for you. Unless you mention it in
JF> MailScanner.conf it won't be using it.
>>Feb 1 10:51:07 ns MailScanner[24262]: New Batch: Scanning 1 messages, >>1076 bytes >>Feb 1 10:51:07 ns MailScanner[24262]: Spam Checks: Starting >>Feb 1 10:51:12 ns update.virus.scanners: Found f-prot installed >>Feb 1 10:51:12 ns update.virus.scanners: Updating f-prot >>Feb 1 10:51:12 ns MailScanner[24262]: Virus and Content Scanning: Starting >>Feb 1 10:51:12 ns MailScanner[24262]: Uninfected: Delivered 1 messages >> >> >>-- >>Best regards, >> Danny mailto:dannyz@belgonet.com >> >>belGOnet.com a Euro-pictures division - internet solutions >>place princesse elisabeth 9/11 - 1030 Brussels - Belgium >>Tel : +32-(0)2-215.67.65 - Fax : +32-(0)2-215.66.65 >> >>domains - hosting - hardware - VoiP - consultancy - backuping >>CISCO - HP/COMPAQ - SUN - EMC - JUNIPER - IBM - DELL - NORTEL >> >> >>No legal consequences can be derived from the contents of the email >>neither is belGOnet.com committed to them. The content of this email >>is exclusively intended for adressee(s) and information purposes. >>belGOnet.com accepts no liability for any damage resulting from the >>use and/or acceptation of the content of this email. >> >> >>Sunday, February 1, 2004, 7:04:26 PM, you wrote: >> >>UB> -----Message d'origine----- >>UB> De : Danny Zak [mailto:dannyz@belgonet.com] >>UB> Envoy? : Sunday, February 01, 2004 12:00 PM >>UB> ? : MAILSCANNER@JISCMAIL.AC.UK >>UB> Objet : ZIP files seems not to be scanned (mydoom) >> >> >>UB> Hello MAILSCANNER list; >> >>UB> it seems that my mailscanner isn't scanning zip attaches for virusses. >>UB> [Ugo Bellavance] >>UB> It is the job of your anti-virus, not mailscanner's >> >>UB> it does filter out the mydoom virus by files that are standardly >>attached although. >> >> >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040201/1e2fd649/attachment.html From mickey-ml at GREENGLOW.ORG Mon Feb 2 04:02:54 2004 
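Added example, not part of the original messages and not MailScanner's own code: a Python check for the misreading cleared up in the "ZIP files seems not to be scanned (mydoom)" thread, comparing the `Virus Scanners` setting with what `update.virus.scanners` reports in the maillog to flag a scanner that is kept up to date but never used. The log lines are the ones quoted in the thread; the configuration fragments are constructed, and treating option names as insensitive to case and spacing, `#` as the comment marker, and a missing option as `none` are assumptions.

```python
import re

# Maillog lines quoted in the thread.
MAILLOG = [
    "Feb 1 10:51:07 ns MailScanner[24262]: New Batch: Scanning 1 messages, 1076 bytes",
    "Feb 1 10:51:07 ns MailScanner[24262]: Spam Checks: Starting",
    "Feb 1 10:51:12 ns update.virus.scanners: Found f-prot installed",
    "Feb 1 10:51:12 ns update.virus.scanners: Updating f-prot",
    "Feb 1 10:51:12 ns MailScanner[24262]: Virus and Content Scanning: Starting",
    "Feb 1 10:51:12 ns MailScanner[24262]: Uninfected: Delivered 1 messages",
]

# Constructed configuration fragments: the setting before and after the
# change reported in the thread.
CONF_BEFORE = "# constructed sample\nVirus Scanners = none\n"
CONF_AFTER = "# constructed sample\nVirus Scanners = f-prot\n"

# timestamp, host, program tag, optional [pid], message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
FOUND_RE = re.compile(r"^Found (\S+) installed$")


def parse_conf(text):
    """Parse 'Name = value' lines into a dict keyed by normalised name."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # assumption: '#' starts a comment
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Assumption: option names ignore case and embedded spaces.
        settings[re.sub(r"\s+", "", key).lower()] = value.strip()
    return settings


def configured_scanners(conf_text):
    """Return the scanners the configuration actually enables."""
    # Assumption: a missing option is treated like 'none'.
    value = parse_conf(conf_text).get("virusscanners", "none")
    names = [n.lower() for n in re.split(r"[\s,]+", value) if n]
    return [n for n in names if n != "none"]


def updated_scanners(log_lines):
    """Return scanners the update script found, which is not proof of use."""
    found = set()
    for line in log_lines:
        m = SYSLOG_RE.match(line)
        if not m or m.group("tag") != "update.virus.scanners":
            continue
        hit = FOUND_RE.match(m.group("msg"))
        if hit:
            found.add(hit.group(1).lower())
    return found


def audit(conf_text, log_lines):
    configured = configured_scanners(conf_text)
    unused = sorted(updated_scanners(log_lines) - set(configured))
    warnings = []
    if not configured:
        warnings.append("no virus scanner configured: mail is not virus scanned")
    for name in unused:
        warnings.append(f"{name} is installed and updated but not configured")
    return {"configured": configured, "updated_only": unused, "warnings": warnings}


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, audit(conf, MAILLOG))
```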
From: mickey-ml at GREENGLOW.ORG (Mickey Everts)
Date: Thu Jan 12 21:22:15 2006
Subject: many spamassassin timeouts
In-Reply-To:
Message-ID: <002c01c3e941$6f728cb0$630a0a0a@gyruss>

Damn...there were a ton of *lock* and *expire* files and I deleted them all.
I'll give it a couple days to see if the problem is really solved, but it
sounds likely. Thanks again for the tip!

I haven't looked in that directory for ages since I didn't even realize the
locking issue existed and every time I looked in the past, it just had the
typical files:

auto-whitelist
bayes_journal
bayes_seen
bayes_toks

I just found the "Bayesian shenanigans" thread but it sounds like people
haven't exactly gotten to the bottom of this issue yet. It sounds like the
general opinion is it is some issue with spamassassin itself...right?

Mickey

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson
Sent: Sunday, February 01, 2004 2:22 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: many spamassassin timeouts

Make sure you aren't having Bayes locking issues. My timeouts were
attributable to this more than once.

Check /var/spool/spamassassin (or wherever your Bayes database resides)
for extra bayes lock files and delete them (you may also need to delete
the *.expiry files). Try running a manual rebuild of the database like so:

sa-learn -D -p /etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire

If this is the cause of the problem, consider taking advantage of the
bayes rebuild options available in the latest release of MailScanner (or
run the command regularly via cron).

Nathan

-----Original Message-----
From: Stephen Swaney [mailto:steve.swaney@FSL.COM]
Sent: Saturday, January 31, 2004 12:07 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: many spamassassin timeouts

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mickey Everts
> Sent: Saturday, January 31, 2004 2:54 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: many spamassassin timeouts
>
> Here is something very weird I just noticed in trying to track this down.
> Here is just a small sample of my logs, but notice the time outs happen
> almost exactly every ten minutes? I am running mailscanner-4.25-14.
>

[SKS] Do you have an event that is slowing down your network every 10 minutes.
Try a sniffer and see. This is the typical cause for SpamAssassin timeouts.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> Jan 31 05:48:41 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 05:59:05 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:09:02 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:19:03 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:29:41 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:39:26 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:50:14 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:00:05 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:10:43 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:20:32 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:30:42 defender MailScanner[17784]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:40:45 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:50:53 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 08:00:48 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 08:11:01 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 08:20:59 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
>
> Mickey
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
> Sent: Saturday, January 31, 2004 6:37 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: many spamassassin timeouts
>
> At 21:17 30/01/2004, you wrote:
> >I turned on Debug = yes and Debug SpamAssassin = yes but I am not seeing
> >output similar to below in maillog. Should I be looking elsewhere else? I
> >am trying to track down the source of some spamassassin timeouts I have been
> >having. Ideally I need to log the equivalent of "spamassassin -D" for a few
> >hours.
>
> Those 2 options will cause "check_mailscanner" to log all the SA output to
> the terminal. It will process 1 batch of messages and then quit.
> I have been getting a lot of Razor timeouts recently, and have currently
> disabled it. You can do this by adding
> use_razor2 0
> to your spam.assassin.prefs.conf and restarting MailScanner.
>
> >
> >Thanks!
> >
> >Mickey
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Piet Bos
> >Sent: Monday, January 26, 2004 3:02 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: many spamassassin timeouts
> >
> >a part of the debug output.
> >I find the 0 behind Net::DNS resolver unavailable rather curious
> >do you agree?
> >
> >grtz Piet
> >
> >debug: running raw-body-text per-line regexp tests; score so far=4.3
> >debug: running uri tests; score so far=4.3
> >debug: uri tests: Done uriRE
> >debug: running full-text regexp tests; score so far=4.3
> >debug: Razor2 is not available
> >debug: DCC is not available: dccproc not found
> >debug: Razor1 is not available
> >debug: Pyzor is not available: pyzor not found
> >debug: is Net::DNS::Resolver unavailable? 0
> >debug: trying (3) gwdg.de...
> >debug: looking up MX for 'gwdg.de'
> >debug: MX for 'gwdg.de' exists? 1
> >debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available to hardcode)
> >debug: is DNS available? 1
> >debug: running meta tests; score so far=5.3
> >----- Original Message -----
> >From: "Julian Field"
> >To:
> >Sent: Monday, January 26, 2004 9:39 AM
> >Subject: Re: many spamassassin timeouts
> >
> >
> > > Run with Debug = yes and Debug SpamAssassin = yes, and see where the
> > > slow-down is.
> > >
> > > At 08:33 26/01/2004, you wrote:
> > > >Experiencing many spamassassin timeouts lately.
> > > >Is there a valid reason for that?
> > > >I'm using version 4.26-1 starting
> > > >my settings in MailScanner.conf are:
> > > >SpamAssassin Timeout = 40
> > > >Max SpamAssassin Timeouts = 50
> > > >
> > > >Any suggestions?
> > > >brgds Piet
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Fortress Systems Ltd.
www.fsl.com

From Pascal.Maes at ELEC.UCL.AC.BE Mon Feb 2 07:56:14 2004
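The "almost exactly every ten minutes" pattern in the timeout log quoted in the message above can be checked mechanically. The following Python is an added example, not part of any list post or of MailScanner; it parses those entries and measures how regular the gaps are. The function names, the 60-second tolerance and the 0.8 share threshold are assumptions made for the illustration.

```python
"""Measure how regular the gaps between SpamAssassin timeouts are."""
import re
from datetime import datetime
from statistics import median

# The sixteen timeout entries quoted in the thread, with the mail client's
# line wrapping undone.
SAMPLE_LOG = """\
Jan 31 05:48:41 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 05:59:05 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 06:09:02 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 06:19:03 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 06:29:41 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 06:39:26 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 06:50:14 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 07:00:05 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 07:10:43 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 07:20:32 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 07:30:42 defender MailScanner[17784]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 07:40:45 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 07:50:53 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 08:00:48 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 08:11:01 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 08:20:59 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
"""

TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"MailScanner\[(?P<pid>\d+)\]: SpamAssassin timed out and was killed, "
    r"consecutive failure (?P<count>\d+) of (?P<limit>\d+)\s*$"
)


def parse_timeouts(text, year=2004):
    """Return sorted (timestamp, pid, consecutive_count) tuples.

    Syslog lines carry no year, so the caller supplies one (assumption: the
    log does not span a year boundary).
    """
    events = []
    for line in text.splitlines():
        m = TIMEOUT_RE.match(line.strip())
        if m is None:
            continue  # not a timeout entry
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m["pid"]), int(m["count"])))
    return sorted(events)


def gap_report(events, tolerance_s=60):
    """Summarise the spacing between consecutive timeouts."""
    times = [e[0] for e in events]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None  # too few events to say anything about regularity
    period = median(gaps)
    near = sum(1 for g in gaps if abs(g - period) <= tolerance_s)
    return {
        "events": len(times),
        "median_gap_s": period,
        "min_gap_s": min(gaps),
        "max_gap_s": max(gaps),
        "share_near_median": near / len(gaps),
        # Several worker PIDs point at a shared cause, not one stuck child.
        "worker_pids": len({e[1] for e in events}),
        "max_consecutive": max(e[2] for e in events),
    }


def looks_periodic(report, min_share=0.8):
    """True when most gaps sit within the tolerance of the median gap."""
    return report is not None and report["share_near_median"] >= min_share


if __name__ == "__main__":
    report = gap_report(parse_timeouts(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key:18} {value}")
    print("periodic:", looks_periodic(report))
```

On the quoted entries the median gap is 603 seconds, every gap lies within a minute of it, and five different MailScanner child PIDs are involved.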
From: Pascal.Maes at ELEC.UCL.AC.BE (Pascal Maes)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused.
Message-ID:

Hello,

I have the same behaviour with the rebuild of bayes database and I get it
every time MailScanner is launched.

To avoid the "Skipping", I have to "manually" remove the lock file
(for me it's not important since I do not use bayes !)

In SA.pm, the lock file is created before the test on "$RebuildBayes"
and the lock is removed only if the bayes database has been rebuilt.

If $RebuildBayes == 0, the lock will never be removed.

if $RebuildBAYES <> 0, it seems that the rebuild on solaris doesn't finish
or doesn't begin ???

 I see the "Skipping" line in the logfile but I don't see any line
 such as "SpamAssassin Bayes database rebuild preparing" even with
 $RebuildBAYES <> 0

--
-- Pascal --
 --

From Kevin.Spicer at BMRB.CO.UK Mon Feb 2 08:22:07 2004
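The ordering problem described in the message above (lock taken before the setting is tested, and released only on the rebuild path) is modelled here in Python as an added example. It is not SA.pm's code: the existence-based lock, the function names and the lock file name are assumptions made for the illustration.

```python
"""Model of a rebuild lock that is taken too early and released too rarely."""
import os
import tempfile


def _take_lock(path):
    """Create the lock file atomically; return False if it already exists."""
    try:
        os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600))
        return True
    except FileExistsError:
        return False


def startup_as_described(lock_path, rebuild_every, rebuild):
    """Ordering from the post: lock first, test the setting afterwards."""
    if not _take_lock(lock_path):
        return "skipping"      # a lock is present, so the rebuild is skipped
    if not rebuild_every:
        return "disabled"      # returns with the lock file still on disk
    rebuild()                  # an exception here also strands the lock
    os.unlink(lock_path)       # the only place the lock is removed
    return "rebuilt"


def startup_corrected(lock_path, rebuild_every, rebuild):
    """Test the setting first, then release the lock on every exit path."""
    if not rebuild_every:
        return "disabled"      # feature off: the lock is never created
    if not _take_lock(lock_path):
        return "skipping"
    try:
        rebuild()
    finally:
        os.unlink(lock_path)   # runs whether the rebuild succeeded or not
    return "rebuilt"


def run_twice(startup, first_setting, second_setting, rebuild=lambda: None):
    """Call startup twice against one fresh directory, like two launches.

    Returns the two outcomes and whether a lock file is left behind.
    """
    with tempfile.TemporaryDirectory() as workdir:
        lock = os.path.join(workdir, "bayes.rebuild.lock")  # hypothetical name
        outcomes = []
        for setting in (first_setting, second_setting):
            try:
                outcomes.append(startup(lock, setting, rebuild))
            except RuntimeError:
                outcomes.append("failed")
        return outcomes, os.path.exists(lock)


def failing_rebuild():
    """Stand-in for a rebuild that never completes."""
    raise RuntimeError("rebuild did not finish")


if __name__ == "__main__":
    for fn in (startup_as_described, startup_corrected):
        print(fn.__name__, run_twice(fn, 0, 1))
        print(fn.__name__, run_twice(fn, 1, 1, failing_rebuild))
```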
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:15 2006
Subject: sending mail to 2 locations
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A1B@pascal.priv.bmrb.co.uk>

Harondel J. Sibble wrote:
> On 1 Feb 2004 at 10:41, Kevin Spicer wrote:
>
> no.... I meant telneting, I was testing an smtp connection, ssh is
> _generally_ of no use in that situation.

Ahh, you meant using telnet to connect to the SMTP port, rather than to
login. My mistake.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient
and may contain confidential and/or privileged material. If you have
received this in error, please contact the sender and delete this
message immediately. Disclosure, copying or other action taken in
respect of this email or in reliance on it is prohibited. BMRB
International Limited accepts no liability in relation to any personal
emails, or content of any email which does not directly relate to our
business.

From mailscanner at ecs.soton.ac.uk Mon Feb 2 09:40:14 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused. -- Urgent test please
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk>

Please could you try the attached SA.pm and see if it helps.

Changes:
 - Set "Rebuild Bayes Every = 0" should disable all this code.
 - Locking code changed to more closely match the virus scanner
   locking code.

The trouble is, it all works for me. But that's on a Linux system, and the
underlying locking behaviour may well be different on Solaris.

At 07:56 02/02/2004, you wrote:
>Hello,
>
>I have the same behaviour with the rebuild of bayes database and I get it
>every time MailScanner is launched.
>
>To avoid the "Skipping", I have to "manually" remove the lock file
>(for me it's not important since I do not use bayes !)
>
>In SA.pm, the lock file is created before the test on "$RebuildBayes"
>and the lock is removed only if the bayes database has been rebuilt.
>
>If $RebuildBayes == 0, the lock will never be removed.
>
>if $RebuildBAYES <> 0, it seems that the rebuild on solaris doesn't finish
>or doesn't begin ???
>
> I see the "Skipping" line in the logfile but I don't see any line
> such as "SpamAssassin Bayes database rebuild preparing" even with
> $RebuildBAYES <> 0
>
>--
>-- Pascal --
> --

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SA.pm
Type: application/octet-stream
Size: 19516 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040202/cec41f47/SA.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mbm+mailscanner at colondot.net Mon Feb 2 09:50:39 2004
From: mbm+mailscanner at colondot.net (Matthew Byng-Maddick) Date: Thu Jan 12 21:22:15 2006 Subject: mailscanner exim patch Message-ID: <20040202095039.GA37477@colon.colondot.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The attached patch changes the behaviour of mailscanner to deal with exim4 (>4.23) queue files, where ACL variables get stored. Unfortunately, this part of the queue files doesn't appear to be documented in the Exim Specification (I'll be posting this to the exim-users list too). Previously, such queue files would be rejected as invalid, due to the difference in the way that ACL variables are handled (as a part of the "dashvars" section). This patch seems to be happy with reading, and re-outputting such queue files, with ACL data intact. db93dae7eb0c34468f8324e7a9fd9c71 mailscanner-exim.patch Although the patch is against MailScanner-4.25-14, I believe it should also apply cleanly against 4.26.7 (with an offset of 6 lines). Cheers Matthew - -- hmmm - what's the term that comes between "tweak" and "frob"? "small, controlled change"? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQFAHh1ciGjP99nB6xERAvtNAJ40AckCXoNcI5Lkwbx/nVerYomU2QCeI6+z X0+33XN4JeK94hyMnj5VpI8= =zb6Y -----END PGP SIGNATURE----- -------------- next part -------------- diff -uNr lib/MailScanner/Exim.pm.orig lib/MailScanner/Exim.pm --- lib/MailScanner/Exim.pm.orig 2003-11-26 16:35:29.000000000 +0000 +++ lib/MailScanner/Exim.pm 2004-02-02 09:20:54.000000000 +0000 @@ -244,7 +244,7 @@ my($RQf) = $message->{store}{inhhandle}; my %metadata; - my($InHeader, $InSubject, $InDel, @headers, $msginfo, $from, @to, $subject); + my($InHeader, $InSubject, $InDel, @headers, $msginfo, $from, @to, $subject, @acl); my($ip, $sender); my($line); 
@@ -276,12 +276,34 @@ # and tracking them in %{$metadata{dashvars}} while (chomp($line = <$RQf>)) { $line =~ s/^-(\w+) ?// or last; - $metadata{dashvars}{$1} = 0; - $line eq "" and $metadata{"dv_$1"} = 1, next; - $metadata{"dv_$1"} = $line; - $metadata{dashvars}{$1} = 1; + if($1 eq "acl") { + # we need to handle acl vars differently + if($line =~ /^(\d+) (\d+)$/) { + my $buf; + my $pos=$1; + my $len=$2; + $acl[$pos]=[]; + (read($RQf, $buf, $len + 1)==$len+1) or last; + if($buf=~/\n$/) { + chomp $buf; + } else { + # invalid format + last; + } + $acl[$pos]->[0]=$buf; + } else { + # this is a weird format, and we're not sure how to handle it + last; + } + } else { + $metadata{dashvars}{$1} = 0; + $line eq "" and $metadata{"dv_$1"} = 1, next; + $metadata{"dv_$1"} = $line; + $metadata{dashvars}{$1} = 1; + } next; } + $metadata{aclvars}=\@acl; # If it was an invalid queue file, log a warning and tell caller unless (defined $line) { @@ -959,6 +981,7 @@ sub CreateQf { my($message) = @_; + my $i; my $Qfile = ""; my $metadata = $message->{metadata}; @@ -986,6 +1009,15 @@ $Qfile .= "\n"; } + # Add the separate ACL Vars + my @acl=@{$metadata->{aclvars}}; + for($i=0; $i<=$#acl; $i++) { + if($acl[$i]) { + $Qfile .= "-acl " . $i . " " . length($acl[$i]->[0]) . "\n"; + $Qfile .= $acl[$i]->[0] . "\n"; + } + } + # Add non-recipients $Qfile .= BTreeString($metadata->{nonrcpts}); From mailscanner at ecs.soton.ac.uk Mon Feb 2 09:52:37 2004 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:22:15 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200402020952.i129qbV3006407@seer.ecs.soton.ac.uk> New Guestbook-Entry from sync i\'\'ve some trouble with RH9
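Review bot: In the queue-file reader hunk of the Exim.pm patch above (@@ -276,12 +276,34 @@), the three "last" exits in the new "-acl" branch (short read, value not ending in a newline, header not matching "^(\d+) (\d+)$") leave $line defined, so the "unless (defined $line)" invalid-queue-file check that follows the loop never fires and parsing carries on as if the dashvars section had ended normally. Suggest setting $line to undef before each of those "last" statements so a malformed -acl entry is logged and reported to the caller. Because "$acl[$pos]=[]" is assigned before the read is checked, a failed read also leaves an empty entry that the new CreateQf loop would write back as a zero-length ACL variable. $len comes straight from the file and is passed to read() unchecked; an upper bound would be cheap.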
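Review bot: In the CreateQf hunk of the Exim.pm patch above (@@ -986,6 +1009,15 @@), "my @acl=@{$metadata->{aclvars}};" dereferences aclvars without checking that it is set, and the only assignment visible in this patch is the one in the queue-file reader; a guard such as "|| []" would keep CreateQf safe for metadata that reaches it any other way. The one-element array reference around each value ("$acl[$i]->[0]") needs a comment saying why it is there, or the string could be stored directly and tested with "defined". $i can be scoped to the loop ("for my $i (0..$#acl)") instead of the "my $i;" added at the top of the sub.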



mail with subject like this

DiasoftCLIENT:REGFIN :rf _o0008

sent from local user to local, received with subject like this

DiasoftCLIENT:REGFIN:rf

any comments???

From mailscanner at ecs.soton.ac.uk Mon Feb 2 10:23:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:15 2006
Subject: 4.26.7, bayes rebuild, confused. -- (2) Urgent test please
In-Reply-To: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk>

Inevitably I put a config name wrong in that one.

At 09:40 02/02/2004, you wrote:
>Please could you try the attached SA.pm and see if it helps.
>
>Changes:
> - Set "Rebuild Bayes Every = 0" should disable all this code.
> - Locking code changed to more closely match the virus scanner
>locking code.
>
>The trouble is, it all works for me. But that's on a Linux system, and the
>underlying locking behaviour may well be different on Solaris.
>
>At 07:56 02/02/2004, you wrote:
>>Hello,
>>
>>I have the same behaviour with the rebuild of bayes database and I get it
>>every time MailScanner is launched.
>>
>>To avoid the "Skipping", I have to "manually" remove the lock file
>>(for me it's not important since I do not use bayes !)
>>
>>In SA.pm, the lock file is created before the test on "$RebuildBayes"
>>and the lock is removed only if the bayes database has been rebuilt.
>>
>>If $RebuildBayes == 0, the lock will never be removed.
>>
>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris doesn't finish
>>or doesn't begin ???
>>
>> I see the "Skipping" line in the logfile but I don't see any line
>> such as "SpamAssassin Bayes database rebuild preparing" even with
>> $RebuildBAYES <> 0
>>
>>--
>>-- Pascal --
>> --
>
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SA.pm
Type: application/octet-stream
Size: 19511 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040202/e8490401/SA.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dee at ASYOUNEED.COM Mon Feb 2 10:28:49 2004
From: dee at ASYOUNEED.COM (Dee Lowndes)
Date: Thu Jan 12 21:22:15 2006
Subject: Trying to recover msg but all I get is the warning
In-Reply-To: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk>
Message-ID: <000001c3e977$58d4b1a0$0201a8c0@lappy>

Hi All,

 I am trying to recover a message that had the iframe tags in it
but all I get in the folder it directs me to is the warning message why?

Dee

From mailscanner at ecs.soton.ac.uk Mon Feb 2 11:01:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:15 2006
Subject: Trying to recover msg but all I get is the warning
In-Reply-To: <000001c3e977$58d4b1a0$0201a8c0@lappy>
References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <000001c3e977$58d4b1a0$0201a8c0@lappy>
Message-ID: <6.0.1.1.2.20040202110113.07ae3608@imap.ecs.soton.ac.uk>

At 10:28 02/02/2004, you wrote:
>Hi All,
>
> I am trying to recover a message that had the iframe tags in it
>but all I get in the folder it directs me to is the warning message why?

This is a bug I have not yet tracked down. I have been unable to rectify
it. If you could post me your MailScanner.conf settings, that would help.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From goleotti at MISAG.IT Mon Feb 2 11:31:07 2004
From: goleotti at MISAG.IT (Gabriele Oleotti)
Date: Thu Jan 12 21:22:15 2006
Subject: Vexira AV Support in 4.26.6?
Message-ID: <1488394A34F6A0408FDA3841418D1442183D4B@scorpio.auron.mi>

Ok, there's no problem for me!!
If I can do anything else, please let me know.

Bye,
Gabriele

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Sunday, 1 February 2004 14.50
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Vexira AV Support in 4.26.6?

Hopefully I'll get this in to 4.27.

At 12:09 01/02/2004, you wrote:
>I have to apologize for the last patch I sent you as the autoupdate script
>has a little bug (I forget the --update switch, so vexira isn't really
>doing the update). Sorry for that.
>
>I corrected this bug and I have adjusted the output coming from the
>scanner as the vexira seems to use dos/windows CR+LF new line characters
>which causes bad looking output to be logged on my files.
>
>Last, I have added time-out support (for the most copied from the alarm
>perldoc page and from the clamav-autoupdate) which I have tested and
>seemed to work fine.
>
>Bye for now,
>Gabriele
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Friday, 30 January 2004 18.00
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Vexira AV Support in 4.26.6?
>
>
>At 16:53 30/01/2004, you wrote:
> >Will Support for Vexira Antivirus added in MailScanner Version 4.26.6?
>
>No, sorry. I haven't had time to test it myself. It will have to wait for
>4.27.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dee at ASYOUNEED.COM Mon Feb 2 12:38:28 2004
From: dee at ASYOUNEED.COM (Dee Lowndes)
Date: Thu Jan 12 21:22:15 2006
Subject: Trying to recover msg but all I get is the warning {Scanned}
In-Reply-To: <6.0.1.1.2.20040202110113.07ae3608@imap.ecs.soton.ac.uk>
Message-ID: <000001c3e989$75a0f520$0201a8c0@lappy>

Hi Julian,

I sent it to your email address rather than list did you get it?

Yours,
Dee

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
> Sent: 02 February 2004 11:02
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Trying to recover msg but all I get is the warning {Scanned}
>
> At 10:28 02/02/2004, you wrote:
> >Hi All,
> >
> > I am trying to recover a message that had the iframe tags in it
> >but all I get in the folder it directs me to is the warning message why?
>
> This is a bug I have not yet tracked down. I have been unable to rectify
> it. If you could post me your MailScanner.conf settings, that would help.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From AndreaC at GOTECH.IT Mon Feb 2 12:30:27 2004
From: AndreaC at GOTECH.IT (Andrea Cogliati)
Date: Thu Jan 12 21:22:15 2006
Subject: NDR strategy
Message-ID: <463F0AFA3E2CEA4E807EC569C019E739140C9B@atlantis.gtub.corp>

We use MailScanner (with Sendmail) as a mail relay to protect our
Exchange Mail Server from Viruses, Spam and other threats. We configured
the MS+Sendmail gateway to relay all messages for our SMTP domains to
our Exchange Server. The problem is with NDRs. Every time we receive a
message for a non-existing mailbox, MailScanner still scans it then
Sendmail relays it to Exchange that generates an NDR. Now, as most of
the messages are generated by Worms/Viruses/Spammers using fake
addresses, the NDRs either remain in mail queues until timeouts or the
NDR is received by some unwilling party or, worse, another NDR is
generated and received by our gateway. Anyway, the process is not
efficient as lots of messages are needlessly processed at least twice.

We found two possible workarounds:

1. Disable NDR generation on Exchange server, which solves part of the
   issue to the detriment of RFC compliancy;
2. Enable relay at mailbox level instead of domain level on Sendmail
   (using access_db).

The second solution seems the best as it solves the whole problem
maintaining full RFC compliancy. Unfortunately, it's completely manual
as every time we modify a mailbox on Exchange we have to modify Sendmail
configuration accordingly.

Anybody solved the issue with a better approach?

TIA,

Andrea

From dh at UPTIME.AT Mon Feb 2 12:45:46 2004
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:15 2006
Subject: [OT] Re: NDR strategy
In-Reply-To: <463F0AFA3E2CEA4E807EC569C019E739140C9B@atlantis.gtub.corp>
References: <463F0AFA3E2CEA4E807EC569C019E739140C9B@atlantis.gtub.corp>
Message-ID: <401E467A.7060903@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Andrea Cogliati wrote:

| Anybody solved the issue with a better approach?
|

Can Exchange read its Account data from LDAP? If so, setup LDAP routing
for Sendmail, that way non-existent user accounts for the domains you
serve will not even be accepted by the gateway sendmail

- -d

- --
nee amata wo mitsukete soshite midoto wasrezu ~
domma mi mumega itakutemo soba mi iru mo ~
zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD4DBQFAHkZ6PMoaMn4kKR4RA0VzAJ9r4g2LyUjHqln4UvFctmzwVF5XCQCVEYjD
oIWblWnFOCyIvR6M2Vd/hA==
=9eZ2
-----END PGP SIGNATURE-----

From raymond at PROLOCATION.NET Mon Feb 2 12:47:28 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:16 2006
Subject: Trying to recover msg but all I get is the warning {Scanned}
In-Reply-To: <000001c3e989$75a0f520$0201a8c0@lappy>
Message-ID:

Hi!

> > This is a bug I have not yet tracked down. I have been unable to
> > it. If you could post me your MailScanner.conf settings, that would

I get them daily, so capturing my mailflow for one day and processing it
most likely will give some hits. Or is there any other debugging i could
do ?

bye,
Raymond.

From martinh at SOLID-STATE-LOGIC.COM Mon Feb 2 13:44:16 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:16 2006
Subject: NDR strategy
In-Reply-To: <463F0AFA3E2CEA4E807EC569C019E739140C9B@atlantis.gtub.corp>
References: <463F0AFA3E2CEA4E807EC569C019E739140C9B@atlantis.gtub.corp>
Message-ID: <401E5430.2050004@solid-state-logic.com>

Andrea

There is a way of setting up sendmail so it reads from an Active Directory
server to validate the email address. Have a google around for 'how to'.

This way the inbound sendmail will reject the email for non-existent
email addresses before it hits MailScanner.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at ecs.soton.ac.uk Mon Feb 2 14:06:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:16 2006
Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8
In-Reply-To: <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk>

I have just posted version 4.26.8.
The problem did not appear on Linux, but does appear on Solaris.
You can now disable all the relevant code by setting
Rebuild Bayes Every = 0

I will look into fixing this as a priority, but it is highly OS-specific
and may even be Perl-version specific. It refuses to lock a file it has
just successfully opened, but seems happy when I do it elsewhere :-(

Jules.

P.S. thanks for your patience....

At 10:23 02/02/2004, you wrote:
>Inevitably I put a config name wrong in that one.
>
>At 09:40 02/02/2004, you wrote:
>>Please could you try the attached SA.pm and see if it helps.
>>
>>Changes:
>> - Set "Rebuild Bayes Every = 0" should disable all this code.
>> - Locking code changed to more closely match the virus scanner
>>locking code.
>>
>>The trouble is, it all works for me. But that's on a Linux system, and the
>>underlying locking behaviour may well be different on Solaris.
>>
>>At 07:56 02/02/2004, you wrote:
>>>Hello,
>>>
>>>I have the same behaviour with the rebuild of bayes database and I get it
>>>every time MailScanner is launched.
>>>
>>>To avoid the "Skipping", I have to "manually" remove the lock file
>>>(for me it's not important since I do not use bayes !)
>>>
>>>In SA.pm, the lock file is created before the test on "$RebuildBayes"
>>>and the lock is removed only if the bayes database has been rebuilt.
>>>
>>>If $RebuildBayes == 0, the lock will never be removed.
>>>
>>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris doesn't finish
>>>or doesn't begin ???
>>>
>>> I see the "Skipping" line in the logfile but I don't see any line
>>> such as "SpamAssassin Bayes database rebuild preparing" even with
>>> $RebuildBAYES <> 0
>>>
>>>--
>>>-- Pascal --
>>> --
>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From nathan at TCPNETWORKS.NET Mon Feb 2 14:44:34 2004
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:22:16 2006
Subject: many spamassassin timeouts
Message-ID:

As I understand it, SpamAssassin opportunistically rebuilds the database
and expires old tokens. In some cases, SpamAssassin times out (as
configured in MailScanner) before the rebuilding completes. Ultimately,
this leads to more timeouts and an accumulation of *.lock and *.expiry
files. You may also see a bayes_toks.new file. It's not really a
SpamAssassin or MailScanner issue, but more of a timing issue
(presumably on slower systems).

I've been closely monitoring my database and rebuilding it manually
(with the --force-expire option). I also increased my SpamAssassin time
out, but I've still had the same problems (although not as frequently).

As mentioned below, this has been an issue for others in the list and
Julian added some code that will generate the rebuild for us. I'm
planning to upgrade in a few days. Fortunately, it's not really an
urgent problem (as it doesn't corrupt my bayes database), just more of
an inconvenience.

Nathan

-----Original Message-----
From: Mickey Everts [mailto:mickey-ml@GREENGLOW.ORG]
Sent: Sunday, February 01, 2004 8:03 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: many spamassassin timeouts

Damn...there were a ton of *lock* and *expire* files and I deleted them all.
I'll give it a couple days to see if the problem is really solved, but it
sounds likely. Thanks again for the tip!

I haven't looked in that directory for ages since I didn't even realize the
locking issue existed and every time I looked in the past, it just had the
typical files:

auto-whitelist
bayes_journal
bayes_seen
bayes_toks

I just found the "Bayesian shenanigans" thread but it sounds like people
haven't exactly gotten to the bottom of this issue yet. It sounds like the
general opinion is it is some issue with spamassassin itself...right?

Mickey

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson
Sent: Sunday, February 01, 2004 2:22 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: many spamassassin timeouts

Make sure you aren't having Bayes locking issues. My timeouts were
attributable to this more than once.

Check /var/spool/spamassassin (or wherever your Bayes database resides)
for extra bayes lock files and delete them (you may also need to delete
the *.expiry files). Try running a manual rebuild of the database like so:

sa-learn -D -p /etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire

If this is the cause of the problem, consider taking advantage of the
bayes rebuild options available in the latest release of MailScanner (or
run the command regularly via cron).

Nathan

-----Original Message-----
From: Stephen Swaney [mailto:steve.swaney@FSL.COM]
Sent: Saturday, January 31, 2004 12:07 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: many spamassassin timeouts

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Mickey Everts
> Sent: Saturday, January 31, 2004 2:54 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: many spamassassin timeouts
>
> Here is something very weird I just noticed in trying to track this down.
> Here is just a small sample of my logs, but notice the time outs happen
> almost exactly every ten minutes? I am running mailscanner-4.25-14.
>

[SKS]
Do you have an event that is slowing down your network every 10 minutes?
Try a sniffer and see.

This is the typical cause for SpamAssassin timeouts.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> Jan 31 05:48:41 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 05:59:05 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:09:02 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:19:03 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:29:41 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:39:26 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:50:14 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:00:05 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:10:43 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:20:32 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:30:42 defender MailScanner[17784]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:40:45 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:50:53 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 08:00:48 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 08:11:01 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 08:20:59 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
>
> Mickey
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Julian Field
> Sent: Saturday, January 31, 2004 6:37 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: many spamassassin timeouts
>
> At 21:17 30/01/2004, you wrote:
> >I turned on Debug = yes and Debug SpamAssassin = yes but I am not seeing
> >output similar to below in maillog. Should I be looking elsewhere else? I
> >am trying to track down the source of some spamassassin timeouts I have been
> >having. Ideally I need to log the equivalent of "spamassassin -D" for a few
> >hours.
>
> Those 2 options will cause "check_mailscanner" to log all the SA output to
> the terminal. It will process 1 batch of messages and then quit.
> I have been getting a lot of Razor timeouts recently, and have currently
> disabled it. You can do this by adding
> use_razor2 0
> to your spam.assassin.prefs.conf and restarting MailScanner.
>
> >
> >Thanks!
> >
> >Mickey
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> >Of Piet Bos
> >Sent: Monday, January 26, 2004 3:02 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: many spamassassin timeouts
> >
> >a part of the debug output.
> >I find the 0 behind Net::DNS resolver unavailable rather curious
> >do you agree?
> >
> >grtz Piet
> >
> >debug: running raw-body-text per-line regexp tests; score so far=4.3
> >debug: running uri tests; score so far=4.3
> >debug: uri tests: Done uriRE
> >debug: running full-text regexp tests; score so far=4.3
> >debug: Razor2 is not available
> >debug: DCC is not available: dccproc not found
> >debug: Razor1 is not available
> >debug: Pyzor is not available: pyzor not found
> >debug: is Net::DNS::Resolver unavailable? 0
> >debug: trying (3) gwdg.de...
> >debug: looking up MX for 'gwdg.de'
> >debug: MX for 'gwdg.de' exists? 1
> >debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available to hardcode)
> >debug: is DNS available? 1
> >debug: running meta tests; score so far=5.3
> >----- Original Message -----
> >From: "Julian Field"
> >To:
> >Sent: Monday, January 26, 2004 9:39 AM
> >Subject: Re: many spamassassin timeouts
> >
> >
> > > Run with Debug = yes and Debug SpamAssassin = yes, and see where the
> > > slow-down is.
> > >
> > > At 08:33 26/01/2004, you wrote:
> > > >Experiencing many spamassassin timeouts lately.
> > > >Is there a valid reason for that?
> > > >I'm using version 4.26-1 starting
> > > >my settings in MailScanner.conf are:
> > > >SpamAssassin Timeout = 40
> > > >Max SpamAssassin Timeouts = 50
> > > >
> > > >Any suggestions?
> > > >brgds Piet
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Fortress Systems Ltd.
www.fsl.com

From mailscanner at ecs.soton.ac.uk Mon Feb 2 14:47:14 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:16 2006
Subject: many spamassassin timeouts
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040202144605.06f7b820@imap.ecs.soton.ac.uk>

The code to do this for you currently doesn't work on Solaris, but it does
appear to work fine on Linux. It's a locking semantics problem which I
haven't got to the bottom of yet.
See the Re: 4.26.7, bayes rebuild, confused. -- 4.26.8 thread for more
discussion on this.

At 14:44 02/02/2004, you wrote:
>As I understand it, SpamAssassin opportunistically rebuilds the database
>and expires old tokens. In some cases, SpamAssassin times out (as
>configured in MailScanner) before the rebuilding completes. Ultimately,
>this leads to more timeouts and an accumulation of *.lock and *.expiry
>files. You may also see a bayes_toks.new file. It's not really a
>SpamAssassin or MailScanner issue, but more of a timing issue
>(presumably on slower systems).
>
>I've been closely monitoring my database and rebuilding it manually
>(with the --force-expire option). I also increased my SpamAssassin time
>out, but I've still had the same problems (although not as frequently).
>As mentioned below, this has been an issue for others in the list and
>Julian added some code that will generate the rebuild for us. I'm
>planning to upgrade in a few days.
>
>Fortunately, it's not really an urgent problem (as it doesn't corrupt my
>bayes database), just more of an inconvenience.
>
>Nathan
>
>
>-----Original Message-----
>From: Mickey Everts [mailto:mickey-ml@GREENGLOW.ORG] >Sent: Sunday, February 01, 2004 8:03 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: many spamassassin timeouts > > >Damn...there were a ton of *lock* and *expire* files and I deleted them >all. >I'll give it a couple days to see if the problem is really solved, but >it >sounds likely. Thanks again for the tip! > >I haven't looked in that directory for ages since I didn't even realize >the >locking issue existed and every time I looked in the past, it just had >the >typical files: > >auto-whitelist >bayes_journal >bayes_seen >bayes_toks > >I just found the "Bayesian shenanigans" thread but it sounds like people >haven't exactly gotten to the bottom of this issue yet. It sounds like >the >general opinion is it is some issue with spamassassin itself...right? > >Mickey > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf >Of Nathan Johanson >Sent: Sunday, February 01, 2004 2:22 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: many spamassassin timeouts > >Make sure you aren't havin Bayes locking issues. My timeouts were >attributable to this more than once. Check /var/spool/spamassassin (or >wherever your Baye's database resides) for extra bayes lock files and >delete them (you may also need to delete the *.expiry files). Try >running a manual rebuild of the database like so: > >sa-learn -D -p /etc/MailScanner/spam.assassin.prefs.conf --rebuild >--force-expire > >If this is the cause of the problem, consider taking advantage of the >bayes rebuild options available in the latest release of MailScanner (or >run the command regularly via cron). > >Nathan > > > >-----Original Message----- >From: Stephen Swaney [mailto:steve.swaney@FSL.COM] >Sent: Saturday, January 31, 2004 12:07 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: many spamassassin timeouts > > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Mickey Everts > > Sent: Saturday, January 31, 2004 2:54 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: many spamassassin timeouts > > > > Here is something very weird I just noticed in trying to track this >down. > > Here is just a small sample of my logs, but notice the time outs >happen > > almost exactly every ten minutes? I am running mailscanner-4.25-14. > > >[SKS] >Do you have an event that is slowing down you network every 10 minutes. >Try a sniffer and see. > >This is the typical cause for SpamAssassin timeouts. > >Steve > >Stephen Swaney >President >Fortress Systems Ltd. >Steve.Swaney@FSL.com > > > > Jan 31 05:48:41 defender MailScanner[18146]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 05:59:05 defender MailScanner[17813]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 06:09:02 defender MailScanner[17717]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 06:19:03 defender MailScanner[18146]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 06:29:41 defender MailScanner[17795]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 06:39:26 defender MailScanner[17813]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 06:50:14 defender MailScanner[17717]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 07:00:05 defender MailScanner[18146]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 07:10:43 defender MailScanner[17795]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 07:20:32 defender MailScanner[17795]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 07:30:42 defender 
MailScanner[17784]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 07:40:45 defender MailScanner[17717]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 07:50:53 defender MailScanner[18146]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 08:00:48 defender MailScanner[17717]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 08:11:01 defender MailScanner[17795]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > Jan 31 08:20:59 defender MailScanner[17717]: SpamAssassin timed out >and > > was > > killed, consecutive failure 1 of 10 > > > > Mickey > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf > > Of Julian Field > > Sent: Saturday, January 31, 2004 6:37 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: many spamassassin timeouts > > > > At 21:17 30/01/2004, you wrote: > > >I turned on Debug = yes and Debug SpamAssassin = yes but I am not >seeing > > >output similar to below in maillog. Should I be looking elsewhere >else? > > I > > >am trying to track down the source of some spamassassin timeouts I >have > > been > > >having. Ideally I need to log the equivalent of "spamassassin -D" >for a > > few > > >hours. > > > > Those 2 options will cause "check_mailscanner" to log all the SA >output to > > the terminal. It will process 1 batch of messages and then quit. > > I have been getting a lot of Razor timeouts recently, and have >currently > > disabled it. You can do this by adding > > use_razor2 0 > > to your spam.assassin.prefs.conf and restarting MailScanner. > > > > > > > > >Thanks! > > > > > >Mickey > > > > > >-----Original Message----- 
> > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf > > >Of Piet Bos > > >Sent: Monday, January 26, 2004 3:02 AM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: many spamassassin timeouts > > > > > >a part of the debug output. > > >I find the 0 behind Net::DNS resolver unavailable rather curious > > >do you agree? > > > > > >grtz Piet > > > > > >debug: running raw-body-text per-line regexp tests; score so far=4.3 > > >debug: running uri tests; score so far=4.3 > > >debug: uri tests: Done uriRE > > >debug: running full-text regexp tests; score so far=4.3 > > >debug: Razor2 is not available > > >debug: DCC is not available: dccproc not found > > >debug: Razor1 is not available > > >debug: Pyzor is not available: pyzor not found > > >debug: is Net::DNS::Resolver unavailable? 0 > > >debug: trying (3) gwdg.de... > > >debug: looking up MX for 'gwdg.de' > > >debug: MX for 'gwdg.de' exists? 1 > > >debug: MX lookup of gwdg.de succeeded => Dns available (set >dns_available > > to > > >hardcode) > > >debug: is DNS available? 1 > > >debug: running meta tests; score so far=5.3 > > >----- Original Message ----- 
> > >From: "Julian Field" > > >To: > > >Sent: Monday, January 26, 2004 9:39 AM > > >Subject: Re: many spamassassin timeouts > > > > > > > > > > Run with Debug = yes and Debug SpamAssassin = yes, and see where >the > > > > slow-down is. > > > > > > > > At 08:33 26/01/2004, you wrote: > > > > >Experiencing many spamassassin timeouts lately. > > > > >Is there a valid reason for that? > > > > >I'm using version 4.26-1 starting > > > > >my settings in MailScanner.conf are: > > > > >SpamAssassin Timeout = 40 > > > > >Max SpamAssassin Timeouts = 50 > > > > > > > > > >Any suggestions? > > > > >brgds Piet > > > > > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > Fortress Systems Ltd. > > www.fsl.com > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > >Fortress Systems Ltd. >www.fsl.com -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jaearick at colby.edu Mon Feb 2 15:08:29 2004 
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Jan 12 21:22:16 2006
Subject: [MAILSCANNER] 4.26.7, bayes rebuild, confused. -- 4.26.8
In-Reply-To: <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

Popped 4.26.8 into place, let it run for a few minutes (Sol 9, SA
2.63, Razor). No more complaints about Bayes, but no SpamAssassin
messages either. I ran a batch in debug mode for both MS and SA, and
it looked like stuff in the debug batch got tagged by SA:

debug: is spam? score=10.95 required=5
tests=BAYES_20,FROM_ENDS_IN_NUMS,MIME_MISSING_BOUNDARY,MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK

but nothing in the syslog regarding SA. I also set the log level
for razor to 4 and razor is busy. How to check if 4.26.8 is really
using SA, if nothing appears in syslog? I'm back to running 4.25-14.

Jeff Earickson
Colby College

On Mon, 2 Feb 2004, Julian Field wrote:

> Date: Mon, 2 Feb 2004 14:06:40 +0000
> From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] 4.26.7, bayes rebuild, confused. -- 4.26.8 > > I have just posted version 4.26.8. > > The problem did not appear on Linux, but does appear on Solaris. You can > now disable all the relevant code by setting > > Rebuild Bayes Every = 0 > > I will look into fixing this as a priority, but it is highly OS-specific > and may even be Perl-version specific. It refuses to lock a file it has > just successfully opened, but seems happy when I do it elsewhere :-( > > Jules. > > P.S. thanks for your patience.... > > At 10:23 02/02/2004, you wrote: > >Inevitably I put a config name wrong in that one. > > > >At 09:40 02/02/2004, you wrote: > >>Please could you try the attached SA.pm and see if it helps. > >> > >>Changes: > >> - Set "Rebuild Bayes Every = 0" should disable all this code. > >> - Locking code changed to more closely match the virus scanner > >>locking code. > >> > >>The trouble is, it all works for me. But that's on a Linux system, and the > >>underlying locking behaviour may well be different on Solaris. > >> > >>At 07:56 02/02/2004, you wrote: > >>>Hello, > >>> > >>>I have the same behaviour with the rebuild of bayes database and I get it > >>>every time MailScanner is launched. > >>> > >>>To avoid the "Skipping", I have to "manually" remove the lock file > >>>(for me it's not important since I do not use bayes !) > >>> > >>>In SA.pm, the lock file is created before the test on "$RebuildBayes" > >>>and the lock is removed only if the bayes database has been rebuild. > >>> > >>>If $RebuildBayes == 0, the lock will never be removed. > >>> > >>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris don't finish > >>>or don't begin ??? 
> >>> > >>> I see the "Skipping" line in the logfile but I don't see any line > >>> such as "SpamAssassin Bayes database rebuild preparing" even with > >>> $RebuildBAYES <> 0 > >>> > >>>-- > >>>-- Pascal -- > >>> -- > >> > >> > >>-- > >>Julian Field > >>www.MailScanner.info > >>MailScanner thanks transtec Computers for their support > >> > >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mailscanner at ecs.soton.ac.uk Mon Feb 2 15:32:49 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:16 2006
Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8
In-Reply-To:
References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040202153133.06ca0ea0@imap.ecs.soton.ac.uk>

I just fell foul of not having "Log Spam = yes" so you might want to
double-check that.
It appears to be logging fine on a Solaris 2.8 box.

At 15:08 02/02/2004, you wrote:
>Julian,
>
> Popped 4.26.8 into place, let it run for a few minutes (Sol 9, SA
>2.63, Razor). No more complaints about Bayes, but no SpamAssassin
>messages either. I ran a batch in debug mode for both MS and SA, and
>it looked like stuff in the debug batch got tagged by SA:
>
>debug: is spam? score=10.95 required=5
>tests=BAYES_20,FROM_ENDS_IN_NUMS,MIME_MISSING_BOUNDARY,MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK
>
>but nothing in the syslog regarding SA. I also set the log level
>for razor to 4 and razor is busy. How to check if 4.26.8 is really
>using SA, if nothing appears in syslog? I'm back to running 4.25-14.
>
>Jeff Earickson
>Colby College
>
>On Mon, 2 Feb 2004, Julian Field wrote:
>
> > Date: Mon, 2 Feb 2004 14:06:40 +0000
> > From: Julian Field > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: [MAILSCANNER] 4.26.7, bayes rebuild, confused. -- 4.26.8 > > > > I have just posted version 4.26.8. > > > > The problem did not appear on Linux, but does appear on Solaris. You can > > now disable all the relevant code by setting > > > > Rebuild Bayes Every = 0 > > > > I will look into fixing this as a priority, but it is highly OS-specific > > and may even be Perl-version specific. It refuses to lock a file it has > > just successfully opened, but seems happy when I do it elsewhere :-( > > > > Jules. > > > > P.S. thanks for your patience.... > > > > At 10:23 02/02/2004, you wrote: > > >Inevitably I put a config name wrong in that one. > > > > > >At 09:40 02/02/2004, you wrote: > > >>Please could you try the attached SA.pm and see if it helps. > > >> > > >>Changes: > > >> - Set "Rebuild Bayes Every = 0" should disable all this code. > > >> - Locking code changed to more closely match the virus scanner > > >>locking code. > > >> > > >>The trouble is, it all works for me. But that's on a Linux system, > and the > > >>underlying locking behaviour may well be different on Solaris. > > >> > > >>At 07:56 02/02/2004, you wrote: > > >>>Hello, > > >>> > > >>>I have the same behaviour with the rebuild of bayes database and I > get it > > >>>every time MailScanner is launched. > > >>> > > >>>To avoid the "Skipping", I have to "manually" remove the lock file > > >>>(for me it's not important since I do not use bayes !) > > >>> > > >>>In SA.pm, the lock file is created before the test on "$RebuildBayes" > > >>>and the lock is removed only if the bayes database has been rebuild. > > >>> > > >>>If $RebuildBayes == 0, the lock will never be removed. > > >>> > > >>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris don't finish > > >>>or don't begin ??? 
> > >>>
> > >>> I see the "Skipping" line in the logfile but I don't see any line
> > >>> such as "SpamAssassin Bayes database rebuild preparing" even with
> > >>> $RebuildBAYES <> 0
> > >>>
> > >>>--
> > >>>-- Pascal --
> > >>> --
> > >>
> > >>
> > >>--
> > >>Julian Field
> > >>www.MailScanner.info
> > >>MailScanner thanks transtec Computers for their support
> > >>
> > >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >
> > >
> > >--
> > >Julian Field
> > >www.MailScanner.info
> > >MailScanner thanks transtec Computers for their support
> > >
> > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jaearick at colby.edu Mon Feb 2 15:42:36 2004
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Jan 12 21:22:16 2006
Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8
In-Reply-To: <6.0.1.1.2.20040202153133.06ca0ea0@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202153133.06ca0ea0@imap.ecs.soton.ac.uk>
Message-ID:

Doh! Sorry. I had commented my change in the .conf file, then forgot
to make it. Soooo.... With "Rebuild Bayes Every = 0", I guess we
still need to run our Bayes-rebuild cron jobs until all this gets sorted
out, right?

Jeff

On Mon, 2 Feb 2004, Julian Field wrote:

> Date: Mon, 02 Feb 2004 15:32:49 +0000
> From: Julian Field > To: MailScanner mailing list > Cc: Jeff A. Earickson > Subject: Re: 4.26.7, bayes rebuild, confused. -- 4.26.8 > > I just fell foul of not having "Log Spam = yes" so you might want to > double-check that. > It appears to be logging fine on a Solaris 2.8 box. > > At 15:08 02/02/2004, you wrote: > >Julian, > > > > Popped 4.26.8 into place, let it run for a few minutes (Sol 9, SA > >2.63, Razor). No more complaints about Bayes, but no SpamAssassin > >messages either. I ran a batch in debug mode for both MS and SA, and > >it looked like stuff in the debug batch got tagged by SA: > > > >debug: is spam? score=10.95 required=5 > >tests=BAYES_20,FROM_ENDS_IN_NUMS,MIME_MISSING_BOUNDARY,MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK > > > >but nothing in the syslog regarding SA. I also set the log level > >for razor to 4 and razor is busy. How to check it 4.26.8 is really > >using SA, if nothing appears in syslog? I'm back to running 4.25-14. > > > >Jeff Earickson > >Colby College > > > >On Mon, 2 Feb 2004, Julian Field wrote: > > > > > Date: Mon, 2 Feb 2004 14:06:40 +0000 
> > > From: Julian Field > > > Reply-To: MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: [MAILSCANNER] 4.26.7, bayes rebuild, confused. -- 4.26.8 > > > > > > I have just posted version 4.26.8. > > > > > > The problem did not appear on Linux, but does appear on Solaris. You can > > > now disable all the relevant code by setting > > > > > > Rebuild Bayes Every = 0 > > > > > > I will look into fixing this as a priority, but it is highly OS-specific > > > and may even be Perl-version specific. It refuses to lock a file it has > > > just successfully opened, but seems happy when I do it elsewhere :-( > > > > > > Jules. > > > > > > P.S. thanks for your patience.... > > > > > > At 10:23 02/02/2004, you wrote: > > > >Inevitably I put a config name wrong in that one. > > > > > > > >At 09:40 02/02/2004, you wrote: > > > >>Please could you try the attached SA.pm and see if it helps. > > > >> > > > >>Changes: > > > >> - Set "Rebuild Bayes Every = 0" should disable all this code. > > > >> - Locking code changed to more closely match the virus scanner > > > >>locking code. > > > >> > > > >>The trouble is, it all works for me. But that's on a Linux system, > > and the > > > >>underlying locking behaviour may well be different on Solaris. > > > >> > > > >>At 07:56 02/02/2004, you wrote: > > > >>>Hello, > > > >>> > > > >>>I have the same behaviour with the rebuild of bayes database and I > > get it > > > >>>every time MailScanner is launched. > > > >>> > > > >>>To avoid the "Skipping", I have to "manually" remove the lock file > > > >>>(for me it's not important since I do not use bayes !) > > > >>> > > > >>>In SA.pm, the lock file is created before the test on "$RebuildBayes" > > > >>>and the lock is removed only if the bayes database has been rebuild. > > > >>> > > > >>>If $RebuildBayes == 0, the lock will never be removed. > > > >>> > > > >>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris don't finish > > > >>>or don't begin ??? 
> > > >>> > > > >>> I see the "Skipping" line in the logfile but I don't see any > > line > > > >>> such as "SpamAssassin Bayes database rebuild preparing" even > > with > > > >>> $RebuildBAYES <> 0 > > > >>> > > > >>>-- > > > >>>-- Pascal -- > > > >>> -- > > > >> > > > >> > > > >>-- > > > >>Julian Field > > > >>www.MailScanner.info > > > >>MailScanner thanks transtec Computers for their support > > > >> > > > >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > > >-- > > > >Julian Field > > > >www.MailScanner.info > > > >MailScanner thanks transtec Computers for their support > > > > > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From jaearick at COLBY.EDU Mon Feb 2 15:42:36 2004 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:22:16 2006 Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8 In-Reply-To: <6.0.1.1.2.20040202153133.06ca0ea0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202153133.06ca0ea0@imap.ecs.soton.ac.uk> Message-ID: Doh! Sorry. I had commented my change in the .conf file, then forgot to make it. Soooo.... With "Rebuild Bayes Every = 0", I guess we still need to run our Bayes-rebuild cron jobs until all this gets sorted out, right? Jeff On Mon, 2 Feb 2004, Julian Field wrote: > Date: Mon, 02 Feb 2004 15:32:49 +0000 
> From: Julian Field > To: MailScanner mailing list > Cc: Jeff A. Earickson > Subject: Re: 4.26.7, bayes rebuild, confused. -- 4.26.8 > > I just fell foul of not having "Log Spam = yes" so you might want to > double-check that. > It appears to be logging fine on a Solaris 2.8 box. > > At 15:08 02/02/2004, you wrote: > >Julian, > > > > Popped 4.26.8 into place, let it run for a few minutes (Sol 9, SA > >2.63, Razor). No more complaints about Bayes, but no SpamAssassin > >messages either. I ran a batch in debug mode for both MS and SA, and > >it looked like stuff in the debug batch got tagged by SA: > > > >debug: is spam? score=10.95 required=5 > >tests=BAYES_20,FROM_ENDS_IN_NUMS,MIME_MISSING_BOUNDARY,MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK > > > >but nothing in the syslog regarding SA. I also set the log level > >for razor to 4 and razor is busy. How to check it 4.26.8 is really > >using SA, if nothing appears in syslog? I'm back to running 4.25-14. > > > >Jeff Earickson > >Colby College > > > >On Mon, 2 Feb 2004, Julian Field wrote: > > > > > Date: Mon, 2 Feb 2004 14:06:40 +0000 
> > > From: Julian Field > > > Reply-To: MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: [MAILSCANNER] 4.26.7, bayes rebuild, confused. -- 4.26.8 > > > > > > I have just posted version 4.26.8. > > > > > > The problem did not appear on Linux, but does appear on Solaris. You can > > > now disable all the relevant code by setting > > > > > > Rebuild Bayes Every = 0 > > > > > > I will look into fixing this as a priority, but it is highly OS-specific > > > and may even be Perl-version specific. It refuses to lock a file it has > > > just successfully opened, but seems happy when I do it elsewhere :-( > > > > > > Jules. > > > > > > P.S. thanks for your patience.... > > > > > > At 10:23 02/02/2004, you wrote: > > > >Inevitably I put a config name wrong in that one. > > > > > > > >At 09:40 02/02/2004, you wrote: > > > >>Please could you try the attached SA.pm and see if it helps. > > > >> > > > >>Changes: > > > >> - Set "Rebuild Bayes Every = 0" should disable all this code. > > > >> - Locking code changed to more closely match the virus scanner > > > >>locking code. > > > >> > > > >>The trouble is, it all works for me. But that's on a Linux system, > > and the > > > >>underlying locking behaviour may well be different on Solaris. > > > >> > > > >>At 07:56 02/02/2004, you wrote: > > > >>>Hello, > > > >>> > > > >>>I have the same behaviour with the rebuild of bayes database and I > > get it > > > >>>every time MailScanner is launched. > > > >>> > > > >>>To avoid the "Skipping", I have to "manually" remove the lock file > > > >>>(for me it's not important since I do not use bayes !) > > > >>> > > > >>>In SA.pm, the lock file is created before the test on "$RebuildBayes" > > > >>>and the lock is removed only if the bayes database has been rebuild. > > > >>> > > > >>>If $RebuildBayes == 0, the lock will never be removed. > > > >>> > > > >>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris don't finish > > > >>>or don't begin ??? 
> > > >>> > > > >>> I see the "Skipping" line in the logfile but I don't see any > > line > > > >>> such as "SpamAssassin Bayes database rebuild preparing" even > > with > > > >>> $RebuildBAYES <> 0 > > > >>> > > > >>>-- > > > >>>-- Pascal -- > > > >>> -- > > > >> > > > >> > > > >>-- > > > >>Julian Field > > > >>www.MailScanner.info > > > >>MailScanner thanks transtec Computers for their support > > > >> > > > >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > > >-- > > > >Julian Field > > > >www.MailScanner.info > > > >MailScanner thanks transtec Computers for their support > > > > > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mailscanner at ecs.soton.ac.uk Mon Feb 2 16:13:55 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:16 2006 Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8 In-Reply-To: References: <6.0.1.1.2.20040202093725.03d0a668@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040202153133.06ca0ea0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040202161158.03a6ee68@imap.ecs.soton.ac.uk> At 15:42 02/02/2004, you wrote: >Doh! Sorry. I had commented my change in the .conf file, then forgot >to make it. > >Soooo.... With "Rebuild Bayes Every = 0", I guess we still need >to run our Bayes-rebuild cron jobs until all this gets sorted out, >right? Correct. >Jeff > >On Mon, 2 Feb 2004, Julian Field wrote: > > > Date: Mon, 02 Feb 2004 15:32:49 +0000 
> > From: Julian Field > > To: MailScanner mailing list > > Cc: Jeff A. Earickson > > Subject: Re: 4.26.7, bayes rebuild, confused. -- 4.26.8 > > > > I just fell foul of not having "Log Spam = yes" so you might want to > > double-check that. > > It appears to be logging fine on a Solaris 2.8 box. > > > > At 15:08 02/02/2004, you wrote: > > >Julian, > > > > > > Popped 4.26.8 into place, let it run for a few minutes (Sol 9, SA > > >2.63, Razor). No more complaints about Bayes, but no SpamAssassin > > >messages either. I ran a batch in debug mode for both MS and SA, and > > >it looked like stuff in the debug batch got tagged by SA: > > > > > >debug: is spam? score=10.95 required=5 > > >tests=BAYES_20,FROM_ENDS_IN_NUMS,MIME_MISSING_BOUNDARY,MISSING_MIMEOLE, > MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK > > > > > >but nothing in the syslog regarding SA. I also set the log level > > >for razor to 4 and razor is busy. How to check it 4.26.8 is really > > >using SA, if nothing appears in syslog? I'm back to running 4.25-14. > > > > > >Jeff Earickson > > >Colby College > > > > > >On Mon, 2 Feb 2004, Julian Field wrote: > > > > > > > Date: Mon, 2 Feb 2004 14:06:40 +0000 
> > > > From: Julian Field > > > > Reply-To: MailScanner mailing list > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: [MAILSCANNER] 4.26.7, bayes rebuild, confused. -- 4.26.8 > > > > > > > > I have just posted version 4.26.8. > > > > > > > > The problem did not appear on Linux, but does appear on Solaris. > You can > > > > now disable all the relevant code by setting > > > > > > > > Rebuild Bayes Every = 0 > > > > > > > > I will look into fixing this as a priority, but it is highly > OS-specific > > > > and may even be Perl-version specific. It refuses to lock a file it has > > > > just successfully opened, but seems happy when I do it elsewhere :-( > > > > > > > > Jules. > > > > > > > > P.S. thanks for your patience.... > > > > > > > > At 10:23 02/02/2004, you wrote: > > > > >Inevitably I put a config name wrong in that one. > > > > > > > > > >At 09:40 02/02/2004, you wrote: > > > > >>Please could you try the attached SA.pm and see if it helps. > > > > >> > > > > >>Changes: > > > > >> - Set "Rebuild Bayes Every = 0" should disable all this > code. > > > > >> - Locking code changed to more closely match the virus > scanner > > > > >>locking code. > > > > >> > > > > >>The trouble is, it all works for me. But that's on a Linux system, > > > and the > > > > >>underlying locking behaviour may well be different on Solaris. > > > > >> > > > > >>At 07:56 02/02/2004, you wrote: > > > > >>>Hello, > > > > >>> > > > > >>>I have the same behaviour with the rebuild of bayes database and I > > > get it > > > > >>>every time MailScanner is launched. > > > > >>> > > > > >>>To avoid the "Skipping", I have to "manually" remove the lock file > > > > >>>(for me it's not important since I do not use bayes !) > > > > >>> > > > > >>>In SA.pm, the lock file is created before the test on > "$RebuildBayes" > > > > >>>and the lock is removed only if the bayes database has been rebuild. > > > > >>> > > > > >>>If $RebuildBayes == 0, the lock will never be removed. 
> > > > >>> > > > > >>>if $RebuildBAYES <> 0, it seems that the rebuild on solaris > don't finish > > > > >>>or don't begin ??? > > > > >>> > > > > >>> I see the "Skipping" line in the logfile but I don't see any > > > line > > > > >>> such as "SpamAssassin Bayes database rebuild preparing" even > > > with > > > > >>> $RebuildBAYES <> 0 > > > > >>> > > > > >>>-- > > > > >>>-- Pascal -- > > > > >>> -- > > > > >> > > > > >> > > > > >>-- > > > > >>Julian Field > > > > >>www.MailScanner.info > > > > >>MailScanner thanks transtec Computers for their support > > > > >> > > > > >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > > > > > >-- > > > > >Julian Field > > > > >www.MailScanner.info > > > > >MailScanner thanks transtec Computers for their support > > > > > > > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From robin at PRIMUS.CA Mon Feb 2 16:50:46 2004 
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:22:16 2006
Subject: small change in the init script
Message-ID:

Hi Julian

small thing.. can you please modify the init script so that

line 234 reads
$POSTFIX -c $POSTFIXINCF stop 2>/dev/null
instead of
$POSTFIX -c /etc/postfix.in stop 2>/dev/null

and line 263 reads
$POSTFIX -c $POSTFIXOUTCF stop 2>/dev/null
instead of
$POSTFIX -c /etc/postfix stop 2>/dev/null

I can send a patch if you prefer, but I have not much experience with requesting modification so I thought this would be a good place to start. :)

From tduvally at BROWN.EDU Mon Feb 2 17:06:06 2004
From: tduvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:22:16 2006
Subject: Silent virus delete ruleset
Message-ID: <1075741565.8224.31.camel@cis-staff-kntx90.cis.brown.edu>

I'm trying to create a ruleset for "Silent Viruses" but it isn't working.

 From what I've read I would have this:

MailScanner.conf:
Silent Viruses = /path/to/silent.virus.rules
Still Deliver Silent Viruses = no

silent.virus.rules:
To: *@* klez
To: *@* mydoom

"klez" and mydoom being what would normally be on the Silent Viruses line if I didn't use a ruleset. Do I have this right?

--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.
GPG fingerprint = FB59 8265 0865 0CB8 94B5 FC26 F573 F09C 15F2 33F6
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040202/3548a78a/attachment.bin

From mailscanner at ecs.soton.ac.uk Mon Feb 2 17:07:06 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:16 2006
Subject: Silent virus delete ruleset
In-Reply-To: <1075741565.8224.31.camel@cis-staff-kntx90.cis.brown.edu>
References: <1075741565.8224.31.camel@cis-staff-kntx90.cis.brown.edu>
Message-ID: <6.0.1.1.2.20040202170632.073563c8@imap.ecs.soton.ac.uk>

At 17:06 02/02/2004, you wrote:
>I'm trying to create a ruleset for "Silent Viruses" but it isn't
>working.
>
> From what I've read I would have this:
>
>MailScanner.conf:
>Silent Viruses = /path/to/silent.virus.rules
>Still Deliver Silent Viruses = no
>
>silent.virus.rules:
>To: *@* klez
>To: *@* mydoom
>
>"klez" and mydoom being what would normally be on the Silent Viruses
>line if I didn't use a ruleset. Do I have this right?

No, you have 2 "default" rules. What you mean is this:
To: default klez mydoom

*@* == default
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve.freegard at LBSLTD.CO.UK Mon Feb 2 17:19:05 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:16 2006
Subject: Rules_du_jour
Message-ID: <67D9E7698329D411936E00508B6590B902773E41@neelix.lbsltd.co.uk>

Hi All,

Quick question for those of you that might be using rules_du_jour for updating your custom SA rulesets.

I've configured 'my_rules_du_jour' with an SA_RESTART command of "/etc/init.d/MailScanner reload" - and in the back of my mind I'm not sure if this is right - does MailScanner re-compile SpamAssassin on a reload (thus re-reading the custom rules) or does it actually require a 'restart' instead???

Cheers,
Steve.
--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040202/823a3de4/attachment.html

From AndreaC at GOTECH.IT Mon Feb 2 17:36:38 2004
From: AndreaC at GOTECH.IT (Andrea Cogliati)
Date: Thu Jan 12 21:22:16 2006
Subject: NDR strategy, [OT]
In-Reply-To: <401E5430.2050004@solid-state-logic.com>
Message-ID:

> From: Martin Hepworth
> Reply-To: MailScanner mailing list
> Date: Mon, 2 Feb 2004 13:44:16 +0000
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: NDR strategy
>
> There is way of setting up sendmail so it read from an Active Directory
> server to validate the email address. have a google around for 'how to'.

Martin (& David),

Thanks for the excellent suggestion. I'll definitely look into it. Just a preliminary thought: I need to expose at least one DC onto the DMZ through LDAP. What are the possible security risks, if any, of this approach?

Andrea

From martinh at SOLID-STATE-LOGIC.COM Mon Feb 2 17:42:29 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:16 2006
Subject: NDR strategy, [OT]
In-Reply-To:
References:
Message-ID: <401E8C05.5040705@solid-state-logic.com>

Andrea Cogliati wrote:
>>From: Martin Hepworth
>>Reply-To: MailScanner mailing list
>>Date: Mon, 2 Feb 2004 13:44:16 +0000
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: NDR strategy
>>
>>There is way of setting up sendmail so it read from an Active Directory
>>server to validate the email address. have a google around for 'how to'.
>
>
> Martin (& David),
>
> Thanks for the excellent suggestion. I'll definitely look into it. Just a
> preliminary thought: I need to expose at least one DC onto the DMZ through
> LDAP. What are the possible security risks, if any, of this approach?
>
> Andrea

Andrea

pretty minimal as it only needs read access on the LDAP port.

Another idea might be to build an access file once a day from the DC, at a set time and only open the port around that set time - (eg 1am-1.15am).

Depends on how 'risky' you decide this is, and how quickly you want email changed to propagate.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at LISTS.COM.AR Mon Feb 2 17:57:47 2004
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:22:16 2006
Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8
In-Reply-To: <6.0.1.1.2.20040202140416.073355e0@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk>
Message-ID: <401E656B.16959.13A0CE4@localhost>

Gee...

FWIW, it happened a couple of centuries ago, but I recall having serious trouble making Perl's flock() work on Solaris... same situation, all development done under linux without a hitch and Solaris ignored all the locking... and it wasn't an interoperability problem, since I was competing against my own script...

The point is I don't quite remember what we did to solve it (we is an understatement, since it wasn't me programming, I was just the designer)... it must have been perl 5.6.x and Solaris 7, but I'm not sure either...

Seems like you'll need a Solaris box to test it thoroughly... I wouldn't even trust Solaris-x86 to behave identically to Solaris-Sparc :-(

On 2 Feb 2004 at 14:06, Julian Field wrote:

> I have just posted version 4.26.8.
>
> The problem did not appear on Linux, but does appear on Solaris. You can
> now disable all the relevant code by setting

--
Mariano Absatz
El Baby
----------------------------------------------------------
Oops. My brain just hit a bad sector.

From mailscanner at ecs.soton.ac.uk Mon Feb 2 18:03:34 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:16 2006
Subject: Rules_du_jour
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E41@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773E41@neelix.lbsltd.co.uk>
Message-ID: <6.0.1.1.2.20040202180219.03bc2bb0@imap.ecs.soton.ac.uk>

You should only require a reload, as that re-initialises SA. But doing a restart has very little impact that doesn't happen when doing a restart. So feel free to restart if you prefer.

At 17:19 02/02/2004, you wrote:
>Hi All,
>
>Quick question for those of you that might be using rules_du_jour for
>updating your custom SA rulesets.
>
>I've configured 'my_rules_du_jour' with an SA_RESTART command of
>"/etc/init.d/MailScanner reload" - and in the back of my mind I'm not sure
>if this is right - does MailScanner re-compile SpamAssassin on a reload
>(thus re-reading the custom rules) or does it actually require a 'restart'
>instead???
>
>Cheers,
>Steve.
>--
>This email and any files transmitted with it are confidential and intended
>solely for the use of the individual or entity to whom they are addressed.
>If you have received this email in error please notify the sender and
>delete the message from your mailbox.
>
>This footnote also confirms that this email message has been swept by
>MailScanner (www.mailscanner.info) for the presence of computer viruses.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 2 18:05:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:16 2006
Subject: 4.26.7, bayes rebuild, confused. -- 4.26.8
In-Reply-To: <401E656B.16959.13A0CE4@localhost>
References: <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <401E656B.16959.13A0CE4@localhost>
Message-ID: <6.0.1.1.2.20040202180427.037198c8@imap.ecs.soton.ac.uk>

At 17:57 02/02/2004, you wrote:
>Gee...
>
>FWIW, it happened a couple of centuries ago, but I recall having serious
>trouble making Perl's flock() work on Solaris... same situation, all
>development done under linux without a hitch and Solaris ignored all the
>locking... and it wasn't an interoperability problem, since I was
>competing against my own script...
>
>The point is I don't quite remember what we did to solve it (we is an
>understatement, since it wasn't me programming, I was just the
>designer)... it must have been perl 5.6.x and Solaris 7, but I'm not sure
>either...
>
>Seems like you'll need a Solaris box to test it thoroughly... I wouldn't
>even trust Solaris-x86 to behave identically to Solaris-Sparc :-(

I've got an Ultra-5 so I can do a real test. If necessary, I can build a Solaris-x86 box too. But as you say, the best place to try it is a real sparc.

>On 2 Feb 2004 at 14:06, Julian Field wrote:
>
> > I have just posted version 4.26.8.
> >
> > The problem did not appear on Linux, but does appear on Solaris. You can
> > now disable all the relevant code by setting
>
>--
>Mariano Absatz
>El Baby
>----------------------------------------------------------
>Oops. My brain just hit a bad sector.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From FCaen at CI.LAKEWOOD.WA.US Mon Feb 2 18:16:40 2004
From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen)
Date: Thu Jan 12 21:22:16 2006
Subject: NDR strategy
Message-ID:

-----Original Message-----
From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]

> There is way of setting up sendmail so it read from an Active
> Directory server to validate the email address. have a google around for 'how to'.

I suspect this is done by doing an LDAP lookup. If someone gets this to work or has a URL to post, I'd be interested.

---------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269

NOTICE: The Information contained in this transmission is privileged and confidential. It is intended for the use of the individual or entity named above. If the reader of this message is not the intended addressee or other legitimate recipient, the reader is hereby notified that any consideration, dissemination or duplication of this communication is strictly prohibited. If the addressee has received this communication in error, please return it to the above address by mail and notify this office by telephone.
City of Lakewood

From dwinkler at ALGORITHMICS.COM Mon Feb 2 18:33:42 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:16 2006
Subject: Rules_du_jour
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B18A@tormail2.algorithmics.com>

Does allowing the MailScanner restart via "Restart Every" also re-initialize SA?

Thanks,

Derek

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
Sent: Monday, February 02, 2004 1:04 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Rules_du_jour

You should only require a reload, as that re-initialises SA. But doing a restart has very little impact that doesn't happen when doing a restart. So feel free to restart if you prefer.

At 17:19 02/02/2004, you wrote:
>Hi All,
>
>Quick question for those of you that might be using rules_du_jour for
>updating your custom SA rulesets.
>
>I've configured 'my_rules_du_jour' with an SA_RESTART command of
>"/etc/init.d/MailScanner reload" - and in the back of my mind I'm not sure
>if this is right - does MailScanner re-compile SpamAssassin on a reload
>(thus re-reading the custom rules) or does it actually require a 'restart'
>instead???
>
>Cheers,
>Steve.
>--
>This email and any files transmitted with it are confidential and intended
>solely for the use of the individual or entity to whom they are addressed.
>If you have received this email in error please notify the sender and
>delete the message from your mailbox.
>
>This footnote also confirms that this email message has been swept by
>MailScanner (www.mailscanner.info) for the presence of computer viruses.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 2 18:43:38 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:16 2006
Subject: Rules_du_jour
In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B18A@tormail2.algorithmics.com>
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B18A@tormail2.algorithmics.com>
Message-ID: <6.0.1.1.2.20040202184330.03ce7f68@imap.ecs.soton.ac.uk>

Yes.

At 18:33 02/02/2004, you wrote:
>Does allowing the MailScanner restart via "Restart Every" also re-initialize
>SA?
>
>Thanks,
>
>Derek
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: Monday, February 02, 2004 1:04 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Rules_du_jour
>
>
>You should only require a reload, as that re-initialises SA. But doing a
>restart has very little impact that doesn't happen when doing a restart. So
>feel free to restart if you prefer.
>
>At 17:19 02/02/2004, you wrote:
> >Hi All,
> >
> >Quick question for those of you that might be using rules_du_jour for
> >updating your custom SA rulesets.
> >
> >I've configured 'my_rules_du_jour' with an SA_RESTART command of
> >"/etc/init.d/MailScanner reload" - and in the back of my mind I'm not sure
> >if this is right - does MailScanner re-compile SpamAssassin on a reload
> >(thus re-reading the custom rules) or does it actually require a 'restart'
> >instead???
> >
> >Cheers,
> >Steve.
> >--
> >This email and any files transmitted with it are confidential and intended
> >solely for the use of the individual or entity to whom they are addressed.
> >If you have received this email in error please notify the sender and
> >delete the message from your mailbox.
> >
> >This footnote also confirms that this email message has been swept by
> >MailScanner (www.mailscanner.info) for the presence of computer viruses.
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From test at NEXTMILL.NET Mon Feb 2 19:05:41 2004
From: test at NEXTMILL.NET (Brian Lewis)
Date: Thu Jan 12 21:22:16 2006
Subject: CLAMAV installation instructions?
Message-ID:

I am interested in installing Mailscanner and testing it, but I would like to implement CLAM-AV to scan for viruses as well. Has anyone documented the procedure to install and use ClamAV with Mailscanner? Sorry I am not a linux expert but I get around. I plan to use Redhat Fedora, will that work?

From sysadmin at FLEETONE.COM Mon Feb 2 19:20:15 2004
From: sysadmin at FLEETONE.COM (Rob)
Date: Thu Jan 12 21:22:16 2006
Subject: CLAMAV installation instructions?
References:
Message-ID: <198601c3e9c1$96371ca0$45a610ac@fleetone.com>

First, download the latest CLAMAV and extract it. Then:

The simplest way to compile this package is:

  1. `cd' to the directory containing the package's source code and type
     `./configure' to configure the package for your system. If you're
     using `csh' on an old version of System V, you might need to type
     `sh ./configure' instead to prevent `csh' from trying to execute
     `configure' itself.

     Running `configure' takes awhile. While running, it prints some
     messages telling which features it is checking for.

  2. Type `make' to compile the package.

  3. Optionally, type `make check' to run any self-tests that come with
     the package.

  4. Type `make install' to install the programs and any data files and
     documentation.

Now, edit your MailScanner.conf file and look for the line:

Virus Scanners =

Add clamav to the end of this line, save it, and restart MailScanner.

Rob

----- Original Message -----
From: "Brian Lewis"
To:
Sent: Monday, February 02, 2004 1:05 PM
Subject: CLAMAV installation instructions?

> I am interested in installing Mailscanner and testing it, but I would like
> to implement CLAM-AV to scan for viruses as well. Has anyone documented
> the procedure to install and use ClamAV with Mailscanner? Sorry I am not
> a linux expert but I get around. I plan to use Redhat Fedora, will that
> work?
>

From jbuda at NOTICIASARGENTINAS.COM Mon Feb 2 19:22:49 2004
From: jbuda at NOTICIASARGENTINAS.COM (Jose Julian Buda)
Date: Thu Jan 12 21:22:16 2006
Subject: CLAMAV installation instructions?
References:
Message-ID: <002101c3e9c1$f7c700c0$6000a8c0@noticiasargentinas.com>

did u see this site ?

http://clamav.sourceforge.net/doc/html-0.65/

----- Original Message -----
From: "Brian Lewis"
To:
Sent: Monday, February 02, 2004 4:05 PM
Subject: CLAMAV installation instructions?

> I am interested in installing Mailscanner and testing it, but I would like
> to implement CLAM-AV to scan for viruses as well. Has anyone documented
> the procedure to install and use ClamAV with Mailscanner? Sorry I am not
> a linux expert but I get around. I plan to use Redhat Fedora, will that
> work?

From lenaig at WANADOO.FR Mon Feb 2 19:44:07 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:16 2006
Subject: questions using sendmail
Message-ID: <20040202194407.GA4752@maelenn>

hello,

I am a little bit confused with sendmail/Mailscanner ...
I just install sendmail this afternoon, I test it, everything is running fine.
I install it on my laptop, I can send and receive mail ...
I am using mutt, procmail and fetchmail.
I read some documentations about exim and postfix, and about the exim one, I read something very interesting, that mailscanner was moving (scanning) from /var/spool/incoming queue to /var/spool/mqueue.in queue all mails received.
How can I do the same thing with sendmail ??
I put the right path in my MailScanner.conf:

Incoming Queue Dir = /var/spool/mqueue.in
Outgoing Queue Dir = /var/spool/mqueue
Incoming Work Dir = /var/spool/incoming
Quarantine Dir = /var/spool/quarantine

But my mqueue.in still empty ... something to do with sendmail/fetchmail ?

Thx

--
Thierry

Never run "apt-get install new-wife" before "apt-get remove --purge current-wife"

From shrek-m at GMX.DE Mon Feb 2 19:50:20 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:16 2006
Subject: CLAMAV installation instructions?
In-Reply-To:
References:
Message-ID: <401EA9FC.9030703@gmx.de>

Brian Lewis wrote:

>ClamAV with Mailscanner? Sorry I am not
>a linux expert but I get around. I plan to use Redhat Fedora, will that
>work?
>

yes :-)

eg.
At Sun Feb 1 05:32:04 2004 the virus scanner said:
   Sophos: >>> Virus 'W32/MyDoom-A' found in file test.scr
   ClamAV: test.scr contains Worm.SCO.A
   MailScanner: Windows Screensavers are often used to hide viruses (test.scr)

$ cat /etc/fedora-release
Fedora Core release 1 (Yarrow)

$ rhn-applet-tui
Ignoring
No package updates are needed.

$ clamscan --version
clamscan / ClamAV version 0.65

$ rpm -q mailscanner
mailscanner-4.26.5-1

$ grep "Virus Scanners" /etc/MailScanner/MailScanner.conf
# then set "Virus Scanners = none" instead.
# Virus Scanners = sophos f-prot mcafee
Virus Scanners = sophos clamav

--
shrek-m

From peter at UCGBOOK.COM Mon Feb 2 19:41:39 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:16 2006
Subject: CLAMAV installation instructions?
In-Reply-To: <198601c3e9c1$96371ca0$45a610ac@fleetone.com>
References: <198601c3e9c1$96371ca0$45a610ac@fleetone.com>
Message-ID: <401EA7F3.9040408@ucgbook.com>

Try this RPM instead:

http://crash.fce.vutbr.cz/crash-hat/1/clamav/

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From kevins at BMRB.CO.UK Mon Feb 2 19:57:24 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:16 2006
Subject: questions using sendmail
In-Reply-To: <20040202194407.GA4752@maelenn>
References: <20040202194407.GA4752@maelenn>
Message-ID: <1075751844.14737.22.camel@bach.kevinspicer.co.uk>

On Mon, 2004-02-02 at 19:44, Thierry wrote:
> hello,
> I am a little bit confused with sendmail/MailScanner ...
> I just installed sendmail this afternoon, I tested it, everything is running fine.
> I installed it on my laptop, I can send and receive mail ...
> I am using mutt, procmail and fetchmail.
> I read some documentation about exim and postfix, and about the exim one, I read something very interesting, that MailScanner was moving (scanning) from /var/spool/incoming queue to /var/spool/mqueue.in queue all mails received.
> How can I do the same thing with sendmail ??
> I put the right path in my MailScanner.conf:

> But my mqueue.in is still empty ... something to do with sendmail/fetchmail ?

You need to stop sendmail then start MailScanner, which will start the sendmail processes itself. Here are the commands (assuming redhat or similar...)

service MailScanner stop
service sendmail stop
chkconfig --level 2345 sendmail off
chkconfig --level 345 MailScanner on
service MailScanner start

I can confirm this works fine with fetchmail as this is one of my setups.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From bpumphrey at WOODMACLAW.COM Mon Feb 2 20:38:51 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:16 2006
Subject: Disabling scanning for one person
Message-ID:

I have a user that doesn't want his mailbox scanned. How do I go about disabling the scanning for one or more people specifically?

From dustin.baer at IHS.COM Mon Feb 2 20:40:48 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:16 2006
Subject: Skip scan for viruses
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> <401AA032.8FC7E858@ihs.com> <401AA25B.5050801@ucgbook.com> <1075488152.17925.7.camel@bach.kevinspicer.co.uk> <401AAB40.856224@ihs.com>
Message-ID: <401EB5D0.411C1A6E@ihs.com>

Dustin Baer wrote:
>
> Kevin Spicer wrote:
> >
> > Wouldn't it be better to spam whitelist the IP address of the
> > MailScanner machine (which is presumably where the message would be sent
> > from)?
>
> The MailScanner machine is whitelisted, but I add the header to the
> original qf, and send the df/qf pair back through. That way, the logs
> remain consistent.
>
> Although now that you bring it up, I might mess with changing the $_
> flag in the qf file, rather than adding the header.

Which should make it:

#!/bin/ksh

# Insert the X-SpamRequested-Email header before the final "." line of the
# qf file and rewrite its $_ line to the whitelisted IP.
sed -e 's/^.$/H??X-SpamRequested-Email: Requested\
./' \
-e 's/^\$_.*/$_[PUT YOUR WHITELISTED IP HERE]/' $emailID > qf$emailID.$$ && mv qf$emailID.$$ qf$emailID

# Put the message back into the incoming queue for MailScanner.
cp *$i /var/spool/mqueue.in

I have left the SpamRequested header in there, just for info purposes, but removed the rule from spam.assassin.prefs.conf. That way, spammers can't benefit from it.

Again, thanks for mentioning it, Kevin!

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From steve.swaney at FSL.COM Mon Feb 2 20:51:56 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:16 2006
Subject: questions using sendmail
In-Reply-To: <20040202194407.GA4752@maelenn>
Message-ID: <20040202205156.2382021C139@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Thierry
> Sent: Monday, February 02, 2004 2:44 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: questions using sendmail
>
> hello,
> I am a little bit confused with sendmail/MailScanner ...
> I just installed sendmail this afternoon, I tested it, everything is running fine.
> I installed it on my laptop, I can send and receive mail ...
> I am using mutt, procmail and fetchmail.
> I read some documentation about exim and postfix, and about the exim one, I read something very interesting, that MailScanner was moving (scanning) from /var/spool/incoming queue to /var/spool/mqueue.in queue all mails received.
> How can I do the same thing with sendmail ??
> I put the right path in my MailScanner.conf:
>
> Incoming Queue Dir = /var/spool/mqueue.in
> Outgoing Queue Dir = /var/spool/mqueue
> Incoming Work Dir = /var/spool/incoming

[SKS] Is mail being accepted by your system from other systems? Can you telnet to port 25 from another system?

I also note that the incoming work directory should match your setting in MailScanner.conf

Typically this is

Incoming Work Dir = /var/spool/MailScanner/incoming

The directory must exist and have the right permissions, typically for sendmail on linux:

# ls -dl /var/spool/MailScanner/incoming
drwxrwxrwt 2 root root 40 Feb 1 15:34 /var/spool/MailScanner/incoming

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> Quarantine Dir = /var/spool/quarantine
>
> But my mqueue.in is still empty ... something to do with sendmail/fetchmail ?
>
> Thx
>
> --
> Thierry
> Never do an "apt-get install new-wife" before an "apt-get remove --purge current-wife"
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

From merkel at METALINK.NET Mon Feb 2 21:01:11 2004
From: merkel at METALINK.NET (Eric J Merkel)
Date: Thu Jan 12 21:22:16 2006
Subject: Performance problems...(SOLVED)
References: <54C38A0B814C8E438EF73FC76F362927410885@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <010701c3e9cf$b06e8140$22c8a8c0@staff.metalink.net>

After loading caching DNS servers on all of our mail relays and changing the sendmail queue runner to about an hour, the servers were able to catch up. They're all running a load around 1.0-3.0 and only a few emails in the mqueue.in at any time.

Thanks to everyone who gave me suggestions. MailScanner is now rocking along with no lag! :)

Eric

----- Original Message -----
From: "Jeff A. Earickson"
To:
Sent: Friday, January 30, 2004 4:24 PM
Subject: Re: Performance problems...

> I *really* recommend running a caching DNS server on your
> box (and adding the physical memory to support it). Between the
> MTA, RBLs, MailScanner, SA, etc, etc, you will do a bzillion DNS
> lookups to get the mail delivered. Local caching is vital.
>
> Jeff Earickson
> Colby College
>
>

From mike at CAMAROSS.NET Mon Feb 2 21:10:33 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:16 2006
Subject: Disabling scanning for one person
In-Reply-To:
Message-ID: <200402022108.i12L8pH2008141@avwall.bladeware.com>

You can do this for virus scans AND spam. Just point the directive in MailScanner.conf at a ruleset. In the ruleset:

FromTo: user@nottoscan.org no
FromTo: default yes

Reload MailScanner and you are done.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Billy A. Pumphrey
Sent: Monday, February 02, 2004 2:39 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Disabling scanning for one person

I have a user that doesn't want his mailbox scanned. How do I go about disabling the scanning for one or more people specifically?

From ycayer at 3WEBMEDIA.COM Mon Feb 2 22:47:30 2004
From: ycayer at 3WEBMEDIA.COM (Yannick Cayer)
Date: Thu Jan 12 21:22:16 2006
Subject: MailScanner suddently taking all the CPU and a lot of memory.
Message-ID: <4915A8E67C498D42BAB5CB1351FD026E14AC36@3webad1.3WebMedia.int>

Greetings,

I have the following configuration:

mailscanner-4.25-14 with spamassassin 2.61
sendmail 8.11.6-27
on an IBM x235
2 2.4GHZ Processors
1.25 GHZ of RAM
Hot swappable raid 5 config.

We have about a 100 small sites configured for mail mostly and some, web.

This is running on RedHat Linux 7.3 Kernel 2.4.18-27.7.xsmp

We have been running MailScanner on that machine for almost 2 years now without any problems.

Since last week, MailScanner has been bringing the server almost to a complete halt, loads are skyrocketing very suddenly to 200! It is also taking at that time about 25MB per MailScanner process.

It does this for several minutes to a few hours and then suddenly comes back.

I really don't know what can be causing this. I have read the mail archives for this problem but the solutions I found were not appropriate to my specific problem/condition.

My config has the max attachments set to 5 and the MailScanner processes set to 10 (5 per CPU).

Can anyone help?

Thank you in advance.

From kevins at BMRB.CO.UK Mon Feb 2 23:11:10 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:16 2006
Subject: MailScanner suddently taking all the CPU and a lot of memory.
In-Reply-To: <4915A8E67C498D42BAB5CB1351FD026E14AC36@3webad1.3WebMedia.int>
References: <4915A8E67C498D42BAB5CB1351FD026E14AC36@3webad1.3WebMedia.int>
Message-ID: <1075763470.21194.53.camel@bach.kevinspicer.co.uk>

On Mon, 2004-02-02 at 22:47, Yannick Cayer wrote:

> We have about a 100 small sites configured for mail mostly and some,
> web.
>
> This is running on RedHat Linux 7.3 Kernel 2.4.18-27.7.xsmp
>
> We have been running MailScanner on that machine for almost 2 years now
> without any problems.
>
> Since last week, MailScanner has been bringing the server almost to a
> complete halt, loads are skyrocketing very suddenly to 200! It is also
> taking at that time about 25MB per MailScanner process.
>
> It does this for several minutes to a few hours and then suddenly comes
> back.
>

'Since Last Week' - are you sure this isn't anything to do with the MyDoom outbreak and its associated bounce messages (the load on my production server doubled and it struggled to keep up at times). If you're not already doing so I suggest taking steps to block subjects/email addresses used by this virus at your MTA (sendmail rulesets have been posted several times in the last week - search the archives for 'LOCAL RULESET')

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
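Whether a load jump like the one described above lines up with a surge of bounce traffic can be checked from the sendmail log itself. The following is an added example, not code from the thread: it counts accepted messages and null-sender (`from=<>`) messages per day and flags the days that stand out. The log lines are constructed samples in sendmail's syslog format, and the two thresholds (twice the median daily volume, half of a day's mail from the null sender) are assumptions to tune.

```python
import re
from collections import OrderedDict
from statistics import median

# sendmail logs one "from=" line per accepted message; "to=" lines are
# delivery attempts and would double-count, so only "from=" lines match.
FROM_LINE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2})\s+\d\d:\d\d:\d\d\s+\S+\s+"
    r"sendmail\[\d+\]:\s+\w+:\s+from=(?P<sender>[^,]*),"
)


def daily_stats(lines):
    """Return {day: {"total": n, "null": n}} in order of first appearance."""
    stats = OrderedDict()
    for line in lines:
        m = FROM_LINE.match(line)
        if not m:
            continue
        day = " ".join(m.group("date").split())  # "Feb  2" -> "Feb 2"
        entry = stats.setdefault(day, {"total": 0, "null": 0})
        entry["total"] += 1
        if m.group("sender").strip() == "<>":  # null sender: bounces/DSNs
            entry["null"] += 1
    return stats


def flag_days(stats, volume_factor=2.0, null_share=0.5):
    """Flag days whose volume or bounce share stands out.

    The baseline is the median daily total, so the log must cover more
    normal days than surge days for the comparison to mean anything.
    Both thresholds are assumptions, not values from the thread.
    """
    if not stats:
        return []
    baseline = median(e["total"] for e in stats.values())
    flagged = []
    for day, e in stats.items():
        reasons = []
        if e["total"] >= volume_factor * baseline:
            reasons.append("volume")
        if e["null"] / e["total"] >= null_share:
            reasons.append("bounces")
        if reasons:
            flagged.append((day, e["total"], e["null"], reasons))
    return flagged


def build_sample_log():
    """Constructed sample: five days of log lines (day, messages, bounces)."""
    plan = [("Jan 24", 4, 0), ("Jan 25", 5, 1), ("Jan 26", 4, 0),
            ("Jan 27", 12, 8), ("Jan 28", 11, 7)]
    lines = []
    for day, total, null in plan:
        for i in range(total):
            sender = "<>" if i < null else "<user%d@example.org>" % i
            lines.append(
                "%s 10:%02d:00 mx1 sendmail[%d]: i0QA%04d: from=%s, size=2048, "
                "class=0, nrcpts=1, proto=ESMTP, daemon=MTA, "
                "relay=host.example.net [192.0.2.%d]"
                % (day, i, 2000 + i, i, sender, i + 1))
        # Delivery and scanner lines must not be counted as messages.
        lines.append("%s 10:59:00 mx1 sendmail[2999]: i0QA0000: "
                     "to=<local@example.com>, mailer=local, stat=Sent" % day)
        lines.append("%s 10:59:30 mx1 MailScanner[3100]: New Batch: "
                     "Scanning 1 messages, 2048 bytes" % day)
    return lines


if __name__ == "__main__":
    for day, total, null, reasons in flag_days(daily_stats(build_sample_log())):
        print("%s: %d messages, %d from <> (%s)"
              % (day, total, null, ", ".join(reasons)))
```

To run it against a real log, pass the open file to `daily_stats()` in place of the sample list.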
From ycayer at 3webmedia.com Mon Feb 2 23:13:55 2004
From: ycayer at 3webmedia.com (Yannick Cayer)
Date: Thu Jan 12 21:22:16 2006
Subject: MailScanner suddently taking all the CPU and a lot of memory.
In-Reply-To: A<1075763470.21194.53.camel@bach.kevinspicer.co.uk>
Message-ID: <200402022314.i12NE6O16221@3webserv2.3webmedia.com>

I guess I could set a rule with spamassassin to block the subjects....

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer
> Sent: Monday, February 02, 2004 6:11 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: MailScanner suddently taking all the CPU and a lot of memory.
>
> On Mon, 2004-02-02 at 22:47, Yannick Cayer wrote:
>
> > We have about a 100 small sites configured for mail mostly and some,
> > web.
> >
> > This is running on RedHat Linux 7.3 Kernel 2.4.18-27.7.xsmp
> >
> > We have been running MailScanner on that machine for almost 2 years
> > now without any problems.
> >
> > Since last week, MailScanner has been bringing the server almost to a
> > complete halt, loads are skyrocketing very suddenly to 200! It is also
> > taking at that time about 25MB per MailScanner process.
> >
> > It does this for several minutes to a few hours and then suddenly
> > comes back.
> >
>
> 'Since Last Week' - are you sure this isn't anything to do
> with the MyDoom outbreak and its associated bounce messages
> (the load on my production server doubled and it struggled to
> keep up at times). If you're not already doing so I suggest
> taking steps to block subjects/email addresses used by this
> virus at your MTA (sendmail rulesets have been posted several
> times in the last week - search the archives for 'LOCAL RULESET')
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
>

From kevins at BMRB.CO.UK Mon Feb 2 23:21:07 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:16 2006
Subject: MailScanner suddently taking all the CPU and a lot of memory.
In-Reply-To: <200402022314.i12NE6O16221@3webserv2.3webmedia.com>
References: <200402022314.i12NE6O16221@3webserv2.3webmedia.com>
Message-ID: <1075764071.21509.5.camel@bach.kevinspicer.co.uk>

On Mon, 2004-02-02 at 23:13, Yannick Cayer wrote:
> > 'Since Last Week' - are you sure this isn't anything to do
> > with the MyDoom outbreak and its associated bounce messages
> > (the load on my production server doubled and it struggled to
> > keep up at times). If you're not already doing so I suggest
> > taking steps to block subjects/email addresses used by this
> > virus at your MTA (sendmail rulesets have been posted several
> > times in the last week - search the archives for 'LOCAL RULESET')
>
> I guess I could set a rule with spamassassin to block the subjects....
>

That won't make much difference to the load on your system, you need to do it at the MTA, so that the mail is rejected at the rcpt or data stage of the SMTP transaction. That will save your mail server the trouble of scanning it for viruses and spam and the hassle of attempting delivery to non-existent users/domains. If you post which MTA you are using maybe someone could help.

Have you established that this is what is causing your problem? (If you don't have any monitoring in place even just doing a wc -l on your daily maillog over the last couple of weeks should give you a flavour of what your mail load is like.)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From ycayer at 3webmedia.com Mon Feb 2 23:25:07 2004
From: ycayer at 3webmedia.com (Yannick Cayer)
Date: Thu Jan 12 21:22:16 2006
Subject: MailScanner suddently taking all the CPU and a lot of memory.
In-Reply-To: A<1075764071.21509.5.camel@bach.kevinspicer.co.uk>
Message-ID: <200402022325.i12NPIO17614@3webserv2.3webmedia.com>

My MTA is sendmail.

I guess I could use some help in setting it up to block this...

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer
> Sent: Monday, February 02, 2004 6:21 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: MailScanner suddently taking all the CPU and a lot of memory.
>
> On Mon, 2004-02-02 at 23:13, Yannick Cayer wrote:
> > > 'Since Last Week' - are you sure this isn't anything to do with the
> > > MyDoom outbreak and its associated bounce messages (the load on my
> > > production server doubled and it struggled to keep up at times). If
> > > you're not already doing so I suggest taking steps to block
> > > subjects/email addresses used by this virus at your MTA (sendmail
> > > rulesets have been posted several times in the last week - search the
> > > archives for 'LOCAL RULESET')
> >
> > I guess I could set a rule with spamassassin to block the subjects....
> >
>
> That won't make much difference to the load on your system,
> you need to do it at the MTA, so that the mail is rejected at
> the rcpt or data stage of the SMTP transaction. That will
> save your mail server the trouble of scanning it for viruses
> and spam and the hassle of attempting delivery to
> non-existent users/domains. If you post which MTA you are
> using maybe someone could help.
>
> Have you established that this is what is causing your problem? (If
> you don't have any monitoring in place even just doing a wc
> -l on your daily maillog over the last couple of weeks should
> give you a flavour of what your mail load is like.)
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
>

From gareth at BIM7.COM Mon Feb 2 23:29:23 2004
From: gareth at BIM7.COM (Gareth)
Date: Thu Jan 12 21:22:16 2006
Subject: incomingworkdir does not exist
Message-ID: <023d01c3e9e4$63c2c530$0a11a8c0@dijon>

Hi Guys

I've installed MailScanner on Debian Woody, and configured Postfix to work with it using instructions at http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml.

Everything seemed to go okay, and I am still receiving mail, but nothing is being filtered for spam and I have the following entries in /var/log/mail.log (about every 10 seconds!)

Feb 2 23:20:04 lyon MailScanner[25810]: MailScanner E-Mail Virus Scanner version 4.26.7 starting...
Feb 2 23:20:04 lyon MailScanner[25810]: Could not read directory /var/spool/MailScanner/incoming
Feb 2 23:20:04 lyon MailScanner[25810]: Error in configuration file line 115, directory /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable)

/var/spool/MailScanner/incoming does exist, and is owned by postfix and the group postfix. Permissions are 750.

drwxr-x--- 2 mail mail 48 Feb 1 17:12 archive
drwxr-x--- 2 postfix postfix 48 Feb 1 17:12 incoming
drwxr-x--- 2 postfix postfix 48 Feb 1 17:12 quarantine

Can anyone tell me what's going wrong? I've googled, and can't find anyone else with this problem.

Thanks

Gareth

From rzewnickie at RFA.ORG Mon Feb 2 23:49:04 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:16 2006
Subject: incomingworkdir does not exist
In-Reply-To: <023d01c3e9e4$63c2c530$0a11a8c0@dijon>
References: <023d01c3e9e4$63c2c530$0a11a8c0@dijon>
Message-ID: <20040202234904.GC4984@rfa.org>

did you remember to set:

Run As User = postfix
Run As Group = postfix

?

-Eric Rz.

On Mon, Feb 02, 2004 at 11:29:23PM -0000, Gareth wrote:
> Hi Guys
>
> I've installed MailScanner on Debian Woody, and configured Postfix to work
> with it using instructions at
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml.
>
> Everything seemed to go okay, and I am still receiving mail, but nothing is
> being filtered for spam and I have the following entries in /var/log/mail.log
> (about every 10 seconds!)
>
> Feb 2 23:20:04 lyon MailScanner[25810]: MailScanner E-Mail Virus Scanner version 4.26.7 starting...
> Feb 2 23:20:04 lyon MailScanner[25810]: Could not read directory /var/spool/MailScanner/incoming
> Feb 2 23:20:04 lyon MailScanner[25810]: Error in configuration file line 115, directory /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable)
>
> /var/spool/MailScanner/incoming does exist, and is owned by postfix and the
> group postfix. Permissions are 750.
>
> drwxr-x--- 2 mail mail 48 Feb 1 17:12 archive
> drwxr-x--- 2 postfix postfix 48 Feb 1 17:12 incoming
> drwxr-x--- 2 postfix postfix 48 Feb 1 17:12 quarantine
>
> Can anyone tell me what's going wrong? I've googled, and can't find anyone
> else with this problem.
>
> Thanks
>
>
> Gareth

From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 3 00:17:27 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:16 2006
Subject: Perl modules in rpm
Message-ID: <08146035CA49D6119A36009027AC822A0264ED9B@CITY-EXCH-NTS>

I know from a previous inquiry months ago that the perl security patches are included in the .rpm package, but I'm not sure if all the other Perl modules (listed on the .tar page) are.

I'm trying to document our setup so others can build/upgrade as seamlessly as possible; do I need to download/install the Perl modules prior to installing the rpm package or is it one stop shopping?

Thanks much...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From test at NEXTMILL.NET Tue Feb 3 00:44:51 2004
From: test at NEXTMILL.NET (Brian Lewis)
Date: Thu Jan 12 21:22:16 2006
Subject: Redirecting multiple domains to multiple mail servers
Message-ID:

Ok, I have installed Fedora Core 1, MailScanner 4.26, SpamAssassin 2.63, and ClamAV .065, what I want to do is configure it so I can change the MX record on multiple domains to point to this server, and then after a message passes the spam/virus check, it's sent on to the real server.

domain1.com ----> server1.whatever.com
domain2.com ----> server6.whatever.com
domainsoandso.com ----> server2.whatever.com
domainwhatnot.com ----> 192.168.0.101

How would I do this?

From steve.freegard at LBSLTD.CO.UK Tue Feb 3 00:44:45 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:16 2006
Subject: Announce: MailWatch for MailScanner 0.5
Message-ID: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk>

Hi All,

I'm pleased to finally release 0.5 which you can download from http://www.sourceforge.net/projects/mailwatch.

CHANGE LOG
- Updated indexes for much greater performance (again!).
- Added preliminary support for per-user filters (see USER_FILTERS file).
- Added the ability to view quarantined items.
- All tables now enable a pager when returning more than 50 rows and allow ordering by any of the displayed columns.
- New tool to run SpamAssassin --lint and time the output for debugging SA.
- New F-Secure status page (like Sophos).
- Required PEAR modules now included.
- Added reporting of Blacklisted mails.
- Integrated the reporting of SpamAssassin Blacklisted/Whitelisted e-mails.
- Quoted printable strings are now automatically decoded before display.
- Configuration options moved from functions.php into conf.php
- Automatically works out VIRUS_REGEX by using the first value in MailScanner.conf - e.g. 'Virus Scanners = sophossavi clamavmodule' would activate the regexp for SophosSAVI.
- New 'Virus Report' allows comparison of multiple scanners (if you run more than one) and allows you to see 1st detection date/time of each virus by each scanner.
- Integration with Fortress Systems Secure Mail Gateway.

FIXES
- Multiple clean-ups of mailq.php to make it more robust.
- Greatly improved debugging of SQL statements.
- Quarantine now correctly looks in the non-spam quarantine directories.
- SA Rules Description Update now reads custom rules as well.
- sendmail_relay.php now works across log rotations.
- Increased memory_limit to 128M for quarantine functions.

Kind regards,
Steve.
--
MailWatch for MailScanner
http://mailwatch.sourceforge.net

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From ugob at CAMO-ROUTE.COM Tue Feb 3 00:52:36 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:16 2006
Subject: questions using sendmail
Message-ID: <54C38A0B814C8E438EF73FC76F362927410897@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
> Sent: Monday, February 02, 2004 2:57 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: questions using sendmail
>
>
> On Mon, 2004-02-02 at 19:44, Thierry wrote:
> > hello,
> > I am a little bit confused with sendmail/MailScanner ...
> > I just installed sendmail this afternoon, I tested it, everything is running fine.
> > I installed it on my laptop, I can send and receive mail ...
> > I am using mutt, procmail and fetchmail.
> > I read some documentation about exim and postfix, and about the exim one, I read something very interesting, that MailScanner was moving (scanning) from /var/spool/incoming queue to /var/spool/mqueue.in queue all mails received.
> > How can I do the same thing with sendmail ??
> > I put the right path in my MailScanner.conf:
>
> > But my mqueue.in is still empty ... something to do with sendmail/fetchmail ?
>
> You need to stop sendmail then start MailScanner, which will start the
> sendmail processes itself. Here are the commands (assuming redhat or
> similar...)
> service MailScanner stop
> service sendmail stop
> chkconfig --level 2345 sendmail off
> chkconfig --level 345 MailScanner on
> service MailScanner start
>
> I can confirm this works fine with fetchmail as this is one of my
> setups.

I use fetchmail as well. No prob.

>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
>

From ugob at CAMO-ROUTE.COM Tue Feb 3 00:54:13 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:16 2006
Subject: Disabling scanning for one person
Message-ID: <54C38A0B814C8E438EF73FC76F362927410898@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Billy A. Pumphrey [mailto:bpumphrey@WOODMACLAW.COM]
> Sent: Monday, February 02, 2004 3:39 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Disabling scanning for one person
>
>
> I have a user that doesn't want his mailbox scanned. How do I go about
> disabling the scanning for one or more people specifically?

You can see the rules tutorial in the faqs.

>

From ugob at CAMO-ROUTE.COM Tue Feb 3 00:56:19 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:16 2006
Subject: Redirecting multiple domains to multiple mail servers
Message-ID: <54C38A0B814C8E438EF73FC76F362927410899@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Brian Lewis [mailto:test@NEXTMILL.NET]
> Sent: Monday, February 02, 2004 7:45 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Redirecting multiple domains to multiple mail servers
>
>
> Ok, I have installed Fedora Core 1, MailScanner 4.26, SpamAssassin 2.63,
> and ClamAV .065, what I want to do is configure it so I can change the MX
> record on multiple domains to point to this server, and then after a
> message passes the spam/virus check, it's sent on to the real server.
>
> domain1.com ----> server1.whatever.com
> domain2.com ----> server6.whatever.com
> domainsoandso.com ----> server2.whatever.com
> domainwhatnot.com ----> 192.168.0.101
>
> How would I do this?

What MTA? sendmail and postfix tutorials are available in the faqs.

>

From g.pentland at SOTON.AC.UK Tue Feb 3 00:52:42 2004
From: g.pentland at SOTON.AC.UK (Pentland G.)
Date: Thu Jan 12 21:22:16 2006
Subject: NDR strategy
Message-ID:

I'm looking at this issue and some other routing problems at the moment...

For now go to sendmail.org and search for "LDAP"; it describes the LASER schema extension. Sadly it appears that getting sendmail to work with the "mail" attribute is a little hard.

If you are not the AD admin at your site then they might be concerned... in AD 2000 you cannot remove a schema change! 2003 allegedly fixes that.

I'll post a howto when I have it all in place and working...

Good luck

-----Original Message-----
From: Francois Caen [mailto:FCaen@CI.LAKEWOOD.WA.US]
Sent: 02 February 2004 18:17
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: NDR strategy

-----Original Message-----
From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]

> There is way of setting up sendmail so it read from an Active
> Directory server to validate the email address. have a google around for 'how to'.

I suspect this is done by doing an LDAP lookup. If someone gets this to work or has a URL to post, I'd be interested.

---------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269

NOTICE: The Information contained in this transmission is privileged and confidential. It is intended for the use of the individual or entity named above. If the reader of this message is not the intended addressee or other legitimate recipient, the reader is hereby notified that any consideration, dissemination or duplication of this communication is strictly prohibited. If the addressee has received this communication in error, please return it to the above address by mail and notify this office by telephone. City of Lakewood

From gdoris at ROGERS.COM Tue Feb 3 03:48:17 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:22:16 2006
Subject: Announce: MailWatch for MailScanner 0.5
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk>
Message-ID: <1075780097.5978.9.camel@jaguar.dorfam.ca>

On Mon, 2004-02-02 at 19:44, Steve Freegard wrote:
> Hi All,
>
> I'm pleased to finally release 0.5 which you can download from
> http://www.sourceforge.net/projects/mailwatch.
>
> CHANGE LOG
> - Updated indexes for much greater performance (again!).
> - Added preliminary support for per-user filters (see USER_FILTERS file).
> - Added the ability to view quarantined items.
> - All tables now enable a pager when returning more than 50 rows and allow
>   ordering by any of the displayed columns.
> - New tool to run SpamAssassin --lint and time the output for debugging SA.
> - New F-Secure status page (like Sophos).
> - Required PEAR modules now included.
> - Added reporting of Blacklisted mails.
> - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted e-mails.
> - Quoted printable strings are now automatically decoded before display.
> - Configuration options moved from functions.php into conf.php
> - Automatically works out VIRUS_REGEX by using the first value in
>   MailScanner.conf - e.g. 'Virus Scanners = sophossavi clamavmodule' would
>   activate the regexp for SophosSAVI.
> - New 'Virus Report' allows comparison of multiple scanners (if you run
>   more than one) and allows you to see 1st detection date/time of each
>   virus by each scanner.
> - Integration with Fortress Systems Secure Mail Gateway.
>
> FIXES
> - Multiple clean-ups of mailq.php to make it more robust.
> - Greatly improved debugging of SQL statements.
> - Quarantine now correctly looks in the non-spam quarantine directories.
> - SA Rules Description Update now reads custom rules as well.
> - sendmail_relay.php now works across log rotations.
> - Increased memory_limit to 128M for quarantine functions.
>
> Kind regards,
> Steve.

I've just upgraded from 0.4 on a Fedora system. All seems to be working as advertised!

--
Gerry Doris

From gareth at BIM7.COM Tue Feb 3 08:15:32 2004
From: gareth at BIM7.COM (Gareth)
Date: Thu Jan 12 21:22:16 2006
Subject: incomingworkdir does not exist
References: <023d01c3e9e4$63c2c530$0a11a8c0@dijon> <20040202234904.GC4984@rfa.org>
Message-ID: <027801c3ea2d$e4b6d0c0$0a11a8c0@dijon>

> did you remember to set:
>
> Run As User = postfix
> Run As Group = postfix
>
> > Feb 2 23:20:04 lyon MailScanner[25810]: MailScanner E-Mail Virus Scanner version 4.26.7 starting...
> > Feb 2 23:20:04 lyon MailScanner[25810]: Could not read directory /var/spool/MailScanner/incoming
> > Feb 2 23:20:04 lyon MailScanner[25810]: Error in configuration file line 115, directory /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable)
> >
> > /var/spool/MailScanner/incoming does exist, and is owned by postfix and the
> > group postfix. Permissions are 750.
> >

Yeah.. I did that in /etc/MailScanner/MailScanner.conf

Any other suggestions much appreciated.

Gareth

From steve at INTELIPORT.COM Tue Feb 3 08:05:40 2004
From: steve at INTELIPORT.COM (Stephen Lane) Date: Thu Jan 12 21:22:16 2006 Subject: Need some help Hijacked Returned domain Message-ID: <02af01c3ea2c$88b50090$f90010ac@iplanet2385> Hi everyone, We have in recent days been the recipient of spammers using our domain name as a return address. They use all kinds of names etc.. I could really use some assistance in trying to stop this or at least handle the bounce mail better, we are also getting a extreme amount of mail from null senders logs are filled with from=<> on one of our server we have 20,000 entries in the last 15 hours. Any hints, comments, ideas on stopping this I just added dnsbl.sorbs.net to sendmail and it's already starting to help (BTW great job Matthew) are others having this problem also? it seems this started up a couple of days ago after MyDoom hit. Is anyone else having this happen or has seen this before. below is an example of the a org message that was returned I left off the information from where it was bounced. Thanks in advance Steve --- Start Content-Type: message/rfc822 Message-ID: 
From: Roseanna Escalante To: webmaster@northernbus.com Subject: FWD: Available All. X@nax , v|agR@ _ \ Va:l:ium = S0ma , Pn:t:er min 4v5tR Date: Wed, 4 Feb 2004 02:23:41 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2656.59) X-MS-Embedded-Report: Content-Type: text/plain; charset="iso-8859-1" We believe ordering medication should be as simple as ordering anything else on the Internet: Private, secure, and easy. On stock: \ Xan|a|x ) Val/i/um = So+m+a = Pntermin $ V1Agr@ Plus: A'cyc|0vir, Pr0z@.c, P@`xil, Bus:p@r, Ad|p&.x, I0`nam|n, M3ri:dia, X3nic.a|, Am`bi3n, S0na.Ta, F`l3xeril, Ce|3br'ex, Fi0ri`c3t, T'ram@do|, U|t`r@m, L3:v|tra, Pr0p3ci`a Most trusted name brands. Enjoy deep discount meds here ------_=_NextPart_000_01C3EA29.1039B262-- ---End -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040203/dbffa802/attachment.html From jdbautista at IWSPC.COM Tue Feb 3 08:38:38 2004 From: jdbautista at IWSPC.COM (Joseph C. Bautista) Date: Thu Jan 12 21:22:16 2006 Subject: Announce: MailWatch for MailScanner 0.5 References: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk> Message-ID: <00e601c3ea31$255aa360$4c04a8c0@Plnt3domain> Hi All, I think i followed the instruction correct. My Mailscanner is logging to mysql database. But everytime i point my browser to http://localhost/mailscanner it gives me an error: Fatal error: Call to undefined function: mysql_pconnect() in /home/httpd/html/mailscanner/functions.php on line 273 Anyone knows how to fixed this? Thnx. ----- Original Message ----- 
From: "Steve Freegard" To: Sent: Tuesday, February 03, 2004 8:44 AM Subject: Announce: MailWatch for MailScanner 0.5 > Hi All, > > I'm pleased to finally release 0.5 which you can download from > http://www.sourceforge.net/projects/mailwatch. > > CHANGE LOG > - Updated indexes for much greater performance (again!). > - Added preliminary support for per-user filters (see USER_FILTERS file). > - Added the ability to view quarantined items. > - All tables now enable a pager when returning more than 50 rows and allow > ordering by any of the displayed columns. > - New tool to run SpamAssassin --lint and time the output for debugging SA. > - New F-Secure status page (like Sophos). > - Required PEAR modules now included. > - Added reporting of Blacklisted mails. > - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted e-mails. > - Quoted printable strings are now automatically decoded before display. > - Configuration options moved from functions.php into conf.php > - Automatically works out VIRUS_REGEX by using the first value in > MailScanner.conf - e.g. 'Virus Scanners = sophossavi clamavmodule' would > activate the regexp for SophosSAVI. > - New 'Virus Report' allows comparison of multiple scanners (if you run > more than one) and allows you to see 1st detection date/time of each > virus by each scanner. > - Integration with Fortress Systems Secure Mail Gateway. > > FIXES > - Multiple clean-ups of mailq.php to make it more robust. > - Greatly improved debugging of SQL statments. > - Quarantine now correctly looks in the non-spam quarantine directories. > - SA Rules Description Update now reads custom rules as well. > - sendmail_relay.php now works across log rotations. > - Increased memory_limit to 128M for quarantine functions. > > Kind regards, > Steve. 
> > -- > MailWatch for MailScanner > http://mailwatch.sourceforge.net > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer viruses. From steve.freegard at LBSLTD.CO.UK Tue Feb 3 09:06:37 2004 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:22:17 2006 Subject: Announce: MailWatch for MailScanner 0.5 Message-ID: <67D9E7698329D411936E00508B6590B902773E43@neelix.lbsltd.co.uk> Hi Joseph, You're getting this error because your copy of PHP doesn't have the MySQL module installed or compiled in. If you are running RedHat install the php-mysql RPM from your installation CD's and restart apache and it will start working. Kind regards, Steve. > -----Original Message----- > From: Joseph C. Bautista [mailto:jdbautista@IWSPC.COM] > Sent: 03 February 2004 08:39 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Announce: MailWatch for MailScanner 0.5 > > > Hi All, > > I think i followed the instruction correct. My > Mailscanner is logging to mysql database. But everytime i > point my browser to > > http://localhost/mailscanner it gives me an error: > > Fatal error: Call to undefined function: > mysql_pconnect() in > /home/httpd/html/mailscanner/functions.php on line 273 > > Anyone knows how to fixed this? > > Thnx. > > > ----- Original Message ----- 
> From: "Steve Freegard" > To: > Sent: Tuesday, February 03, 2004 8:44 AM > Subject: Announce: MailWatch for MailScanner 0.5 > > > > Hi All, > > > > I'm pleased to finally release 0.5 which you can download from > > http://www.sourceforge.net/projects/mailwatch. > > > > CHANGE LOG > > - Updated indexes for much greater performance (again!). > > - Added preliminary support for per-user filters (see USER_FILTERS > > file). > > - Added the ability to view quarantined items. > > - All tables now enable a pager when returning more than 50 > rows and allow > > ordering by any of the displayed columns. > > - New tool to run SpamAssassin --lint and time the output > for debugging > SA. > > - New F-Secure status page (like Sophos). > > - Required PEAR modules now included. > > - Added reporting of Blacklisted mails. > > - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted > e-mails. > > - Quoted printable strings are now automatically decoded before > > display. > > - Configuration options moved from functions.php into conf.php > > - Automatically works out VIRUS_REGEX by using the first value in > > MailScanner.conf - e.g. 'Virus Scanners = sophossavi > clamavmodule' would > > activate the regexp for SophosSAVI. > > - New 'Virus Report' allows comparison of multiple scanners > (if you run > > more than one) and allows you to see 1st detection > date/time of each > > virus by each scanner. > > - Integration with Fortress Systems Secure Mail Gateway. > > > > FIXES > > - Multiple clean-ups of mailq.php to make it more robust. > > - Greatly improved debugging of SQL statments. > > - Quarantine now correctly looks in the non-spam quarantine > > directories. > > - SA Rules Description Update now reads custom rules as well. > > - sendmail_relay.php now works across log rotations. > > - Increased memory_limit to 128M for quarantine functions. > > > > Kind regards, > > Steve. 
> > > > -- > > MailWatch for MailScanner > > http://mailwatch.sourceforge.net > > > > -- > > This email and any files transmitted with it are confidential and > > intended solely for the use of the individual or entity to > whom they > > are addressed. If you have received this email in error > please notify > > the sender and delete the message from your mailbox. > > > > This footnote also confirms that this email message has > been swept by > > MailScanner (www.mailscanner.info) for the presence of computer > > viruses. > -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From stephane.branchoux at UNIV-PERP.FR Tue Feb 3 09:41:10 2004 From: stephane.branchoux at UNIV-PERP.FR (stephane BRANCHOUX) Date: Thu Jan 12 21:22:17 2006 Subject: scan zip files Message-ID: <467301c3ea39$db6216e0$0688a7c2@belleile> Hello, i use mailscanner 4.12 with mcafee. Zip files are authorized but is there a way to scan zip files ? Last virus is sent in a zip file and i would like to scan it without blocking all zip files. Many thanks in advance. stephane BRANCHOUX Centre de Ressources Informatiques de l'Universit? de Perpignan. Syst?mes/R?seaux mailto:stephane.branchoux@univ-perp.fr 04 68 66 21 24 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3827 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040203/183c9afd/smime.bin From prandal at HEREFORDSHIRE.GOV.UK Tue Feb 3 10:13:42 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:17 2006 Subject: CLAMAV installation instructions? Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4D3@jessica.herefordshire.gov.uk> Or: Virus Scanners = clamavmodule Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of shrek-m@gmx.de > Sent: 02 February 2004 19:50 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: CLAMAV installation instructions? > > > Brian Lewis wrote: > > >ClamAV with Mailscanner? Sorry I am not > >a linux expert but I get around. I plan to use Redhat > Fedora, will that > >work? > > > > yes :-) > > eg. > > At Sun Feb 1 05:32:04 2004 the virus scanner said: > Sophos: >>> Virus 'W32/MyDoom-A' found in file test.scr > ClamAV: test.scr contains Worm.SCO.A > MailScanner: Windows Screensavers are often used to hide > viruses (test.scr) > > > > > $ cat /etc/fedora-release > Fedora Core release 1 (Yarrow) > > $ rhn-applet-tui > Ignoring > No package updates are needed. > > $ clamscan --version > clamscan / ClamAV version 0.65 > > $ rpm -q mailscanner > mailscanner-4.26.5-1 > > $ grep "Virus Scanners" /etc/MailScanner/MailScanner.conf > # then set "Virus Scanners = none" instead. > # Virus Scanners = sophos f-prot mcafee > Virus Scanners = sophos clamav > > > -- > shrek-m > From mailscanner at ecs.soton.ac.uk Tue Feb 3 09:07:30 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:17 2006 Subject: Perl modules in rpm In-Reply-To: <08146035CA49D6119A36009027AC822A0264ED9B@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264ED9B@CITY-EXCH-NTS> Message-ID: <6.0.1.1.2.20040203090707.073a8680@imap.ecs.soton.ac.uk> At 00:17 03/02/2004, you wrote: >I know from a previous inquiry months ago that the perl security patches are >included in the .rpm package, but I'm not sure if all the other Perl modules >(listed on the .tar page) are. I'm trying to document our setup so others >can build/upgrade as seamlessly as possible; do I need to download/install >the Perl modules prior to installing the rpm package or is it one stop >shopping? Thanks much... The RPM distributions of MailScanner include everything you need. Just unpack them and "./install.sh". -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 3 09:09:37 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:17 2006 Subject: Need some help Hijacked Returned domain In-Reply-To: <02af01c3ea2c$88b50090$f90010ac@iplanet2385> References: <02af01c3ea2c$88b50090$f90010ac@iplanet2385> Message-ID: <6.0.1.1.2.20040203090855.073aba60@imap.ecs.soton.ac.uk> Take a look at using the "access database" in sendmail to block unknown recipients at the SMTP level. It's all documented at www.sendmail.org. At 08:05 03/02/2004, you wrote: >Hi everyone, > >We have in recent days been the recipient of spammers using our domain >name as a return address. They use all kinds of names etc.. >I could really use some assistance in trying to stop this or at least >handle the bounce mail better, we are also getting a extreme amount >of mail from null senders logs are filled with from=<> on one of our >server we have 20,000 entries in the last 15 hours. > >Any hints, comments, ideas on stopping this I just added dnsbl.sorbs.net >to sendmail and it's already starting to help (BTW great job Matthew) >are others having this problem also? it seems this started up a couple of >days ago after MyDoom hit. Is anyone else having this happen or has >seen this before. > >below is an example of the a org message that was returned I left off the >information from where it was bounced. > >Thanks in advance >Steve >--- Start > >Content-Type: message/rfc822 > >Message-ID: ><QVMEELMZZSXALGDVYHSPYZ@fidalgo.net> 
>From: Roseanna Escalante
><webmaster@inteliport.com>
>To: webmaster@northernbus.com
>Subject: FWD: Available All. X@nax , v|agR@ _ \ Va:l:ium =
>S0ma , Pn:t:er
> min 4v5tR
>Date: Wed, 4 Feb 2004 02:23:41 -0500
>MIME-Version: 1.0
>X-Mailer: Internet Mail Service (5.5.2656.59)
>X-MS-Embedded-Report:
>Content-Type: text/plain;
> charset="iso-8859-1"
>
>We believe ordering medication should be as simple as ordering anything else
>on the Internet: Private, secure, and easy.
>On stock: \ Xan|a|x ) Val/i/um = So+m+a = Pntermin $ V1Agr@
>Plus: A'cyc|0vir, Pr0z@.c, P@`xil, Bus:p@r,
>Ad|p&.x, I0`nam|n, M3ri:dia,
>X3nic.a|, Am`bi3n, S0na.Ta, F`l3xeril, Ce|3br'ex, Fi0ri`c3t,
>T'ram@do|,
>U|t`r@m, L3:v|tra, Pr0p3ci`a
>
>Most trusted name brands.
>Enjoy deep discount meds here
><http://www.affordablemeds.biz>
>------_=_NextPart_000_01C3EA29.1039B262--
>
>---End

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From gareth at BIM7.COM Tue Feb 3 10:42:57 2004
From: gareth at BIM7.COM (Gareth)
Date: Thu Jan 12 21:22:17 2006
Subject: incomingworkdir does not exist
In-Reply-To: <027801c3ea2d$e4b6d0c0$0a11a8c0@dijon>
References: <023d01c3e9e4$63c2c530$0a11a8c0@dijon> <20040202234904.GC4984@rfa.org> <027801c3ea2d$e4b6d0c0$0a11a8c0@dijon>
Message-ID: <4160.62.49.205.2.1075804977.squirrel@squirrelmail.bim7.com>

>> did you remember to set:
>>
>> Run As User = postfix
>> Run As Group = postfix
>>
> Yeah.. I did that in /etc/MailScanner/MailScanner.conf
>

I've just changed the ownership /var/spool/MailScanner/ to 'postfix' and this seems to have stopped the error messages in mail.log.

However, none of my incoming email has any MailScanner headers appended... how can I test everything is working? Email is still sent and received okay, and MailScanner is running if I do a ps -edf | grep MailScanner.

Gareth

From Tim.Hadlow at BL.UK Tue Feb 3 10:59:51 2004
From: Tim.Hadlow at BL.UK (Hadlow, Tim) Date: Thu Jan 12 21:22:17 2006 Subject: JANET RBL+ time-outs Message-ID: <5D6AD0E24C704645A0F1F1431B9F21610433A034@NT-LONEX2> Hello, Since yesterday (I think) our MailScanner has been reporting rather a lot of "RBL Check MAPS-RBL+ timed out and was killed" messages. This is the rbl-plus.mail-abuse.ja.net service used by the UK Academic Community. Has anyone else noticed if they are having the same problem? Regards, Tim. ************************************************************************** Experience the British Library online at www.bl.uk Adopt a Book this season ! Help the British Library conserve the world's knowledge. www.bl.uk/adoptabook ************************************************************************* The information contained in this e-mail is confidential and may be legally privileged. It is intended for the addressee(s) only. If you are not the intended recipient, please delete this e-mail and notify the postmaster@bl.uk : The contents of this e-mail must not be disclosed or copied without the sender's consent. The statements and opinions expressed in this message are those of the author and do not necessarily reflect those of the British Library. The British Library does not take any responsibility for the views of the author. ************************************************************************* From mailscanner at ecs.soton.ac.uk Tue Feb 3 10:55:14 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:17 2006
Subject: incomingworkdir does not exist
In-Reply-To: <4160.62.49.205.2.1075804977.squirrel@squirrelmail.bim7.com>
References: <023d01c3e9e4$63c2c530$0a11a8c0@dijon> <20040202234904.GC4984@rfa.org> <027801c3ea2d$e4b6d0c0$0a11a8c0@dijon> <4160.62.49.205.2.1075804977.squirrel@squirrelmail.bim7.com>
Message-ID: <6.0.1.1.2.20040203105459.04148758@imap.ecs.soton.ac.uk>

At 10:42 03/02/2004, you wrote:
> >> did you remember to set:
> >>
> >> Run As User = postfix
> >> Run As Group = postfix
> >>
> > Yeah.. I did that in /etc/MailScanner/MailScanner.conf
> >
>
>I've just changed the ownership /var/spool/MailScanner/ to 'postfix' and
>this seems to have stopped the error messages in mail.log.

Can someone add that to the FAQ please?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve at INTELIPORT.COM Tue Feb 3 11:23:38 2004
From: steve at INTELIPORT.COM (Stephen Lane)
Date: Thu Jan 12 21:22:17 2006
Subject: Need some help Hijacked Returned domain
Message-ID:

If I do use the access list or sendmail.cf won't that break the DSN rule, and if so what will the effect of doing so be.

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 3 11:45:40 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:17 2006
Subject: NDR strategy
Message-ID:

> I suspect this is done by doing an LDAP lookup.

Correct which is why we are not using it. I would like to have my Exim/Sendmail only talk to Exchange via SMTP. Therefore we push this information towards Exim. We wrote a little script that exports all valid e-mail addresses to the unix box, convert this to a cdb and have exim look this up. Works automatically and flawlessly.

Regards,
JP

From martinh at SOLID-STATE-LOGIC.COM Tue Feb 3 11:50:27 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:17 2006
Subject: NDR strategy
In-Reply-To:
References:
Message-ID: <401F8B03.7040802@solid-state-logic.com>

Jan-Peter Koopmann wrote:
>>I suspect this is done by doing an LDAP lookup.
>
>
> Correct which is why we are not using it. I would like to have my
> Exim/Sendmail only talk to Exchange via SMTP. Therefore we push this
> information towards Exim. We wrote a little script that exports all
> valid e-mail addresses to the unix box, convert this to a cdb and have
> exim look this up. Works automatically and flawlessly.
>
> Regards,
> JP

JP

have you got this script and the exim settings? I'd love to setup this on our exim system.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 3 11:53:15 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:17 2006 Subject: BSD pb running MailScanner Message-ID: Thierry, as you know I answered to your question and in turn asked you several. Again: From what you told me off list I am pretty sure your MTA setup is wrong. Your mail is probably received by ssmtp and delivered right away instead of being stored in a queue. Therefore MailScanner never sees it. Again: Please check if you receive mail if mailscanner is not running. If you do, my assumption is correct. Moreover: Why do you not use sendmail/exim/postfix but ssmtp? That is really not the MTA you would like to use for this kind of purpose. Thanks, JP From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 3 12:05:05 2004 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:17 2006
Subject: SPF and MailScanner
Message-ID:

> I have yet to see a solution to the problem that actually
> will work in real life. SPF requires me to keep track of all
> the IP addresses of every outgoing-mail-server used by
> BTInternet, for example. They change their setup (for
> maintenance or whatever) and all of a sudden all my mail is
> rejected. Yeah, great idea :-(

Not necessarily true. First of all this is voluntary. If you decide not to give your domain SPF records nothing will change. If you do you could use things like ptr, mx or include directive:

Mx: Allow mail being sent from all hosts that also accept mail for this domain
Ptr: Allow mail for this host from all IPs that resolve to your domain.
Include: If BTInternet support SPF simply include btinternet and you do not need to worry.

I fail to see why BTInternet is a problem for you? Are you behind a dial-up like connection and run your own mailserver? That might be a problem I agree. Companies tend to run their MTAs behind a static IP though and have their remote users use SMTP AUTH to make sure, outgoing mail is properly scanned etc.

Personally I think SPF is a good concept. Not perfect, but good!

Regards,
JP

From ronan at NOC.ULCC.AC.UK Tue Feb 3 12:00:28 2004
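The mx, ptr and include mechanisms named in Jan-Peter Koopmann's SPF message above, evaluated left to right for a connecting IP. This is an added example, not part of the original post: a reduced model of SPF evaluation run against constructed DNS data, in which every domain name and address, the ip4 mechanism used for the included ISP, and the function names are assumptions of the example.

```python
"""Added example: a reduced SPF evaluator for the mx, ptr and include
mechanisms, run against constructed DNS data (no network access)."""
import ipaddress

# Constructed DNS data: documentation address ranges and example names only.
DNS = {
    "TXT": {
        "corp.example": "v=spf1 mx include:isp.example -all",
        "isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
        "lab.example": "v=spf1 ptr -all",
    },
    "MX": {"corp.example": ["mail.corp.example"]},
    "A": {"mail.corp.example": ["192.0.2.10"], "gw.lab.example": ["203.0.113.7"]},
    # 203.0.113.99 claims a lab.example name that does not resolve back to it.
    "PTR": {"203.0.113.7": ["gw.lab.example"], "203.0.113.99": ["gw.lab.example"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PolicyError(Exception):
    """A record this reduced model cannot evaluate."""


def mechanism_matches(mech, arg, ip, domain, depth):
    """Return True when one mechanism matches the connecting IP."""
    target = arg or domain
    if mech == "all":
        return True
    if mech == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if mech == "mx":
        # Hosts that accept mail for the domain may also send for it.
        return any(ip in DNS["A"].get(h, []) for h in DNS["MX"].get(target, []))
    if mech == "ptr":
        # The reverse name must resolve forward to the same IP and lie
        # inside the target domain; a bare PTR claim is not enough.
        for name in DNS["PTR"].get(ip, []):
            forward_ok = ip in DNS["A"].get(name, [])
            in_domain = name == target or name.endswith("." + target)
            if forward_ok and in_domain:
                return True
        return False
    if mech == "include":
        # include matches only when the other domain's policy says pass.
        inner = check_host(ip, arg, depth + 1)
        if inner in ("none", "permerror"):
            raise PolicyError("included domain has no usable policy")
        return inner == "pass"
    raise PolicyError(f"unsupported term {mech!r}")


def check_host(ip, domain, depth=0):
    """Evaluate the domain's policy for ip; the first matching term decides."""
    record = DNS["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy: nothing changes for it
    if depth > 10:  # simplification of the real lookup limit
        return "permerror"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        try:
            if mechanism_matches(mech.lower(), arg, ip, domain, depth):
                return RESULT[qualifier]
        except PolicyError:
            return "permerror"
    return "neutral"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "corp.example"), ("198.51.100.25", "corp.example"),
                    ("203.0.113.50", "corp.example"), ("203.0.113.7", "lab.example"),
                    ("203.0.113.99", "lab.example"), ("192.0.2.10", "nospf.example")]:
        print(f"{ip:15} {dom:14} -> {check_host(ip, dom)}")
```

Because corp.example delegates to isp.example with include, a change to the ISP's own record changes the result for corp.example without any edit to corp.example's record.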
From: ronan at NOC.ULCC.AC.UK (Ronan Flood) Date: Thu Jan 12 21:22:17 2006 Subject: JANET RBL+ time-outs In-Reply-To: <5D6AD0E24C704645A0F1F1431B9F21610433A034@NT-LONEX2> from "Hadlow, Tim" at Feb 03, 2004 10:59:51 AM Message-ID: Tim Hadlow wrote: > Since yesterday (I think) our MailScanner has been reporting rather a lot of > "RBL Check MAPS-RBL+ timed out and was killed" messages. This is the > rbl-plus.mail-abuse.ja.net service used by the UK Academic Community. That's probably because one of the servers is currently in transit; sorry about that. Should be back in service tomorrow afternoon. Perhaps I should have taken it out of the zone, but I thought the DNS would cope ... ---**--- Ronan Flood Tel: +44 20 7692 1432 Fax: +44 20 7692 1234 Network Services, University of London Computer Centre From christo at IT4AFRICA.CO.ZA Tue Feb 3 11:16:28 2004 From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:17 2006 Subject: Announce: MailWatch for MailScanner 0.5 {Virus Scanned} In-Reply-To: <67D9E7698329D411936E00508B6590B902773E43@neelix.lbsltd.co.uk> Message-ID: <015d01c3ea47$2b0b6310$660210ac@christoxp> After I upgraded my Mailwatch I get the following error in my log and no mail is delivered. My queues are filling up. My config RH9 MS latest stable Feb 3 13:17:51 mailtest MailScanner[22842]: Cannot insert row: Column count doesn't match value count at row 1 From spamtrap71892316634 at ANIME.NET Tue Feb 3 12:27:19 2004 From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:22:17 2006 Subject: SPF and MailScanner In-Reply-To: Message-ID: On Tue, 3 Feb 2004, Jan-Peter Koopmann wrote: > Personally I think SPF is a good concept. Not perfect, but good! Exactly. *my* domain, *my* rules. Period. That's all SPF does, it lets *me* enforce *my* rules on usage of *my* domain. -Dan From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 3 12:38:40 2004 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:17 2006
Subject: NDR strategy
Message-ID:

Hi Martin,

> JP
>
> have you got this script and the exim settings? I'd love to
> setup this on our exim system.

Sure. On the DC we use the following vbs script:

    const FILENAME= "whitelist-adresses.txt" 'File name for exporting data from AD
    const LDAPQUERY= "LDAP://yourserver/DC=intern,DC=youractivedirectory,DC=de" 'LDAP query to Active Directory, where

    Dim con, com, rs, fso, f

    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(FILENAME, 2, True) ' ForReading = 1, ForWriting = 2, ForAppending = 8

    ' Query Active Directory through the ADSI OLE DB provider
    Set con = CreateObject("ADODB.Connection")
    Set com = CreateObject("ADODB.Command")
    con.Provider = "ADsDSOObject"
    con.Open "Active Directory Provider"
    Set com.ActiveConnection = con
    com.CommandText = "select proxyAddresses from '" & LDAPQUERY & "' where objectClass= 'user' or objectClass='group' order by sn "
    com.Properties("Page Size") = 1000
    Set rs = com.Execute

    rs.MoveFirst
    While Not rs.EOF
        TProxyAddresses = rs.Fields("proxyAddresses")
        If Not IsNull(TProxyAddresses) Then
            TProxyAddressesCount = UBound(TProxyAddresses)
            For i = 0 To TProxyAddressesCount
                ' Keep only SMTP entries; Mid(..., 6) drops the 5-character "smtp:" prefix
                If LCase(Left(TProxyAddresses(i),4))="smtp" Then
                    f.Write lcase(trim(Mid(TProxyAddresses(i),6))) & VBLf
                End If
            Next
        End If
        rs.MoveNext
    Wend

    rs.Close
    f.Close
    wscript.quit

This script is running every 30 minutes. You will have to adjust the LDAPQUERY to suit your DC structure of course. If whitelist-adresses.txt differs from the old version we scp it to our exim server in the DMZ. On that server we check for a new version, convert the .txt into a .map and then convert that to a cdb. The .txt file has the format

    Validemail@yourdomain.com

We simply change that to

    validemail@yourdomain.com 1

and then convert this to a cdb using this little script (which we use for all kinds of cdbs...)

    #!/usr/bin/perl
    while(<>) {
        # skip comments
        next if /^\s*#/;
        # skip empty lines
        next if /^\s*$/;
        # chop off trailing newline
        chop;
        # delete leading whitespace
        s/^\s+//;
        # retrieve key and value from the input line
        ($key, $value) = split(/:\s*/, $_, 2);
        # emit cdbmake input line
        printf "+%d,%d:%s->%s\n", length($key), length($value), $key, $value;
    }
    print "\n";

After this all you need to do is run cdbmake and store the cdb to the location you want it. In Exims configure (the incoming one obviously) we define a domainlist

    domainlist check_rcpt_domains = yourdomain1 : yourdomain2

Only mails for domains in this list will be checked against the whitelist. In the rcpt_acl you need to put

    accept  domains = +check_rcpt_domains
            endpass
            message = user unknown
            recipients = cdb;/usr/local/etc/exim/whitelist-rcpt.cdb

And that's it. Moreover we manually maintain a blacklist for the e-mails that exist in the company but should not be able to receive mails from the internet.

I hope this gives you a kick start.

Regards,
JP

From m.sapsed at BANGOR.AC.UK Tue Feb 3 12:53:08 2004
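The export-to-cdb pipeline in Jan-Peter Koopmann's message above rejects every recipient that is missing from the whitelist, so a failed or truncated export would turn into "user unknown" for real users. The following is an added example, not the poster's script: it validates the exported list, refuses to publish one that is empty or has shrunk sharply, emits cdbmake input records, and models the ACL decision. The function names, the 20% shrink threshold, the strict address pattern and the sample addresses are assumptions of the example.

```python
"""Added example: turn an exported address list into cdbmake input for an
Exim recipient whitelist, refusing to publish an export that looks broken."""
import re

# Deliberately strict address shape for a gateway whitelist (assumption).
ADDR_RE = re.compile(r"^[a-z0-9!#$%&'*+/=?^_`{|}~.-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$")

# Constructed sample of what the exported .txt might contain.
SAMPLE_EXPORT = """\
Alice@Example.org
bob@example.org
bob@example.org

postmaster@example.org
x400-garbage
carol@other.example
"""


class ExportRejected(Exception):
    """The new export must not replace the live whitelist."""


def parse_export(text, local_domains):
    """Return (sorted unique lowercase addresses, rejected raw lines)."""
    good, bad = set(), []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        domain = line.rpartition("@")[2]
        if ADDR_RE.match(line) and domain in local_domains:
            good.add(line)
        else:
            bad.append(raw)  # keep for the operator's log, never publish
    return sorted(good), bad


def check_against_previous(new, previous, max_shrink=0.2):
    """An empty or sharply smaller list usually means the export failed."""
    if not new:
        raise ExportRejected("export is empty; keeping the current whitelist")
    if previous:
        lost = len(set(previous) - set(new))
        if lost / len(previous) > max_shrink:
            raise ExportRejected(f"{lost} of {len(previous)} addresses vanished")
    return True


def cdbmake_records(addresses, value="1"):
    """Render cdbmake input: '+klen,dlen:key->data' per record, then a blank line.
    Lengths are byte counts, which is what cdbmake expects."""
    lines = []
    for addr in addresses:
        klen, dlen = len(addr.encode("utf-8")), len(value.encode("utf-8"))
        lines.append(f"+{klen},{dlen}:{addr}->{value}\n")
    return "".join(lines) + "\n"


def rcpt_decision(rcpt, whitelist, checked_domains):
    """Model of the ACL stanza: None means the stanza does not apply to this
    domain, so later ACL statements decide. The recipient is lowercased here
    because the export writes lowercase keys."""
    rcpt = rcpt.strip().lower()
    if rcpt.rpartition("@")[2] not in checked_domains:
        return None
    return "accept" if rcpt in whitelist else "550 user unknown"


if __name__ == "__main__":
    domains = {"example.org"}
    addresses, rejected = parse_export(SAMPLE_EXPORT, domains)
    check_against_previous(addresses, previous=addresses)
    print(cdbmake_records(addresses), end="")
    print("rejected lines:", rejected)
    for rcpt in ("Bob@Example.org", "mallory@example.org", "x@elsewhere.example"):
        print(rcpt, "->", rcpt_decision(rcpt, set(addresses), domains))
```

Run the guard before cdbmake, so that the live cdb file is replaced only by a list that passed it.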
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:22:17 2006 Subject: Enterprise Library + MailScanner References: <00ad01c3e5b8$6a7a77e0$0501a8c0@darkside> <6.0.1.1.2.20040128165239.03bf91e0@imap.ecs.soton.ac.uk> Message-ID: <401F99B4.9090108@bangor.ac.uk> Julian Field wrote: >> Sophos has a replacement for their Enterprise Manager called >> Enterprise Library, and it now supports Linux (and other >> *nix and Novell) instead of just Windows clients. How >> difficult would it be to have MailScanner update Sophos >> from a CID or a web CID? >> >> Or is it a bad idea to automaticaly upgrade the engine? > > The only time I ever automatically upgraded the engine, it broke SAVI. I > had to rebuild the perl SAVI module to get it to work again. > So I'm a little wary of going down that path. I've been using EM Library to update the copy of Sophos I use on my Linux MailScanner testbed for some time now as I was trying out the beta version. It appears to run ok and has upgraded the engine at least once while I've been using it. I cobbled a perl script to use the same lock file as Julian's autoupdate prog while the update ran (or at least I think I did!) but it could probably do with more error checking. Basically there is a script in the EM distribution of Sophos for *ix which maintains a copy of the CID and if anything changes, it updates the cache and then runs Sophos' install.sh. The script reads some settings from a config file in /etc so you can "MailScanner-ise" the folders it uses and it appears to work ok but this is on a lightly loaded server. I'm contemplating setting it up on our 3 Solaris mail hubs but haven't had the bottle yet! Given Julian's comments about SAVI, maybe using EM in conjunction with SAVI isn't wise but if you're just using sweep then it might be of interest, if you're already running EM anyway. 
We seem to have had a couple of cases where the mail hubs didn't get their engine upgraded promptly enough and hence were unable to get the latest updates with Julian's script - I could do without that happening again...! Julian - have you looked at this stuff at all?? Would you be interested in looking at the scripts etc? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From steve.freegard at LBSLTD.CO.UK Tue Feb 3 12:56:13 2004 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:22:17 2006 Subject: Announce: MailWatch for MailScanner 0.5 {Virus Scanned} Message-ID: <67D9E7698329D411936E00508B6590B902773E46@neelix.lbsltd.co.uk> Hi Christo, Make sure that you have copied MailWatch.pm from the mailwatch-0.5 tarball into /usr/lib/MailScanner/MailScanner as this could cause the symptons you report. Kind regards, Steve. > -----Original Message----- > From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA] > Sent: 03 February 2004 11:16 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Announce: MailWatch for MailScanner 0.5 {Virus Scanned} > > > After I upgraded my Mailwatch I get the following error in my > log and no mail is delivered. My queues are filling up. > > My config RH9 MS latest stable > > Feb 3 13:17:51 mailtest MailScanner[22842]: Cannot insert > row: Column count doesn't match value count at row 1 > -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From carles at UNLIMITEDMAIL.ORG Tue Feb 3 13:11:08 2004 
From: carles at UNLIMITEDMAIL.ORG (Carles Xavier Munyoz Baldó) Date: Thu Jan 12 21:22:17 2006 Subject: 2 MailScanners, 1 Bayes DataBase. Message-ID: <200402031411.08171.carles@unlimitedmail.org> Hi, I must use two MailScanners for two different Sendmails installed in the same computer (one for the MX server and the other used as RELAY SMTP for my internet users). I would like the two MailScanners to use the same Bayes DataBase for the SpamAssassin. I will use the bayes_path configuration option in the spam.assassin.prefs.conf file to point to the same bayes database in the two MailScanner instances: bayes_path /var/spool/spamassassin/bayes Is there any problem in this? Any race condition? Any suggestion about this 2 MailScanners setup? May I install only one MailScanner and then run two MailScanner instances using a different MailScanner.conf file for each one (I need two MailScanner because each Sendmail uses its own email queue)? Which configuration parameters must I take into account? Greetings. --- Carles Xavier Munyoz Baldó carles@unlimitedmail.org http://www.unlimitedmail.net/ --- From martinh at SOLID-STATE-LOGIC.COM Tue Feb 3 13:44:27 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:17 2006 Subject: 2 MailScanners, 1 Bayes DataBase. In-Reply-To: <200402031411.08171.carles@unlimitedmail.org> References: <200402031411.08171.carles@unlimitedmail.org> Message-ID: <401FA5BB.7090409@solid-state-logic.com> Carles Xavier Munyoz Baldó wrote: > Hi, > I must use two MailScanners for two different Sendmails installed in the same > computer (one for the MX server and the other used as RELAY SMTP for my > internet users). > > I would like the two MailScanners to use the same Bayes DataBase for the > SpamAssassin. > I will use the bayes_path configuration option in the spam.assassin.prefs.conf > file to point to the same bayes database in the two MailScanner instances: > bayes_path /var/spool/spamassassin/bayes > > Is there any problem in this? > Any race condition? > > Any suggestion about this 2 MailScanners setup? > May I install only one MailScanner and then run two MailScanner instances > using a different MailScanner.conf file for each one (I need two MailScanner > because each Sendmail uses its own email queue)? > Which configuration parameters must I take into account? > > Greetings. > --- > Carles Xavier Munyoz Baldó > carles@unlimitedmail.org > http://www.unlimitedmail.net/ > --- Carles, there was some talk on this on the spamassassin email list a couple of weeks ago. Basically you should be OK provided only one of the SA instances (or MS in this case) is writing to the bayes DB for autolearning and manual spam training. Also the MailScanner doing the writing should be the one which has the bayes DB locally. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From Ulysees at ULYSEES.COM Tue Feb 3 13:53:44 2004 From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:22:17 2006 Subject: [OT ish] converting charsets Message-ID: <000501c3ea5d$2364e9e0$3201010a@nimitz> Running 4.25-14 with sendmail on Fedora passing through to exchange and I've been getting a few funky messages & I'm not sure if it's the MTA or mailscanner that's to blame. Mails come through to the exchange box with the following message: This message uses a character set that is not supported by the Internet Service. To view the original message content, open the attached message. If the text doesn't display correctly, save the attachment to disk, and then open it using a viewer that can display the original character set. <> message.txt appears to be the actual email + headers. Interesting bit is below, any ideas? Content-Type: text/plain; charset=unknown-8bit Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by mailscanner.ulysees.com id i0S9MQxp027610 From steve at INTELIPORT.COM Tue Feb 3 14:05:48 2004 From: steve at INTELIPORT.COM (Stephen Lane) Date: Thu Jan 12 21:22:17 2006 Subject: Located issue Joe-Job attack Was Hijacked Returned domain Message-ID: I've located what this attack is called, "Joe-Job", and I'm trying to figure out how to accept from=<> then discard it at the MTA. Does anyone have a sendmail.cf config rule that shows how to do this? Thanks in advance Steve From ugob at CAMO-ROUTE.COM Tue Feb 3 14:05:55 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:17 2006 Subject: scan zip files Message-ID: <54C38A0B814C8E438EF73FC76F36292741089E@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: stephane BRANCHOUX [mailto:stephane.branchoux@UNIV-PERP.FR] > Sent: Tuesday, February 03, 2004 4:41 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: scan zip files > > > Hello, > > i use mailscanner 4.12 with mcafee. > > Zip files are authorized but is there a way to scan zip files ? The zip files are usually scanned by your virus scanner. > > Last virus is sent in a zip file and i would like to scan it without > > blocking all zip files. > > Many thanks in advance. > > stephane BRANCHOUX > Centre de Ressources Informatiques de l'Université de Perpignan. > Systèmes/Réseaux > mailto:stephane.branchoux@univ-perp.fr > 04 68 66 21 24 > > From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 3 14:07:16 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:17 2006 Subject: [OT ish] converting charsets Message-ID: > exchange and I've been getting a few funky messages & I'm not > sure if it's the MTA or mailscanner that's to blame Most probably not mailscanner and perhaps not your MTA. Is the sender MUA/MTA correctly configured? Is this happening for all mails or just for one sender? Regards, JP From mailscanner at ecs.soton.ac.uk Tue Feb 3 13:51:28 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:17 2006 Subject: 200,000 downloads of MailScanner Message-ID: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk> MailScanner has just passed the 200,000 downloads milestone! Many thanks to all of you for helping to spread the word and make my little bit of code possibly the most widely-used combined email virus scanner and spam detector in the world. Let's see how fast the web site can munch through the next 200,000 :-) Jules. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 3 13:33:24 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:17 2006 Subject: Enterprise Library + MailScanner In-Reply-To: <401F99B4.9090108@bangor.ac.uk> References: <00ad01c3e5b8$6a7a77e0$0501a8c0@darkside> <6.0.1.1.2.20040128165239.03bf91e0@imap.ecs.soton.ac.uk> <401F99B4.9090108@bangor.ac.uk> Message-ID: <6.0.1.1.2.20040203133154.07c3d7b8@imap.ecs.soton.ac.uk> At 12:53 03/02/2004, you wrote: >Julian Field wrote: >>>Sophos has a replacement for their Enterprise Manager called >>>Enterprise Library, and it now supports Linux (and other >>>*nix and Novell) instead of just Windows clients. How >>>difficult would it be to have MailScanner update Sophos >>>from a CID or a web CID? >>> >>>Or is it a bad idea to automatically upgrade the engine? >> >>The only time I ever automatically upgraded the engine, it broke SAVI. I >>had to rebuild the perl SAVI module to get it to work again. >>So I'm a little wary of going down that path. > >I've been using EM Library to update the copy of Sophos I use on my >Linux MailScanner testbed for some time now as I was trying out the beta >version. It appears to run ok and has upgraded the engine at least once >while I've been using it. > >I cobbled a perl script to use the same lock file as Julian's autoupdate >prog while the update ran (or at least I think I did!) but it could >probably do with more error checking. > >Basically there is a script in the EM distribution of Sophos for *ix >which maintains a copy of the CID and if anything changes, it updates >the cache and then runs Sophos' install.sh. The script reads some >settings from a config file in /etc so you can "MailScanner-ise" the >folders it uses and it appears to work ok but this is on a lightly >loaded server. I'm contemplating setting it up on our 3 Solaris mail >hubs but haven't had the bottle yet!
> >Given Julian's comments about SAVI, maybe using EM in conjunction with >SAVI isn't wise but if you're just using sweep then it might be of >interest, if you're already running EM anyway. We seem to have had a >couple of cases where the mail hubs didn't get their engine upgraded >promptly enough and hence were unable to get the latest updates with >Julian's script - I could do without that happening again...! > >Julian - have you looked at this stuff at all?? Would you be interested >in looking at the scripts etc? No, I haven't looked into it myself, I just do the upgrade by hand every 3 months. My experience with the SAVI perl problem was enough to put me off doing this for a while. I guess I could automate the build and installation of the perl module too. Would be good to take a quick look at the scripts though. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jaearick at COLBY.EDU Tue Feb 3 14:34:31 2004 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:22:17 2006 Subject: a ghost in filetype.rules.conf Message-ID: Julian, I've been scratching my head on this one for several versions of MailScanner now. The head of our athletics dept (who uses a Mac) will send emails to other coaches, plain text. Two coaches who reply (they use Windows) sporadically get their replies rejected with: No programs allowed (msg-8402-111.txt) ^^^^^^^^ numbers differ This same rejection message pops up with other users on rare occasions, but mostly with these two coaches and the Athletic Director. I've had our PC staff look at all three machines for viruses, nothing. I've put my system into quarantine mode, with "Quarantine Whole Message = yes", and stared at the result. There is no attachment. I've run the entire message thru clam and sophos, clean. Nothing there but plain text reply to a plain text message. My only oddball change in MS relating to text is my specification of ISO-8859-1 charset instead of ascii. I've modified my filetype.rules.conf so that I can figure out which rule causes the rejection (ELF or executable). Any ideas or suggestions on this one? I can provide an example if need be. (setup: Sol9, MS 4.26.8, SA 2.63, razor). Jeff Earickson Colby College From christo at IT4AFRICA.CO.ZA Tue Feb 3 13:53:50 2004 From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:17 2006 Subject: Announce: MailWatch for MailScanner 0.5 {Virus Scanned} In-Reply-To: <67D9E7698329D411936E00508B6590B902773E46@neelix.lbsltd.co.uk> Message-ID: <017501c3ea5d$2754c1b0$660210ac@christoxp> Thanx I missed the part of copying the file. Working like a charm now. > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Freegard > Sent: 03 February 2004 02:56 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Announce: MailWatch for MailScanner 0.5 {Virus Scanned} > > > Hi Christo, > > Make sure that you have copied MailWatch.pm from the > mailwatch-0.5 tarball into /usr/lib/MailScanner/MailScanner > as this could cause the symptoms you report. > > Kind regards, > Steve. > > > -----Original Message----- > > From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA] > > Sent: 03 February 2004 11:16 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Announce: MailWatch for MailScanner 0.5 {Virus Scanned} > > > > > > After I upgraded my Mailwatch I get the following error in > my log and > > no mail is delivered. My queues are filling up. > > > > My config RH9 MS latest stable > > > > Feb 3 13:17:51 mailtest MailScanner[22842]: Cannot insert > > row: Column count doesn't match value count at row 1 > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Mailscanner thanks IT For Africa for their support. > From ryan at MARINOCRANE.COM Tue Feb 3 14:42:41 2004
From: ryan at MARINOCRANE.COM (Ryan Pitt) Date: Thu Jan 12 21:22:17 2006 Subject: Announce: MailWatch for MailScanner 0.5 In-Reply-To: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk> Message-ID: <401FB361.3030500@marinocrane.com> Thanks Steve, Awesome job, as always! Ryan Pitt Steve Freegard wrote: >Hi All, > >I'm pleased to finally release 0.5 which you can download from >http://www.sourceforge.net/projects/mailwatch. > >CHANGE LOG >- Updated indexes for much greater performance (again!). >- Added preliminary support for per-user filters (see USER_FILTERS file). >- Added the ability to view quarantined items. >- All tables now enable a pager when returning more than 50 rows and allow > ordering by any of the displayed columns. >- New tool to run SpamAssassin --lint and time the output for debugging SA. >- New F-Secure status page (like Sophos). >- Required PEAR modules now included. >- Added reporting of Blacklisted mails. >- Integrated the reporting of SpamAssassin Blacklisted/Whitelisted e-mails. >- Quoted printable strings are now automatically decoded before display. >- Configuration options moved from functions.php into conf.php >- Automatically works out VIRUS_REGEX by using the first value in > MailScanner.conf - e.g. 'Virus Scanners = sophossavi clamavmodule' would > activate the regexp for SophosSAVI. >- New 'Virus Report' allows comparison of multiple scanners (if you run > more than one) and allows you to see 1st detection date/time of each > virus by each scanner. >- Integration with Fortress Systems Secure Mail Gateway. > >FIXES >- Multiple clean-ups of mailq.php to make it more robust. >- Greatly improved debugging of SQL statements. >- Quarantine now correctly looks in the non-spam quarantine directories. >- SA Rules Description Update now reads custom rules as well. >- sendmail_relay.php now works across log rotations.
>- Increased memory_limit to 128M for quarantine functions. > >Kind regards, >Steve. > >-- >MailWatch for MailScanner >http://mailwatch.sourceforge.net > > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From taz at AZTEK-ENG.COM Tue Feb 3 15:15:33 2004 From: taz at AZTEK-ENG.COM (taz) Date: Thu Jan 12 21:22:17 2006 Subject: Dual-headed email servers Message-ID: <00f001c3ea68$91c43840$270100bf@backlab> Please don't overpost on this one. You can just email me directly. I would like to know if anyone knows where I can find information about dual-heading an email server, if that is what it is called. (two or more email servers with users spread across them for load-balancing, speed and such). We are needing something like this or similar to test a new email server that is going into the DMZ, but not online yet. We want it to function like a normal email server, but only with 5-10 users on it. This would be in a sendmail configuration. Thanks. From mkettler at EVI-INC.COM Tue Feb 3 16:01:00 2004
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:17 2006 Subject: scan zip files In-Reply-To: <467301c3ea39$db6216e0$0688a7c2@belleile> References: <467301c3ea39$db6216e0$0688a7c2@belleile> Message-ID: <6.0.0.22.0.20040203105953.0270cf60@xanadu.evi-inc.com> At 04:41 AM 2/3/2004, stephane BRANCHOUX wrote: >i use mailscanner 4.12 with mcafee. > >Zip files are authorized but is there a way to scan zip files ? > >Last virus is sent in a zip file and i would like to scan it without > >blocking all zip files. That should work out-of-the-box without any additional configuration.. Have you tested it (ie: email yourself a zipfile containing EICAR or something of the sort?) From email at ace.net.au Tue Feb 3 15:59:57 2004 
From: email at ace.net.au (Peter Nitschke) Date: Thu Jan 12 21:22:17 2006 Subject: Located issue Joe-Job attack Was Hijacked Returned domain In-Reply-To: References: Message-ID: <200402040229570674.0049AF19@smtp1.ace.net.au> I don't think there is any simple way to defeat this. If you want to get brutal, there was some stuff posted last year to add to sendmail.mc that allowed you to block by various words in the subject, so you could for eg block the following: "undeliverable mail", "undelivered mail", "returned mail", "delivery fail", etc etc, breaks the rules though. I got lucky as most of these return addresses had numbers in them, eg joe25r@domain.com and I have never allowed numbers in the first part of the email address - due to a limitation in the original accounting system I used. I managed to make an entry that rejected any To: address here that had a number in it, and that has virtually eliminated the problem. Peter *********** REPLY SEPARATOR *********** On 3/02/2004 at 2:05 PM Stephen Lane wrote: >I've located what this attack is called, "Joe-Job", and I'm trying to >figure out how to accept from=<> then discard it at the MTA. Does anyone >have a sendmail.cf config rule that shows how to do this? > >Thanks in advance > >Steve From jwilliam at KCR.UKY.EDU Tue Feb 3 16:04:52 2004
From: jwilliam at KCR.UKY.EDU (John Williams) Date: Thu Jan 12 21:22:18 2006 Subject: 200,000 downloads of MailScanner In-Reply-To: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk> Message-ID: <6.0.0.22.2.20040203105723.01b97460@mail.kcr.uky.edu> Congrats! Just this morning I was talking to Sendmail.com about upgrading our version of Sendmail. While on the phone I was curious and asked them about their anti-spam package. She said it would cost a little over $8000, the minimum 500 user license. I said that being a University and facing budget cuts we couldn't afford it and told her we would continue to use MailScanner and Sophos. She said that she had heard of MailScanner and many of her customers told her the same thing. Just thought you might want to know. Thanks for filling such a great need! With gratitude, John At 08:51 AM 2/3/2004, you wrote: >MailScanner has just passed the 200,000 downloads milestone! > >Many thanks to all of you for helping to spread the word and make my little >bit of code possibly the most widely-used combined email virus scanner and >spam detector in the world. > >Let's see how fast the web site can munch through the next 200,000 :-) > >Jules. John P. Williams, MA Systems Analyst, Sr. University of Kentucky/Kentucky Cancer Registry 2365 Harrodsburg Rd, Suite A230 Lexington, KY 40504-3381 Telephone: (859)219-0773 x283 Fax: (859)219-0557 mailto:jwilliam@kcr.uky.edu http://www.kcr.uky.edu --Statement of Confidentiality-- This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Thank you. From Eric.Doutreleau at INT-EVRY.FR Tue Feb 3 16:26:09 2004 
From: Eric.Doutreleau at INT-EVRY.FR (Eric Doutreleau) Date: Thu Jan 12 21:22:18 2006 Subject: Announce: MailWatch for MailScanner 0.5 In-Reply-To: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773E42@neelix.lbsltd.co.uk> Message-ID: <1075825568.6884.9.camel@rezo.int-evry.fr> Do we still have to use the perl-DBD-MySQL 2.1028 version or can we switch to the latest version available? On Tue 03/02/2004 at 01:44, Steve Freegard wrote: > Hi All, > > I'm pleased to finally release 0.5 which you can download from > http://www.sourceforge.net/projects/mailwatch. > > CHANGE LOG > - Updated indexes for much greater performance (again!). > - Added preliminary support for per-user filters (see USER_FILTERS file). > - Added the ability to view quarantined items. > - All tables now enable a pager when returning more than 50 rows and allow > ordering by any of the displayed columns. > - New tool to run SpamAssassin --lint and time the output for debugging SA. > - New F-Secure status page (like Sophos). > - Required PEAR modules now included. > - Added reporting of Blacklisted mails. > - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted e-mails. > - Quoted printable strings are now automatically decoded before display. > - Configuration options moved from functions.php into conf.php > - Automatically works out VIRUS_REGEX by using the first value in > MailScanner.conf - e.g. 'Virus Scanners = sophossavi clamavmodule' would > activate the regexp for SophosSAVI. > - New 'Virus Report' allows comparison of multiple scanners (if you run > more than one) and allows you to see 1st detection date/time of each > virus by each scanner. > - Integration with Fortress Systems Secure Mail Gateway. > > FIXES > - Multiple clean-ups of mailq.php to make it more robust. > - Greatly improved debugging of SQL statements. > - Quarantine now correctly looks in the non-spam quarantine directories.
> - SA Rules Description Update now reads custom rules as well. > - sendmail_relay.php now works across log rotations. > - Increased memory_limit to 128M for quarantine functions. > > Kind regards, > Steve. > > -- > MailWatch for MailScanner > http://mailwatch.sourceforge.net From Ulysees at ULYSEES.COM Tue Feb 3 16:32:53 2004 From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:22:18 2006 Subject: [OT ish] converting charsets References: Message-ID: <000701c3ea73$5f951410$3201010a@nimitz> The mails that cause this always come from the same group of sites. I've also found that it happens if I turn on full headers in the virus reports. This doesn't happen on a 4.23-11 on rh7.2 box that I'm retiring. Uly ----- Original Message ----- From: "Jan-Peter Koopmann" To: Sent: Tuesday, February 03, 2004 2:07 PM Subject: Re: [MAILSCANNER] [OT ish] converting charsets > exchange and I've been getting a few funky messages & I'm not > sure if it's the MTA or mailscanner that's to blame Most probably not mailscanner and perhaps not your MTA. Is the sender MUA/MTA correctly configured? Is this happening for all mails or just for one sender? Regards, JP From gdoris at rogers.com Tue Feb 3 16:48:52 2004
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:18 2006 Subject: 200,000 downloads of MailScanner In-Reply-To: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk> Message-ID: <62310.129.80.22.143.1075826932.squirrel@tiger.dorfam.ca> > MailScanner has just passed the 200,000 downloads milestone! > > Many thanks to all of you for helping to spread the word and make my > little > bit of code possibly the most widely-used combined email virus scanner and > spam detector in the world. > > Let's see how fast the web site can munch through the next 200,000 :-) > > Jules. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support Congratulations! However, I heard a rumour that it was really your mother that downloaded most of those copies...is that true? Gerry From dwinkler at ALGORITHMICS.COM Tue Feb 3 16:50:27 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:22:18 2006 Subject: MAPS-RBL Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B197@tormail2.algorithmics.com> We're considering paying for MAPS-RBL services. Any comments on its effectiveness? Thanks, Derek Winkler Security Administrator Algorithmics 185 Spadina Ave Toronto, Ontario Canada M5T 2C6 Phone: 416-217-4107 Fax: 416-971-6100 From bpumphrey at WOODMACLAW.COM Tue Feb 3 17:07:28 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:18 2006 Subject: MailScanner.conf questions Message-ID: 1. In the web site about the MailScanner.conf it says (with some text taken out) talking about spam.whitelist.rules: Is Definitely Not Spam You will probably want to include your own site (or your own site's IP addresses) in this ruleset. Does that mean put:
From: *@domain.com or FromOrTo *@domain.com It would seem that if it said FromOrTo, that it would treat all mail as not spam and "not" perform any blocking. 2. Is this how to disable blocking for a user ID: FromOrTo: user@domain.com yes 3. Do you have to configure the spamassassin white list also, being that you have to configure the whitelist in 2 places? Spam.whitelist.rules and spam.assassin.prefs.conf? Thank you for any answers. Billy Pumphrey From test at NEXTMILL.NET Tue Feb 3 17:20:05 2004 From: test at NEXTMILL.NET (Brian Lewis) Date: Thu Jan 12 21:22:18 2006 Subject: Getting SpamAssassin installation could not be found error Message-ID: Fresh Install Fedora Core 1 (Perl 5.8.1 selected at installation) MailScanner: mailscanner-4.26.8-1.rpm.tar SpamAssassin: spamassassin-2.63-1.i386.rpm & perl-mail-spamassassin-2.63-1.i386.rpm Antivirus: clamav-0.65-4.i386.rpm Installed via CPAN - Net::DNS, Time::HiRes, Pod::Usage /var/log/maillog shows every 10 seconds: Feb 4 09:11:10 mailcheck MailScanner[2840]: MailScanner E-Mail Virus Scanner version 4.26.8 starting... Feb 4 09:11:10 mailcheck MailScanner[2840]: SpamAssassin installation could not be found Listed all RPMs, there was only one Perl (5.8.1) and SpamAssassin (2.63), uninstalled SpamAssassin and its perl-mail rpms, reinstalled, rebooted server, still does not help. Copied /usr/lib/perl5/site_perl/5.8.1/ to /usr/lib/perl5/site_perl/5.6.1/ as the FAQ states and it didn't help. Don't have a /usr/lib/perl5/site_perl/5.8.1/Mail FOLDER as mentioned in the FAQ under SpamAssassin:installation could not be found Any advice on what next to troubleshoot would be greatly appreciated From marco at MUW.EDU Tue Feb 3 17:42:49 2004
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:18 2006 Subject: Getting SpamAssassin installation could not be found error In-Reply-To: References: Message-ID: <1075830169.401fdd9998bdc@webmail.MUW.Edu> Uninstall the SpamAssassin RPMS and install SA from CPAN: perl -MCPAN -e shell o con prerequisites_policy ask install Mail::SpamAssassin This is guaranteed to work !!! Quoting Brian Lewis : > Fresh Install > Fedora Core 1 (Perl 5.8.1 selected at installation) > MailScanner: mailscanner-4.26.8-1.rpm.tar > SpamAssassin: spamassassin-2.63-1.i386.rpm & perl-mail-spamassassin-2.63- > 1.i386.rpm > Antivirus: clamav-0.65-4.i386.rpm > Installed via CPAN - Net::DNS, Time::HiRes, Pod::Usage > > /var/log/maillog shows every 10 seconds: > Feb 4 09:11:10 mailcheck MailScanner[2840]: MailScanner E-Mail Virus > Scanner version 4.26.8 starting... > Feb 4 09:11:10 mailcheck MailScanner[2840]: SpamAssassin installation > could not be found > > Listed all RPMs, there was only one Perl (5.8.1) and SpamAssassin (2.63), > uninstalled SpamAssassin and its perl-mail rpms, reinstalled, rebooted > server, still does not help. > > Copied /usr/lib/perl5/site_perl/5.8.1/ to /usr/lib/perl5/site_perl/5.6.1/ > as the FAQ states and it didn't help. > > Don't have a /usr/lib/perl5/site_perl/5.8.1/Mail FOLDER as mentioned in > the FAQ under SpamAssassin:installation could not be found > > Any advice on what next to troubleshoot would be greatly appreciated > From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 3 17:27:33 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:18 2006 Subject: 200,000 downloads of MailScanner Message-ID: <08146035CA49D6119A36009027AC822A0264ED9F@CITY-EXCH-NTS> >Let's see how fast the web site can munch through the next 200,000 :-) It'll be no time at all once we get you knighted! ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From marco at MUW.EDU Tue Feb 3 17:44:35 2004 
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:18 2006 Subject: Getting SpamAssassin installation could not be found error In-Reply-To: References: Message-ID: <1075830274.401fde0303cf4@webmail.MUW.Edu> Please correct this line from my previous response to: o conf prerequisites_policy ask Quoting Brian Lewis : > Fresh Install > Fedora Core 1 (Perl 5.8.1 selected at installation) > MailScanner: mailscanner-4.26.8-1.rpm.tar > SpamAssassin: spamassassin-2.63-1.i386.rpm & perl-mail-spamassassin-2.63- > 1.i386.rpm > Antivirus: clamav-0.65-4.i386.rpm > Installed via CPAN - Net::DNS, Time::HiRes, Pod::Usage > > /var/log/maillog shows every 10 seconds: > Feb 4 09:11:10 mailcheck MailScanner[2840]: MailScanner E-Mail Virus > Scanner version 4.26.8 starting... > Feb 4 09:11:10 mailcheck MailScanner[2840]: SpamAssassin installation > could not be found > > Listed all RPMs, there was only one Perl (5.8.1) and SpamAssassin (2.63), > uninstalled SpamAssassin and its perl-mail rpms, reinstalled, rebooted > server, still does not help. > > Copied /usr/lib/perl5/site_perl/5.8.1/ to /usr/lib/perl5/site_perl/5.6.1/ > as the FAQ states and it didn't help. > > Don't have a /usr/lib/perl5/site_perl/5.8.1/Mail FOLDER as mentioned in > the FAQ under SpamAssassin:installation could not be found > > Any advice on what next to troubleshoot would be greatly appreciated > "I don't know the key to success, but the key to failure is trying to please everybody." -Bill Cosby Marco Obaid | Network Administrator | McDevitt Hall | W-Box 1621 | Columbus MS 39701 MISSISSIPPI UNIVERSITY FOR WOMEN From marco at MUW.EDU Tue Feb 3 17:46:10 2004
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:18 2006 Subject: 200,000 downloads of MailScanner In-Reply-To: <08146035CA49D6119A36009027AC822A0264ED9F@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264ED9F@CITY-EXCH-NTS> Message-ID: <1075830370.401fde6240d87@webmail.MUW.Edu> Hi Jules, 200,000+ thank-yous for your work and efforts !!! Marco > >Let's see how fast the web site can munch through the next 200,000 :-) > From test at NEXTMILL.NET Tue Feb 3 17:33:12 2004 From: test at NEXTMILL.NET (Brian Lewis) Date: Thu Jan 12 21:22:18 2006 Subject: Getting SpamAssassin installation could not be found error Message-ID: Ok I solved my own problem perl-mail-spamassassin-2.63-1.i386.rpm installs in /usr/lib/perl5/site_perl/5.6.1/Mail I had to copy the files in there to /usr/lib/perl5/site_perl/5.8.1/Mail Restarted MailScanner and it worked! Why don't these rpms intelligently figure out what the latest version of Perl is on the machine and install Spamassassin Perl Mail stuff into the correct folder? Uhhggg From m.sapsed at BANGOR.AC.UK Tue Feb 3 17:36:19 2004 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:22:18 2006 Subject: Silent Virus List References: <005501c3e57d$089a79c0$660210ac@christoxp> <40177E3C.4090903@solid-state-logic.com> <6.0.1.1.2.20040128112404.03e603e0@imap.ecs.soton.ac.uk> Message-ID: <401FDC13.8050302@bangor.ac.uk> Julian Field wrote: > At 10:43 28/01/2004, you wrote: > >> When viruses fake 'from' info, do they just fake the 'From:' header, >> or do >> they fake the envelope sender too? > > Yes. To be slightly picky, this is an over generalisation. Some worms e.g. SirCam, Hybris fake the From: address but leave the sender address as that of the victim. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From steve.freegard at LBSLTD.CO.UK Tue Feb 3 17:40:40 2004 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:18 2006
Subject: Announce: MailWatch for MailScanner 0.5
Message-ID: <67D9E7698329D411936E00508B6590B902773E4F@neelix.lbsltd.co.uk>

Hi Eric,

You'll still need 2.1028. However I saw a neat trick done by an admin recently who installed the DBD-MySQL module into /usr/lib/MailScanner/MailScanner/DBD-MySQL and did something like "use lib '/usr/lib/MailScanner/MailScanner/DBD-MySQL/';" to the top of MailWatch.pm to use the older version instead.

Kind regards,
Steve.

> -----Original Message-----
> From: Eric Doutreleau [mailto:Eric.Doutreleau@INT-EVRY.FR]
> Sent: 03 February 2004 16:26
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Announce: MailWatch for MailScanner 0.5
>
>
> Do we still have to use the perl-DBD-MySQL 2.1028 version
> or can we switch to the latest version available?
>
>
> On Tue 03/02/2004 at 01:44, Steve Freegard wrote:
> > Hi All,
> >
> > I'm pleased to finally release 0.5 which you can download from
> > http://www.sourceforge.net/projects/mailwatch.
> >
> > CHANGE LOG
> > - Updated indexes for much greater performance (again!).
> > - Added preliminary support for per-user filters (see USER_FILTERS
> > file).
> > - Added the ability to view quarantined items.
> > - All tables now enable a pager when returning more than 50
> rows and allow
> > ordering by any of the displayed columns.
> > - New tool to run SpamAssassin --lint and time the output
> for debugging SA.
> > - New F-Secure status page (like Sophos).
> > - Required PEAR modules now included.
> > - Added reporting of Blacklisted mails.
> > - Integrated the reporting of SpamAssassin
> Blacklisted/Whitelisted e-mails.
> > - Quoted printable strings are now automatically decoded
> before display.
> > - Configuration options moved from functions.php into conf.php
> > - Automatically works out VIRUS_REGEX by using the first value in
> > MailScanner.conf - e.g. 'Virus Scanners = sophossavi
> clamavmodule' would
> > activate the regexp for SophosSAVI.
> > - New 'Virus Report' allows comparison of multiple scanners
> (if you run
> > more than one) and allows you to see 1st detection
> date/time of each
> > virus by each scanner.
> > - Integration with Fortress Systems Secure Mail Gateway.
> >
> > FIXES
> > - Multiple clean-ups of mailq.php to make it more robust.
> > - Greatly improved debugging of SQL statements.
> > - Quarantine now correctly looks in the non-spam quarantine
> > directories.
> > - SA Rules Description Update now reads custom rules as well.
> > - sendmail_relay.php now works across log rotations.
> > - Increased memory_limit to 128M for quarantine functions.
> >
> > Kind regards,
> > Steve.
> >
> > --
> > MailWatch for MailScanner
> > http://mailwatch.sourceforge.net
> >
> > --
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to
> whom they
> > are addressed. If you have received this email in error
> please notify
> > the sender and delete the message from your mailbox.
> >
> > This footnote also confirms that this email message has
> been swept by
> > MailScanner (www.mailscanner.info) for the presence of computer
> > viruses.
>

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From mailscanner at ecs.soton.ac.uk Tue Feb 3 17:46:29 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:18 2006
Subject: Getting SpamAssassin installation could not be found error
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040203174502.03f0eea0@imap.ecs.soton.ac.uk>

At 17:33 03/02/2004, you wrote:
>Ok I solved my own problem
>perl-mail-spamassassin-2.63-1.i386.rpm
>installs in /usr/lib/perl5/site_perl/5.6.1/Mail
>I had to copy the files in there to /usr/lib/perl5/site_perl/5.8.1/Mail
>
>Restarted MailScanner and it worked!
>
>
>Why don't these rpms intelligently figure out what the latest version of
>Perl is on the machine and install Spamassassin Perl Mail stuff into the
>correct folder? Uhhggg

That's only possible if you rebuild the RPM from the SRPM on your machine, then install your shiny new RPM.

You now have a system that isn't consistent with its own RPM database. :-(
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 3 17:44:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:18 2006
Subject: MailScanner.conf questions
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040203174218.03f1bb88@imap.ecs.soton.ac.uk>

At 17:07 03/02/2004, you wrote:
>1. In the web site about the MailScanner.conf it says (with some text
>taking out) talking about spam.whitelist.rules:
>Is Definitely Not Spam
>You will probably want to include your own site (or your own site's IP
>addresses) in this ruleset.
>
>Does that mean put:
>From: *@domain.com or

Yes, but it is even better to whitelist your IP addresses. You can put in IP addresses in any of the common syntaxes for specifying netblocks.

>FromOrTo *@domain.com

No

>It would seem that if it said FromOrTo, that it would treat all mail as
>not spam and "not" perform any blocking.

Correct

>2. Is this how to disable blocking for a user ID:
>FromOrTo: user@domain.com yes

Yes

>3. Do you have to configure the spamassassin white list also, being that
>you have to configure the whitelist in 2 places?
>Spam.whitelist.rules and spam.assassin.prefs.conf?

No. The spam.whitelist.rules entries will cause all spam checking to be bypassed, including SpamAssassin.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From m.sapsed at BANGOR.AC.UK Tue Feb 3 17:56:49 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:18 2006
Subject: rant about anti-virus and spam, MS flamed
References: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> <40183962.1010304@uptime.at> <6.0.0.22.0.20040128174447.025b7098@xanadu.evi-inc.com> <6.0.1.1.2.20040128150747.02f7f418@email.potlatchcorp.com> <6.0.0.22.0.20040128182805.025c8f48@xanadu.evi-inc.com>
Message-ID: <401FE0E1.8010103@bangor.ac.uk>

(Catching up with a backlog again - can't let this one go)

Matt Kettler wrote:
> At 06:09 PM 1/28/2004, Leonard Hermens wrote:
>
>> >Can you cite an example of when, at the present time, it is a good
>> idea to
>> >have a mailserver configured to auto respond to a sender and notify them
>> >that a message sent contained a live virus infection?
>>
>> Any virus or macro virus that is sent manually by the sender.
>
> I'll agree that is a particular email where it is good for a server to
> autorespond.
>
> However, that's not an answer to the question.
>
> A mailserver can't be configured to tell the difference between a manual
> send and an automated one, so your example is a single isolated email
> example. I'm asking for a situation where it's a good idea to configure
> your mailserver in such a manner, not a single message case.
>
> Real world, real mailserver, present time, realistic situation where it
> would be a good idea to have a server do this. (ie: how can you do it on an
> automated basis without inflicting casualties, and still reap some useful
> benefit.)

I'll give you several examples where it's worth notifying the sender of a virus.

2784 instances of Gibe-F we had in December - the From: address is forged but the sender address isn't.

A dozen or so people with no or very old a-v resulting in them having word macro viruses. They attach an infected document and mail it here, they get a wake-up call.

People e-mailing so called "Joke" programs to their mates - they're not welcome here.

By my reckoning there are just over a dozen families of viruses that fake the sender address. I don't see managing a list of that size to be an issue. I would like to do my bit to reduce the quantity of malware out there where I can.

I do agree though that too many people have run with the old default and applaud Julian's move to change the default. I would, however, strongly object to the removal of the code altogether just because some people don't use it properly.

I am also mildly fascinated that outfits of the size of messagelabs were sending virus reports to the "senders" of MyDoom....

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From m.sapsed at BANGOR.AC.UK Tue Feb 3 18:02:54 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:18 2006
Subject: mailling list subject tag
References: <08146035CA49D6119A36009027AC822A0264ED5F@CITY-EXCH-NTS> <1075456331.9785.12.camel@localhost.localdomain>
Message-ID: <401FE24E.4020304@bangor.ac.uk>

Neil Robst wrote:
> Hi Julian et al,
>
> Would it be possible to setup the mailing list software that manages
> this list to tag the subject of each mail with [MailScanner] or
> something similar please so I can see at a glance which mails are from
> this list...?

Please bear in mind though that if you do this, and leave the tags in the Subject line when you reply you can cause people who filter MailScanner messages to a folder using other methods to have grief following threads (depending on what software they use). (Same applies to foreign language alternatives to Re:, and we won't go in to leaving {Spam} and {Virus} tags in subjects...)

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From dustin.baer at IHS.COM Tue Feb 3 18:16:29 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT] Re: MAPS-RBL
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B197@tormail2.algorithmics.com>
Message-ID: <401FE57D.C4F9E7EC@ihs.com>

Derek Winkler wrote:
>
> We're considering paying for MAPS-RBL services.
>
> Any comments on its effectiveness?
>
> Thanks,
>
> Derek Winkler
> Security Administrator

We use RBL+ and reject about 4,000 messages/day. It is quite useful.

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 3 18:19:14 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:18 2006
Subject: rant about anti-virus and spam, MS flamed
Message-ID: <08146035CA49D6119A36009027AC822A0264EDA4@CITY-EXCH-NTS>

>By my reckoning there are just over a dozen families of viruses that
>fake the sender address. I don't see managing a list of that size to be
>an issue. I would like to do my bit to reduce the quantity of malware
>out there where I can.

Since it's (inter)national beat a dead horse day, what I'd like to see is for the AV companies to add a flag to their definitions as to whether it's a spoofer or not. Could be as little as a single bit turned on or off in their pattern file database. Not knowing the structure of the database, it may be possible to set it w/o even adding any new fields in some cases. Of course, they would have to reconfigure the scan engine to return true or false and things like MS would have to have a snippet of code added to check it, but as viruses get more sophisticated, maybe it's time for virus scanners/responders to get more sophisticated too.

Sadly, the onus has to be on the AV companies at this point and I'm not holding my breath that they're ever gonna read my humble suggestion. But I dunno - maybe someone from that universe does follow this list. Guess I better patent the idea quick!

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From cstamas at digitus.itk.ppke.hu Tue Feb 3 18:21:45 2004
From: cstamas at digitus.itk.ppke.hu (Csillag Tamás)
Date: Thu Jan 12 21:22:18 2006
Subject: 200,000 downloads of MailScanner
In-Reply-To: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk>
Message-ID: <20040203182145.GF25916@digitus>

Hi

On 02/03, Julian Field wrote:
> MailScanner has just passed the 200,000 downloads milestone!
>

This means the downloads from mailscanner.info ?
It can be much more (from CPAN, rpm) and I installed it from deb.

but, MailScanner works perfectly....

thanks

--
cstamas

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Feb 3 18:24:47 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:18 2006
Subject: rant about anti-virus and spam, MS flamed
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EDA4@CITY-EXCH-NTS>
Message-ID: <009c01c3ea83$00ff69e0$0501a8c0@darkside>

>Since it's (inter)national beat a dead horse day, what
>I'd like to see
>is for the AV companies to add a flag to their definitions as
>to whether

FYI: a recent correspondence between myself and Sophos.

Hi Jason,

We are looking at adding this feature into our definitions as it would be very useful. Watch this space.

[name removed]@sophos.com

On 28/01/2004 21:31:04 "Jason Balicki" wrote:
>Would it be possible to include a "forged sender" Boolean
>value in the sophos IDE and have Sophos AV report that
>value when a file is scanned (via the appropriate
>switches)? I use Sophos with MailScanner and the
>ability to send or not send notifications intelligently
>would be a godsend.
>
>I know the vast majority of worms and viruses these
>days forge, but it would still be helpful.
>
>TIA,
>
>--J(K)
>

From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 3 18:29:18 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:18 2006
Subject: rant about anti-virus and spam, MS flamed
Message-ID: <08146035CA49D6119A36009027AC822A0264EDA5@CITY-EXCH-NTS>

>FYI: a recent correspondence between myself and Sophos.

Dang! See, I knew I should have patented it. Then I could sue everybody like Darl! Now I'll still have to work for a living... ;-)

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From dot at DOTAT.AT Tue Feb 3 18:31:21 2004
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:22:18 2006
Subject: SPF and MailScanner
In-Reply-To:
Message-ID:

"Spicer, Kevin" wrote:
>
>There is a page addressing common objections to SPF on their site http://spf.pobox.com/objections.html

I note that their Sender Rewriting Scheme as proposed would turn most mail servers into open relays, in the same way as the % hack does. You need to make the rewritten return path cryptographically unforgeable. The requirement for this in the SRS I-D is laughably weak.
http://spf.pobox.com/srs.html

Tony.
--
f.a.n.finch http://dotat.at/
ROCKALL MALIN: SOUTH OR SOUTHWEST 7 TO SEVERE GALE 9, OCCASIONALLY STORM 10, BECOMING CYCLONIC 5 TO 7 LATER. OCCASIONAL RAIN OR SQUALLY SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.

From dot at DOTAT.AT Tue Feb 3 18:33:35 2004
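An added illustration of the "cryptographically unforgeable" return path asked for in the SPF and MailScanner message above; it is not part of the thread and not the format from the SRS draft. The secret, the forwarder name, the `SRS0=tag=day=domain=local` layout and the function names are assumptions made for this sketch. A forwarder that keys the tag with a secret can refuse to relay bounces for addresses it never issued.

```python
import base64
import hashlib
import hmac
import time

# Assumptions for this sketch (hypothetical values, not from the thread):
SECRET = b"constructed-demo-secret"   # known only to the forwarding host
FORWARDER = "forwarder.example"       # domain that rewrites envelope senders
TAG_LEN = 8                           # base32 chars kept; longer is stronger
MAX_AGE_DAYS = 21                     # how long a rewritten address stays valid


def _day(now=None):
    """Day number used as a coarse timestamp inside the address."""
    return int((time.time() if now is None else now) // 86400)


def _tag(day, domain, local):
    """Keyed MAC over every field an attacker might want to change."""
    msg = f"{day}={domain.lower()}={local}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.b32encode(digest).decode().lower()[:TAG_LEN]


def rewrite(sender, now=None):
    """Rewrite an envelope sender so bounces come back via the forwarder."""
    local, _, domain = sender.rpartition("@")
    day = str(_day(now))
    return f"SRS0={_tag(day, domain, local)}={day}={domain}={local}@{FORWARDER}"


def reverse(rcpt, now=None):
    """Return the original sender, or None if the address is forged or stale.

    Returning None is what stops the host acting as a relay: without the
    secret nobody can mint an address that this function will accept.
    """
    local, _, domain = rcpt.rpartition("@")
    if domain.lower() != FORWARDER or not local.upper().startswith("SRS0="):
        return None
    parts = local.split("=", 4)       # the original local part may contain '='
    if len(parts) != 5:
        return None
    _, tag, day, odomain, olocal = parts
    if not (day.isascii() and day.isdigit()):
        return None
    age = _day(now) - int(day)
    if age < 0 or age > MAX_AGE_DAYS:
        return None
    expected = _tag(day, odomain, olocal)
    if not hmac.compare_digest(tag.lower().encode(), expected.encode()):
        return None
    return f"{olocal}@{odomain}"


if __name__ == "__main__":
    addr = rewrite("alice@example.org")
    print(addr, "->", reverse(addr))
    forged = addr.replace("=example.org=alice@", "=victim.example=bob@")
    print(forged, "->", reverse(forged))
```
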
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:22:18 2006
Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current
In-Reply-To:
References:
Message-ID:

Eric Dantan Rzewnicki wrote:
>
>Thank you for clearing this up. I'm still puzzled as to why they weren't
>created when I first ran the script, but it seems to be ok now.

You might have splatted them afterwards, e.g. by reinstalling uvscan.

Tony.
--
f.a.n.finch http://dotat.at/
THE WASH TO NORTH FORELAND: SOUTHWEST 6 TO GALE 8. RAIN AT TIMES. MODERATE OR GOOD. SLIGHT OR MODERATE, OCCASIONALLY ROUGH WELL OFFSHORE.

From raymond at PROLOCATION.NET Tue Feb 3 19:33:21 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT] Re: MAPS-RBL
In-Reply-To: <401FE57D.C4F9E7EC@ihs.com>
Message-ID:

Hi

> > Security Administrator
>
> We use RBL+ and reject about 4,000 messages/day. It is quite useful.

It's not bad, we also have a subscription, but we see a multiple of the hits on RBL+ on the NJABL and DSBL lists... I would try lists like that before moving to a paid list.

Bye,
Raymond.

From bpumphrey at WOODMACLAW.COM Tue Feb 3 19:46:37 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:18 2006
Subject: Error in line 3 in filename.rules.conf
Message-ID:

Thank you for your answers!!!!
I have not changed this file, and line 3 looks to be ok.

In the log I get this error:
Feb 3 14:39:43 MailScanner MailScanner[5743]: Possible syntax error on line 3 o
f /etc/MailScanner/filename.rules.conf
Feb 3 14:39:43 MailScanner MailScanner[5743]: Remember to separate fields with
tab characters!

# See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email
deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email
deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email
deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email
deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack
deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email
deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email
deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email
deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email
deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email
deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email
deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email
deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email
deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email

From mailscanner at ecs.soton.ac.uk Tue Feb 3 20:06:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:18 2006
Subject: Error in line 3 in filename.rules.conf
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040203200535.044e4308@imap.ecs.soton.ac.uk>

At 19:46 03/02/2004, you wrote:
>Thank you for your answers!!!!
>I have not changed this file, and line 3 looks to be ok.

You must have done, this file is correct as shipped, as far as I am aware (and over 2000 people have downloaded and run the latest version).

I suggest you have had 1 line either broken into 2 or else the fields are not separated by tabs alone.

>In the log I get this error:
>Feb 3 14:39:43 MailScanner MailScanner[5743]: Possible syntax error on
>line 3 o
>f /etc/MailScanner/filename.rules.conf
>Feb 3 14:39:43 MailScanner MailScanner[5743]: Remember to separate
>fields with
>tab characters!
>
># See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more
>info.
>deny \.cnf$ Possible SpeedDial attack
> SpeedDials are very dangerous in email
>deny \.hta$ Possible Microsoft HTML archive attack
> HTML archives are very dangerous in email
>deny \.ins$ Possible Microsoft Internet Comm. Settings
>attack
> Windows Internet Settings are dangerous in email
>deny \.jse?$ Possible Microsoft JScript attack
> JScript Scripts are dangerous in email
>deny \.lnk$ Possible Eudora *.lnk security hole attack
> Eudora *.lnk security hole attack
>deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut
>attack
> Microsoft Access Shortcuts are dangerous in
>email
>deny \.pif$ Possible MS-Dos program shortcut attack
> Shortcuts to MS-Dos programs are very dangerous
>in email
>deny \.scf$ Possible Windows Explorer Command attack
> Windows Explorer Commands are dangerous in email
>deny \.sct$ Possible Microsoft Windows Script Component
>attack
> Windows Script Components are dangerous in email
>deny \.shb$ Possible document shortcut attack
> Shortcuts Into Documents are very dangerous in
>email
>deny \.shs$ Possible Shell Scrap Object attack
> Shell Scrap Objects are very dangerous in email
>deny \.vb[es]$ Possible Microsoft Visual Basic script attack
> Visual Basic Scripts are dangerous in email
>deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack
> Windows Script Host files are dangerous in email
>deny \.xnk$ Possible Microsoft Exchange Shortcut attack
> Microsoft Exchange Shortcuts are dangerous in
>email

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 3 20:05:19 2004
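An added example, not part of the thread and not MailScanner's own parser: a small checker for the two causes suggested in the reply above (a rule broken across two lines, or fields not separated by tabs alone). It assumes the four-field layout visible in the quoted rules (action, pattern, log text, user report) and treats a run of tabs as one separator; the sample rules file is constructed.

```python
import re

ACTIONS = {"allow", "deny"}

# Human-readable explanation for each problem code returned by check_rules().
EXPLAIN = {
    "not-a-rule": "does not start with allow/deny (tail of a rule broken in two?)",
    "spaces-not-tabs": "no tab on the line: fields are separated by spaces",
    "space-after-action": "space instead of tab between action and pattern",
    "field-count": "expected 4 tab-separated fields",
}


def check_rules(text):
    """Return [(line_number, code)] for each line that is not a well-formed rule."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no rule
        first_word = line.split(None, 1)[0].lower()
        if first_word not in ACTIONS:
            problems.append((lineno, "not-a-rule"))
        elif "\t" not in line:
            problems.append((lineno, "spaces-not-tabs"))
        else:
            fields = re.split(r"\t+", line.rstrip())
            if fields[0].strip().lower() not in ACTIONS:
                problems.append((lineno, "space-after-action"))
            elif len(fields) != 4:
                problems.append((lineno, "field-count"))
    return problems


# Constructed sample: line 2 is well formed, lines 3, 4, 5 and 7 are damaged
# in the ways an editor or a copy-and-paste typically damages this file.
SAMPLE = (
    "# constructed sample rules\n"
    "deny\t\\.cnf$\tPossible SpeedDial attack\tSpeedDials are very dangerous in email\n"
    "deny \\.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email\n"
    "deny\t\\.ins$\tPossible Microsoft Internet Comm. Settings attack\n"
    "\tWindows Internet Settings are dangerous in email\n"
    "deny\t\\.pif$\t\tPossible MS-Dos program shortcut attack\tShortcuts to MS-Dos programs are very dangerous in email\n"
    "deny \\.lnk$\tPossible Eudora *.lnk security hole attack\tEudora *.lnk security hole attack\n"
)

if __name__ == "__main__":
    for lineno, code in check_rules(SAMPLE):
        print(f"line {lineno}: {EXPLAIN[code]}")
```
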
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT] Re: MAPS-RBL
In-Reply-To:
References: <401FE57D.C4F9E7EC@ihs.com>
Message-ID: <6.0.1.1.2.20040203200449.04509a10@imap.ecs.soton.ac.uk>

At 19:33 03/02/2004, you wrote:
> > We use RBL+ and reject about 4,000 messages/day. It is quite useful.
>
>It's not bad, we also have a subscription, but we see a multiple of the
>hits on RBL+ on the NJABL and DSBL lists... I would try lists like that
>before moving to a paid list.

And definitely try the combined XBL+SBL list from spamhaus.org too. Very good in my experience.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dwinkler at ALGORITHMICS.COM Tue Feb 3 20:23:04 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT] Re: MAPS-RBL
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B19D@tormail2.algorithmics.com>

Already using all 3 mentioned.

Would using MAPS-RBL just push scores higher?

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
Sent: Tuesday, February 03, 2004 3:05 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: [OT] Re: MAPS-RBL

At 19:33 03/02/2004, you wrote:
> > We use RBL+ and reject about 4,000 messages/day. It is quite useful.
>
>It's not bad, we also have a subscription, but we see a multiple of the
>hits on RBL+ on the NJABL and DSBL lists... I would try lists like that
>before moving to a paid list.

And definitely try the combined XBL+SBL list from spamhaus.org too. Very good in my experience.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From raymond at PROLOCATION.NET Tue Feb 3 20:29:09 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT] Re: MAPS-RBL
In-Reply-To: <6.0.1.1.2.20040203200449.04509a10@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >It's not bad, we also have a subscription, but we see a multiple of the
> >hits on RBL+ on the NJABL and DSBL lists... I would try lists like that
> >before moving to a paid list.
>
> And definitely try the combined XBL+SBL list from spamhaus.org too. Very
> good in my experience.

Yes, very true. A good new one, if i may plug :)

RFC-IGNORANT-BOGUSMX

We get nice results with list that just started...

Bye,
Raymond.

From k.raven at FREENET.DE Tue Feb 3 21:15:09 2004
From: k.raven at FREENET.DE (Kai Raven)
Date: Thu Jan 12 21:22:18 2006
Subject: RulesDuJour
Message-ID: <20040203221509.04730876@raven.localdomain.intern>

Hi,

today, i have used RulesDuJour the first time.
After the first run, all the *.cf files are saved under the
/etc/mail/spamassassin/RulesDuJour directory. Is it necessary to move
or copy them to /etc/mail/spamassassin?

--
Ciao
Kai

HP: http://kai.iks-jena.de/
Blog: http://rabenhorst.blogg.de/
GnuPG-Key: 0x76C65282
ICQ:146714798

From hywel at BURRIS.ORG.UK Tue Feb 3 21:20:37 2004
From: hywel at BURRIS.ORG.UK (Hywel Burris)
Date: Thu Jan 12 21:22:18 2006
Subject: Announce: MailWatch for MailScanner 0.5
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E4F@neelix.lbsltd.co.uk>
Message-ID: <200402032120.i13LKbNS024510@mail.burris.org.uk>

Hi Steve,

I have run into this problem after upgrading from version 0.4 to 0.5 on fedora, surprisingly it seemed to work ok with perl-DBD-MySQL-2.9002-1 before I upgraded.

I am getting the error: -

Feb 3 21:16:13 mail MailScanner[23332]: Database ping failure attempting to re-connect
Feb 3 21:16:13 mail MailScanner[23332]: Cannot insert row: MySQL server has gone away

I assume that this is caused by me using the incorrect version?

Would there be any chance of advising how I could install this old version like you seen below as fedora is advising that the above version of perl is required for MySQL.

Thanks

Hywel

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Freegard
Sent: 03 February 2004 17:41
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Announce: MailWatch for MailScanner 0.5

Hi Eric,

You'll still need 2.1028. However I saw a neat trick done by an admin recently who installed the DBD-MySQL module into /usr/lib/MailScanner/MailScanner/DBD-MySQL and did something like "use lib '/usr/lib/MailScanner/MailScanner/DBD-MySQL/';" to the top of MailWatch.pm to use the older version instead.

Kind regards,
Steve.

[snip]

From steve.swaney at FSL.COM Tue Feb 3 21:23:17 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:18 2006
Subject: RulesDuJour
In-Reply-To: <20040203221509.04730876@raven.localdomain.intern>
Message-ID: <20040203212319.6AE9D21C142@mail.fsl.com>

Nope.

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Kai Raven
> Sent: Tuesday, February 03, 2004 4:15 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: RulesDuJour
>
> Hi,
>
> today, i have used RulesDuJour the first time.
> After the first run, all the *.cf files are saved under the
> /etc/mail/spamassassin/RulesDuJour directory. Is it necessary to move
> or copy them to /etc/mail/spamassassin?
>
> --
> Ciao
> Kai
>
> HP: http://kai.iks-jena.de/
> Blog: http://rabenhorst.blogg.de/
> GnuPG-Key: 0x76C65282
> ICQ:146714798
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Fortress Systems Ltd.
www.fsl.com

From mkettler at EVI-INC.COM Tue Feb 3 21:30:47 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:18 2006
Subject: RulesDuJour
In-Reply-To: <20040203221509.04730876@raven.localdomain.intern>
References: <20040203221509.04730876@raven.localdomain.intern>
Message-ID: <6.0.0.22.0.20040203162546.026d22c8@xanadu.evi-inc.com>

At 04:15 PM 2/3/2004, Kai Raven wrote:
>Hi,
>
>today, i have used RulesDuJour the first time.
>After the first run, all the *.cf files are saved under the
>/etc/mail/spamassassin/RulesDuJour directory. Is it necessary to move
>or copy them to /etc/mail/spamassassin?

SA will not parse the files in subdirectories..

However, if you look closely, the ones in the RulesDuJour subdir should be your *old* files, not the freshly downloaded ones.

From the script itself:

TMPDIR="${SA_DIR}/RulesDuJour";         # Where we store old rulesets. If you delete
                                        # this directory, RuleSets may be detected as
                                        # out of date the next time you run rules_du_jour.

Also, for reference you're probably better off directing general RulesDuJour questions to the spamassassin mailing list if you can. The author of the RDJ script, Chris Thielen, subscribes to the spamassassin list, but AFAIK not this list.

Of course, if your question is about mailscanner-specific things, you're probably better off posting here.

From brose at MED.WAYNE.EDU Tue Feb 3 21:28:48 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT]RE: RulesDuJour
Message-ID:

That's where it downloads them, they should get moved to /etc/mail/spamassassin by the script itself if there are changes. The reason for this is so that if the download fails, you still have working copy.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kai Raven
Sent: Tuesday, February 03, 2004 4:15 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: RulesDuJour

Hi,

today, i have used RulesDuJour the first time.
After the first run, all the *.cf files are saved under the /etc/mail/spamassassin/RulesDuJour directory. Is it necessary to move or copy them to /etc/mail/spamassassin?

--
Ciao
Kai

HP: http://kai.iks-jena.de/
Blog: http://rabenhorst.blogg.de/
GnuPG-Key: 0x76C65282
ICQ:146714798

From miguelk at KONSULTEX.COM.BR Tue Feb 3 21:35:37 2004
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:22:18 2006
Subject: [OT] Re: MAPS-RBL
References: <401FE57D.C4F9E7EC@ihs.com> <6.0.1.1.2.20040203200449.04509a10@imap.ecs.soton.ac.uk>
Message-ID: <40201429.4080705@konsultex.com.br>

Julian;

I have to disagree completely with these databases. I think that MAPS has a lot of bad information in it, like a virus scanner with many false alarms, only with graver consequences.

A virus scanner maintainer puts a pattern in and mostly forgets about it because that pattern identifies a virus which will most likely never change into a benevolent file. Somebody putting a host or network into a 'pattern' database has a much harder job and an infinitely greater responsibility because these 'patterns' (ips or networks) would have to come and go according to correct, dynamic information which decides without a doubt if the ip is 'a virus' (spamming) or not.

Imagine a company that finds a virus and identifies that the string '0A' is in the file. So they decide to mark every file with '0A' as a virus. Then they leave it up to the user of a given executable to make the third party developer prove to this hypothetical company that their use of '0A' is justified, not a virus, so that the program is finally able to run for the user. To make the analogy closer to reality, imagine that the user is not allowed to uninstall the virus scanner while he waits for all this to happen. You call them for help and they say "ask Microsoft to contact us"!

I was an innocent victim of the MAPS gang in December during over a month. I had to jump through hoops to get my IP out of a DUL range, which I found out about when all of a sudden some of our users could not communicate with their major customer. I don't have a dynamic IP and I have my reverse DNS configured, even though the ISP probably assigns some dynamic ones in the net range. My influence on what the ISP does tends to zero.

Getting an IP "cleared" is very difficult and time consuming because mailabuse.com is not proactive and leaves the problem for the victim to solve. I believe that the reason is that their database appears more valuable if it has more IPs in it. They proved to me that they don't care if I can't communicate. The irony is that you can't communicate by email even with them! I bet most people don't bother to go all the way like I did and just convince the receiving party of the emails to ignore MAPS for their case. And so the database fills up with junk.

That's my experience with MAPS. Maybe others are better.

Miguel

Julian Field wrote:
> At 19:33 03/02/2004, you wrote:
>
>> > We use RBL+ and reject about 4,000 messages/day. It is quite useful.
>>
>> It's not bad, we also have a subscription, but we see a multiple of the
>> hits on RBL+ on the NJABL and DSBL lists... I would try lists like that
>> before moving to a paid list.
>
>
> And definitely try the combined XBL+SBL list from spamhaus.org too. Very
> good in my experience.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
This message has been checked by the antivirus system and is believed to be free of danger.

From steve.swaney at FSL.COM Tue Feb 3 22:04:13 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:18 2006
Subject: RulesDuJour
In-Reply-To: <20040203212319.6AE9D21C142@mail.fsl.com>
Message-ID: <20040203220413.7465E21C13F@mail.fsl.com>

Sorry, I misread your message.

If you haven't changed the rules_du_jour defaults, the rules will be downloaded into the /etc/mail/spamassassin directory. If you haven't changed the MailScanner defaults, they will be read from the /etc/mail/spamassassin directory and used when MailScanner calls the SpamAssassin routines.

The fact that your rules live in the /etc/mail/spamassassin/rules_du_jour directory indicates that the spamassassin --lint command is failing and the downloaded rules are being backed out and stored in /etc/mail/spamassassin/rules_du_jour.

What happens when you run the rules_du_jour script from a command line? That should tell you what is happening.

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Stephen Swaney
> Sent: Tuesday, February 03, 2004 4:23 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: RulesDuJour
>
> Nope.
>
> Stephen Swaney
> President
> Fortress Systems Ltd.
> Steve.Swaney@FSL.com
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Kai Raven
> > Sent: Tuesday, February 03, 2004 4:15 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: RulesDuJour
> >
> > Hi,
> >
> > today, I have used RulesDuJour the first time.
> > After the first run, all the *.cf files are saved under the
> > /etc/mail/spamassassin/RulesDuJour directory. Is it necessary to move
> > or copy them to /etc/mail/spamassassin?
> >
> > --
> > Ciao
> > Kai
> >
> > HP: http://kai.iks-jena.de/
> > Blog: http://rabenhorst.blogg.de/
> > GnuPG-Key: 0x76C65282
> > ICQ:146714798
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> > Fortress Systems Ltd.
> > www.fsl.com
> >
> >
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Fortress Systems Ltd.
www.fsl.com

From roddy at NETSPACE.NET.AU Tue Feb 3 22:19:51 2004
From: roddy at NETSPACE.NET.AU (Roddy Strachan)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
Message-ID: <40201E87.8040702@netspace.net.au>

Hi,

Just installed Mailscanner on Freebsd 5.1, however have run into some problems.

I followed the install.FREEBSD instructions, however on system startup, I get

Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use
Feb 4 08:51:57 mail sm-mta[2129]: daemon MTA: problem creating SMTP socket
Feb 4 08:52:01 mail MailScanner[2157]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 4 08:52:02 mail sm-mta[2129]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use
Feb 4 08:52:02 mail sm-mta[2129]: daemon MTA: problem creating SMTP socket
Feb 4 08:52:02 mail MailScanner[2157]: Using locktype = flock

It looks like MailScanner actually loads, but it won't scan any incoming mail.

I tried another way by executing the .sh script. This loads MailScanner no problems, but again it doesn't look like it scans the mail coming in, did some tests and no headers are added, it's as though it isn't passing it onto F-Prot.

Thanks

P.S. A very similar if not the same problem discussed here at the bottom:
http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0205&L=mailscanner&P=R10295&I=-1

From raymond at PROLOCATION.NET Tue Feb 3 22:34:08 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To: <40201E87.8040702@netspace.net.au>
Message-ID:

Hi!

> Just installed Mailscanner on Freebsd 5.1, however have ran into some
> problems.
>
> I followed the install.FREEBSD instructions, however on system startup,
> i get
>
> Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root):
> opendaemonsocket: daemon MTA: cannot bind: Address already in use
> Feb 4 08:51:57 mail sm-mta[2129]: daemon MTA: problem creating SMTP socket
> Feb 4 08:52:01 mail MailScanner[2157]: MailScanner E-Mail Virus Scanner
> version 4.26.8 starting...

You didn't stop your original MTA as it seems. The socket was in use like the logs report.

Bye,
Raymond.

From roddy at NETSPACE.NET.AU Tue Feb 3 22:38:04 2004
From: roddy at NETSPACE.NET.AU (Roddy Strachan)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To:
References:
Message-ID: <402022CC.2070805@netspace.net.au>

> Hi!
>
>
>>Just installed Mailscanner on Freebsd 5.1, however have ran into some
>>problems.
>>
>>I followed the install.FREEBSD instructions, however on system startup,
>>i get
>>
>>Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root):
>>opendaemonsocket: daemon MTA: cannot bind: Address already in use
>>Feb 4 08:51:57 mail sm-mta[2129]: daemon MTA: problem creating SMTP socket
>>Feb 4 08:52:01 mail MailScanner[2157]: MailScanner E-Mail Virus Scanner
>>version 4.26.8 starting...
>
>
> You didnt stop your original MTA as it seems. The socket was in use like
> the logs report.

OK, that brings me to the next question: in the install.FREEBSD it says to add certain lines to /etc/rc.conf

sendmail_enable="YES"
# MailScanner starts here
mta_start_script="/opt/MailScanner/bin/rc.MailScanner start"
MailScanner_incoming_queue="/var/spool/mqueue.in"
MailScanner_queue_time="15m"
MailScanner_check="/opt/MailScanner/bin/check_mailscanner"
MailScanner_pidfile="/opt/MailScanner/var/MailScanner.pid"
# MailScanner ends here

That's what my rc.conf looks like. Should I make sendmail_enable=NO? And then allow mailscanner to start it?

From jdbautista at IWSPC.COM Tue Feb 3 22:50:04 2004
From: jdbautista at IWSPC.COM (Joseph C. Bautista)
Date: Thu Jan 12 21:22:18 2006
Subject: Announce: MailWatch for MailScanner 0.5
References: <67D9E7698329D411936E00508B6590B902773E43@neelix.lbsltd.co.uk>
Message-ID: <013b01c3eaa8$10b70120$4c04a8c0@Plnt3domain>

Thank you. It's now working...

----- Original Message -----
From: "Steve Freegard" To: Sent: Tuesday, February 03, 2004 5:06 PM Subject: Re: Announce: MailWatch for MailScanner 0.5 > Hi Joseph, > > You're getting this error because your copy of PHP doesn't have the MySQL > module installed or compiled in. > > If you are running RedHat install the php-mysql RPM from your installation > CD's and restart apache and it will start working. > > Kind regards, > Steve. > > > -----Original Message----- > > From: Joseph C. Bautista [mailto:jdbautista@IWSPC.COM] > > Sent: 03 February 2004 08:39 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Announce: MailWatch for MailScanner 0.5 > > > > > > Hi All, > > > > I think i followed the instruction correct. My > > Mailscanner is logging to mysql database. But everytime i > > point my browser to > > > > http://localhost/mailscanner it gives me an error: > > > > Fatal error: Call to undefined function: > > mysql_pconnect() in > > /home/httpd/html/mailscanner/functions.php on line 273 > > > > Anyone knows how to fixed this? > > > > Thnx. > > > > > > ----- Original Message ----- 
> > From: "Steve Freegard" > > To: > > Sent: Tuesday, February 03, 2004 8:44 AM > > Subject: Announce: MailWatch for MailScanner 0.5 > > > > > > > Hi All, > > > > > > I'm pleased to finally release 0.5 which you can download from > > > http://www.sourceforge.net/projects/mailwatch. > > > > > > CHANGE LOG > > > - Updated indexes for much greater performance (again!). > > > - Added preliminary support for per-user filters (see USER_FILTERS > > > file). > > > - Added the ability to view quarantined items. > > > - All tables now enable a pager when returning more than 50 > > rows and allow > > > ordering by any of the displayed columns. > > > - New tool to run SpamAssassin --lint and time the output > > for debugging > > SA. > > > - New F-Secure status page (like Sophos). > > > - Required PEAR modules now included. > > > - Added reporting of Blacklisted mails. > > > - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted > > e-mails. > > > - Quoted printable strings are now automatically decoded before > > > display. > > > - Configuration options moved from functions.php into conf.php > > > - Automatically works out VIRUS_REGEX by using the first value in > > > MailScanner.conf - e.g. 'Virus Scanners = sophossavi > > clamavmodule' would > > > activate the regexp for SophosSAVI. > > > - New 'Virus Report' allows comparison of multiple scanners > > (if you run > > > more than one) and allows you to see 1st detection > > date/time of each > > > virus by each scanner. > > > - Integration with Fortress Systems Secure Mail Gateway. > > > > > > FIXES > > > - Multiple clean-ups of mailq.php to make it more robust. > > > - Greatly improved debugging of SQL statments. > > > - Quarantine now correctly looks in the non-spam quarantine > > > directories. > > > - SA Rules Description Update now reads custom rules as well. > > > - sendmail_relay.php now works across log rotations. > > > - Increased memory_limit to 128M for quarantine functions. 
> > > > > > Kind regards, > > > Steve. > > > > > > -- > > > MailWatch for MailScanner > > > http://mailwatch.sourceforge.net > > > > > > -- > > > This email and any files transmitted with it are confidential and > > > intended solely for the use of the individual or entity to > > whom they > > > are addressed. If you have received this email in error > > please notify > > > the sender and delete the message from your mailbox. > > > > > > This footnote also confirms that this email message has > > been swept by > > > MailScanner (www.mailscanner.info) for the presence of computer > > > viruses. > > > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer viruses. From jdavis at CS.ARIZONA.EDU Tue Feb 3 22:35:38 2004 
From: jdavis at CS.ARIZONA.EDU (Jim Davis)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To: <40201E87.8040702@netspace.net.au>
References: <40201E87.8040702@netspace.net.au>
Message-ID: <4020223A.90603@cs.arizona.edu>

Roddy Strachan wrote:
> Hi,
>
> Just installed Mailscanner on Freebsd 5.1, however have ran into some
> problems.
>
> I followed the install.FREEBSD instructions, however on system startup,
> i get
>
> Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root):
> opendaemonsocket: daemon MTA: cannot bind: Address already in use

Sounds like you already have a sendmail process running, so port 25 is already in use.

On my 4.9 system, I ended up putting

sendmail_enable="YES"
sendmail_flags="-L sm-mta -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in"

in /etc/rc.conf, and then also ran

/usr/sbin/sendmail -q15m

(by hand, though I should put that in /usr/local/etc/rc.d or something).

Then restart sendmail (ie, cd /etc/mail; sudo make restart) and you should see something like

109 ?? Is 0:00.09 sendmail: Queue runner@00:30:00 for /var/spool/client
167 ?? Ss 0:29.89 sendmail: accepting connections (sendmail)
52737 ?? Is 0:00.01 sendmail: Queue runner@00:15:00 for /var/spool/mqueue

if you run a ps -ax | grep sendmail

From rzewnickie at RFA.ORG Tue Feb 3 22:47:11 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:18 2006
Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current
In-Reply-To:
References:
Message-ID: <20040203224710.GG5626@rfa.org>

After further thought, I think someone (possibly myself, possibly not ...) ran the old simple script that just dumped the .dat's in /usr/local/uvscan/ thereby overwriting the links created by your autoupdate script. I have since banished that script to avoid any such future mishaps.

Thanks Tony,
Eric Rz.

On Tue, Feb 03, 2004 at 06:33:35PM +0000, Tony Finch wrote:
> Eric Dantan Rzewnicki wrote:
> >
> >Thank you for clearing this up. I'm still puzzled as to why they weren't
> >created when I first ran the script, but it seems to be ok now.
>
> You might have splatted them afterwards, e.g. by reinstalling uvscan.
>
> Tony.
> --
> f.a.n.finch http://dotat.at/
> THE WASH TO NORTH FORELAND: SOUTHWEST 6 TO GALE 8. RAIN AT TIMES. MODERATE OR
> GOOD. SLIGHT OR MODERATE, OCCASIONALLY ROUGH WELL OFFSHORE.

From raymond at PROLOCATION.NET Tue Feb 3 23:00:01 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To: <402022CC.2070805@netspace.net.au>
Message-ID:

Hi!

> Ok that brings me to the next question, in the install.FREEBSD it says
> to add certain lines to /etc/rc.conf
>
> sendmail_enable="YES"
> # MailScanner starts here
> mta_start_script="/opt/MailScanner/bin/rc.MailScanner start"
> MailScanner_incoming_queue="/var/spool/mqueue.in"
> MailScanner_queue_time="15m"
> MailScanner_check="/opt/MailScanner/bin/check_mailscanner"
> MailScanner_pidfile="/opt/MailScanner/var/MailScanner.pid"
> # MailScanner ends here
>
>
> Thats what my rc.conf looks like, should i make sendmail_enable=NO ?
> And then allow mailscanner to start it ?

I am no BSD hero but yes, it seems you now first start SM and then MS, and then it can't bind since there is already a SM process running on port 25.

Bye,
Raymond.

From martyn at INVICTAWIZ.COM Tue Feb 3 23:01:31 2004
From: martyn at INVICTAWIZ.COM (Martyn Routley)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To: <4020223A.90603@cs.arizona.edu>
Message-ID:

I use 2 cute scripts which run from /usr/local/etc/rc.d, I can't remember where they came from.
One is called mta.sh and starts/stops/restarts sendmail.
The other (unsurprisingly) is called mailscanner.sh and does the same for mailscanner.

I don't have any references to MS in /etc/rc.conf and I have
sendmail_enable="NO"

I can't get at them at the moment, but if they are wanted, let me know.

Martyn Routley
-----------------------------------------------------------------
InvictaWiz - The Internet in Plain English, Guaranteed
http://www.invictawiz.com
martyn@invictawiz.com
phone: 08707 440180
fax: 08707 440181
Ask us about our online Antivirus and Junk mail scanning service.
Ask us how you could save money on your telephone bill.
-----------------------------------------------------------------

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jim Davis Sent: 03 February 2004 22:36 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [MAILSCANNER] Mailscanner & Freebsd Roddy Strachan wrote: > Hi, > > Just installed Mailscanner on Freebsd 5.1, however have ran into some > problems. > > I followed the install.FREEBSD instructions, however on system startup, > i get > > Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root): > opendaemonsocket: daemon MTA: cannot bind: Address already in use Sounds like you already have a sendmail process running, so port 25 is already in use. On my 4.9 system, I ended up putting sendmail_enable="YES" sendmail_flags="-L sm-mta -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in" in /etc/rc.conf, and then also ran /usr/sbin/sendmail -q15m (by hand, though I should put that in /usr/local/etc/rc.d or something). Then restart sendmail (ie, cd /etc/mail; sudo make restart) and you should see something like 109 ?? Is 0:00.09 sendmail: Queue runner@00:30:00 for /var/spool/client 167 ?? Ss 0:29.89 sendmail: accepting connections (sendmail) 52737 ?? Is 0:00.01 sendmail: Queue runner@00:15:00 for /var/spool/mqueue if you run a ps -ax | grep sendmail ---------------------------------------------------------------------------- - This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. ---------------------------------------------------------------------------- - From roddy at NETSPACE.NET.AU Tue Feb 3 23:22:38 2004 
From: roddy at NETSPACE.NET.AU (Roddy Strachan) Date: Thu Jan 12 21:22:18 2006 Subject: Mailscanner & Freebsd In-Reply-To: References: Message-ID: <40202D3E.6030907@netspace.net.au> Thanks for the help guys. Looks like its working, however am still getting cannot bind messages, but it still sends mail and receives it and mainly scans it, so i'll leave it as is :). Thanks Martyn Routley wrote: > I use 2 cute scripts which run from /usr/local/etc/rc.d, I can't remember > where they came from. > One is called mta.sh and starts/stops/restarts sendmail. > The other (unsurprisingly) is called mailscanner.sh and does the same for > mailscanner. > > I don't have any references to MS in /etc/rc.conf and I have > sendmail_enable="NO" > > I can't get at them at the moment, but if they are wanted, let me know. > > > Martyn Routley > ----------------------------------------------------------------- > InvictaWiz - The Internet in Plain English, Guaranteed > http://www.invictawiz.com > martyn@invictawiz.com > phone: 08707 440180 > fax: 08707 440181 > Ask us about our online Antivirus and Junk mail scanning service. > Ask us how you could save money on your telephone bill. > ----------------------------------------------------------------- > > > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Jim Davis > Sent: 03 February 2004 22:36 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] Mailscanner & Freebsd > > > Roddy Strachan wrote: > >>Hi, >> >>Just installed Mailscanner on Freebsd 5.1, however have ran into some >>problems. >> >>I followed the install.FREEBSD instructions, however on system startup, >>i get >> >>Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root): >>opendaemonsocket: daemon MTA: cannot bind: Address already in use > > > Sounds like you already have a sendmail process running, so port 25 is > already in use. > > On my 4.9 system, I ended up putting > > sendmail_enable="YES" > sendmail_flags="-L sm-mta -bd -OPrivacyOptions=noetrn > -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in" > > in /etc/rc.conf, and then also ran > > /usr/sbin/sendmail -q15m > > (by hand, though I should put that in /usr/local/etc/rc.d or something). > > Then restart sendmail (ie, cd /etc/mail; sudo make restart) and you > should see something like > > 109 ?? Is 0:00.09 sendmail: Queue runner@00:30:00 for > /var/spool/client > 167 ?? Ss 0:29.89 sendmail: accepting connections (sendmail) > 52737 ?? Is 0:00.01 sendmail: Queue runner@00:15:00 for > /var/spool/mqueue > > if you run a ps -ax | grep sendmail > > > ---------------------------------------------------------------------------- > - > This message has been scanned for viruses and > dangerous content by the http://www.anti84787.com > MailScanner, and is believed to be clean. > ---------------------------------------------------------------------------- > - > From ugob at CAMO-ROUTE.COM Wed Feb 4 00:52:17 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108B1@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Roddy Strachan [mailto:roddy@NETSPACE.NET.AU]
> Sent: Tuesday, February 03, 2004 6:23 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mailscanner & Freebsd
>
>
> Thanks for the help guys.
>
> Looks like its working, however am still getting cannot bind messages,
> but it still sends mail and receives it and mainly scans it, so i'll
> leave it as is :).

It is probably your standalone sendmail that is trying to start. Can you see mailscanner's headers in your messages? If not, standalone sendmail starts but not mailscanner's. You must disable standalone sendmail and let mailscanner start its instance.

hth

Ugo

>
> Thanks
>
>
> Martyn Routley wrote:
>
> > I use 2 cute scripts which run from /usr/local/etc/rc.d, I
> can't remember
> > where they came from.
> > One is called mta.sh and starts/stops/restarts sendmail.
> > The other (unsurprisingly) is called mailscanner.sh and
> does the same for
> > mailscanner.
> >
> > I don't have any references to MS in /etc/rc.conf and I have
> > sendmail_enable="NO"
> >
> > I can't get at them at the moment, but if they are wanted,
> let me know.
> >
> >
> > Martyn Routley
> > -----------------------------------------------------------------
> > InvictaWiz - The Internet in Plain English, Guaranteed
> > http://www.invictawiz.com
> > martyn@invictawiz.com
> > phone: 08707 440180
> > fax: 08707 440181
> > Ask us about our online Antivirus and Junk mail scanning service.
> > Ask us how you could save money on your telephone bill.
> > -----------------------------------------------------------------
> >
> >
> >
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Jim Davis > > Sent: 03 February 2004 22:36 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: [MAILSCANNER] Mailscanner & Freebsd > > > > > > Roddy Strachan wrote: > > > >>Hi, > >> > >>Just installed Mailscanner on Freebsd 5.1, however have ran > into some > >>problems. > >> > >>I followed the install.FREEBSD instructions, however on > system startup, > >>i get > >> > >>Feb 4 08:51:57 mail sm-mta[2129]: NOQUEUE: SYSERR(root): > >>opendaemonsocket: daemon MTA: cannot bind: Address already in use > > > > > > Sounds like you already have a sendmail process running, so > port 25 is > > already in use. > > > > On my 4.9 system, I ended up putting > > > > sendmail_enable="YES" > > sendmail_flags="-L sm-mta -bd -OPrivacyOptions=noetrn > > -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in" > > > > in /etc/rc.conf, and then also ran > > > > /usr/sbin/sendmail -q15m > > > > (by hand, though I should put that in /usr/local/etc/rc.d > or something). > > > > Then restart sendmail (ie, cd /etc/mail; sudo make restart) and you > > should see something like > > > > 109 ?? Is 0:00.09 sendmail: Queue runner@00:30:00 for > > /var/spool/client > > 167 ?? Ss 0:29.89 sendmail: accepting connections > (sendmail) > > 52737 ?? Is 0:00.01 sendmail: Queue runner@00:15:00 for > > /var/spool/mqueue > > > > if you run a ps -ax | grep sendmail > > > > > > > -------------------------------------------------------------- > -------------- > > - > > This message has been scanned for viruses and > > dangerous content by the http://www.anti84787.com > > MailScanner, and is believed to be clean. > > > -------------------------------------------------------------- > -------------- > > - > > > From postmaster at codestone.sphereosoft.net Wed Feb 4 07:40:15 2004 
From: postmaster at codestone.sphereosoft.net (MailScanner)
Date: Thu Jan 12 21:22:18 2006
Subject: Unsolicited commercial email rejected
Message-ID: <200402040740.i147eFU06445@codestone.sphereosoft.net>

Our UCE (spam) detectors have been triggered by a message you sent:-
To: adam@sfogs.com
Subject: Status
Date: Wed Feb 4 15:40:15 2004

This message has been rejected. The detector that triggered is SpamAssassin.

The content of your message indicates that it is probably spam e-mail, which is why it has been rejected. We do not accept unsolicited commercial (spam) e-mail and actively work to stop it.

If you are sending spam and continue to do so, your Internet Service Provider may be contacted and requested to close your account.

If you have any questions about this, or you believe you have received this message in error, please contact the site system administrators.

--
MailScanner
Email Virus Scanner
www.mailscanner.info
Mailscanner thanks transtec Computers for their support

From oldmaxgit at YAHOO.COM Wed Feb 4 07:34:20 2004
From: oldmaxgit at YAHOO.COM (Miserable Old Git)
Date: Thu Jan 12 21:22:18 2006
Subject: Spamcop not working
Message-ID:

Doing a search of the archive I found a similar question asked but I cannot find a resolution, apologies if I have missed it.

I am using MailScanner 4.25-11 and SpamAssassin 2.60 on a RaQ4

Problem:
Spam is getting through which has come from IP numbers which are listed on Spamcop (maybe listed on others too but I've not found them).

In mailscanner.conf I have:
Spam Checks = yes
Spam List = ORDB-RBL Infinite-Monkeys spamcop.net

And in spam.lists.conf I have:
ORDB-RBL relays.ordb.org.
spamhaus.org sbl.spamhaus.org.
spamcop.net bl.spamcop.net.
Infinite-Monkeys proxies.relays.monkeys.com.

I notice that under "Spam List" in the page about mailscanner.conf says "These lists are based on the numeric IP address of the server that sent the message to your MailScanner server."

My implementation involves an extra hop for email directly before the server which is running Mailscanner. If Spamcop is only ever checked against the previous IP, it will never find the IP listed.

If this is the case, is there a way to specify which hop is checked?

Thanks in advance for any help you can offer.

Going quietly nuts!

From P.G.M.Peters at utwente.nl Wed Feb 4 07:57:21 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:18 2006
Subject: MailScanner.conf questions
In-Reply-To: <6.0.1.1.2.20040203174218.03f1bb88@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040203174218.03f1bb88@imap.ecs.soton.ac.uk>
Message-ID:

On Tue, 3 Feb 2004 17:44:20 +0000, you wrote:

>At 17:07 03/02/2004, you wrote:
>>1. In the web site about the MailScanner.conf it says (with some text
>>taking out) talking about spam.whitelist.rules:
>>Is Definitely Not Spam
>>You will probably want to include your own site (or your own site's IP
>>addresses) in this ruleset.
>>
>>Does that mean put:
>>From: *@domain.com or
>
>Yes, but it is even better to whitelist your IP addresses. You can put in
>IP addresses in any of the common syntaxes for specifying netblocks.

Yes, but only when you are absolutely sure no system on your network is ever going to send spam.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at utwente.nl Wed Feb 4 08:00:03 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:18 2006
Subject: rant about anti-virus and spam, MS flamed
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EDA4@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264EDA4@CITY-EXCH-NTS>
Message-ID: <5i9120l21g78g6of72flguh65iohu5lftv@4ax.com>

On Tue, 3 Feb 2004 09:19:14 -0900, you wrote:

>Sadly, the onus has to be on the AV companies at this point and I'm not
>holding my breath that they're ever gonna read my humble suggestion. But I
>dunno - maybe someone from that universe does follow this list. Guess I
>better patent the idea quick!

I think the most chance of implementing this would be from the people of clamav. If the technicians of the vendors see it as a good feature, the sales will forbid it because they will lose a lot of free publicity.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Wed Feb 4 08:43:35 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:18 2006
Subject: Spamcop not working
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040204084247.0821b6c0@imap.ecs.soton.ac.uk>

At 07:34 04/02/2004, you wrote:
>Doing a search of the archive I found a similar question asked but I cannot
>find a resolution, apologies if I have missed it.
>
>I am using MailScanner 4.25-11 and SpamAssassin 2.60 on a RaQ4
>
>Problem :
>Spam is getting through which has come from IP numbers which are listed on
>Spamcop (maybe listed on others too but I've not found them).
>
>
>In mailscanner.conf I have :
>Spam Checks = yes
>Spam List = ORDB-RBL Infinite-Monkeys spamcop.net
>
>And in spam.lists.conf I have :
>ORDB-RBL relays.ordb.org.
>spamhaus.org sbl.spamhaus.org.
>spamcop.net bl.spamcop.net.
>Infinite-Monkeys proxies.relays.monkeys.com.
>
>
>
>I notice that under "Spam List" in the page about mailscanner.conf
>says "These lists are based on the numeric IP address of the server that
>sent the message to your MailScanner server."
>
>My implementation involves an extra hop for email directly before the
>server which is running Mailscanner, If Spamcop is only ever checked
>against the previous IP, it will never find the IP listed.

That is indeed what is happening.

>If this is the case, is there a way to specify which hop is checked ?

No, but SpamAssassin checks all the hops. If you find the rules relating to spamcop, you could increase their scores so they have more influence.

>Thanks in advance for any help you can offer.
>
>Going quietly nuts !

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lenaig at WANADOO.FR Wed Feb 4 09:30:00 2004
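The "Spamcop not working" exchange above turns on which relay address a blocklist lookup is made against. The following is an added example, not part of any message in this archive and not MailScanner or SpamAssassin code: it contrasts a check of the connecting hop only with a check of every hop recorded in the Received headers. The sample message, all IP addresses, the 10.0.0.0/8 "own relays" network and the listing data are constructed; only the zone name bl.spamcop.net. comes from the posted spam.lists.conf.

```python
import ipaddress
import re
import socket
from email import message_from_string

ZONE = "bl.spamcop.net."                         # zone from the posted spam.lists.conf
OWN_RELAYS = ipaddress.ip_network("10.0.0.0/8")  # assumption: the site's own relays

# Constructed message. Each relay prepends its Received header, so the first
# header was written by the MailScanner host about the server that connected to it.
SAMPLE = """\
Received: from relay.internal.example (relay.internal.example [10.0.0.5])
\tby scanner.internal.example with ESMTP id CONSTRUCTED1;
\tWed, 4 Feb 2004 07:40:15 +0000
Received: from mail.sender.example (mail.sender.example [192.0.2.44])
\tby relay.internal.example with ESMTP id CONSTRUCTED2;
\tWed, 4 Feb 2004 07:40:14 +0000
Received: from client.sender.example (unknown [198.51.100.23])
\tby mail.sender.example with SMTP id CONSTRUCTED3;
\tWed, 4 Feb 2004 07:40:12 +0000
From: sender@sender.example
To: user@internal.example
Subject: constructed test message

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw_message):
    """Return the peer address recorded by each relay, nearest hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for received in msg.get_all("Received", []):
        # Only the "from ..." clause names the peer; drop everything after "by".
        from_clause = re.split(r"\s+by\s", received, maxsplit=1)[0]
        match = IP_IN_BRACKETS.search(from_clause)
        if match:
            ips.append(match.group(1))
    return ips


def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: reversed octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, zone=ZONE, resolve=socket.gethostbyname):
    """An A record inside 127.0.0.0/8 means listed; a failed lookup means not."""
    try:
        answer = ipaddress.ip_address(resolve(dnsbl_name(ip, zone)))
    except (OSError, ValueError):
        return False
    return answer in ipaddress.ip_network("127.0.0.0/8")


def last_hop_listed(raw_message, resolve=socket.gethostbyname):
    """Check only the server that connected to the scanning host."""
    ips = relay_ips(raw_message)
    return bool(ips) and is_listed(ips[0], resolve=resolve)


def listed_hops(raw_message, resolve=socket.gethostbyname):
    """Check every recorded hop that is not one of the site's own relays."""
    return [ip for ip in relay_ips(raw_message)
            if ipaddress.ip_address(ip) not in OWN_RELAYS
            and is_listed(ip, resolve=resolve)]


# Constructed listing data so the example runs without network access.
CONSTRUCTED_LISTINGS = {dnsbl_name("192.0.2.44"): "127.0.0.2"}


def fake_resolve(name):
    """Stand-in resolver: answers from CONSTRUCTED_LISTINGS, else NXDOMAIN."""
    try:
        return CONSTRUCTED_LISTINGS[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN")


if __name__ == "__main__":
    print("hops:", relay_ips(SAMPLE))
    print("last-hop query:", dnsbl_name(relay_ips(SAMPLE)[0]))
    print("last hop listed:", last_hop_listed(SAMPLE, resolve=fake_resolve))
    print("listed hops:", listed_hops(SAMPLE, resolve=fake_resolve))
```

Only Received headers written by relays you operate can be trusted; anything below them is supplied by the sender, so the address your own relay recorded (192.0.2.44 here) is the one worth acting on.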
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629274108B1@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629274108B1@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <20040204093000.GA1792@maelenn>

I am running sendmail/mailscanner on a freebsd 5.1 box too ... (I am not alone, hurrah !! )

What people told me is that it should be mailscanner that starts sendmail ... but for me, it never works ....
Now I am using MTA.sh to start sendmail correctly ...

But I do not know where I should see the Mailscanner header ..??

/etc/rc.conf :
sendmail_enable="NONE"
sendmail_outbound_enable="YES"
sendmail_submit_enable="YES"
sendmail_msp_queue_enable="YES"

thx

--
Thierry

Never run an "apt-get install new-wife" before an "apt-get remove --purge current-wife"

From mailscanner at ecs.soton.ac.uk Wed Feb 4 09:41:21 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:18 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To: <6.0.1.1.2.20040202180427.037198c8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <401E656B.16959.13A0CE4@localhost> <6.0.1.1.2.20040202180427.037198c8@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040204093642.08455e48@imap.ecs.soton.ac.uk>

At 18:05 02/02/2004, you wrote:
>At 17:57 02/02/2004, you wrote:
>>Gee...
>>
>>FWIW, it happened a couple of centuries ago, but I recall having serious
>>trouble making Perl's flock() work on Solaris... same situation, all
>>development done under linux without a hitch and Solaris ignored all the
>>locking... and it wasn't an interoperability problem, since I was
>>competing against my own script...
>>
>>The point is I don't quite remember what we did to solve it (we is an
>>understatement, since it wasn't me programming, I was just the
>>designer)... it must have been perl 5.6.x and Solaris 7, but I'm not sure
>>either...
>>
>>Seems like you'll need a Solaris box to test it thoroughly... I wouldn't
>>even trust Solaris-x86 to behave identically to Solaris-Sparc :-(
>
>I've got an Ultra-5 so I can do a real test. If necessary, I can build a
>Solaris-x86 box too. But as you say, the best place to try it is a real sparc.

I have found the problem. Attached is a very short patch to SA.pm.

This should let you enable the "Rebuild Bayes Every" feature that does scheduled Bayes database rebuilds.

If you turn this feature on in MailScanner.conf, you will want to set

bayes_auto_expire 0

in your spam.assassin.prefs.conf to disable the (unsuccessful) attempts at letting SpamAssassin rebuild its Bayes database when it feels like it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SA.pm.patch
Type: application/octet-stream
Size: 960 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040204/52e561af/SA.pm.obj
-------------- next part --------------

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Feb 4 09:56:49 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
Message-ID:

Hi Roddy,

you did not use the port did you? Try /usr/ports/mail/mailscanner (or mailscanner-devel if you want the latest beta). Moreover have a look here:

http://www.sng.ecs.soton.ac.uk/mailscanner/FreeBSD.html

Regards,
JP

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Feb 4 09:58:00 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
Message-ID:

Hi Martyn,

> I use 2 cute scripts which run from /usr/local/etc/rc.d, I
> can't remember where they came from.

I do. They are mine and they are part of the FreeBSD port! Disable all MTA stuff in rc.conf and simply use those start/stop scripts. :-)

Regards,
JP

From alan at ESSEX.AC.UK Wed Feb 4 09:56:59 2004
From: alan at ESSEX.AC.UK (Stanier, Alan M)
Date: Thu Jan 12 21:22:18 2006
Subject: Curious behaviour of MyDoom
Message-ID: <811D385AE1CEBB42839C50DF0B0D38E04D7D53@sernt4.essex.ac.uk>

Hi

We have two SMTP servers. Our statistics show that roughly 2/3 of mail
comes in through smtp0, and 1/3 through smtp1. And until recently, 2/3 of
the spam came in through smtp0, and 2/3 of the virus-infected mail, as I
would expect.

But our logs show that about 50% of MyDoom-A is coming through smtp0, and
50% through smtp1.

Has anyone else seen such behaviour? And can anyone explain why it
happens ... I can only think that MyDoom gets the MX records of sites, and
load balances between all the SMTP servers, but why?

Alan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040204/5efa46f5/attachment.html

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Feb 4 10:01:40 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
Message-ID:

> I am running sendmail/mailscanner on freebsd 5.1 box too ...
> (i am not alone hurrah !! ) What people told me, is that it
> should be mailscanner who start sendmail ... but for me, it

That is not entirely correct. You need several things:

1. An incoming MTA (Sendmail/Exim) instance that runs independently of
   MailScanner, accepts incoming mail and puts it in the inbound queue
   only. It must be configured in a way that it does NOT deliver mail
   itself.
2. A queue runner MTA which tries to deliver mail that is already in the
   outbound queue in case the first delivery attempt failed.
3. In the standard mailscanner config, mailscanner will scan your mail and
   if it is supposed to be delivered it will move the mail to the outbound
   queue and will run a separate instance of your MTA to deliver that mail.

You are responsible for running part 1 and part 2. The mta.sh script in
/usr/local/etc/rc.d will take care of this. MailScanner itself only takes
care of part 3!

Regards,
  JP

From pmb1 at YORK.AC.UK Wed Feb 4 10:23:25 2004
From: pmb1 at YORK.AC.UK (Mike Brudenell)
Date: Thu Jan 12 21:22:18 2006
Subject: Spamcop not working
In-Reply-To:
References:
Message-ID: <2147483647.1075890205@pippin.york.ac.uk>

Greetings -

Just to reiterate past advice...

--On Wednesday, February 4, 2004 7:34 am +0000 Miserable Old Git wrote:

> spamhaus.org sbl.spamhaus.org.

Consider switching to using the combined SBL and XBL database, which is
even more effective:

> Infinite-Monkeys proxies.relays.monkeys.com.

The Infinite Monkeys database closed down in the Autumn of last year. You
should remove it from your list. (Using the Spamhaus XBL will be a useful
replacement.)

Cheers,
Mike Brudenell

--
The Computing Service, University of York, Heslington, York Yo10 5DD, UK
Tel:+44-1904-433811 FAX:+44-1904-433740

* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *

From lenaig at WANADOO.FR Wed Feb 4 10:31:25 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:18 2006
Subject: Mailscanner & Freebsd
In-Reply-To:
References:
Message-ID: <20040204103125.GA2305@maelenn>

On 04/02/04 11:01, Jan-Peter Koopmann wrote:
> > I am running sendmail/mailscanner on freebsd 5.1 box too ...
> > (i am not alone hurrah !! ) What people told me, is that it
> > should be mailscanner who start sendmail ... but for me, it
>
> That is not entirely correct. You need several things:
>
> 1. An incoming MTA (Sendmail/Exim) instance that runs independently of MailScanner, accepts incoming mail and puts it in the inbound queue only. It must be configured in a way that it does NOT deliver mail itself.
>

Could you please give more information about this point :
configured in a way that it does NOT deliver mail itself ?
How do you do it ?

--
Thierry
Never run an "apt-get install new-wife" before an
"apt-get remove --purge current-wife"

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Feb 4 10:48:33 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:19 2006
Subject: Mailscanner & Freebsd
Message-ID:

> Could you please give more informations about this point :
> configured in a way that it does NOT deliver mail itself ?
> How do you do it ?

What MTA are you using? If you are using exim:

http://www.sng.ecs.soton.ac.uk/mailscanner/install/exim.shtml
(Deferring incoming messages).

Postfix:
http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml

Sendmail:
http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml
(have a look for -ODeliveryMode=queueonly)

I really want to help you, Thierry, but please do me a favour and at least
have a look at the information I am giving you. I already sent you these
links together with a few questions a week ago... No answers yet.

Regards,
  JP

From lenaig at WANADOO.FR Wed Feb 4 10:55:30 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:19 2006
Subject: Mailscanner & Freebsd
In-Reply-To:
References:
Message-ID: <20040204105530.GA2574@maelenn>

yes, that's right, i forgot to tell you that sendmail was working well ...
I am using mta.sh and mailscanner.sh ...
so it's using :

incoming_args="-L sm-mta-in -bd \
        -OPrivacyOptions=noetrn \
        -OQueueDirectory=${incoming_queue} \
        -ODeliveryMode=queueonly \
        -OPidFile=${inpidfile}"

so no pb ....

Thx

--
Thierry
Never run an "apt-get install new-wife" before an
"apt-get remove --purge current-wife"

From k.raven at FREENET.DE Wed Feb 4 11:42:29 2004
From: k.raven at FREENET.DE (Kai Raven)
Date: Thu Jan 12 21:22:19 2006
Subject: RulesDuJour
In-Reply-To: <20040203220413.7465E21C13F@mail.fsl.com>
References: <20040203212319.6AE9D21C142@mail.fsl.com> <20040203220413.7465E21C13F@mail.fsl.com>
Message-ID: <20040204124229.2a297707@raven.localdomain.intern>

Hi Stephen,

On Tue, 3 Feb 2004 17:04:13 -0500 you wrote:

> If you haven't changed the rules_du_jour defaults, the rules will be
> downloaded into the /etc/mail/spamassassin directory.

I have used the rules_du_jour file, modified by Gerry Doris
http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0401&L=mailscanner&P=R50073&I=-1
and yes, SA_DIR refers to the /etc/mail/spamassassin directory

> If you haven't changed the MailScanner defaults, they will be read
> from/etc/mail/spamassassin directory and used when MailScanner calls
> the SpamAssassin routines.

Yes, from my MailScanner.conf:

SpamAssassin Site Rules Dir = /etc/mail/spamassassin

And I think it works (after i have copied the rules from the
rules_du_jour dir):

X-MailScanner-SpamCheck: spam, SpamAssassin(Wertung=34.59, benoetigt 3,
        J_CHICKENPOX_110 0.60,TW_CN 0.08, TW_GB 0.08, TW_GD 0.08,
        TW_IK 0.08(...)

> The fact that your rules live in /etc/mail/spamassassin/rules_du_jour
> directory indicates that the spamassassin --lint command is failing

mmh, spamassassin --lint works from the command line.

> and the downloaded rules are being backed out and stored in
> /etc/mail/spamassassin/rules_du_jour.

I wrote it was *the first run*, so i haven't any rules like bigevil,
tripwire etc. before the run. I think, the script will do an update the
next run, if a rule has changed(?), because i have copied the rules from
the rules_do_jour directory to the parent directory so the script can
compare them(?)

> What happens when you run the rules_du_jour script from a command
> line. That should tell you what is happening.

I get the output for all rules:

Old rule.cf already existed in /etc/mail/spamassassin/RulesDuJour...
Retrieving file from http://www.somehost/rule.cf...
rule.cf was up to date (skipped downloading of http://www.somehost/rule.cf)...
No files updated; No restart required.

And sorry for the OT posting, but i saw in the MS-ML archive a lot of
postings about custom SA rules and the rules_du_jour script so i thought
it is OK to ask here on the list. Nevertheless, thx for all responses :)

--
Ciao
Kai

HP: http://kai.iks-jena.de/
Blog: http://rabenhorst.blogg.de/
GnuPG-Key: 0x76C65282
ICQ:146714798

From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 4 12:03:33 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:19 2006
Subject: 200,000 downloads of MailScanner
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DD@jessica.herefordshire.gov.uk>

It would be interesting to know how many live sites use MailScanner.

Your graphs suggest it is around 11,000, but maybe some users aren't
fastidious about upgrading to the latest version.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 03 February 2004 13:51
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: 200,000 downloads of MailScanner
>
>
> MailScanner has just passed the 200,000 downloads milestone!
>
> Many thanks to all of you for helping to spread the word and
> make my little
> bit of code possibly the most widely-used combined email
> virus scanner and
> spam detector in the world.
>
> Let's see how fast the web site can munch through the next 200,000 :-)
>
> Jules.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 4 12:08:05 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:19 2006
Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DE@jessica.herefordshire.gov.uk>

That's exactly what I did. :-)

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Tony Finch
> Sent: 03 February 2004 18:34
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: mcafee uvscan not using
> /usr/local/uvscan/datfiles/current
>
>
> Eric Dantan Rzewnicki wrote:
> >
> >Thank you for clearing this up. I'm still puzzled as to why
> they weren't
> >created when I first ran the script, but it seems to be ok now.
>
> You might have splatted them afterwards, e.g. by reinstalling uvscan.
>
> Tony.
> --
> f.a.n.finch http://dotat.at/
> THE WASH TO NORTH FORELAND: SOUTHWEST 6 TO GALE 8. RAIN AT
> TIMES. MODERATE OR
> GOOD. SLIGHT OR MODERATE, OCCASIONALLY ROUGH WELL OFFSHORE.
>

From mailscanner at ecs.soton.ac.uk Wed Feb 4 12:29:45 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: 200,000 downloads of MailScanner
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DD@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DD@jessica.herefordshire.gov.uk>
Message-ID: <6.0.1.1.2.20040204122744.08637f20@imap.ecs.soton.ac.uk>

At 12:03 04/02/2004, you wrote:
>It would be interesting to know how many live sites use MailScanner.
>
>Your graphs suggest it is around 11,000, but maybe some users aren't
>fastidious about upgrading to the latest version.

Most people don't upgrade every version, you folks are in a minority. Based
on the download figures, and knowing the number of people who contact me
directly, and a guess on the proportion of users who would need to email me
personally for help (which is small), my best guess is about 40,000 sites.

>Cheers,
>
>Phil
>
>---------------------------------------------
>Phil Randal
>Network Engineer
>Herefordshire Council
>Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Julian Field
> > Sent: 03 February 2004 13:51
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: 200,000 downloads of MailScanner
> >
> >
> > MailScanner has just passed the 200,000 downloads milestone!
> >
> > Many thanks to all of you for helping to spread the word and
> > make my little
> > bit of code possibly the most widely-used combined email
> > virus scanner and
> > spam detector in the world.
> >
> > Let's see how fast the web site can munch through the next 200,000 :-)
> >
> > Jules.
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From m.sapsed at BANGOR.AC.UK Wed Feb 4 12:42:36 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:19 2006
Subject: a ghost in filetype.rules.conf
References:
Message-ID: <4020E8BC.1060705@bangor.ac.uk>

Jeff A. Earickson wrote:
> I've been scratching my head on this one for several versions
> of MailScanner now. The head of our athletics dept (who uses a
> Mac) will send emails to other coaches, plain text. Two coaches
> who reply (they use Windows) sporadically get their replies rejected
> with:
>
>     No programs allowed (msg-8402-111.txt)
>                              ^^^^^^^^
>                              numbers differ

Bear in mind that the information MailScanner puts into reports is a
sanitised version that it generates from the actual attachment file name.
Julian's heightened state of paranoia made him cautious about the
possibility of a DoS or something in the actual filename. Check the mail
logs - I think the actual filename appears in there somewhere and that may
show up why it was blocked. I've been bitten by this before!!

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From P.G.M.Peters at utwente.nl Wed Feb 4 12:48:49 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:19 2006
Subject: 200,000 downloads of MailScanner
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DD@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DD@jessica.herefordshire.gov.uk>
Message-ID:

On Wed, 4 Feb 2004 12:03:33 -0000, you wrote:

>It would be interesting to know how many live sites use MailScanner.

Perhaps changing the X-%site%-MailScanner-Information: header to
"Scanned by MailScanner %version%. ..."

>Your graphs suggest it is around 11,000, but maybe some users aren't
>fastidious about upgrading to the latest version.

At least the new installations will show the version and people can
contact organizations (they know people at) about upgrading.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 4 12:57:31 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:19 2006
Subject: 200,000 downloads of MailScanner
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4E3@jessica.herefordshire.gov.uk>

That's very impressive. Well done.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 04 February 2004 12:30
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: 200,000 downloads of MailScanner
>
>
> At 12:03 04/02/2004, you wrote:
> >It would be interesting to know how many live sites use MailScanner.
> >
> >Your graphs suggest it is around 11,000, but maybe some users aren't
> >fastidious about upgrading to the latest version.
>
> Most people don't upgrade every version, you folks are in a
> minority. Based
> on the download figures, and knowing the number of people who
> contact me
> directly, and a guess on the proportion of users who would
> need to email me
> personally for help (which is small), my best guess is about
> 40,000 sites.
>
>
> >Cheers,
> >
> >Phil
> >
> >---------------------------------------------
> >Phil Randal
> >Network Engineer
> >Herefordshire Council
> >Hereford, UK
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > > Behalf Of Julian Field
> > > Sent: 03 February 2004 13:51
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: 200,000 downloads of MailScanner
> > >
> > >
> > > MailScanner has just passed the 200,000 downloads milestone!
> > >
> > > Many thanks to all of you for helping to spread the word and
> > > make my little
> > > bit of code possibly the most widely-used combined email
> > > virus scanner and
> > > spam detector in the world.
> > >
> > > Let's see how fast the web site can munch through the
> next 200,000 :-)
> > >
> > > Jules.
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From mailscanner at ecs.soton.ac.uk Wed Feb 4 14:14:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: 200,000 downloads of MailScanner
In-Reply-To:
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4DD@jessica.herefordshire.gov.uk>
Message-ID: <6.0.1.1.2.20040204141322.084b4bb0@imap.ecs.soton.ac.uk>

I am very against giving out exact version details to anyone who asks.
Knowing the precise version number is a classic starting point for hackers
as they know exactly what they are up against.

At 12:48 04/02/2004, you wrote:
>On Wed, 4 Feb 2004 12:03:33 -0000, you wrote:
>
> >It would be interesting to know how many live sites use MailScanner.
>
>Perhaps changing the X-%site%-MailScanner-Information: header to
>"Scanned by MailScanner %version%. ..."
>
> >Your graphs suggest it is around 11,000, but maybe some users aren't
> >fastidious about upgrading to the latest version.
>
>At least the new installations will show the version and people can
>contact organizations (they know people at) about upgrading.
>
>--
>Peter Peters, senior netwerkbeheerder
>Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
>Universiteit Twente, Postbus 217, 7500 AE Enschede
>telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailing-oit at tttech.com Wed Feb 4 15:04:01 2004
From: mailing-oit at tttech.com (Christoph Resch)
Date: Thu Jan 12 21:22:19 2006
Subject: New installation -- and problems i never had
Message-ID: <200402041604.02066.mailing-oit@tttech.com>

Hello,

recently set up another debian-sarge with MS+SA using exim ...

the Virus and delivery part works fine, but i can't find out how to help SA
to do its work

i run testmails with `date` as content and get fine response when parsing
it on CLI ... so this works , but from within MS it seems that SA is not
running properly ( i run MS with both debug-options and i get nothing
useful on log)

i used packages to install both software , and then ( after this troubles )
reinstalled all important perl-mod via CPAN ..

i also changed in /usr/sbin/MailScanner the require-argument from 5.005 to
5.8.2 .. but thats not the problem

thanks for any suggestions

best regards to all

-c-

MS-delivered-test:
============

From ralexand at HOODINDUSTRIES.COM Wed Feb 4 15:06:17 2004
From: ralexand at HOODINDUSTRIES.COM (Richard Alexander)
Date: Thu Jan 12 21:22:19 2006
Subject: Updated MS/SA now i don't get the mailing list :(
Message-ID:

I updated my versions of MS/SA on Saturday afternoon and now I'm not
receiving my daily MS list email. Anyone know of any issue with the list or
why this might have happened. I went to the site and still shows me
subscribed.

Thanks all for the upgrade advice that helped everything go smoothly.

From mailscanner at ecs.soton.ac.uk Wed Feb 4 15:17:25 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: Updated MS/SA now i don't get the mailing list :(
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040204151625.084743f8@imap.ecs.soton.ac.uk>

At 15:06 04/02/2004, you wrote:
>I updated my versions of MS/SA on Saturday afternoon and now I'm not
>receiving my daily MS list email. Anyone no of any issue with the list or
>why this might have happened. I went to the site and still shows me
>subscribed.
>
>Thanks all for the upgrade advice that helped everything go smoothly.

Try adding
        From: *mailscanner@jiscmail.ac.uk yes
to your spam.whitelist.rules file and reload MailScanner.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailing-oit at tttech.com Wed Feb 4 15:36:00 2004
From: mailing-oit at tttech.com (Christoph Resch)
Date: Thu Jan 12 21:22:19 2006
Subject: New installation -- and problems i never had
In-Reply-To: <40210F55.30804@solid-state-logic.com>
References: <200402041604.02066.mailing-oit@tttech.com> <40210F55.30804@solid-state-logic.com>
Message-ID: <200402041636.00869.mailing-oit@tttech.com>

hi Martin, thanks for reply

well this debug looks quite fine to me ..

in the meantime i also fixed the home-dir of the user running exim & MS to
a valid path ( there were some changes in the the user-naming from mail to
Debian-exim when upgrading to Debian-Sarge ) .. but no change to this
behavior

it seems that from within MS , SA doesn't process any config :-/ ..
config-file-permissions are ok ( readable ) .. maybe there are some files
that are silently refused to be processed due to 'non-private'
filepermissions ?? .. almost everything used for mail-delivery is owned by
Debian-exim-user ( JFYI )

thanks

-c-

> hi
> When you say you see nothing useful in the debug, what do you see? Can
> you send the output?
>

Feb 4 16:22:16 tttprime MailScanner[10243]: MailScanner E-Mail Virus Scanner version 4.25-14 starting...
Feb 4 16:22:17 tttprime MailScanner[10243]: Enabling SpamAssassin auto-whitelist functionality...
Feb 4 16:22:18 tttprime MailScanner[10223]: Using locktype = posix
Feb 4 16:22:18 tttprime MailScanner[10223]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Feb 4 16:22:24 tttprime MailScanner[10175]: New Batch: Scanning 1 messages, 592 bytes
Feb 4 16:22:24 tttprime MailScanner[10175]: MCP Checks completed at 592 bytes per second
Feb 4 16:22:27 tttprime MailScanner[10243]: Using locktype = posix
Feb 4 16:22:27 tttprime MailScanner[10243]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Feb 4 16:22:33 tttprime MailScanner[10175]: Spam Checks completed at 65 bytes per second
Feb 4 16:22:33 tttprime MailScanner[10175]: Virus and Content Scanning: Starting
Feb 4 16:22:33 tttprime MailScanner[10175]: Virus Scanning completed at 592 bytes per second
Feb 4 16:22:33 tttprime MailScanner[10175]: Uninfected: Delivered 1 messages
Feb 4 16:22:33 tttprime MailScanner[10175]: Virus Processing completed at 592 bytes per second
Feb 4 16:22:33 tttprime MailScanner[10175]: Disinfection completed at 592 bytes per second
Feb 4 16:22:33 tttprime MailScanner[10175]: Batch completed at 65 bytes per second (592 / 9)

From martinh at SOLID-STATE-LOGIC.COM Wed Feb 4 15:42:48 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:19 2006
Subject: New installation -- and problems i never had
In-Reply-To: <200402041636.00869.mailing-oit@tttech.com>
References: <200402041604.02066.mailing-oit@tttech.com> <40210F55.30804@solid-state-logic.com> <200402041636.00869.mailing-oit@tttech.com>
Message-ID: <402112F8.5070001@solid-state-logic.com>

Chris

Ok like you say - nothing interesting there. Did you also enable the
SA-debug a couple of lines after the main DEBUG line in
MailScanner.conf. I get lot more info about the SA setup when I set that...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From mailing-oit at tttech.com Wed Feb 4 16:04:38 2004
From: mailing-oit at tttech.com (Christoph Resch)
Date: Thu Jan 12 21:22:19 2006
Subject: New installation -- and problems i never had
In-Reply-To: <402112F8.5070001@solid-state-logic.com>
References: <200402041604.02066.mailing-oit@tttech.com> <200402041636.00869.mailing-oit@tttech.com> <402112F8.5070001@solid-state-logic.com>
Message-ID: <200402041704.38202.mailing-oit@tttech.com>

> MailScanner.conf. I get lot more info about the SA setup when I set that...

;-) thats exactly my problem .. and absolutely no idea why .. shouldnt it
look like the -D output of spamassassin

I attached my config also .. but i think its in the modules within

MS= 4.25.14-3
SA= 2.63

-c-

SYSLOG:
======
syslog says a bit more , but not really (both debug opts. are given )

Feb 4 16:50:05 tttprime MailScanner[13434]: MailScanner E-Mail Virus Scanner version 4.25-14 starting...
Feb 4 16:50:06 tttprime MailScanner[13434]: Enabling SpamAssassin auto-whitelist functionality...
Feb 4 16:50:14 tttprime MailScanner[13434]: lock.pl sees Config LockType = posix
Feb 4 16:50:14 tttprime MailScanner[13434]: lock.pl sees have_module = 0
Feb 4 16:50:14 tttprime MailScanner[13434]: Using locktype = posix
Feb 4 16:50:14 tttprime MailScanner[13434]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Feb 4 16:50:29 tttprime MailScanner[13434]: New Batch: Scanning 1 messages, 592 bytes
Feb 4 16:50:29 tttprime MailScanner[13434]: MCP Checks completed at 592 bytes per second
Feb 4 16:50:33 tttprime MailScanner[13434]: SpamAssassin returned 0
Feb 4 16:50:33 tttprime MailScanner[13434]: Spam Checks completed at 148 bytes per second
Feb 4 16:50:33 tttprime MailScanner[13434]: Created attachment dirs for 1 messages
Feb 4 16:50:34 tttprime MailScanner[13434]: Virus and Content Scanning: Starting
Feb 4 16:50:34 tttprime MailScanner[13434]: Commencing scanning by f-prot...
Feb 4 16:50:34 tttprime MailScanner[13434]: Completed scanning by f-prot
Feb 4 16:50:34 tttprime MailScanner[13434]: Completed checking by /usr/bin/file
Feb 4 16:50:34 tttprime MailScanner[13434]: Virus Scanning completed at 592 bytes per second
Feb 4 16:50:34 tttprime MailScanner[13434]: About to deliver 1 messages
Feb 4 16:50:34 tttprime MailScanner[13434]: Uninfected: Delivered 1 messages
Feb 4 16:50:34 tttprime MailScanner[13434]: Virus Processing completed at 592 bytes per second
Feb 4 16:50:34 tttprime MailScanner[13434]: Disinfection completed at 592 bytes per second
Feb 4 16:50:34 tttprime MailScanner[13434]: Batch completed at 118 bytes per second (592 / 5)
Feb 4 16:50:34 tttprime MailScanner[13434]: MailScanner child dying of old age

#####################################################################
Full config :
#####################################################################

%report-dir% = /etc/MailScanner/reports/en
%etc-dir% = /etc/MailScanner
%rules-dir% = /etc/MailScanner/rules
%org-name% = TTT
Max Children = 5
Run As User = Debian-exim
Run As Group = Debian-exim
Queue Scan Interval = 5
Incoming Queue Dir = /var/spool/exim4_incoming/input
Outgoing Queue Dir = /var/spool/exim4_outgoing/input
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner/MailScanner.pid
Restart Every = 14400
MTA = exim
Sendmail = /usr/lib/sendmail -oMr MailScanner
Sendmail2 = /usr/sbin/exim -C /etc/exim/exim4_outgoing.conf -DMAILSCANNER_OUTGOING=On
Incoming Work User =
Incoming Work Group =
Incoming Work Permissions = 0600
Quarantine User =
Quarantine Group =
Quarantine Permissions = 0600
Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 1000
Maximum Attachments Per Message = 200
Expand TNEF = yes
Deliver Unparsable TNEF = no
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120
File Command = /usr/bin/file
File Timeout = 20
Maximum Message Size = 0
Maximum Attachment Size = -1
Virus Scanning = yes
Virus Scanners = f-prot
Virus Scanner Timeout = 300
Deliver Disinfected Files = yes
Silent Viruses = All-Viruses
Still Deliver Silent Viruses = yes
Block Encrypted Messages = no
Block Unencrypted Messages = no
Allowed Sophos Error Messages =
Sophos IDE Dir = /usr/local/Sophos/ide
Sophos Lib Dir = /usr/local/Sophos/lib
Monitors For Sophos Updates = /usr/local/Sophos/ide/*ides.zip
Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
Allow Partial Messages = no
Allow External Message Bodies = no
Allow IFrame Tags = no
Log IFrame Tags = no
Allow Form Tags = disarm
Allow Object Codebase Tags = no
Convert Dangerous HTML To Text = yes
Convert HTML To Text = no
Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf
Quarantine Infections = yes
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = no
Language Strings = %report-dir%/languages.conf
Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt
Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt
Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt
Stored Bad Content Message Report = %report-dir%/stored.content.message.txt
Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt
Stored Virus Message Report = %report-dir%/stored.virus.message.txt
Disinfected Report = %report-dir%/disinfected.report.txt
Inline HTML Signature = %report-dir%/inline.sig.html
Inline Text Signature = %report-dir%/inline.sig.txt
Inline HTML Warning = %report-dir%/inline.warning.html
Inline Text Warning = %report-dir%/inline.warning.txt
Sender Content Report = %report-dir%/sender.content.report.txt
Sender Error Report = %report-dir%/sender.error.report.txt
Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
Sender Virus Report = %report-dir%/sender.virus.report.txt
Hide Incoming Work Dir = yes
Include Scanner Name In Reports = no
Mail Header = X-%org-name%-MailScanner:
Spam Header = X-%org-name%-MailScanner-SpamCheck:
Spam Score Header = X-%org-name%-MailScanner-SpamScore:
Spam Score Character = s
SpamScore Number Instead Of Stars = no
Clean Header Value = Found to be clean
Infected Header Value = Found to be infected
Disinfected Header Value = Disinfected
Information Header Value = Please contact the ISP for more information
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Multiple Headers = append
Hostname = MailScanner
Sign Messages Already Processed = no
Sign Clean Messages = no
Mark Infected Messages = yes
Mark Unscanned Messages = yes
Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
Deliver Cleaned Messages = yes
Notify Senders = no
Notify Senders Of Viruses = no
Notify Senders Of Blocked Filenames Or Filetypes = no
Notify Senders Of Other Blocked Content = no
Never Notify Senders Of Precedence = list bulk
Scanned Modify Subject = no # end
Scanned Subject Text = [::Scanned::]
Virus Modify Subject = yes
Virus Subject Text = [::Virus?::]
Filename Modify Subject = yes
Filename Subject Text = [::Filename?::]
Content Modify Subject = yes
Content Subject Text = [::Blocked Content::]
Spam Modify Subject = yes
Spam Subject Text = [::Spam?::]
High Scoring Spam Modify Subject = yes
High Scoring Spam Subject Text = [::Spam::]
Warning Is Attachment = yes
Attachment Warning Filename = %org-name%-Attachment-Warning.txt
Attachment Encoding Charset = ISO-8859-15
Archive Mail =
Send Notices = no
Notices Include Full Headers = no
Hide Incoming Work Dir in Notices = no
Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info
Notices From = MailScanner
Notices To = postmaster
Local Postmaster = postmaster
Spam List Definitions = %etc-dir%/spam.lists.conf
Virus Scanner Definitions = %etc-dir%/virus.scanners.conf
Spam Checks = yes
Spam List =
Spam Domain List =
Spam Lists To Reach High Score = 5
Spam List Timeout = 10
Max Spam List Timeouts = 7
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
Is Definitely Spam = %rules-dir%/spam.blacklist.rules
Definite Spam Is High Scoring = yes
Use SpamAssassin = yes
Max SpamAssassin Size = 90000
Required SpamAssassin Score = 6
High SpamAssassin Score = 20
SpamAssassin Auto Whitelist = yes
SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf
SpamAssassin Timeout = 40
Max SpamAssassin Timeouts = 20
Check SpamAssassin If On Spam List = yes
Always Include SpamAssassin Report = yes
Spam Score = yes
Spam Actions = striphtml attachment deliver
High Scoring Spam Actions = striphtml attachment deliver
Non Spam Actions = deliver
Sender Spam Report = %report-dir%/sender.spam.report.txt
Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt
Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt
Inline Spam Warning = %report-dir%/inline.spam.warning.txt
Syslog Facility = mail
Log Speed = yes
Log Spam = no
Log Permitted Filenames = no
Log Permitted Filetypes = no
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
SpamAssassin Install Prefix =
SpamAssassin Local Rules Dir = /etc/spamassassin
SpamAssassin Default Rules Dir = /usr/share/spamassassin
Use Default Rules With Multiple Recipients = yes
Debug = yes
Debug SpamAssassin = yes
Always Looked Up Last = no
Deliver In Background = yes
Delivery Method = queue
Split Exim Spool = no
Lockfile Dir = /tmp
Lock Type = posix
Minimum Code Status = supported

From sveinn at SVEINNG.COM Wed Feb 4 15:25:21 2004
From: sveinn at SVEINNG.COM (Sveinn G. Gunnarsson)
Date: Thu Jan 12 21:22:19 2006
Subject: FixMaliciousSubjects is cutting legim Subject lines.
In-Reply-To: <6.0.1.1.2.20040204093642.08455e48@imap.ecs.soton.ac.uk>
Message-ID: <200402041523.i14FNSwQ5906536@cg.c.is>

Hi Julian.

I have found that the FixMaliciousSubjects sub in SweepContent.pm is cutting off non-exploit subject lines. These mails are sent from a Lotus Notes server. I have not seen this happening when receiving mail from other servers.

Here is a header-snip of one such email:

From: yy@yy.is
In-Reply-To:
Subject: Re: WinCABAS:
 =?iso-8859-1?Q?Bifei=F0averkst=E6=F0i_=C1rna_G=EDslasonar_hf=2C_MV128-02?=
 =?us-ascii?Q?=2E=2E?= =?iso-8859-1?Q?=ED__cabas=2C_G=F3l?=
To: xx@xx.is

I have disabled these three lines in SweepContent.pm to let these subjects through, but a more elegant solution would be nice :)

# $newsubject =~ s/\s{20,}.*\..{1,4}\s*$//; # Delete file extensions at end of filename
# $newsubject =~ s/\s*$//g;
# $newsubject =~ s/\s{20,}//g;

Thanks in advance !

Sveinn G. Gunnarsson
UNIX Specialist

Og Vodafone
Sidumuli 28
108 Reykjavik
Iceland
www.ogvodafone.is

From martinh at SOLID-STATE-LOGIC.COM Wed Feb 4 15:27:17 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:19 2006
Subject: New installation -- and problems i never had
In-Reply-To: <200402041604.02066.mailing-oit@tttech.com>
References: <200402041604.02066.mailing-oit@tttech.com>
Message-ID: <40210F55.30804@solid-state-logic.com>

Christoph Resch wrote:
> Hello,
>
> recently set up another debian-sarge with MS+SA using exim ... the Virus and
> delivery part works fine, but I can't find out how to help SA to do its work
>
> i run testmails with `date` as content and get fine response when parsing it
> on CLI ... so this works , but from within MS it seems that SA is not running
> properly ( i run MS with both debug-options and i get nothing useful on log)
>
> i used packages to install both software , and then ( after this troubles )
> reinstalled all important perl-mod via CPAN ..
>
> i also changed in /usr/sbin/MailScanner the require-argument from 5.005 to
> 5.8.2 .. but thats not the problem
>
> thanks for any suggestions
>
> best regards to all
>
> -c-
>

hi

When you say you see nothing useful in the debug, what do you see? Can you send the output?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From mailscanner at ecs.soton.ac.uk Wed Feb 4 16:12:13 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: FixMaliciousSubjects is cutting legim Subject lines.
In-Reply-To: <200402041523.i14FNSwQ5906536@cg.c.is>
References: <6.0.1.1.2.20040204093642.08455e48@imap.ecs.soton.ac.uk> <200402041523.i14FNSwQ5906536@cg.c.is>
Message-ID: <6.0.1.1.2.20040204161132.03b42008@imap.ecs.soton.ac.uk>

What is it reducing them to? I can't see anything in the code snippet that would touch the sample subject line you gave.

At 15:25 04/02/2004, you wrote:
>Hi Julian.
>
>I have found that the FixMaliciousSubjects sub in SweepContent.pm is cutting
>off non-exploit subject lines. These mails are sent from a Lotus Notes server.
>I have not seen this happening when receiving mail from other servers.
>
>Here is a header-snip of one such email:
>
>
>From: yy@yy.is
>In-Reply-To:
>
>Subject: Re: WinCABAS:
> =?iso-8859-1?Q?Bifei=F0averkst=E6=F0i_=C1rna_G=EDslasonar_hf=2C_MV128-02?=
> =?us-ascii?Q?=2E=2E?= =?iso-8859-1?Q?=ED__cabas=2C_G=F3l?=
>To: xx@xx.is
>
>
>I have disabled these three lines in SweepContent.pm to let these subjects
>through, but a more elegant solution would be nice :)
>
># $newsubject =~ s/\s{20,}.*\..{1,4}\s*$//; # Delete file extensions at end of filename
># $newsubject =~ s/\s*$//g;
># $newsubject =~ s/\s{20,}//g;
>
>
>
>Thanks in advance !
>
>Sveinn G. Gunnarsson
>UNIX Specialist
>
>Og Vodafone
>Sidumuli 28
>108 Reykjavik
>Iceland
>www.ogvodafone.is

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From sysadmins at ENHTECH.COM Wed Feb 4 16:26:55 2004
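Added example (not MailScanner's code, and not part of any message in this thread): a Python port of the three substitutions Sveinn quoted, run over the sample Subject from his message and over constructed subjects, to show when they fire. It assumes the subject is unfolded and RFC 2047-decoded before the substitutions run, which the thread does not state; `fix_subject` and `decode_subject` are names made up for this sketch.

```python
import re
from email import message_from_string, policy

# Python ports of the three Perl substitutions quoted in the thread.
PAD_THEN_EXTENSION = re.compile(r"\s{20,}.*\..{1,4}\s*$")
TRAILING_SPACE = re.compile(r"\s*$")
LONG_PAD = re.compile(r"\s{20,}")

# Subject header as posted in the thread (folded, RFC 2047 encoded).
THREAD_SUBJECT = (
    "Subject: Re: WinCABAS:\n"
    " =?iso-8859-1?Q?Bifei=F0averkst=E6=F0i_=C1rna_G=EDslasonar_hf=2C_MV128-02?=\n"
    " =?us-ascii?Q?=2E=2E?= =?iso-8859-1?Q?=ED__cabas=2C_G=F3l?="
)

# Constructed subjects (not from real mail) that exercise each substitution.
CONSTRUCTED = {
    "padded extension": "invoice.txt" + " " * 40 + ".exe",
    "legitimate text after a long gap": "Minutes of meeting" + " " * 25 + "see section 2.1",
    "long gap, no dot near the end": "Status" + " " * 30 + "update",
    "ordinary subject": "Re: hello.txt  ",
}


def fix_subject(subject):
    """Apply the three substitutions in the order the thread lists them."""
    # 1. From a run of 20+ whitespace up to a trailing ".xxxx": delete it all.
    subject = PAD_THEN_EXTENSION.sub("", subject, count=1)
    # 2. Strip trailing whitespace.
    subject = TRAILING_SPACE.sub("", subject)
    # 3. Delete any remaining run of 20+ whitespace characters.
    return LONG_PAD.sub("", subject)


def decode_subject(raw_header):
    """Unfold and RFC 2047-decode a Subject header with the stdlib parser."""
    msg = message_from_string(raw_header + "\n\n", policy=policy.default)
    return str(msg["Subject"])


if __name__ == "__main__":
    decoded = decode_subject(THREAD_SUBJECT)
    print("thread sample changed:", fix_subject(decoded) != decoded)
    for name, subject in CONSTRUCTED.items():
        print(f"{name}: {subject!r} -> {fix_subject(subject)!r}")
```

Under that assumption the thread's sample passes through unchanged, while any subject that contains a run of 20 or more whitespace characters and a dot within its last five characters loses everything after the run.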
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:19 2006
Subject: Easily Training Spam Assassin?
In-Reply-To: <1075514831.21246.17.camel@jepdesk.projectdesign.com>
References: <0B646CB9C2952C46B0E819F6C42DA5DB19E856@lkl61.ltkalmar.se> <6.0.1.1.2.20040129084433.03e2d220@imap.ecs.soton.ac.uk> <1075514831.21246.17.camel@jepdesk.projectdesign.com>
Message-ID: <6.0.2.0.0.20040204110704.02458520@mail.enhtech.com>

I am trying to work out an ongoing method so that users with any user agent, whether it be Outlook, or Eudora can easily submit spam/ham to an account for proper classification. I am so overwhelmed by going through a mailbox with hundreds of emails and sorting through each message. There has to be an easier method and I was hoping someone could recommend that method to me?

Errol Neal

From edu at ICARUS.COM.BR Wed Feb 4 16:38:20 2004
From: edu at ICARUS.COM.BR (Eduardo Andre)
Date: Thu Jan 12 21:22:19 2006
Subject: SpamAssassin Score
In-Reply-To: <6.0.2.0.0.20040204110704.02458520@mail.enhtech.com>
References: <0B646CB9C2952C46B0E819F6C42DA5DB19E856@lkl61.ltkalmar.se> <6.0.1.1.2.20040129084433.03e2d220@imap.ecs.soton.ac.uk> <1075514831.21246.17.camel@jepdesk.projectdesign.com> <6.0.2.0.0.20040204110704.02458520@mail.enhtech.com>
Message-ID: <46352.200.244.152.3.1075912700.squirrel@10.0.1.3>

Hi,

does somebody know what options MailScanner uses in the spamassassin command to output the score of scanned emails?

Tnx.

Ed.

From jaearick at COLBY.EDU Wed Feb 4 17:06:56 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To: <6.0.1.1.2.20040204093642.08455e48@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040202101726.07ace620@imap.ecs.soton.ac.uk> <401E656B.16959.13A0CE4@localhost> <6.0.1.1.2.20040202180427.037198c8@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040204093642.08455e48@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

I applied the patch (had to do it by hand, an extra space in there on the second chunk), uncommented bayes_auto_expire in spam.assassin.prefs.conf, restarted. No apparent problems.

I just noticed the "autolearn=spam" note in mails tagged as spam by SA. No mention of this in the docs. What is this about?

Jeff Earickson
Colby College

From raymond at PROLOCATION.NET Wed Feb 4 17:13:30 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To:
Message-ID:

Hi!

> I applied the patch (had to do it by hand, an extra space in
> there on the second chunk), uncommented bayes_auto_expire in
> spam.assassin.prefs.conf, restarted. No apparent problems.
>
> I just noticed the "autolearn=spam" note in mails tagged as spam
> by SA. No mention of this in the docs. What is this about?

Most likely bayes autolearning ? :)

Bye,
Raymond.

From mailscanner at WOGRI.AT Wed Feb 4 17:17:27 2004
From: mailscanner at WOGRI.AT (Wolfgang Hennerbichler)
Date: Thu Jan 12 21:22:19 2006
Subject: (Kaspersky 5) Wrapper Script does not seem to work.
Message-ID: <1075915046.2886.77.camel@judas.stall>

Hi!

I am having heavy troubles using Mailscanner with Kaspersky version 5.0.

I want Mailscanner to start the client portion of kaspersky called aveclient in version 5. I modified the wrapper-script slightly, and it seems to work:

This is what the wrapper looks like:

===============================
#!/bin/sh
PackageDir=$1/bin
shift
Scanner=aveclient

ScanOptions="-p /var/run/aveserver -s "

if [ "x$1" = "x-IsItInstalled" ]; then
  [ -x ${PackageDir}/$Scanner ] && exit 0
  exit 1
fi

exec ${PackageDir}/$Scanner $ScanOptions "$@"

===============================================

when I start the wrapper-script like this: ./kavdaemonclient-wrapper /opt/kav/ /SampleVirus.exe

I get:

/SampleVirus.exe
INFECTED
LINFECTED I-Worm.Swen

so I assume this works. Also the return code is other than zero:
 ./kavdaemonclient-wrapper /opt/kav/ /SampleVirus.exe > /dev/null && echo asfd

returns nothing, as it should.

The Problem is, that when Mailscanner starts this script, mailscanner never detects any virus, although it SURELY starts the wrapper script (I tried this with using a touch /tmp/asdf command just before the exec-part). Doesn't Mailscanner look at the return-code of the program? Due to which criteria does mailscanner decide that the object is a virus? I just don't know a solution.

Thank you for help!

wogri

--
wogri@wogri.at
http://www.wogri.at
--
wogri@wogri.at
http://www.wogri.at

From martinh at SOLID-STATE-LOGIC.COM Wed Feb 4 18:31:35 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:19 2006
Subject: New installation -- and problems i never had
In-Reply-To: <200402041704.38202.mailing-oit@tttech.com>
References: <200402041604.02066.mailing-oit@tttech.com> <200402041636.00869.mailing-oit@tttech.com> <402112F8.5070001@solid-state-logic.com> <200402041704.38202.mailing-oit@tttech.com>
Message-ID: <1202.81.86.182.54.1075919495.squirrel@mail.solid-state-logic.com>

>> MailScanner.conf. I get lot more info about the SA setup when I set
>> that...
>
> ;-) thats exactly my problem .. and absolutely no idea why .. shouldnt it
> look
> like the -D output of spamassassin
>
> I attached my config also .. but i think its in the modules within
> MS= 4.25.14-3
> SA= 2.63
>
>
> -c-
>
> Log Spam = no

Try changing that to yes.. the output when using debug (in my case) drops to the terminal, rather than syslog, so it would be good to get a dump from that too..

Also how did you install SA? From the RPMs or from CPAN? If you installed from the RPMs do it from CPAN instead, that way you know you have all the dependencies.

It's also worth checking that all the MailScanner perl modules are installed as well, again CPAN is useful in this and better than the RPMs.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From test at NEXTMILL.NET Wed Feb 4 18:40:15 2004
From: test at NEXTMILL.NET (Brian Lewis)
Date: Thu Jan 12 21:22:19 2006
Subject: Announce: MailWatch for MailScanner 0.5
Message-ID:

Fedora Core 1
MailWatch .5

Perl-DBD-mysql-2.9002-1.i386.rpm does this:

Feb 4 10:14:51 mailcheck MailScanner[4329]: Database ping failure attempting to re-connect
Feb 4 10:14:51 mailcheck MailScanner[4266]: Cannot insert row: MySQL server has gone away

So I tried using Perl-DBD-mysql-2.1028 and it just pauses on the

MailScanner[xxxxx]: Initialising database connection

line for about 4 seconds and then continues thru, nothing gets delivered. Nothing is logged to the Mysql Database.

Mailscanner/Mailwatch web interface accesses database fine.

New database setup, using root username and a root password, /usr/lib/MailScanner/MailScanner/Mailwatch.pm has correct root username/pw/localhost settings.

Any advice or troubleshooting techniques would be greatly appreciated.

From mkettler at EVI-INC.COM Wed Feb 4 16:46:41 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:19 2006
Subject: Easily Training Spam Assassin?
In-Reply-To: <6.0.2.0.0.20040204110704.02458520@mail.enhtech.com>
References: <0B646CB9C2952C46B0E819F6C42DA5DB19E856@lkl61.ltkalmar.se> <6.0.1.1.2.20040129084433.03e2d220@imap.ecs.soton.ac.uk> <1075514831.21246.17.camel@jepdesk.projectdesign.com> <6.0.2.0.0.20040204110704.02458520@mail.enhtech.com>
Message-ID: <6.0.0.22.0.20040204114321.02617a00@xanadu.evi-inc.com>

At 11:26 AM 2/4/2004, Admin Team wrote:
>I am trying to work out an ongoing method so that users with any user
>agent, whether it be Outlook, or Eudora can easily submit spam/ham to an
>account for proper classification. I am so overwhelmed by going through a
>mailbox with hundreds of emails and sorting through each message. There
>has to be an easier method and I was hoping someone could recommend that
>method to me?

The best recommendation I've heard is to have users forward their spam/ham as an attachment with COMPLETE headers.

Then set up an account, ie: spam_training27@evi-inc.com, and use procmail or some other system to automatically strip off attachments to the address and feed em to sa-learn.

However, this will only work if your users' mail client is capable of forwarding as an attachment with complete headers... normal forwards with inline text won't work.

I'd be VERY careful about training mail that has damaged headers.. SA learns a lot from the headers..

From mkettler at EVI-INC.COM Wed Feb 4 16:49:14 2004
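Added example, not part of Matt Kettler's message or of MailScanner: one way to unpack reports forwarded as attachments before handing them to sa-learn, rejecting inline forwards and attachments whose headers are incomplete. The report addresses, the required-header list, the function names and the sample messages are assumptions constructed for this sketch.

```python
import email
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical training mailboxes; the thread only says "set up an account".
LEARN_AS = {"spam-report@example.org": "spam", "ham-report@example.org": "ham"}

# Headers a usable sample must still carry (assumed minimum for this sketch).
REQUIRED_HEADERS = ("Received", "From", "Date", "Message-ID")


def attached_messages(part):
    """Yield message/rfc822 attachments without descending into them."""
    if part.get_content_type() == "message/rfc822":
        payload = part.get_payload()
        if isinstance(payload, list) and payload:
            yield payload[0]
        return
    if part.is_multipart():
        for sub in part.get_payload():
            yield from attached_messages(sub)


def triage(report_bytes):
    """Return (label, accepted_messages, rejection_reasons) for one report."""
    # The default (compat32) parser keeps the attached headers as received.
    report = email.message_from_bytes(report_bytes)
    to_addr = parseaddr(str(report.get("To", "")))[1].lower()
    label = LEARN_AS.get(to_addr)
    if label is None:
        return None, [], ["not addressed to a training mailbox"]
    accepted, rejected = [], []
    for inner in attached_messages(report):
        missing = [h for h in REQUIRED_HEADERS if inner.get(h) is None]
        if missing:
            rejected.append("attachment lacks " + ", ".join(missing))
        else:
            accepted.append(inner.as_bytes())
    if not accepted and not rejected:
        rejected.append("inline forward: no message/rfc822 attachment")
    return label, accepted, rejected


def sample_report(to_addr, attach=True, strip_received=False):
    """Build a constructed report message for the demo (not real mail)."""
    original = EmailMessage()
    if not strip_received:
        original["Received"] = ("from mx.example.net by mail.example.org; "
                                "Wed, 04 Feb 2004 16:00:00 +0000")
    original["From"] = "seller@example.net"
    original["To"] = "user@example.org"
    original["Subject"] = "Cheap pills"
    original["Date"] = "Wed, 04 Feb 2004 16:00:00 +0000"
    original["Message-ID"] = "<constructed-1@example.net>"
    original.set_content("Constructed spam body.\n")
    report = EmailMessage()
    report["From"] = "user@example.org"
    report["To"] = to_addr
    report["Subject"] = "Fwd: Cheap pills"
    report.set_content("Forwarding this for training.\n")
    if attach:
        report.add_attachment(original)  # becomes a message/rfc822 part
    return report.as_bytes()


if __name__ == "__main__":
    for raw in (sample_report("spam-report@example.org"),
                sample_report("spam-report@example.org", attach=False),
                sample_report("ham-report@example.org", strip_received=True)):
        label, ok, bad = triage(raw)
        print(label, len(ok), bad)
```

Each accepted message can be written to its own file and passed to `sa-learn --spam` or `sa-learn --ham` according to the label.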
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:19 2006
Subject: SpamAssassin Score
In-Reply-To: <46352.200.244.152.3.1075912700.squirrel@10.0.1.3>
References: <0B646CB9C2952C46B0E819F6C42DA5DB19E856@lkl61.ltkalmar.se> <6.0.1.1.2.20040129084433.03e2d220@imap.ecs.soton.ac.uk> <1075514831.21246.17.camel@jepdesk.projectdesign.com> <6.0.2.0.0.20040204110704.02458520@mail.enhtech.com> <46352.200.244.152.3.1075912700.squirrel@10.0.1.3>
Message-ID: <6.0.0.22.0.20040204114724.027f8e48@xanadu.evi-inc.com>

At 11:38 AM 2/4/2004, you wrote:
>does somebody know what options MailScanner uses in the spamassassin command to
>output the score of scanned emails?

Your english is a bit rough, so it's tough for me to understand exactly what you're asking.

It looks like you're wondering what options MailScanner passes to spamassassin.

It doesn't. MailScanner doesn't use the spamassassin command-line.. it directly loads the perl API and calls that.

From mailscanner at ecs.soton.ac.uk Wed Feb 4 18:55:31 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: (Kaspersky 5) Wrapper Script does not seem to work.
In-Reply-To: <1075915046.2886.77.camel@judas.stall>
References: <1075915046.2886.77.camel@judas.stall>
Message-ID: <6.0.1.1.2.20040204185443.037b79b0@imap.ecs.soton.ac.uk>

At 17:17 04/02/2004, you wrote:
>Hi!
>
>I am having heavy troubles using Mailscanner with Kaspersky version 5.0.
>
>I want Mailscanner to start the client portion of kaspersky called
>aveclient in version 5. I modified the wrapper-script slightly, and it
>seems to work:
>
>This is what the wrapper looks like:
>
>===============================
>#!/bin/sh
>PackageDir=$1/bin
>shift
>Scanner=aveclient
>
>ScanOptions="-p /var/run/aveserver -s "
>
>if [ "x$1" = "x-IsItInstalled" ]; then
> [ -x ${PackageDir}/$Scanner ] && exit 0
> exit 1
>fi
>
>exec ${PackageDir}/$Scanner $ScanOptions "$@"
>
>===============================================
>
>
>when I start the wrapper-script like this: ./kavdaemonclient-wrapper
>/opt/kav/ /SampleVirus.exe
>
>I get:
>
>/SampleVirus.exe
>INFECTED
>LINFECTED I-Worm.Swen
>
>so I assume this works. Also the return code is other than zero:
> ./kavdaemonclient-wrapper /opt/kav/ /SampleVirus.exe > /dev/null && echo
> asfd
>
>returns nothing, as it should.
>
>The Problem is, that when Mailscanner starts this script, mailscanner never
>detects any virus, although it SURELY starts the wrapper script (I tried this
>with using a touch /tmp/asdf command just before the exec-part). Doesn't
>Mailscanner look at the return-code of the program?

No. That only tells it that it found a virus somewhere. It scans lots of messages at once, and parses the output of the virus scanner.

> Due to which criteria does
>mailscanner decide that the object is a virus? I just don't know a solution.
>
>Thank you for help!
>
>wogri
>
>--
>wogri@wogri.at
>http://www.wogri.at
>--
>wogri@wogri.at
>http://www.wogri.at

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 4 18:53:53 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040204185322.03763bf8@imap.ecs.soton.ac.uk>

At 17:13 04/02/2004, you wrote:
>Hi!
>
> > I applied the patch (had to do it by hand, an extra space in
> > there on the second chunk), uncommented bayes_auto_expire in
> > spam.assassin.prefs.conf, restarted. No apparent problems.
> >
> > I just noticed the "autolearn=spam" note in mails tagged as spam
> > by SA. No mention of this in the docs. What is this about?
>
>Most likely bayes autolearning ? :)

Someone wanted notification of when a message was auto-learned, so they got it.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jflowers at EZO.NET Wed Feb 4 19:08:12 2004
From: jflowers at EZO.NET (Jim Flowers)
Date: Thu Jan 12 21:22:19 2006
Subject: Redirecting multiple domains to multiple mail servers
Message-ID: <20040204190812.M93179@ezo.net>

Assuming sendmail for your outbound transport, there are seemingly endless possibilities. Perhaps the simplest all-in-one method is to use mailertable entries:

domain1.com server1.whatever.com
domain2.com server6.whatever.com
domainsoandso.com server2.whatever.com
domainwhatnot.com [192.168.0.101]

Note that you can avoid some potential dns looping problems by using ip addresses and including them in the brackets [] to prevent lookups.

If you anticipate multiple fqdn (including host portion) then you may also want to include:

.domain1.com server1.whatever.com
.domain2.com server6.whatever.com
.domainsoandso.com server2.whatever.com
.domainwhatnot.com [192.168.0.101]

You will also have to identify these as acceptable domains using a relay-domains table or, if you prefer, virtual-domains after adding VIRTUSER_DOMAIN_FILE(`/etc/mail/virtual-domains') to your mc file. You DON'T want to identify them as local.

The access file can still be used in all its glory but you can't use virtusertable to reroute individual users as mailertable bypasses that. With a relay, using access to validate real users and reject all others is probably a good idea but can be tedious if you have many users (say more than 100).

If routing user1@domain1.com to one mail server and user2@domain1.com to a different mail server is needed there are better approaches using virtusertable or aliases.

original message -----------------------------------------

domain1.com ----> server1.whatever.com
domain2.com ----> server6.whatever.com
domainsoandso.com ----> server2.whatever.com
domainwhatnot.com ----> 192.168.0.101

--
Jim Flowers

From campbell at CNPAPERS.COM Wed Feb 4 19:11:45 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
Message-ID: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net>

I upgraded to the latest greatest on Monday. I noticed the listing about having to whitelist this mailing list today and thought nothing of it, as I have always received the mailings from this list.

I upgraded MailWatch today, and was watching the screen go by, and noticed that this list was flagged as spam. So I looked at the headers and sure enough, there is an "autolearn" component in the header. After going back to when the upgrade of MS took place and reviewing some of those headers, they too have "autolearn". Now I'm not getting any mail at all.

I checked my MailScanner.conf and it has the following in it:

SpamAssassin Auto Whitelist = no

So now I'm lost. And I also don't know if I'll ever hear from you again.

Is there some new function in the new MS that turns this on, related to something else?

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From campbell at CNPAPERS.COM Wed Feb 4 19:15:40 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
Message-ID: <004b01c3eb53$472f4900$5001a8c0@cnpapers.net>

After whitelisting this mail list, I am now receiving from you all again, so maybe I will hear from you again.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From hermit921 at YAHOO.COM Wed Feb 4 19:18:08 2004
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:22:19 2006
Subject: untagged messages
In-Reply-To:
References:
Message-ID: <6.0.0.22.2.20040204104406.01e4a2b8@pop.mail.yahoo.com>

I am still trying to figure out why some messages don't get tagged by MailScanner 4-23, postfix 2. Every email should get tagged with at least one MailScanner header, but some don't.

I came up with an idea. Is this feasible:
Spammer sets up his client to use our mail server as his smtp gateway. Should work for any message addressed to a user in our domain, but he can't send mail outside. So spammer addresses a message to usera@mydomain, with CC or BCC to userb, userc, userd, etc. Now I get fuzzy....

One message appears here, postfix dumps it in the hold queue. Postfix splits it up at the same time, so only the original message gets the MailScanner headers. Since I can't track the original, I can't verify the presence of headers.

Am I way off?

From acschmitt at BPA.GOV Wed Feb 4 19:42:31 2004
From: acschmitt at BPA.GOV (Schmitt, Andy C - CIDD-2)
Date: Thu Jan 12 21:22:19 2006
Subject: untagged messages
Message-ID: <242663BECAD80B4DAAF2E62788F96917044F3401@exhq01.bud.bpa.gov>

This may be completely off base, since I don't know if you already posted your network config, but are you delivering directly to Unix accounts after MailScanner, or forwarding on to an Exchange box on an internal network?

The reason why I ask is that here, we use MS Exchange for internal mail, and it seems like headers get replaced at random times by the words "Microsoft Mail Internet Headers 2.0" followed by a sanitized version of headers, which still shows the server route, but nothing useful such as MailScanner headers. I've heard vague rumors as to why this happens, but have not heard of anyone being able to fix it.

-----Original Message-----
From: hermit921 [mailto:hermit921@YAHOO.COM]
Sent: Wednesday, February 04, 2004 11:18 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: untagged messages

I am still trying to figure out why some messages don't get tagged by MailScanner 4-23, postfix 2. Every email should get tagged with at least one MailScanner header, but some don't.

I came up with an idea. Is this feasible:
Spammer sets up his client to use our mail server as his smtp gateway. Should work for any message addressed to a user in our domain, but he can't send mail outside. So spammer addresses a message to usera@mydomain, with CC or BCC to userb, userc, userd, etc. Now I get fuzzy....

One message appears here, postfix dumps it in the hold queue. Postfix splits it up at the same time, so only the original message gets the MailScanner headers. Since I can't track the original, I can't verify the presence of headers.

Am I way off?

From mailscanner at ecs.soton.ac.uk Wed Feb 4 21:31:34 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
In-Reply-To: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net>
References: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20040204213109.03d1b320@imap.ecs.soton.ac.uk>

At 19:11 04/02/2004, you wrote:
>I upgraded to the latest greatest on Monday. I noticed the listing about
>having to whitelist this mailing list today and thought nothing of it, as I
>have always received the mailings from this list.
>
>I upgraded MailWatch today, and was watching the screen go by, and noticed
>that this list was flagged as spam. So I looked at the headers and sure
>enough, there is an "autolearn" component in the header. After going back to
>when the upgrade of MS took place and reviewing some of those headers, they
>too have "autolearn". Now I'm not getting any mail at all.
>
>I checked my MailScanner.conf and it has the following in it:
>
>SpamAssassin Auto Whitelist = no

Autolearn is related to the Bayes engine, it's nothing to do with auto-whitelisting.

>So now I'm lost. And I also don't know if I'll ever hear from you again.
>
>Is there some new function in the new MS that turns this on, related to
>something else?
>
>
>
>Steve Campbell
>campbell@cnpapers.com
>Charleston Newspapers

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From campbell at CNPAPERS.COM Wed Feb 4 21:18:06 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
Message-ID: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>

Mr. Field,

Can you explain what you mean by your reply to the reference to the autolearn=spam

"Someone wanted notification of when a message was auto-learned, so they got it."

This is causing quite a problem here and I do not know where it's coming from or how to stop it. Is this related anyway to MailWatch. And I also haven't noticed any material to read.

Please and thank you.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From hermit921 at yahoo.com Wed Feb 4 20:06:33 2004
From: hermit921 at yahoo.com (hermit921)
Date: Thu Jan 12 21:22:19 2006
Subject: untagged messages
In-Reply-To: <242663BECAD80B4DAAF2E62788F96917044F3401@exhq01.bud.bpa.gov>
References: <242663BECAD80B4DAAF2E62788F96917044F3401@exhq01.bud.bpa.gov>
Message-ID: <6.0.0.22.2.20040204120547.01e66e88@pop.mail.yahoo.com>

Postfix sends mail on to our internal mail server running sendmail on unix.

hermit921

At 11:42 AM 2/4/2004, you wrote:
>This may be completely off base, since I don't know if you already posted
>your network config, but are you delivering directly to Unix accounts
>after MailScanner, or forwarding on to an Exchange box on an internal network?
>
>The reason why I ask is that here, we use MS Exchange for internal mail,
>and it seems like headers get replaced at random times by the words
>"Microsoft Mail Internet Headers 2.0" followed by a sanitized version of
>headers, which still shows the server route, but nothing useful such as
>MailScanner headers. I've heard vague rumors as to why this happens, but
>have not heard of anyone being able to fix it.
>
>
>-----Original Message-----
>From: hermit921 [mailto:hermit921@YAHOO.COM]
>Sent: Wednesday, February 04, 2004 11:18 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: untagged messages
>
>
>I am still trying to figure out why some messages don't get tagged by
>MailScanner 4-23, postfix 2. Every email should get tagged with at least
>one MailScanner header, but some don't.
>
>I came up with an idea. Is this feasible:
>Spammer sets up his client to use our mail server as his smtp
>gateway. Should work for any message addressed to a user in our domain,
>but he can't send mail outside. So spammer addresses a message to
>usera@mydomain, with CC or BCC to userb, userc, userd, etc. Now I get
>fuzzy....
>
>One message appears here, postfix dumps it in the hold queue. Postfix
>splits it up at the same time, so only the original message gets the
>MailScanner headers. Since I can't track the original, I can't verify the
>presence of headers.
>
>Am I way off?

From jflowers at EZO.NET Wed Feb 4 20:06:58 2004
From: jflowers at EZO.NET (Jim Flowers)
Date: Thu Jan 12 21:22:19 2006
Subject: Mailscanner & Freebsd
Message-ID: <20040204200659.M8361@ezo.net>

You would probably have much better luck installing the FreeBSD port (which is where mta.sh and mailscanner.sh come from) instead of the method in INSTALL.FreeBSD. It puts things in the usual FreeBSD places and uses traditional FreeBSD methods as well as installing any depends that are needed.

The port maintainer may be a few versions behind (4.26.4) because MS is evolving so rapidly. Not to worry. Just download the latest version (MailScanner-4.26.7-1.tar.gz) to /usr/ports/distfiles and run

md5 MailScanner-4.26.7-1.tar.gz

to give you the line to update the port distinfo and edit the Makefile to include:

PORTVERSION= 4.26.7
DISTNAME= MailScanner-4.26.7
DISTFILES= MailScanner-4.26.7-1.tar.gz

and run make; make install.

Some details in the FreeBSD README file.

--
Jim Flowers

From mailscanner at ecs.soton.ac.uk Wed Feb 4 21:57:52 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>
References: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20040204215641.03cf3690@imap.ecs.soton.ac.uk>

At 21:18 04/02/2004, you wrote:
>Mr. Field,
>
>Can you explain what you mean by your reply to the reference to the
>autolearn=spam

It's merely an indication that the message was autolearned by the Bayes database as being ham or spam.

>"Someone wanted notification of when a message was auto-learned, so they got
>it."
>
>This is causing quite a problem here and I do not know where it's coming
>from or how to stop it.

Why is it a problem? I don't understand. It's just a little notification, it wasn't intended to cause any problems for anyone.

> Is this related anyway to MailWatch.

No.

> And I also
>haven't noticed any material to read.
>
>Please and thank you.
>
>Steve Campbell
>campbell@cnpapers.com
>Charleston Newspapers

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 4 22:07:32 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>
References: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20040204220627.0453f608@imap.ecs.soton.ac.uk>

Feel free to comment out line 437 of SA.pm if you don't like it. It just says this:

$longHitList .= ", autolearn=$AutoLearn" unless $AutoLearn eq 'no';

At 21:18 04/02/2004, you wrote:
>Mr. Field,
>
>Can you explain what you mean by your reply to the reference to the
>autolearn=spam
>
>"Someone wanted notification of when a message was auto-learned, so they got
>it."
>
>This is causing quite a problem here and I do not know where it's coming
>from or how to stop it. Is this related anyway to MailWatch. And I also
>haven't noticed any material to read.
>
>Please and thank you.
>
>Steve Campbell
>campbell@cnpapers.com
>Charleston Newspapers

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From campbell at CNPAPERS.COM Wed Feb 4 21:54:18 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
References: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net> <6.0.1.1.2.20040204213109.03d1b320@imap.ecs.soton.ac.uk>
Message-ID: <00c601c3eb69$70d4e600$5001a8c0@cnpapers.net>

Mr. Field,

OK, my mistake. Total confusion here on my part.

Thanks for the quick answer. Do you have any ideas though on why the list began catching a high bayes score. Do I need to "refresh" my Bayes files (relearn or something)? Almost everything is receiving high Bayesian probabilities. Seems like a SA problem, but I haven't changed that for a while.

Thanks and sorry for the extra effort I caused.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Julian Field"
To:
Sent: Wednesday, February 04, 2004 4:31 PM
Subject: Re: Upgrade Autolearn problems

> At 19:11 04/02/2004, you wrote:
> >I upgraded to the latest greatest on Monday. I noticed the listing about
> >having to whitelist this mailing list today and thought nothing of it, as I
> >have always received the mailings from this list.
> >
> >I upgraded MailWatch today, and was watching the screen go by, and noticed
> >that this list was flagged as spam. So I looked at the headers and sure
> >enough, there is an "autolearn" component in the header. After going back to
> >when the upgrade of MS took place and reviewing some of those headers, they
> >too have "autolearn". Now I'm not getting any mail at all.
> >
> >I checked my MailScanner.conf and it has the following in it:
> >
> >SpamAssassin Auto Whitelist = no
>
> Autolearn is related to the Bayes engine, it's nothing to do with
> auto-whitelisting.
>
>
> >So now I'm lost. And I also don't know if I'll ever hear from you again.
> >
> >Is there some new function in the new MS that turns this on, related to
> >something else?
> >
> >
> >
> >Steve Campbell
> >campbell@cnpapers.com
> >Charleston Newspapers
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jaearick at COLBY.EDU Wed Feb 4 21:53:25 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:19 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>
References: <00ae01c3eb64$622429e0$5001a8c0@cnpapers.net>
Message-ID:

Y'all,

I'm running 4.26.8 with the following settings on Solaris 9, with no problems due to the bayes autolearn (but I'm worried because of your tale of woe):

* SpamAssassin Auto Whitelist = no
* the patch to SA.pm that Julian put out this morning
* uncommented "bayes_auto_expire 0" in spam.assassin.prefs.conf, per Julian's patch instructions this morning.
* I have the auto_whitelist_path defined in this file, but there is no whitelist file in /var/spool/spamassassin. I wouldn't expect there to be. I ran auto-whitelist once in the past, but it was such a pig that I turned it off, per Julian's advice.

Do you have gobs of lock and/or expire files in /var/spool/spamassassin? What OS are you running on? Have you disabled any force-expire or force-rebuild in your ham/spam autolearn script?

I've checked my spamassassin tagging numbers for today, both regular and high-test spam, and my numbers look about right. If everything was getting tagged as spam my phone would be ringing.

Jeff Earickson
Colby College

PS. Note to Southerners on this list. Please don't be offended by my "Y'all" greeting that I sometimes use in my emails. Having lived in Mississippi and Alabama for many years, I have concluded that this pronoun is one of the South's great contributions to the English language. I once had an HP software engineer in Atlanta blow up because he thought my emails were poking fun at the Southern dialect (I live in Maine now). It was a total misunderstanding on his part and I hope not to repeat it. Now if the Queen would only use "Y'all", the revival of second-person plural in English would be complete.

On Wed, 4 Feb 2004, Stephe Campbell wrote:

> Date: Wed, 4 Feb 2004 16:18:06 -0500
> From: Stephe Campbell
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Fix for bayes rebuild bug on Solaris
>
> Mr. Field,
>
> Can you explain what you mean by your reply to the reference to the
> autolearn=spam
>
> "Someone wanted notification of when a message was auto-learned, so they got
> it."
>
> This is causing quite a problem here and I do not know where it's coming
> from or how to stop it. Is this related anyway to MailWatch. And I also
> haven't noticed any material to read.
>
> Please and thank you.
>
> Steve Campbell
> campbell@cnpapers.com
> Charleston Newspapers
>

From mailscanner at ecs.soton.ac.uk Wed Feb 4 22:28:10 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
In-Reply-To: <00c601c3eb69$70d4e600$5001a8c0@cnpapers.net>
References: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net> <6.0.1.1.2.20040204213109.03d1b320@imap.ecs.soton.ac.uk> <00c601c3eb69$70d4e600$5001a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20040204222736.0414fed0@imap.ecs.soton.ac.uk>

It's possible your Bayes database has been poisoned beyond recovery :-(
No ideas otherwise, I'm afraid.

At 21:54 04/02/2004, you wrote:
>Mr. Field,
>
>OK, my mistake. Total confusion here on my part.
>
>Thanks for the quick answer. Do you have any ideas though on why the list
>began catching a high bayes score. Do I need to "refresh" my Bayes files
>(relearn or something)? Almost everything is receiving high Bayesian
>probabilities. Seems like a SA problem, but I haven't changed that for a
>while.
>
>Thanks and sorry for the extra effort I caused.
>
>Steve Campbell
>campbell@cnpapers.com
>Charleston Newspapers
>
>
>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: Wednesday, February 04, 2004 4:31 PM
>Subject: Re: Upgrade Autolearn problems
>
>
> > At 19:11 04/02/2004, you wrote:
> > >I upgraded to the latest greatest on Monday. I noticed the listing about
> > >having to whitelist this mailing list today and thought nothing of it, as
>I
> > >have always received the mailings from this list.
> > >
> > >I upgraded MailWatch today, and was watching the screen go by, and
>noticed
> > >that this list was flagged as spam. So I looked at the headers and sure
> > >enough, there is an "autolearn" component in the header. After going back
>to
> > >when the upgrade of MS took place and reviewing some of those headers,
>they
> > >too have "autolearn". Now I'm not getting any mail at all.
> > >
> > >I checked my MailScanner.conf and it has the following in it:
> > >
> > >SpamAssassin Auto Whitelist = no
> >
> > Autolearn is related to the Bayes engine, it's nothing to do with
> > auto-whitelisting.
> >
> >
> > >So now I'm lost. And I also don't know if I'll ever hear from you again.
> > >
> > >Is there some new function in the new MS that turns this on, related to
> > >something else?
> > >
> > >
> > >
> > >Steve Campbell
> > >campbell@cnpapers.com
> > >Charleston Newspapers
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at WOGRI.AT Thu Feb 5 07:18:38 2004
From: mailscanner at WOGRI.AT (Wolfgang Hennerbichler)
Date: Thu Jan 12 21:22:19 2006
Subject: (Kaspersky 5) Wrapper Script does not seem to work.
In-Reply-To: <6.0.1.1.2.20040204185443.037b79b0@imap.ecs.soton.ac.uk>
References: <1075915046.2886.77.camel@judas.stall> <6.0.1.1.2.20040204185443.037b79b0@imap.ecs.soton.ac.uk>
Message-ID: <1075965518.2885.95.camel@judas.stall>

On Wed, 2004-02-04 at 19:55, Julian Field wrote:
> >The Problem is, that when Mailscanner starts this script, mailscanner never
> >detects any virus, although it SURELY starts the wrapper script (i tried this
> >with using a touch /tmp/asdf command just before the exec-part). Doesn't
> >Mailscanner look at the return-code of the program?
>
> No. That only tells it that it found a virus somewhere. It scans lots of
> messages at once, and parses the output of the virus scanner.

Ah. Sounds logical. So I guess the only chance I have, is to upgrade Mailscanner (I have a debian-box, on which this scenario (without the daemons, but I read what Julian thinks about virus-scanner daemons) works perfectly, and mailscanner is in a new version.

Hm... I wonder, if I upgrade this box (it is a SuSE 7.2), rpm behaves as .deb, and does not overwrite my config-files, or asks to overwrite. I don't have much experience with rpms.

Thank you, Julian

wogri

--
wogri@wogri.at
http://www.wogri.at

From campbell at CNPAPERS.COM Wed Feb 4 23:04:34 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
References: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net> <6.0.1.1.2.20040204213109.03d1b320@imap.ecs.soton.ac.uk> <00c601c3eb69$70d4e600$5001a8c0@cnpapers.net> <6.0.1.1.2.20040204222736.0414fed0@imap.ecs.soton.ac.uk>
Message-ID: <001d01c3eb73$419ed300$5001a8c0@cnpapers.net>

Mr. Field:

Looks like a pretty good idea to me. Mail is flowing again after I deleted my Bayes files.

Now that I've had experience with this and know a little about what I'm thinking, will the new expiry (Rebuild Bayes Every) function in MS generally take care of this?

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Julian Field"
To:
Sent: Wednesday, February 04, 2004 5:28 PM
Subject: Re: Upgrade Autolearn problems

> It's possible your Bayes database has been poisoned beyond recovery :-(
> No ideas otherwise, I'm afraid.
>
> At 21:54 04/02/2004, you wrote:
> >Mr. Field,
> >
> >OK, my mistake. Total confusion here on my part.
> >
> >Thanks for the quick answer. Do you have any ideas though on why the list
> >began catching a high bayes score. Do I need to "refresh" my Bayes files
> >(relearn or something)? Almost everything is receiving high Bayesian
> >probabilities. Seems like a SA problem, but I haven't changed that for a
> >while.
> >
> >Thanks and sorry for the extra effort I caused.
> >
> >Steve Campbell
> >campbell@cnpapers.com
> >Charleston Newspapers
> >
> >
> >----- Original Message -----
> >From: "Julian Field"
> >To:
> >Sent: Wednesday, February 04, 2004 4:31 PM
> >Subject: Re: Upgrade Autolearn problems
> >
> >
> > > At 19:11 04/02/2004, you wrote:
> > > >I upgraded to the latest greatest on Monday. I noticed the listing about
> > > >having to whitelist this mailing list today and thought nothing of it, as
> >I
> > > >have always received the mailings from this list.
> > > >
> > > >I upgraded MailWatch today, and was watching the screen go by, and
> >noticed
> > > >that this list was flagged as spam. So I looked at the headers and sure
> > > >enough, there is an "autolearn" component in the header. After going back
> >to
> > > >when the upgrade of MS took place and reviewing some of those headers,
> >they
> > > >too have "autolearn". Now I'm not getting any mail at all.
> > > >
> > > >I checked my MailScanner.conf and it has the following in it:
> > > >
> > > >SpamAssassin Auto Whitelist = no
> > >
> > > Autolearn is related to the Bayes engine, it's nothing to do with
> > > auto-whitelisting.
> > >
> > >
> > > >So now I'm lost. And I also don't know if I'll ever hear from you again.
> > > >
> > > >Is there some new function in the new MS that turns this on, related to
> > > >something else?
> > > >
> > > >
> > > >
> > > >Steve Campbell
> > > >campbell@cnpapers.com
> > > >Charleston Newspapers
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > Professional Support Services at www.MailScanner.biz
> > > MailScanner thanks transtec Computers for their support
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From frmitchell at BROOKES.AC.UK Wed Feb 4 23:05:47 2004
From: frmitchell at BROOKES.AC.UK (Faye Mitchell)
Date: Thu Jan 12 21:22:19 2006
Subject: Debian wierdness
Message-ID: <40217ACB.28029.5860BD9@localhost>

Hi,

Just curious (and hopeful) - has any other debian user experienced this?

Mailscanner/exim/SpamAssassin combo working perfectly (although struggling a little under MyDoom :-) ) on my little debian box. Next day, Mailscanner is pointblankly refusing to copy messages from the incoming exim mail spool to the outgoing one. The previous evening I installed routed and I noticed dselect picked up some security updates for perl modules. Apart from that, no change to the box or to any of the config files.

I tried putting Mailscanner into debug mode, but all mailscanner is saying is that it's starting and then no more logs from Mailscanner. It's still happily running as witnessed by top, and kicking in and out as it should - it's just not doing anything :-(. I tried putting the AV to none (thinking that maybe Sophos was causing the problem), but still no joy :-(

I tried doing a debug run and it seemed to be trying to start up SA (despite the Spam Checks config option being set to no - for a variety of reasons (primarily performance related) I want exim to do the Spam checks, not MailScanner) and getting nowhere. I altered the config file so that use SpamAssassin was set to no, and commented out the lines in the mail MailScanner prog that initialised it to be on the safe side.

And now it starts working.

Has anybody else experienced this and knows why it behaved the way it did? I've got the thing working, but I'd kind of like to know why it stopped working in the first place!

TTFN

Faye

--
-=+=-
Faye Mitchell, Senior Lecturer,
Department of Computing,
Oxford Brookes University
email frmitchell@brookes.ac.uk
WWW http://wwwcms.brookes.ac.uk/~p0072371/
PGP public Key @ http://macallan.brookes.ac.uk/Personal/pgp/dr.f.mitchell.asc
Tel. Work +44 1865 48 4544
Disclaimer: The views represented here, should in no way be taken to be the opinion or views of Oxford Brookes University.
-=+=-

Thought for the day:
Light? Heck I can't even see the tunnel!

From peter at UCGBOOK.COM Wed Feb 4 23:07:36 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:19 2006
Subject: Upgrade Autolearn problems
In-Reply-To: <001d01c3eb73$419ed300$5001a8c0@cnpapers.net>
References: <002401c3eb52$bcccf460$5001a8c0@cnpapers.net> <6.0.1.1.2.20040204213109.03d1b320@imap.ecs.soton.ac.uk> <00c601c3eb69$70d4e600$5001a8c0@cnpapers.net> <6.0.1.1.2.20040204222736.0414fed0@imap.ecs.soton.ac.uk> <001d01c3eb73$419ed300$5001a8c0@cnpapers.net>
Message-ID: <40217B38.3020604@ucgbook.com>

Stephe Campbell wrote:
> Now that I've had experience with this and know a little about what I'm
> thinking, will the new expiry (Rebuild Bayes Every) function in MS generally
> take care of this?

The rebuild will sync new tokens into the main db and the expire will flush old tokens out. It seems that SA is unable to do this itself in many cases. It can help with SA timeouts but it will not help against Bayes poisoning.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From rzewnickie at RFA.ORG Wed Feb 4 23:34:03 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:19 2006
Subject: Debian wierdness
In-Reply-To: <40217ACB.28029.5860BD9@localhost>
References: <40217ACB.28029.5860BD9@localhost>
Message-ID: <20040204233403.GI6691@rfa.org>

We also had issues around the time we did the perl update. I couldn't exactly pin it down to being related vs. just a coincidence. But, in our case the bayes database seemed to have gotten corrupted somehow around the time of the upgrade. Again, I'm not certain it's related, but I have not had any other issues with the bayes database previously.

After I moved the existing bayes_* files aside everything was fine ... I retrained bayes with my saved corpus of ~1000 known spam and several thousand more site specific known ham.

-Eric Rz.

[OT] PS We have this line in our crontab to check for new packages every night:

05 5 * * * root apt-get -qq update && apt-get -dqq upgrade && apt-get -sqq upgrade

It checks for and downloads updated packages, but does not install them. When there are new packages root gets an email. Another good thing is to subscribe to the debian security announce list. That way you get an explanation for any packages updated for security fixes.

-edrz

On Wed, Feb 04, 2004 at 11:05:47PM -0000, Faye Mitchell wrote:
> Hi,
>
> Just curious (and hopeful) - has any other debian user experienced
> this?
>
> Mailscanner/exim/SpamAssassin combo working perfectly (although
> struggling a little under MyDoom :-) ) on my little debian box. Next day,
> Mailscanner is pointblankly refusing to copy messages from the
> incoming exim mail spool to the outgoing one. The previous evening I
> installed routed and I noticed dselect picked up some security updates
> for perl modules. Apart from that, no change to the box or to any of the
> config files.
>
> I tried putting Mailscanner into debug mode, but all mailscanner is
> saying is that it's starting and then no more logs from Mailscanner. It's
> still happily running as witnessed by top, and kicking in and out as it
> should - it's just not doing anything :-(. I tried putting the AV to none
> (thinking that maybe Sophos was causing the problem), but still no joy :-(
>
> I tried doing a debug run and it seemed to be trying to start up SA
> (despite the Spam Checks config option being set to no - for a variety
> of reasons (primarily performance related) I want exim to do the Spam
> checks, not MailScanner) and getting nowhere. I altered the config file
> so that use SpamAssassin was set to no, and commented out the lines
> in the mail MailScanner prog that initialised it to be on the safe side.
>
> And now it starts working.
>
> Has anybody else experienced this and knows why it behaved the way
> it did? I've got the thing working, but I'd kind of like to know why it
> stopped working in the first place!
>
> TTFN
>
> Faye
>
>
> --
> -=+=-
> Faye Mitchell, Senior Lecturer,
> Department of Computing,
> Oxford Brookes University
> email frmitchell@brookes.ac.uk
> WWW http://wwwcms.brookes.ac.uk/~p0072371/
> PGP public Key @
> http://macallan.brookes.ac.uk/Personal/pgp/dr.f.mitchell.asc
> Tel. Work +44 1865 48 4544
> Disclaimer: The views represented here, should in no way be taken to
> be the opinion or views of Oxford Brookes University.
> -=+=-
>
> Thought for the day:
> Light? Heck I can't even see the tunnel!

From kevin at KEVINSPICER.CO.UK Wed Feb 4 23:55:25 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:19 2006
Subject: Beating bayes
Message-ID: <1075938926.2858.99.camel@bach.kevinspicer.co.uk>

Interesting article on beating bayes filters at the BBC
http://news.bbc.co.uk/1/hi/technology/3458457.stm

Discuss...

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net

From sveinn at SVEINNG.COM Thu Feb 5 00:14:30 2004
From: sveinn at SVEINNG.COM (Sveinn Gunnarsson)
Date: Thu Jan 12 21:22:19 2006
Subject: FixMaliciousSubjects is cutting legim Subject lines.
In-Reply-To: <6.0.1.1.2.20040204161132.03b42008@imap.ecs.soton.ac.uk>
Message-ID:

The Subject line appears last in the headers of the modified emails like this:

--%<------
X-OgVodafone-MailScanner-SpamScore: ss
Subject: Re: WinCABAS:
---%<------

Thanks,
Svenni...

> What is it reducing them to? I can't see anything in the code snippet that
> would touch the sample subject line you gave.
>
> At 15:25 04/02/2004, you wrote:
> >Hi Julian.
> >
> >I have found that the FixMaliciousSubjects sub in SweepContent.pm is cutting
> >off non-exploit subject lines. These mails are sent from Lotus Notes server.
> >I have not seen this happening when receiving mail from other servers.
> >
> >Here is a header-snip of one such email:
> >
> >
> >From: yy@yy.is
> >In-Reply-To:
> >
> >Subject: Re: WinCABAS:
> > =?iso-8859-1?Q?Bifei=F0averkst=E6=F0i_=C1rna_G=EDslasonar_hf=2C_MV128-02?=
> > =?us-ascii?Q?=2E=2E?= =?iso-8859-1?Q?=ED__cabas=2C_G=F3l?=
> >To: xx@xx.is
> >
> >
> >I have disabled these three lines in SweepContent.pm to let these subjects
> >through, but a more elegant solution would be nice :)
> >
> ># $newsubject =~ s/\s{20,}.*\..{1,4}\s*$//; # Delete file extensions at end
> >of filename
> ># $newsubject =~ s/\s*$//g;
> ># $newsubject =~ s/\s{20,}//g;
> >
> >
> >
> >Thanks in advance !
> >
> >Sveinn G. Gunnarsson
> >UNIX Specialist
> >
> >Og Vodafone
> >Sidumuli 28
> >108 Reykjavik
> >Iceland
> >www.ogvodafone.is
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From test at NEXTMILL.NET Thu Feb 5 00:16:05 2004
From: test at NEXTMILL.NET (Brian Lewis)
Date: Thu Jan 12 21:22:19 2006
Subject: Announce: MailWatch for MailScanner 0.5
Message-ID:

Got it working!!

installed
MySQL-shared-3.23.58-1.i386.rpm
MySQL-bevel-3.23.58-1.i386.rpm

then reran Perl Makefile.pl, make, make test, and make install which successfully installed DBD:mysql v2.1028-8 and now Mailwatch talks to the MySQL server properly!!!

Very Very slick!! Now we just need quarantine messages to database, self cleaning up to remove older database entries after a period of time (two settings, one for MESSAGE CONTENT and one for MESSAGE HEADER info) and the option to release a message for delivery and this product will be really sweet!

From mkettler at EVI-INC.COM Thu Feb 5 00:42:03 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:19 2006
Subject: Beating bayes
In-Reply-To: <1075938926.2858.99.camel@bach.kevinspicer.co.uk>
References: <1075938926.2858.99.camel@bach.kevinspicer.co.uk>
Message-ID: <6.0.0.22.0.20040204193553.0269baa0@xanadu.evi-inc.com>

At 06:55 PM 2/4/2004, you wrote:
>Interesting article on beating bayes filters at the BBC
>http://news.bbc.co.uk/1/hi/technology/3458457.stm
>
>Discuss...

It points out the fundamental reason why SpamAssassin isn't a pure bayes system. It's also why SA tokenizes headers, not just message bodies when it does bayes (if you tokenize headers, that section isn't as easy to obfuscate and/or add poison to).

And let's face it.. my most recent bayes-poison loaded spam got:

BAYES_99 5.40, HTML_MESSAGE 0.10, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_DYNABLOCK 1.50, RCVD_IN_SORBS 0.10)

Some benefit the 280 words of bayes poison they stuffed at the end got them.

For reference the email in question is a bayes-poison loaded, random character-insert obfuscated super v-drug spam. It offered to:

"Suxper chajrge your lolve linfe!"

/yawn.

From joebaker at DCRESEARCH.COM Thu Feb 5 02:09:07 2004
From: joebaker at DCRESEARCH.COM (Joe Baker)
Date: Thu Jan 12 21:22:19 2006
Subject: Maximum Notifications Limit
Message-ID: <1075946947.31331.89.camel@mail.dcresearch.com>

There should be a maximum number of virus infection notifications sent per day value. After so many infection bounce notifications, the system should stop sending them. Otherwise our messages that alert "senders" that they have sent a virus infected message could bring the Internet to its knees.

Typically, I register a new virus as "silent" in the configurations right away.

Here's an interesting article on the subject.
http://www.raeinternet.com/newsletter/interview_skulason_092303.html

--
Joe Baker
Digital Communications Research, Inc.

From kfliong at WOFS.COM Thu Feb 5 02:16:22 2004
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:22:19 2006
Subject: Announce: MailWatch for MailScanner 0.5
In-Reply-To: <013b01c3eaa8$10b70120$4c04a8c0@Plnt3domain>
References: <67D9E7698329D411936E00508B6590B902773E43@neelix.lbsltd.co.uk> <013b01c3eaa8$10b70120$4c04a8c0@Plnt3domain>
Message-ID: <6.0.0.22.0.20040205100713.03a69f90@192.168.10.2>

I can't wait to upgrade my mailwatch to 0.5. But as of now, only my company's email is working as we have problems with our broadband internet connection.

But have one question. The last time i tried to go to mailwatch screen, it took me very long to connect and usually it will timeout. Since then I have had other problems and didn't have time to check mailwatch properly. Could this be due to mysql queries taking too long? Maybe if my database is indexed, the queries will go faster? I only tried keeping 1 month's of data as this itself is taking over 700mb. Could this be the problem?

Thanks for continuing the effort to improve mailwatch. It is a very good tool for mailscanner users.

At 06:50 AM 2/4/2004, you wrote:
>Thank you. Its now working...
>
>----- Original Message -----
>From: "Steve Freegard"
>To:
>Sent: Tuesday, February 03, 2004 5:06 PM
>Subject: Re: Announce: MailWatch for MailScanner 0.5
>
>
> > Hi Joseph,
> >
> > You're getting this error because your copy of PHP doesn't have the MySQL
> > module installed or compiled in.
> >
> > If you are running RedHat install the php-mysql RPM from your installation
> > CD's and restart apache and it will start working.
> >
> > Kind regards,
> > Steve.
> >
> > > -----Original Message-----
> > > From: Joseph C. Bautista [mailto:jdbautista@IWSPC.COM]
> > > Sent: 03 February 2004 08:39
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Announce: MailWatch for MailScanner 0.5
> > >
> > >
> > > Hi All,
> > >
> > > I think i followed the instruction correct. My
> > > Mailscanner is logging to mysql database. But everytime i
> > > point my browser to
> > >
> > > http://localhost/mailscanner it gives me an error:
> > >
> > > Fatal error: Call to undefined function:
> > > mysql_pconnect() in
> > > /home/httpd/html/mailscanner/functions.php on line 273
> > >
> > > Anyone knows how to fixed this?
> > >
> > > Thnx.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Steve Freegard"
> > > To:
> > > Sent: Tuesday, February 03, 2004 8:44 AM
> > > Subject: Announce: MailWatch for MailScanner 0.5
> > >
> > >
> > > > Hi All,
> > > >
> > > > I'm pleased to finally release 0.5 which you can download from
> > > > http://www.sourceforge.net/projects/mailwatch.
> > > >
> > > > CHANGE LOG
> > > > - Updated indexes for much greater performance (again!).
> > > > - Added preliminary support for per-user filters (see USER_FILTERS
> > > > file).
> > > > - Added the ability to view quarantined items.
> > > > - All tables now enable a pager when returning more than 50
> > > rows and allow
> > > > ordering by any of the displayed columns.
> > > > - New tool to run SpamAssassin --lint and time the output
> > > for debugging
> > > SA.
> > > > - New F-Secure status page (like Sophos).
> > > > - Required PEAR modules now included.
> > > > - Added reporting of Blacklisted mails.
> > > > - Integrated the reporting of SpamAssassin Blacklisted/Whitelisted
> > > e-mails.
> > > > - Quoted printable strings are now automatically decoded before
> > > > display.
> > > > - Configuration options moved from functions.php into conf.php
> > > > - Automatically works out VIRUS_REGEX by using the first value in
> > > > MailScanner.conf - e.g. 'Virus Scanners = sophossavi
> > > clamavmodule' would
> > > > activate the regexp for SophosSAVI.
> > > > - New 'Virus Report' allows comparison of multiple scanners
> > > (if you run
> > > > more than one) and allows you to see 1st detection
> > > date/time of each
> > > > virus by each scanner.
> > > > - Integration with Fortress Systems Secure Mail Gateway.
> > > >
> > > > FIXES
> > > > - Multiple clean-ups of mailq.php to make it more robust.
> > > > - Greatly improved debugging of SQL statements.
> > > > - Quarantine now correctly looks in the non-spam quarantine
> > > > directories.
> > > > - SA Rules Description Update now reads custom rules as well.
> > > > - sendmail_relay.php now works across log rotations.
> > > > - Increased memory_limit to 128M for quarantine functions.
> > > >
> > > > Kind regards,
> > > > Steve.
> > > >
> > > > --
> > > > MailWatch for MailScanner
> > > > http://mailwatch.sourceforge.net
> > > >
> > > > --
> > > > This email and any files transmitted with it are confidential and
> > > > intended solely for the use of the individual or entity to
> > > whom they
> > > > are addressed. If you have received this email in error
> > > please notify
> > > > the sender and delete the message from your mailbox.
> > > >
> > > > This footnote also confirms that this email message has
> > > been swept by
> > > > MailScanner (www.mailscanner.info) for the presence of computer
> > > > viruses.
> > >
> >
> > --
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error please notify
> > the sender and delete the message from your mailbox.
> >
> > This footnote also confirms that this email message has been swept by
> > MailScanner (www.mailscanner.info) for the presence of computer viruses.

thanks

From john at TRADOC.FR Thu Feb 5 07:26:07 2004
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:22:19 2006
Subject: upgrade_MailScanner_conf help text inconsistency
Message-ID:

When you run upgrade_mailscanner_conf with no arguments, it suggests running it with the command
| upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.new

When you then do so, at the end it says
| If you ran this with a command like this
| upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.conf.new
| then you should do
| diff MailScanner.conf.rpmnew MailScanner.conf.new
| and check for any differences in values you have not changed yourself.

Note that the suggested filename has changed from MailScanner.new to MailScanner.conf.new

Not a big deal - I'm sure all but the most clueless of admins will work it out for themselves - but it would be nice to be consistent just so that copying and pasting the suggested commands unchanged will work! Or better still, make the suggestion use the arguments actually passed.

John.

--
-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From christo at IT4AFRICA.CO.ZA Thu Feb 5 07:16:56 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:19 2006
Subject: High Load after MS and Mailwatch Upgrade
Message-ID: <002601c3ebb8$0a04ea70$660210ac@christoxp>

After upgrading to the latest version of MailWatch and Mailscanner my server started to take huge load.

I found the following in my maillogs.

Feb 5 09:03:29 mailtest sendmail[6833]: rejecting connections on daemon MTA: load average: 13
Feb 5 09:05:33 mailtest MailScanner[10934]: SpamAssassin timed out and was killed, consecutive failure 6 of 20
Feb 5 09:11:39 mailtest MailScanner[4900]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7

The Spamassassin keeps on going up to 20 of 20.

I have a caching DNS and it is working properly. My config is.

mailscanner-4.26.8-1 RH9 mailwatch-0.5 MailScanner-MRTG-0.07 on a P4 2Ghz with 512 MB ram

Thanx
Christo

From martinh at SOLID-STATE-LOGIC.COM Thu Feb 5 10:00:22 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:19 2006 Subject: High Load after MS and Mailwatch Upgrade In-Reply-To: <002601c3ebb8$0a04ea70$660210ac@christoxp> References: <002601c3ebb8$0a04ea70$660210ac@christoxp> Message-ID: <40221436.2020909@solid-state-logic.com> Christo Bezuidenhout wrote: > After upgrading to the latest version of MailWatch and Mailscanner my > server started to take huge load. > > I Found the following in my maillogs. > > Feb 5 09:03:29 mailtest sendmail[6833]: rejecting connections on daemon > MTA: load average: 13 > Feb 5 09:05:33 mailtest MailScanner[10934]: SpamAssassin timed out and > was killed, consecutive failure 6 of 20 > Feb 5 09:11:39 mailtest MailScanner[4900]: RBL Check ORDB-RBL timed out > and was killed, consecutive failure 1 of 7 > > The Spamassassin keeps on going up to 20 of 20. > > I have a caching DNS and is working properly. My config is. > mailscanner-4.26.8-1 RH9 mailwatch-0.5 MailScanner-MRTG-0.07 on a P4 > 2Ghz with 512 MB ram > > Thanx > Christo Christo looks like you've got problems with ORDB which is causing the issues, not mailwatch.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From steve.freegard at LBSLTD.CO.UK Thu Feb 5 10:28:09 2004 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:22:19 2006 Subject: High Load after MS and Mailwatch Upgrade Message-ID: <67D9E7698329D411936E00508B6590B902773E75@neelix.lbsltd.co.uk> Hi Christo, Post the output of: "time spamassassin -D rbl=-3,rulesrun=255 -p /etc/MailScanner/spam.assassin.prefs.conf --lint" as that should show what is slowing SpamAssassin down. Also are you running any custom SA rulesets that might be slowing SpamAssassin down?? - I've had problems in the past with the sa-blacklist and sa-blacklist-uri custom sets as they are so big. If you want to disable MailWatch to confirm that it is not causing your problems, you can do this by commenting the line in CustomConfig.pm that says "require 'MailScanner/MailWatch.pm';" and restart MailScanner and see if that helps at all. Kind regards, Steve. -----Original Message----- 
From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA] Sent: 05 February 2004 07:17 To: MAILSCANNER@JISCMAIL.AC.UK Subject: High Load after MS and Mailwatch Upgrade After upgrading to the latest version of MailWatch and Mailscanner my server started to take huge load. I Found the following in my maillogs. Feb 5 09:03:29 mailtest sendmail[6833]: rejecting connections on daemon MTA: load average: 13 Feb 5 09:05:33 mailtest MailScanner[10934]: SpamAssassin timed out and was killed, consecutive failure 6 of 20 Feb 5 09:11:39 mailtest MailScanner[4900]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 The Spamassassin keeps on going up to 20 of 20. I have a caching DNS and is working properly. My config is. mailscanner-4.26.8-1 RH9 mailwatch-0.5 MailScanner-MRTG-0.07 on a P4 2Ghz with 512 MB ram Thanx Christo -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/627d4f15/attachment.html From martinh at SOLID-STATE-LOGIC.COM Thu Feb 5 10:42:11 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:19 2006
Subject: High Load after MS and Mailwatch Upgrade
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E75@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773E75@neelix.lbsltd.co.uk>
Message-ID: <40221E03.7080406@solid-state-logic.com>

Steve Freegard wrote:
> Hi Christo,
>
> Post the output of: "time spamassassin -D rbl=-3,rulesrun=255 -p
> /etc/MailScanner/spam.assassin.prefs.conf --lint" as that should show
> what is slowing SpamAssassin down.
>
> Also are you running any custom SA rulesets that might be slowing
> SpamAssassin down?? - I've had problems in the past with the
> sa-blacklist and sa-blacklist-uri custom sets as they are so big.
>
> If you want to disable MailWatch to confirm that it is not causing your
> problems, you can do this by commenting the line in CustomConfig.pm that
> says "require 'MailScanner/MailWatch.pm';" and restart MailScanner and
> see if that helps at all.
>
> Kind regards,
> Steve.
>

Another thought is where are you doing the RBL checks? If you are duplicating RBL checks on SA as well as Mailscanner then this could be an issue..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From christo at IT4AFRICA.CO.ZA Thu Feb 5 10:44:45 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:20 2006
Subject: High Load after MS and Mailwatch Upgrade {Virus Scanned}
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E75@neelix.lbsltd.co.uk>
Message-ID: <006301c3ebd5$11ff20c0$660210ac@christoxp>

I found the problem. One of my custom cf files was corrupt. I just replaced this file with the backup of two days ago and all is working fine again.

Thanx for the assist

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Freegard
Sent: 05 February 2004 12:28 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: High Load after MS and Mailwatch Upgrade {Virus Scanned}

Hi Christo,

Post the output of: "time spamassassin -D rbl=-3,rulesrun=255 -p /etc/MailScanner/spam.assassin.prefs.conf --lint" as that should show what is slowing SpamAssassin down.

Also are you running any custom SA rulesets that might be slowing SpamAssassin down?? - I've had problems in the past with the sa-blacklist and sa-blacklist-uri custom sets as they are so big.

If you want to disable MailWatch to confirm that it is not causing your problems, you can do this by commenting the line in CustomConfig.pm that says "require 'MailScanner/MailWatch.pm';" and restart MailScanner and see if that helps at all.

Kind regards,
Steve.

-----Original Message-----
From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA] Sent: 05 February 2004 07:17 To: MAILSCANNER@JISCMAIL.AC.UK Subject: High Load after MS and Mailwatch Upgrade After upgrading to the latest version of MailWatch and Mailscanner my server started to take huge load. I Found the following in my maillogs. Feb 5 09:03:29 mailtest sendmail[6833]: rejecting connections on daemon MTA: load average: 13 Feb 5 09:05:33 mailtest MailScanner[10934]: SpamAssassin timed out and was killed, consecutive failure 6 of 20 Feb 5 09:11:39 mailtest MailScanner[4900]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 The Spamassassin keeps on going up to 20 of 20. I have a caching DNS and is working properly. My config is. mailscanner-4.26.8-1 RH9 mailwatch-0.5 MailScanner-MRTG-0.07 on a P4 2Ghz with 512 MB ram Thanx Christo -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks IT For Africa for their support. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/0c9ef083/attachment.html From prandal at HEREFORDSHIRE.GOV.UK Thu Feb 5 10:55:39 2004 
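The log lines posted in this thread carry a running counter ("consecutive failure 6 of 20"), which makes them easy to watch before a scanner check is exhausted. The following is an added example, not code from the thread or from MailScanner: it summarizes those counters and the sendmail load rejections. The first three sample lines are the ones quoted above, the rest are constructed, and the 50% warning ratio is an assumption.

```python
import re

# "<check> timed out and was killed, consecutive failure N of LIMIT"
TIMEOUT_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: (?P<check>SpamAssassin|RBL Check \S+) "
    r"timed out and was killed, consecutive failure (?P<n>\d+) of (?P<limit>\d+)"
)
# sendmail refusing mail because the load average is too high
REJECT_RE = re.compile(
    r"sendmail\[\d+\]: rejecting connections on daemon \S+: "
    r"load average: (?P<load>\d+)"
)

# Lines 1-3 come from the thread; lines 4-6 are constructed for the example.
SAMPLE_LOG = """\
Feb 5 09:03:29 mailtest sendmail[6833]: rejecting connections on daemon MTA: load average: 13
Feb 5 09:05:33 mailtest MailScanner[10934]: SpamAssassin timed out and was killed, consecutive failure 6 of 20
Feb 5 09:11:39 mailtest MailScanner[4900]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7
Feb 5 09:14:02 mailtest MailScanner[10934]: SpamAssassin timed out and was killed, consecutive failure 11 of 20
Feb 5 09:15:10 mailtest sendmail[7011]: rejecting connections on daemon MTA: load average: 15
Feb 5 09:16:40 mailtest MailScanner[4900]: New Batch: Scanning 3 messages, 4096 bytes
"""


def summarize(log_text, warn_ratio=0.5):
    """Return per-check timeout counters, checks near their limit, and load rejections."""
    checks = {}
    loads = []
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            n, limit = int(m["n"]), int(m["limit"])
            entry = checks.setdefault(
                m["check"], {"events": 0, "worst": 0, "limit": limit, "pids": set()}
            )
            entry["events"] += 1
            entry["limit"] = limit              # the configured limit may change on restart
            entry["worst"] = max(entry["worst"], n)
            entry["pids"].add(int(m["pid"]))    # which scanner processes were affected
            continue
        m = REJECT_RE.search(line)
        if m:
            loads.append(int(m["load"]))
    # A check is flagged once its counter has used warn_ratio of its limit.
    alerts = sorted(
        name for name, e in checks.items()
        if e["limit"] and e["worst"] / e["limit"] >= warn_ratio
    )
    return {
        "checks": checks,
        "alerts": alerts,
        "rejections": len(loads),
        "peak_load": max(loads, default=None),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for name, e in report["checks"].items():
        print("%-22s worst %d of %d (%d events)" % (name, e["worst"], e["limit"], e["events"]))
    print("near limit:", report["alerts"])
    print("sendmail rejections:", report["rejections"], "peak load:", report["peak_load"])
```
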
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:20 2006 Subject: Fix for bayes rebuild bug on Solaris Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4EA@jessica.herefordshire.gov.uk> I for one find it very useful. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 04 February 2004 18:54 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Fix for bayes rebuild bug on Solaris > > > At 17:13 04/02/2004, you wrote: > >Hi! > > > > > I applied the patch (had to do it by hand, an extra space in > > > there on the second chunk), uncommented bayes_auto_expire in > > > spam.assassin.prefs.conf, restarted. No apparent problems. > > > > > > I just noticed the "autolearn=spam" note in mails tagged as spam > > > by SA. No mention of this in the docs. What is this about? > > > >Most likely bayes autolearning ? :) > > Someone wanted notification of when a message was > auto-learned, so they got > it. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From ugob at CAMO-ROUTE.COM Thu Feb 5 11:21:05 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:20 2006
Subject: untagged messages
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108B4@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Schmitt, Andy C - CIDD-2 [mailto:acschmitt@BPA.GOV]
> Sent: Wednesday, February 04, 2004 2:43 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: untagged messages
>
>
> This may be completely off base, since I don't know if you
> already posted your network config, but are you delivering
> directly to Unix accounts after MailScanner, or forwarding on
> to an Exchange box on an internal network?
>
> The reason why I ask is that here, we use MS Exchange for
> internal mail, and it seems like headers get replaced at
> random times by the words "Microsoft Mail Internet Headers
> 2.0" followed by a sanitized version of headers, which still
> shows the server route, but nothing useful such as
> MailScanner headers. I've heard vague rumors as to why this
> happens, but have not heard of anyone being able to fix it.
>

Hmmm, I always see "Microsoft Mail Internet Headers 2.0,", but I never saw a message w/o MailScanner's headers, though. But I don't receive a lot of messages.

Ugo

>
> -----Original Message-----
> From: hermit921 [mailto:hermit921@YAHOO.COM]
> Sent: Wednesday, February 04, 2004 11:18 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: untagged messages
>
>
> I am still trying to figure out why some messages don't get tagged by
> MailScanner 4-23, postfix 2. Every email should get tagged with at least
> one MailScanner header, but some don't.
>
> I came up with an idea. Is this feasible:
> Spammer sets up his client to use our mail server as his smtp
> gateway. Should work for any message addressed to a user in our domain,
> but he can't send mail outside. So spammer addresses a message to
> usera@mydomain, with CC or BCC to userb, userc, userd, etc. Now I get
> fuzzy....
>
> One message appears here, postfix dumps it in the hold queue. Postfix
> splits it up at the same time, so only the original message gets the
> MailScanner headers. Since I can't track the original, I can't verify the
> presence of headers.
>
> Am I way off?
>

From carles at UNLIMITEDMAIL.ORG Thu Feb 5 13:40:24 2004
From: carles at UNLIMITEDMAIL.ORG (Carles Xavier Munyoz Baldó)
Date: Thu Jan 12 21:22:20 2006
Subject: Bayes database size.
Message-ID: <200402051440.24833.carles@unlimitedmail.org>

Hi,
I'm using MailScanner with SpamAssassin and the auto_learn option enabled for the Bayes DataBase.

My question is: will the learning process stop when there is enough information on the database or will it continuously learn new spam and ham messages?

That is, is there any limit in the number of spam and ham messages learned by the Bayes database?

If there is no limit, will my database continuously increase its size until I run out of disk space?

Greetings.
---
Carles Xavier Munyoz Baldó
carles@unlimitedmail.org
http://www.unlimitedmail.net/
---

From brose at MED.WAYNE.EDU Thu Feb 5 14:19:22 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:20 2006
Subject: Fix for bayes rebuild bug on Solaris
Message-ID:

Ok it seems to be working. I'm confused by the scheduling though. I set the rebuild to 300 secs last night so I could check adequately but it never ran a rebuild every 5 mins. Before anyone asks why 5 mins, this was only to "test" the code. Anyway, this morning I checked the logs and the rebuild did occur. But it looks like it just ran twice 5mins apart after the 4hr Mailscanner restart time. Is this correct?

Feb 5 03:16:37 eeyore MailScanner[2023]: Bayes database rebuild is due
Feb 5 03:16:38 eeyore MailScanner[2023]: SpamAssassin Bayes database rebuild preparing
Feb 5 03:16:43 eeyore MailScanner[2023]: SpamAssassin Bayes database rebuild starting
Feb 5 03:22:09 eeyore MailScanner[2658]: Bayes database rebuild is due
Feb 5 03:22:11 eeyore MailScanner[2658]: SpamAssassin Bayes database rebuild preparing
Feb 5 03:22:25 eeyore MailScanner[2658]: SpamAssassin Bayes database rebuild starting
Feb 5 07:17:47 eeyore MailScanner[18646]: Bayes database rebuild is due
Feb 5 07:17:48 eeyore MailScanner[18646]: SpamAssassin Bayes database rebuild preparing
Feb 5 07:18:22 eeyore MailScanner[18646]: SpamAssassin Bayes database rebuild starting
Feb 5 07:23:02 eeyore MailScanner[19177]: Bayes database rebuild is due
Feb 5 07:23:03 eeyore MailScanner[19177]: SpamAssassin Bayes database rebuild preparing
Feb 5 07:23:09 eeyore MailScanner[19177]: SpamAssassin Bayes database rebuild starting

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, February 04, 2004 4:41 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Fix for bayes rebuild bug on Solaris At 18:05 02/02/2004, you wrote: >At 17:57 02/02/2004, you wrote: >>Gee... >> >>FWIW, it happened a couple of centuries ago, but I recall having >>serious trouble making Perl's flock() work on Solaris... same >>situation, all development done under linux without a hitch and >>Solaris ignored all the locking... and it wasn't an interoperability >>problem, since I was competing against my own script... >> >>The point is I don't quite remember what we did to solve it (we is an >>understatement, since it wasn't me programming, I was just the >>designer)... it must have been perl 5.6.x and Solaris 7, but I'm not >>sure either... >> >>Seems like you'll need a Solaris box to test it thoroughly... I >>wouldn't even trust Solaris-x86 to behave identically to Solaris-Sparc >>:-( > >I've got an Ultra-5 so I can do a real test. If necessary, I can build >a >Solaris-x86 box too. But as you say, the best place to try it is a real sparc. I have found the problem. Attached is a very short patch to SA.pm. This should let you enable the "Rebuild Bayes Every" feature that does scheduled Bayes database rebuilds. If you turn this feature on in MailScanner.conf, you will want to set bayes_auto_expire 0 in your spam.assassin.prefs.conf to disable the (unsuccessful) attempts at letting SpamAssassin rebuild its Bayes database when it feels like it. From rgreen at TRAYERPRODUCTS.COM Thu Feb 5 15:02:18 2004 
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner/ClamAV
Message-ID: <40225AFA.9050908@trayerproducts.com>

Hello. I'm testing MailScanner and ClamAV. When I receive a message with the MyDoom worm attached in a zip file the attachment is blocked and quarantined upon arrival. When I send a message with the same zip file attached through the server it gets through to the remote server without being blocked. Is there a way to have mail filtered on the way out too?

Thanks,
Rod

From ycayer at 3WEBMEDIA.COM Thu Feb 5 15:04:33 2004
From: ycayer at 3WEBMEDIA.COM (Yannick Cayer)
Date: Thu Jan 12 21:22:20 2006
Subject: Cannot parse /var/spool/MailScanner/incoming/25111/i15F3CI26572.header and ,
Message-ID: <4915A8E67C498D42BAB5CB1351FD026E14AC8C@3webad1.3WebMedia.int>

I am getting the following error many many times in my MailScanner logs... Can anyone tell me what this means?

Cannot parse /var/spool/MailScanner/incoming/25111/i15F3CI26572.header and ,

Thank you again

From sits at CAEDERUS.COM Thu Feb 5 15:09:43 2004
From: sits at CAEDERUS.COM (Sitsofe Wheeler)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner RPM dependencies
Message-ID: <1075993782.1528.86.camel@subsub.caederus.com>

Hi,

I've noticed that the MailScanner specfile does not actually list dependencies on all the RPMs it needs to run. This means it is hard to get working with tools like apt and yum when all the RPMs are provided by a repository (also the tnef was not picked up even though it is listed as a requires). Was this intentional?

From ugob at CAMO-ROUTE.COM Thu Feb 5 15:23:00 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner/ClamAV
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108B8@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Rodney Green [mailto:rgreen@TRAYERPRODUCTS.COM]
> Sent: Thursday, February 05, 2004 10:02 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner/ClamAV
>
>
> Hello. I'm testing MailScanner and ClamAV. When I receive a message with
> the MyDoom worm attached in a zip file the attachment is blocked and
> quarantined upon arrival. When I send a message with the same zip file
> attached through the server it gets through to the remote server without
> being blocked. Is there a way to have mail filtered on the way out too?

It is supposed to be filtered both ways.

>
> Thanks,
> Rod
>

From HancockS at MORGANCO.COM Thu Feb 5 15:31:19 2004
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:22:20 2006
Subject: NDR strategy
Message-ID: <3EA1A302A4978A4C970D2C63F327156E02406D12@worc-mail2.int.morganco.com>

I use a batch command that calls a resource util ldifde to get info out of AD. I then compare it for changes on the windows side and copy it to the mailscanner for processing with a Perl script. Change the object class to "group" for dist. lists.

    ldifde -f c:\temp\Exportuser.ldf -s -d "dc=internal,dc=domain,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(proxyAddresses=*))" -l "cn,proxyAddresses"

FWIW

Scott

From robv at DISASTER.COM Thu Feb 5 15:35:01 2004
From: robv at DISASTER.COM (Vicchiullo, Rob)
Date: Thu Jan 12 21:22:20 2006
Subject: f-prot update
Message-ID: <8BD06A60242B4341B8919A4AC958C1D01816CC@busted.dandd.com>

For some reason I always get this error in my mail logs when mailscanner tries to update f-prot

Updates download from http://updates.f-prot.com failed. Suspect server could not be reached,

But if I run the mailscanner virus update script manually it works fine. Any ideas why this would happen?

From miguelk at KONSULTEX.COM.BR Thu Feb 5 15:36:47 2004
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner/ClamAV
References: <54C38A0B814C8E438EF73FC76F3629274108B8@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <4022630F.7020808@konsultex.com.br>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/076697f8/attachment.html

From michele at BLACKNIGHTSOLUTIONS.COM Thu Feb 5 16:02:32 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:20 2006
Subject: Restricted Word List with MailScanner
In-Reply-To:
Message-ID:

You could look at using something like BigEvil

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Jonathan Lampe > Sent: 05 February 2004 15:39 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Restricted Word List with MailScanner > > > Is there an easy way to use a restricted word list with MailScanner? > > (No, I don't want a "self-learning" Bayesian filter - I want a word list > which into which I can put words which will always flag spam as spam.) > From rgreen at TRAYERPRODUCTS.COM Thu Feb 5 16:03:56 2004 From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:20 2006 Subject: MailScanner/ClamAV In-Reply-To: <40225AFA.9050908@trayerproducts.com> References: <40225AFA.9050908@trayerproducts.com> Message-ID: <4022696C.4010604@trayerproducts.com> Thanks for your replies. I'm using Thunderbird as my mail client and found that the SMTP server I was using to send mail was not the test server I have MailScanner/ClamAV running on. :-) I changed it to the proper one and tested again and it blocked the outgoing attachment just fine. Rod Rodney Green wrote: > Hello. I'm testing MailScanner and ClamAV. When I receive a message with > the MyDoom worm attached in a zip file the attachment is blocked and > quarantined upon arrival. When I send a message with the same zip file > attached through the server it gets through to the remote server without > being blocked. Is there a way to have mail filtered on the way out too? > > Thanks, > Rod > > From steinkel at PA.NET Thu Feb 5 16:11:20 2004 
From: steinkel at PA.NET (Leland J. Steinke) Date: Thu Jan 12 21:22:20 2006 Subject: untagged messages References: <6.0.0.22.2.20040204104406.01e4a2b8@pop.mail.yahoo.com> Message-ID: <40226B28.5020904@pa.net> hermit921 wrote: > I am still trying to figure out why some messages don't get tagged by > MailScanner 4-23, postfix 2. Every email should get tagged with at least > one MailScanner header, but some don't. > > I came up with an idea. Is this feasible: > Spammer sets up his client to use our mail server as his smtp > gateway. Should work for any message addressed to a user in our domain, > but he can't send mail outside. So spammer addresses a message to > usera@mydomain, with CC or BCC to userb, userc, userd, etc. Now I get > fuzzy.... > > One message appears here, postfix dumps it in the hold queue. Postfix > splits it up at the same time, so only the original message gets the > MailScanner headers. Since I can't track the original, I can't verify the > presence of headers. > > Am I way off? > As I recall, the cleanup daemon is what puts the arriving message into the hold queue, but it is downstream where the qmgr daemon that actually splits the message up for different destinations via the trivial-rewrite daemon. See http://www.postfix.org/big-picture.html. I saw one of these untagged messages this morning. I was able to track it through our logs where it did, in fact, get a SA score of 9.7, but there were no MS headers in the message at all. This was in the headers that did make it through: Message-ID: References: <200402051440.24833.carles@unlimitedmail.org> Message-ID: <6.0.0.22.0.20040205111514.025f3fd0@xanadu.evi-inc.com> At 08:40 AM 2/5/2004, Carles Xavier Munyoz Bald? wrote: >My question is: will the learning process stop when there is enougth >information on the database or will it continuosly learn new spam and ham >messages ? It will keep learning. 
>That it is, is there any limit in the number of spam and ham messages learned >by the Bayes database ? Yes, read man Mail::SpamAssassin::Conf if you want to try to change it. >If there is no limit, will my database continuosly increase its size until I >run out of disk space ? No it won't, as long as the expiry process can successfully run now and again. The expiry pushes old tokens out of the bayes database if it's over the size limits. If you're using an older version of MailScanner on a busy server, you may need to run sa-learn --force-expire in your crontab. Newer versions of MailScanner manage bayes expiry automatically. (SA will try to "opportunistically" run expiry as it scans mail, but on a busy server, with multiple MailScanner children, it's unlikely to be successful, as it can only succeed in locking the bayes database when only one message is being SA'ed at the time it tries. Same rules of opportunism apply to autolearning. It only happens if it can be done without waiting for a lock.) From mkettler at EVI-INC.COM Thu Feb 5 16:24:59 2004 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:20 2006
Subject: Restricted Word List with MailScanner
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20040205112054.024a09b0@xanadu.evi-inc.com>

At 10:39 AM 2/5/2004, Jonathan Lampe wrote:
>Is there an easy way to use a restricted word list with MailScanner?
>
>(No, I don't want a "self-learning" Bayesian filter - I want a word list
>which into which I can put words which will always flag spam as spam.)

Although it's a bit of work, you can use/abuse SpamAssassin to do that.. it's overkill for the job, and probably not the simplest thing to set up, but it's possible.

Just set up MailScanner to use SA, disable bayes, awl, dnsbls and hack out most of the SA rules.. replace them with rules that search for single rules and apply huge point scores to each of those rules. As an added benefit, you can search for any perl-regex you want, not just words.

If your MailScanner box does delivery, you could also use procmail as a MDA and have a procmail script filter words.. That's the old-fashioned simple way of doing it, and doesn't involve MailScanner at all per-se.

From steve.swaney at FSL.COM Thu Feb 5 16:27:16 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:20 2006
Subject: f-prot update
In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01816CC@busted.dandd.com>
Message-ID: <20040205162715.846F521C149@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Vicchiullo, Rob
> Sent: Thursday, February 05, 2004 10:35 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: f-prot update
>
> For some reason I always get this error in my mail logs when mailscanner
> tries to update f-prot
>
> Updates download from http://updates.f-prot.com failed. Suspect server
> could not be reached,
>
> But if I run the mailscanner virus update script manually it works fine.
> Any ideas why this would happen?
>
>

Rob,

Try adding a statement at the beginning of the update script that will store the environment that script is running in. In Linux with a bash shell this line would look like:

    printenv > /tmp/updates-f-prot.env

Then run the printenv command in the interactive shell that runs the command correctly:

    printenv > /tmp/ok-shell.evn

then

    diff /tmp/updates-f-prot.env /tmp/ok-shell.evn

And you should see a hint on why one is working and the other command is not.

Steve

Steve Swaney
President
Fortress Systems Ltd.
steve.swaney@fsl.com

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Fortress Systems Ltd.
www.fsl.com

From steve.swaney at FSL.COM Thu Feb 5 16:33:00 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:20 2006
Subject: Restricted Word List with MailScanner
In-Reply-To: <6.0.0.22.0.20040205112054.024a09b0@xanadu.evi-inc.com>
Message-ID: <20040205163259.9EC2D21C149@mail.fsl.com>

Check out the MCP feature in MailScanner. It should do what you want. It will use additional resources.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Matt Kettler > Sent: Thursday, February 05, 2004 11:25 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Restricted Word List with MailScanner > > At 10:39 AM 2/5/2004, Jonathan Lampe wrote: > >Is there an easy way to use a restricted word list with MailScanner? > > > >(No, I don't want a "self-learning" Bayesian filter - I want a word list > >which into which I can put words which will always flag spam as spam.) > > Although it's a bit of work, you can use/abuse SpamAssassin to do that.. > it's overkill for the job, and probably not the simpliest thing to set up, > but it's possible. > > Just set up MailScanner to use SA, disable bayes, awl, dnsbls and hack out > most of the SA rules.. replace them with rules that search for single > rules > and apply huge point scores to each of those rules. As an added benefit, > you can search for any perl-regex you want, not just words. > > If your MailScanner box does delivery, you could also use procmail as a > MDA > and have a procmail script filter words.. That's the old-fashioned simple > way of doing it, and doesn't involve MailScanner at all per-se. > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Fortress Systems Ltd. www.fsl.com From campbell at CNPAPERS.COM Thu Feb 5 16:39:35 2004 
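Matt Kettler's suggestion in this thread (one SpamAssassin rule per restricted word, each with a very large score) is easier to maintain when the rules are generated from the word list. The following is an added example, not code from the thread or from either project: it emits `body`, `describe` and `score` lines for each entry. The `LOCAL_WORD` rule-name prefix, the score of 100 and the sample words are assumptions.

```python
def perl_quote(text):
    """Backslash-escape ASCII punctuation and spaces, as Perl's quotemeta does.

    This keeps '/', '#', '@', '$' and regex metacharacters literal inside
    the /.../ pattern, so a list entry can never change the rule's meaning.
    """
    return "".join(
        "\\" + ch if ch.isascii() and not (ch.isalnum() or ch == "_") else ch
        for ch in text
    )


def word_to_regex(entry):
    """Turn one word or phrase into a case-insensitive /.../i pattern."""
    tokens = entry.split()
    # Any run of whitespace between the words of a phrase is accepted.
    pattern = r"\s+".join(perl_quote(tok) for tok in tokens)
    first, last = tokens[0][0], tokens[-1][-1]
    # \b only anchors next to a word character, so "$$$" gets no boundaries.
    if first.isalnum() or first == "_":
        pattern = r"\b" + pattern
    if last.isalnum() or last == "_":
        pattern = pattern + r"\b"
    return "/" + pattern + "/i"


def build_rules(entries, score=100.0, prefix="LOCAL_WORD"):
    """Return rule text for a word list; blanks, '#' comments and repeats are skipped."""
    seen, lines = set(), []
    for raw in entries:
        entry = raw.strip()
        key = " ".join(entry.lower().split())   # case- and spacing-insensitive identity
        if not entry or entry.startswith("#") or key in seen:
            continue
        seen.add(key)
        name = "%s_%03d" % (prefix, len(seen))  # short, unique, uppercase rule name
        lines += [
            "body     %s  %s" % (name, word_to_regex(entry)),
            "describe %s  Restricted word list entry %d" % (name, len(seen)),
            "score    %s  %.1f" % (name, score),
            "",
        ]
    return "\n".join(lines)


# Constructed sample word list (one entry per line, as it might sit in a file).
SAMPLE_WORDS = ["# local restricted words", "refinance", "Refinance ", "100% free", "$$$", ""]

if __name__ == "__main__":
    print(build_rules(SAMPLE_WORDS))
```

Check the generated file with the `spamassassin --lint` invocation quoted earlier in this archive before loading it; the corrupt custom cf file in the high-load thread shows what a bad rules file can cost.
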
From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:22:20 2006 Subject: TNEF question Message-ID: <006501c3ec06$a3df86c0$5001a8c0@cnpapers.net> I have upgraded to the latest release, but don't really think this is a new problem. I have an Outlook user who seems to be getting his attachments deleted. I have changed the TNEF Expander line in MailScanner.conf from /usr/bin/tnef to internal, and both fail to send the attachment. I am waiting for the last test where I have set Deliver Unparseable TNEF to yes. The real problem is that there is no notification anywhere that the attachment was removed. Nothing in the mail to the admin, the maillog, or the recipient that an attachment was dropped. Is there something like "Silent Viruses" that this falls under? I do see in the maillog that the TNEF Expander was called, but nothing else regarding this message ID. Does anyone have a clue -- Thanks very much for any help. Steve Campbell campbell@cnpapers.com Charleston Newspapers From joshua.hirsh at PARTNERSOLUTIONS.CA Thu Feb 5 16:35:47 2004 From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:22:20 2006 Subject: MailScanner RPM dependencies Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5FBE@eqmail1.efni.vpn> tnef shows up on the RPM I have installed.. $ rpm -q mailscanner -R | grep tnef tnef >= 1.1.1 I believe some of the other dependencies (i.e.: Perl modules) aren't included because some people install them via CPAN or other locations. If this is the case, then RPM wouldn't know about them and still complain about dependency issues even though they do exist on the system. Cheers, -Joshua From campbell at CNPAPERS.COM Thu Feb 5 16:52:19 2004 
From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:22:20 2006 Subject: TNEF question References: <006501c3ec06$a3df86c0$5001a8c0@cnpapers.net> Message-ID: <008f01c3ec08$6add7e20$5001a8c0@cnpapers.net> The final test with Deliver Unparseable TNEF to yes failed to send the attachment also. Thank for any help. Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- From: "Stephe Campbell" To: Sent: Thursday, February 05, 2004 11:39 AM Subject: TNEF question > I have upgraded to the latest release, but don't really think this is a new > problem. > > I have an Outlook user who seems to be getting his attachments deleted. I > have changed the TNEF Expander line in MailScanner.conf from /usr/bin/tnef > to internal, and both fail to send the attachment. I am waiting for the last > test where I have set Deliver Unparseable TNEF to yes. > > The real problem is that there is no notification anywhere that the > attachment was removed. Nothing in the mail to the admin, the maillog, or > the recipient that an attachment was dropped. Is there something like > "Silent Viruses" that this falls under? I do see in the maillog that the > TNEF Expander was called, but nothing else regarding this message ID. > > Does anyone have a clue -- Thanks very much for any help. > > Steve Campbell > campbell@cnpapers.com > Charleston Newspapers From jonathan at STDNET.COM Thu Feb 5 15:39:11 2004 From: jonathan at STDNET.COM (Jonathan Lampe) Date: Thu Jan 12 21:22:20 2006 Subject: Restricted Word List with MailScanner Message-ID: Is there an easy way to use a restricted word list with MailScanner? (No, I don't want a "self-learning" Bayesian filter - I want a word list which into which I can put words which will always flag spam as spam.) From so-mlist-alias at all-about-shift.com Thu Feb 5 15:53:36 2004 
From: so-mlist-alias at all-about-shift.com (Soeren Gerlach) Date: Thu Jan 12 21:22:20 2006 Subject: Bayes database size. In-Reply-To: <200402051440.24833.carles@unlimitedmail.org> References: <200402051440.24833.carles@unlimitedmail.org> Message-ID: <64688.205.191.194.164.1075996416.squirrel@miyako.all-about-shift.com> Hello Carles, > Hi, > I'm using MailScanner with SpamAssassin and the auto_learn option enabled > for > the Bayes DataBase. > > My question is: will the learning process stop when there is enougth > information on the database or will it continuosly learn new spam and ham > messages ? > That it is, is there any limit in the number of spam and ham messages > learned > by the Bayes database ? > > If there is no limit, will my database continuosly increase its size until > I > run out of disk space ? Your bayes database will increase continuously althoug the absolute rate will decrease. There is a possibility to expire old entries on request as well as using the "bayes_auto_expire" configuration parameter for automatically expiring old entries. You may want to check http://au.spamassassin.org/doc/Mail_SpamAssassin_Conf.html for details. regards, Soeren Gerlach From lenaig at WANADOO.FR Thu Feb 5 16:59:38 2004 From: lenaig at WANADOO.FR (Thierry) Date: Thu Jan 12 21:22:20 2006 Subject: f-prot update In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01816CC@busted.dandd.com> References: <8BD06A60242B4341B8919A4AC958C1D01816CC@busted.dandd.com> Message-ID: <20040205165938.GB4915@maelenn> Hi, Same problem for me, i am running freebsd. Thx -- Thierry Ne faites jamais un "apt-get install new-wife" avant un "apt-get remove --purge current-wife" From robv at DISASTER.COM Thu Feb 5 17:07:29 2004 From: robv at DISASTER.COM (Vicchiullo, Rob) Date: Thu Jan 12 21:22:20 2006 Subject: f-prot update Message-ID: <8BD06A60242B4341B8919A4AC958C1D01816D1@busted.dandd.com> I'm on Solaris, no printenv -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Thierry Sent: Thursday, February 05, 2004 12:00 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: f-prot update Hi, Same problem for me, i am running freebsd. Thx -- Thierry Ne faites jamais un "apt-get install new-wife" avant un "apt-get remove --purge current-wife" From raymond at PROLOCATION.NET Thu Feb 5 17:11:45 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:20 2006 Subject: f-prot update In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01816D1@busted.dandd.com> Message-ID: Hi! > Same problem for me, i am running freebsd. Works here, what version MS, what version f-prot ? They just released version 4.3.4. Bye, Raymond. From tmurphy at ICMCONTROLS.COM Thu Feb 5 17:06:57 2004 
From: tmurphy at ICMCONTROLS.COM (Tim Murphy) Date: Thu Jan 12 21:22:20 2006 Subject: F-secure Seems not to be scanning Message-ID: <076e01c3ec0a$76b1fcb0$6a01a8c0@DCQR0G11> System is RH / cpanel / exim / I just installed the new version of MailScanner as of right now Virus Scanners = rav clamav f-prot f-secure mcafee Rav (Works) Clamav (Works) F-prot (Trial) (Works) Mcafee (Works) F-secure (Seems Not To Work) i can do the command line for f-secure /usr/lib/MailScanner/f-secure-wrapper /opt/f-secure/fsav /tmp -And that works Database version: 2004-02-05_01 Scan started at Thu Feb 5 09:05:31 2004 Scan ended at Thu Feb 5 09:05:32 2004 11 files scanned But it is not catching any virus in incoming emails ---------------paste from email--------------------- MessageID: 1Aojlz-0002FM-LP Report: Rav: ./1Aojlz-0002FM-LP/body.zip->body.txt .pif Infected: Win32/Mydoom.A@mm ClamAV: body.zip contains Worm.SCO.A F-Prot: /var/spool/MailScanner/incoming/30908/1Aojlz-0002FM-LP/body.zip-body.txt Infection: W32/Mydoom.A@mm McAfee: /1Aojlz-0002FM-LP/body.zip Found the W32/Mydoom.a@MM virus !!! -----------------End Paste------------------- I dont see any thing in any of the infected mails about f-secure ----------paste from maillog--------------- Feb 5 09:01:07 srv1 update.virus.scanners: Found f-secure installed Feb 5 09:01:07 srv1 update.virus.scanners: Running autoupdate for f-secure -------------End Paste------------------------- Mailscanner is seeing it.. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/2de9472b/attachment.html From sits at CAEDERUS.COM Thu Feb 5 17:23:03 2004 
From: sits at CAEDERUS.COM (Sitsofe Wheeler) Date: Thu Jan 12 21:22:20 2006 Subject: MailScanner RPM dependencies In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB5FBE@eqmail1.efni.vpn> References: <75FEDC422E2309419A9303E7B18F206E04DB5FBE@eqmail1.efni.vpn> Message-ID: <1076001782.1528.106.camel@subsub.caederus.com> On Thu, 2004-02-05 at 16:35, Hirsh, Joshua wrote: > tnef shows up on the RPM I have installed.. > > $ rpm -q mailscanner -R | grep tnef > tnef >= 1.1.1 Ah but this doesn't appear to be enough to suck in the provided RPM via apt/yum. > I believe some of the other dependencies (i.e.: Perl modules) aren't > included because some people install them via CPAN or other locations. If > this is the case, then RPM wouldn't know about them and still complain about > dependency issues even though they do exist on the system. Thanks (I thought it might be deliberate). Any chance we could have a commented out Requires line that does have all the dependencies for the spec file? From steve.swaney at FSL.COM Thu Feb 5 17:48:42 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:20 2006 Subject: f-prot update In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01816D1@busted.dandd.com> Message-ID: <20040205174842.E3AA121C149@mail.fsl.com> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Vicchiullo, Rob > Sent: Thursday, February 05, 2004 12:07 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: f-prot update > > I'm on Solaris, no printenv > What shell are you are you running: 1. Using to call f-prot auto update? 2. Using in the command window that successfully runs the f-prot auto update? Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Thierry > Sent: Thursday, February 05, 2004 12:00 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: f-prot update > > Hi, > Same problem for me, i am running freebsd. > > Thx > > -- > Thierry > Ne faites jamais un "apt-get install new-wife" avant > un "apt-get remove --purge current-wife" > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Fortress Systems Ltd. www.fsl.com From rzewnickie at RFA.ORG Thu Feb 5 18:01:00 2004 
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:20 2006 Subject: force-expire broke bayes? [Re: Bayes database size.] In-Reply-To: <6.0.0.22.0.20040205111514.025f3fd0@xanadu.evi-inc.com> References: <200402051440.24833.carles@unlimitedmail.org> <6.0.0.22.0.20040205111514.025f3fd0@xanadu.evi-inc.com> Message-ID: <20040205180100.GB7760@rfa.org> I added --force-expire to my nightly 3am sa-learn cronjob. (previously done with only --rebuild). Since 3am no messages have bayes scores at all and it looks like autolearning is not working. Could I have done something stupid? -Eric Rz. On Thu, Feb 05, 2004 at 11:20:25AM -0500, Matt Kettler wrote: > At 08:40 AM 2/5/2004, Carles Xavier Munyoz Bald? wrote: > >My question is: will the learning process stop when there is enougth > >information on the database or will it continuosly learn new spam and ham > >messages ? > > It will keep learning. > > >That it is, is there any limit in the number of spam and ham messages > >learned > >by the Bayes database ? > > Yes, read man Mail::SpamAssassin::Conf if you want to try to change it. > > > >If there is no limit, will my database continuosly increase its size until > >I > >run out of disk space ? > > No it won't, as long as the expiry process can successfully run now and > again. The expiry pushes old tokens out of the bayes database if it's over > the size limits. > > If you're using an older version of MailScanner on a busy server, you may > need to run sa-learn --force-expire in your crontab. Newer versions of > MailScanner manage bayes expiry automatically. > > (SA will try to "opportunistically" run expiry as it scans mail, but on a > busy server, with multiple MailScanner children, it's unlikely to be > successful, as it can only succeed in locking the bayes database when only > one message is being SA'ed at the time it tries. Same rules of opportunism > apply to autolearning. It only happens if it can be done without waiting > for a lock.) 
From mailing-oit at tttech.com Thu Feb 5 18:03:49 2004
From: mailing-oit at tttech.com (Christoph Resch)
Date: Thu Jan 12 21:22:20 2006
Subject: New installation -- and problems i never had
In-Reply-To: <1202.81.86.182.54.1075919495.squirrel@mail.solid-state-logic.com>
References: <200402041604.02066.mailing-oit@tttech.com> <200402041704.38202.mailing-oit@tttech.com> <1202.81.86.182.54.1075919495.squirrel@mail.solid-state-logic.com>
Message-ID: <200402051903.50240.mailing-oit@tttech.com>

hi martin,

thanks for support and this mail is just for the ML and for information ..

i now installed mailscanner from latest debian unstable package ..

but i think the problem was, that Mailscanner handled the mails funny ...

mails sent from the commandline to local users have no additional spam-reports ..
everything that goes through SMTP does ..

just interesting

From DARYL at MONM.EDU Thu Feb 5 18:22:17 2004
From: DARYL at MONM.EDU (Carr, Daryl B.)
Date: Thu Jan 12 21:22:20 2006
Subject: How to scan mail going out?
Message-ID: <995C465EA5BB0D42A493986D8D2E075089D9@ntmail2.monm.edu>

Hello,

We have just set up MailScanner 4.25-10 on a Red Hat Linux 9 machine. We are using Sendmail 8.12.8 and Perl 5.8.0.

Currently, the flow of messages is like this:

all SMTP traffic incoming to ourdomain.com -> firewall(with rule) -> MailScanner -> Exchange 2003 server (ip: 10.10.1.2)

To make the last step happen (MailScanner->Exchange 2003), we added a line to /etc/mail/mailertable like this:

ourdomain.com smtp:[10.10.1.2]

So that flow works perfectly. But now we would like to add the outgoing traffic to the mix. The Exchange 2003 server is delivering directly and not going through MailScanner. We would like mail to travel:

Exchange 2003 Server (all messages from @ourdomain.com) -> MailScanner -> Recipient

We have used telnet to drop messages off to the MailScanner machine and they are delivered through the firewall just fine. But when we tell the exchange 2003 server to deliver the messages to the MailScanner, they do not get delivered although we can tell that they are getting pushed off to the MailScanner machine. We had also added a line to the relay-domains file for ourdomain.com.

Thanks for any help!

From ugob at CAMO-ROUTE.COM Thu Feb 5 18:26:09 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:20 2006
Subject: How to scan mail going out?
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108BA@mtlnt501fs.CAMOROUTE.COM>

-----Original Message-----
From: Carr, Daryl B. [mailto:DARYL@MONM.EDU]
Sent: Thursday, February 05, 2004 1:22 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: How to scan mail going out?

Hello,

We have just set up MailScanner 4.25-10 on a Red Hat Linux 9 machine. We are using Sendmail 8.12.8 and Perl 5.8.0.

Currently, the flow of messages is like this:

all SMTP traffic incoming to ourdomain.com -> firewall(with rule) -> MailScanner -> Exchange 2003 server (ip: 10.10.1.2)

To make the last step happen (MailScanner->Exchange 2003), we added a line to /etc/mail/mailertable like this:

ourdomain.com smtp:[10.10.1.2]

So that flow works perfectly. But now we would like to add the outgoing traffic to the mix. The Exchange 2003 server is delivering directly and not going through MailScanner. We would like mail to travel:

Exchange 2003 Server (all messages from @ourdomain.com) -> MailScanner -> Recipient

We have used telnet to drop messages off to the MailScanner machine and they are delivered through the firewall just fine. But when we tell the exchange 2003 server to deliver the messages to the MailScanner, they do not get delivered although we can tell that they are getting pushed off to the MailScanner machine. We had also added a line to the relay-domains file for ourdomain.com.

[Ugo Bellavance] You must put the IP address of your exchange server in /etc/mail/access like this

192.168.x.x RELAY

Thanks for any help!

[Ugo Bellavance] No prob. Please don't use HTML on mailing lists

From Kevin_Miller at CI.JUNEAU.AK.US Thu Feb 5 18:31:44 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:20 2006
Subject: How to scan mail going out?
Message-ID: <08146035CA49D6119A36009027AC822A0264EDC3@CITY-EXCH-NTS>

I think what you need to do is to put this line in your /etc/mail/access file:

192.168.8.33	RELAY
ourdomain.com	RELAY
...

Be sure to run the makemap command after you edit /etc/mail/access to rebuild the database, and of course, use your own IP addresses for your hosts or subnet ranges rather than the sample one above. Be sure to use tabs rather than spaces in the entries.

HTH...

...Kevin
--
Kevin Miller
Registered Linux User No: 307357
CBJ MIS Dept.
Network Systems Administrator, Mail Administrator
155 South Seward Street
ph: (907) 586-0242
Juneau, Alaska 99801
fax: (907 586-4500

-----Original Message-----
From: Carr, Daryl B. [mailto:DARYL@MONM.EDU] Sent: Thursday, February 05, 2004 9:22 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: How to scan mail going out? Hello, We have just set up MailScanner 4.25-10 on a Redhad Linux 9 machine. We are using Sendmail 8.12.8 and Perl 5.8.0. Currently, the flow of messages is like this: all SMTP traffic incoming to ourdomain.com -> firewall(with rule) -> MailScanner -> Exchange 2003 server (ip: 10.10.1.2) To make the last step happen (MailScanner->Exchange 2003), we added a line to /etc/mail/mailertable like this: ourdomain.com smtp:[10.10.1.2] So that flow works perfectly. But now we would like to add the outgoing traffic to the mix. The Exchange 2003 server is delivering directly and not going through MailScanner. We would like mail to travel: Exchange 2003 Server (all messages from @ourdomain.com) -> MailScanner -> Recipient We have used telnet to drop messages off to the MailScanner machine and they are delivered through the firewall just fine. But when we tell the exchange 2003 server to deliver the messages to the MailScanner, they do not get delivered although we can tell that they are getting pushed off to the MailScanner machine. We had also added a line to the relay-domains file for ourdomain.com. Thanks for any help! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/8ae11bde/attachment.html From jaearick at COLBY.EDU Thu Feb 5 18:32:29 2004 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:22:20 2006 Subject: force-expire broke bayes? [Re: Bayes database size.] In-Reply-To: <20040205180100.GB7760@rfa.org> References: <200402051440.24833.carles@unlimitedmail.org> <6.0.0.22.0.20040205111514.025f3fd0@xanadu.evi-inc.com> <20040205180100.GB7760@rfa.org> Message-ID: Are you running 4.26.8, maybe with Julian's patch to SA.pm from a couple of days ago? If so, then you *do not* want to do force-expire via a cron job. MS handles this internally in 4.26.8. Jeff Earickson On Thu, 5 Feb 2004, Eric Dantan Rzewnicki wrote: > Date: Thu, 5 Feb 2004 13:01:00 -0500 
> From: Eric Dantan Rzewnicki > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: force-expire broke bayes? [Re: Bayes database size.] > > I added --force-expire to my nightly 3am sa-learn cronjob. (previously > done with only --rebuild). Since 3am no messages have bayes scores at > all and it looks like autolearning is not working. > > Could I have done something stupid? > > -Eric Rz. > > On Thu, Feb 05, 2004 at 11:20:25AM -0500, Matt Kettler wrote: > > At 08:40 AM 2/5/2004, Carles Xavier Munyoz Bald? wrote: > > >My question is: will the learning process stop when there is enougth > > >information on the database or will it continuosly learn new spam and ham > > >messages ? > > > > It will keep learning. > > > > >That it is, is there any limit in the number of spam and ham messages > > >learned > > >by the Bayes database ? > > > > Yes, read man Mail::SpamAssassin::Conf if you want to try to change it. > > > > > > >If there is no limit, will my database continuosly increase its size until > > >I > > >run out of disk space ? > > > > No it won't, as long as the expiry process can successfully run now and > > again. The expiry pushes old tokens out of the bayes database if it's over > > the size limits. > > > > If you're using an older version of MailScanner on a busy server, you may > > need to run sa-learn --force-expire in your crontab. Newer versions of > > MailScanner manage bayes expiry automatically. > > > > (SA will try to "opportunistically" run expiry as it scans mail, but on a > > busy server, with multiple MailScanner children, it's unlikely to be > > successful, as it can only succeed in locking the bayes database when only > > one message is being SA'ed at the time it tries. Same rules of opportunism > > apply to autolearning. It only happens if it can be done without waiting > > for a lock.) > From mspieth at NEOD.NET Thu Feb 5 18:32:40 2004 
From: mspieth at NEOD.NET (Mark Spieth)
Date: Thu Jan 12 21:22:20 2006
Subject: How to scan mail going out?
Message-ID:

2 parts here.

1. On the Redhat Box setup in /etc/mail/access a relay entry so that the exchange server can relay mail via your redhat box. E.g.

10.10.1.2 relay

2. Then on your exchange server open your exchange manager.

Open Servers->servername->protocols->smtp->default smtp Virtual Server

Right click on the default smtp server and choose properties. Then go to the delivery tab and click advanced. Put the IP address of your redhat box in the Smart Host section and restart the smtp service. All outbound email will then route through the redhat box rather than having the exchange server attempt to deliver it directly. Also make sure that the attempt direct delivery box is unchecked.

Mark

Mark Spieth - Director of Internet Services
Northeast Ohio Digital Inc.
http://www.neod.net
mspieth@neod.net
330-830-6551

-----Original Message-----
From: Carr, Daryl B. [mailto:DARYL@MONM.EDU] Sent: Thursday, February 05, 2004 1:22 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: How to scan mail going out? Hello, We have just set up MailScanner 4.25-10 on a Redhad Linux 9 machine. We are using Sendmail 8.12.8 and Perl 5.8.0. Currently, the flow of messages is like this: all SMTP traffic incoming to ourdomain.com -> firewall(with rule) -> MailScanner -> Exchange 2003 server (ip: 10.10.1.2) To make the last step happen (MailScanner->Exchange 2003), we added a line to /etc/mail/mailertable like this: ourdomain.com smtp:[10.10.1.2] So that flow works perfectly. But now we would like to add the outgoing traffic to the mix. The Exchange 2003 server is delivering directly and not going through MailScanner. We would like mail to travel: Exchange 2003 Server (all messages from @ourdomain.com) -> MailScanner -> Recipient We have used telnet to drop messages off to the MailScanner machine and they are delivered through the firewall just fine. But when we tell the exchange 2003 server to deliver the messages to the MailScanner, they do not get delivered although we can tell that they are getting pushed off to the MailScanner machine. We had also added a line to the relay-domains file for ourdomain.com. Thanks for any help! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/8a50de4e/attachment.html From taz at AZTEK-ENG.COM Thu Feb 5 18:48:58 2004 
From: taz at AZTEK-ENG.COM (Travis Zadikem)
Date: Thu Jan 12 21:22:20 2006
Subject: sendmail error after trying to start mailscanner
Message-ID: <000001c3ec18$b6ff22d0$e90200bf@tazpc>

Quick question on a Mandrake 9.1 install. I have downloaded the rpm of MailScanner 4.26.8-1 and after stopping sendmail and starting Mailscanner I was getting an error about the Module CIDR.pm. So, I installed that module. Now when I try to start MailScanner I get the following error (with sendmail stopped): incoming sendmail: sendmail:

invalid option -- O
sendmail: fatal: usage: sendmail [options]

where can I fix this problem at.

Thanks

From dustin.baer at IHS.COM Thu Feb 5 18:46:01 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:20 2006
Subject: f-prot update
References: <8BD06A60242B4341B8919A4AC958C1D01816D1@busted.dandd.com>
Message-ID: <40228F69.8F35276B@ihs.com>

"Vicchiullo, Rob" wrote:
>
> I'm on Solaris, no printenv

/usr/ucb/printenv ?

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From raymond at PROLOCATION.NET Thu Feb 5 18:58:02 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:20 2006
Subject: sendmail error after trying to start mailscanner
In-Reply-To: <000001c3ec18$b6ff22d0$e90200bf@tazpc>
Message-ID:

Hi!

> installed that module. Now when I try to start MailScanner I get the
> following error (with sendmail stopped): incoming sendmail: sendmail:
>
> invalid option -- O
> sendmail: fatal: usage: sendmail [options]
>
> where can I fix this problem at.

What version sendmail are you running ?

Bye,
Raymond.

From kevins at BMRB.CO.UK Thu Feb 5 19:00:22 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:20 2006
Subject: sendmail error after trying to start mailscanner
In-Reply-To: <000001c3ec18$b6ff22d0$e90200bf@tazpc>
References: <000001c3ec18$b6ff22d0$e90200bf@tazpc>
Message-ID: <1076007629.22416.16.camel@bach.kevinspicer.co.uk>

On Thu, 2004-02-05 at 18:48, Travis Zadikem wrote:
> Quick question on a Mandrake 9.1 install. I have downloaded the rpm of
> MailScanner 4.26.8-1 and after stopping sendmail and starting
> Mailscanner I was getting an error about the Module CIDR.pm. So, I
> installed that module. Now when I try to start MailScanner I get the
> following error (with sendmail stopped): incoming sendmail: sendmail:
>
> invalid option -- O
> sendmail: fatal: usage: sendmail [options]
>
> where can I fix this problem at.
>

Absurd as it sounds I think your problem is that you actually have postfix installed, not sendmail! The error message above is in the format postfix uses for reporting errors, sendmail looks different.

Mandrake uses Debian's 'alternatives' system, which means that sendmail is a symlink to /etc/alternatives/mta - which in turn is a symlink to whichever mta you have installed.

so either configure mailscanner/postfix to work together or, if you have already installed sendmail use the update-alternatives command to change the configuration.

If sendmail isn't installed...

rpm -e postfix
rpm -i sendmail

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From rzewnickie at RFA.ORG Thu Feb 5 19:01:14 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:20 2006
Subject: force-expire broke bayes? [Re: Bayes database size.]
In-Reply-To:
References: <200402051440.24833.carles@unlimitedmail.org> <6.0.0.22.0.20040205111514.025f3fd0@xanadu.evi-inc.com> <20040205180100.GB7760@rfa.org>
Message-ID: <20040205190114.GF7760@rfa.org>

No, I'm still on 4.25-14.

It's a permissions problem. My crontab entry was in root's crontab. This apparently worked fine for --rebuild, but adding --force-expire caused the ownership of bayes_toks to change to root.root from postfix.postfix. As soon as I did

chown postfix.postfix bayes_toks

things started working again.

-Eric Rz.

On Thu, Feb 05, 2004 at 01:32:29PM -0500, Jeff A. Earickson wrote:
> Are you running 4.26.8, maybe with Julian's patch to SA.pm from
> a couple of days ago? If so, then you *do not* want to do force-expire
> via a cron job. MS handles this internally in 4.26.8.
>
> Jeff Earickson
>
> On Thu, 5 Feb 2004, Eric Dantan Rzewnicki wrote:
>
> > Date: Thu, 5 Feb 2004 13:01:00 -0500
> > From: Eric Dantan Rzewnicki > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: force-expire broke bayes? [Re: Bayes database size.] > > > > I added --force-expire to my nightly 3am sa-learn cronjob. (previously > > done with only --rebuild). Since 3am no messages have bayes scores at > > all and it looks like autolearning is not working. > > > > Could I have done something stupid? > > > > -Eric Rz. > > > > On Thu, Feb 05, 2004 at 11:20:25AM -0500, Matt Kettler wrote: > > > At 08:40 AM 2/5/2004, Carles Xavier Munyoz Bald? wrote: > > > >My question is: will the learning process stop when there is enougth > > > >information on the database or will it continuosly learn new spam and ham > > > >messages ? > > > > > > It will keep learning. > > > > > > >That it is, is there any limit in the number of spam and ham messages > > > >learned > > > >by the Bayes database ? > > > > > > Yes, read man Mail::SpamAssassin::Conf if you want to try to change it. > > > > > > > > > >If there is no limit, will my database continuosly increase its size until > > > >I > > > >run out of disk space ? > > > > > > No it won't, as long as the expiry process can successfully run now and > > > again. The expiry pushes old tokens out of the bayes database if it's over > > > the size limits. > > > > > > If you're using an older version of MailScanner on a busy server, you may > > > need to run sa-learn --force-expire in your crontab. Newer versions of > > > MailScanner manage bayes expiry automatically. > > > > > > (SA will try to "opportunistically" run expiry as it scans mail, but on a > > > busy server, with multiple MailScanner children, it's unlikely to be > > > successful, as it can only succeed in locking the bayes database when only > > > one message is being SA'ed at the time it tries. Same rules of opportunism > > > apply to autolearning. It only happens if it can be done without waiting > > > for a lock.) 
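The fault reported in this thread (a root cron job running sa-learn --force-expire left bayes_toks owned by root.root instead of postfix.postfix, after which no message got a Bayes score) can be caught by checking ownership after each maintenance run. This is an added example, not code from any poster or from MailScanner; the function names, the directory argument and the sample files are assumptions, and owner and group are written `user:group`.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of MailScanner or SpamAssassin).
# Print every bayes_* file in DIR whose owner:group differs from WANT.
# Returns 0 if all files match, 1 if any differ, 2 if no bayes_* file exists
# (a missing database also leaves messages without Bayes scores).
bayes_owner_mismatches() {
    dir=$1
    want=$2            # e.g. postfix:postfix on the poster's system
    found=0
    status=0
    for f in "$dir"/bayes_*; do
        [ -e "$f" ] || continue
        found=1
        # Fields 3 and 4 of "ls -ld" are the owner and group names.
        have=$(ls -ld "$f" | awk '{ print $3 ":" $4 }')
        if [ "$have" != "$want" ]; then
            printf '%s is %s (expected %s)\n' "$f" "$have" "$want"
            status=1
        fi
    done
    [ "$found" -eq 1 ] || return 2
    return "$status"
}

# Demonstration on constructed files: they belong to whoever runs the script,
# so checking them against postfix:postfix reports both as mismatched unless
# the script itself runs as postfix.
bayes_owner_demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/bayes_toks"
    : > "$tmp/bayes_seen"
    rc=0
    bayes_owner_mismatches "$tmp" "postfix:postfix" || rc=$?
    echo "check exit status: $rc"
    rm -rf "$tmp"
    return 0
}

bayes_owner_demo
```

Running the sa-learn job from the crontab of the account that owns the database, rather than root's, avoids creating root-owned files in the first place.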
> > From jfraley at glenraven.com Thu Feb 5 19:42:25 2004 From: jfraley at glenraven.com (Jon Fraley) Date: Thu Jan 12 21:22:20 2006 Subject: not scan local mail Message-ID: <1076010144.2141.13.camel@jfraleyx.glenraven.com> How can I tell MailScanner not to scan messages that originate from the server that MailScanner is running. Jon From hermit921 at YAHOO.COM Thu Feb 5 19:49:12 2004 
From: hermit921 at YAHOO.COM (hermit921) Date: Thu Jan 12 21:22:20 2006 Subject: untagged messages In-Reply-To: <40226B28.5020904@pa.net> References: <6.0.0.22.2.20040204104406.01e4a2b8@pop.mail.yahoo.com> <40226B28.5020904@pa.net> Message-ID: <6.0.0.22.2.20040205114428.01fcfb38@pop.mail.yahoo.com> At 08:11 AM 2/5/2004, Leland J. Steinke wrote: >hermit921 wrote: >>I am still trying to figure out why some messages don't get tagged by >>MailScanner 4-23, postfix 2. Every email should get tagged with at least >>one MailScanner header, but some don't. >> >>I came up with an idea. Is this feasible: >>Spammer sets up his client to use our mail server as his smtp >>gateway. Should work for any message addressed to a user in our domain, >>but he can't send mail outside. So spammer addresses a message to >>usera@mydomain, with CC or BCC to userb, userc, userd, etc. Now I get >>fuzzy.... >> >>One message appears here, postfix dumps it in the hold queue. Postfix >>splits it up at the same time, so only the original message gets the >>MailScanner headers. Since I can't track the original, I can't verify the >>presence of headers. >> >>Am I way off? > >As I recall, the cleanup daemon is what puts the arriving message into the >hold queue, but it is downstream where the qmgr daemon that actually splits >the message up for different destinations via the trivial-rewrite daemon. >See http://www.postfix.org/big-picture.html. > >I saw one of these untagged messages this morning. I was able to track it >through our logs where it did, in fact, get a SA score of 9.7, but there >were no MS headers in the message at all. This was in the headers that did >make it through: > >Message-ID: >We are researching to see if this would make postfix, MailScanner, or >SpamAssassin choke. Other than the Message-ID, we saw nothing structurally >pathological with this message. Did your untagged message have a similar >header? 
>
>
>Leland

Here is an example with headers and body, with a few changes to protect my
names and IP addresses.

>Received: from mail3.me.com (mail3.me.com [a.b.c.d])
>    by mail.me.com (AIX4.3/8.9.3/8.9.3) with ESMTP id BAA97118
>    for ; Wed, 4 Feb 2004 01:37:42 -0800
>Received: from 66.148.68.10 (server10.enter7.com [66.148.68.10])
>    by mail3.me.com (Postfix) with SMTP id 7AC0B124003
>    for ; Wed, 4 Feb 2004 01:37:35 -0800 (PST)
>Date: Wed, 04 Feb 2004 04:37:38 -0500
>From: "Norris Message-Id: <20040204093735.7AC0B124003@mail3.me.com>
>To: undisclosed-recipients:;
>X-UIDL: >-9"!NO+!!Gmf"!$TC!!
>
>
>nurtoplpn@enter7.com

hermit921

From mailscanner at ecs.soton.ac.uk Thu Feb 5 20:00:37 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:20 2006
Subject: f-prot update
In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01816D1@busted.dandd.com>
References: <8BD06A60242B4341B8919A4AC958C1D01816D1@busted.dandd.com>
Message-ID: <6.0.1.1.2.20040205195959.03cdb410@imap.ecs.soton.ac.uk>

At 17:07 05/02/2004, you wrote:
>I'm on Solaris, no printenv

It's not OS-dependent, it's shell-dependent. Please learn how to use your
shell :-)
Try "env" instead.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Thierry
>Sent: Thursday, February 05, 2004 12:00 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: f-prot update
>
>Hi,
>Same problem for me, i am running freebsd.
>
>Thx
>
>--
>Thierry
>Never do an "apt-get install new-wife" before
>an "apt-get remove --purge current-wife"

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 5 19:56:15 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:20 2006
Subject: MailScanner RPM dependencies
In-Reply-To: <1075993782.1528.86.camel@subsub.caederus.com>
References: <1075993782.1528.86.camel@subsub.caederus.com>
Message-ID: <6.0.1.1.2.20040205195523.05c1be68@imap.ecs.soton.ac.uk>

At 15:09 05/02/2004, you wrote:
>Hi,
>
>I've noticed that the MailScanner specfile does not actually list
>dependencies on all the RPMs it needs to run. This means it is hard to
>get working with tools like apt and yum when all the RPMs are provided
>by a repository (also the tnef was not picked up even though it is listed
>as a requires). Was this intentional?

Yes. You might well have installed the Perl modules through something other
than RPM (CPAN for example). Having all the dependencies caused a lot of
problems.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 5 19:44:54 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:20 2006
Subject: Maximum Notifications Limit
In-Reply-To: <1075946947.31331.89.camel@mail.dcresearch.com>
References: <1075946947.31331.89.camel@mail.dcresearch.com>
Message-ID: <6.0.1.1.2.20040205194417.05dbeec0@imap.ecs.soton.ac.uk>

By default, new or upgraded installations don't notify senders.
Notifying senders is now a bad idea and shouldn't be done.

At 02:09 05/02/2004, you wrote:
>There should be a maximum number of virus infection notifications sent
>per day value. After so many infection bounce notifications, the system
>should stop sending them. Otherwise our messages that alert "senders"
>that they have sent a virus infected message could bring the Internet
>to its knees. Typically, I register a new virus as "silent" in the
>configurations right away. Here's an interesting article on the
>subject.
>
>http://www.raeinternet.com/newsletter/interview_skulason_092303.html
>
>
>--
>Joe Baker
>Digital Communications Research, Inc.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 5 19:46:49 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:20 2006
Subject: upgrade_MailScanner_conf help text inconsistency
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040205194641.05d0ec88@imap.ecs.soton.ac.uk>

Well spotted. Fixed.

At 07:26 05/02/2004, you wrote:
>When you run upgrade_mailscanner_conf with no arguments, it suggests
>running it with the command
>| upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.new
>
>When you then do so, at the end it says
>
>| If you ran this with a command like this
>| upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.conf.new
>| then you should do
>| diff MailScanner.conf.rpmnew MailScanner.conf.new
>| and check for any differences in values you have not changed yourself.
>
>Note that the suggested filename has changed from MailScanner.new to
>MailScanner.conf.new
>
>Not a big deal - I'm sure all but the most clueless of admins will work
>it out for themselves - but it would be nice to be consistent just so
>that copying and pasting the suggested commands unchanged will work!
>Or better still, make the suggestion use the arguments actually passed.
>
>John.
>
>--
>-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
>-- Translate your technical documents and web pages - www.tradoc.fr

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 5 19:51:25 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:20 2006
Subject: Fix for bayes rebuild bug on Solaris
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040205195036.0376b438@imap.ecs.soton.ac.uk>

At 14:19 05/02/2004, you wrote:
>Ok it seems to be working. I'm confused by the scheduling though. I
>set the rebuild to 300 secs last night so I could check adequately but
>it never ran a rebuild every 5 mins. Before anyone asks why 5 mins,
>this was only to "test" the code.
>
>Anyway, this morning I checked the logs and the rebuild did occur. But
>it looks like it just ran twice 5mins apart after the 4hr Mailscanner
>restart time. Is this correct?

Yes. It's intended that Rebuild Every > Restart Every and the timing is
only approximate anyway. It gets done at the start of a new child process
after the timeout has occurred.

>Feb 5 03:16:37 eeyore MailScanner[2023]: Bayes database rebuild is due
>Feb 5 03:16:38 eeyore MailScanner[2023]: SpamAssassin Bayes database rebuild preparing
>Feb 5 03:16:43 eeyore MailScanner[2023]: SpamAssassin Bayes database rebuild starting
>Feb 5 03:22:09 eeyore MailScanner[2658]: Bayes database rebuild is due
>Feb 5 03:22:11 eeyore MailScanner[2658]: SpamAssassin Bayes database rebuild preparing
>Feb 5 03:22:25 eeyore MailScanner[2658]: SpamAssassin Bayes database rebuild starting
>Feb 5 07:17:47 eeyore MailScanner[18646]: Bayes database rebuild is due
>Feb 5 07:17:48 eeyore MailScanner[18646]: SpamAssassin Bayes database rebuild preparing
>Feb 5 07:18:22 eeyore MailScanner[18646]: SpamAssassin Bayes database rebuild starting
>Feb 5 07:23:02 eeyore MailScanner[19177]: Bayes database rebuild is due
>Feb 5 07:23:03 eeyore MailScanner[19177]: SpamAssassin Bayes database rebuild preparing
>Feb 5 07:23:09 eeyore MailScanner[19177]: SpamAssassin Bayes database rebuild starting
>
>
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Sent: Wednesday, February 04, 2004 4:41 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Fix for bayes rebuild bug on Solaris
>
>At 18:05 02/02/2004, you wrote:
> >At 17:57 02/02/2004, you wrote:
> >>Gee...
> >>
> >>FWIW, it happened a couple of centuries ago, but I recall having
> >>serious trouble making Perl's flock() work on Solaris... same
> >>situation, all development done under linux without a hitch and
> >>Solaris ignored all the locking... and it wasn't an interoperability
> >>problem, since I was competing against my own script...
> >>
> >>The point is I don't quite remember what we did to solve it (we is an
> >>understatement, since it wasn't me programming, I was just the
> >>designer)... it must have been perl 5.6.x and Solaris 7, but I'm not
> >>sure either...
> >>
> >>Seems like you'll need a Solaris box to test it thoroughly... I
> >>wouldn't even trust Solaris-x86 to behave identically to Solaris-Sparc :-(
> >
> >I've got an Ultra-5 so I can do a real test. If necessary, I can build a
> >Solaris-x86 box too. But as you say, the best place to try it is a real sparc.
>
>I have found the problem. Attached is a very short patch to SA.pm. This
>should let you enable the "Rebuild Bayes Every" feature that does
>scheduled Bayes database rebuilds.
>
>If you turn this feature on in MailScanner.conf, you will want to set
>    bayes_auto_expire 0
>in your spam.assassin.prefs.conf to disable the (unsuccessful) attempts
>at letting SpamAssassin rebuild its Bayes database when it feels like
>it.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dustin.baer at IHS.COM Thu Feb 5 20:56:08 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:20 2006
Subject: not scan local mail
References: <1076010144.2141.13.camel@jfraleyx.glenraven.com>
Message-ID: <4022ADE8.A0861F4D@ihs.com>

Jon Fraley wrote:
>
> How can I tell MailScanner not to scan messages that originate from the
> server that MailScanner is running.
>
> Jon

Hi Jon,

Which scan? Spam scanning, or virus scanning?

Do the README, or EXAMPLES files in MailScanner/etc/rules help you?

Basically, just create a rule for your server.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From taz at AZTEK-ENG.COM Thu Feb 5 21:03:34 2004
From: taz at AZTEK-ENG.COM (Travis)
Date: Thu Jan 12 21:22:20 2006
Subject: sendmail error after trying to start mailscanner
References:
Message-ID: <013d01c3ec2b$87bcc4b0$e90200bf@tazpc>

Sendmail version 8.12.9. Removed postfix package and now this error goes
away. But now, the mail is just sitting in mqueue

----- Original Message -----
From: "Raymond Dijkxhoorn"
To:
Sent: Thursday, February 05, 2004 11:58 AM
Subject: Re: sendmail error after trying to start mailscanner

> Hi!
>
> > installed that module. Now when I try to start MailScanner I get the
> > following error (with sendmail stopped): incoming sendmail: sendmail:
> >
> > invalid option -- O
> > sendmail: fatal: usage: sendmail [options]
> >
> > where can I fix this problem at.
>
> What version sendmail are you running ?
>
> Bye,
> Raymond.

From steinkel at PA.NET Thu Feb 5 21:40:34 2004
From: steinkel at PA.NET (Leland J. Steinke)
Date: Thu Jan 12 21:22:20 2006
Subject: untagged messages
References: <6.0.0.22.2.20040204104406.01e4a2b8@pop.mail.yahoo.com> <40226B28.5020904@pa.net> <6.0.0.22.2.20040205114428.01fcfb38@pop.mail.yahoo.com>
Message-ID: <4022B852.2070901@pa.net>

hermit921 wrote:
>
> Here is an example with headers and body, with a few changes to protect my
> names and IP addresses.
>
>> Received: from mail3.me.com (mail3.me.com [a.b.c.d])
>>     by mail.me.com (AIX4.3/8.9.3/8.9.3) with ESMTP id BAA97118
>>     for ; Wed, 4 Feb 2004 01:37:42 -0800
>> Received: from 66.148.68.10 (server10.enter7.com [66.148.68.10])
>>     by mail3.me.com (Postfix) with SMTP id 7AC0B124003
>>     for ; Wed, 4 Feb 2004 01:37:35 -0800 (PST)
>> Date: Wed, 04 Feb 2004 04:37:38 -0500
>> From: "Norris > Message-Id: <20040204093735.7AC0B124003@mail3.me.com>
>> To: undisclosed-recipients:;
>> X-UIDL: >-9"!NO+!!Gmf"!$TC!!
>>
>>
>> nurtoplpn@enter7.com
>

Here is the complete message as quarantined on our MS server:

==8<===8<===
Received: from CM-vina1-134-59.cm.vtr.net (CM-vina1-134-59.cm.vtr.net [200.104.134.59])
    by mx05.pa.net (Postfix) with SMTP id 6A140111526
    for ; Wed, 4 Feb 2004 17:41:35 -0500 (EST)
Received: from 183.240.155.128 by 200.104.134.59; Wed, 04 Feb 2004 21:38:34 -0100
Message-ID: Delivered-To: steinkel@pa.net
Received: from [local delivery stuff irrelevant to the discussion]
Received: from CM-vina1-134-59.cm.vtr.net (CM-vina1-134-59.cm.vtr.net [200.104.134.59])
    by mx05.pa.net (Postfix) with SMTP id 6A140111526
    for ; Wed, 4 Feb 2004 17:41:35 -0500 (EST)
Received: from 183.240.155.128 by 200.104.134.59; Wed, 04 Feb 2004 21:38:34 -0100
Message-ID: <6.0.0.22.2.20040204104406.01e4a2b8@pop.mail.yahoo.com> <40226B28.5020904@pa.net> <6.0.0.22.2.20040205114428.01fcfb38@pop.mail.yahoo.com> <4022B852.2070901@pa.net>
Message-ID: <4022BFD3.9080303@pa.net>

Leland J. Steinke wrote:
> hermit921 wrote:
>
>>
>> Here is an example with headers and body, with a few changes to
>> protect my
>> names and IP addresses.

well, I shoved my original message through the mailscanner gauntlet again
and here is what happened.

The envelope sender was replicated as the (originally null) message body
and the MS headers were nowhere to be seen. I do not believe that this is
a postfix issue, since I "netcat"ted the message to our smtp delivery
server (also running postfix) directly and the message came through with no
message body added.

We are running 4.25-14. If MailScanner were written in C, I would suspect
pointer arithmetic gone awry. Must... test... more... tomorrow...

Leland

From bpumphrey at WOODMACLAW.COM Thu Feb 5 22:29:52 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:20 2006
Subject: Mail pending 754
Message-ID:

On my stats it says "Mail pending 754"

Is this a big number? I use mailstats and that's what it shows.

More:

Mail Analysis
General Mail Statistics
Data since December 23 2003 13:42:20 - Data up to February 5 2004 17:20:02 EST (44.2 days)

Total messages handled          87,995
Messages rejected               187
Total data handled              1.09G bytes
Spam received                   42,062
Messages handled successfully   87,808
Rejection rate                  0.21%
Average message size            13K bytes
Blocked IPs                     0
Average messages per day        1,995
Viruses detected                2,088
Rejected in last 5 mins         0
Spam rate                       47.90%
Messages in last 5 mins         25
Infection rate                  2.38%
Mail pending                    754
AV Updated                      Feb 5 17:01:03

From lee at SJU.EDU Thu Feb 5 22:43:10 2004
From: lee at SJU.EDU (Stephen Lee)
Date: Thu Jan 12 21:22:20 2006
Subject: virus detected but still delivered
Message-ID: <4022C6FE.C2AEBD8A@sju.edu>

Hello,

MailScanner-4.25-14
Mail-SpamAssassin-2.63
Solaris 9
McAfee engine 4.3.20 and DAT 4322

McAfee stopped running some time ago for me. My file extension rules
were keeping out so many viruses I never realized it stopped until
today. I got it running again but still have a problem. Below is a log
snippet that shows the virus in this batch of three messages being
detected but still delivered. What configuration setting did I screw
up?

Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Found 408 messages waiting
Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Scanning 3 messages, 49642 bytes
Feb 5 17:27:38 mailhost MailScanner[9732]: Spam Checks: Starting
Feb 5 17:27:38 mailhost MailScanner[9732]: RBL checks: i15MGrbt004289 found in spamhaus.org
Feb 5 17:27:40 mailhost MailScanner[9732]: Message i15MGrbt004289 from 64.253.207.198 (6-5567031-sju.edu?jh127389@stderr.emarketmachine2.com) to sju.edu is spam, spamhaus.org, SpamAssassin (score=6.7, required 6, BAYES_80 2.86, BigEvilList_159 3.00, CLICK_BELOW 0.00, HTML_50_60 0.10, HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_FACE_ODD 0.32, HTML_IMAGE_RATIO_06 0.23, HTML_WEB_BUGS 0.10)
Feb 5 17:27:41 mailhost MailScanner[9732]: RBL checks: i15MEDbd001213 found in spamhaus.org
Feb 5 17:27:43 mailhost MailScanner[9732]: Message i15MEDbd001213 from 69.56.42.89 (bounce-rllrwsssgvrewz@jaadvjjjc.planetaryorbitz.com) to sju.edu is spam, spamhaus.org, SpamAssassin (score=8, required 6, BANG_MONEY 1.72, BAYES_60 1.10, BigEvilList_49 3.00, CLICK_BELOW_CAPS 0.50, HTML_60_70 0.10, HTML_FONT_BIG 0.22, HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_COLOR_RED 0.10, HTML_FONT_COLOR_UNSAFE 0.10, HTML_IMAGE_RATIO_06 0.23, HTML_LINK_CLICK_HERE 0.10, MAILTO_TO_SPAM_ADDR 0.68)
Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Checks: Found 2 spam messages
Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message i15MGrbt004289 actions are striphtml,deliver
Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message i15MEDbd001213 actions are striphtml,deliver
Feb 5 17:27:44 mailhost MailScanner[9732]: Virus and Content Scanning: Starting
Feb 5 17:27:46 mailhost MailScanner[9732]: /datavol15/incoming/9732/i15MM5bV010213/readme.zip2 Found the W32/Mydoom.a@MM virus !!!
Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: McAfee found 1 infections
Feb 5 17:27:46 mailhost MailScanner[9732]: Infected message datavol15 came from
Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: Found 1 viruses
Feb 5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and will convert HTML message to plain text in i15MGrbt004289
Feb 5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and will convert HTML message to plain text in i15MEDbd001213
Feb 5 17:27:46 mailhost MailScanner[9732]: Uninfected: Delivered 3 messages

Regards,
Steve
--
Stephen J. Lee                      Saint Joseph's University
Senior Systems Administrator        5600 City Avenue
Networking & Telecommunications     Philadelphia, PA 19131-1395
E-mail: lee@sju.edu                 Voice: (610) 660-1679
                                    Fax: (610) 660-1573

From mike at CAMAROSS.NET Thu Feb 5 22:58:16 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:20 2006
Subject: Mail pending 754
In-Reply-To:
Message-ID: <200402052256.i15MuTD7028802@avwall.bladeware.com>

Run 'mailq' and see what the output is. It should tell you what's pending
AND why.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Billy A. Pumphrey
Sent: Thursday, February 05, 2004 4:30 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Mail pending 754

On my stats it says "Mail pending 754"

Is this a big number? I use mailstats and that's what it shows.

More:

Mail Analysis
General Mail Statistics
Data since December 23 2003 13:42:20 - Data up to February 5 2004 17:20:02 EST (44.2 days)

Total messages handled          87,995
Messages rejected               187
Total data handled              1.09G bytes
Spam received                   42,062
Messages handled successfully   87,808
Rejection rate                  0.21%
Average message size            13K bytes
Blocked IPs                     0
Average messages per day        1,995
Viruses detected                2,088
Rejected in last 5 mins         0
Spam rate                       47.90%
Messages in last 5 mins         25
Infection rate                  2.38%
Mail pending                    754
AV Updated                      Feb 5 17:01:03

From hermit921 at YAHOO.COM Thu Feb 5 23:02:34 2004
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:22:20 2006
Subject: untagged messages
Message-ID: <6.0.0.22.2.20040205150117.01b439d0@popserv.ucop.edu>

At 01:40 PM 2/5/2004, Leland J. Steinke wrote:
>hermit921 wrote:
>>
>>Here is an example with headers and body, with a few changes to protect my
>>names and IP addresses.
>>
>>>Received: from mail3.me.com (mail3.me.com [a.b.c.d])
>>>    by mail.me.com (AIX4.3/8.9.3/8.9.3) with ESMTP id BAA97118
>>>    for ; Wed, 4 Feb 2004 01:37:42 -0800
>>>Received: from 66.148.68.10 (server10.enter7.com [66.148.68.10])
>>>    by mail3.me.com (Postfix) with SMTP id 7AC0B124003
>>>    for ; Wed, 4 Feb 2004 01:37:35 -0800 (PST)
>>>Date: Wed, 04 Feb 2004 04:37:38 -0500
>>>From: "Norris >>Message-Id: <20040204093735.7AC0B124003@mail3.me.com>
>>>To: undisclosed-recipients:;
>>>X-UIDL: >-9"!NO+!!Gmf"!$TC!!
>>>
>>>
>>>nurtoplpn@enter7.com
>
>Here is the complete message as quarantined on our MS server:
>
>==8<===8<===
>Received: from CM-vina1-134-59.cm.vtr.net (CM-vina1-134-59.cm.vtr.net [200.104.134.59])
>    by mx05.pa.net (Postfix) with SMTP id 6A140111526
>    for ; Wed, 4 Feb 2004 17:41:35 -0500 (EST)
>Received: from 183.240.155.128 by 200.104.134.59; Wed, 04 Feb 2004 21:38:34 -0100
>Message-ID: Date: Wed, 4 Feb 2004 17:41:35 -0500 (EST)
>From: Russell_Omari053@yahoo.com
>To: undisclosed-recipients:;
>==8<===8<===
>
>What I downloaded is as follows:
>
>==8<===8<===
> From - Wed Feb 4 17:42:24 2004
>X-Mozilla-Status2: 00000000
>Return-Path:
>Delivered-To: steinkel@pa.net
>Received: from [local delivery stuff irrelevant to the discussion]
>Received: from CM-vina1-134-59.cm.vtr.net (CM-vina1-134-59.cm.vtr.net [200.104.134.59])
>    by mx05.pa.net (Postfix) with SMTP id 6A140111526
>    for ; Wed, 4 Feb 2004 17:41:35 -0500 (EST)
>Received: from 183.240.155.128 by 200.104.134.59; Wed, 04 Feb 2004 21:38:34 -0100
>Message-ID: Date: Wed, 4 Feb 2004 17:41:35 -0500 (EST)
>From: Russell_Omari053@yahoo.com
>To: undisclosed-recipients: ;
>
>
>Russell_Omari053@yahoo.com
>==8<===8<===
>
>I notice that your From: header has an unmatched "<". Coincidence? I just
>hand-jammed a message over port 25 with a Message-ID similar to the one I
>received but all MS headers came through on the delivered message.
>
>Still a mystery.
>
>Leland

Good catch. I checked the other message given me yesterday and it is
missing the same >. But then I noticed it is inside the "" prepended to
@enter7.com. Doesn't that make it some normal character and not a
delimiter? I can't see this From field in the maillog, so I can't tell how
often it happens.

>well, I shoved my original message through the mailscanner gauntlet again
>and here is what happened.
>
>The envelope sender was replicated as the (originally null) message body
>and the MS headers were nowhere to be seen. I do not believe that this is
>a postfix issue, since I "netcat"ted the message to our smtp delivery
>server (also running postfix) directly and the message came through with no
>message body added.
>
>We are running 4.25-14. If MailScanner were written in C, I would suspect
>pointer arithmetic gone awry. Must... test... more... tomorrow...
>
>Leland

I am glad you can replicate this problem of missing MS headers. My mail
knowledge is insufficient for such things.

hermit921

From kevin at KEVINSPICER.CO.UK Thu Feb 5 23:16:50 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:21 2006
Subject: MailScanner-MRTG version 0.08.01 released
Message-ID: <1076023010.22569.49.camel@bach.kevinspicer.co.uk>

I'm pleased to announce that the latest version of MailScanner-MRTG is
now available from http://mailscannermrtg.sourceforge.net

This release corrects all known bugs and adds a few minor features. It
is an essential upgrade for most users of the 0.07 series (particularly
anyone using net-snmp, or running on Solaris or FreeBSD, or who uses
perl-5.005)

Users of older version may also wish to upgrade to benefit from the
extra graphs and performance enhancements introduced at 0.07.

Please report all issues using the forums on the sourceforge site.

Regards

Kevin

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard.
My public key may be obtained from http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040205/f6ff7203/attachment.bin

From pete at eatathome.com.au Fri Feb 6 00:29:00 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:21 2006
Subject: X_MS_has_attach
Message-ID: <4022DFCC.60305@eatathome.com.au>

We are Domino shop, we have MailScanner/postfix/sa filtering all inbound
mail. Very vanilla installation.

We have merged with a company who used Exchange. They are sending
messages from their site, from exchange, over the net, into MailScanner
to us.

Suddenly we have started seeing messages from this company only that
have the attachments icon in the client, to indicate that there is an
attachment, but there is NO sign of an attachment. All other messages
from people with attachments come through with no issue, or if they are
noxious we get the inline spam warning as per usual.

We have NO rules, just basic/default filename/type/warning settings in
MS.conf.

The only messages with attachments to have the X_MS_has_attach "yes"
header are the ones from this new company, they have NO anti spam tools
at all. There is no entry in the logs for these messages to have had an
attachment modified or anything.

Maybe there is a way to modify this header?, but what are the
implications of this? Is this header generated by mailscanner, why?

We are in a situation where the new company (controlling) wants to force
MS Exchange onto us in place of Lotus Domino, so incompatibilities, that
seems to be our fault work against in a hideous way - please help me fend
off these marauding ms exchange loving heathens...for the love of Man,
the benefit of the world and all that we stand for - etc :)

From penguin at DHCP.NET Fri Feb 6 00:41:52 2004
From: penguin at DHCP.NET (A. Eijkhoudt)
Date: Thu Jan 12 21:22:21 2006
Subject: MailScanner-MRTG version 0.08.01 released
In-Reply-To: <1076023010.22569.49.camel@bach.kevinspicer.co.uk>
Message-ID: <003901c3ec4a$039669b0$0200a8c0@penguin>

Kevin Spicer wrote:
> I'm pleased to announce that the latest version of MailScanner-MRTG is
> now available from http://mailscannermrtg.sourceforge.net
> ...

I'll give the new version a go and let you know how it went.

Thanks for the heads-up,

Arnim.

--
This E-mail has been checked for spam and viruses.

From gdoris at ROGERS.COM Fri Feb 6 01:29:35 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:22:21 2006
Subject: Trend scanner log data missing
Message-ID: <1076030975.1991.17.camel@jaguar.dorfam.ca>

I am using three virus scanners...f-prot, clamav module, and trend.
They are happily finding virii and when they do I get the following
typical message:

The following e-mail messages were found to have viruses in them:

    Sender: fedora-list-admin@redhat.com
    IP Address: 127.0.0.1
    Recipient: gerry@localhost
    Subject: Test
    MessageID: i15Ft8e4009530
    Report: ClamAV Module: data.zip was infected: Worm.SCO.A
    F-Prot: /var/spool/MailScanner/incoming/388/i15Ft8e4009530/data.zip->data.htm Infection: W32/Mydoom.A@mm
    Trend: Found virus WORM_MYDOOM.A in file ./i15Ft8e4009530/data.zip

Notice that Trend has identified the virus in a separate line. However,
in /var/log/maillog everything is there except for the Trend data. The
log only contains a line that says "Trend found one infections".

Is there a way to get the Trend data into the mail log or is this part
of the trend scanning binary?

--
Gerry Doris

From mailscanner at ecs.soton.ac.uk Fri Feb 6 07:23:46 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:21 2006
Subject: virus detected but still delivered
In-Reply-To: <4022C6FE.C2AEBD8A@sju.edu>
References: <4022C6FE.C2AEBD8A@sju.edu>
Message-ID: <6.0.1.1.2.20040206072249.03b69930@imap.ecs.soton.ac.uk>

What do you have set as your incoming working dir (what was
/var/spool/MailScanner/incoming)? You need to have the real absolute path
to it in your MailScanner.conf, i.e. /datavol15/incoming

At 22:43 05/02/2004, you wrote:
>Hello,
>
>MailScanner-4.25-14
>Mail-SpamAssassin-2.63
>Solaris 9
>McAfee engine 4.3.20 and DAT 4322
>
> McAfee stopped running some time ago for me. My file extension rules
>were keeping out so many viruses I never realized it stopped until
>today. I got it running again but still have a problem. Below is a log
>snippet that shows the virus in this batch of three messages being
>detected but still delivered. What configuration setting did I screw
>up?
>
>
>Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Found 408 messages waiting
>Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Scanning 3 messages, 49642 bytes
>Feb 5 17:27:38 mailhost MailScanner[9732]: Spam Checks: Starting
>Feb 5 17:27:38 mailhost MailScanner[9732]: RBL checks: i15MGrbt004289 found in spamhaus.org
>Feb 5 17:27:40 mailhost MailScanner[9732]: Message i15MGrbt004289 from 64.253.207.198 (6-5567031-sju.edu?jh127389@stderr.emarketmachine2.com) to sju.edu is spam, spamhaus.org, SpamAssassin (score=6.7, required 6, BAYES_80 2.86, BigEvilList_159 3.00, CLICK_BELOW 0.00, HTML_50_60 0.10, HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_FACE_ODD 0.32, HTML_IMAGE_RATIO_06 0.23, HTML_WEB_BUGS 0.10)
>Feb 5 17:27:41 mailhost MailScanner[9732]: RBL checks: i15MEDbd001213 found in spamhaus.org
>Feb 5 17:27:43 mailhost MailScanner[9732]: Message i15MEDbd001213 from 69.56.42.89 (bounce-rllrwsssgvrewz@jaadvjjjc.planetaryorbitz.com) to sju.edu is spam, spamhaus.org, SpamAssassin (score=8, required 6, BANG_MONEY 1.72, BAYES_60 1.10, BigEvilList_49 3.00, CLICK_BELOW_CAPS 0.50, HTML_60_70 0.10, HTML_FONT_BIG 0.22, HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_COLOR_RED 0.10, HTML_FONT_COLOR_UNSAFE 0.10, HTML_IMAGE_RATIO_06 0.23, HTML_LINK_CLICK_HERE 0.10, MAILTO_TO_SPAM_ADDR 0.68)
>Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Checks: Found 2 spam messages
>Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message i15MGrbt004289 actions are striphtml,deliver
>Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message i15MEDbd001213 actions are striphtml,deliver
>Feb 5 17:27:44 mailhost MailScanner[9732]: Virus and Content Scanning: Starting
>Feb 5 17:27:46 mailhost MailScanner[9732]: /datavol15/incoming/9732/i15MM5bV010213/readme.zip2 Found the W32/Mydoom.a@MM virus !!!
>Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: McAfee found 1 infections
>Feb 5 17:27:46 mailhost MailScanner[9732]: Infected message datavol15 came from
>Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: Found 1 viruses
>Feb 5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and will convert HTML message to plain text in i15MGrbt004289
>Feb 5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and will convert HTML message to plain text in i15MEDbd001213
>Feb 5 17:27:46 mailhost MailScanner[9732]: Uninfected: Delivered 3 messages
>
>Regards,
>Steve
>--
>Stephen J. Lee                      Saint Joseph's University
>Senior Systems Administrator        5600 City Avenue
>Networking & Telecommunications     Philadelphia, PA 19131-1395
>E-mail: lee@sju.edu                 Voice: (610) 660-1679
>                                    Fax: (610) 660-1573

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Feb 6 07:22:12 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:21 2006
Subject: untagged messages
In-Reply-To: <4022BFD3.9080303@pa.net>
References: <6.0.0.22.2.20040204104406.01e4a2b8@pop.mail.yahoo.com> <40226B28.5020904@pa.net> <6.0.0.22.2.20040205114428.01fcfb38@pop.mail.yahoo.com> <4022B852.2070901@pa.net> <4022BFD3.9080303@pa.net>
Message-ID: <6.0.1.1.2.20040206072138.03897e60@imap.ecs.soton.ac.uk>

Upgrade to 4.26 and see if that helps. It may well do as I fixed some of
the Postfix code in 4.26 (as explained in the ChangeLog).

At 22:12 05/02/2004, you wrote:
>Leland J. Steinke wrote:
>>hermit921 wrote:
>>
>>>
>>>Here is an example with headers and body, with a few changes to
>>>protect my
>>>names and IP addresses.
>
>well, I shoved my original message through the mailscanner gauntlet again
>and here is what happened.
>
>The envelope sender was replicated as the (originally null) message body
>and the MS headers were nowhere to be seen. I do not believe that this is
>a postfix issue, since I "netcat"ted the message to our smtp delivery
>server (also running postfix) directly and the message came through with no
>message body added.
>
>We are running 4.25-14. If MailScanner were written in C, I would suspect
>pointer arithmetic gone awry. Must... test... more... tomorrow...
>
>Leland

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lenaig at WANADOO.FR Fri Feb 6 08:02:03 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:21 2006
Subject: MailScanner-MRTG version 0.08.01 released
In-Reply-To: <1076023010.22569.49.camel@bach.kevinspicer.co.uk>
References: <1076023010.22569.49.camel@bach.kevinspicer.co.uk>
Message-ID: <20040206080203.GB1380@maelenn>

Hi,

Which version did you give me? (MSMRTG.tar.gz)

Thx
--
Thierry
Never do an "apt-get install new-wife" before an "apt-get remove --purge current-wife"

From kevins at BMRB.CO.UK Fri Feb 6 08:06:43 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:21 2006
Subject: MailScanner-MRTG version 0.08.01 released
In-Reply-To: <20040206080203.GB1380@maelenn>
References: <1076023010.22569.49.camel@bach.kevinspicer.co.uk> <20040206080203.GB1380@maelenn>
Message-ID: <1076054804.22416.70.camel@bach.kevinspicer.co.uk>

On Fri, 2004-02-06 at 08:02, Thierry wrote:
> Hi,
> Which version did you give me? (MSMRTG.tar.gz)
>

Can't quite remember, it was kind of a midpoint CVS thingy - with almost all of the fixes that are in 0.08. If it's working okay then you probably don't need to bother upgrading.

If you wish to continue this thread please email me off-list as I daresay the specifics of which files I sent you probably are only of interest to you and I.

Kevin

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From lenaig at WANADOO.FR Fri Feb 6 08:34:50 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:21 2006
Subject: pb working Spam
Message-ID: <20040206083450.GA1952@maelenn>

Hi,

Actually, I am using procmail to move Spam into a special box:

:0fw
| spamassassin -P

:0:
* ^X-Spam-Flag: YES
Bin

So if I comment out these lines, I receive Spam in my principal box; I mean that mailscanner/spamassassin are not working. I need them to work because I am using mailscanner-mrtg.

MailScanner.conf:

Spam Checks = yes
Use SpamAssassin = yes
Spam Score = yes
Spam Actions = delete
High Scoring Spam Actions = delete
Log Spam = yes
SpamAssassin User State Dir = /var/spool/spamassassin

In /var/spool/spamassassin, I have two files:

-rw-r-xr-x 1 root wheel 65536 Feb 6 09:30 bayes_seen
-rw-r-xr-x 1 root wheel 114688 Feb 6 09:30 bayes_toks

I think that I made a mistake, but I still do not know where.

Thx
--
Thierry
Never do an "apt-get install new-wife" before an "apt-get remove --purge current-wife"

From martinh at SOLID-STATE-LOGIC.COM Fri Feb 6 08:55:37 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:21 2006 Subject: New installation -- and problems i never had In-Reply-To: <200402051903.50240.mailing-oit@tttech.com> References: <200402041604.02066.mailing-oit@tttech.com> <200402041704.38202.mailing-oit@tttech.com> <1202.81.86.182.54.1075919495.squirrel@mail.solid-state-logic.com> <200402051903.50240.mailing-oit@tttech.com> Message-ID: <40235689.7080604@solid-state-logic.com> Christoph Resch wrote: > hi martin , > > thanks for support and this mail is just for the ML and for information .. > > i know installed mailscanner from latest debian unstable package .. but i > think the problem was, tha Mailscanner handled the mails funny ... mails sent > from the commandline to local users have no additional spam-reports .. > everything that goes through SMTP does .. > > just interresting There's some rules in the MailScanner.conf that say whether or not to spam scan certain hosts. The default is probably not to scan local host. either that or the way your MTA is setup the 'post mailscanner' queue (ie delivery) is the default queue for /usr/sbin/sendmail (or whatever your MTA is). Well I think that was really badly explained, if you need it clearer I can try again, after I've finished my first coffee :-) -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at SOLID-STATE-LOGIC.COM Fri Feb 6 09:14:51 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:21 2006 Subject: X_MS_has_attach In-Reply-To: <4022DFCC.60305@eatathome.com.au> References: <4022DFCC.60305@eatathome.com.au> Message-ID: <40235B0B.1020507@solid-state-logic.com> Pete wrote: > We are Domino shop, we have MailScanner/postfix/sa filtering all inbound > mail. Very vanilla installation. > > We have merged with a company who used Exchange. Tnhey are sending > messages from thier site, from exchange, over the net, into MailScanner > to us. > > Suddenly we have started seeing messages from this company only that > have the attachments icon in the client, to indicate that there is an > attachment, but there is NO sign of an attachment. > > All other messages from people with attachments come through with no > issue, or if they are noxious we get the inline spam warning as per > usual. We have NO rules, just basic/default filename/type/warnjing > settings in MS.conf. > > The only messages with attachments to have the X_MS_has_attach "yes" > header are the ones from this new company, they have NO anti spam tools > at all. There is no entry in the logs for these messages to have had an > attachment modfied or anything. > > Maybe there is a way to modify this header?, but what are the > implications of this? IS this header generated by mailscanner, why? > > We are in a situation where the new company (controlling) wants to force > MS Exchange onto us in place of Lotus Domino, so incompabilities, that > seems to be our fault work against in a hieous way - please help me fend > off these marauding ms exchange loving heathens...for the love of Man, > the benefit of the world and all that we stand for - etc :) Hi you might want to setup a whitelist rule for the new companies email server so SA doesn't scan - I guess you'll still need the virus scanning???? Given the fact the other half is a m-sexchange site you might want to investigate the TNEF settings on the MS host. 
doing TNEF from the perl module is generally more powerful and less error prone than the binary, but YMMV so check that. Another option might be to setup a VPN between to two LAN's, quite easy now-adays.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martyn at invictawiz.com Fri Feb 6 10:30:23 2004 From: martyn at invictawiz.com (InvictaWiz Customer Support) Date: Thu Jan 12 21:22:21 2006 Subject: Mailscanner & Freebsd In-Reply-To: Message-ID: A briliant piece of work, thanks. I have made a couple of small changes to my copy of mta.sh I am using a perl script called "sendmail.logs.pl" to analyse my maillog and generate mrtg stats on simple numbers of mail, viruses & spam passing through the server. The script doesn't have any license/authorinfo in it! I had to change mta.sh to record "sendmail-in" etc instead of "sm-mta-in" as the analysis script stopped working because it was looking for the default "sendmail" Martyn Routley -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jan-Peter Koopmann Sent: 04 February 2004 09:58 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [MAILSCANNER] Mailscanner & Freebsd Hi Martyn, > I use 2 cute scripts which run from /usr/local/etc/rc.d, I > can't remember where they came from. I do. They are mine and they are part of the FreeBSD port! Disable all MTA stuff in rc.conf and simply use those start/stop scripts. :-) Regards, JP ----------------------------------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. ----------------------------------------------------------------------------- From pete at eatathome.com.au Fri Feb 6 11:29:35 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:21 2006 Subject: X_MS_has_attach In-Reply-To: <40235B0B.1020507@solid-state-logic.com> References: <4022DFCC.60305@eatathome.com.au> <40235B0B.1020507@solid-state-logic.com> Message-ID: <40237A9F.1000401@eatathome.com.au> Martin Hepworth wrote: > Pete wrote: > >> We are Domino shop, we have MailScanner/postfix/sa filtering all inbound >> mail. Very vanilla installation. >> >> We have merged with a company who used Exchange. Tnhey are sending >> messages from thier site, from exchange, over the net, into MailScanner >> to us. >> >> Suddenly we have started seeing messages from this company only that >> have the attachments icon in the client, to indicate that there is an >> attachment, but there is NO sign of an attachment. >> >> All other messages from people with attachments come through with no >> issue, or if they are noxious we get the inline spam warning as per >> usual. We have NO rules, just basic/default filename/type/warnjing >> settings in MS.conf. >> >> The only messages with attachments to have the X_MS_has_attach "yes" >> header are the ones from this new company, they have NO anti spam tools >> at all. There is no entry in the logs for these messages to have had an >> attachment modfied or anything. >> >> Maybe there is a way to modify this header?, but what are the >> implications of this? IS this header generated by mailscanner, why? >> >> We are in a situation where the new company (controlling) wants to force >> MS Exchange onto us in place of Lotus Domino, so incompabilities, that >> seems to be our fault work against in a hieous way - please help me fend >> off these marauding ms exchange loving heathens...for the love of Man, >> the benefit of the world and all that we stand for - etc :) > > > Hi > > you might want to setup a whitelist rule for the new companies email > server so SA doesn't scan - I guess you'll still need the virus > scanning???? 
> > Given the fact the other half is a m-sexchange site you might want to > investigate the TNEF settings on the MS host. doing TNEF from the perl > module is generally more powerful and less error prone than the binary, > but YMMV so check that. > > Another option might be to setup a VPN between to two LAN's, quite easy > now-adays.. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > > Thanks a lot, i should have thought of that, i will whitelist them on Monday. Is this simple to do, but ensuring that virus scanning continues? I cant see any point turning AV off... Thanks Pete From martinh at SOLID-STATE-LOGIC.COM Fri Feb 6 11:52:26 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:21 2006 Subject: [Fwd: Re: [MAILSCANNER] X_MS_has_attach] Message-ID: <40237FFA.50903@solid-state-logic.com> oops - errant reply to :-) -- martin ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** -------------- next part -------------- An embedded message was scrubbed... From: Martin Hepworth Subject: Re: [MAILSCANNER] X_MS_has_attach Date: Fri, 06 Feb 2004 11:51:48 +0000 Size: 2100 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040206/9ecf417e/MAILSCANNERX_MS_has_attach.mht From mailscanner at ecs.soton.ac.uk Fri Feb 6 12:01:34 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:21 2006 Subject: X_MS_has_attach In-Reply-To: <40237A9F.1000401@eatathome.com.au> References: <4022DFCC.60305@eatathome.com.au> <40235B0B.1020507@solid-state-logic.com> <40237A9F.1000401@eatathome.com.au> Message-ID: <6.0.1.1.2.20040206120021.069dc4f8@imap.ecs.soton.ac.uk> At 11:29 06/02/2004, you wrote: >Martin Hepworth wrote: > >>Pete wrote: >> >>>We are Domino shop, we have MailScanner/postfix/sa filtering all inbound >>>mail. Very vanilla installation. >>> >>>We have merged with a company who used Exchange. Tnhey are sending >>>messages from thier site, from exchange, over the net, into MailScanner >>>to us. >>> >>>Suddenly we have started seeing messages from this company only that >>>have the attachments icon in the client, to indicate that there is an >>>attachment, but there is NO sign of an attachment. >>> >>>All other messages from people with attachments come through with no >>>issue, or if they are noxious we get the inline spam warning as per >>>usual. We have NO rules, just basic/default filename/type/warnjing >>>settings in MS.conf. >>> >>>The only messages with attachments to have the X_MS_has_attach "yes" >>>header are the ones from this new company, they have NO anti spam tools >>>at all. There is no entry in the logs for these messages to have had an >>>attachment modfied or anything. >>> >>>Maybe there is a way to modify this header?, but what are the >>>implications of this? IS this header generated by mailscanner, why? 
>>> >>>We are in a situation where the new company (controlling) wants to force >>>MS Exchange onto us in place of Lotus Domino, so incompabilities, that >>>seems to be our fault work against in a hieous way - please help me fend >>>off these marauding ms exchange loving heathens...for the love of Man, >>>the benefit of the world and all that we stand for - etc :) >> >> >>Hi >> >>you might want to setup a whitelist rule for the new companies email >>server so SA doesn't scan - I guess you'll still need the virus >>scanning???? >> >>Given the fact the other half is a m-sexchange site you might want to >>investigate the TNEF settings on the MS host. doing TNEF from the perl >>module is generally more powerful and less error prone than the binary, >>but YMMV so check that. >> >>Another option might be to setup a VPN between to two LAN's, quite easy >>now-adays.. >> >>-- >>Martin Hepworth >>Snr Systems Administrator >>Solid State Logic >>Tel: +44 (0)1865 842300 >> >> >>********************************************************************** >> >>This email and any files transmitted with it are confidential and >>intended solely for the use of the individual or entity to whom they >>are addressed. If you have received this email in error please notify >>the system manager. >> >>This footnote confirms that this email message has been swept >>for the presence of computer viruses and is believed to be clean. >> >>********************************************************************** >> >> >Thanks a lot, i should have thought of that, i will whitelist them on >Monday. Is this simple to do, but ensuring that virus scanning >continues? I cant see any point turning AV off... You can control just about everything in MailScanner with a ruleset that lets you switch features on/off and change values for any arbitrary groups of users or domains. Read /etc/MailScanner/rules/* and see the FAQ too. There's plenty about rulesets there. You just want to tie a ruleset to "Spam Checks". 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Feb 6 12:00:11 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:21 2006 Subject: Mailscanner & Freebsd In-Reply-To: References: Message-ID: <6.0.1.1.2.20040206115916.06a14c98@imap.ecs.soton.ac.uk> At 10:30 06/02/2004, you wrote: >A briliant piece of work, thanks. > >I have made a couple of small changes to my copy of mta.sh > >I am using a perl script called "sendmail.logs.pl" to analyse my maillog >and generate mrtg stats on >simple numbers of mail, viruses & spam passing through the server. The >script doesn't have any >license/authorinfo in it! I think that's one of mine. It's pretty basic, you would be better off with MailScanner-MRTG or even MailWatch (rather bigger, needs a database) than my little old script. >I had to change mta.sh to record "sendmail-in" etc instead of "sm-mta-in" >as the analysis script >stopped working because it was looking for the default "sendmail" > >Martyn Routley > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Jan-Peter Koopmann >Sent: 04 February 2004 09:58 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: [MAILSCANNER] Mailscanner & Freebsd > > >Hi Martyn, > > > I use 2 cute scripts which run from /usr/local/etc/rc.d, I > > can't remember where they came from. > >I do. They are mine and they are part of the FreeBSD port! Disable all MTA >stuff in rc.conf and >simply use those start/stop scripts. :-) > >Regards, > JP > > >----------------------------------------------------------------------------- >This message has been scanned for viruses and >dangerous content by the http://www.anti84787.com >MailScanner, and is believed to be clean. >----------------------------------------------------------------------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From davidj at IMPOL.NET Fri Feb 6 13:11:32 2004 
From: davidj at IMPOL.NET (David Jacobson)
Date: Thu Jan 12 21:22:21 2006
Subject: Spam ruleset
Message-ID:

Hi,

Can someone please post me an example on how to disable spam checking for just one e-mail address?

Thanks.

Kind regards,

David Jacobson
Network Security Administrator
RHCE

Imperial Online - The Imperial Connection

Switchboard (+27) 11 723-8000
Helpdesk (+27) 11 723-8181
Mobile (+27) 83 235-0760
Facsimile (+27) 11 454 1236
Email davidj@impol.net

www.imperialonline.co.za / www.imperialtoday.co.za

Confidentiality Notice:
This communication and the information it contains are intended for the person(s) or organisation(s) named above and for no other person(s) or organisation(s). The content of this communication may be confidential, legally privileged and protected. Unauthorised use, copying or disclosure of any part of this communication may be unlawful.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040206/c75f77ae/attachment.html

From mike at CAMAROSS.NET Fri Feb 6 13:17:31 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:21 2006
Subject: Spam ruleset
In-Reply-To:
Message-ID: <200402061315.i16DFiD7014534@avwall.bladeware.com>

In MailScanner.conf:

Spam Checks = /etc/MailScanner/rules/spamcheck.rules

In spamcheck.rules

FromTo: user_not_to_scan@domain.org no
FromTo: default yes

Save and reload MailScanner

Mike

________________________________
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Jacobson Sent: Friday, February 06, 2004 7:12 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spam ruleset Hi, Can someone please post me an example on how to disable spam checking for just one e-mail address? Thanks. Kind regards, David Jacobson Network Security Administrator RHCE Imperial Online - The Imperial Connection Switchboard (+27) 11 723-8000 Helpdesk (+27) 11 723-8181 Mobile (+27) 83 235-0760 Facsimile (+27) 11 454 1236 Email davidj@impol.net www.imperialonline.co.za / www.imperialtoday.co.za Confidentiality Notice: This communication and the information it contains are intended for the person(s) or organisation(s) named above and for no other person(s) or organisation(s). The content of this communication may be confidential, legally privileged and protected. Unauthorised use, copying or disclosure of any part of this communication may be unlawful. From pete at eatathome.com.au Fri Feb 6 13:33:51 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:21 2006 Subject: X_MS_has_attach In-Reply-To: <6.0.1.1.2.20040206120021.069dc4f8@imap.ecs.soton.ac.uk> References: <4022DFCC.60305@eatathome.com.au> <40235B0B.1020507@solid-state-logic.com> <40237A9F.1000401@eatathome.com.au> <6.0.1.1.2.20040206120021.069dc4f8@imap.ecs.soton.ac.uk> Message-ID: <402397BF.9070800@eatathome.com.au> Julian Field wrote: > At 11:29 06/02/2004, you wrote: > >> Martin Hepworth wrote: >> >>> Pete wrote: >>> >>>> We are Domino shop, we have MailScanner/postfix/sa filtering all >>>> inbound >>>> mail. Very vanilla installation. >>>> >>>> We have merged with a company who used Exchange. Tnhey are sending >>>> messages from thier site, from exchange, over the net, into >>>> MailScanner >>>> to us. >>>> >>>> Suddenly we have started seeing messages from this company only that >>>> have the attachments icon in the client, to indicate that there is an >>>> attachment, but there is NO sign of an attachment. >>>> >>>> All other messages from people with attachments come through with no >>>> issue, or if they are noxious we get the inline spam warning as per >>>> usual. We have NO rules, just basic/default filename/type/warnjing >>>> settings in MS.conf. >>>> >>>> The only messages with attachments to have the X_MS_has_attach "yes" >>>> header are the ones from this new company, they have NO anti spam >>>> tools >>>> at all. There is no entry in the logs for these messages to have >>>> had an >>>> attachment modfied or anything. >>>> >>>> Maybe there is a way to modify this header?, but what are the >>>> implications of this? IS this header generated by mailscanner, why? 
>>>> >>>> We are in a situation where the new company (controlling) wants to >>>> force >>>> MS Exchange onto us in place of Lotus Domino, so incompabilities, that >>>> seems to be our fault work against in a hieous way - please help me >>>> fend >>>> off these marauding ms exchange loving heathens...for the love of Man, >>>> the benefit of the world and all that we stand for - etc :) >>> >>> >>> >>> Hi >>> >>> you might want to setup a whitelist rule for the new companies email >>> server so SA doesn't scan - I guess you'll still need the virus >>> scanning???? >>> >>> Given the fact the other half is a m-sexchange site you might want to >>> investigate the TNEF settings on the MS host. doing TNEF from the perl >>> module is generally more powerful and less error prone than the binary, >>> but YMMV so check that. >>> >>> Another option might be to setup a VPN between to two LAN's, quite easy >>> now-adays.. >>> >>> -- >>> Martin Hepworth >>> Snr Systems Administrator >>> Solid State Logic >>> Tel: +44 (0)1865 842300 >>> >>> >>> ********************************************************************** >>> >>> This email and any files transmitted with it are confidential and >>> intended solely for the use of the individual or entity to whom they >>> are addressed. If you have received this email in error please notify >>> the system manager. >>> >>> This footnote confirms that this email message has been swept >>> for the presence of computer viruses and is believed to be clean. >>> >>> ********************************************************************** >>> >>> >> Thanks a lot, i should have thought of that, i will whitelist them on >> Monday. Is this simple to do, but ensuring that virus scanning >> continues? I cant see any point turning AV off... > > > You can control just about everything in MailScanner with a ruleset that > lets you switch features on/off and change values for any arbitrary > groups > of users or domains. 
Read /etc/MailScanner/rules/* and see the FAQ too. > There's plenty about rulesets there. You just want to tie a ruleset to > "Spam Checks". > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > Thanks, i have alread6y been searching since i posted, and another helpful fellow posted a tip, so I will proceed on Monday. Does anyone know anything else about this mail header? i can find no info on the net, but it APPEARS to have been generated by exchange? Is there any way to tell why it is include and maked as YES and the mail is disaplying attachment icon, but no attachment is present? From bpumphrey at WOODMACLAW.COM Fri Feb 6 13:51:59 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:21 2006 Subject: Spam ruleset Message-ID: In your spam.whitelist.rules put: FromOrTo: user@domain.com yes _____ 
From: David Jacobson [mailto:davidj@IMPOL.NET] Sent: Friday, February 06, 2004 8:12 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spam ruleset Hi, Can someone please post me an example on how to disable spam checking for just one e-mail address? Thanks. Kind regards, David Jacobson Network Security Administrator RHCE Imperial Online - The Imperial Connection Switchboard (+27) 11 723-8000 Helpdesk (+27) 11 723-8181 Mobile (+27) 83 235-0760 Facsimile (+27) 11 454 1236 Email davidj@impol.net www.imperialonline.co.za / www.imperialtoday.co.za Confidentiality Notice: This communication and the information it contains are intended for the person(s) or organisation(s) named above and for no other person(s) or organisation(s). The content of this communication may be confidential, legally privileged and protected. Unauthorised use, copying or disclosure of any part of this communication may be unlawful. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040206/4d6ffe6f/attachment.html From bpumphrey at WOODMACLAW.COM Fri Feb 6 14:02:04 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:21 2006 Subject: Mail pending 754 Message-ID: Now it says 954. Someone please tell me what this means? Does it mean what it says, that there are almost a 1000 emails waiting to be delivered? No one has said anything to make it seem this way though. -----Original Message----- 
From: Billy A. Pumphrey
Sent: Thursday, February 05, 2004 5:30 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Mail pending 754

On my stats it says "Mail pending 754"

Is this a big number? I use mailstats and that's what it shows. More:

Mail Analysis
General Mail Statistics
Data since December 23 2003 13:42:20 - Data up to February 5 2004 17:20:02 EST (44.2 days)

Total messages handled          87,995
Messages rejected               187
Total data handled              1.09G bytes
Spam received                   42,062
Messages handled successfully   87,808
Rejection rate                  0.21%
Average message size            13K bytes
Blocked IPs                     0
Average messages per day        1,995
Viruses detected                2,088
Rejected in last 5 mins         0
Spam rate                       47.90%
Messages in last 5 mins         25
Infection rate                  2.38%
Mail pending                    754
AV Updated                      Feb 5 17:01:03

From David.While at UCE.AC.UK Fri Feb 6 14:04:43 2004
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:22:21 2006
Subject: Mail pending 754
Message-ID: <107DE25EC0216C45AEF670016024245F6FEA@exchangea.staff.uce.ac.uk>

Mailstats counts the number of mails pending by counting the number of qf files in the directories configured. It is possible that you have qf files being left without the corresponding df files.

As someone previously said you could type mailq at the prompt to see what the queue tells you.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Billy A. Pumphrey
Sent: 06 February 2004 14:02
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail pending 754

Now it says 954. Someone please tell me what this means? Does it mean what it says, that there are almost a 1000 emails waiting to be delivered? No one has said anything to make it seem this way though.

-----Original Message-----
From: Billy A. Pumphrey
Sent: Thursday, February 05, 2004 5:30 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Mail pending 754

On my stats it says "Mail pending 754"

Is this a big number? I use mailstats and that's what it shows. More:

Mail Analysis
General Mail Statistics
Data since December 23 2003 13:42:20 - Data up to February 5 2004 17:20:02 EST (44.2 days)

Total messages handled          87,995
Messages rejected               187
Total data handled              1.09G bytes
Spam received                   42,062
Messages handled successfully   87,808
Rejection rate                  0.21%
Average message size            13K bytes
Blocked IPs                     0
Average messages per day        1,995
Viruses detected                2,088
Rejected in last 5 mins         0
Spam rate                       47.90%
Messages in last 5 mins         25
Infection rate                  2.38%
Mail pending                    754
AV Updated                      Feb 5 17:01:03

From pete at eatathome.com.au Fri Feb 6 14:10:53 2004
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:21 2006 Subject: Spam ruleset In-Reply-To: References: Message-ID: <4023A06D.2000900@eatathome.com.au> Billy A. Pumphrey wrote: > In your spam.whitelist.rules put: > > > > FromOrTo: user@domain.com yes > > > > ------------------------------------------------------------------------ > > *From:* David Jacobson [mailto:davidj@IMPOL.NET] > *Sent:* Friday, February 06, 2004 8:12 AM > *To:* MAILSCANNER@JISCMAIL.AC.UK > *Subject:* Spam ruleset > > > > > Hi, > > Can someone please post me an example on how to disable spam checking > for just one e-mail address? > > Thanks. > > Kind regards, > > David Jacobson > Network Security Administrator > RHCE > > Imperial Online - The Imperial Connection > > Switchboard (+27) 11 723-8000 > Helpdesk (+27) 11 723-8181 > Mobile (+27) 83 235-0760 > Facsimile (+27) 11 454 1236 > Email davidj@impol.net > > www.imperialonline.co.za / www.imperialtoday.co.za > > Confidentiality Notice: > This communication and the information it contains are intended for > the person(s) or organisation(s) named above and for no other > person(s) or organisation(s). > The content of this communication may be confidential, legally > privileged and protected. Unauthorised use, copying or disclosure of > any part of this communication may be unlawful. > IS the difference between the above 2 suggestions, 1. use whitelists 2. use a spoam check rule that 1 will even prevent virus scanning, while 2 will only disable the spame/filetype/content filtering? Thanks pete From lee at SJU.EDU Fri Feb 6 14:05:41 2004 
From: lee at SJU.EDU (Stephen Lee)
Date: Thu Jan 12 21:22:21 2006
Subject: virus detected but still delivered
References: <4022C6FE.C2AEBD8A@sju.edu> <6.0.1.1.2.20040206072249.03b69930@imap.ecs.soton.ac.uk>
Message-ID: <40239F35.49485154@sju.edu>

Julian,

I changed the path from a symbolic link to absolute path and the viruses have been stopped.

Thanks very much,
Steve

Julian Field wrote:
>
> What do you have set as your incoming working dir (what was
> /var/spool/MailScanner/incoming)?
> You need to have the real absolute path to it in your MailScanner.conf, i.e.
> /datavol15/incoming
>
> At 22:43 05/02/2004, you wrote:
> >Hello,
> >
> >MailScanner-4.25-14
> >Mail-SpamAssassin-2.63
> >Solaris 9
> >McAfee engine 4.3.20 and DAT 4322
> >
> > McAfee stopped running some time ago for me. My file extension rules
> >were keeping out so many viruses I never realized it stopped until
> >today. I got it running again but still have a problem. Below is a log
> >snippet that shows the virus in this batch of three messages being
> >detected but still delivered. What configuration setting did I screw
> >up?
> >
> >
> >Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Found 408
> >messages waiting
> >Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Scanning 3
> >messages, 49642 bytes
> >Feb 5 17:27:38 mailhost MailScanner[9732]: Spam Checks: Starting
> >Feb 5 17:27:38 mailhost MailScanner[9732]: RBL checks: i15MGrbt004289
> >found in spamhaus.org
> >Feb 5 17:27:40 mailhost MailScanner[9732]: Message i15MGrbt004289 from
> >64.253.207.198 (6-5567031-sju.edu?jh127389@stderr.emarketmachine2.com)
> >to sju.edu is spam, spamhaus.org, SpamAssassin (score=6.7, required 6,
> >BAYES_80 2.86, BigEvilList_159 3.00, CLICK_BELOW 0.00, HTML_50_60 0.10,
> >HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_FACE_ODD 0.32, HTML_IMAGE_RATIO_06
> >0.23, HTML_WEB_BUGS 0.10)
> >Feb 5 17:27:41 mailhost MailScanner[9732]: RBL checks: i15MEDbd001213
> >found in spamhaus.org
> >Feb 5 17:27:43 mailhost MailScanner[9732]: Message i15MEDbd001213 from
> >69.56.42.89 (bounce-rllrwsssgvrewz@jaadvjjjc.planetaryorbitz.com) to
> >sju.edu is spam, spamhaus.org, SpamAssassin (score=8, required 6,
> >BANG_MONEY 1.72, BAYES_60 1.10, BigEvilList_49 3.00, CLICK_BELOW_CAPS
> >0.50, HTML_60_70 0.10, HTML_FONT_BIG 0.22, HTML_FONT_COLOR_BLUE 0.10,
> >HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_COLOR_RED 0.10,
> >HTML_FONT_COLOR_UNSAFE 0.10, HTML_IMAGE_RATIO_06 0.23,
> >HTML_LINK_CLICK_HERE 0.10, MAILTO_TO_SPAM_ADDR 0.68)
> >Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Checks: Found 2 spam
> >messages
> >Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message
> >i15MGrbt004289 actions are striphtml,deliver
> >Feb 5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message
> >i15MEDbd001213 actions are striphtml,deliver
> >Feb 5 17:27:44 mailhost MailScanner[9732]: Virus and Content Scanning:
> >Starting
> >Feb 5 17:27:46 mailhost MailScanner[9732]:
> >/datavol15/incoming/9732/i15MM5bV010213/readme.zip2 Found the
> >W32/Mydoom.a@MM virus !!!
> >Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: McAfee found
> >1 infections
> >Feb 5 17:27:46 mailhost MailScanner[9732]: Infected message datavol15
> >came from
> >Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: Found 1
> >viruses
> >Feb 5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and
> >will convert HTML message to plain text in i15MGrbt004289
> >Feb 5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and
> >will convert HTML message to plain text in i15MEDbd001213
> >Feb 5 17:27:46 mailhost MailScanner[9732]: Uninfected: Delivered 3
> >messages
> >
> >Regards,
> >Steve
> >--
> >Stephen J. Lee                    Saint Joseph's University
> >Senior Systems Administrator      5600 City Avenue
> >Networking & Telecommunications   Philadelphia, PA 19131-1395
> >E-mail: lee@sju.edu               Voice: (610) 660-1679
> >                                  Fax: (610) 660-1573
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Stephen J. Lee                    Saint Joseph's University
Senior Systems Administrator      5600 City Avenue
Networking & Telecommunications   Philadelphia, PA 19131-1395
E-mail: lee@sju.edu               Voice: (610) 660-1679
                                  Fax: (610) 660-1573

From martinh at SOLID-STATE-LOGIC.COM Fri Feb 6 14:18:23 2004
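A log check for the failure in the "virus detected but still delivered" thread above, where the scanner reports a virus, the "Infected message" line names a directory (datavol15) instead of a queue id, and the whole batch is delivered as uninfected. This is an added example, not part of the original posts or of MailScanner; the work-directory layout `<incoming dir>/<pid>/<message id>/<file>` is inferred from the quoted log line, and the second batch in the sample is constructed.

```python
import re

# First batch: lines from the log quoted in the thread above, with the mail
# client's line wraps joined and the spam-check lines left out.
# Second batch (PID 9801): constructed for contrast, same message formats.
SAMPLE_LOG = """\
Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Found 408 messages waiting
Feb 5 17:27:38 mailhost MailScanner[9732]: New Batch: Scanning 3 messages, 49642 bytes
Feb 5 17:27:44 mailhost MailScanner[9732]: Virus and Content Scanning: Starting
Feb 5 17:27:46 mailhost MailScanner[9732]: /datavol15/incoming/9732/i15MM5bV010213/readme.zip2 Found the W32/Mydoom.a@MM virus !!!
Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: McAfee found 1 infections
Feb 5 17:27:46 mailhost MailScanner[9732]: Infected message datavol15 came from
Feb 5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: Found 1 viruses
Feb 5 17:27:46 mailhost MailScanner[9732]: Uninfected: Delivered 3 messages
Feb 5 17:31:02 mailhost MailScanner[9801]: New Batch: Scanning 3 messages, 51200 bytes
Feb 5 17:31:05 mailhost MailScanner[9801]: /datavol15/incoming/9801/i15MVaaa000001/readme.zip Found the W32/Mydoom.a@MM virus !!!
Feb 5 17:31:05 mailhost MailScanner[9801]: Infected message i15MVaaa000001 came from 192.0.2.10
Feb 5 17:31:05 mailhost MailScanner[9801]: Virus Scanning: Found 1 viruses
Feb 5 17:31:05 mailhost MailScanner[9801]: Uninfected: Delivered 2 messages
"""

ENTRY = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
NEW_BATCH = re.compile(r"New Batch: Scanning (\d+) messages")
AV_REPORT = re.compile(r"(/\S+) Found the (\S+) virus")
INFECTED = re.compile(r"Infected message (\S+) came from")
FOUND = re.compile(r"Virus Scanning: Found (\d+) viruses")
DELIVERED = re.compile(r"Uninfected: Delivered (\d+) messages")


def id_from_path(path, pid):
    """Return the path component after the PID directory (assumed layout)."""
    parts = path.split("/")
    if pid in parts and parts.index(pid) + 1 < len(parts):
        return parts[parts.index(pid) + 1]
    return None


def parse_batches(log_text):
    """Group MailScanner entries into batches, keyed by child PID."""
    batches, open_batch = [], {}
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        pid, msg = entry.groups()
        started = NEW_BATCH.match(msg)
        if started:
            open_batch[pid] = {"pid": pid, "scanned": int(started.group(1)),
                               "path_ids": set(), "infected_ids": [],
                               "found": 0, "delivered": None}
            batches.append(open_batch[pid])
            continue
        batch = open_batch.get(pid)
        if batch is None:
            continue  # entry seen before any "Scanning" line for this PID
        if (m := AV_REPORT.match(msg)):
            mid = id_from_path(m.group(1), pid)
            if mid:
                batch["path_ids"].add(mid)
        elif (m := INFECTED.match(msg)):
            batch["infected_ids"].append(m.group(1))
        elif (m := FOUND.match(msg)):
            batch["found"] = int(m.group(1))
        elif (m := DELIVERED.match(msg)):
            batch["delivered"] = int(m.group(1))
    return batches


def audit(log_text):
    """Return [(pid, [finding, ...])] for batches that look like the thread's bug."""
    results = []
    for b in parse_batches(log_text):
        findings = []
        # The id MailScanner attributes the infection to should be the id
        # that appears in the scanner's own report path.
        for mid in b["infected_ids"]:
            if mid not in b["path_ids"]:
                findings.append(
                    f"infected id {mid!r} not among report-path ids {sorted(b['path_ids'])}")
        # Viruses were found, yet every scanned message went out as uninfected.
        if b["found"] > 0 and b["delivered"] is not None and b["delivered"] >= b["scanned"]:
            findings.append(
                f"{b['found']} virus(es) found but all {b['delivered']} messages delivered")
        if findings:
            results.append((b["pid"], findings))
    return results


if __name__ == "__main__":
    for pid, findings in audit(SAMPLE_LOG):
        for finding in findings:
            print(f"MailScanner[{pid}]: {finding}")
```

Run against a real maillog, any batch it flags is worth checking against the fix reported in the thread: the incoming work directory in MailScanner.conf given as the real absolute path rather than a symbolic link.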
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:21 2006
Subject: Spam ruleset
In-Reply-To: <4023A06D.2000900@eatathome.com.au>
References: <4023A06D.2000900@eatathome.com.au>
Message-ID: <4023A22F.9070601@solid-state-logic.com>

Pete wrote:
> Billy A. Pumphrey wrote:
>
>> In your spam.whitelist.rules put:
>>
>> FromOrTo: user@domain.com yes
>>
> Is the difference between the above 2 suggestions,
> 1. use whitelists
> 2. use a spam check rule
> that 1 will even prevent virus scanning, while 2 will only disable the
> spam/filetype/content filtering?
>
> Thanks
> pete

Pete

Billy's rule will still use the spam checks, but will give a score of -100 to start with - ie it will be very very unlikely to trigger the spam catch (default of +5).

The rule that myself and Julian suggest won't run SA at all for those emails, thus saving CPU time.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From bpumphrey at WOODMACLAW.COM Fri Feb 6 14:20:59 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:21 2006
Subject: Spam ruleset
Message-ID:

Thanks for the additional note, I will change mine to your suggestion

mailto:

-----Original Message-----
From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM] Sent: Friday, February 06, 2004 9:18 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spam ruleset Pete wrote: > Billy A. Pumphrey wrote: > >> In your spam.whitelist.rules put: >> >> >> >> FromOrTo: user@domain.com yes >> >> >> > IS the difference between the above 2 suggestions, > 1. use whitelists > 2. use a spoam check rule > that 1 will even prevent virus scanning, while 2 will only disable the > spame/filetype/content filtering? > > Thanks > pete Pete Billy's rule will still use the spam checks, but will give a score of -100 to start with - ie it will be very very unlikely to trigger the spam catch (default of +5). The rule that myself and Julian suggest won;t run SA at all for those emails, thus saving CPU time.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From campbell at CNPAPERS.COM Fri Feb 6 14:23:33 2004 
From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:22:21 2006 Subject: TNEF problem - Not handling winmail.dat Message-ID: <00cd01c3ecbc$cd97f2c0$5001a8c0@cnpapers.net> I am reposting since I couldn't find my prior posts in the archive. I've been having some problems here and am not sure I have received or sent my list messages. BTW - I have searched the archives and have found only references to problems with TNEF, but no answers. I have upgraded to the latest release, but don't really think this is a new problem, just one that was never reported to me. I have an Outlook user who seems to be getting his attachments deleted. I have changed the TNEF Expander line in MailScanner.conf from /usr/bin/tnef to internal, and both fail to send the attachment. The final test of setting Deliver Unparseable TNEF to yes failed to send the attachment also. The real problem is that there is no notification anywhere that the attachment was removed. Nothing in the mail to the admin, the maillog, or the recipient that an attachment was dropped. Is there something like "Silent Viruses" that this falls under? I do see in the maillog that the TNEF Expander was called, but nothing else regarding this message ID. Any help or clues would be greatly appreciated. Steve Campbell campbell@cnpapers.com Charleston Newspapers From bpumphrey at WOODMACLAW.COM Fri Feb 6 14:24:32 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:21 2006 Subject: Mail pending 754 Message-ID: Sorry for my newbness to Linux in general. Ok, I did mailq and it came up with 480 entries. From the entries I'm guessing that I shouldn't care about these because they are for example: i13I6CcX001139 747 Tue Feb 3 13:06 <> (Deferred: Connection timed out with mail2.prizeservers.com.) Message-ID: <200402061434.i16EYwD7021834@avwall.bladeware.com> Are you bouncing spam? Mike > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Billy A. Pumphrey > Sent: Friday, February 06, 2004 8:25 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mail pending 754 > > Sorry for my newbness to Linux in general. > > Ok, I did mailq and it came up with 480 entries. From the > entries I'm guessing that I shouldn't care about these > because they are for example: > > i13I6CcX001139 747 Tue Feb 3 13:06 <> > (Deferred: Connection timed out with > mail2.prizeservers.com.) > > > They look like spam things. So what happened to the other > 500 or so emails that mailstats saids in que? Or should I > not even worry about it. It just seems that my 500mhz > machine might not be keeping up. > > -----Original Message----- > From: David While [mailto:David.While@UCE.AC.UK] > Sent: Friday, February 06, 2004 9:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mail pending 754 > > Mailstats counts the number of mails pending by counting the > number of qf files in the directories configured. It is > possible that you have qf files being left without the > corresponding df files. As someone previously said you could > type mailq at the prompt to see what the queue tells you. > ----------------------------------------------------------------- > David While > Technical Development Manager > Faculty of Computing, Information & English University of > Central England > Tel: 0121 331 6211 > ----------------------------------------------------------------- > > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Billy A. Pumphrey > Sent: 06 February 2004 14:02 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mail pending 754 > > > Now it says 954. Someone please tell me what this means? > Does it mean what it says, that there are almost a 1000 > emails waiting to be delivered? No one has said anything to > make it seem this way though. > > -----Original Message----- 
> From: Billy A. Pumphrey > Sent: Thursday, February 05, 2004 5:30 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Mail pending 754 > > On my stats it says "Mail pending 754" > > Is this a big number? I use mailstats and that's what it shows. > > More: > Mail Analysis > General Mail Statistics > Data since December 23 2003 13:42:20 - Data up to February 5 2004 > 17:20:02 EST (44.2 days) > Total messages handled 87,995 Messages rejected 187 Total data > handled 1.09G bytes Spam received 42,062 > Messages handled successfully 87,808 Rejection rate 0.21% Average > message size 13K bytes Blocked IPs 0 > Average messages per day 1,995 Viruses detected 2,088 Rejected in > last 5 mins 0 Spam rate 47.90% > Messages in last 5 mins 25 Infection rate 2.38% Mail pending 754 > AV Updated Feb 5 17:01:03 > From cwharris at MORGAN.NET Fri Feb 6 14:42:02 2004 From: cwharris at MORGAN.NET (Chris Harris) Date: Thu Jan 12 21:22:21 2006 Subject: SA 2.63 upgrade Message-ID: <002b01c3ecbf$61e349a0$2105a8c0@delta> I upgraded SA to 2.63, and now tons of spam messages are coming through. There are still messages being flagged as spam, but the amount that is not flagged has went up quite a bit. Has anyone else had this problem? Chris -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040206/15c6eb7f/attachment.html From David.While at UCE.AC.UK Fri Feb 6 14:33:50 2004 
From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:22:21 2006 Subject: Mail pending 754 Message-ID: <107DE25EC0216C45AEF670016024245F6FED@exchangea.staff.uce.ac.uk> A couple of questions/comments: 1. You shouldn't be bouncing any spam responses. If you have 480 of these then they are taking up system resources every time your MTA tries to send them. 2. Do you have more than one queue directory configured? Most MTAs will allow it and mailstats can be configured to count messages in those directories as well. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Billy A. Pumphrey Sent: 06 February 2004 14:25 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mail pending 754 Sorry for my newbness to Linux in general. Ok, I did mailq and it came up with 480 entries. From the entries I'm guessing that I shouldn't care about these because they are for example: i13I6CcX001139 747 Tue Feb 3 13:06 <> (Deferred: Connection timed out with mail2.prizeservers.com.) Hello, Thank you for the reponses to my question about directing outgoing mail through MailScanner. The suggestions were accurate. Mail seems to be flowing and scanned! I did however, have to go to (Exchange System Manager) Admin Groups->MyGroup->Routing Groups->MyGroup->Connectors->Main Internet Service->Properties and set the IP in "Forward all mail...". Thanks again and sorry about the HTML. Daryl -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mark Spieth Sent: Thursday, February 05, 2004 12:33 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: How to scan mail going out? 2 parts here. On the Redhat Box setup in /etc/mail/access a relay entry so that the exchange server can relay mail via your redhat box. E.g. 10.10.1.2 relay Then on your exchange server open your exchange manager. Open Servers->servername->protocols->smtp->default smtp Virtual Server Right click on the default smtp server and choose properties. Then go to the delivery tab and click advanced. Put the IP address of your redhat box in the Smart Host section and restart the smtp service. All outbound email will then route through the redhat box rather than having the exchange server attempt to deliver it directly. Also make sure that the attempt direct delivery box is unchecked. Mark Mark Spieth - Director of Internet Services Northeast Ohio Digital Inc. http://www.neod.net mspieth@neod.net 330-830-6551 CONFIDENTIALITY NOTICE: The materials attached hereto are confidential and the property of the sender. The information contained in the attached materials is privileged and/or confidential and is intended only for the use of the above-named individual(s) or entity(ies). If you are not the intended recipient, be advised that any unauthorized disclosure, copying, distribution or the taking of any action in reliance on the contents of the attached information is strictly prohibited. If you have received this transmission in error, please discard the information immediately -----Original Message----- 
From: Carr, Daryl B. [mailto:DARYL@MONM.EDU]
Sent: Thursday, February 05, 2004 1:22 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: How to scan mail going out?

Hello,

We have just set up MailScanner 4.25-10 on a Redhat Linux 9 machine. We are using Sendmail 8.12.8 and Perl 5.8.0.

Currently, the flow of messages is like this:

all SMTP traffic incoming to ourdomain.com -> firewall(with rule) -> MailScanner -> Exchange 2003 server (ip: 10.10.1.2)

To make the last step happen (MailScanner->Exchange 2003), we added a line to /etc/mail/mailertable like this:

ourdomain.com smtp:[10.10.1.2]

So that flow works perfectly. But now we would like to add the outgoing traffic to the mix. The Exchange 2003 server is delivering directly and not going through MailScanner. We would like mail to travel:

Exchange 2003 Server (all messages from @ourdomain.com) -> MailScanner -> Recipient

We have used telnet to drop messages off to the MailScanner machine and they are delivered through the firewall just fine. But when we tell the exchange 2003 server to deliver the messages to the MailScanner, they do not get delivered although we can tell that they are getting pushed off to the MailScanner machine. We had also added a line to the relay-domains file for ourdomain.com.

Thanks for any help!

From DERMODYR at ITCARLOW.IE Fri Feb 6 14:37:29 2004
From: DERMODYR at ITCARLOW.IE (Ray Dermody) Date: Thu Jan 12 21:22:21 2006 Subject: Process did not exit cleanly, returned 255 with signal 0 Message-ID: <4023A6A8.6653.9EA1CD@localhost> Hi Guys, I am running RH9 , Sendmail-8.12.8-9.90 and MailScanner-4.26.8-1. I had sendmail running fine and it was running as my mail server without any problems. I then uninstalled MailScanner but now all my mails are getting stuck in /var/spool/mqueue.in/ In the /var/log/message file I see the following being repeated consistently Feb 6 11:18:32 mailtest root: Process did not exit cleanly, returned 255 with signal 0 Feb 6 11:19:13 mailtest last message repeated 4 times Feb 6 11:20:23 mailtest last message repeated 7 times Feb 6 11:21:33 mailtest last message repeated 7 times Feb 6 11:22:43 mailtest last message repeated 7 times Feb 6 11:23:54 mailtest last message repeated 7 times Can anybody point me in the right direction?. Many thanks. Ray. From DERMODYR at ITCARLOW.IE Fri Feb 6 14:38:54 2004 From: DERMODYR at ITCARLOW.IE (Ray Dermody) Date: Thu Jan 12 21:22:21 2006 Subject: Process did not exit cleanly, returned 255 with signal 0 Message-ID: <4023A6FE.18313.9FEEA0@localhost> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040206/b9d544c5/attachment.html From ycayer at 3webmedia.com Fri Feb 6 15:02:26 2004 From: ycayer at 3webmedia.com (Yannick Cayer) Date: Thu Jan 12 21:22:21 2006 Subject: MailScanner-MRTG version 0.08.01 released In-Reply-To: A<1076023010.22569.49.camel@bach.kevinspicer.co.uk> Message-ID: <200402061502.i16F2KY03247@3webserv2.3webmedia.com> If I have mrtg setup in a weird place, how can I tell mailscanner-mrtg? > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer > Sent: Thursday, February 05, 2004 6:17 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MailScanner-MRTG version 0.08.01 released > > I'm pleased to announce that the latest version of > MailScanner-MRTG is now available from > http://mailscannermrtg.sourceforge.net > > This release corrects all known bugs and adds a few minor features. > > It is an essential upgrade for most users of the 0.07 series > (particularly anyone using net-snmp, or running on Solaris or > FreeBSD, or who uses perl-5.005) Users of older version may > also wish to upgrade to benefit from the extra graphs and > performance enhancements introduced at 0.07. > > Please report all issues using the forums on the sourceforge site. > > Regards > > Kevin > -- > Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) > > This message is digitally signed using the GNU Privacy Guard. > My public key may be obtained from http://www.keyserver.net > From martinh at SOLID-STATE-LOGIC.COM Fri Feb 6 15:05:33 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:21 2006 Subject: SA 2.63 upgrade In-Reply-To: <002b01c3ecbf$61e349a0$2105a8c0@delta> References: <002b01c3ecbf$61e349a0$2105a8c0@delta> Message-ID: <4023AD3D.80702@solid-state-logic.com> Chris Harris wrote: > I upgraded SA to 2.63, and now tons of spam messages are coming through. > There are still messages being flagged as spam, but the amount that is > not flagged has went up quite a bit. Has anyone else had this problem? > > > Chris Chris check the permissions on the bayes DB...also make sure any local rules were put in /etc/mail/spamassassin and not in /usr/local/share/spamassassin check spamassassin -D --lint -C /path/to/spam.assassin.prefs.conf -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From ycayer at 3webmedia.com Fri Feb 6 15:05:43 2004 From: ycayer at 3webmedia.com (Yannick Cayer) Date: Thu Jan 12 21:22:21 2006 Subject: MailScanner-MRTG version 0.08.01 released In-Reply-To: A<200402061502.i16F2KY03247@3webserv2.3webmedia.com> Message-ID: <200402061505.i16F5bY03861@3webserv2.3webmedia.com> :-( Never mind, I found it. > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Yannick Cayer > Sent: Friday, February 06, 2004 10:02 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner-MRTG version 0.08.01 released > > If I have mrtg setup in a weird place, how can I tell > mailscanner-mrtg? > > > -----Original Message----- > > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer > > Sent: Thursday, February 05, 2004 6:17 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: MailScanner-MRTG version 0.08.01 released > > > > I'm pleased to announce that the latest version of > MailScanner-MRTG is > > now available from http://mailscannermrtg.sourceforge.net > > > > This release corrects all known bugs and adds a few minor features. > > > > It is an essential upgrade for most users of the 0.07 series > > (particularly anyone using net-snmp, or running on Solaris > or FreeBSD, > > or who uses perl-5.005) Users of older version may also wish to > > upgrade to benefit from the extra graphs and performance > enhancements > > introduced at 0.07. > > > > Please report all issues using the forums on the sourceforge site. > > > > Regards > > > > Kevin > > -- > > Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) > > > > This message is digitally signed using the GNU Privacy Guard. > > My public key may be obtained from http://www.keyserver.net > > > From mike at CAMAROSS.NET Fri Feb 6 15:06:46 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:22:21 2006 Subject: SA 2.63 upgrade In-Reply-To: <002b01c3ecbf$61e349a0$2105a8c0@delta> Message-ID: <200402061504.i16F4xD7025912@avwall.bladeware.com> No. How did you upgrade SA? ________________________________ 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Harris Sent: Friday, February 06, 2004 8:42 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: SA 2.63 upgrade I upgraded SA to 2.63, and now tons of spam messages are coming through. There are still messages being flagged as spam, but the amount that is not flagged has went up quite a bit. Has anyone else had this problem? Chris From Kevin.Spicer at BMRB.CO.UK Fri Feb 6 15:06:17 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:21 2006 Subject: MailScanner-MRTG version 0.08.01 released Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A41@pascal.priv.bmrb.co.uk> Yannick Cayer wrote: > If I have mrtg setup in a weird place, how can I tell > mailscanner-mrtg? If you install using the install.pl script then just do --mrtg=/path/ If you use rpms then after installing edit the /etc/cron.d/mailscanner-mrtg.cron file to change the path there (its only a one line file!) >> -----Original Message----- 
>> From: MailScanner mailing list >> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer >> Sent: Thursday, February 05, 2004 6:17 PM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: MailScanner-MRTG version 0.08.01 released >> >> I'm pleased to announce that the latest version of >> MailScanner-MRTG is now available from >> http://mailscannermrtg.sourceforge.net >> >> This release corrects all known bugs and adds a few minor features. >> >> It is an essential upgrade for most users of the 0.07 series >> (particularly anyone using net-snmp, or running on Solaris or >> FreeBSD, or who uses perl-5.005) Users of older version may >> also wish to upgrade to benefit from the extra graphs and >> performance enhancements introduced at 0.07. >> >> Please report all issues using the forums on the sourceforge site. >> >> Regards >> >> Kevin >> -- >> Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) >> >> This message is digitally signed using the GNU Privacy Guard. >> My public key may be obtained from http://www.keyserver.net BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From DERMODYR at itcarlow.ie Fri Feb 6 15:11:55 2004 
From: DERMODYR at itcarlow.ie (Ray Dermody) Date: Thu Jan 12 21:22:21 2006 Subject: Process did not exit cleanly, returned 255 with signal 0 In-Reply-To: <200402061506.i16F6WD7026082@avwall.bladeware.com> References: <4023A6FE.18313.9FEEA0@localhost> Message-ID: <4023AEBA.2771.BE259C@localhost> Thanks for replying Mike. Yep I did that. MailScanner runs fine along with sendmail and spamassassin. sendmail (pid 4570 4564 4559) is running... Checking MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [ OK ] outgoing sendmail: [ OK ] spamd (pid 1705) is running... On 6 Feb 2004 at 9:08, Mike Kercher wrote: > Did you: > > chkconfig sendmail off > service sendmail stop > chkconfig MailScanner on > service MailScanner start > > > > > ________________________________ 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] > On Behalf Of Ray Dermody > Sent: Friday, February 06, 2004 8:39 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Process did not exit cleanly, returned 255 with signal > 0 > > > "I then uninstalled MailScanner but now all my mails" > > Sorry I meant I installed MailScanner. > > > Hi Guys, > > I am running RH9 , Sendmail-8.12.8-9.90 and MailScanner-4.26.8-1. > > I had sendmail running fine and it was running as my mail server > without any problems. > > I then uninstalled MailScanner but now all my mails are getting > stuck in > > /var/spool/mqueue.in/ > > In the /var/log/message file I see the following being repeated > consistently > > > > Feb 6 11:18:32 mailtest root: Process did not exit cleanly, > returned 255 with signal 0 > > Feb 6 11:19:13 mailtest last message repeated 4 times > > Feb 6 11:20:23 mailtest last message repeated 7 times > > Feb 6 11:21:33 mailtest last message repeated 7 times > > Feb 6 11:22:43 mailtest last message repeated 7 times > > Feb 6 11:23:54 mailtest last message repeated 7 times > > > > Can anybody point me in the right direction?. > > Many thanks. > > Ray. > > > > > Ray Dermody > Computing Services Technician > I.T. Carlow > 059 9176271 > > From DERMODYR at ITCARLOW.IE Fri Feb 6 15:19:51 2004 From: DERMODYR at ITCARLOW.IE (Ray Dermody) Date: Thu Jan 12 21:22:21 2006 Subject: Process did not exit cleanly, returned 255 with signal 0 Message-ID: <4023B097.28175.C56C38@localhost> Ok shut down spamd and restarted MailScanner. Still no luck :( > > On 6 Feb 2004 at 9:14, Mike Kercher wrote: > > > spamd should NOT be running. MailScanner calls it on its own > > > > Mike > > > > > > > -----Original Message----- 
> > > From: MailScanner mailing list > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ray Dermody > > > Sent: Friday, February 06, 2004 9:12 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Process did not exit cleanly, returned 255 with signal 0 > > > > > > Thanks for replying Mike. > > > Yep I did that. MailScanner runs fine along with sendmail and > > > spamassassin. > > > > > > sendmail (pid 4570 4564 4559) is running... > > > Checking MailScanner daemons: > > > MailScanner: [ OK ] > > > incoming sendmail: [ OK ] > > > outgoing sendmail: [ OK ] > > > spamd (pid 1705) is running... > > > > > > > > > > > > On 6 Feb 2004 at 9:08, Mike Kercher wrote: > > > > > > > Did you: > > > > > > > > chkconfig sendmail off > > > > service sendmail stop > > > > chkconfig MailScanner on > > > > service MailScanner start > > > > > > > > > > > > > > > > > > > > ________________________________ 
> > > > > > > > From: MailScanner mailing list > > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] > > > > On Behalf Of Ray Dermody > > > > Sent: Friday, February 06, 2004 8:39 AM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Process did not exit cleanly, returned 255 with > > > > signal 0 > > > > > > > > > > > > "I then uninstalled MailScanner but now all my mails" > > > > > > > > Sorry I meant I installed MailScanner. > > > > > > > > > Hi Guys, > > > > > I am running RH9 , Sendmail-8.12.8-9.90 and > > > MailScanner-4.26.8-1. > > > > > I had sendmail running fine and it was running as my mail > > > > server without any problems. > > > > > I then uninstalled MailScanner but now all my mails are > > > > getting stuck in > > > > > /var/spool/mqueue.in/ > > > > > In the /var/log/message file I see the following being > > > > repeated consistently > > > > > > > > > > Feb 6 11:18:32 mailtest root: Process did not exit > > > cleanly, > > > > returned 255 with signal 0 > > > > > Feb 6 11:19:13 mailtest last message repeated 4 times > > > > > Feb 6 11:20:23 mailtest last message repeated 7 times > > > > > Feb 6 11:21:33 mailtest last message repeated 7 times > > > > > Feb 6 11:22:43 mailtest last message repeated 7 times > > > > > Feb 6 11:23:54 mailtest last message repeated 7 times > > > > > > > > > > Can anybody point me in the right direction?. > > > > > Many thanks. > > > > > Ray. > > > > > > > > > > > > > > > > > Ray Dermody > > > > Computing Services Technician > > > > I.T. Carlow > > > > 059 9176271 > > > > > > > > > > > > > > > From eja at URBAKKEN.DK Fri Feb 6 15:43:41 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:21 2006 Subject: Antivir. Message-ID: <4023B62D.5070307@urbakken.dk> Hi. I'm back with my Antivir problem. Now I have written with an employed at the H+DEV, and he has told me, that my Antivir looks like being set up correct: I have run the: /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp And the result is here: # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp AntiVir / Linux Version 2.0.9-16 Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. All rights reserved. Loading /usr/lib/AntiVir/antivir.vdf ... VDF version: 6.23.0.53 created 30 Jan 2004 For private, non-commercial use only. AntiVir license: 12345678 for Erik Jakobsen, Brovst checking drive/path (list): /tmp ----- scan results ----- directories: 1 files: 15 alerts: 0 scan time: 00:00:01 ------------------------ Thank you for using AntiVir. I dont know where the problem is to be found. Does anybody do that ?. -- Erik From mailscanner at ecs.soton.ac.uk Fri Feb 6 16:18:07 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:21 2006 Subject: Process did not exit cleanly, returned 255 with signal 0 In-Reply-To: <4023B097.28175.C56C38@localhost> References: <4023B097.28175.C56C38@localhost> Message-ID: <6.0.1.1.2.20040206161751.03b73150@imap.ecs.soton.ac.uk> What does your maillog say? Anything from MailScanner in there? At 15:19 06/02/2004, you wrote: >Ok shut down spamd and restarted MailScanner. Still no luck :( > > > > On 6 Feb 2004 at 9:14, Mike Kercher wrote: > > > > > spamd should NOT be running. MailScanner calls it on its own > > > > > > Mike > > > > > > > > > > -----Original Message----- 
> > > > From: MailScanner mailing list > > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ray Dermody > > > > Sent: Friday, February 06, 2004 9:12 AM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Process did not exit cleanly, returned 255 with signal 0 > > > > > > > > Thanks for replying Mike. > > > > Yep I did that. MailScanner runs fine along with sendmail and > > > > spamassassin. > > > > > > > > sendmail (pid 4570 4564 4559) is running... > > > > Checking MailScanner daemons: > > > > MailScanner: [ OK ] > > > > incoming sendmail: [ OK ] > > > > outgoing sendmail: [ OK ] > > > > spamd (pid 1705) is running... > > > > > > > > > > > > > > > > On 6 Feb 2004 at 9:08, Mike Kercher wrote: > > > > > > > > > Did you: > > > > > > > > > > chkconfig sendmail off > > > > > service sendmail stop > > > > > chkconfig MailScanner on > > > > > service MailScanner start > > > > > > > > > > > > > > > > > > > > > > > > > ________________________________ 
> > > > > > > > > > From: MailScanner mailing list > > > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] > > > > > On Behalf Of Ray Dermody > > > > > Sent: Friday, February 06, 2004 8:39 AM > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > Subject: Re: Process did not exit cleanly, returned 255 with > > > > > signal 0 > > > > > > > > > > > > > > > "I then uninstalled MailScanner but now all my mails" > > > > > > > > > > Sorry I meant I installed MailScanner. > > > > > > > > > > > Hi Guys, > > > > > > I am running RH9 , Sendmail-8.12.8-9.90 and > > > > MailScanner-4.26.8-1. > > > > > > I had sendmail running fine and it was running as my mail > > > > > server without any problems. > > > > > > I then uninstalled MailScanner but now all my mails are > > > > > getting stuck in > > > > > > /var/spool/mqueue.in/ > > > > > > In the /var/log/message file I see the following being > > > > > repeated consistently > > > > > > > > > > > > Feb 6 11:18:32 mailtest root: Process did not exit > > > > cleanly, > > > > > returned 255 with signal 0 > > > > > > Feb 6 11:19:13 mailtest last message repeated 4 times > > > > > > Feb 6 11:20:23 mailtest last message repeated 7 times > > > > > > Feb 6 11:21:33 mailtest last message repeated 7 times > > > > > > Feb 6 11:22:43 mailtest last message repeated 7 times > > > > > > Feb 6 11:23:54 mailtest last message repeated 7 times > > > > > > > > > > > > Can anybody point me in the right direction?. > > > > > > Many thanks. > > > > > > Ray. > > > > > > > > > > > > > > > > > > > > > Ray Dermody > > > > > Computing Services Technician > > > > > I.T. Carlow > > > > > 059 9176271 > > > > > > > > > > > > > > > > > > > > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From bpumphrey at WOODMACLAW.COM Fri Feb 6 16:35:26 2004 
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:21 2006 Subject: Mail pending 754 Message-ID: 1. Ok, I'll turn that off. 2. I don't know how to check to see what queue directories are configured, any tips? Thank you -----Original Message----- From: David While [mailto:David.While@UCE.AC.UK] Sent: Friday, February 06, 2004 9:34 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mail pending 754 A couple of questions/comments: 1. You shouldn't be bouncing any spam responses. If you have 480 of these then they are taking up system resources every time your MTA tries to send them. 2. Do you have more than one queue directory configured? Most MTAs will allow it and mailstats can be configured to count messages in those directories as well. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Billy A. Pumphrey Sent: 06 February 2004 14:25 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mail pending 754 Sorry for my newbness to Linux in general. Ok, I did mailq and it came up with 480 entries. From the entries I'm guessing that I shouldn't care about these because they are for example: i13I6CcX001139 747 Tue Feb 3 13:06 <> (Deferred: Connection timed out with mail2.prizeservers.com.) Message-ID: <200402061652.i16Gq0D7009936@avwall.bladeware.com> mailq will tell you > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Billy A. Pumphrey > Sent: Friday, February 06, 2004 10:35 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mail pending 754 > > 1. Ok, I'll turn that off. > > 2. I don't know how to check to see what queue directories > are configured, any tips? > > Thank you > > -----Original Message----- > From: David While [mailto:David.While@UCE.AC.UK] > Sent: Friday, February 06, 2004 9:34 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mail pending 754 > > A couple of questions/comments: > > 1. You shouldn't be bouncing any spam responses. If you have > 480 of these then they are taking up system resources every > time your MTA tries to send them. > > 2. Do you have more than one queue directory configured? Most > MTAs will allow it and mailstats can be configured to count > messages in those directories as well. > > ----------------------------------------------------------------- > David While > Technical Development Manager > Faculty of Computing, Information & English University of > Central England > Tel: 0121 331 6211 > ----------------------------------------------------------------- > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Billy A. Pumphrey > Sent: 06 February 2004 14:25 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mail pending 754 > > > Sorry for my newbness to Linux in general. > > Ok, I did mailq and it came up with 480 entries. From the > entries I'm guessing that I shouldn't care about these > because they are for example: > > i13I6CcX001139 747 Tue Feb 3 13:06 <> > (Deferred: Connection timed out with > mail2.prizeservers.com.) > > > They look like spam things. So what happened to the other > 500 or so emails that mailstats saids in que? Or should I > not even worry about it. It just seems that my 500mhz > machine might not be keeping up. > > -----Original Message----- 
> From: David While [mailto:David.While@UCE.AC.UK] > Sent: Friday, February 06, 2004 9:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mail pending 754 > > Mailstats counts the number of mails pending by counting the > number of qf files in the directories configured. It is > possible that you have qf files being left without the > corresponding df files. As someone previously said you could > type mailq at the prompt to see what the queue tells you. > ----------------------------------------------------------------- > David While > Technical Development Manager > Faculty of Computing, Information & English University of > Central England > Tel: 0121 331 6211 > ----------------------------------------------------------------- > > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Billy A. Pumphrey > Sent: 06 February 2004 14:02 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mail pending 754 > > > Now it says 954. Someone please tell me what this means? > Does it mean what it says, that there are almost a 1000 > emails waiting to be delivered? No one has said anything to > make it seem this way though. > > -----Original Message----- 
> From: Billy A. Pumphrey > Sent: Thursday, February 05, 2004 5:30 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Mail pending 754 > > On my stats it says "Mail pending 754" > > Is this a big number? I use mailstats and that's what it shows. > > More: > Mail Analysis > General Mail Statistics > Data since December 23 2003 13:42:20 - Data up to February 5 2004 > 17:20:02 EST (44.2 days) > Total messages handled 87,995 Messages rejected 187 Total data > handled 1.09G bytes Spam received 42,062 > Messages handled successfully 87,808 Rejection rate 0.21% Average > message size 13K bytes Blocked IPs 0 > Average messages per day 1,995 Viruses detected 2,088 Rejected in > last 5 mins 0 Spam rate 47.90% > Messages in last 5 mins 25 Infection rate 2.38% Mail pending 754 > AV Updated Feb 5 17:01:03 > From webmaster at sapl.ab.ca Fri Feb 6 18:07:27 2004 
From: webmaster at sapl.ab.ca (webmaster)
Date: Thu Jan 12 21:22:21 2006
Subject: OT? Spamassassin's auto-whitelisting and MailScanner
Message-ID: <3749.192.168.128.190.1076090847.squirrel@192.168.128.190>

I've been watching some of the spam I've been receiving as of late and
noticing that some spam with a score above the mark I've set has been
getting into the mailbox declared as non-spam (auto whitelisted). Here is
a sample header:

X-sapl.ab.ca-MailScanner-SpamCheck: not spam (whitelisted),
        SpamAssassin (score=22.391, required 9, AS_SEEN_ON 1.49,
        BANG_GUARANTEE 1.00, BAYES_99 5.40, DATE_IN_PAST_96_XX 1.53,
        DNS_FROM_RFCI_DSN 0.29, HTML_MESSAGE 0.10, INCREASE_SEX 1.73,
        LOSEBODYFAT 2.88, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32,
        RAVAGESOFAGING 1.98, REVERSE_AGING 1.00, WRINKLES 4.10)

Until just recently I had:

SpamAssassin Auto Whitelist = yes

in my MailScanner.conf set. I just changed this to 'no' 5 minutes ago I
changed this and reset SIGHUP'd all my MailScanner Processes on the mail
server.

Am I right in thinking that by setting this option in MailScanner.conf
*should* be able to take high-scoring spam (and in my case, as set in my
high scoring spam options, delete) the spam and not pass it along to the
mailbox?

Is there a way in SpamAssassin to automatically blacklist highscoring spam?

I'm a MailScanner/SpamAssassin novice so any suggestions are greatly
appreciated. I'm currently running MailScanner version 4.23-11 and
SpamAssassin 2.61.

Thanks In Advance,

Peter Verhagen
St. Albert Public Library

From cwharris at MORGAN.NET Fri Feb 6 19:22:33 2004
From: cwharris at MORGAN.NET (Chris Harris)
Date: Thu Jan 12 21:22:21 2006
Subject: SA 2.63 upgrade
References: <200402061504.i16F4xD7025912@avwall.bladeware.com>
Message-ID: <000801c3ece6$923c3b80$2105a8c0@delta>

I upgraded SA via CPAN

----- Original Message -----
From: "Mike Kercher" To: Sent: Friday, February 06, 2004 9:06 AM Subject: Re: SA 2.63 upgrade > No. How did you upgrade SA? > > > > ________________________________ > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] > On Behalf Of Chris Harris > Sent: Friday, February 06, 2004 8:42 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: SA 2.63 upgrade > > > I upgraded SA to 2.63, and now tons of spam messages are coming > through. There are still messages being flagged as spam, but the amount that > is not flagged has went up quite a bit. Has anyone else had this problem? > > > Chris > From dickenson at CFMC.COM Fri Feb 6 20:16:40 2004 From: dickenson at CFMC.COM (Jim Dickenson) Date: Thu Jan 12 21:22:21 2006 Subject: SA 2.63 upgrade In-Reply-To: <000801c3ece6$923c3b80$2105a8c0@delta> Message-ID: I am seeing the same problem. I updated, as I have always done, via RPM. What I am seeing is that none of the standard rules are getting tripped, just the RulesDuJour additions I have installed. I originally had the RulesDuJour .cf file in /usr/share/spamassassin along with the ones distributed with SA. I have moved them to /etc/mail/spamassassin but I am still seeing the same behavior. I also see that all the stuff that is spam is being auto-learned in my bayes files. What is the best way to stop using bayes files and then creating new ones. I need to get this problem sorted out before I can try to get my bayes files loaded again. TIA, -- Jim Dickenson mailto:dickenson@cfmc.com Computers for Marketing Corporation http://www.cfmc.com/ > From: Chris Harris > Reply-To: MailScanner mailing list > Date: Fri, 6 Feb 2004 13:22:33 -0600 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SA 2.63 upgrade > > I upgraded SA via CPAN > > ----- Original Message ----- > From: "Mike Kercher" > To: > Sent: Friday, February 06, 2004 9:06 AM > Subject: Re: SA 2.63 upgrade > > >> No. How did you upgrade SA? >> >> >> >> ________________________________ 
>> >> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] >> On Behalf Of Chris Harris >> Sent: Friday, February 06, 2004 8:42 AM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: SA 2.63 upgrade >> >> >> I upgraded SA to 2.63, and now tons of spam messages are coming >> through. There are still messages being flagged as spam, but the amount > that >> is not flagged has went up quite a bit. Has anyone else had this problem? >> >> >> Chris >> From mike at CAMAROSS.NET Fri Feb 6 20:37:46 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:22:21 2006 Subject: SA 2.63 upgrade In-Reply-To: Message-ID: <200402062036.i16KZxD7008730@avwall.bladeware.com> The recommendation is to NOT use the rpm to install/upgrade SpamAssassin unless you recompile the rpm from the .src.rpm Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jim Dickenson > Sent: Friday, February 06, 2004 2:17 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SA 2.63 upgrade > > I am seeing the same problem. I updated, as I have always > done, via RPM. > What I am seeing is that none of the standard rules are > getting tripped, just the RulesDuJour additions I have installed. > > I originally had the RulesDuJour .cf file in > /usr/share/spamassassin along with the ones distributed with > SA. I have moved them to /etc/mail/spamassassin but I am > still seeing the same behavior. > > I also see that all the stuff that is spam is being > auto-learned in my bayes files. What is the best way to stop > using bayes files and then creating new ones. I need to get > this problem sorted out before I can try to get my bayes > files loaded again. > > TIA, > -- > Jim Dickenson > mailto:dickenson@cfmc.com > > Computers for Marketing Corporation > http://www.cfmc.com/ 
> > > > > From: Chris Harris > > Reply-To: MailScanner mailing list > > Date: Fri, 6 Feb 2004 13:22:33 -0600 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: SA 2.63 upgrade > > > > I upgraded SA via CPAN > > > > ----- Original Message ----- > > From: "Mike Kercher" > > To: > > Sent: Friday, February 06, 2004 9:06 AM > > Subject: Re: SA 2.63 upgrade > > > > > >> No. How did you upgrade SA? > >> > >> > >> > >> ________________________________ > >> > >> From: MailScanner mailing list > >> [mailto:MAILSCANNER@JISCMAIL.AC.UK] > >> On Behalf Of Chris Harris > >> Sent: Friday, February 06, 2004 8:42 AM > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: SA 2.63 upgrade > >> > >> > >> I upgraded SA to 2.63, and now tons of spam messages are > >> coming through. There are still messages being flagged as > spam, but > >> the amount > > that > >> is not flagged has went up quite a bit. Has anyone else > had this problem? > >> > >> > >> Chris > >> > From dickenson at CFMC.COM Fri Feb 6 20:57:22 2004 From: dickenson at CFMC.COM (Jim Dickenson) Date: Thu Jan 12 21:22:21 2006 Subject: SA 2.63 upgrade In-Reply-To: <200402062036.i16KZxD7008730@avwall.bladeware.com> Message-ID: I have seen that mentioned in the list before but as it has always worked for me I did not know exactly why people make the recommendation. In addition SA is being called, what is not happening is that email that had tripped many rules before are not tripping those rules. I have seen email that for some time had been receiving scores in the teens now receive a score of 0. -- Jim Dickenson mailto:dickenson@cfmc.com Computers for Marketing Corporation http://www.cfmc.com/ > From: Mike Kercher > Reply-To: MailScanner mailing list > Date: Fri, 6 Feb 2004 14:37:46 -0600 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SA 2.63 upgrade > > The recommendation is to NOT use the rpm to install/upgrade SpamAssassin > unless you recompile the rpm from the .src.rpm > > Mike > > >> -----Original Message----- 
>> From: MailScanner mailing list >> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jim Dickenson >> Sent: Friday, February 06, 2004 2:17 PM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: SA 2.63 upgrade >> >> I am seeing the same problem. I updated, as I have always >> done, via RPM. >> What I am seeing is that none of the standard rules are >> getting tripped, just the RulesDuJour additions I have installed. >> >> I originally had the RulesDuJour .cf file in >> /usr/share/spamassassin along with the ones distributed with >> SA. I have moved them to /etc/mail/spamassassin but I am >> still seeing the same behavior. >> >> I also see that all the stuff that is spam is being >> auto-learned in my bayes files. What is the best way to stop >> using bayes files and then creating new ones. I need to get >> this problem sorted out before I can try to get my bayes >> files loaded again. >> >> TIA, >> -- >> Jim Dickenson >> mailto:dickenson@cfmc.com >> >> Computers for Marketing Corporation >> http://www.cfmc.com/ >> >> >> >>> From: Chris Harris >>> Reply-To: MailScanner mailing list >>> Date: Fri, 6 Feb 2004 13:22:33 -0600 >>> To: MAILSCANNER@JISCMAIL.AC.UK >>> Subject: Re: SA 2.63 upgrade >>> >>> I upgraded SA via CPAN >>> >>> ----- Original Message ----- >>> From: "Mike Kercher" >>> To: >>> Sent: Friday, February 06, 2004 9:06 AM >>> Subject: Re: SA 2.63 upgrade >>> >>> >>>> No. How did you upgrade SA? >>>> >>>> >>>> >>>> ________________________________ 
>>>> >>>> From: MailScanner mailing list >>>> [mailto:MAILSCANNER@JISCMAIL.AC.UK] >>>> On Behalf Of Chris Harris >>>> Sent: Friday, February 06, 2004 8:42 AM >>>> To: MAILSCANNER@JISCMAIL.AC.UK >>>> Subject: SA 2.63 upgrade >>>> >>>> >>>> I upgraded SA to 2.63, and now tons of spam messages are >>>> coming through. There are still messages being flagged as >> spam, but >>>> the amount >>> that >>>> is not flagged has went up quite a bit. Has anyone else >> had this problem? >>>> >>>> >>>> Chris >>>> >> From andy at WILDBRAIN.COM Fri Feb 6 20:58:05 2004 From: andy at WILDBRAIN.COM (Andy Moran) Date: Thu Jan 12 21:22:21 2006 Subject: HTML msg quarantined is warning mail instead of content In-Reply-To: References: Message-ID: <4023FFDD.5030802@wildbrain.com> Can anyone verify if this bug is still a problem in MailScanner 4.26.8 or if it has been fixed? We, like Garry, had to set "Quarantine Entire Message" on as a workaround in 4.25-14. --Andy Garry Glendown wrote: > Hi, > > one of our users just requested the HTML contents of a mail that was > filtered by MailScanner (4.25-11). Anyway, the file in the quarantine > directory is not the content of the mail, but rather the mail that was sent > out instead - the original content is lost. I have checked other HTML files > that MailScanner removed from incoming mails - it seems like about half of > all the files are the original content, whereas the other half is the > warning mails instead. > Has anybody else noticed this yet? > > Tnx, -garry > From mkettler at EVI-INC.COM Fri Feb 6 21:06:14 2004 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:21 2006
Subject: OT? Spamassassin's auto-whitelisting and MailScanner
In-Reply-To: <3749.192.168.128.190.1076090847.squirrel@192.168.128.190>
References: <3749.192.168.128.190.1076090847.squirrel@192.168.128.190>
Message-ID: <6.0.0.22.0.20040206160548.0264c390@xanadu.evi-inc.com>

At 01:07 PM 2/6/2004, webmaster wrote:
>I've been watching some of the spam I've been receiving as of late and
>noticing that some spam with a score above the mark I've set has been
>getting into the mailbox declared as non-spam (auto whitelisted). Here is
>a sample header:
>
>X-sapl.ab.ca-MailScanner-SpamCheck: not spam (whitelisted),
>        SpamAssassin (score=22.391, required 9, AS_SEEN_ON 1.49,
>        BANG_GUARANTEE 1.00, BAYES_99 5.40, DATE_IN_PAST_96_XX 1.53,
>        DNS_FROM_RFCI_DSN 0.29, HTML_MESSAGE 0.10, INCREASE_SEX 1.73,
>        LOSEBODYFAT 2.88, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32,
>        RAVAGESOFAGING 1.98, REVERSE_AGING 1.00, WRINKLES 4.10)

Um.. the (whitelisted) does not mean that SA's AWL kicked in.. that means
that MAILSCANNER whitelisted it.

From shrek-m at GMX.DE Fri Feb 6 21:04:34 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:21 2006
Subject: SA 2.63 upgrade
In-Reply-To:
References:
Message-ID: <40240162.7010707@gmx.de>

Jim Dickenson wrote:

>I have seen that mentioned
>

what have you seen mentioned ?? ;-)

> in the list before but as it has always worked
>for me I did not know exactly why people make the recommendation.
>
>In addition SA is being called, what is not happening is that email that had
>tripped many rules before are not tripping those rules. I have seen email
>that for some time had been receiving scores in the teens now receive a
>score of 0.
>--
>Jim Dickenson
>mailto:dickenson@cfmc.com
>
>Computers for Marketing Corporation
>http://www.cfmc.com/
> > > > > >>From: Mike Kercher >>Reply-To: MailScanner mailing list >>Date: Fri, 6 Feb 2004 14:37:46 -0600 >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: SA 2.63 upgrade >> >>The recommendation is to NOT use the rpm to install/upgrade SpamAssassin >>unless you recompile the rpm from the .src.rpm >> >>Mike >> >> >> >> >>>-----Original Message----- >>>From: MailScanner mailing list >>>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jim Dickenson >>>Sent: Friday, February 06, 2004 2:17 PM >>>To: MAILSCANNER@JISCMAIL.AC.UK >>>Subject: Re: SA 2.63 upgrade >>> >>>I am seeing the same problem. I updated, as I have always >>>done, via RPM. >>>What I am seeing is that none of the standard rules are >>>getting tripped, just the RulesDuJour additions I have installed. >>> >>>I originally had the RulesDuJour .cf file in >>>/usr/share/spamassassin along with the ones distributed with >>>SA. I have moved them to /etc/mail/spamassassin but I am >>>still seeing the same behavior. >>> >>>I also see that all the stuff that is spam is being >>>auto-learned in my bayes files. What is the best way to stop >>>using bayes files and then creating new ones. I need to get >>>this problem sorted out before I can try to get my bayes >>>files loaded again. >>> >>>TIA, >>>-- >>>Jim Dickenson >>>mailto:dickenson@cfmc.com >>> >>>Computers for Marketing Corporation >>>http://www.cfmc.com/ >>> >>> >>> >>> >>> >>>>From: Chris Harris >>>>Reply-To: MailScanner mailing list >>>>Date: Fri, 6 Feb 2004 13:22:33 -0600 >>>>To: MAILSCANNER@JISCMAIL.AC.UK >>>>Subject: Re: SA 2.63 upgrade >>>> >>>>I upgraded SA via CPAN >>>> >>>>----- Original Message ----- >>>>From: "Mike Kercher" >>>>To: >>>>Sent: Friday, February 06, 2004 9:06 AM >>>>Subject: Re: SA 2.63 upgrade >>>> >>>> >>>> >>>> >>>>>No. How did you upgrade SA? >>>>> >>>>> >>>>> >>>>>________________________________ 
>>>>> >>>>> From: MailScanner mailing list >>>>>[mailto:MAILSCANNER@JISCMAIL.AC.UK] >>>>>On Behalf Of Chris Harris >>>>> Sent: Friday, February 06, 2004 8:42 AM >>>>> To: MAILSCANNER@JISCMAIL.AC.UK >>>>> Subject: SA 2.63 upgrade >>>>> >>>>> >>>>> I upgraded SA to 2.63, and now tons of spam messages are >>>>>coming through. There are still messages being flagged as >>>>> >>>>> >>>spam, but >>> >>> >>>>>the amount >>>>> >>>>> >>>>that >>>> >>>> >>>>>is not flagged has went up quite a bit. Has anyone else >>>>> >>>>> >>>had this problem? >>> >>> >>>>> Chris >>>>> >>>>> >>>>> > > > > -- shrek-m From henker at S-H-COM.DE Fri Feb 6 21:05:55 2004 From: henker at S-H-COM.DE (Steffan Henke) Date: Thu Jan 12 21:22:21 2006 Subject: SA 2.63 upgrade In-Reply-To: References: Message-ID: On Fri, 6 Feb 2004, Jim Dickenson wrote: > I have seen that mentioned in the list before but as it has always worked > for me I did not know exactly why people make the recommendation. ...because if often does *not* work. There were so many people who had probs with the rpm, so manual installation is recommended. Regards, Steffan From webmaster at sapl.ab.ca Fri Feb 6 21:20:47 2004 
From: webmaster at sapl.ab.ca (webmaster)
Date: Thu Jan 12 21:22:22 2006
Subject: OT? Spamassassin's auto-whitelisting and MailScanner
In-Reply-To: <6.0.0.22.0.20040206160548.0264c390@xanadu.evi-inc.com>
References: <3749.192.168.128.190.1076090847.squirrel@192.168.128.190> <6.0.0.22.0.20040206160548.0264c390@xanadu.evi-inc.com>
Message-ID: <3938.192.168.128.190.1076102447.squirrel@192.168.128.190>

Interesting indeed. Then it must mean that I have a problem with my
blacklist rules file. I'm going to take out the reference to my blacklist
rules file and see if that helps.

Thanks for the heads up.

Peter Verhagen

> At 01:07 PM 2/6/2004, webmaster wrote:
>>I've been watching some of the spam I've been receiving as of late and
>>noticing that some spam with a score above the mark I've set has been
>>getting into the mailbox declared as non-spam (auto whitelisted). Here is
>>a sample header:
>>
>>X-sapl.ab.ca-MailScanner-SpamCheck: not spam (whitelisted),
>>        SpamAssassin (score=22.391, required 9, AS_SEEN_ON 1.49,
>>        BANG_GUARANTEE 1.00, BAYES_99 5.40, DATE_IN_PAST_96_XX 1.53,
>>        DNS_FROM_RFCI_DSN 0.29, HTML_MESSAGE 0.10, INCREASE_SEX 1.73,
>>        LOSEBODYFAT 2.88, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY
>> 0.32,
>>        RAVAGESOFAGING 1.98, REVERSE_AGING 1.00, WRINKLES 4.10)
>
> Um.. the (whitelisted) does not mean that SA's AWL kicked in.. that means
> that MAILSCANNER whitelisted it.
>
>

From rzewnickie at RFA.ORG Fri Feb 6 21:33:00 2004
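Added example, not part of any message in this thread: the point Matt Kettler makes above, that "(whitelisted)" in the SpamCheck header is MailScanner's own whitelist and not SpamAssassin's AWL, can be audited across stored headers with a small parser. It handles only the header shape quoted in this thread; the function names and the second sample header are constructed for illustration.

```python
import re

# Header value quoted in the thread above, with its folded lines joined.
THREAD_HEADER = (
    "not spam (whitelisted), SpamAssassin (score=22.391, required 9, "
    "AS_SEEN_ON 1.49, BANG_GUARANTEE 1.00, BAYES_99 5.40, "
    "DATE_IN_PAST_96_XX 1.53, DNS_FROM_RFCI_DSN 0.29, HTML_MESSAGE 0.10, "
    "INCREASE_SEX 1.73, LOSEBODYFAT 2.88, MIME_HTML_NO_CHARSET 0.56, "
    "MIME_HTML_ONLY 0.32, RAVAGESOFAGING 1.98, REVERSE_AGING 1.00, "
    "WRINKLES 4.10)"
)
# Constructed sample: an ordinary low-scoring message, folded over two lines.
CLEAN_HEADER = ("not spam, SpamAssassin (score=1.2, required 9,\n"
                "\tHTML_MESSAGE 0.10, EXAMPLE_RULE 1.10)")

SA_PART = re.compile(r"SpamAssassin \((.*)\)")


def parse_spamcheck(value):
    """Parse the value of an X-...-MailScanner-SpamCheck header."""
    flat = " ".join(value.split())          # undo header folding
    match = SA_PART.search(flat)
    if match is None:
        raise ValueError("no SpamAssassin section in header: %r" % flat)
    prefix = flat[:match.start()]           # MailScanner's own verdict
    if prefix.startswith("not spam"):
        verdict = "not spam"
    elif prefix.startswith("spam"):
        verdict = "spam"
    else:
        verdict = "unknown"
    result = {"verdict": verdict,
              "whitelisted": "(whitelisted)" in prefix,
              "score": None, "required": None, "rules": {}}
    for field in (f.strip() for f in match.group(1).split(",")):
        try:
            if field.startswith("score="):
                result["score"] = float(field[len("score="):])
            elif field.startswith("required "):
                result["required"] = float(field.split()[1])
            elif " " in field:
                name, _, points = field.rpartition(" ")
                result["rules"][name] = float(points)
        except ValueError:
            continue                        # skip fields we cannot read
    return result


def whitelist_overrides(header_values):
    """Return parsed headers where the MailScanner whitelist passed a message
    that SpamAssassin scored at or above the required threshold."""
    hits = []
    for value in header_values:
        parsed = parse_spamcheck(value)
        if (parsed["whitelisted"]
                and parsed["score"] is not None
                and parsed["required"] is not None
                and parsed["score"] >= parsed["required"]):
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for hit in whitelist_overrides([THREAD_HEADER, CLEAN_HEADER]):
        top = sorted(hit["rules"].items(), key=lambda kv: -kv[1])[:3]
        print("whitelisted despite score %.3f (required %.0f); top rules: %s"
              % (hit["score"], hit["required"], top))
```

A hit here says the whitelist rule matched, so the place to look is the MailScanner whitelist configuration, not the SpamAssassin Auto Whitelist setting.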
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:22 2006
Subject: SA 2.63 upgrade
In-Reply-To:
References: <000801c3ece6$923c3b80$2105a8c0@delta>
Message-ID: <20040206213300.GE9261@rfa.org>

On Fri, Feb 06, 2004 at 12:16:40PM -0800, Jim Dickenson wrote:
> files. What is the best way to stop using bayes files and then creating new
> ones. I need to get this problem sorted out before I can try to get my bayes
> files loaded again.

I don't know if it's the right way, but I just moved my
/var/spool/MailScanner/spamassassin/bayes_* to /tmp and retrained bayes

Seemed to work for me.

Note: I have not upgraded to 2.63, yet. My bayes files were corrupted
somehow around the time of the debian perl security update that came out
earlier this week.

-Eric

From james at grayonline.id.au Fri Feb 6 22:43:04 2004
From: james at grayonline.id.au (James Gray)
Date: Thu Jan 12 21:22:22 2006
Subject: SA 2.63 upgrade
In-Reply-To:
References:
Message-ID: <200402070943.04859.james@grayonline.id.au>

On Sat, 7 Feb 2004 07:16 am, Jim Dickenson wrote:
> I am seeing the same problem. I updated, as I have always done, via RPM.
> What I am seeing is that none of the standard rules are getting tripped,
> just the RulesDuJour additions I have installed.
>
> I originally had the RulesDuJour .cf file in /usr/share/spamassassin
> along with the ones distributed with SA. I have moved them to
> /etc/mail/spamassassin but I am still seeing the same behavior.
>
> I also see that all the stuff that is spam is being auto-learned in my
> bayes files. What is the best way to stop using bayes files and then
> creating new ones. I need to get this problem sorted out before I can try
> to get my bayes files loaded again.
>
> TIA,
> --
> Jim Dickenson

Jim,

I posted a similar problem to this list a few weeks ago when I upgraded my
FreeBSD box via "ports" (fBSD "packages" for want of a better term). All my
custom rules were being tripped but none of the standard SA2.63 rules. The
problem was that between 2.61 -> 2.63 the fBSD port maintainer had moved the
location of the standard rules from /usr/share/spamassassin to
/usr/local/share/spamassassin. All I needed to do was manually tell
MailScanner where the SpamAssassin files were, restart and voila! Here's the
relevant lines from MailScanner.conf:

SpamAssassin Local Rules Dir = /etc/mail/spamassassin
SpamAssassin Default Rules Dir = /usr/local/share/spamassassin

Hope that helps :) The problem is that all the default SA rules are
version-specific. You can ONLY use 2.63 rules with SA2.63 etc. Sounds like
your spamassassin is finding the older 2.61 rules with the 2.63 engine which
means it will ignore them - have a look in the standard rules files; there's
a "require 2.63" or something similar at the top of each one.
DON'T change this BTW, this will break things even worse than it already is.

Cheers,

James
--
Fortune cookies says:
The price one pays for pursuing any profession, or calling, is an intimate
knowledge of its ugly side.
                -- James Baldwin

From dickenson at CFMC.COM Fri Feb 6 22:50:10 2004
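Added example, not part of any message in this thread: James Gray's diagnosis above (stock rules written for another SpamAssassin version being ignored, or MailScanner pointing at a directory the new install no longer uses) can be checked before restarting. The sketch reads the "SpamAssassin Default Rules Dir" setting he quotes and compares each rule file's require_version line with the engine version; the function names, the demo tree, and the assumption that the caller supplies the engine version in the same format the rule files use are all assumptions of this example.

```python
import os
import re
import tempfile

# SpamAssassin rule files can pin the engine version they were written for.
REQUIRE_RE = re.compile(r"^\s*require_version\s+(\S+)", re.MULTILINE)


def conf_value(conf_text, key):
    """Return the value of the first 'Key = value' line in MailScanner.conf
    text, comparing keys without regard to case or spaces."""
    wanted = key.replace(" ", "").lower()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]            # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        if name.replace(" ", "").lower() == wanted:
            return value.strip()
    return None


def rules_versions(rules_dir):
    """Map each .cf file to the version named by its require_version line
    (None when the file has no such line)."""
    versions = {}
    for name in sorted(os.listdir(rules_dir)):
        if name.endswith(".cf"):
            path = os.path.join(rules_dir, name)
            with open(path, errors="replace") as handle:
                match = REQUIRE_RE.search(handle.read())
            versions[name] = match.group(1) if match else None
    return versions


def audit_default_rules(conf_text, engine_version):
    """Report whether the configured default rules directory exists and which
    rule files the given engine version would refuse to load."""
    rules_dir = conf_value(conf_text, "SpamAssassin Default Rules Dir")
    report = {"dir": rules_dir, "exists": False, "mismatched": [], "usable": []}
    if not rules_dir or not os.path.isdir(rules_dir):
        return report                           # the moved-directory case
    report["exists"] = True
    for name, wanted in rules_versions(rules_dir).items():
        if wanted is not None and wanted != engine_version:
            report["mismatched"].append(name)   # the stale-rules case
        else:
            report["usable"].append(name)
    return report


def build_demo(root, rules_version):
    """Create a constructed rules tree under root and return matching
    MailScanner.conf text. File contents are invented for the demo."""
    rules_dir = os.path.join(root, "share", "spamassassin")
    os.makedirs(rules_dir)
    for name in ("20_body_tests.cf", "50_scores.cf"):
        with open(os.path.join(rules_dir, name), "w") as handle:
            handle.write("require_version %s\nbody DEMO_RULE /demo/\n"
                         % rules_version)
    return "SpamAssassin Default Rules Dir = %s\n" % rules_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        conf = build_demo(root, "2.61")         # old rules left on disk
        print(audit_default_rules(conf, "2.63"))
```

An empty "usable" list, or "exists" being False, matches the symptom reported in the thread: only locally installed add-on rules fire and scores collapse.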
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:22:22 2006
Subject: SA 2.63 upgrade
In-Reply-To: <40240162.7010707@gmx.de>
Message-ID:

What I have seen is people recommend not using the RPM. I have not seen a
reason for that. This is why I am asking.

I have not had a problem using the RPM since I started using MS a few months
ago, until this update. My original install of SA was via RPM files and I
have used them to do updates since. I had SA running without MS at first and
added MS with clamAV some time after.

I do not know what is going on with the current version of SA but some
scanning is being done as I get some spam flagged like this:

X-CfMC-MailScanner-SpamCheck: spam, SpamAssassin (score=17.565, required 5,
        BigEvilList_108 3.00, BigEvilList_79 3.00, FORGED_OUTLOOK_TAGS 1.10,
        J_BACKHAIR_12 1.00, J_BACKHAIR_13 1.00, J_BACKHAIR_15 1.00,
        J_BACKHAIR_22 1.00, J_BACKHAIR_35 1.00, J_BACKHAIR_42 1.00,
        J_BACKHAIR_51 1.00, J_BACKHAIR_53 1.00, TW_BF 0.08, TW_BT 0.08,
        TW_BZ 0.08, TW_CQ 0.08, TW_DJ 0.08, TW_DW 0.08, TW_FC 0.08,
        TW_FQ 0.08, TW_JD 0.08, TW_JP 0.08, TW_KK 0.08, TW_KP 0.08,
        TW_LB 0.08, TW_MV 0.08, TW_PD 0.08, TW_QD 0.08, TW_QH 0.08,
        TW_QR 0.08, TW_QU 0.08, TW_QY 0.08, TW_SF 0.08, TW_TD 0.08,
        TW_VG 0.08, TW_VU 0.08, TW_WB 0.08, TW_WC 0.08, TW_WQ 0.08,
        TW_WZ 0.08, TW_XV 0.08, TW_YZ 0.08, TW_ZT 0.08, TW_ZW 0.08)

but only a very few non RulesDuJour rules are being triggered. I think I
have successfully disabled bayes but that has not changed things.

I updated SA yesterday at about 8AM. As you can see the "caught" spam has
fallen off since then:

Date   Mail   Spam   %     Virus  %    Volume
28/01  2,289  1,179  51.5  58     2.5  13.3Mb
29/01  8,223  4,224  51.4  222    2.7  73Mb
30/01  8,185  4,245  51.9  198    2.4  89Mb
31/01  6,883  3,685  53.5  94     1.4  27.6Mb
01/02  7,167  3,992  55.7  83     1.2  46.1Mb
02/02  8,304  4,280  51.5  138    1.7  66.1Mb
03/02  8,724  4,375  50.1  138    1.6  67.2Mb
04/02  8,498  4,282  50.4  125    1.5  120.3Mb
05/02  8,454  2,376  28.1  121    1.4  137.3Mb
06/02  5,143  828    16.1  81     1.6  66.2Mb

--
Jim Dickenson
mailto:dickenson@cfmc.com

Computers for Marketing Corporation
http://www.cfmc.com/

> From: "shrek-m@gmx.de" > Reply-To: MAILSCANNER@JISCMAIL.AC.UK > Date: Fri, 6 Feb 2004 22:04:34 +0100 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SA 2.63 upgrade > > Jim Dickenson wrote: > >> I have seen that mentioned >> > > what have you seen mentioned ?? ;-) > > >> in the list before but as it has always worked >> for me I did not know exactly why people make the recommendation. >> >> In addition SA is being called, what is not happening is that email that had >> tripped many rules before are not tripping those rules. I have seen email >> that for some time had been receiving scores in the teens now receive a >> score of 0. >> -- >> Jim Dickenson >> mailto:dickenson@cfmc.com >> >> Computers for Marketing Corporation >> http://www.cfmc.com/ >> >> >> >> >> >>> From: Mike Kercher >>> Reply-To: MailScanner mailing list >>> Date: Fri, 6 Feb 2004 14:37:46 -0600 >>> To: MAILSCANNER@JISCMAIL.AC.UK >>> Subject: Re: SA 2.63 upgrade >>> >>> The recommendation is to NOT use the rpm to install/upgrade SpamAssassin >>> unless you recompile the rpm from the .src.rpm >>> >>> Mike >>> >>> >>> >>> >>>> -----Original Message-----
>>>> From: MailScanner mailing list >>>> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jim Dickenson >>>> Sent: Friday, February 06, 2004 2:17 PM >>>> To: MAILSCANNER@JISCMAIL.AC.UK >>>> Subject: Re: SA 2.63 upgrade >>>> >>>> I am seeing the same problem. I updated, as I have always >>>> done, via RPM. >>>> What I am seeing is that none of the standard rules are >>>> getting tripped, just the RulesDuJour additions I have installed. >>>> >>>> I originally had the RulesDuJour .cf file in >>>> /usr/share/spamassassin along with the ones distributed with >>>> SA. I have moved them to /etc/mail/spamassassin but I am >>>> still seeing the same behavior. >>>> >>>> I also see that all the stuff that is spam is being >>>> auto-learned in my bayes files. What is the best way to stop >>>> using bayes files and then creating new ones. I need to get >>>> this problem sorted out before I can try to get my bayes >>>> files loaded again. >>>> >>>> TIA, >>>> -- >>>> Jim Dickenson >>>> mailto:dickenson@cfmc.com >>>> >>>> Computers for Marketing Corporation >>>> http://www.cfmc.com/ >>>> >>>> >>>> >>>> >>>> >>>>> From: Chris Harris >>>>> Reply-To: MailScanner mailing list >>>>> Date: Fri, 6 Feb 2004 13:22:33 -0600 >>>>> To: MAILSCANNER@JISCMAIL.AC.UK >>>>> Subject: Re: SA 2.63 upgrade >>>>> >>>>> I upgraded SA via CPAN >>>>> >>>>> ----- Original Message ----- >>>>> From: "Mike Kercher" >>>>> To: >>>>> Sent: Friday, February 06, 2004 9:06 AM >>>>> Subject: Re: SA 2.63 upgrade >>>>> >>>>> >>>>> >>>>> >>>>>> No. How did you upgrade SA? >>>>>> >>>>>> >>>>>> >>>>>> ________________________________ >>>>>> 
>>>>>> From: MailScanner mailing list >>>>>> [mailto:MAILSCANNER@JISCMAIL.AC.UK] >>>>>> On Behalf Of Chris Harris >>>>>> Sent: Friday, February 06, 2004 8:42 AM >>>>>> To: MAILSCANNER@JISCMAIL.AC.UK >>>>>> Subject: SA 2.63 upgrade >>>>>> >>>>>> >>>>>> I upgraded SA to 2.63, and now tons of spam messages are >>>>>> coming through. There are still messages being flagged as >>>>>> >>>>>> >>>> spam, but >>>> >>>> >>>>>> the amount >>>>>> >>>>>> >>>>> that >>>>> >>>>> >>>>>> is not flagged has went up quite a bit. Has anyone else >>>>>> >>>>>> >>>> had this problem? >>>> >>>> >>>>>> Chris >>>>>> >>>>>> >>>>>> >> >> >> >> > > > -- > shrek-m From victor at PIXELMAGICFX.COM Sat Feb 7 00:29:59 2004 From: victor at PIXELMAGICFX.COM (Victor DiMichina) Date: Thu Jan 12 21:22:22 2006 Subject: 200,000 downloads of MailScanner References: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk> Message-ID: <40243187.9070008@pixelmagicfx.com> Julian Field wrote: > > Many thanks to all of you for helping to spread the word and make my > little > bit of code possibly the most widely-used combined email virus scanner > and > spam detector in the world. Many thanks? I think that's OUR line! :) Impressive. Vic Pixel Magic From peter at UCGBOOK.COM Sat Feb 7 00:34:39 2004 
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:22 2006
Subject: SA 2.63 upgrade
In-Reply-To:
References:
Message-ID: <4024329F.9050303@ucgbook.com>

Jim Dickenson wrote:
> What I have seen is people recommend not using the RPM. I have not seen a
> reason for that. This is why I am asking.

The binary RPM:s have fixed paths for everything and MS can't find what it
needs, you seem to have lost all rules SA provides for example. People have
had mixed results but for most it simply does not work and it's not
supported when used with MS. Isn't that enough for you?

Back out the SA RPM and install from CPAN.

# rpm -e name_of_sa_rpm
# perl -e shell -MCPAN
cpan> install Mail::SpamAssassin

It will work.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From jester at SPYDERINTERNET.COM Sat Feb 7 00:39:28 2004
From: jester at SPYDERINTERNET.COM (jester)
Date: Thu Jan 12 21:22:22 2006
Subject: mailscanner mrtg
Message-ID: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com>

I've downloaded and installed the new mailscanner mrtg, I'm getting these
errors and I'm not really sure why, other than just being completely
oblivious to something I've missed.

thanks in advance
Michael

What should these be set to and are they not correct? (well if they were, I
wouldn't get errors)

Unable to find a mountpoint for /var/spool/mqueue. Please set Spool
Directory in mailscanner-mrtg.conf to a valid mountpoint
Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please
set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint

--
This message has been scanned for viruses and
dangerous content by our MailScanner, and is
believed to be clean.

From henker at S-H-COM.DE Sat Feb 7 00:59:06 2004
From: henker at S-H-COM.DE (Steffan Henke)
Date: Thu Jan 12 21:22:22 2006
Subject: SA 2.63 upgrade
In-Reply-To: <4024329F.9050303@ucgbook.com>
References: <4024329F.9050303@ucgbook.com>
Message-ID:

On Sat, 7 Feb 2004, Peter Bonivart wrote:

> cpan> install Mail::SpamAssassin
> It will work.

I added it to the FAQ today, maybe we should append this as a footer to
*every* msg to the list :)

Regards,
Steffan

From dickenson at CFMC.COM Sat Feb 7 02:06:05 2004
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:22:22 2006
Subject: SA 2.63 upgrade
In-Reply-To: <200402070943.04859.james@grayonline.id.au>
Message-ID:

Thanks for the pointer about old .cf files not working with a new version.
This led me to the solution. I will try to remember this for future updates
and leave a trail for those behind me.

The install from the RPM was the cause of the problem. I now remember
dealing with this at some time in the past as well. The
perl-Mail-SpamAssassin-2.63-1 RPM file put stuff in the 5.6.1 directory but
I am running perl 5.8.0 so the new .cf files got installed but as the new
perl stuff got put into the "wrong" place I was still using the old version
of SA. Moving a bit of stuff around fixed the problem. I also made a link
from 5.6.1 to 5.8.0 so maybe I will remember this in the future.

I guess the correct thing to do would be to uninstall the RPMs and install
SA some other way. Maybe another day. One wasted day is enough this time
around ;)

Again thanks much!
--
Jim Dickenson
mailto:dickenson@cfmc.com

Computers for Marketing Corporation
http://www.cfmc.com/
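The failure Jim Dickenson describes above (rule files from one SpamAssassin release read by the engine of another) and the version line James Gray mentions in the reply quoted below can be checked before MailScanner is restarted. The script is an added example, not code from the thread; it assumes the pin is spelled `require_version N.NN`, that the engine skips a file whose pin differs from its own version, and that add-on rule files carry no pin. The sample rule files and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumptions: rule files pin their version with "require_version N.NN" and
# the engine skips any file whose pin differs from its own version.

# Print the Mail::SpamAssassin version this perl loads and the file it came
# from. A path under another perl's tree means the new modules are stranded.
engine_info() {
    perl -MMail::SpamAssassin -e \
        'print $Mail::SpamAssassin::VERSION, " ", $INC{"Mail/SpamAssassin.pm"}, "\n"'
}

# check_rules_dir ENGINE_VERSION DIR
# Prints one line per *.cf file: OK, MISMATCH or UNPINNED, then the file name.
# Returns 1 if any file is MISMATCH (the engine would skip it), else 0.
check_rules_dir() {
    engine=$1
    dir=$2
    rc=0
    for f in "$dir"/*.cf; do
        [ -f "$f" ] || continue
        # First pin in the file; commented-out lines do not match.
        pin=$(awk '$1 == "require_version" { print $2; exit }' "$f")
        name=${f##*/}
        if [ -z "$pin" ]; then
            echo "UNPINNED $name"
        elif [ "$pin" = "$engine" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name pinned=$pin engine=$engine"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data: two stock rule files pinned to 2.63 and one
# add-on file with no pin. Prints the temporary directory it created.
make_sample_rules() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'require_version 2.63' \
        'header CONSTRUCTED_HEAD Subject =~ /constructed/' > "$d/20_head_tests.cf"
    printf '%s\n' '# stock body rules' 'require_version 2.63' \
        'body CONSTRUCTED_BODY /constructed/' > "$d/20_body_tests.cf"
    printf '%s\n' '# add-on rules, no version pin' \
        'body CONSTRUCTED_ADDON /constructed/' > "$d/70_addon.cf"
    echo "$d"
}

if [ $# -eq 2 ]; then
    # Real use: engine version and rules directory given on the command line.
    check_rules_dir "$1" "$2"
else
    # Demo: an older 2.61 engine reading rules installed for 2.63. Only the
    # unpinned add-on file would still load.
    sample=$(make_sample_rules) || exit 1
    echo "engine 2.61 reading rules installed for 2.63:"
    check_rules_dir 2.61 "$sample" || echo "stock rules would be skipped"
    rm -rf "$sample"
fi
```

With two arguments (engine version, rules directory) the script checks a real directory; `engine_info` prints the version and module path to compare against.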
> From: James Gray
> Reply-To: james@grayonline.id.au
> Date: Sat, 7 Feb 2004 09:43:04 +1100
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SA 2.63 upgrade
>
> On Sat, 7 Feb 2004 07:16 am, Jim Dickenson wrote:
>> I am seeing the same problem. I updated, as I have always done, via RPM.
>> What I am seeing is that none of the standard rules are getting tripped,
>> just the RulesDuJour additions I have installed.
>>
>> I originally had the RulesDuJour .cf file in /usr/share/spamassassin
>> along with the ones distributed with SA. I have moved them to
>> /etc/mail/spamassassin but I am still seeing the same behavior.
>>
>> I also see that all the stuff that is spam is being auto-learned in my
>> bayes files. What is the best way to stop using bayes files and then
>> creating new ones. I need to get this problem sorted out before I can try
>> to get my bayes files loaded again.
>>
>> TIA,
>> --
>> Jim Dickenson
>
> Jim,
>
> I posted a similar problem to this list a few weeks ago when I upgraded my
> FreeBSD box via "ports" (fBSD "packages" for want of a better term). All
> my custom rules were being tripped but none of the standard SA2.63 rules.
> The problem was that between 2.61 -> 2.63 the fBSD port maintainer had
> moved the location of the standard rules from /usr/share/spamassassin to
> /usr/local/share/spamassassin. All I needed to do was manually tell
> MailScanner where the SpamAssassin files were, restart and voila!
>
> Here's the relevant lines from MailScanner.conf:
> SpamAssassin Local Rules Dir = /etc/mail/spamassassin
> SpamAssassin Default Rules Dir = /usr/local/share/spamassassin
>
> Hope that helps :) The problem is that all the default SA rules are
> version-specific. You can ONLY use 2.63 rules with SA2.63 etc. Sounds
> like your spamassassin is finding the older 2.61 rules with the 2.63 engine
> which means it will ignore them - have a look in the standard rules files;
> there's a "require 2.63" or something similar at the top of each one. DON'T
> change this BTW, this will break things even worse than it already is.
>
> Cheers,
>
> James
> --
> Fortune cookies says:
> The price one pays for pursuing any profession, or calling, is an intimate
> knowledge of its ugly side. -- James Baldwin

From danielk at AVALONPUB.COM Sat Feb 7 02:36:11 2004
From: danielk at AVALONPUB.COM (Daniel Kleinsinger)
Date: Thu Jan 12 21:22:22 2006
Subject: Trend scanner log data missing
In-Reply-To: <1076030975.1991.17.camel@jaguar.dorfam.ca>
References: <1076030975.1991.17.camel@jaguar.dorfam.ca>
Message-ID: <40244F1B.9060306@avalonpub.com>

Gerry Doris wrote:

>Notice that Trend has identified the virus in a separate line. However,
>in /var/log/maillog everything is there except for the Trend data. The
>log only contains a line that says "Trend found one infections".
>
>Is there a way to get the Trend data into the mail log or is this part
>of the trend scanning binary?
>
>
I have the same issue with Trend. I wrote to the list about it, but
never got a response. Now that 2 of us have reported the problem maybe
someone will take a look. My original post has sample output from
trend-wrapper.

http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0401&L=mailscanner&P=R97373&I=-1

Daniel

From gdoris at ROGERS.COM Sat Feb 7 03:29:21 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:22:22 2006
Subject: mailscanner mrtg
In-Reply-To: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com>
References: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com>
Message-ID: <1076124561.8270.24.camel@jaguar.dorfam.ca>

On Fri, 2004-02-06 at 19:39, jester wrote:
> I've downloaded and installed the new mailscanner mrtg, I'm getting these
> errors and I'm not really sure why, other than just being completely
> oblivious to something I've missed.
>
> thanks in advance
> Michael
>
> What should these be set to and are they not correct? (well if they were, I
> wouldn't get errors)
>
> Unable to find a mountpoint for /var/spool/mqueue. Please set Spool
> Directory in mailscanner-mrtg.conf to a valid mountpoint
> Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please
> set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint
>
>
> --
> This message has been scanned for viruses and
> dangerous content by our MailScanner, and is
> believed to be clean.

The latest version will not record data into a Spool Directory graph or a
Work Directory graph unless it is a mount point (i.e. the graphs will be
empty). If you are using a tmpfs directory then go into
mailscanner-mrtg.conf and change the value there
(/var/spool/MailScanner/incoming) to the correct mount point. Do the same
for Spool Directory value if you have a directory you want monitored (must
be on a mount point).

If you aren't going to use these values and want to stop the messages you
can go to /etc/cron.d and change the line in mailscanner-mrtg.crond to read

0-59/5 root /usr/bin/mrtg /etc/mrtg/mailscanner-mrtg.cfg > /dev/null 2>&1

The above is all on one line. That will send those warning messages
quietly to the bit bucket.

--
Gerry Doris

From mailscanner at ecs.soton.ac.uk Sat Feb 7 10:38:58 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:22 2006 Subject: Trend scanner log data missing In-Reply-To: <40244F1B.9060306@avalonpub.com> References: <1076030975.1991.17.camel@jaguar.dorfam.ca> <40244F1B.9060306@avalonpub.com> Message-ID: <6.0.1.1.2.20040207103556.044a5e68@imap.ecs.soton.ac.uk> At 02:36 07/02/2004, you wrote: >Gerry Doris wrote: > >>Notice that Trend has identified the virus in a separate line. However, >>in /var/log/maillog everything is there except for the Trend data. The >>log only contains a line that says "Trend found one infections". >> >>Is there a way to get the Trend data into the mail log or is this part >>of the trend scanning binary? >> >I have the same issue with Trend. I wrote to the list about it, but >never got a response. Now that 2 of us have reported the problem maybe >someone will take a look. My original post has sample output from >trend-wrapper. > >http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0401&L=mailscanner&P=R97373&I=-1 Please mail me a reminder off-list. I am extremely snowed under at the moment, and don't have much time for MailScanner work. You're not getting any of my day-job hours at all right now. If you can mail me a copy of the latest Trend scanner, that would help so I can test it properly. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From kevin at KEVINSPICER.CO.UK Sat Feb 7 10:12:38 2004 
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:22 2006
Subject: mailscanner mrtg
In-Reply-To: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com>
References: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com>
Message-ID: <1076148758.11003.30.camel@bach.kevinspicer.co.uk>

On Sat, 2004-02-07 at 00:39, jester wrote:
> What should these be set to and are they not correct? (well if they were, I
> wouldn't get errors)
>
> Unable to find a mountpoint for /var/spool/mqueue. Please set Spool
> Directory in mailscanner-mrtg.conf to a valid mountpoint
> Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please
> set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint

Please see the thread discussing this on the MailScanner-MRTG sourceforge
site.
http://sourceforge.net/forum/forum.php?thread_id=1018853&forum_id=234161

Note to MailScanner-MRTG users:
Julian and everyone on this list have been very tolerant of our MSMRTG
discussions, but I'm aware that this is a fairly high traffic list and
don't want to cause inconvenience to others. I'm also seeing duplication of
issues on this list and on the sourceforge forums. Therefore I would
appreciate it if MailScanner-MRTG issues could be posted to the forums on
the sourceforge site - this will also assist other users by providing a
single searchable resource. I will continue to post announcements of new
releases here.

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard.
My public key may be obtained from http://www.keyserver.net

From mailscanner at ecs.soton.ac.uk Sat Feb 7 11:39:37 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:22 2006 Subject: f-secure version 4.52 In-Reply-To: <029301c3ec4e$10f5bc10$6401a8c0@game> References: <029301c3ec4e$10f5bc10$6401a8c0@game> Message-ID: <6.0.1.1.2.20040207113819.03756ec0@imap.ecs.soton.ac.uk> Please apply this patch to /usr/lib/MailScanner/MailScanner/SweepViruses.pm It comes down to a 1 character change to the code :-) ------SNIP------- --- SweepViruses.pm.old 2003-12-01 16:26:26.000000000 +0000 +++ SweepViruses.pm 2004-02-07 11:37:34.000000000 +0000 @@ -1585,7 +1585,10 @@ $fsecure_InHeader++; return 0; } - $fsecure_InHeader == 0 or return 0; + # This test is more vague than it used to be, but is more tolerant to + # output changes such as extra headers. Scanning non-scanning data is + # not a great idea but causes no harm. + $fsecure_InHeader >= 0 or return 0; $report = $line; $logout = $line; ------SNIP------- At 01:09 06/02/2004, you wrote: >At 19:38 05/02/2004, you wrote: > >MailScanner E-Mail Virus Scanner version 4.26.8 starting... > >F-Secure Anti-Virus for Linux version 4.52 build 2461 > > > > > >I have posted also in the mail letter but no responce.. > > > >Thanks > >----- Original Message ----- 
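Review bot: The relaxed guard "$fsecure_InHeader >= 0 or return 0;" never closes again once the counter reaches 0, so every later line of scanner output, including any trailer or additional header block, falls through to "$report = $line; $logout = $line;". The added comment says this "causes no harm" but not why: it should state the counter's starting value and name the later check that rejects non-infection lines, since neither is visible in this hunk. A tighter alternative is to match the infection-report line format explicitly, and to log when the scanner's banner or header count is not what the parser expects, so that the next output change appears in the log instead of as a scanner that is run but never reports, which is the symptom in the report quoted with this patch.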
> >From: "Julian Field" > <mailscanner@ecs.soton.ac.uk> > >To: "Tim Murphy" <tmurphy@icmcontrols.com> > >Sent: Thursday, February 05, 2004 1:55 PM > >Subject: Re: Not realy sure where to ask this ? i have posted in a couple of > >forums.. but no responce > > > > > > > What version of MailScanner and F-Secure are you using? > > > > > > The best place to ask is on the MailScanner mailing list. See > > > www.mailscanner.info for subscription > instructions. > > > > > > At 14:13 05/02/2004, you wrote: > > > >Thanks.... > > > >System is RH / cpanel / exim / > > > > > > > >I just installed the new version of MailScanner > > > >as of right now > > > >Virus Scanners = rav clamav f-prot f-secure mcafee > > > > > > > >Rav (Registered) (Works) > > > >Clamav (Free) (Works) > > > >F-prot (Trial) (Works) > > > >Mcafee (Trial) (Works) > > > >F-secure (Registered) (Seems Not To Work) > > > > > > > >i can do the command line for f-secure > > > >/usr/lib/MailScanner/f-secure-wrapper /opt/f-secure/fsav /tmp > > > >-And that works > > > >Database version: 2004-02-05_01 > > > >Scan started at Thu Feb 5 09:05:31 2004 > > > >Scan ended at Thu Feb 5 09:05:32 2004 > > > >11 files scanned > > > > > > > >But it is not catching any virus in incoming emails > > > >---------------paste from email--------------------- > > > >MessageID: 1Aojlz-0002FM-LP > > > >Report: > > > > Rav: ./1Aojlz-0002FM-LP/body.zip->body.txt .pif Infected: > > > > > <Win32/Mydoom.A@mm>mailto:Win32/Mydoom.A@mm>Win32/Mydoom.A@mm > > > > ClamAV: body.zip contains Worm.SCO.A > > > > F-Prot: > > > > > /var/spool/MailScanner/incoming/30908/1Aojlz-0002FM-LP/body.zip-body.txt > > > > Infection: > <W32/Mydoom.A@mm>mailto:W32/Mydoom.A@mm>W32/Mydoom.A@mm > > > > McAfee: /1Aojlz-0002FM-LP/body.zip Found the > > > > > <W32/Mydoom.a@MM>mailto:W32/Mydoom.a@MM>W32/Mydoom.a@MM > virus !!! 
> > > >-----------------End Paste------------------- > > > >I dont see any thing in any of the infected mails about f-secure > > > > > > > >----------paste from maillog--------------- > > > >Feb 5 09:01:07 srv1 update.virus.scanners: Found f-secure installed > > > >Feb 5 09:01:07 srv1 update.virus.scanners: Running autoupdate for > >f-secure > > > >-------------End Paste------------------------- > > > > > > > >Mailscanner is seeing it.. > > > > > > > > > > > >Thanks.. > > > > > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at > www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > >-- >Julian Field >www.MailScanner.info >Professional Support Services at >www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From michele at BLACKNIGHTSOLUTIONS.COM Sat Feb 7 15:23:51 2004 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:22 2006 Subject: OT - list options In-Reply-To: <1076148758.11003.30.camel@bach.kevinspicer.co.uk> References: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com> <1076148758.11003.30.camel@bach.kevinspicer.co.uk> Message-ID: <1257.159.134.245.217.1076167431.squirrel@www.blacknightsolutions.com> Slightly OT, but I was wondering if there was any chance of messages to the list being prepended by "Mailscanner" or similar. When using my desktop email client I filter mail using the "to" or "from" fields, however I cannot use this with my IMAP webmail, as I wouldn't be able to download mail after. Michele From ugob at CAMO-ROUTE.COM Sat Feb 7 15:24:07 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:22 2006 Subject: vnames.pl and mailstats with clamav-module In-Reply-To: References: <4024329F.9050303@ucgbook.com> Message-ID: <40250317.9070706@camo-route.com> Hi, Has anyone been able to make vnames.pl and mailstats with clamav-module? It worked ok with ClamAV. I don't find other settings than "clamav". It is reported correctly with mailscanner-mrtg. Thanks, Ugo From ugob at CAMO-ROUTE.COM Sat Feb 7 15:27:19 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:22 2006 Subject: mailscanner mrtg In-Reply-To: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com> References: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com> Message-ID: <402503D7.3070802@camo-route.com> jester wrote: > Ive download and installed the new mailscanner mrtg, im getting these > errors and im not really sure why, other than just being completely > oblivious to something I've missed. > > thanks in advance > Michael > > What should these be set to and are they not correct? (well if they were, i > wouldnt get errors) do the command mount you'll get the mount points available on your system. You can choose the one you want, usually /var. It will then monitor its usage. > > Unable to find a mountpoint for /var/spool/mqueue. Please set Spool > Directory in mailscanner-mrtg.conf to a valid mountpoint > Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please > set MailScanner Work Directory in mailscanner-mrtg.conf to a valid > mountpoint > > > -- > This message has been scanned for viruses and > dangerous content by our MailScanner, and is > believed to be clean. From mailscanner at ecs.soton.ac.uk Sat Feb 7 15:54:56 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:22 2006 Subject: OT - list options In-Reply-To: <1257.159.134.245.217.1076167431.squirrel@www.blacknightsol utions.com> References: <6.0.0.22.2.20040206183756.02133f90@spyderinternet.com> <1076148758.11003.30.camel@bach.kevinspicer.co.uk> <1257.159.134.245.217.1076167431.squirrel@www.blacknightsolutions.com> Message-ID: <6.0.1.1.2.20040207155428.02dbd4f0@imap.ecs.soton.ac.uk> You can do this yourself at www.jiscmail.ac.uk/lists/mailscanner.html At 15:23 07/02/2004, you wrote: >Slightly OT, but I was wondering if there was any chance of messages to >the list being prepended by "Mailscanner" or similar. >When using my desktop email client I filter mail using the "to" or "from" >fields, however I cannot use this with my IMAP webmail, as I wouldn't be >able to download mail after. > >Michele -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From David.While at UCE.AC.UK Sat Feb 7 15:39:25 2004 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:22:22 2006 Subject: vnames.pl and mailstats with clamav-module Message-ID: <107DE25EC0216C45AEF670016024245F6441B3@exchangea.staff.uce.ac.uk> The current version of mailstats doesn't support the clamav-module but the next version will. David While -----Original Message----- From: MailScanner mailing list on behalf of Ugo Bellavance Sent: Sat 2/7/2004 3:24 PM To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: vnames.pl and mailstats with clamav-module Hi, Has anyone been able to make vnames.pl and mailstats with clamav-module? It worked ok with ClamAV. I don't find other settings than "clamav". It is reported correctly with mailscanner-mrtg. Thanks, Ugo From lenaig at WANADOO.FR Sat Feb 7 18:56:04 2004 
From: lenaig at WANADOO.FR (Thierry) Date: Thu Jan 12 21:22:22 2006 Subject: mailscanner-mrtg/Spam logs ? Message-ID: <20040207185604.GA15196@maelenn> Hi, I still have a problem with my mailscanner-mrtg who do not want to scan the number of spam that i should have ? I was speaking to kevin about it, he told me to put Log spam = yes, that's what i did long time ago ... But still do not work. this evening i think about something, i am still using fetchmail/procmail to fetch and sort all of my emails ... Is that possible that fetchmail/procmail (with mda "/usr/local/bin/procmail -d %T") took all of my spam before mailscanner/spamassassin ?? If i am right, how can i do to correct this ? thx -- Thierry Ne faites jamais un "apt-get install new-wife" avant un "apt-get remove --purge current-wife" From kevins at BMRB.CO.UK Sat Feb 7 21:45:20 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:22 2006
Subject: mailscanner-mrtg/Spam logs ?
In-Reply-To: <20040207185604.GA15196@maelenn>
References: <20040207185604.GA15196@maelenn>
Message-ID: <1076190321.11002.40.camel@bach.kevinspicer.co.uk>

On Sat, 2004-02-07 at 18:56, Thierry wrote:
> Hi,
> I still have a problem with my mailscanner-mrtg who do not want to scan the number of spam that i should have ?
> I was speaking to kevin about it, he told me to put Log spam = yes, that's what i did long time ago ... But still do not work.
> this evening i think about something, i am still using fetchmail/procmail to fetch and sort all of my emails ... Is that possible that fetchmail/procmail (with mda "/usr/local/bin/procmail -d %T") took all of my spam before mailscanner/spamassassin ?? If i am right, how can i do to correct this ?
>

Ah you didn't tell me that! If you have set fetchmail to use procmail
then all incoming mail will bypass MailScanner completely. Usually simply
deleting the mda option will cause fetchmail to start using sendmail to
handle incoming mail (naturally I'd advise testing this before putting it
into production)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From faq at mailscanner.info Sun Feb 8 00:28:04 2004
From: faq at mailscanner.info (faq@mailscanner.info) Date: Thu Jan 12 21:22:22 2006 Subject: Faq-O-Matic Error Log Message-ID: <200402080028.i180S4Kj008710@seer.ecs.soton.ac.uk> Errors from MailScanner Faq-O-Matic (v. 2.717): 2004-02-01-11-38-11 2.717 error editPart 21680 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 2; in item: 3) 2004-02-02-07-08-26 2.717 error editPart 5905 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 3; in item: 4) From rcooper at DIMENSION-FLM.COM Sun Feb 8 00:31:07 2004 From: rcooper at DIMENSION-FLM.COM (Rick Cooper) Date: Thu Jan 12 21:22:22 2006 Subject: Different score with SpamAssassin Alone Message-ID: Hopefully someone will see/think something I have missed on this, it's driving me up the wall.. I have been getting a lot of mail from the new SpamAssassin list dumped into my spam box even though I had the list whitelisted. I then wrote a custom rule that would look at the Return-path header (since the from address could be some other address with a cc to the list) and tested it with SA and all worked fine. But when it runs through MailScanner (and I restarted MS several times) it misses every single time. Below is a sample header section of the last message that got tagged spam. Rules that are in the same .cf file as the rule in question will have hits but the RC_SA_LIST has not hit once, spam or ham. And every time I run it on the same message in the SpamBox it gets dumped into (by MailScanner delete forward spam) it will hit the RC_SA_LIST rule. 
(MailScanner Version 4.23-7 SA Version 2.63)

Message header:

Return-path:
Envelope-to: SpamMailBox@MyDomain.com
Delivery-date: Sat, 07 Feb 2004 16:44:24 -0500
Received: from daedalus.apache.org ([208.185.179.12] helo=mail.apache.org)
        by Mail.MyDomain.com with smtp (Exim 4.22)
        id 1ApaFQ-0003Vn-MY
        for MyUname@MyDomain.com; Sat, 07 Feb 2004 16:44:20 -0500
Received: (qmail 68038 invoked by uid 500); 7 Feb 2004 21:44:06 -0000
Mailing-List: contact spamassassin-users-help@incubator.apache.org; run by ezmlm
Precedence: bulk
list-help:
list-unsubscribe:
list-post:
List-Id: "SpamAssassin Users"

Rule:

header RC_SA_LIST Return-path =~ /spamassassin-users-return-[0-9]{2,4}-MyUname=MyDomain\.com\@incubator\.apache\.org/i

Original Score from MailScanner (right out of the header)

X-XXXXX-MailScanner-SpamCheck: spam, SpamAssassin (score=7.759, required 5,
        AWL -5.91, CLICK_BELOW 0.00, FROM_HAS_MIXED_NUMS 0.30,
        FVGT_TRIPWIRE_FC 0.08, FVGT_TRIPWIRE_LQ 0.08, FVGT_TRIPWIRE_LW 0.08,
        FVGT_TRIPWIRE_QC 0.08, FVGT_TRIPWIRE_WC 0.08, FVGT_m_MULTI_ODD2 1.10,
        FVGT_m_MULTI_ODD3 1.10, FVGT_m_MULTI_ODD4 1.10, FVGT_m_MULTI_ODD5 1.10,
        HTML_40_50 0.47, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00,
        OACYS_m_MULTI_CONS4 3.00, RC_B_REGALIS 4.50, b_OBFU_QnoU 0.50)
X-DFW-MailScanner-SpamScore: sssssss

Note that RC_B_REGALIS is in the same .cf file as RC_SA_LIST,

Score running spamassassin directly: (with the -p option or not, I have
local.cf linked to etc/spam.assassin.prefs.conf)

X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on MyDomain.com
X-Spam-Level:
X-Spam-Status: No, hits=-106.3 required=5.0 tests=CLICK_BELOW,
        FROM_HAS_MIXED_NUMS,FVGT_TRIPWIRE_FC,FVGT_TRIPWIRE_LQ,
        FVGT_TRIPWIRE_LW,FVGT_TRIPWIRE_QC,FVGT_TRIPWIRE_WC,FVGT_m_MULTI_ODD2,
        FVGT_m_MULTI_ODD3,FVGT_m_MULTI_ODD4,FVGT_m_MULTI_ODD5,HTML_40_50,
        HTML_LINK_CLICK_HERE,HTML_MESSAGE,OACYS_m_MULTI_CONS4,RC_B_REGALIS,
        RC_SA_LIST,USER_IN_WHITELIST,b_OBFU_QnoU autolearn=no version=2.63
        ^^^^^^^^^  ^^^^^^^^^^^^^^^^^

So when SA is called directly it hits the whitelist and the custom
RC_SA_LIST rule, but both are missed when MailScanner is front-ending SA.

I have not updated MailScanner as I don't want to have to repatch Exim.pm,
or reapply the custom logging code to log the "To:" address(s), and
truncate the SA return to 800 chars, as I have not created a patch for that
as of yet.

Anyone have an idea?

Thanks
Rick Cooper

From adrian at gds.ro Sun Feb 8 00:31:49 2004
From: adrian at gds.ro (Adrian Voinea)
Date: Thu Jan 12 21:22:22 2006
Subject: No subject
Message-ID: <57593.193.230.152.1.1076200309.squirrel@kiki.gds.ro>

Hello, here's my problem:

Sometimes, mailscanner uses a lot of cpu, for a long amount of time. The
mail server's load average rises to ~13 and stays that way for a while. You
can see the cpu hogs' activity in the strace output. (I searched for "shmat
and umoven: Input/output error" on google and this error is obviously
related to the high cpu usage:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=shmat+umoven+cpu)

What do you think is wrong? Did anyone else encounter this error?

System configuration:
Celeron 2.4
512 ram
Kernel 2.4.23
perl 5.6.1
sendmail 8.12.11
mailscanner 4.26.7, sa+bayes enabled
spamassassin 2.63

#ps auxf output(some of the processes that consume lots of cpu time):
root 7823 0.8 21.7 117172 112232 ? S 07:48 1:42 \_ /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/MailScanner/etc/MailScanner.conf
root 8149 1.0 19.7 117284 102152 ? S 08:06 1:47 \_ /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/MailScanner/etc/MailScanner.conf

#strace -p 7823 output:
setup() = 0
time([1076057709]) = 1076057709
chdir("/var/spool/mqueue.in") = 0
open(".", O_RDONLY|O_NONBLOCK|0x18000) = 7
fstat64(0x7, 0xbffffb3c) = 0
shmat(7, 0x89eab58, 0x2ptrace: umoven: Input/output error ) = ?
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 368
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 0
close(7) = 0
umask(0177) = 077
umask(077) = 0177
time([1076057709]) = 1076057709
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({30, 0}, {30, 0}) = 0
time([1076057739]) = 1076057739
chdir("/var/spool/mqueue.in") = 0
open(".", O_RDONLY|O_NONBLOCK|0x18000) = 7
fstat64(0x7, 0xbffffb3c) = 0
shmat(7, 0x89eab58, 0x2ptrace: umoven: Input/output error ) = ?
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 568
stat64(0x86254e0, 0x80f51e0) = 0
stat64(0x86254e0, 0x80f51e0) = 0
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 0
close(7) = 0
umask(0177) = 077
open("/var/spool/mqueue.in/qfi168t9Rc012372", O_RDWR|0x8000) = 7
fstat64(0x7, 0x80f5380) = 0
shmat(7, 0x96c5298, 0x2ptrace: umoven: Input/output error ) = ?
flock(7, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily unavailable)
close(7) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/var/spool/mqueue.in/qfi168tRg2012377", O_RDWR|0x8000) = 7
fstat64(0x7, 0x80f5380) = 0
shmat(7, 0x97440b8, 0x2ptrace: umoven: Input/output error ) = ?
flock(7, LOCK_EX|LOCK_NB) = 0
open("/var/spool/mqueue.in/dfi168tRg2012377", O_RDWR|0x8000) = 8
fstat64(0x8, 0x80f5380) = 0
shmat(8, 0x96cd8a0, 0x2ptrace: umoven: Input/output error ) = ?
flock(8, LOCK_EX|LOCK_NB) = 0
stat64(0x9648758, 0x80f51e0) = 0
stat64(0x9648758, 0x80f51e0) = 0
stat64(0x963a680, 0x80f51e0) = 0
stat64(0x963a680, 0x80f51e0) = 0
fstat64(0x7, 0xbffff95c) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x403aa000
_llseek(7, 0, [0], SEEK_SET) = 0
read(7, "V6\nT1076057730\nK0\nN0\nP32901\nF8bs"..., 4096) = 928
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/opt/MailScanner/incoming/7823/i168tRg2012377.header", O_WRONLY|O_CREAT|O_TRUNC|0x8000, 0666) = 9
fstat64(0x9, 0x80f5380) = 0
shmat(9, 0xb95fd18, 0x2ptrace: umoven: Input/output error ) = ?

The only error I get in the logs is:
Feb 6 11:01:11 kiki MailScanner[8096]: SpamAssassin timed out and was killed, consecutive failure 1 of 50

Thanks,
Adrian

From craig at WESTPRESS.COM Sun Feb 8 00:31:42 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:22 2006
Subject: SpamAssassins config options and sa-learn
Message-ID: <64753.68.63.190.49.1076200302.squirrel@new.host.name>

I have installed MailWatch (http://mailwatch.sourceforge.net/) along side
of MailScanner with SpamAssassin using Sendmail as my MTA. I have also
created two user accounts ('spam', and 'notspam') for our employees to send
their email to teach SpamAssassin's Bayesian learning filter.

MailScanner, MailWatch, and SpamAssassin seem to be working great, and as I
am about to implement the 'spam' and 'notspam' email option, I find myself
with some confusion....

Does MailScanner honor the SpamAssassin options that are set in
SpamAssassins 'local.cf' file? Or does MailScanner instead only use the
options which are set in /etc/MailScanner/spam.assassin.prefs.conf.
I guess what I am asking is this, I want to add these options, but am confused as to where to stick them:

use_bayes 1
bayes_path /etc/MailScanner/bayes
auto_learn 1
skip_rbl_checks 1
use_razor2 1
use_dcc 1
use_pyzor 0
dcc_add_header 1
dns_available yes

header LOCAL_RCVD Received =~ /\S+\.domain\.com\s+\(.*\[.*\]\)/
describe LOCAL_RCVD Received from local machine
score LOCAL_RCVD -50

## Optional Score Increases
score DCC_CHECK 4.000
score RAZOR2_CHECK 2.500
score BAYES_99 4.300
score BAYES_90 3.500
score BAYES_80 3.000

Finally, I want to set up a script and crontab that will force sa-learn to learn from 'spam' and 'notspam', and in this case would I also use /etc/MailScanner/spam.assassin.prefs.conf?

my_sa-learn.sh:

#!/bin/sh
if [ -e /var/mail/spam ]; then
    /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/spam
    rm /var/mail/spam > /dev/null
fi
if [ -e /var/mail/notspam ]; then
    /usr/bin/sa-learn --ham -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/notspam
    rm /var/mail/notspam > /dev/null
fi
/usr/bin/sa-learn --rebuild -p /etc/MailScanner/spam.assassin.prefs.conf

Am I on the right track here?

Craig D.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support.

From steve.swaney at FSL.COM Sun Feb 8 00:49:17 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:22 2006
Subject: Different score with SpamAssassin Alone
In-Reply-To:
Message-ID: <20040208004917.2A86521C138@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Rick Cooper
> Sent: Saturday, February 07, 2004 7:31 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Different score with SpamAssassin Alone
>
> Hopefully someone will see/think something I have missed on this,
> it's driving me up the wall..
>
> I have been getting a lot of mail from the new SpamAssassin list
> dumped into my spam box even though I had the list whitelisted. I
> then wrote a custom rule that would look at the Return-path
> header (since the from address could be some other address with a
> cc to the list) and tested it with SA and all worked fine. But
> when it runs through MailScanner (and I restarted MS several
> times) it misses every single time. Below is a sample header
> section of the last message that got tagged spam. Rules that are
> in the same .cf file as the rule in question will have hits but
> the RC_SA_LIST has not hit once, spam or ham. And every time I
> run it on the same message in the SpamBox it gets dumped into (by
> MailScanner delete forward spam) it will hit the RC_SA_LIST
> rule. (MailScanner Version 4.23-7 SA Version 2.63)
>

Where are you placing your rules? On a typical Linux system, by default, SpamAssassin and MailScanner (configurable in the latest release) look for files that end in ".cf" in /etc/mail/spamassassin

You could also append the rules to /etc/MailScanner/spam.assassin.prefs.conf.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com > Message header: > > Return-path: > che.org> > Envelope-to: SpamMailBox@MyDomain.com > Delivery-date: Sat, 07 Feb 2004 16:44:24 -0500 > Received: from daedalus.apache.org ([208.185.179.12] > helo=mail.apache.org) > by Mail.MyDomain.com with smtp (Exim 4.22) > id 1ApaFQ-0003Vn-MY > for MyUname@MyDomain.com; Sat, 07 Feb 2004 16:44:20 -0500 > Received: (qmail 68038 invoked by uid 500); 7 Feb 2004 > 21:44:06 -0000 > Mailing-List: contact > spamassassin-users-help@incubator.apache.org; run by ezmlm > Precedence: bulk > list-help: > list-unsubscribe: > > list-post: > List-Id: "SpamAssassin Users" > > Rule: > > header RC_SA_LIST Return-path =~ > /spamassassin-users-return-[0-9]{2,4}-MyUname=MyDomain\.com\@incu > bator\.apache\.org/i > > Original Score from MailScanner (right out of the header) > > X-XXXXX-MailScanner-SpamCheck: spam, SpamAssassin (score=7.759, > required 5, > AWL -5.91, CLICK_BELOW 0.00, FROM_HAS_MIXED_NUMS 0.30, > FVGT_TRIPWIRE_FC 0.08, FVGT_TRIPWIRE_LQ 0.08, > FVGT_TRIPWIRE_LW 0.08, > FVGT_TRIPWIRE_QC 0.08, FVGT_TRIPWIRE_WC 0.08, > FVGT_m_MULTI_ODD2 1.10, > FVGT_m_MULTI_ODD3 1.10, FVGT_m_MULTI_ODD4 1.10, > FVGT_m_MULTI_ODD5 1.10, HTML_40_50 0.47, > HTML_LINK_CLICK_HERE 0.10, > HTML_MESSAGE 0.00, OACYS_m_MULTI_CONS4 3.00, RC_B_REGALIS > 4.50, > b_OBFU_QnoU 0.50) > X-DFW-MailScanner-SpamScore: sssssss > > Note that RC_B_REGALIS is in the same .cf file as RC_SA_LIST > , > > Score running spamassassin directly: > (with the -p option or not, I have local.cf linked to > etc/spam.assassin.prefs.conf) > > > X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on > MyDomain.com > X-Spam-Level: > X-Spam-Status: No, hits=-106.3 required=5.0 tests=CLICK_BELOW, > FROM_HAS_MIXED_NUMS,FVGT_TRIPWIRE_FC,FVGT_TRIPWIRE_LQ, > > FVGT_TRIPWIRE_LW,FVGT_TRIPWIRE_QC,FVGT_TRIPWIRE_WC,FVGT_m_MULTI_O > DD2, > > FVGT_m_MULTI_ODD3,FVGT_m_MULTI_ODD4,FVGT_m_MULTI_ODD5,HTML_40_50, > > HTML_LINK_CLICK_HERE,HTML_MESSAGE,OACYS_m_MULTI_CONS4,RC_B_REGALI > S, > 
RC_SA_LIST,USER_IN_WHITELIST,b_OBFU_QnoU autolearn=no > version=2.63 > ^^^^^^^^^ ^^^^^^^^^^^^^^^^^ > So when SA is called directly it hists the whitelist and the > custome RC_SA_LIST rule, but both are missed when MailScanner is > front-ending SA. I have not updated MailScanner as I don't want > to have to repatch Exim.pm, or reapply the custom logging code to > log the "To:" address(s), and truncate the SA return to 800 > chars, as I have not created a patch for that as of yet. > > Any one have an idea? > > Thanks > > > Rick Cooper > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Fortress Systems Ltd. www.fsl.com From peter at UCGBOOK.COM Sun Feb 8 01:06:28 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:22 2006 Subject: SpamAssassins config options and sa-learn In-Reply-To: <64753.68.63.190.49.1076200302.squirrel@new.host.name> References: <64753.68.63.190.49.1076200302.squirrel@new.host.name> Message-ID: <40258B94.2050206@ucgbook.com> Craig Daters wrote: > Does MailScanner honor the SpamAssassin options that are set in > SpamAssassins 'local.cf' file? Or does MailScanner instead only use the > options which are set in /etc/MailScanner/spam.assassin.prefs.conf. I > guess what I am asking is this, I want to add these options, but am > confused as to where to stick them: Make your changes in spam.assassin.prefs.conf and symlink local.cf to it. Then there's no confusion when you for example run spamassassin --lint to check rules. 
--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From dee at ASYOUNEED.COM Sun Feb 8 01:12:49 2004
From: dee at ASYOUNEED.COM (Dee Lowndes)
Date: Thu Jan 12 21:22:22 2006
Subject: Stopping Mailscanner actions
In-Reply-To: <40258B94.2050206@ucgbook.com>
Message-ID: <000901c3ede0$aae334e0$0201a8c0@lappy>

Hi,

Is it possible to stop Mailscanner from scanning any mails sent from localhost e.g. forms on user webspace?

Thanks,

Dee

From kevins at BMRB.CO.UK Sun Feb 8 01:27:11 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:22 2006
Subject: Stopping Mailscanner actions
In-Reply-To: <000901c3ede0$aae334e0$0201a8c0@lappy>
References: <000901c3ede0$aae334e0$0201a8c0@lappy>
Message-ID: <1076203631.11003.46.camel@bach.kevinspicer.co.uk>

On Sun, 2004-02-08 at 01:12, Dee Lowndes wrote:
> Hi,
>
> Is it possible to stop Mailscanner from scanning any mails sent from
> localhost e.g. forms on user webspace?
>

Yes use a ruleset for whatever options you want to turn off. (you don't mention whether you want to stop virus scanning, spam scanning, or whatever)

Take a look at the README and EXAMPLES files in /etc/MailScanner/rules

Just out of curiosity why do you want to stop it scanning them?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.
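
Added example, not part of Kevin's message and not MailScanner's own code: follow-ups later in this thread report that a bare `localhost` pattern did not match while `127.0.0.1` did, because a pattern containing letters is read as an address pattern and `localhost` behaves like `*@localhost`. The Python sketch below models only that described behaviour and lists scanning exemptions keyed on a sender address; the ruleset line layout, first-match-wins evaluation, helper names, and the sample rules and addresses are assumptions constructed for illustration.

```python
import fnmatch

# Constructed sample rulesets (not taken from the thread). Assumed layout:
#   <direction>: <pattern> <value>
RULESET_NAME = """\
# intended to exempt web forms on this host, but the pattern has letters
From:     localhost   no
FromOrTo: default     yes
"""

RULESET_IP = """\
# same intent, written as an IP address
From:     127.0.0.1   no
FromOrTo: default     yes
"""


def interpret(pattern):
    """Classify one pattern the way the thread describes it.

    Only digits and punctuation -> IP address of the connecting host.
    Anything with letters       -> e-mail address or domain; a bare word
                                   such as 'localhost' acts like '*@localhost'.
    """
    if pattern.lower() == "default":
        return ("default", "default")
    if not any(ch.isalpha() for ch in pattern):
        return ("ip", pattern)
    if "@" in pattern:
        return ("address", pattern)
    return ("address", "*@" + pattern)


def parse_ruleset(text):
    """Turn ruleset text into a list of rule dicts, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError("malformed rule: %r" % raw)
        kind, effective = interpret(fields[1])
        rules.append({
            "direction": fields[0].rstrip(":").lower(),
            "kind": kind,
            "pattern": effective,
            "value": fields[2].strip().lower(),
        })
    return rules


def rule_matches(rule, sender, recipient, client_ip):
    """Does this rule apply to a message with the given envelope and source IP?"""
    if rule["kind"] == "default":
        return True
    from_side = rule["direction"] in ("from", "fromorto")
    to_side = rule["direction"] in ("to", "fromorto")
    if rule["kind"] == "ip":
        # Assumption: exact match, or prefix match when the pattern ends in "."
        pat = rule["pattern"]
        return from_side and (client_ip == pat or
                              (pat.endswith(".") and client_ip.startswith(pat)))
    addresses = ([sender] if from_side else []) + ([recipient] if to_side else [])
    return any(fnmatch.fnmatchcase(a.lower(), rule["pattern"].lower())
               for a in addresses)


def evaluate(text, sender, recipient, client_ip):
    """Value of the first matching rule (first match wins is assumed)."""
    for rule in parse_ruleset(text):
        if rule_matches(rule, sender, recipient, client_ip):
            return rule["value"]
    return None


def risky_exemptions(text):
    """Patterns of 'no' rules that key on a sender address, which the
    sender chooses, rather than on the connecting host's IP address."""
    return [r["pattern"] for r in parse_ruleset(text)
            if r["value"] == "no" and r["kind"] == "address"
            and r["direction"] in ("from", "fromorto")]
```

With the name-based rule, mail submitted from 127.0.0.1 is still scanned, while any message whose envelope sender ends in `@localhost` is exempted regardless of where it connected from; the IP-based rule exempts only the local host.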
From rcooper at DIMENSION-FLM.COM Sun Feb 8 01:51:00 2004 From: rcooper at DIMENSION-FLM.COM (Rick Cooper) Date: Thu Jan 12 21:22:22 2006 Subject: Different score with SpamAssassin Alone In-Reply-To: <20040208004917.2A86521C138@mail.fsl.com> Message-ID: All of the .cf files are in /etc/mail/spamassassin, and reading below note that : RC_B_REGALIS is in the same .cf file as RC_SA_LIST and RC_B_REGALIS hit with MS. The only difference is that RC_B_REGALIS is not a negative score. Two rules same file, one is ignored when MS runs and neither is ignored when spamassassin is run alone, even with a command of spamassassin -p /opt/MailScanner/etc/spam.assassin.prefs.conf (which is redundant since SA will pick up the /etc/mail/spamassasin/local.cf link to /opt/MailScanner/etc/spam.assassin.prefs.conf) Rick > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Stephen Swaney > Sent: Saturday, February 07, 2004 7:49 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Different score with SpamAssassin Alone > > > > -----Original Message----- > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Rick Cooper > > Sent: Saturday, February 07, 2004 7:31 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Different score with SpamAssassin Alone > > > > Hopefully someone will see/think something I have > missed on this, > > it's driving me up the wall.. > > > > I have been getting a lot of mail from the new > SpamAssassin list > > dumped into my spam box even though I had the list > whitelisted. I > > then wrote a custom rule that would look at the Return-path > > header (since the from address could be some other > address with a > > cc to the list) and tested it with SA and all worked > fine. But > > when it runs through MailScanner (and I restarted MS several > > times) it misses every single time. Below is a sample header > > section of the last message that got tagged spam. 
> Rules that are > > in the same .cf file as the rule in question will > have hits but > > the RC_SA_LIST has not hit once, spam or ham. And > every time I > > run it on the same message in the SpamBox it gets > dumped into (by > > MailScanner delete forward spam) it will hit the RC_SA_LIST > > rule. (MailScanner Version 4.23-7 SA Version 2.63) > > > > Where are you placing your rules? On a typical Linux > system, by default, > SpamAssassin and MailScanner (configurable in the > latest release) look for > flies that end in ".cf" in /etc/mail/spamassassin > > You could also append the rules to > /etc/MailScanner/spam.assassin.prefs.conf. > > Steve > > Stephen Swaney > President > Fortress Systems Ltd. > Steve.Swaney@FSL.com > > > Message header: > > > > Return-path: > > > ubator.apa > > che.org> > > Envelope-to: SpamMailBox@MyDomain.com > > Delivery-date: Sat, 07 Feb 2004 16:44:24 -0500 > > Received: from daedalus.apache.org ([208.185.179.12] > > helo=mail.apache.org) > > by Mail.MyDomain.com with smtp (Exim 4.22) > > id 1ApaFQ-0003Vn-MY > > for MyUname@MyDomain.com; Sat, 07 Feb 2004 > 16:44:20 -0500 > > Received: (qmail 68038 invoked by uid 500); 7 Feb 2004 > > 21:44:06 -0000 > > Mailing-List: contact > > spamassassin-users-help@incubator.apache.org; run by ezmlm > > Precedence: bulk > > list-help: > > > list-unsubscribe: > > > > list-post: > > List-Id: "SpamAssassin Users" > > > > Rule: > > > > header RC_SA_LIST Return-path =~ > > > /spamassassin-users-return-[0-9]{2,4}-MyUname=MyDomain\ > .com\@incu > > bator\.apache\.org/i > > > > Original Score from MailScanner (right out of the header) > > > > X-XXXXX-MailScanner-SpamCheck: spam, SpamAssassin > (score=7.759, > > required 5, > > AWL -5.91, CLICK_BELOW 0.00, > FROM_HAS_MIXED_NUMS 0.30, > > FVGT_TRIPWIRE_FC 0.08, FVGT_TRIPWIRE_LQ 0.08, > > FVGT_TRIPWIRE_LW 0.08, > > FVGT_TRIPWIRE_QC 0.08, FVGT_TRIPWIRE_WC 0.08, > > FVGT_m_MULTI_ODD2 1.10, > > FVGT_m_MULTI_ODD3 1.10, FVGT_m_MULTI_ODD4 1.10, > > FVGT_m_MULTI_ODD5 
1.10, HTML_40_50 0.47, > > HTML_LINK_CLICK_HERE 0.10, > > HTML_MESSAGE 0.00, OACYS_m_MULTI_CONS4 3.00, > RC_B_REGALIS > > 4.50, > > b_OBFU_QnoU 0.50) > > X-DFW-MailScanner-SpamScore: sssssss > > > > Note that RC_B_REGALIS is in the same .cf file as RC_SA_LIST > > , > > > > Score running spamassassin directly: > > (with the -p option or not, I have local.cf linked to > > etc/spam.assassin.prefs.conf) > > > > > > X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on > > MyDomain.com > > X-Spam-Level: > > X-Spam-Status: No, hits=-106.3 required=5.0 > tests=CLICK_BELOW, > > > FROM_HAS_MIXED_NUMS,FVGT_TRIPWIRE_FC,FVGT_TRIPWIRE_LQ, > > > > > FVGT_TRIPWIRE_LW,FVGT_TRIPWIRE_QC,FVGT_TRIPWIRE_WC,FVGT > _m_MULTI_O > > DD2, > > > > > FVGT_m_MULTI_ODD3,FVGT_m_MULTI_ODD4,FVGT_m_MULTI_ODD5,H > TML_40_50, > > > > > HTML_LINK_CLICK_HERE,HTML_MESSAGE,OACYS_m_MULTI_CONS4,R > C_B_REGALI > > S, > > RC_SA_LIST,USER_IN_WHITELIST,b_OBFU_QnoU autolearn=no > > version=2.63 > > ^^^^^^^^^ ^^^^^^^^^^^^^^^^^ > > So when SA is called directly it hists the whitelist and the > > custome RC_SA_LIST rule, but both are missed when > MailScanner is > > front-ending SA. I have not updated MailScanner as I > don't want > > to have to repatch Exim.pm, or reapply the custom > logging code to > > log the "To:" address(s), and truncate the SA return to 800 > > chars, as I have not created a patch for that as of yet. > > > > Any one have an idea? > > > > Thanks > > > > > > Rick Cooper > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > Fortress Systems Ltd. > > www.fsl.com > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
>
>

From stefanzman at YAHOO.COM Sun Feb 8 02:58:53 2004
From: stefanzman at YAHOO.COM (Stefan Z)
Date: Thu Jan 12 21:22:22 2006
Subject: Sender Virus Warning
Message-ID:

Hello,

I am using MailScanner 4.26.8-1 on a LINUX rh9 box with exim 2.4 C-Panel. All was well until I updated MailScanner from 4.22-5 to this latest version. After this, the Warning messages for Infected mails are no longer being sent to Senders. The admin Virus notification is still going to the postmaster, but not to the Senders.

The settings in MailScanner.conf still specify to notify the Sender.

What should I check?

Thanks,

Stefan

From oldmaxgit at YAHOO.COM Sun Feb 8 09:14:19 2004
From: oldmaxgit at YAHOO.COM (Miserable Old Git)
Date: Thu Jan 12 21:22:22 2006
Subject: Spamcop not working
Message-ID:

Thanks Julian and Mike. Apologies for the lateness of this reply, another crisis got in the way. (does anybody have a script which will lengthen each day by a couple of hours) :o)

I have, I think, made the changes which should have stopped RBL checks in MailScanner and enabled them in SpamAssassin, but still I find Spamcop listed emails getting through. I would appreciate any further input you can offer here.

Rather than paste the whole, I have pasted some lines from my config files below (and hope I have all the important ones). I know that some of them are over the top, but would still appreciate comments.

In MailScanner.conf :

Spam Checks = yes
Spam List =
Spam Lists To Reach High Score = 1

Think these two are rather high, but wanted to give it every chance
Spam List Timeout = 15
Max Spam List Timeouts = 15

Use SpamAssassin = yes
Required SpamAssassin Score = 5
SpamAssassin Timeout = 40
Spam Actions = bounce
High Scoring Spam Actions = bounce

I know that SpamAssassin is slightly off topic but ...

In spam.assassin.prefs.conf :

# skip_rbl_checks 1 (commented out)
rbl_timeout 20
score RCVD_IN_BL_SPAMCOP_NET 6

Still tearing my hair out, so again, thanks for any help you can offer.

From lenaig at WANADOO.FR Sun Feb 8 08:40:10 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:22 2006
Subject: mailscanner-mrtg/Spam logs ?
In-Reply-To: <1076190321.11002.40.camel@bach.kevinspicer.co.uk>
References: <20040207185604.GA15196@maelenn> <1076190321.11002.40.camel@bach.kevinspicer.co.uk>
Message-ID: <20040208084010.GA99872@maelenn>

Working ... thx

--
Thierry
Never do an "apt-get install new-wife" before an "apt-get remove --purge current-wife"

From mailscanner at ecs.soton.ac.uk Sun Feb 8 09:38:45 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:22 2006
Subject: Sender Virus Warning
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040208093540.03d94ec0@imap.ecs.soton.ac.uk>

Virus Sender Warnings are a very bad idea. All major viruses now forge the sender address. So none of your warnings are going to the people who have the infected PCs, they are going to poor innocent third parties who are sick of getting millions of warning messages about viruses they don't have. This causes them lots of grief, it wastes a lot of my time (as they contact me for help or to rant or whinge) and it gives MailScanner a very bad name.

So sender warnings are now switched off.

At 02:58 08/02/2004, you wrote:
>Hello,
>
>I am using MailScanner 4.26.8-1 on a LINUX rh9 box with exim 2.4 C-Panel.
>All was well until I updated MailScanner from 4.22-5 to this latest
>version. After this, the Warning messages for Infected mails are no longer
>being sent to Senders. The admin Virus notification is still going to the
>postmaster, but not to the Senders.
>
>The settings in MailScanner.conf still specify to notify the Sender.
>
>What should I check?
>
>Thanks,
>
>Stefan

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From raymond at PROLOCATION.NET Sun Feb 8 10:19:30 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:22 2006
Subject: Spamcop not working
In-Reply-To:
Message-ID:

Hi!

> Use SpamAssassin = yes
> Required SpamAssassin Score = 5
> SpamAssassin Timeout = 40
> Spam Actions = bounce
> High Scoring Spam Actions = bounce

Don't bounce, this is a very bad idea, especially with high scoring spam you can almost be sure it won't reach the original sender anyway. Please turn that off.

Bye,
Raymond.

From dee at ASYOUNEED.COM Sun Feb 8 10:16:52 2004
From: dee at ASYOUNEED.COM (Dee Lowndes)
Date: Thu Jan 12 21:22:22 2006
Subject: Stopping Mailscanner actions
In-Reply-To: <1076203631.11003.46.camel@bach.kevinspicer.co.uk>
Message-ID: <001001c3ee2c$ac19f5a0$0201a8c0@lappy>

> > Is it possible to stop Mailscanner from scanning any mails sent from
> > localhost e.g. forms on user webspace?
> >
> Yes use a ruleset for whatever options you want to turn off. (you don't
> mention whether you want to stop virus scanning, spam scanning, or
> whatever)
>
> Take a look at the README and EXAMPLES files in /etc/MailScanner/rules
>
> Just out of curiosity why do you want to stop it scanning them?
>

Thanks Kevin,

I had been using that but it turns out localhost in my rules doesn't work but changing it to 127.0.0.1 did. Guess I was a bit tired last night :)

Dee

From mailscanner at ecs.soton.ac.uk Sun Feb 8 11:28:53 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:22 2006
Subject: Stopping Mailscanner actions
In-Reply-To: <001001c3ee2c$ac19f5a0$0201a8c0@lappy>
References: <1076203631.11003.46.camel@bach.kevinspicer.co.uk> <001001c3ee2c$ac19f5a0$0201a8c0@lappy>
Message-ID: <6.0.1.1.2.20040208112418.04559ec0@imap.ecs.soton.ac.uk>

At 10:16 08/02/2004, you wrote:
> > > Is it possible to stop Mailscanner from scanning any mails sent from
> > > localhost e.g. forms on user webspace?
> > >
> > Yes use a ruleset for whatever options you want to turn off. (you don't
> > mention whether you want to stop virus scanning, spam scanning, or
> > whatever)
> >
> > Take a look at the README and EXAMPLES files in /etc/MailScanner/rules
> >
> > Just out of curiosity why do you want to stop it scanning them?
> >
>
>Thanks Kevin,
>
>I had been using that but it turns out localhost in my rules doesn't
>work but changing it to 127.0.0.1 did. Guess I was a bit tired last night
>:)

It assumes that anything with letters in it is an email address, or email domain or things like that. It only recognises IP addresses when they are all numbers and punctuation. You might find that *@localhost.* might work, but it depends on your sendmail configuration a bit. Just putting in localhost is equivalent to *@localhost which isn't what you meant.
I tried to make the parser as intelligent as possible, as I don't see why you should have to tell it the full details of what you want when the parser can make a pretty reliable guess at what you meant :-)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From raymond at PROLOCATION.NET Sun Feb 8 11:47:38 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:22 2006
Subject: Spamcop not working
In-Reply-To:
Message-ID:

Hi!

After reading your post again:

> Spam List =
> Spam Lists To Reach High Score = 1
>
> Think these two are rather high, but wanted to give it every chance
> Spam List Timeout = 15
> Max Spam List Timeouts = 15
>
> Use SpamAssassin = yes
> Required SpamAssassin Score = 5
> SpamAssassin Timeout = 40
> Spam Actions = bounce
> High Scoring Spam Actions = bounce

You bounce mail if it's on _1_ RBL, why not reject them within your mailer, that way you don't bother people who didn't send the message in the first place. Seems a better idea for what you wanna do.

Bye,
Raymond.

From rcooper at DIMENSION-FLM.COM Sun Feb 8 12:34:51 2004
From: rcooper at DIMENSION-FLM.COM (Rick Cooper)
Date: Thu Jan 12 21:22:22 2006
Subject: Different score with SpamAssassin Alone
In-Reply-To:
Message-ID:

Ok I was being very brain dead... There is no return path when MailScanner gets the message as Exim has queued it for delivery but doesn't add the return path until final delivery, after MailScanner has processed it. Doh!

Rick

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Rick Cooper
> Sent: Saturday, February 07, 2004 7:31 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Different score with SpamAssassin Alone
>
>
> Hopefully someone will see/think something I have
> missed on this,
> it's driving me up the wall..
> > I have been getting a lot of mail from the new > SpamAssassin list > dumped into my spam box even though I had the list > whitelisted. I > then wrote a custom rule that would look at the Return-path > header (since the from address could be some other > address with a > cc to the list) and tested it with SA and all worked fine. But > when it runs through MailScanner (and I restarted MS several > times) it misses every single time. Below is a sample header > section of the last message that got tagged spam. > Rules that are > in the same .cf file as the rule in question will have hits but > the RC_SA_LIST has not hit once, spam or ham. And every time I > run it on the same message in the SpamBox it gets > dumped into (by > MailScanner delete forward spam) it will hit the RC_SA_LIST > rule. (MailScanner Version 4.23-7 SA Version 2.63) > > Message header: > > Return-path: > ubator.apa > che.org> > Envelope-to: SpamMailBox@MyDomain.com > Delivery-date: Sat, 07 Feb 2004 16:44:24 -0500 > Received: from daedalus.apache.org ([208.185.179.12] > helo=mail.apache.org) > by Mail.MyDomain.com with smtp (Exim 4.22) > id 1ApaFQ-0003Vn-MY > for MyUname@MyDomain.com; Sat, 07 Feb 2004 > 16:44:20 -0500 > Received: (qmail 68038 invoked by uid 500); 7 Feb 2004 > 21:44:06 -0000 > Mailing-List: contact > spamassassin-users-help@incubator.apache.org; run by ezmlm > Precedence: bulk > list-help: > > list-unsubscribe: > > list-post: > List-Id: "SpamAssassin Users" > > Rule: > > header RC_SA_LIST Return-path =~ > /spamassassin-users-return-[0-9]{2,4}-MyUname=MyDomain\ > .com\@incu > bator\.apache\.org/i > > Original Score from MailScanner (right out of the header) > > X-XXXXX-MailScanner-SpamCheck: spam, SpamAssassin (score=7.759, > required 5, > AWL -5.91, CLICK_BELOW 0.00, FROM_HAS_MIXED_NUMS 0.30, > FVGT_TRIPWIRE_FC 0.08, FVGT_TRIPWIRE_LQ 0.08, > FVGT_TRIPWIRE_LW 0.08, > FVGT_TRIPWIRE_QC 0.08, FVGT_TRIPWIRE_WC 0.08, > FVGT_m_MULTI_ODD2 1.10, > FVGT_m_MULTI_ODD3 1.10, FVGT_m_MULTI_ODD4 
1.10, > FVGT_m_MULTI_ODD5 1.10, HTML_40_50 0.47, > HTML_LINK_CLICK_HERE 0.10, > HTML_MESSAGE 0.00, OACYS_m_MULTI_CONS4 3.00, > RC_B_REGALIS > 4.50, > b_OBFU_QnoU 0.50) > X-DFW-MailScanner-SpamScore: sssssss > > Note that RC_B_REGALIS is in the same .cf file as RC_SA_LIST > , > > Score running spamassassin directly: > (with the -p option or not, I have local.cf linked to > etc/spam.assassin.prefs.conf) > > > X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on > MyDomain.com > X-Spam-Level: > X-Spam-Status: No, hits=-106.3 required=5.0 tests=CLICK_BELOW, > FROM_HAS_MIXED_NUMS,FVGT_TRIPWIRE_FC,FVGT_TRIPWIRE_LQ, > > FVGT_TRIPWIRE_LW,FVGT_TRIPWIRE_QC,FVGT_TRIPWIRE_WC,FVGT > _m_MULTI_O > DD2, > > FVGT_m_MULTI_ODD3,FVGT_m_MULTI_ODD4,FVGT_m_MULTI_ODD5,H > TML_40_50, > > HTML_LINK_CLICK_HERE,HTML_MESSAGE,OACYS_m_MULTI_CONS4,R > C_B_REGALI > S, > RC_SA_LIST,USER_IN_WHITELIST,b_OBFU_QnoU autolearn=no > version=2.63 > ^^^^^^^^^ ^^^^^^^^^^^^^^^^^ > So when SA is called directly it hists the whitelist and the > custome RC_SA_LIST rule, but both are missed when > MailScanner is > front-ending SA. I have not updated MailScanner as I don't want > to have to repatch Exim.pm, or reapply the custom > logging code to > log the "To:" address(s), and truncate the SA return to 800 > chars, as I have not created a patch for that as of yet. > > Any one have an idea? > > Thanks > > > Rick Cooper From eja at URBAKKEN.DK Sun Feb 8 14:08:20 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:22 2006 Subject: antivir Message-ID: <402642D4.1050603@urbakken.dk> Hi. Is anybody here having success with antivir and MailScanner ?. 
--
Erik

From shrek-m at GMX.DE Sun Feb 8 14:19:50 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:22 2006
Subject: OT: mydoom-a
Message-ID: <40264586.6040202@gmx.de>

----
Received: from iki.fi (ad245.neoplus.adsl.tpnet.pl [80.50.149.245])
by mx2.redhat.com (8.11.6/8.11.6) with SMTP id i18DSen12810
for ; Sun, 8 Feb 2004 08:28:41 -0500
----

hi,

all mydoom-a i get private or through lists are coming from
xxx.neoplus.adsl.tpnet.pl

can you check if this is the case ?

--
shrek-m

From mailscanner at ecs.soton.ac.uk Sun Feb 8 15:06:34 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To: <402642D4.1050603@urbakken.dk>
References: <402642D4.1050603@urbakken.dk>
Message-ID: <6.0.1.1.2.20040208150503.04696008@imap.ecs.soton.ac.uk>

Can someone send me a copy of Antivir? Sounds like it's another bug I need
to check out. Having a good bug killing weekend so far, I'll release a beta
once these are all sorted.

At 14:08 08/02/2004, you wrote:
>Hi.
>
>Is anybody here having success with antivir and MailScanner ?.
>--
>Erik

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Feb 8 15:12:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To: <402642D4.1050603@urbakken.dk>
References: <402642D4.1050603@urbakken.dk>
Message-ID: <6.0.1.1.2.20040208151225.058d26a0@imap.ecs.soton.ac.uk>

I currently have AntiVir / Linux Version 2.1.0-1 and it is working fine.
I guess you have a newer one.

At 14:08 08/02/2004, you wrote:
>Hi.
>
>Is anybody here having success with antivir and MailScanner ?.
>--
>Erik

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From adrian at gds.ro Sun Feb 8 15:23:29 2004
From: adrian at gds.ro (Adrian Voinea)
Date: Thu Jan 12 21:22:22 2006
Subject: MailScanner high CPU usage
Message-ID: <1039.193.230.152.4.1076253809.squirrel@kiki.gds.ro>

Hello,

here's my problem:
Sometimes, mailscanner uses a lot of cpu, for a long amount of time.
The mail server's load average rises to ~13 and stays that way for a while.
You can see the cpu hogs' activity in the strace output.
(I searched for "shmat and umoven: Input/output error" on google and this
error is obviously related to the high cpu usage:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=shmat+umoven+cpu)

What do you think is wrong? Did anyone else encounter this problem?

System configuration:
Celeron 2.4
512 ram
Kernel 2.4.23
perl 5.6.1
sendmail 8.12.11
mailscanner 4.26.7, sa+bayes enabled
spamassassin 2.63

#ps auxf output(some of the processes that consume lots of cpu time):
root 7823 0.8 21.7 117172 112232 ? S 07:48 1:42 \_ /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/MailScanner/etc/MailScanner.conf
root 8149 1.0 19.7 117284 102152 ? S 08:06 1:47 \_ /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/MailScanner/etc/MailScanner.conf

#strace -p 7823 output:
setup() = 0
time([1076057709]) = 1076057709
chdir("/var/spool/mqueue.in") = 0
open(".", O_RDONLY|O_NONBLOCK|0x18000) = 7
fstat64(0x7, 0xbffffb3c) = 0
shmat(7, 0x89eab58, 0x2ptrace: umoven: Input/output error ) = ?
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 368
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 0
close(7) = 0
umask(0177) = 077
umask(077) = 0177
time([1076057709]) = 1076057709
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({30, 0}, {30, 0}) = 0
time([1076057739]) = 1076057739
chdir("/var/spool/mqueue.in") = 0
open(".", O_RDONLY|O_NONBLOCK|0x18000) = 7
fstat64(0x7, 0xbffffb3c) = 0
shmat(7, 0x89eab58, 0x2ptrace: umoven: Input/output error ) = ?
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 568
stat64(0x86254e0, 0x80f51e0) = 0
stat64(0x86254e0, 0x80f51e0) = 0
ipc_subcall(0x7, 0x96db440, 0x1000, 0xb) = 0
close(7) = 0
umask(0177) = 077
open("/var/spool/mqueue.in/qfi168t9Rc012372", O_RDWR|0x8000) = 7
fstat64(0x7, 0x80f5380) = 0
shmat(7, 0x96c5298, 0x2ptrace: umoven: Input/output error ) = ?
flock(7, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily unavailable)
close(7) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/var/spool/mqueue.in/qfi168tRg2012377", O_RDWR|0x8000) = 7
fstat64(0x7, 0x80f5380) = 0
shmat(7, 0x97440b8, 0x2ptrace: umoven: Input/output error ) = ?
flock(7, LOCK_EX|LOCK_NB) = 0
open("/var/spool/mqueue.in/dfi168tRg2012377", O_RDWR|0x8000) = 8
fstat64(0x8, 0x80f5380) = 0
shmat(8, 0x96cd8a0, 0x2ptrace: umoven: Input/output error ) = ?
flock(8, LOCK_EX|LOCK_NB) = 0
stat64(0x9648758, 0x80f51e0) = 0
stat64(0x9648758, 0x80f51e0) = 0
stat64(0x963a680, 0x80f51e0) = 0
stat64(0x963a680, 0x80f51e0) = 0
fstat64(0x7, 0xbffff95c) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x403aa000
_llseek(7, 0, [0], SEEK_SET) = 0
read(7, "V6\nT1076057730\nK0\nN0\nP32901\nF8bs"..., 4096) = 928
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/opt/MailScanner/incoming/7823/i168tRg2012377.header", O_WRONLY|O_CREAT|O_TRUNC|0x8000, 0666) = 9
fstat64(0x9, 0x80f5380) = 0
shmat(9, 0xb95fd18, 0x2ptrace: umoven: Input/output error ) = ?

The only error I get in the logs is:
Feb 6 11:01:11 kiki MailScanner[8096]: SpamAssassin timed out and was killed, consecutive failure 1 of 50

Thanks,

From mailscanner at ecs.soton.ac.uk Sun Feb 8 15:25:26 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To: <402642D4.1050603@urbakken.dk>
References: <402642D4.1050603@urbakken.dk>
Message-ID: <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk>

I have just tested against 2.1.0 (latest on their web site) and it works fine.
Are you sure you have the licence key file installed into /usr/lib/AntiVir?
It won't work without it.

At 14:08 08/02/2004, you wrote:
>Hi.
>
>Is anybody here having success with antivir and MailScanner ?.
>--
>Erik

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Sun Feb 8 15:33:59 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To: <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk>
References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk>
Message-ID: <402656E7.9080109@urbakken.dk>

Julian Field wrote:
> I have just tested against 2.1.0 (latest on their web site) and it works
> fine.
> Are you sure you have the licence key file installed into /usr/lib/AntiVir?
> It won't work without it.

Yes I have:

I have run the:

/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp

And the result is here:

# /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
AntiVir / Linux Version 2.0.9-16
Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH.
All rights reserved.

Loading /usr/lib/AntiVir/antivir.vdf ...

VDF version: 6.23.0.53 created 30 Jan 2004

For private, non-commercial use only.
AntiVir license: 12345678 for Erik Jakobsen, Brovst

checking drive/path (list): /tmp

----- scan results -----
directories: 1
files: 15
alerts: 0
scan time: 00:00:01
------------------------
Thank you for using AntiVir.

> At 14:08 08/02/2004, you wrote:
>
>> Hi.
>>
>> Is anybody here having success with antivir and MailScanner ?.
>> --
>> Erik
>
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
Erik

From mailscanner at ecs.soton.ac.uk Sun Feb 8 15:40:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To: <402656E7.9080109@urbakken.dk>
References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk>
Message-ID: <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk>

Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is
detecting viruses in emails just fine. Both inside and outside zip files.
Everything just works, so I don't understand what problems other people are
having.

At 15:33 08/02/2004, you wrote:
>Julian Field wrote:
>>I have just tested against 2.1.0 (latest on their web site) and it works
>>fine.
>>Are you sure you have the licence key file installed into /usr/lib/AntiVir?
>>It won't work without it.
>
>Yes I have:
>
>I have run the:
>
>/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
>
>And the result is here:
>
># /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
>AntiVir / Linux Version 2.0.9-16
>Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH.
>All rights reserved.
>
>Loading /usr/lib/AntiVir/antivir.vdf ...
>
>VDF version: 6.23.0.53 created 30 Jan 2004
>
>For private, non-commercial use only.
>AntiVir license: 12345678 for Erik Jakobsen, Brovst
>
>checking drive/path (list): /tmp
>
>----- scan results -----
>directories: 1
>files: 15
>alerts: 0
>scan time: 00:00:01
>------------------------
>Thank you for using AntiVir.
>
>>At 14:08 08/02/2004, you wrote:
>>
>>>Hi.
>>>
>>>Is anybody here having success with antivir and MailScanner ?.
>>>--
>>>Erik
>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>--
>Erik

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From kevin at EVERTS.US Sun Feb 8 18:20:29 2004
From: kevin at EVERTS.US (Kevin Everts)
Date: Thu Jan 12 21:22:22 2006
Subject: Manually invoking MailScanner
Message-ID: <003701c3ee70$3b8585e0$7203a8c0@everts.us>

I am using MailScanner with Postfix to scan my incoming email. I am also
using getmail to poll my pop3 accounts and download my email. I would like
to process all of the email that getmail retrieves in MailScanner. The way
to do this is to invoke MailScanner manually. Is this possible? If so, what
is the command to do this?

Below is a message that I posted to the getmail mailing list. The reply is
from the author of getmail.

> I am in the process of setting up a new mail server with Postfix (using
> /Maildir's) , getmail, MailScanner and Maildrop. I have everything working
> except for getmail. I would like to have getmail first send my email to
> MailScanner for virus scanning and spam checking and then to Maildrop for
> sorting.

Okay. In this case, MailScanner must add headers to the message to allow you
to sort based on its spam/non-spam decision? If that's the case, it must
write the modified message to stdout. So your getmail delivery directive
would be something like this:

    postmaster="|/path/to/mydeliveryagent.sh"

where that script is something like:

    #!/bin/bash
    cat - \
        | /path/to/mailscanner [options] \
        | /path/to/maildrop [options]

I've never used MailScanner, so I can't help you with what specific options
you'll need to get it to operate in filter mode (read stdin, modify, write
stdout).
It should be clearly spelled out in its documentation.

Thanks,
Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040208/5d14c114/attachment.html

From eja at URBAKKEN.DK Sun Feb 8 18:38:47 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To: <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk>
References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk>
Message-ID: <40268237.5080903@urbakken.dk>

Julian Field wrote:
> Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is
> detecting viruses in emails just fine. Both inside and outside zip files.
> Everything just works, so I don't understand what problems other people are
> having.

Hi Julian.

Just installed the 2.1.0. I think it's working now, as I couldn't get a
message to myself delivered cause of the eicar file. But I'll look at the
logfiles, and report to you.

> At 15:33 08/02/2004, you wrote:
>
>> Julian Field wrote:
>>
>>> I have just tested against 2.1.0 (latest on their web site) and it works
>>> fine.
>>> Are you sure you have the licence key file installed into
>>> /usr/lib/AntiVir?
>>> It won't work without it.
>>
>>
>> Yes I have:
>>
>> I have run the:
>>
>> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
>>
>> And the result is here:
>>
>> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
>> AntiVir / Linux Version 2.0.9-16
>> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH.
>> All rights reserved.
>>
>> Loading /usr/lib/AntiVir/antivir.vdf ...
>>
>> VDF version: 6.23.0.53 created 30 Jan 2004
>>
>> For private, non-commercial use only.
>> AntiVir license: 12345678 for Erik Jakobsen, Brovst
>>
>> checking drive/path (list): /tmp
>>
>> ----- scan results -----
>> directories: 1
>> files: 15
>> alerts: 0
>> scan time: 00:00:01
>> ------------------------
>> Thank you for using AntiVir.
>>
>>> At 14:08 08/02/2004, you wrote:
>>>
>>>> Hi.
>>>>
>>>> Is anybody here having success with antivir and MailScanner ?.
>>>> --
>>>> Erik
>>>
>>>
>>>
>>> --
>>> Julian Field
>>> www.MailScanner.info
>>> Professional Support Services at www.MailScanner.biz
>>> MailScanner thanks transtec Computers for their support
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>>
>> --
>> Erik
>
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
Erik

From eja at URBAKKEN.DK Sun Feb 8 20:14:12 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
Message-ID:

My antivir is also licensed, and the key is placed into the antivir directory.

/erik

From eja at URBAKKEN.DK Sun Feb 8 20:19:57 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To:
References:
Message-ID: <402699ED.302@urbakken.dk>

Erik Jakobsen wrote:
> My antivir is also licensed, and the key is placed into the antivir directory.
>
> /erik
>

Here's the content of my /usr/lib/antivir directory:

]# ls -l
total 3368
-rwxr-xr-x 1 root root 742912 Feb 5 17:02 antivir
-rwxr-xr-x 1 root root 971264 Jan 25 17:18 antivir-fc
-rw-r--r-- 1 root root 1650176 Feb 6 19:14 antivir.vdf
-rwxr-xr-x 1 root root 1233 Feb 8 19:26 avupdater
-rwxr-xr-x 1 root root 52411 Feb 8 19:26 configantivir
-rw------- 1 root root 1024 Jan 25 17:12 hbedv.key

--
Erik

From ugob at CAMO-ROUTE.COM Sun Feb 8 20:50:25 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:22 2006
Subject: Manually invoking MailScanner
In-Reply-To: <003701c3ee70$3b8585e0$7203a8c0@everts.us>
References: <003701c3ee70$3b8585e0$7203a8c0@everts.us>
Message-ID: <4026A111.8040402@camo-route.com>

Kevin Everts wrote:
> I am using MailScanner with Postfix to scan my incoming email. I am
> also using getmail to poll my pop3 accounts and download my email. I
> would like to process all of the email that getmail retrieves in
> MailScanner. The way to do this is to invoke MailScanner manually. Is
> this possible? If so, what is the command to do this?

I don't really know how getmail works, but I can say that fetchmail
works like a charm and is very easy to setup.

hth

Ugo

>
> Below is a message that I posted to the getmail mailing list. The reply
> is from the author of getmail.
>
> > I am in the process of setting up a new mail server with Postfix (using
> > /Maildir's) , getmail, MailScanner and Maildrop. I have everything working
> > except for getmail. I would like to have getmail first send my email to
> > MailScanner for virus scanning and spam checking and then to Maildrop for
> > sorting.
>
> Okay. In this case, MailScanner must add headers to the message to allow you
> to sort based on its spam/non-spam decision? If that's the case, it must
> write the modified message to stdout.
So your getmail delivery directive
> would be something like this:
>
>     postmaster="|/path/to/mydeliveryagent.sh"
>
> where that script is something like:
>
>     #!/bin/bash
>     cat - \
>         | /path/to/mailscanner [options] \
>         | /path/to/maildrop [options]
>
> I've never used MailScanner, so I can't help you with what specific options
> you'll need to get it to operate in filter mode (read stdin, modify, write
> stdout). It should be clearly spelled out in its documentation.
>
> Thanks,
> Kevin

From ugob at CAMO-ROUTE.COM Sun Feb 8 20:52:13 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To: <40268237.5080903@urbakken.dk>
References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk> <40268237.5080903@urbakken.dk>
Message-ID: <4026A17D.2040903@camo-route.com>

Erik Jakobsen wrote:
> Julian Field wrote:
>
>> Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is
>> detecting viruses in emails just fine. Both inside and outside zip files.
>> Everything just works, so I don't understand what problems other
>> people are
>> having.
>
>
> Hi Julian.
>
> Just installed the 2.1.0. I think it's working now, as I couldn't get a
> message to myself delivered cause of the eicar file. But I'll look at the
> logfiles, and report to you.

Just a tip, open a terminal window via ssh or virtual console and type in

tail -f /var/log/maillog

You'll see the mail log in real time. Then send in the virus.

>
>> At 15:33 08/02/2004, you wrote:
>>
>>> Julian Field wrote:
>>>
>>>> I have just tested against 2.1.0 (latest on their web site) and it
>>>> works
>>>> fine.
>>>> Are you sure you have the licence key file installed into
>>>> /usr/lib/AntiVir?
>>>> It won't work without it.
>>>
>>>
>>>
>>> Yes I have:
>>>
>>> I have run the:
>>>
>>> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
>>>
>>> And the result is here:
>>>
>>> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
>>> AntiVir / Linux Version 2.0.9-16
>>> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH.
>>> All rights reserved.
>>>
>>> Loading /usr/lib/AntiVir/antivir.vdf ...
>>>
>>> VDF version: 6.23.0.53 created 30 Jan 2004
>>>
>>> For private, non-commercial use only.
>>> AntiVir license: 12345678 for Erik Jakobsen, Brovst
>>>
>>> checking drive/path (list): /tmp
>>>
>>> ----- scan results -----
>>> directories: 1
>>> files: 15
>>> alerts: 0
>>> scan time: 00:00:01
>>> ------------------------
>>> Thank you for using AntiVir.
>>>
>>>> At 14:08 08/02/2004, you wrote:
>>>>
>>>>> Hi.
>>>>>
>>>>> Is anybody here having success with antivir and MailScanner ?.
>>>>> --
>>>>> Erik
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Julian Field
>>>> www.MailScanner.info
>>>> Professional Support Services at www.MailScanner.biz
>>>> MailScanner thanks transtec Computers for their support
>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>>
>>>
>>>
>>> --
>>> Erik
>>
>>
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Professional Support Services at www.MailScanner.biz
>> MailScanner thanks transtec Computers for their support
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>
>
> --
> Erik

From mailscanner at ecs.soton.ac.uk Sun Feb 8 19:23:12 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:22 2006
Subject: antivir
In-Reply-To: <40268237.5080903@urbakken.dk>
References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk> <40268237.5080903@urbakken.dk>
Message-ID: <6.0.1.1.2.20040208191558.0597deb0@imap.ecs.soton.ac.uk>

Thanks for the server version.
I installed my licence file into it (thanks to the AntiVir crew for that),
and ran it on a message with a few copies of eicar in it. It detected all of
them just fine. Here is an example report:

>This is a message from the MailScanner E-Mail Virus Protection Service
>----------------------------------------------------------------------
>The original e-mail attachment "eicar.zip"
>was believed to be infected by a virus and has been replaced by this warning
>message.
>
>If you wish to receive a copy of the *infected* attachment, please
>e-mail helpdesk and include the whole of this message
>in your request. Alternatively, you can call them, with
>the contents of this message to hand when you call.
>
>At Sun Feb 8 19:12:09 2004 the virus scanner said:
> AntiVir: ALERT: [Eicar-Test-Signatur virus] eicar.zip --> eicar.com <<< =
>Contains code of the Eicar-Test-Signatur virus

I have now tested this on
AntiVir workstation 2.0.6
AntiVir workstation 2.1.0
AntiVir server 2.0.8
and can confirm that they all work with MailScanner on my Linux systems.

Please place a copy of eicar.com in a directory and run this command:

/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot -rs -z .

The output should be this (except for the line about the Verlor.B virus)

-----SNIP-----
AntiVir / Linux Version 2.1.0-1
Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH.
All rights reserved.

Loading /usr/lib/AntiVir/antivir.vdf ...

VDF version: 6.23.0.60 created 06 Feb 2004

For private, non-commercial use only.
AntiVir license: 1001034888 for Julian Field, Southampton

checking drive/path (list): .
ALERT: [W97M/Verlor.B virus] ./barendsesaunastoom.doc <<< Contains code of the Word macro virus W97M/Verlor.B (removeable)
ALERT: [Eicar-Test-Signatur virus] ./eicar.com <<< Contains code of the Eicar-Test-Signatur virus

----- scan results -----
directories: 1
files: 4
alerts: 2
repaired: 0
deleted: 0
renamed: 0
scan time: 00:00:01
------------------------
Thank you for using AntiVir.
-----SNIP-----

Please let me know if your output matches this.

At 18:38 08/02/2004, you wrote:
>Julian Field wrote:
>>Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is
>>detecting viruses in emails just fine. Both inside and outside zip files.
>>Everything just works, so I don't understand what problems other people are
>>having.
>
>Hi Julian.
>
>Just installed the 2.1.0. I think it's working now, as I couldn't get a
>message to myself delivered cause of the eicar file. But I'll look at the
>logfiles, and report to you.
>
>>At 15:33 08/02/2004, you wrote:
>>
>>>Julian Field wrote:
>>>
>>>>I have just tested against 2.1.0 (latest on their web site) and it works
>>>>fine.
>>>>Are you sure you have the licence key file installed into
>>>>/usr/lib/AntiVir?
>>>>It won't work without it.
>>>
>>>
>>>Yes I have:
>>>
>>>I have run the:
>>>
>>>/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
>>>
>>>And the result is here:
>>>
>>># /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp
>>>AntiVir / Linux Version 2.0.9-16
>>>Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH.
>>>All rights reserved.
>>>
>>>Loading /usr/lib/AntiVir/antivir.vdf ...
>>>
>>>VDF version: 6.23.0.53 created 30 Jan 2004
>>>
>>>For private, non-commercial use only.
>>>AntiVir license: 12345678 for Erik Jakobsen, Brovst
>>>
>>>checking drive/path (list): /tmp
>>>
>>>----- scan results -----
>>>directories: 1
>>>files: 15
>>>alerts: 0
>>>scan time: 00:00:01
>>>------------------------
>>>Thank you for using AntiVir.
>>>
>>>>At 14:08 08/02/2004, you wrote:
>>>>
>>>>>Hi.
>>>>>
>>>>>Is anybody here having success with antivir and MailScanner ?.
>>>>>--
>>>>>Erik
>>>>
>>>>
>>>>
>>>>--
>>>>Julian Field
>>>>www.MailScanner.info
>>>>Professional Support Services at www.MailScanner.biz
>>>>MailScanner thanks transtec Computers for their support
>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>>
>>>
>>>--
>>>Erik
>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>--
>Erik

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Feb 8 19:00:42 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:22 2006
Subject: Manually invoking MailScanner
In-Reply-To: <003701c3ee70$3b8585e0$7203a8c0@everts.us>
References: <003701c3ee70$3b8585e0$7203a8c0@everts.us>
Message-ID: <6.0.1.1.2.20040208185850.03ce3190@imap.ecs.soton.ac.uk>

The standard solution to this setup is to use fetchmail and have it poll
all your pop3 accounts and then deliver via SMTP to localhost. MailScanner
then picks up the incoming mail and scans it. Your existing sendmail setup
then delivers the mail into local mailboxes as before.

Plenty of people here use this setup and you should find whatever help you
need.

At 18:20 08/02/2004, you wrote:
>I am using MailScanner with Postfix to scan my incoming email. I am also
>using getmail to poll my pop3 accounts and download my email. I would
>like to process all of the email that getmail retrieves in
>MailScanner. The way to do this is to invoke MailScanner manually. Is
>this possible? If so, what is the command to do this?
>
>Below is a message that I posted to the getmail mailing list.
The reply
>is from the author of getmail.
>
> > I am in the process of setting up a new mail server with Postfix (using
> > /Maildir's) , getmail, MailScanner and Maildrop. I have everything working
> > except for getmail. I would like to have getmail first send my email to
> > MailScanner for virus scanning and spam checking and then to Maildrop for
> > sorting.
>
>Okay. In this case, MailScanner must add headers to the message to allow you
>to sort based on its spam/non-spam decision? If that's the case, it must
>write the modified message to stdout. So your getmail delivery directive
>would be something like this:
>
>    postmaster="|/path/to/mydeliveryagent.sh"
>
>where that script is something like:
>
>    #!/bin/bash
>    cat - \
>        | /path/to/mailscanner [options] \
>        | /path/to/maildrop [options]
>
>I've never used MailScanner, so I can't help you with what specific options
>you'll need to get it to operate in filter mode (read stdin, modify, write
>stdout). It should be clearly spelled out in its documentation.
>
>Thanks,
>Kevin

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From shrek-m at GMX.DE Sun Feb 8 22:48:42 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:22 2006
Subject: Manually invoking MailScanner
In-Reply-To: <4026A111.8040402@camo-route.com>
References: <003701c3ee70$3b8585e0$7203a8c0@everts.us> <4026A111.8040402@camo-route.com>
Message-ID: <4026BCCA.7050309@gmx.de>

Ugo Bellavance wrote:
> I don't really know how getmail works, but I can say that fetchmail
> works like a charm and is very easy to setup.

eg.
not really tested

# grep fetchmail /etc/rc.local
/usr/bin/fetchmail

# vi /root/.fetchmailrc
set daemon 600
set logfile /var/log/maillog

poll pop.provider.net
  proto pop3
  user "shrek-m@gmx.de"
  password "your_passowrd"
  smtpname "localuser@localhost.localdomain"
  keep

poll imap.other_provider.de
  proto imap
  user "user@bla.de" password "other_password" is "localuser" here
  user "user1@bla.de" password "password" is "localuser1" here

# man fetchmail

if your distro provides fetchmailconf you can try it with
# fetchmailconf

--
shrek-m

From kevin at KEVINSPICER.CO.UK Mon Feb 9 00:15:38 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:23 2006
Subject: MailScanner-MRTG users
Message-ID: <1076285740.26581.9.camel@bach.kevinspicer.co.uk>

Those of you who use MailScanner-MRTG may be interested to read the page
I've just added to the website at
http://mailscannermrtg.sourceforge.net/future.html in which I propose
some future directions for the project. Please feel free to post
feedback/ comments/ objections etc to the forums on the sourceforge
site. (it would be appreciated if we could avoid staging a takeover of
the MailScanner list again!)

Regards
Kevin

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard.
My public key may be obtained from http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040209/8b9a6261/attachment.bin

From mailbase2004 at yahoo.com Mon Feb 9 00:27:31 2004
From: mailbase2004 at yahoo.com (c c)
Date: Thu Jan 12 21:22:23 2006
Subject: source rpm error
Message-ID: <20040209002731.63973.qmail@web80105.mail.yahoo.com>

Hi

I downloaded MailScanner source rpm mailscanner-4.26.8-1.src.rpm
Installed the src rpm package and then built rpm package.
But when I installed the rpm package, I found the size of the rpm file
built from src rpm is different from that in MailScanner-4.26.8-1.rpm.tar.gz
Also I got error message during the installation.
The same error happened with version mailscanner-4.23-11. Here is the error

error: Failed dependencies:
perl(Archive::Zip) is needed by mailscanner-4.23-11
perl(MailScanner::MCPMessage) is needed by mailscanner-4.23-11

My environment is Redhat 9.0 on pentium IV.

I just wonder how the mailscanner rpm file in rpm tgz file is created, from
a tgz file or src rpm? If it is from a tgz file, where is the tgz file
located on the web site? If it is from source rpm, why do I get the error?

Thanks in advance.

-Tom

+++++++++++++++++++++++++++++++++++++++++++
[root@pe400 SPECS]# rpm -i mailscanner-4.23-11.src.rpm
[root@pe400 SPECS]# rpmbuild -ba MailScanner4.spec
[root@pe400 SPECS]# rpm -Uvh /usr/src/redhat/RPMS/noarch/mailscanner-4.23-11.noarch.rpm
error: Failed dependencies:
perl(Archive::Zip) is needed by mailscanner-4.23-11
perl(MailScanner::MCPMessage) is needed by mailscanner-4.23-11

From mailbase2004 at YAHOO.COM Mon Feb 9 02:16:53 2004
From: mailbase2004 at YAHOO.COM (c c)
Date: Thu Jan 12 21:22:23 2006
Subject: rpmbuild src rpm error
Message-ID: <20040209021653.51510.qmail@web80106.mail.yahoo.com>

Hi

I downloaded MailScanner source rpm mailscanner-4.26.8-1.src.rpm
Installed the src rpm package and then built rpm package.
But when I installed the rpm package, I found the size of the rpm file
built from src rpm is different from that in MailScanner-4.26.8-1.rpm.tar.gz
Also I got error message during the installation.
The same error happened with version mailscanner-4.23-11. Here is the error

error: Failed dependencies:
perl(Archive::Zip) is needed by mailscanner-4.23-11
perl(MailScanner::MCPMessage) is needed by mailscanner-4.23-11

My environment is Redhat 9.0 on pentium IV.

I just wonder how the mailscanner rpm file in rpm tgz file is created, from
a tgz file or src rpm?
If it is from a tgz file, where is the tgz file located on the web site? If it is from source rpm, why do I get the error?

Thanks in advance.

-Tom

+++++++++++++++++++++++++++++++++++++++++++
[root@pe400 SPECS]# rpm -i mailscanner-4.23-11.src.rpm
[root@pe400 SPECS]# rpmbuild -ba MailScanner4.spec
[root@pe400 SPECS]# rpm -Uvh /usr/src/redhat/RPMS/noarch/mailscanner-4.23-11.noarch.rpm
error: Failed dependencies:
        perl(Archive::Zip) is needed by mailscanner-4.23-11
        perl(MailScanner::MCPMessage) is needed by mailscanner-4.23-11

From email at ace.net.au Mon Feb 9 04:49:28 2004
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:22:23 2006
Subject: SA 2.63 upgrade
In-Reply-To:
References:
Message-ID: <200402091519280237.0EC4AE79@smtp1.ace.net.au>

Using the SRPM is an overlooked but easy way of doing upgrades reliably, especially if you like to let the RPM system handle everything.

D/L the SRPM, you don't need the other bits.

rpm -Uvh spamassassin*.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -bb spamassassin.spec
cd ../RPMS/i386
rpm -Uvh *.rpm
(make sure there aren't other rpm's in there that you don't want.)

All done. No need for CPAN and SpamAssassin is now configured for your system.

Peter

*********** REPLY SEPARATOR ***********

On 6/02/2004 at 6:06 PM Jim Dickenson wrote:

>Thanks for the pointer about old .cf files not working with a new version.
>This led me to the solution.
>
>I will try to remember this for future updates and leave a trail for those
>behind me.
>
>The install from the RPM was the cause of the problem. I now remember
>dealing with this at some time in the past as well.
>
>The perl-Mail-SpamAssassin-2.63-1 RPM file put stuff in the 5.6.1 directory
>but I am running perl 5.8.0 so the new .cf files got installed but as the
>new perl stuff got put into the "wrong" place I was still using the old
>version of SA.
>
>Moving a bit of stuff around fixed the problem. I also made a link from
>5.6.1 to 5.8.0 so maybe I will remember this in the future.
> >I guess the correct thing to do would be to uninstall the RPMs and install >SA some other way. Maybe another day. One wasted day is enough this time >around ;) > >Again thanks much! >-- >Jim Dickenson >mailto:dickenson@cfmc.com > >Computers for Marketing Corporation >http://www.cfmc.com/ > > > >> From: James Gray >> Reply-To: james@grayonline.id.au >> Date: Sat, 7 Feb 2004 09:43:04 +1100 >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: SA 2.63 upgrade >> >> On Sat, 7 Feb 2004 07:16 am, Jim Dickenson wrote: >>> I am seeing the same problem. I updated, as I have always done, via RPM. >>> What I am seeing is that none of the standard rules are getting tripped, >>> just the RulesDuJour additions I have installed. >>> >>> I originally had the RulesDuJour .cf file in /usr/share/spamassassin >>> along with the ones distributed with SA. I have moved them to >>> /etc/mail/spamassassin but I am still seeing the same behavior. >>> >>> I also see that all the stuff that is spam is being auto-learned in my >>> bayes files. What is the best way to stop using bayes files and then >>> creating new ones. I need to get this problem sorted out before I can >try >>> to get my bayes files loaded again. >>> >>> TIA, >>> -- >>> Jim Dickenson >> >> Jim, >> >> I posted a similar problem to this list a few weeks ago when I upgraded >my >> FreeBSD box via "ports" (fBSD "packages" for want of a better term). All >> my custom rules were being tripped but none of the standard SA2.63 >rules. >> The problem was that between 2.61 -> 2.63 the fBSD port maintainer had >> moved the location of the standard rules from /usr/share/spamassassin to >> /usr/local/share/spamassassin. All I needed to do was manually tell >> MailScanner where the SpamAssassin files were, restart and voila! 
>> >> Here's the relevent lines from MailScanner.conf: >> SpamAssassin Local Rules Dir = /etc/mail/spamassassin >> SpamAssassin Default Rules Dir = /usr/local/share/spamassassin >> >> Hope that helps :) The problem is that all the default SA rules are >> version-specific. You can ONLY use 2.63 rules with SA2.63 etc. Sounds >> like your spamassassin is finding the older 2.61 rules with the 2.63 >engine >> which means it will ignore them - have a look in the standard rules >files; >> there's a "require 2.63" or something similar at the top of each one. >DONT >> change this BTW, this will break things even worse than it already is. >> >> Cheers, >> >> James >> -- >> Fortune cookies says: >> The price one pays for pursuing any profession, or calling, is an >intimate >> knowledge of its ugly side. -- James Baldwin From eja at URBAKKEN.DK Mon Feb 9 06:17:07 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:23 2006 Subject: antivir In-Reply-To: <4026A17D.2040903@camo-route.com> References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk> <40268237.5080903@urbakken.dk> <4026A17D.2040903@camo-route.com> Message-ID: <402725E3.3030107@urbakken.dk> Ugo Bellavance wrote: > Erik Jakobsen wrote: > >> Julian Field wrote: >> >>> Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is >>> detecting viruses in emails just fine. Both inside and outside zip >>> files. >>> Everything just works, so I don't understand what problems other >>> people are >>> having. >> >> >> >> Hi Julian. >> >> Just installe the 2.1.0. I think its working now, as I couldn't get a >> message to mysef delivered cause of the eicar file. But I'll look at the >> logfiles, and report to you. > > > Just a tip, open a terminal window via ssh or virtual console and type in > > tail -f /var/log/maillog > > You'll see the mail log in real time. 
Then send in the virus. Thanks for this Ugo. >> >>> At 15:33 08/02/2004, you wrote: >>> >>>> Julian Field wrote: >>>> >>>>> I have just tested against 2.1.0 (latest on their web site) and it >>>>> works >>>>> fine. >>>>> Are you sure you have the licence key file installed into >>>>> /usr/lib/AntiVir? >>>>> It won't work without it. >>>> >>>> >>>> >>>> >>>> Yes I have: >>>> >>>> I have run the: >>>> >>>> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>> >>>> And the result is here: >>>> >>>> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>> AntiVir / Linux Version 2.0.9-16 >>>> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >>>> All rights reserved. >>>> >>>> Loading /usr/lib/AntiVir/antivir.vdf ... >>>> >>>> VDF version: 6.23.0.53 created 30 Jan 2004 >>>> >>>> For private, non-commercial use only. >>>> AntiVir license: 12345678 for Erik Jakobsen, Brovst >>>> >>>> checking drive/path (list): /tmp >>>> >>>> ----- scan results ----- >>>> directories: 1 >>>> files: 15 >>>> alerts: 0 >>>> scan time: 00:00:01 >>>> ------------------------ >>>> Thank you for using AntiVir. >>>> >>>>> At 14:08 08/02/2004, you wrote: >>>>> >>>>>> Hi. >>>>>> >>>>>> Is anybody here having success with antivir and MailScanner ?. >>>>>> -- >>>>>> Erik >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Julian Field >>>>> www.MailScanner.info >>>>> Professional Support Services at www.MailScanner.biz >>>>> MailScanner thanks transtec Computers for their support >>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>> >>>> >>>> >>>> >>>> >>>> -- >>>> Erik >>> >>> >>> >>> >>> -- >>> Julian Field >>> www.MailScanner.info >>> Professional Support Services at www.MailScanner.biz >>> MailScanner thanks transtec Computers for their support >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >> >> >> -- >> Erik > > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. 
SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From eja at URBAKKEN.DK Mon Feb 9 06:06:38 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:23 2006 Subject: antivir Message-ID: On Sun, 8 Feb 2004 19:23:12 +0000, Julian Field wrote: Hi Julian. Here is the result that you asked for. Sorry, I didn't recognized you wish at first: # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot -rs -z AntiVir / Linux Version 2.1.0-1 Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. All rights reserved. Loading /usr/lib/AntiVir/antivir.vdf ... VDF version: 6.23.0.60 created 06 Feb 2004 For private, non-commercial use only. AntiVir license: 1001048978 for Erik Jakobsen, Brovst checking drive/path (cwd): /var/spool/MailScanner/quarantine/20040208/150E8C812 ALERT: [Eicar-Test-Signatur virus] /var/spool/MailScanner/quarantine/20040208/150E8C812/eicar.com <<< Contains code of the Eicar-Test-Signatur virus ----- scan results ----- directories: 1 files: 1 alerts: 1 repaired: 0 deleted: 0 renamed: 0 scan time: 00:00:01 ------------------------ Thank you for using AntiVir. >Thanks for the server version. I installed my licence file into it (thanks >to the AntiVir crew for that), and ran it on a message with a few copies of >eicar in it. It detected all of them just fine. > >Here is an example report: >>This is a message from the MailScanner E-Mail Virus Protection Service >>---------------------------------------------------------------------- >>The original e-mail attachment "eicar.zip" >>was believed to be infected by a virus and has been replaced by this warning >>message. >> >>If you wish to receive a copy of the *infected* attachment, please >>e-mail helpdesk and include the whole of this message >>in your request. Alternatively, you can call them, with >>the contents of this message to hand when you call. 
>> >>At Sun Feb 8 19:12:09 2004 the virus scanner said: >> AntiVir: ALERT: [Eicar-Test-Signatur virus] eicar.zip --> eicar.com <<< = >>Contains code of the Eicar-Test-Signatur virus > >I have now tested this on > AntiVir workstation 2.0.6 > AntiVir workstation 2.1.0 > AntiVir server 2.0.8 >and can confirm that they all work with MailScanner on my Linux systems. > >Please place a copy of eicar.com in a directory and run this command: >/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot >-rs -z . >The output should be this (except for the line about the Verlor.B virus) > >-----SNIP----- >AntiVir / Linux Version 2.1.0-1 >Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >All rights reserved. > >Loading /usr/lib/AntiVir/antivir.vdf ... > >VDF version: 6.23.0.60 created 06 Feb 2004 > >For private, non-commercial use only. >AntiVir license: 1001034888 for Julian Field, Southampton > >checking drive/path (list): . >ALERT: [W97M/Verlor.B virus] ./barendsesaunastoom.doc <<< Contains code of >the Word macro virus W97M/Verlor.B (removeable) >ALERT: [Eicar-Test-Signatur virus] ./eicar.com <<< Contains code of the >Eicar-Test-Signatur virus > > >----- scan results ----- > directories: 1 > files: 4 > alerts: 2 > repaired: 0 > deleted: 0 > renamed: 0 > scan time: 00:00:01 >------------------------ >Thank you for using AntiVir. >-----SNIP----- > >Please let me know if your output matches this. > >At 18:38 08/02/2004, you wrote: >>Julian Field wrote: >>>Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is >>>detecting viruses in emails just fine. Both inside and outside zip files. >>>Everything just works, so I don't understand what problems other people are >>>having. >> >>Hi Julian. >> >>Just installe the 2.1.0. I think its working now, as I couldn't get a >>message to mysef delivered cause of the eicar file. But I'll look at the >>logfiles, and report to you. 
>> >>>At 15:33 08/02/2004, you wrote: >>> >>>>Julian Field wrote: >>>> >>>>>I have just tested against 2.1.0 (latest on their web site) and it works >>>>>fine. >>>>>Are you sure you have the licence key file installed into >>>>>/usr/lib/AntiVir? >>>>>It won't work without it. >>>> >>>> >>>>Yes I have: >>>> >>>>I have run the: >>>> >>>>/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>> >>>>And the result is here: >>>> >>>># /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>>AntiVir / Linux Version 2.0.9-16 >>>>Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >>>>All rights reserved. >>>> >>>>Loading /usr/lib/AntiVir/antivir.vdf ... >>>> >>>>VDF version: 6.23.0.53 created 30 Jan 2004 >>>> >>>>For private, non-commercial use only. >>>>AntiVir license: 12345678 for Erik Jakobsen, Brovst >>>> >>>>checking drive/path (list): /tmp >>>> >>>>----- scan results ----- >>>>directories: 1 >>>>files: 15 >>>>alerts: 0 >>>>scan time: 00:00:01 >>>>------------------------ >>>>Thank you for using AntiVir. >>>> >>>>>At 14:08 08/02/2004, you wrote: >>>>> >>>>>>Hi. >>>>>> >>>>>>Is anybody here having success with antivir and MailScanner ?. 
>>>>>>-- >>>>>>Erik >>>>> >>>>> >>>>> >>>>>-- >>>>>Julian Field >>>>>www.MailScanner.info >>>>>Professional Support Services at www.MailScanner.biz >>>>>MailScanner thanks transtec Computers for their support >>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>> >>>> >>>> >>>>-- >>>>Erik >>> >>> >>>-- >>>Julian Field >>>www.MailScanner.info >>>Professional Support Services at www.MailScanner.biz >>>MailScanner thanks transtec Computers for their support >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >>-- >>Erik > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From eja at URBAKKEN.DK Mon Feb 9 06:53:09 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:23 2006 Subject: antivir In-Reply-To: <6.0.1.1.2.20040208191558.0597deb0@imap.ecs.soton.ac.uk> References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk> <40268237.5080903@urbakken.dk> <6.0.1.1.2.20040208191558.0597deb0@imap.ecs.soton.ac.uk> Message-ID: <40272E55.7020305@urbakken.dk> I have tested it looking into my maillog realtime. 
But unfortunately antivir is not present in the scanning ?:

Feb 9 07:49:31 gateway postfix/pipe[1676]: C3853C80F: to=, relay=ccfilter, delay=2, status=sent (urbakken.dk)
Feb 9 06:49:31 gateway postfix/pickup[32464]: 888F3C812: uid=100 from=
Feb 9 06:49:31 gateway postfix/cleanup[1674]: 888F3C812: message-id=<40272D9E.3040903@urbakken.dk>
Feb 9 06:49:31 gateway postfix/nqmgr[31682]: 888F3C812: from=, size=1662, nrcpt=1 (queue active)
Feb 9 06:49:31 gateway postfix/nqmgr[31682]: 888F3C812: to=, relay=none, delay=0, status=deferred (deferred transport)
Feb 9 07:49:32 gateway MailScanner[860]: New Batch: Scanning 1 messages, 1801 bytes
Feb 9 07:49:32 gateway MailScanner[860]: Virus and Content Scanning: Starting
Feb 9 07:49:33 gateway MailScanner[860]: /var/spool/MailScanner/incoming/860/888F3C812/eicar.com Infection: EICAR_Test_File
Feb 9 07:49:33 gateway MailScanner[860]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 9 07:49:33 gateway MailScanner[860]: Virus Scanning: F-Prot found 1 infections
Feb 9 07:49:35 gateway MailScanner[860]: /var/spool/MailScanner/incoming/860/./888F3C812/eicar.com: Eicar-Test-Signature FOUND
Feb 9 07:49:36 gateway MailScanner[860]: Virus Scanning: ClamAV found 1 infections
Feb 9 07:49:36 gateway MailScanner[860]: Infected message 888F3C812 came from 127.0.0.1
Feb 9 07:49:37 gateway MailScanner[860]: Filename Checks: Windows/DOS Executable (eicar.com)
Feb 9 07:49:37 gateway MailScanner[860]: Other Checks: Found 1 problems
Feb 9 07:49:37 gateway MailScanner[860]: Saved infected "eicar.com" to /var/spool/MailScanner/quarantine/20040209/888F3C812
Feb 9 01:49:37 gateway postfix/nqmgr[31729]: 7876323EE5: from=, size=2905, nrcpt=1 (queue active)
Feb 9 07:49:37 gateway MailScanner[860]: Silent: Delivered 1 messages containing silent viruses
Feb 9 01:49:37 gateway postfix/pickup[30831]: 5EB5423F00: uid=89 from=
Feb 9 01:49:37 gateway postfix/cleanup[1855]: 5EB5423F00: message-id=<20040209064937.5EB5423F00@gateway.urbakken.dk>
Feb 9
07:49:37 gateway MailScanner[860]: Notices: Warned about 1 messages Julian Field wrote: > Thanks for the server version. I installed my licence file into it (thanks > to the AntiVir crew for that), and ran it on a message with a few copies of > eicar in it. It detected all of them just fine. > > Here is an example report: > >> This is a message from the MailScanner E-Mail Virus Protection Service >> ---------------------------------------------------------------------- >> The original e-mail attachment "eicar.zip" >> was believed to be infected by a virus and has been replaced by this >> warning >> message. >> >> If you wish to receive a copy of the *infected* attachment, please >> e-mail helpdesk and include the whole of this message >> in your request. Alternatively, you can call them, with >> the contents of this message to hand when you call. >> >> At Sun Feb 8 19:12:09 2004 the virus scanner said: >> AntiVir: ALERT: [Eicar-Test-Signatur virus] eicar.zip --> eicar.com >> <<< = >> Contains code of the Eicar-Test-Signatur virus > > > I have now tested this on > AntiVir workstation 2.0.6 > AntiVir workstation 2.1.0 > AntiVir server 2.0.8 > and can confirm that they all work with MailScanner on my Linux systems. > > Please place a copy of eicar.com in a directory and run this command: > /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot > -rs -z . > The output should be this (except for the line about the Verlor.B virus) > > -----SNIP----- > AntiVir / Linux Version 2.1.0-1 > Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. > All rights reserved. > > Loading /usr/lib/AntiVir/antivir.vdf ... > > VDF version: 6.23.0.60 created 06 Feb 2004 > > For private, non-commercial use only. > AntiVir license: 1001034888 for Julian Field, Southampton > > checking drive/path (list): . 
> ALERT: [W97M/Verlor.B virus] ./barendsesaunastoom.doc <<< Contains code of > the Word macro virus W97M/Verlor.B (removeable) > ALERT: [Eicar-Test-Signatur virus] ./eicar.com <<< Contains code of the > Eicar-Test-Signatur virus > > > ----- scan results ----- > directories: 1 > files: 4 > alerts: 2 > repaired: 0 > deleted: 0 > renamed: 0 > scan time: 00:00:01 > ------------------------ > Thank you for using AntiVir. > -----SNIP----- > > Please let me know if your output matches this. > > At 18:38 08/02/2004, you wrote: > >> Julian Field wrote: >> >>> Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is >>> detecting viruses in emails just fine. Both inside and outside zip >>> files. >>> Everything just works, so I don't understand what problems other >>> people are >>> having. >> >> >> Hi Julian. >> >> Just installe the 2.1.0. I think its working now, as I couldn't get a >> message to mysef delivered cause of the eicar file. But I'll look at the >> logfiles, and report to you. >> >>> At 15:33 08/02/2004, you wrote: >>> >>>> Julian Field wrote: >>>> >>>>> I have just tested against 2.1.0 (latest on their web site) and it >>>>> works >>>>> fine. >>>>> Are you sure you have the licence key file installed into >>>>> /usr/lib/AntiVir? >>>>> It won't work without it. >>>> >>>> >>>> >>>> Yes I have: >>>> >>>> I have run the: >>>> >>>> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>> >>>> And the result is here: >>>> >>>> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>> AntiVir / Linux Version 2.0.9-16 >>>> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >>>> All rights reserved. >>>> >>>> Loading /usr/lib/AntiVir/antivir.vdf ... >>>> >>>> VDF version: 6.23.0.53 created 30 Jan 2004 >>>> >>>> For private, non-commercial use only. 
>>>> AntiVir license: 12345678 for Erik Jakobsen, Brovst >>>> >>>> checking drive/path (list): /tmp >>>> >>>> ----- scan results ----- >>>> directories: 1 >>>> files: 15 >>>> alerts: 0 >>>> scan time: 00:00:01 >>>> ------------------------ >>>> Thank you for using AntiVir. >>>> >>>>> At 14:08 08/02/2004, you wrote: >>>>> >>>>>> Hi. >>>>>> >>>>>> Is anybody here having success with antivir and MailScanner ?. >>>>>> -- >>>>>> Erik >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Julian Field >>>>> www.MailScanner.info >>>>> Professional Support Services at www.MailScanner.biz >>>>> MailScanner thanks transtec Computers for their support >>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>> >>>> >>>> >>>> >>>> -- >>>> Erik >>> >>> >>> >>> -- >>> Julian Field >>> www.MailScanner.info >>> Professional Support Services at www.MailScanner.biz >>> MailScanner thanks transtec Computers for their support >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >> >> -- >> Erik > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From kcchang at HKUSUA.HKU.HK Mon Feb 9 06:42:49 2004 From: kcchang at HKUSUA.HKU.HK (Chang Kai Cheong) Date: Thu Jan 12 21:22:23 2006 Subject: mailscanner (Solaris 2.6) Could not open file Message-ID: Hi all, We have used MailScanner 4.20.3 installed on our Solaris 2.6 system (with Sophos and Spamassassin 2.55). 
This combination has been running fine for nearly a year but we recently encountered a problem like this:

Feb 9 10:32:51 host MailScanner[21163]: Could not open file >/var_spool/MailScanner/incoming/21163/i192WVVt005047.header: Resource temporarily unavailable
Feb 9 10:32:51 host MailScanner[21163]: Cannot create + lock headers file /var_spool/MailScanner/incoming/21163/i192WVVt005047.header,
....
Feb 9 10:33:58 host MailScanner[20958]: Could not open file >/var_spool/MailScanner/incoming/20958/i192WVVt005047.header: Resource temporarily unavailable
Feb 9 10:33:58 host MailScanner[20958]: Cannot create + lock headers file /var_spool/MailScanner/incoming/20958/i192WVVt005047.header,

and the child died out one by one.

We have searched through the mailing list and taken the recommended actions:

- lower the number of child processes
- lower the max. messages per scan
- add additional resources (CPU and memory), now we should have around 20% utilization left in terms of CPU
- add ulimit lines in check_mailscanner script:

ulimit -n 2048
ulimit -Hn 2048
ulimit -s 32678
ulimit -Hs 32678
ulimit -v 1048576
ulimit -Hv 1048576
ulimit -d 3932152
ulimit -Hd 3932152

However, we still get into the same problem. When the above problem is encountered, the child mailscanner processes die one by one and repeated with the same error message. We have to re-create a new mqueue.in directory and gradually move back the queued files/messages in batches for delivery. Moving the queued files too fast would result in the same problem.
I had performed some sar captured on this morning problem but could only spot a sudden increase in slock/s:

10:27:17   atch/s   pgin/s  ppgin/s    pflt/s    vflt/s  slock/s
10:30:18   603.25   664.34  3030.24  19383.92  15327.84     0.00
10:33:18   664.29   782.39  3767.35  18025.67  14332.42     6.97
10:36:18   616.73   810.95  4190.90  10806.34   9065.96    20.91
10:39:18   570.98   643.07  3199.66   3298.72   3412.87   238.33
10:42:18   564.98   718.91  3597.47   4662.66   4904.46    17.60
10:45:18   864.03   779.65  3624.08   6613.88   6722.09     0.00
10:48:18   985.85   839.64  4035.54  11045.76   9830.23     0.00

Average    695.73   748.42  3635.03  10548.22   9085.19    40.54

Does anyone have similar experience to solve the problem?

Thanks in advance.

KC Chang

From eja at URBAKKEN.DK Mon Feb 9 07:07:11 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:22:23 2006
Subject: antivir
In-Reply-To: <40272E55.7020305@urbakken.dk>
References: <402642D4.1050603@urbakken.dk> <6.0.1.1.2.20040208152427.03d10288@imap.ecs.soton.ac.uk> <402656E7.9080109@urbakken.dk> <6.0.1.1.2.20040208153832.03d1c4e0@imap.ecs.soton.ac.uk> <40268237.5080903@urbakken.dk> <6.0.1.1.2.20040208191558.0597deb0@imap.ecs.soton.ac.uk> <40272E55.7020305@urbakken.dk>
Message-ID: <4027319F.2040206@urbakken.dk>

I forgot to mention, that I don't use the avguard.

Erik Jakobsen wrote:

> I have tested it looking into my maillog realtime.
> > But unfortunatley antivir is not present in the scanning ?: > > > Feb 9 07:49:31 gateway postfix/pipe[1676]: C3853C80F: > to=, relay=ccfilter, delay=2, status=sent > (urbakken.dk) > Feb 9 06:49:31 gateway postfix/pickup[32464]: 888F3C812: uid=100 > from= > Feb 9 06:49:31 gateway postfix/cleanup[1674]: 888F3C812: > message-id=<40272D9E.3040903@urbakken.dk> > Feb 9 06:49:31 gateway postfix/nqmgr[31682]: 888F3C812: > from=, size=1662, nrcpt=1 (queue active) > Feb 9 06:49:31 gateway postfix/nqmgr[31682]: 888F3C812: > to=, relay=none, delay=0, status=deferred (deferred > transport) > Feb 9 07:49:32 gateway MailScanner[860]: New Batch: Scanning 1 > messages, 1801 bytes > Feb 9 07:49:32 gateway MailScanner[860]: Virus and Content Scanning: > Starting > Feb 9 07:49:33 gateway MailScanner[860]: > /var/spool/MailScanner/incoming/860/888F3C812/eicar.com Infection: > EICAR_Test_File > Feb 9 07:49:33 gateway MailScanner[860]: Virus Scanning: F-Prot found > virus EICAR_Test_File > Feb 9 07:49:33 gateway MailScanner[860]: Virus Scanning: F-Prot found 1 > infections > Feb 9 07:49:35 gateway MailScanner[860]: > /var/spool/MailScanner/incoming/860/./888F3C812/eicar.com: > Eicar-Test-Signature FOUND > Feb 9 07:49:36 gateway MailScanner[860]: Virus Scanning: ClamAV found 1 > infections > Feb 9 07:49:36 gateway MailScanner[860]: Infected message 888F3C812 > came from 127.0.0.1 > Feb 9 07:49:37 gateway MailScanner[860]: Filename Checks: Windows/DOS > Executable (eicar.com) > Feb 9 07:49:37 gateway MailScanner[860]: Other Checks: Found 1 problems > Feb 9 07:49:37 gateway MailScanner[860]: Saved infected "eicar.com" to > /var/spool/MailScanner/quarantine/20040209/888F3C812 > Feb 9 01:49:37 gateway postfix/nqmgr[31729]: 7876323EE5: > from=, size=2905, nrcpt=1 (queue active) > Feb 9 07:49:37 gateway MailScanner[860]: Silent: Delivered 1 messages > containing silent viruses > Feb 9 01:49:37 gateway postfix/pickup[30831]: 5EB5423F00: uid=89 > from= > Feb 9 01:49:37 gateway 
postfix/cleanup[1855]: 5EB5423F00: > message-id=<20040209064937.5EB5423F00@gateway.urbakken.dk> > Feb 9 07:49:37 gateway MailScanner[860]: Notices: Warned about 1 messages > > > Julian Field wrote: > >> Thanks for the server version. I installed my licence file into it >> (thanks >> to the AntiVir crew for that), and ran it on a message with a few >> copies of >> eicar in it. It detected all of them just fine. >> >> Here is an example report: >> >>> This is a message from the MailScanner E-Mail Virus Protection Service >>> ---------------------------------------------------------------------- >>> The original e-mail attachment "eicar.zip" >>> was believed to be infected by a virus and has been replaced by this >>> warning >>> message. >>> >>> If you wish to receive a copy of the *infected* attachment, please >>> e-mail helpdesk and include the whole of this message >>> in your request. Alternatively, you can call them, with >>> the contents of this message to hand when you call. >>> >>> At Sun Feb 8 19:12:09 2004 the virus scanner said: >>> AntiVir: ALERT: [Eicar-Test-Signatur virus] eicar.zip --> eicar.com >>> <<< = >>> Contains code of the Eicar-Test-Signatur virus >> >> >> >> I have now tested this on >> AntiVir workstation 2.0.6 >> AntiVir workstation 2.1.0 >> AntiVir server 2.0.8 >> and can confirm that they all work with MailScanner on my Linux systems. >> >> Please place a copy of eicar.com in a directory and run this command: >> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s >> -noboot >> -rs -z . >> The output should be this (except for the line about the Verlor.B virus) >> >> -----SNIP----- >> AntiVir / Linux Version 2.1.0-1 >> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >> All rights reserved. >> >> Loading /usr/lib/AntiVir/antivir.vdf ... >> >> VDF version: 6.23.0.60 created 06 Feb 2004 >> >> For private, non-commercial use only. >> AntiVir license: 1001034888 for Julian Field, Southampton >> >> checking drive/path (list): . 
>> ALERT: [W97M/Verlor.B virus] ./barendsesaunastoom.doc <<< Contains >> code of >> the Word macro virus W97M/Verlor.B (removeable) >> ALERT: [Eicar-Test-Signatur virus] ./eicar.com <<< Contains code of the >> Eicar-Test-Signatur virus >> >> >> ----- scan results ----- >> directories: 1 >> files: 4 >> alerts: 2 >> repaired: 0 >> deleted: 0 >> renamed: 0 >> scan time: 00:00:01 >> ------------------------ >> Thank you for using AntiVir. >> -----SNIP----- >> >> Please let me know if your output matches this. >> >> At 18:38 08/02/2004, you wrote: >> >>> Julian Field wrote: >>> >>>> Can you try upgrading to 2.1.0 (on their website). My (licensed) >>>> copy is >>>> detecting viruses in emails just fine. Both inside and outside zip >>>> files. >>>> Everything just works, so I don't understand what problems other >>>> people are >>>> having. >>> >>> >>> >>> Hi Julian. >>> >>> Just installe the 2.1.0. I think its working now, as I couldn't get a >>> message to mysef delivered cause of the eicar file. But I'll look at the >>> logfiles, and report to you. >>> >>>> At 15:33 08/02/2004, you wrote: >>>> >>>>> Julian Field wrote: >>>>> >>>>>> I have just tested against 2.1.0 (latest on their web site) and it >>>>>> works >>>>>> fine. >>>>>> Are you sure you have the licence key file installed into >>>>>> /usr/lib/AntiVir? >>>>>> It won't work without it. >>>>> >>>>> >>>>> >>>>> >>>>> Yes I have: >>>>> >>>>> I have run the: >>>>> >>>>> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>>> >>>>> And the result is here: >>>>> >>>>> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp >>>>> AntiVir / Linux Version 2.0.9-16 >>>>> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >>>>> All rights reserved. >>>>> >>>>> Loading /usr/lib/AntiVir/antivir.vdf ... >>>>> >>>>> VDF version: 6.23.0.53 created 30 Jan 2004 >>>>> >>>>> For private, non-commercial use only. 
>>>>> AntiVir license: 12345678 for Erik Jakobsen, Brovst >>>>> >>>>> checking drive/path (list): /tmp >>>>> >>>>> ----- scan results ----- >>>>> directories: 1 >>>>> files: 15 >>>>> alerts: 0 >>>>> scan time: 00:00:01 >>>>> ------------------------ >>>>> Thank you for using AntiVir. >>>>> >>>>>> At 14:08 08/02/2004, you wrote: >>>>>> >>>>>>> Hi. >>>>>>> >>>>>>> Is anybody here having success with antivir and MailScanner ?. >>>>>>> -- >>>>>>> Erik >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Julian Field >>>>>> www.MailScanner.info >>>>>> Professional Support Services at www.MailScanner.biz >>>>>> MailScanner thanks transtec Computers for their support >>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Erik >>>> >>>> >>>> >>>> >>>> -- >>>> Julian Field >>>> www.MailScanner.info >>>> Professional Support Services at www.MailScanner.biz >>>> MailScanner thanks transtec Computers for their support >>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> >>> >>> >>> -- >>> Erik >> >> >> >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz >> MailScanner thanks transtec Computers for their support >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> > > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From oldmaxgit at YAHOO.COM Mon Feb 9 07:13:50 2004 From: oldmaxgit at YAHOO.COM (Miserable Old Git) Date: Thu Jan 12 21:22:23 2006 Subject: Spamcop not working Message-ID: Hi Raymond, Thanks for your time and comments. 
I set bounce to "1" for testing purposes and will probably up this when it is running. I know that conversations and arguments rage over whether spam should be bounced or not, and I don't want to start that here. My reasoning behind bouncing RBL listed mail is that there are occasions when an IP can be listed inadvertently. For example: I was black listed once because somebody on the same server was running an old version of formmail which was used by a spammer. :o( If nobody ever bounces RBL mail, the service providers would never know. I guess that once it is running properly, I will trim/tidy/tweak it as time proceeds. Thanks for your thoughts on the subject, but I remain unconvinced, unsure and open minded about it. Why is life so complicated ? :o)

From kevins at BMRB.CO.UK Mon Feb 9 07:57:54 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:23 2006
Subject: mailscanner (Solaris 2.6) Could not open file
In-Reply-To:
References:
Message-ID: <1076313474.26581.15.camel@bach.kevinspicer.co.uk>

On Mon, 2004-02-09 at 06:42, Chang Kai Cheong wrote:
>
>
> Does anyone has similar experience to solve the problem?
>

I recommended once to someone that they should add ulimit -n unlimited to the init script, based on the fact I had a similar problem with a different program which that cured (I don't use Solaris for my mail servers). I think that solved the problem for them. You can also tweak system wide limits in /etc/system, but that requires care (you can knacker the entire system) and a reboot.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited.
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Mon Feb 9 10:15:31 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:23 2006 Subject: antivir In-Reply-To: References: Message-ID: <6.0.3.0.2.20040209101427.03dd4528@imap.ecs.soton.ac.uk> You forgot the "." off the end of the command. Can you just compare your output with mine and see if you see any differences? Something is going screwy with blank lines when you paste it into a mail message, which makes it impossible for me to check. Just get the 2 outputs side by side in 2 windows so they line up, and see what has changed. At 06:06 09/02/2004, you wrote: >On Sun, 8 Feb 2004 19:23:12 +0000, Julian Field > wrote: > >Hi Julian. > >Here is the result that you asked for. Sorry, I didn't recognized you wish >at first: > ># /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s >-noboot -rs -z >AntiVir / Linux Version 2.1.0-1 >Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >All rights reserved. > >Loading /usr/lib/AntiVir/antivir.vdf ... > > > >VDF version: 6.23.0.60 created 06 Feb 2004 > > > >For private, non-commercial use only. >AntiVir license: 1001048978 for Erik Jakobsen, Brovst > > > >checking drive/path (cwd): >/var/spool/MailScanner/quarantine/20040208/150E8C812 > >ALERT: [Eicar-Test-Signatur virus] >/var/spool/MailScanner/quarantine/20040208/150E8C812/eicar.com <<< Contains >code of the Eicar-Test-Signatur virus > > > >----- scan results ----- > > > directories: 1 > > > files: 1 > > > alerts: 1 > > > repaired: 0 > > > deleted: 0 > > > renamed: 0 > > > scan time: 00:00:01 > > >------------------------ > > >Thank you for using AntiVir. > > > >Thanks for the server version. I installed my licence file into it (thanks > >to the AntiVir crew for that), and ran it on a message with a few copies of > >eicar in it. 
It detected all of them just fine. > > > >Here is an example report: > >>This is a message from the MailScanner E-Mail Virus Protection Service > >>---------------------------------------------------------------------- > >>The original e-mail attachment "eicar.zip" > >>was believed to be infected by a virus and has been replaced by this > warning > >>message. > >> > >>If you wish to receive a copy of the *infected* attachment, please > >>e-mail helpdesk and include the whole of this message > >>in your request. Alternatively, you can call them, with > >>the contents of this message to hand when you call. > >> > >>At Sun Feb 8 19:12:09 2004 the virus scanner said: > >> AntiVir: ALERT: [Eicar-Test-Signatur virus] eicar.zip --> eicar.com > <<< = > >>Contains code of the Eicar-Test-Signatur virus > > > >I have now tested this on > > AntiVir workstation 2.0.6 > > AntiVir workstation 2.1.0 > > AntiVir server 2.0.8 > >and can confirm that they all work with MailScanner on my Linux systems. > > > >Please place a copy of eicar.com in a directory and run this command: > >/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot > >-rs -z . > >The output should be this (except for the line about the Verlor.B virus) > > > >-----SNIP----- > >AntiVir / Linux Version 2.1.0-1 > >Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. > >All rights reserved. > > > >Loading /usr/lib/AntiVir/antivir.vdf ... > > > >VDF version: 6.23.0.60 created 06 Feb 2004 > > > >For private, non-commercial use only. > >AntiVir license: 1001034888 for Julian Field, Southampton > > > >checking drive/path (list): . 
> >ALERT: [W97M/Verlor.B virus] ./barendsesaunastoom.doc <<< Contains code of > >the Word macro virus W97M/Verlor.B (removeable) > >ALERT: [Eicar-Test-Signatur virus] ./eicar.com <<< Contains code of the > >Eicar-Test-Signatur virus > > > > > >----- scan results ----- > > directories: 1 > > files: 4 > > alerts: 2 > > repaired: 0 > > deleted: 0 > > renamed: 0 > > scan time: 00:00:01 > >------------------------ > >Thank you for using AntiVir. > >-----SNIP----- > > > >Please let me know if your output matches this. > > > >At 18:38 08/02/2004, you wrote: > >>Julian Field wrote: > >>>Can you try upgrading to 2.1.0 (on their website). My (licensed) copy is > >>>detecting viruses in emails just fine. Both inside and outside zip files. > >>>Everything just works, so I don't understand what problems other > people are > >>>having. > >> > >>Hi Julian. > >> > >>Just installe the 2.1.0. I think its working now, as I couldn't get a > >>message to mysef delivered cause of the eicar file. But I'll look at the > >>logfiles, and report to you. > >> > >>>At 15:33 08/02/2004, you wrote: > >>> > >>>>Julian Field wrote: > >>>> > >>>>>I have just tested against 2.1.0 (latest on their web site) and it works > >>>>>fine. > >>>>>Are you sure you have the licence key file installed into > >>>>>/usr/lib/AntiVir? > >>>>>It won't work without it. > >>>> > >>>> > >>>>Yes I have: > >>>> > >>>>I have run the: > >>>> > >>>>/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp > >>>> > >>>>And the result is here: > >>>> > >>>># /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /tmp > >>>>AntiVir / Linux Version 2.0.9-16 > >>>>Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. > >>>>All rights reserved. > >>>> > >>>>Loading /usr/lib/AntiVir/antivir.vdf ... > >>>> > >>>>VDF version: 6.23.0.53 created 30 Jan 2004 > >>>> > >>>>For private, non-commercial use only. 
> >>>>AntiVir license: 12345678 for Erik Jakobsen, Brovst > >>>> > >>>>checking drive/path (list): /tmp > >>>> > >>>>----- scan results ----- > >>>>directories: 1 > >>>>files: 15 > >>>>alerts: 0 > >>>>scan time: 00:00:01 > >>>>------------------------ > >>>>Thank you for using AntiVir. > >>>> > >>>>>At 14:08 08/02/2004, you wrote: > >>>>> > >>>>>>Hi. > >>>>>> > >>>>>>Is anybody here having success with antivir and MailScanner ?. > >>>>>>-- > >>>>>>Erik > >>>>> > >>>>> > >>>>> > >>>>>-- > >>>>>Julian Field > >>>>>www.MailScanner.info > >>>>>Professional Support Services at www.MailScanner.biz > >>>>>MailScanner thanks transtec Computers for their support > >>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >>>> > >>>> > >>>> > >>>>-- > >>>>Erik > >>> > >>> > >>>-- > >>>Julian Field > >>>www.MailScanner.info > >>>Professional Support Services at www.MailScanner.biz > >>>MailScanner thanks transtec Computers for their support > >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >> > >> > >>-- > >>Erik > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Feb 9 10:33:22 2004 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:22:23 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200402091033.i19AXMXG014305@seer.ecs.soton.ac.uk> New Guestbook-Entry from Daniel Kleinsinger I am totally impressed with the way Julian maintains MailScanner. From new features, to fixes for specific problems, to dealing with new users\'\' repetitive questions, I can\'\'t think of a developer who does a better job. 
MailScanner is a great product with a great user community and Julian sets the tone for everyone.
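The side-by-side comparison Julian asks for in the antivir thread above can be done mechanically, which also sidesteps the blank-line and re-wrapping damage he mentions. The following is an added example, not part of the original messages or of MailScanner: it strips mail-quote markers and blank lines from pasted AntiVir reports, re-joins wrapped ALERT lines, and reports what differs. The function names are hypothetical and the three sample reports are constructed, abridged from the output quoted in the thread.

```python
import posixpath
import re

# Constructed sample: the reference report, abridged from the thread.
REFERENCE = """\
AntiVir / Linux Version 2.1.0-1
VDF version: 6.23.0.60 created 06 Feb 2004
checking drive/path (list): .
ALERT: [W97M/Verlor.B virus] ./barendsesaunastoom.doc <<< Contains code of
the Word macro virus W97M/Verlor.B (removeable)
ALERT: [Eicar-Test-Signatur virus] ./eicar.com <<< Contains code of the
Eicar-Test-Signatur virus
----- scan results -----
 directories: 1
 files: 4
 alerts: 2
"""

# Constructed sample: a report after a mail client has quoted it,
# re-wrapped the ALERT line and doubled the blank lines.
PASTED = """\
>AntiVir / Linux Version 2.1.0-1
>
>
>VDF version: 6.23.0.60 created 06 Feb 2004
>
>checking drive/path (cwd):
>/var/spool/MailScanner/quarantine/20040208/150E8C812
>
>ALERT: [Eicar-Test-Signatur virus]
>/var/spool/MailScanner/quarantine/20040208/150E8C812/eicar.com <<< Contains
>code of the Eicar-Test-Signatur virus
>
>----- scan results -----
>
> directories: 1
>
> files: 1
>
> alerts: 1
"""

# Constructed sample: a run that found nothing (from the 2.0.9-16 output).
NO_ALERTS = """\
AntiVir / Linux Version 2.0.9-16
VDF version: 6.23.0.53 created 30 Jan 2004
checking drive/path (list): /tmp
----- scan results -----
directories: 1
files: 15
alerts: 0
"""

COUNTER_RE = re.compile(
    r"\b(directories|files|alerts|repaired|deleted|renamed):\s*(\d+)")
ALERT_RE = re.compile(r"ALERT: \[(.+?)(?: virus)?\]\s+(.+?)\s+<<<")


def normalise(text):
    """Drop '>' quote markers and blank lines, then join wrapped lines."""
    lines = (re.sub(r"^[>\s]+", "", ln).rstrip() for ln in text.splitlines())
    return " ".join(ln for ln in lines if ln)


def parse_report(text):
    """Extract engine version, VDF version, alerts and summary counters."""
    flat = normalise(text)
    engine = re.search(r"AntiVir / Linux Version (\S+)", flat)
    vdf = re.search(r"VDF version: (\S+)", flat)
    return {
        "engine": engine.group(1) if engine else None,
        "vdf": vdf.group(1) if vdf else None,
        # Compare on (virus name, file name); scan directories differ per host.
        "alerts": [(name, posixpath.basename(path))
                   for name, path in ALERT_RE.findall(flat)],
        "counters": {k: int(v) for k, v in COUNTER_RE.findall(flat)},
    }


def compare(reference, pasted, ignore=frozenset()):
    """Return a list of differences; `ignore` holds virus names to skip."""
    ref, got = parse_report(reference), parse_report(pasted)
    diffs = [f"{key}: {ref[key]} != {got[key]}"
             for key in ("engine", "vdf") if ref[key] != got[key]]
    want = {a for a in ref["alerts"] if a[0] not in ignore}
    have = {a for a in got["alerts"] if a[0] not in ignore}
    diffs += [f"missing alert: {n} in {f}" for n, f in sorted(want - have)]
    diffs += [f"unexpected alert: {n} in {f}" for n, f in sorted(have - want)]
    # Sanity check: the summary counter should equal the ALERT lines parsed.
    for label, rep in (("reference", ref), ("pasted", got)):
        if rep["counters"].get("alerts") != len(rep["alerts"]):
            diffs.append(f"{label}: summary count does not match ALERT lines")
    return diffs


if __name__ == "__main__":
    skip = {"W97M/Verlor.B"}  # the reference directory held an extra sample
    print(compare(REFERENCE, PASTED, skip) or "reports match")
    print("\n".join(compare(REFERENCE, NO_ALERTS, skip)))
```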

From martinh at SOLID-STATE-LOGIC.COM Mon Feb 9 10:34:17 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:23 2006
Subject: MailScanner high CPU usage
In-Reply-To: <1039.193.230.152.4.1076253809.squirrel@kiki.gds.ro>
References: <1039.193.230.152.4.1076253809.squirrel@kiki.gds.ro>
Message-ID: <40276229.7000002@solid-state-logic.com>

Adrian Voinea wrote:
> Hello, here's my problem:
>
> Sometimes, mailscanner uses a lot of cpu, for a long amount of time.
> The mail server's load average rises to ~13 and stays that way for a while.
> You can see the cpu hogs' activity in the strace output.
> (I searched for "shmat and umoven: Input/output error" on google and this
> error is obviously related to
> the high cpu usage:
> http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=shmat+umoven+cpu)
>
> What do you think is wrong? Did anyone else encounter this problem?
>
>
> System configuration:
> Celeron 2.4
> 512 ram
> Kernel 2.4.23
> perl 5.6.1
> sendmail 8.12.11
> mailscanner 4.26.7, sa+bayes enabled
> spamassassin 2.63

Have you got RBL's setup in spamassassin? Also worth checking are the numbers of messages you scan and one and the number of children you are running.

mine are.. (on a 600mhz Celeron and 512MB ram)..
Max Children = 5
Max Unscanned Messages Per Scan = 20
Max Unsafe Messages Per Scan = 20

Also worth checking the SA settings to make sure the rules parse properly..

spamassassin -D --lint -C /opt/MailScanner/etc/spam.assassin.prefs.conf

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
********************************************************************** From m.sapsed at BANGOR.AC.UK Mon Feb 9 10:51:55 2004 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:22:23 2006 Subject: Sophos and inconsistent MIME messages? Message-ID: <4027664B.40404@bangor.ac.uk> Hi folks, I've just received this info via my EM Library server: ---------- Global notifications: 2004-02-06 17:07:45: Sophos Anti-Virus version 3.78(d) contains code designed to deal with inconsistent MIME messages. If you are using Sophos Anti-Virus at your email gateway, you are advised to subscribe to this new version. If you are using Sophos Anti-Virus at your desktop only, there is no need to download this new version. ---------- But the release notes are no different to the standard 3.78 version! Any know what this is about? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From adrian at gds.ro Mon Feb 9 11:37:00 2004 
From: adrian at gds.ro (Adrian Voinea)
Date: Thu Jan 12 21:22:23 2006
Subject: MailScanner high CPU usage
In-Reply-To: <40276229.7000002@solid-state-logic.com>
References: <1039.193.230.152.4.1076253809.squirrel@kiki.gds.ro> <40276229.7000002@solid-state-logic.com>
Message-ID: <49023.193.230.152.1.1076326620.squirrel@kiki.gds.ro>

It must be something else that causes the high CPU usage...
does *anyone* know what that shmat error means?

(

umask(0177) = 077
open("/var/spool/mqueue.in/qfi168t9Rc012372", O_RDWR|0x8000) = 7
fstat64(0x7, 0x80f5380) = 0
shmat(7, 0x96c5298, 0x2ptrace: umoven: Input/output error
) = ?
flock(7, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily unavailable)
close(7)

)

Martin Hepworth said:
> Adrian Voinea wrote:
>> Hello, here's my problem:
>>
>> Sometimes, mailscanner uses a lot of cpu, for a long amount of time.
>> The mail server's load average rises to ~13 and stays that way for a
>> while.
>> You can see the cpu hogs' activity in the strace output.
>> (I searched for "shmat and umoven: Input/output error" on google and
>> this
>> error is obviously related to
>> the high cpu usage:
>> http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=shmat+umoven+cpu)
[...]
>
> Have you got RBL's setup in spamassassin?

I have skip_rbl_checks set to 1 in spam.assassin.prefs.conf

> Also worth checking are the
> numbers of messages you scan and one and the number of children you are
> running.
>
> mine are.. (on a 600mhz Celeron and 512MB ram)..
> Max Children = 5
> Max Unscanned Messages Per Scan = 20
> Max Unsafe Messages Per Scan = 20

I have the same settings.

>
>
> Also worth checking the SA settings to make sure the rules parse
> properly..
>
> spamassassin -D --lint -C /opt/MailScanner/etc/spam.assassin.prefs.conf

This is the output of the command:

root@kiki:/opt/MailScanner/etc# spamassassin -D --lint -C /opt/MailScanner/etc/spam.assassin.prefs.conf
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/usr/local/sbin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/sbin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/X11R6/bin', keeping.
debug: PATH included '/usr/games', keeping.
debug: PATH included '/usr/local/iproute', keeping.
debug: PATH included '/usr/local/samba/bin', keeping.
debug: PATH included '/etc/scripts', keeping.
debug: PATH included '/www/mysql/bin', keeping.
debug: PATH included '/etc/bin', which doesn't exist, dropping.
debug: PATH included '/usr/local/samba/bin', keeping.
debug: Final PATH set to: /usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/games:/usr/local/iproute:/usr/local/samba/bin:/etc/scripts:/www/mysql/bin:/usr/local/samba/bin
debug: ignore: using a test message to lint rules
debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin" for user state dir
debug: using "/root/.spamassassin/user_prefs" for user prefs file
debug: bayes: 26096 tie-ing to DB file R/O /opt/MailScanner/spamassassin/bayes_toks
debug: bayes: 26096 tie-ing to DB file R/O /opt/MailScanner/spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: Score set 3 chosen.
debug: Initialising learner
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=0
debug: running uri tests; score so far=0
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0
debug: running meta tests; score so far=0
debug: is spam? score=0 required=5 tests=

From michele at BLACKNIGHTSOLUTIONS.COM Mon Feb 9 11:46:43 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:23 2006 Subject: OT - list options In-Reply-To: <6.0.1.1.2.20040207155428.02dbd4f0@imap.ecs.soton.ac.uk> Message-ID: Excellent! I've changed my settings and Squirrel mail is now a lot more user-friendly Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 07 February 2004 15:55 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: OT - list options > > > You can do this yourself at > www.jiscmail.ac.uk/lists/mailscanner.html > > At 15:23 07/02/2004, you wrote: > >Slightly OT, but I was wondering if there was any chance of messages to > >the list being prepended by "Mailscanner" or similar. > >When using my desktop email client I filter mail using the "to" or "from" > >fields, however I cannot use this with my IMAP webmail, as I wouldn't be > >able to download mail after. > > > >Michele > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From martinh at SOLID-STATE-LOGIC.COM Mon Feb 9 11:57:12 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:23 2006
Subject: MailScanner high CPU usage
In-Reply-To: <49023.193.230.152.1.1076326620.squirrel@kiki.gds.ro>
References: <1039.193.230.152.4.1076253809.squirrel@kiki.gds.ro> <40276229.7000002@solid-state-logic.com> <49023.193.230.152.1.1076326620.squirrel@kiki.gds.ro>
Message-ID: <40277598.2080104@solid-state-logic.com>

Adrian Voinea wrote:
> It must be something else that causes the high CPU usage...
> does *anyone* know what that shmat error means?
>
> (
>
> umask(0177) = 077
> open("/var/spool/mqueue.in/qfi168t9Rc012372", O_RDWR|0x8000) = 7
> fstat64(0x7, 0x80f5380) = 0
> shmat(7, 0x96c5298, 0x2ptrace: umoven: Input/output error
> ) = ?
> flock(7, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily
> unavailable)
> close(7)
>
> )
>

Hi have you checked /var/log/messages to see if there is any indication here? It could be that you are out of shared memory...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From linux at MOSTERT.NOM.ZA Mon Feb 9 15:52:59 2004
From: linux at MOSTERT.NOM.ZA (Mozzi) Date: Thu Jan 12 21:22:23 2006 Subject: Spam checks Message-ID: <200402091752.59090.linux@mostert.nom.za> Hi all I have disabled spamchecks and use spamassassin in the conf file yet I still see entries like below in my logfile. MailScanner[20476]: Spam Checks: Starting Any ideas? Mozzi ************************************************************ Scanned by @lantic IS Virus Control Service This message was scanned for viruses and dangerous content. @lantic Internet Services (Pty) Ltd. - http://www.lantic.net eScan for Windows-based PCs - http://www.escan.co.za If you have received a message marked in the subject line as [SPAM] please note that according to our MailScanner, this message has all the attributes of Unsolicited Commercial Email (UCE). If the message has however been marked incorrectly, please send a query to abuse@lantic.net ************************************************************ From JEN at AH.DK Mon Feb 9 14:38:03 2004 
From: JEN at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:22:23 2006
Subject: Svar: Re: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails
Message-ID:

Hi

I am trying to install mailscanner 4.26.8-1 on suse 9.0 and I get some "Failed build dependencies"

Attempting to build and install perl-MIME-tools-5.411-pl4.2
Installing perl-MIME-tools-5.411-pl4.2.src.rpm
error: Failed build dependencies:
perl >= 0:5.00503 is needed by perl-MIME-tools-5.411-pl4.2

My perl version is: 5.8.1

Where do I put: BuildRequires: perl >= 0:5.5.3 or 0:5.8.1

/Jan Elmqvist Nielsen

>>> Heinz.Knutzen@DATAPORT.DE 30-01-2004 17:34:03 >>>
It doesn't help to install perl-Net-CIDR manually, because the package doesn't build at all:
"ERROR: EMPTY FILE LIST"

On a system with SuSE 8.0 perl-Net-CIDR builds nicely. I compared the output of rpmbuild at both systems and found the underlying problem.

When calling rpmbuild with SuSE 9.0 this results in paths where BuildRoot occurs twice:
Installing /var/tmp/perl-Net-CIDR-root/var/tmp/perl-Net-CIDR-root/usr/share/man/man3/Net::CIDR.3pm

perl-Net-CIDR.spec defines BuildRoot as
%{_tmppath}/%{name}-%{version}-%{release}-root

The first occurrence comes from
perl Makefile.PL PREFIX=$RPM_BUILD_ROOT%{_prefix}

It appears twice, because SuSE defines its own version of the rpm macro %makeinstall in /usr/lib/rpm/suse_macros:
%makeinstall make DESTDIR=%{buildroot} install

The problem didn't occur with SuSE 8.0, because it uses an older version of ExtUtils::MakeMaker, where the resulting Makefile is ignoring its parameter "DESTDIR" and hence (accidentally) successfully creates the package.

A possible solution would be to call "make install" directly instead of "%makeinstall" in perl-Net-CIDR.spec. This would solve the problem for SuSE. It shouldn't hurt for other rpm based distributions, because the standard definition of %makeinstall effectively calls "make install" with many parameters defining prefixes and directories. But these are useless, because PREFIX is already set when processing Makefile.PL.

I still need --nodeps to build this package. If I change "BuildRequires" to
BuildRequires: perl >= 0:5.5.3
it works fine for SuSE 8.0 and 9.0 without using --nodeps.

Best regards

Heinz Knutzen
Dataport
Altenholzer Str 10-14, 24161 Altenholz, Germany
http://www.dataport.de/
mailto:Heinz.Knutzen@dataport.de
Tel: +49.431.3295.6581
Fax: +49.431.3295.410

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Friday, 30 January 2004 10:14
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails

Try just installing the Net-CIDR module with something like
rpm -Uvh --nodeps perl-Net-CIDR*
and then run ./install.sh.

At 16:53 29/01/2004, you wrote:
>For SuSE 9.0 with MailScanner-4.26.6-1.suse.tar.gz I get:
>./install.sh
>...
>Attempting to build and install perl-Net-CIDR-0.08-2
>Installiere perl-Net-CIDR-0.08-2.src.rpm
>Fehler: Failed build dependencies:
> perl >= 0:5.00503 is needed by perl-Net-CIDR-0.08-2
>
>My perl is:
># rpm -q perl
>perl-5.8.1-46
># perl -v
>This is perl, v5.8.1 built for i586-linux-thread-multi
>(with 1 registered patch, see perl -V for more detail)
>
>I get this message for some perl packages, but not for all of them.
>Using "./install.sh nodeps" doesn't help, it gives the same error.
>
>Using "rpmbuild --rebuild --nodeps perl-Net-CIDR-0.08-2.src.rpm"
>does help a bit, but aborts with:
>"ERROR: EMPTY FILE LIST"
>
>This doesn't seem to be a new problem, it occurs with
>MailScanner-4.25-14.suse.tar.gz as well.
>
>
>Best regards
>
>-- Heinz
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
>Sent: Thursday, 29 January 2004 16:25
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: ANNOUNCE: Beta 4.26.6 released
>
>Hi folks,
>
>I have just posted 4.26.6 on the website for you all. Download from
>www.mailscanner.info as usual.
>
>This is intended as a final testing release before 4.26 goes stable, which
>will hopefully be this weekend. If you could test it out and let me know of
>any problems as soon as possible, I will get them fixed.
>
>Thanks folks!
>
>Changes this time are:
>
>* New Features and Improvements *
>- Improved configuration engine so that rules can now contain 2 tests
>  separated by "and".
>- Added "notify" Spam Action and High Scoring Spam Action. This will cause a
>  short text notification message to be sent to the recipients of the spam
>  message. The filename of the report is set with the "Recipient Spam Report"
>  configuration setting. There is also an MCP equivalent of this
>  functionality. See the MCP documentation for details of the settings.
>- Removed the "bounce" spam action.
>- Added regular rebuild of Bayes database. Has 2 options associated with it
>  which I haven't included in the conf file yet.
>- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to
>  configure the operation of the regular Bayes database rebuilds.
>- Added commented "bayes_auto_expire 0" line to spam.assassin.prefs.conf as
>  you will want to uncomment this line if you are using the regular scheduled
>  Bayes database expiry feature given above.
>- Added "Minimum Stars If On Spam List" setting so that people who just filter
>  on the "Spam Stars" can catch messages which only trigger the "Spam List"
>  trap.
>- Added "Log Non Spam" option to allow logging of all non-spam, which can be
>  coerced into logging SpamAssassin scores of non-spam mail.
>- Added support for Norman virus scanner (www.norman.de).
>- Added logging of ids of dropped silent viruses.
>- Added "Too Many Attachments" error report in a message instead of old
>  report saying it could not analyse the message.
>- No longer stops or restarts after RPM upgrade.
>- Added MCP patches for SpamAssassin 2.61 and 2.63.
>- Added 'SpamAssassin Site Rules Dir' setting to locate /etc/mail/spamassassin.
>- Spanish translations of languages.conf updated from Debian translators.
>- Added Catalan translation of all report files.
>- Added bogusmx list to supplied spam.lists.conf.
>- Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf.
>- Changed the version number scheme from major.minor-teeny to major.minor.teeny.
>- Forced owner to be root.root in both RPM spec files, so can be re-built by
>  non-root users.
>- Added my Amazon.co.uk "wish list" to the donations page.
>- Detailed spam report now includes auto-learn status if it was auto-learnt.
>
>* Fixes *
>- Fixed creation of MCP quarantine directory bug.
>- Fix to Postfix message duplication problems. Must find "end of message"
>  record now.
>- Fix to duplicate recipient listing in postmaster notices.
>- Fixed bug so filename/filetype rules configuration setting can be blank.
>- Exim per-message log files are deleted correctly now.
>- Fixed recipient duplication problems in sender messages and other reports.
>- Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's
>  own checks find multiple problems with 1 attachment.
>- Fixed bug where _SCORE_ in subject line modifications is never more than 60.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ugob at CAMO-ROUTE.COM Mon Feb 9 15:10:26 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:23 2006
Subject: Spam checks
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108BF@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Mozzi [mailto:linux@MOSTERT.NOM.ZA]
> Sent: Monday, February 09, 2004 10:53 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Spam checks
>
>
> Hi all
> I have disabled spamchecks and use spamassassin in the conf
> file yet I still
> see entries like below in my logfile.
> MailScanner[20476]: Spam Checks: Starting

Spam check can also mean "Checking spam, using spamassassin"

Ugo

>
> Any ideas?
>
>
> Mozzi
>
>
>
>
> ************************************************************
> Scanned by @lantic IS Virus Control Service
> This message was scanned for viruses and dangerous content.
> @lantic Internet Services (Pty) Ltd. - http://www.lantic.net
> eScan for Windows-based PCs - http://www.escan.co.za
>
> If you have received a message marked in the subject line
> as [SPAM] please note that according to our MailScanner,
> this message has all the attributes of Unsolicited
> Commercial Email (UCE). If the message has however been
> marked incorrectly, please send a query to abuse@lantic.net
> ************************************************************
>

From mailscanner at LISTS.COM.AR Mon Feb 9 15:30:46 2004
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:22:23 2006
Subject: Silent virus & new mail worms...
Message-ID: <40277D76.10613.236AC43D@localhost>

Hi,

Kevin Miller asked a few days ago about av-scanners identifying by means of an option the e-mail borne virus so they could be automatically categorized as "silent virus" by MS and appropriate action be taken (e.g. "Still deliver silent viruses = no").
http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0402&L=mailscanner&P=17196

Jason Balicki said Sophos is working on this (or so their PR people lie about):
http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0402&L=mailscanner&P=17462

I asked about this in the clamav list a few days ago (actually asking for the virus database format, in case it already existed):
http://mail-archive.com/clamav-users@lists.sourceforge.net/msg04859.html

Fajar Nugraha suggested using the 'Worm.' prefix in the name of the virus to identify them:
http://mail-archive.com/clamav-users@lists.sourceforge.net/msg04863.html

I don't know about other scanners, but they may also have a standard string within their name implying it is a mail worm.

Now, Julian, would you consider this as a wished option? It'd be a new option like this (configured for clamav):

Silent Viruses Regex: /^Worm\..*/

This way, we can immediately recognize new e-mail worms as 'Silent' and process them appropriately... I wouldn't eliminate the "Silent Viruses:" option, just in case.

TIA.

--
Mariano Absatz
El Baby
----------------------------------------------------------
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, the mechanics are German, the lovers are French, the entertainment is American, and everything is organised by the Swiss. In Hell, the police are German, the chefs are British, the beer is American, the mechanics are French, the lovers are Swiss, the entertainment is Belgian, and everything is organised by the Italians.

From raq at CHURCHER.ORG.UK Mon Feb 9 15:30:34 2004
From: raq at CHURCHER.ORG.UK (Steve Churcher) Date: Thu Jan 12 21:22:23 2006 Subject: Mcafee In-Reply-To: <54C38A0B814C8E438EF73FC76F3629274108BF@mtlnt501fs.CAMOROUTE.COM> Message-ID: <00a001c3ef21$a95ba2a0$206510ac@euclid.local> Hi All Does anyone know where I can purchase a license for McAfee Command line for unix in the UK? Or indeed anywhere really! Seems a hard one to track down or maybe its just me.. Thanks Steve From dot at DOTAT.AT Mon Feb 9 15:42:16 2004 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:23 2006 Subject: Silent virus & new mail worms... In-Reply-To: Message-ID: Mariano Absatz wrote: > >I don't know about other scanners, but they may also have a standard string >within their name implying it is a mail worm. I think McAfee always uses @MM as a mass mailing worm suffix, but I haven't properly checked that this covers exactly the viruses I want to auto-delete. Tony. -- f.a.n.finch http://dotat.at/ DOVER WIGHT: NORTHWEST 7 TO SEVERE GALE 9 DECREASING 4 OR 5, VEERING NORTH 3 OR 4 LATER. SHOWERS. GOOD. From kcchang at HKUSUA.HKU.HK Mon Feb 9 15:53:03 2004 
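For the "Silent Viruses Regex" proposal in the "Silent virus & new mail worms..." thread above, the following added example (not MailScanner code, and not from the original posters) classifies scanner verdicts with a per-scanner pattern next to the explicit name list, and shows why the pattern has to be anchored. Assumptions: the option is keyed per scanner, the `/@MM$/` pattern is derived from Tony Finch's unverified observation about McAfee, explicit names are matched as case-insensitive substrings, and every virus name except W97M/Verlor.B is constructed.

```python
import re


def parse_regex_option(line):
    """Parse a line of the proposed form 'Silent Viruses Regex: /pattern/'."""
    key, sep, value = line.partition(":")
    value = value.strip()
    if (not sep or key.strip().lower() != "silent viruses regex"
            or len(value) < 3 or value[0] != "/" or value[-1] != "/"):
        raise ValueError(f"not a 'Silent Viruses Regex' line: {line!r}")
    return re.compile(value[1:-1])


# Hypothetical per-scanner configuration: naming conventions differ between
# scanners, so one global pattern would be wrong for at least one of them.
SILENT_REGEX = {
    "clamav": parse_regex_option(r"Silent Viruses Regex: /^Worm\..*/"),
    "mcafee": parse_regex_option(r"Silent Viruses Regex: /@MM$/"),
}

# Stand-in for the existing explicit "Silent Viruses" list, kept as a fallback.
SILENT_NAMES = {"Example.C"}

# Constructed verdicts as (scanner, virus name) pairs.
REPORTS = [
    ("clamav", "Worm.Example.A"),
    ("clamav", "Trojan.Wormhole.Example"),
    ("mcafee", "W32/Example@MM"),
    ("mcafee", "W32/Example.worm"),
    ("antivir", "W97M/Verlor.B"),
    ("clamav", "Trojan.Example.C"),
]


def is_silent(scanner, name):
    """True if the name is on the explicit list or matches the scanner's regex."""
    if any(s.lower() in name.lower() for s in SILENT_NAMES):
        return True
    pattern = SILENT_REGEX.get(scanner)
    # Perl's =~ searches anywhere in the string, so use search(), not match().
    return bool(pattern and pattern.search(name))


def classify(reports):
    """Split verdicts into those handled silently and those that notify."""
    result = {"silent": [], "notify": []}
    for scanner, name in reports:
        bucket = "silent" if is_silent(scanner, name) else "notify"
        result[bucket].append((scanner, name))
    return result


def overmatches(loose, strict, names):
    """Names a loose pattern would silence that the strict pattern would not."""
    return [n for n in names if loose.search(n) and not strict.search(n)]


if __name__ == "__main__":
    for bucket, items in classify(REPORTS).items():
        print(bucket, items)
    clam_names = [n for s, n in REPORTS if s == "clamav"]
    # An unanchored 'Worm' would also silence a non-worm detection, and a
    # silent verdict means no warning goes back to the sender.
    print(overmatches(re.compile("Worm"), SILENT_REGEX["clamav"], clam_names))
```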
From: kcchang at HKUSUA.HKU.HK (Chang Kai Cheong)
Date: Thu Jan 12 21:22:23 2006
Subject: mailscanner (Solaris 2.6) Could not open file
In-Reply-To: <1076313474.26581.15.camel@bach.kevinspicer.co.uk>
Message-ID:

Hi Kevin,

My Solaris got:

set rlim_fd_max = 4096

in /etc/system and I think 2048 (out of 4096) should be fairly good but still it failed. The strange thing is that the same error message keeps going even after the restart of MailScanner. I have to move the mqueue.in away and create a new one in order to successfully start MailScanner and make it work properly again (should it be a file descriptor problem??). I can re-start the MailScanner only if the mqueue.in is re-created and then gradually moved back the queued messages.

Actually, my MailScanner has been running smoothly for over a year and got this intermittent error since January 2004 (and I got the same version running on Alpha Tru64 without problem). I cannot find any clues in truss output as well (only find a number of fstat/open/fcntl call to mail messages and then rmdir of the incoming dir. before dying of child mailscanner processes). Any ideas?

Thanks for your input.

KC Chang

On Mon, 9 Feb 2004, Kevin Spicer wrote:

> On Mon, 2004-02-09 at 06:42, Chang Kai Cheong wrote:
> >
> >
> > Does anyone have similar experience to solve the problem?
> >
> I recommended once to someone that they should add ulimit -n unlimited
> to the init script, based on the fact I had a similar problem with a
> different program which that cured (I don't use Solaris for my mail
> servers). I think that solved the problem for them.
> You can also tweak system wide limits in /etc/system, but that requires
> care (you can knacker the entire system) and a reboot.
>
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.
>

From prandal at HEREFORDSHIRE.GOV.UK Mon Feb 9 15:53:17 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:23 2006
Subject: Mcafee
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4F2@jessica.herefordshire.gov.uk>

We got ours through our Total Virus Defence subscription.

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Steve Churcher
> Sent: 09 February 2004 15:31
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Mcafee
>
>
> Hi All
>
> Does anyone know where I can purchase a license for McAfee
> Command line
> for unix in the UK? Or indeed anywhere really!
>
> Seems a hard one to track down or maybe it's just me..
>
> Thanks
> Steve
>

From eja at URBAKKEN.DK Mon Feb 9 15:57:23 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:22:23 2006
Subject: Mail ?.
Message-ID: <4027ADE3.6090007@urbakken.dk>

Julian !.

Did you receive my mail with the antivir log_file ?.

--
Erik

From Kevin.Spicer at BMRB.CO.UK Mon Feb 9 16:05:42 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:23 2006
Subject: mailscanner (Solaris 2.6) Could not open file
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AE9B@pascal.priv.bmrb.co.uk>

Chang Kai Cheong wrote:
> Hi Kevin,
>
> My Solaris got:
>
> set rlim_fd_max = 4096
>
> in /etc/system and I think 2048 (out of 4096) should be fairly good
> but still it failed. The strange thing is that the same error
> message keeps going even after the restart of MailScanner. I have to
> move the mqueue.in away and create a new one in order to successfully
> start MailScanner and make it work properly again (should it be a
> file descriptor problem??). I can re-start the MailScanner only if
> the mqueue.in is re-created and then gradually moved back the queued
> messages.
>
> Actually, my MailScanner has been running smoothly for over a year
> and got this intermittent error since January 2004 (and I got the
> same version running on Alpha Tru64 without problem). I cannot find
> any clues in truss output as well (only find a number of
> fstat/open/fcntl call to mail messages and then rmdir of the incoming
> dir. before dying of child mailscanner processes). Any ideas?
>

It's probably been tipped over the edge by the MyDoom virus. IIRC these limits apply to processes and their children, so...

5 mailscanner processes * 100 message batches * 2 queue files per message = 1000 files

Then we've got the output header files (another 500 files), then any attachments/bodies being scanned (say 2 parts per message maybe another 1000). And that's before Spamassassin, file command etc. etc.

Okay I admit that maybe all of these aren't open at the same time - but you can see how quickly they can be used up when the server is busy. The very fact that taking the messages out of the queue clears the problem suggests it is a symptom of the number of files involved.

From ralexand at HOODINDUSTRIES.COM Mon Feb 9 16:35:15 2004
From: ralexand at HOODINDUSTRIES.COM (Richard Alexander)
Date: Thu Jan 12 21:22:23 2006
Subject: Rule to allow internal zip files/block external
Message-ID:

I am currently running MS 4.26.7, SA 2.63.1, on red hat 9.0. Because of the recent flood of *.zip attachment viruses we currently block all the standard attachments as well as all zip attachments. Is there a way to allow local users to send zip files within our local site, while still blocking external zip attachments from entering our system?

Thanks

From raymond at PROLOCATION.NET Mon Feb 9 15:35:50 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:23 2006
Subject: Silent virus & new mail worms...
In-Reply-To: <40277D76.10613.236AC43D@localhost>
Message-ID:

Hi!

> It'd be a new option like this (configured for clamav):
> Silent Viruses Regex: /^Worm\..*/

Worm will do just fine.

> This way, we can immediately recognize new e-mail worms as 'Silent' and
> process them appropriately...
>
> I wouldn't eliminate the "Silent Viruses:" option, just in case.

You can also add it in the existing 'Silent Viruses', works fine. Some people who are using Kaspersky are already using this, since Kaspersky already put those into one category.

Bye,
Raymond.

From 20020401 at DUH.NET Mon Feb 9 16:44:58 2004
From: 20020401 at DUH.NET (Travis Taylor)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
Message-ID: <1076345098@otherbbs.com>

We are trying to figure out how an email slipped past MailScanner with Sophos. Symantec quarantined the message on the server when the user checked her mail this morning.

The message was a bounce from a site that does not permit executables.

Here is the message recovered from the quarantine server:

Received: from emailscanner.newton.k12.ks.us not authenticated [192.168.254.10]
    by newton.k12.ks.us with NetMail SMTP Agent $Revision: 3.22.1.3 $ on Novell NetWare;
    Fri, 06 Feb 2004 08:36:46 -0600
Received: from mx07.futurequest.net (mx07.futurequest.net [69.5.6.178])
    by emailscanner.newton.k12.ks.us (8.12.8/8.12.8) with SMTP id i16EaM6L008388
    for ; Fri, 6 Feb 2004 08:36:22 -0600
X-Envelope-To:
Message-Id: <200402061436.i16EaM6L008388@emailscanner.newton.k12.ks.us>
Received: (qmail 15257 invoked for bounce); 6 Feb 2004 14:27:02 -0000
Date: 6 Feb 2004 14:27:02 -0000
From: MAILER-DAEMON@mx07.futurequest.net
To: khays@newton.k12.ks.us
Subject: failure notice
X-USD373-MailScanner-Information: Mail scanned using http://mailscanner.info
X-USD373-MailScanner: Found to be clean
X-USD373-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.903, required 5,
    LARGE_HEX 1.59, MSGID_FROM_MTA_HEADER 0.76, NO_REAL_NAME 0.28, UPPERCASE_25_50 0.26)
X-USD373-MailScanner-SpamScore: ss

Hi. This is the qmail-send program at mx07.futurequest.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
No executable files accepted. Message rejected 1076077622 pid 2773

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 32431 invoked from network); 6 Feb 2004 13:43:40 -0000
Received: from newton.k12.ks.us (hillsboro-bm.teen.k12.ks.us [65.241.105.189])
    by mx07.futurequest.net ([69.5.6.178]) with ESMTP via TCP; 06 Feb 2004 13:43:40 -0000
From: khays@newton.k12.ks.us
To: ugaw@myparentime.com
Subject: Status
Date: Fri, 6 Feb 2004 07:43:35 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0004_9E42CB75.1E93C406"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0004_9E42CB75.1E93C406
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

[snip]

------=_NextPart_000_0004_9E42CB75.1E93C406
Content-Type: application/octet-stream; name="readme.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.scr"

[snip]

------=_NextPart_000_0004_9E42CB75.1E93C406--

So far MailScanner has caught 1817 MyDoom-A virus, with the exception of 27 MyDoom infected messages that slipped through during the window when the virus was released in the wild and before Sophos updated the definitions, MailScanner and Sophos have caught every one since until now. Anyone got some ideas on what to check or how to verify this got through?

Is this something we need to send to Sophos?

Using RH 9, MailScanner v4.23-11, and Sophos v3.75

---
Travis Taylor, EMail Administrator
Newton Unified School District #373
Educational Technology Center
116 West 7th
Newton, KS 67114
316-284-6251

From dustin.baer at IHS.COM Mon Feb 9 17:09:55 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
References: <1076345098@otherbbs.com>
Message-ID: <4027BEE3.73038005@ihs.com>

Travis Taylor wrote:
>
> We are trying to figure out how an email slipped past MailScanner with
> Sophos. Symantec quarantined the message on the server when the user
> checked her mail this morning.
>
> The message was a bounce from a site that does not permit executables.
>
> Here is the message recovered from the quarantine server:
>
> [snip]
>
> So far MailScanner has caught 1817 MyDoom-A virus, with the exception of
> 27 MyDoom infected messages that slipped through during the window
> when the virus was released in the wild and before Sophos updated the
> definitions, MailScanner and Sophos have caught every one since until now.
> Anyone got some ideas on what to check or how to verify this got
> through?
>
> Is this something we need to send to Sophos?
>
> Using RH 9, MailScanner v4.23-11, and Sophos v3.75
>
> ---
> Travis Taylor, EMail Administrator

Travis,

We have the same situation here. Right now, I am trying to retrieve the Symantec quarantined documents, and will be sending them to Sophos.

I would suggest sending them yours, also.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From 20020401 at DUH.NET Mon Feb 9 17:32:21 2004
From: 20020401 at DUH.NET (Travis Taylor)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
Message-ID: <1076347941@otherbbs.com>

>Travis,
>
>We have the same situation here. Right now, I am trying to retrieve
>the Symantec quarantined documents, and will be sending them to Sophos.
>
>I would suggest sending them yours, also.
>
>Dustin
>--
>Dustin Baer
>Unix Administrator/Postmaster
>Information Handling Services
>15 Inverness Way East
>Englewood, CO 80112
>303-397-2836

I'm in the process of sending it to Sophos now, Dustin.

On a side note, I decided to send the quarantined message as an attachment to myself and MailScanner/Sophos caught it. Though when I pasted the infected bounced message in the body of a message and sent it to myself it slipped through without being detected. I'm wondering if this has something to do with how the message is encoded (mime, uuencode, etc).

---
Travis Taylor, EMail Administrator
Newton Unified School District #373
Educational Technology Center
116 West 7th
Newton, KS 67114
316-284-6251

From martinh at SOLID-STATE-LOGIC.COM Mon Feb 9 17:37:51 2004
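
The encoding question raised in the message above, as an added example in Python (not code from the list, from MailScanner or from Sophos): a qmail bounce that quotes the original message as body text has no MIME attachments of its own, so a check that only walks the outer MIME tree reports nothing, while re-parsing the text after the qmail marker line recovers the attachment name. This illustrates the hypothesis only, not a diagnosis of the miss reported here; the addresses, host names and payload below are constructed.

```python
import email
from email import policy

# Marker line that qmail-send puts before the quoted original (seen in the thread).
QMAIL_MARKER = "--- Below this line is a copy of the message."

# Constructed sample modelled on the bounce in the thread. The base64 payload
# decodes to the harmless text "not a real executable".
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: user@example.org
Subject: failure notice

Hi. This is the qmail-send program at mx.example.net.
I'm afraid I wasn't able to deliver your message to the following addresses.

<someone@example.com>:
No executable files accepted. Message rejected

--- Below this line is a copy of the message.

Return-Path: <user@example.org>
From: user@example.org
To: someone@example.com
Subject: Status
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000"

This is a multi-part message in MIME format.

------=_NextPart_000
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

test

------=_NextPart_000
Content-Type: application/octet-stream; name="readme.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.scr"

bm90IGEgcmVhbCBleGVjdXRhYmxl

------=_NextPart_000--
"""


def attachment_names(msg):
    """Filenames of every MIME part that declares one, at any nesting depth."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def embedded_original(msg):
    """Re-parse the message quoted after the qmail marker; None if there is none."""
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        text = part.get_content()  # decodes any transfer encoding and charset
        _, marker, rest = text.partition(QMAIL_MARKER)
        if marker:
            return email.message_from_string(rest.lstrip("\r\n"),
                                             policy=policy.default)
    return None


def scan(raw):
    """Compare what the outer MIME tree shows with what the quoted copy holds."""
    outer = email.message_from_string(raw, policy=policy.default)
    inner = embedded_original(outer)
    return {
        "outer_attachments": attachment_names(outer),
        "embedded_attachments": attachment_names(inner) if inner else [],
    }


if __name__ == "__main__":
    print(scan(SAMPLE_BOUNCE))
```

A gateway that wants to apply its filename rules to bounces can run them over `embedded_attachments` as well as over the outer parts.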
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
In-Reply-To: <1076347941@otherbbs.com>
References: <1076347941@otherbbs.com>
Message-ID: <4027C56F.2010103@solid-state-logic.com>

Travis Taylor wrote:
>>Travis,
>>
>>We have the same situation here. Right now, I am trying to retrieve
>>the Symantec quarantined documents, and will be sending them to Sophos.
>>
>>I would suggest sending them yours, also.
>>
>>Dustin
>>--
>>Dustin Baer
>>Unix Administrator/Postmaster
>>Information Handling Services
>>15 Inverness Way East
>>Englewood, CO 80112
>>303-397-2836
>
>
> I'm in the process of sending it to Sophos now, Dustin.
>
> On a side note, I decided to send the quarantined message as an
> attachment to myself and MailScanner/Sophos caught it. Though when I
> pasted the infected bounced message in the body of a message and sent
> it to myself it slipped through without being detected. I'm wondering
> if this has something to do with how the message is encoded (mime,
> uuencode, etc).
>
>

This is a known issue with MailScanner and specifically one of the Perl modules it uses.

From memory Julian asked for anyone with such an email to forward it direct to him (not the list) so he can investigate the problem.

I hope Julian doesn't shoot me getting people to send him viruses.

You might want to email him beforehand to warn him an example is on the way!

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From kevins at BMRB.CO.UK Mon Feb 9 18:28:01 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
In-Reply-To: <4027C56F.2010103@solid-state-logic.com>
References: <1076347941@otherbbs.com> <4027C56F.2010103@solid-state-logic.com>
Message-ID: <1076351285.1679.0.camel@bach.kevinspicer.co.uk>

On Mon, 2004-02-09 at 17:37, Martin Hepworth wrote:

> From memory Julian asked for anyone with such an email to forward it
> direct to him (not the list) so he can investigate the problem.
>
> I hope Julian doesn't shoot me getting people to send him viruses.
>
> You might want to email him beforehand to warn him an example is on the
> way!

I think he asked for them in a password protected zip (?)

From peter at UCGBOOK.COM Mon Feb 9 18:31:40 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:23 2006
Subject: Rule to allow internal zip files/block external
In-Reply-To:
References:
Message-ID: <4027D20C.5050609@ucgbook.com>

Richard Alexander wrote:
> I am currently running MS 4.26.7, SA 2.63.1, on red hat 9.0. Because of
> the recent flood of *.zip attachment viruses we currently block all the
> standard attachments as well as all zip attachments. Is there a way to
> allow local users to send zip files within our local site, while still
> blocking external zip attachments from entering our system?

Yes, use a ruleset to point local users to a different filename.rules.conf than the rest.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From kodak at FRONTIERHOMEMORTGAGE.COM Mon Feb 9 19:13:48 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
In-Reply-To: <1076351285.1679.0.camel@bach.kevinspicer.co.uk>
Message-ID: <007f01c3ef40$d8a456a0$0501a8c0@darkside>

This issue may be fixed by using the 3.78d version which according to Sophos:

"2004-02-06 17:07:45: Sophos Anti-Virus version 3.78(d) contains code designed to deal with inconsistent MIME messages. If you are using Sophos Anti-Virus at your email gateway, you are advised to subscribe to this new version. If you are using Sophos Anti-Virus at your desktop only, there is no need to download this new version."

My apologies if you are already using 3.78d.

HTH,

--J(K)

From mailscanner at ecs.soton.ac.uk Mon Feb 9 19:59:08 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: Spam checks
In-Reply-To: <200402091752.59090.linux@mostert.nom.za>
References: <200402091752.59090.linux@mostert.nom.za>
Message-ID: <6.0.1.1.2.20040209195721.02d84ec0@imap.ecs.soton.ac.uk>

It tends to log it even though it's not doing it. Considering the possibility of rulesets, it's not actually as trivial as you think it might be to decide if any spam checks are to be done. So I log it anyway, even though that particular message batch might not contain any messages to be spam checked.

At 15:52 09/02/2004, you wrote:
>Hi all
>I have disabled spamchecks and use spamassassin in the conf file yet I still
>see entries like below in my logfile.
>MailScanner[20476]: Spam Checks: Starting
>
>Any ideas?
>
>
>Mozzi
>
>
>
>
>************************************************************
>Scanned by @lantic IS Virus Control Service
>This message was scanned for viruses and dangerous content.
>@lantic Internet Services (Pty) Ltd. - http://www.lantic.net
>eScan for Windows-based PCs - http://www.escan.co.za
>
>If you have received a message marked in the subject line
>as [SPAM] please note that according to our MailScanner,
>this message has all the attributes of Unsolicited
>Commercial Email (UCE). If the message has however been
>marked incorrectly, please send a query to abuse@lantic.net
>************************************************************

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 9 20:08:42 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: Rule to allow internal zip files/block external
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040209200435.02d1fec0@imap.ecs.soton.ac.uk>

At 16:35 09/02/2004, you wrote:
>I am currently running MS 4.26.7, SA 2.63.1, on red hat 9.0. Because of
>the recent flood of *.zip attachment viruses we currently block all the
>standard attachments as well as all zip attachments. Is there a way to
>allow local users to send zip files within our local site, while still
>blocking external zip attachments from entering our system?

Use a ruleset to point at different filename.rules.conf files.

First ban zip files in your main filename.rules.conf file. Copy one of the other deny lines and put it right near the top of the file. Make sure the 4 sections of the line are separated with tabs and not spaces.

Then copy the file to filename.allowzip.rules.conf. Change the deny zip to allow zip (use one of the other allow lines as a template). Make sure it's near the top of the file so gets acted on very early.

Then create a ruleset in /etc/MailScanner/rules/filenameconf.rules

FromAndTo: yourdomain.com /etc/MailScanner/filename.allowzip.rules.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf

Finally, in /etc/MailScanner.conf, put this

Filename Rules = /etc/MailScanner/rules/filenameconf.rules

and then restart or reload MailScanner.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 9 20:11:14 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: Sophos missed MyDoom-A bounced msg
In-Reply-To: <4027C56F.2010103@solid-state-logic.com>
References: <1076347941@otherbbs.com> <4027C56F.2010103@solid-state-logic.com>
Message-ID: <6.0.1.1.2.20040209201007.02cffec0@imap.ecs.soton.ac.uk>

At 17:37 09/02/2004, you wrote:
>Travis Taylor wrote:
>>>Travis,
>>>
>>>We have the same situation here. Right now, I am trying to retrieve
>>>the Symantec quarantined documents, and will be sending them to Sophos.
>>>
>>>I would suggest sending them yours, also.
>>>
>>>Dustin
>>>--
>>>Dustin Baer
>>>Unix Administrator/Postmaster
>>>Information Handling Services
>>>15 Inverness Way East
>>>Englewood, CO 80112
>>>303-397-2836
>>
>>
>>I'm in the process of sending it to Sophos now, Dustin.
>>
>>On a side note, I decided to send the quarantined message as an
>>attachment to myself and MailScanner/Sophos caught it. Though when I
>>pasted the infected bounced message in the body of a message and sent
>>it to myself it slipped through without being detected. I'm wondering
>>if this has something to do with how the message is encoded (mime,
>>uuencode, etc).
>>
>
>This is a known issue with MailScanner and specifically one of the Perl
>modules it uses.
>
> From memory Julian asked for anyone with such an email to forward it
>direct to him (not the list) so he can investigate the problem.
>
>I hope Julian doesn't shoot me getting people to send him viruses.
>
>You might want to email him beforehand to warn him an example is on the
>way!

We have seen some cases where Sophos with MailScanner failed to spot a MyDoom. But F-Prot on the same system (running as a secondary scanner) spotted the virus just fine. So somehow Sophos is missing it when F-Prot is finding it.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 9 20:03:25 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: Svar: Re: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040209200227.03c2dc50@imap.ecs.soton.ac.uk>

You can use the "--nodeps" command-line option with "./install.sh" to get around this. I'm going to get time to install a SuSE 9 box soon (hopefully later this week, but the day job is busy right now) and will get all the SuSE 9 niggles sorted out.

At 14:38 09/02/2004, you wrote:
>Hi
>
>I am trying to install mailscanner 4.26.8-1 on suse 9.0 and I get some
>"Failed build dependencies"
>
>Attempting to build and install perl-MIME-tools-5.411-pl4.2
>Installing perl-MIME-tools-5.411-pl4.2.src.rpm
>error: Failed build dependencies:
>        perl >= 0:5.00503 is needed by perl-MIME-tools-5.411-pl4.2
>
>My perl version is: 5.8.1
>
>Where do I put:
>BuildRequires: perl >= 0:5.5.3 or 0:5.8.1
>
>/Jan Elmqvist Nielsen
>
>
>
> >>> Heinz.Knutzen@DATAPORT.DE 30-01-2004 17:34:03 >>>
>It doesn't help to install perl-Net-CIDR manually,
>because the package doesn't build at all:
>"ERROR: EMPTY FILE LIST"
>
>On a system with SuSE 8.0 perl-Net-CIDR builds nicely.
>I compared the output of rpmbuild at both systems and found
>the underlying problem.
>
>When calling rpmbuild with SuSE 9.0 this results in paths
>where BuildRoot occurs twice:
>Installing
>/var/tmp/perl-Net-CIDR-root/var/tmp/perl-Net-CIDR-root/usr/share/man/man3/Net::CIDR.3pm
>
>perl-Net-CIDR.spec defines BuildRoot as
>%{_tmppath}/%{name}-%{version}-%{release}-root
>
>The first occurrence comes from
>  perl Makefile.PL PREFIX=$RPM_BUILD_ROOT%{_prefix}
>
>It appears twice, because SuSE defines its own version
>of the rpm macro %makeinstall in /usr/lib/rpm/suse_macros:
>%makeinstall make DESTDIR=%{buildroot} install
>
>The problem didn't occur with SuSE 8.0,
>because it uses an older version of ExtUtils::MakeMaker,
>where the resulting Makefile is ignoring its parameter
>"DESTDIR" and hence (accidentally) successfully creates the package.
>
>A possible solution would be to call "make install" directly
>instead of "%makeinstall" in perl-Net-CIDR.spec.
>
>This would solve the problem for SuSE.
>It shouldn't hurt for other rpm based distributions,
>because the standard definition of %makeinstall effectively calls
>"make install" with many parameters defining prefixes and directories.
>But these are useless, because PREFIX is already set
>when processing Makefile.PL.
>
>
>I still need --nodeps to build this package.
>If I change "BuildRequires" to
>BuildRequires: perl >= 0:5.5.3
>it works fine for SuSE 8.0 and 9.0 without using --nodeps.
>
>Best regards
>
>Heinz Knutzen
>
>Dataport
>Altenholzer Str 10-14, 24161 Altenholz, Germany
>http://www.dataport.de/
>mailto:Heinz.Knutzen@dataport.de
>Tel: +49.431.3295.6581 Fax: +49.431.3295.410
>
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>behalf of Julian Field
>Sent: Friday, 30 January 2004 10:14
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails
>
>Try just installing the Net-CIDR module with something like
>rpm -Uvh --nodeps perl-Net-CIDR*
>and then run ./install.sh.
>
>At 16:53 29/01/2004, you wrote:
> >For SuSE 9.0 with MailScanner-4.26.6-1.suse.tar.gz I get:
> >./install.sh
> >...
> >Attempting to build and install perl-Net-CIDR-0.08-2
> >Installiere perl-Net-CIDR-0.08-2.src.rpm
> >Fehler: Failed build dependencies:
> >        perl >= 0:5.00503 is needed by perl-Net-CIDR-0.08-2
> >
> >My perl is:
> ># rpm -q perl
> >perl-5.8.1-46
> ># perl -v
> >This is perl, v5.8.1 built for i586-linux-thread-multi
> >(with 1 registered patch, see perl -V for more detail)
> >
> >I get this message for some perl packages, but not for all of them.
> >Using "./install.sh nodeps" doesn't help, it gives the same error.
> >
> >Using "rpmbuild --rebuild --nodeps perl-Net-CIDR-0.08-2.src.rpm"
> >does help a bit, but aborts with:
> >"ERROR: EMPTY FILE LIST"
> >
> >This doesn't seem to be a new problem, it occurs with
> >MailScanner-4.25-14.suse.tar.gz as well.
> >
> >
> >Best regards
> >
> >-- Heinz
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> >behalf of Julian Field
> >Sent: Thursday, 29 January 2004 16:25
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: ANNOUNCE: Beta 4.26.6 released
> >
> >Hi folks,
> >
> >I have just posted 4.26.6 on the website for you all. Download from
> >www.mailscanner.info as usual.
> >
> >This is intended as a final testing release before 4.26 goes stable, which
> >will hopefully be this weekend. If you could test it out and let me know of
> >any problems as soon as possible, I will get them fixed.
> >
> >Thanks folks!
> >
> >Changes this time are:
> >
> >* New Features and Improvements *
> >- Improved configuration engine so that rules can now contain 2 tests
> >  separated by "and".
> >- Added "notify" Spam Action and High Scoring Spam Action. This will cause a
> >  short text notification message to be sent to the recipients of the spam
> >  message. The filename of the report is set with the "Recipient Spam Report"
> >  configuration setting. There is also an MCP equivalent of this
> >  functionality. See the MCP documentation for details of the settings.
> >- Removed the "bounce" spam action.
> >- Added regular rebuild of Bayes database. Has 2 options associated with it
> >  which I haven't included in the conf file yet.
> >- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to
> >  configure the operation of the regular Bayes database rebuilds.
> >- Added commented "bayes_auto_expire 0" line to spam.assassin.prefs.conf as
> >  you will want to uncomment this line if you are using the regular scheduled
> >  Bayes database expiry feature given above.
> >- Added "Minimum Stars If On Spam List" setting so that people who just filter
> >  on the "Spam Stars" can catch messages which only trigger the "Spam List"
> >  trap.
> >- Added "Log Non Spam" option to allow logging of all non-spam, which can be
> >  coerced into logging SpamAssassin scores of non-spam mail.
> >- Added support for Norman virus scanner (www.norman.de).
> >- Added logging of ids of dropped silent viruses.
> >- Added "Too Many Attachments" error report in a message instead of old
> >  report saying it could not analyse the message.
> >- No longer stops or restarts after RPM upgrade.
> >- Added MCP patches for SpamAssassin 2.61 and 2.63.
> >- Added 'SpamAssassin Site Rules Dir' setting to locate
> >  /etc/mail/spamassassin.
> >- Spanish translations of languages.conf updated from Debian translators.
> >- Added Catalan translation of all report files.
> >- Added bogusmx list to supplied spam.lists.conf.
> >- Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf.
> >- Changed the version number scheme from major.minor-teeny to
> >  major.minor.teeny.
> >- Forced owner to be root.root in both RPM spec files, so can be re-built by
> >  non-root users.
> >- Added my Amazon.co.uk "wish list" to the donations page.
> >- Detailed spam report now includes auto-learn status if it was auto-learnt.
> >
> >* Fixes *
> >- Fixed creation of MCP quarantine directory bug.
> >- Fix to Postfix message duplication problems. Must find "end of message"
> >  record now.
> >- Fix to duplicate recipient listing in postmaster notices.
> >- Fixed bug so filename/filetype rules configuration setting can be blank.
> >- Exim per-message log files are deleted correctly now.
> >- Fixed recipient duplication problems in sender messages and other reports.
> >- Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's
> >  own checks find multiple problems with 1 attachment.
> >- Fixed bug where _SCORE_ in subject line modifications is never more than 60.
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support
> >
> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dustin.baer at IHS.COM Mon Feb 9 20:58:53 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:23 2006
Subject: \. in filename.rules.conf
Message-ID: <4027F48D.D06CF176@ihs.com>

I see the following in filename.rules.conf:

deny pretty\s+park\.exe$
deny happy99.exe$
deny webpage\.rar$

Is the \ required before . ?

Also, I wanted to block any "doc.zip" attachments that come through, so added the following line:

deny doc.zip$ - -

This also blocks dp_doc.zip, or anything else that has .....doc.zip. The following appears to work properly, but just want to make sure:

deny ^doc.zip$ - -

Again, is a \. needed, rather than just the . ?

Thanks,

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

--
This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Thank you.
From hywel at BURRIS.ORG.UK Mon Feb 9 20:29:38 2004
From: hywel at BURRIS.ORG.UK (Hywel Burris) Date: Thu Jan 12 21:22:23 2006 Subject: Sophos missed MyDoom-A bounced msg In-Reply-To: <6.0.1.1.2.20040209201007.02cffec0@imap.ecs.soton.ac.uk> Message-ID: <200402092029.i19KTcKT014669@mail.burris.org.uk> [snip] >> >>This is a known issue with MailScanner and specifically one of the Perl >>modules it uses. >> >> From memory Julian asked for anyone with such an email to forward it >>direct to him (not the list) so he can investigate the problem. >> >>I hope Julian doesn't shoot me getting people to send him viruses. >> >>You might want to email him before hand to warn him an example is on the >>way! >We have seen some cases where Sophos with MailScanner failed to spot a >MyDoom. But F-Prot on the same system (running as a secondary scanner) >spotted the virus just fine. So somehow Sophos is missing it when F-Prot is >finding it. I have seen this today with Clam and McAfee missing one and F-Prot getting it. I have also noticed this before with clam missing some and Mcafee and F-Prot catching them. Hywel From mailscanner at ecs.soton.ac.uk Mon Feb 9 21:11:23 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: \. in filename.rules.conf
In-Reply-To: <4027F48D.D06CF176@ihs.com>
References: <4027F48D.D06CF176@ihs.com>
Message-ID: <6.0.3.0.2.20040209210901.037e1508@imap.ecs.soton.ac.uk>

At 20:58 09/02/2004, you wrote:
>I see the following in filename.rules.conf:
>
>deny pretty\s+park\.exe$
>deny happy99.exe$
>deny webpage\.rar$
>
>Is the \ required before . ?

Yes, otherwise it wouldn't be there. They are regular expressions. "." means any character. "\." means the literal character "."

>Also, I wanted to block any "doc.zip" attachments that come through, so
>added the following line:
>
>deny doc.zip$ - -
>
>This also blocks dp_doc.zip, or anything else that has .....doc.zip.
>The following appears to work properly, but just want to make sure:
>
>deny ^doc.zip$ - -
>
>Again, is a \. needed, rather than just the . ?

That will match filenames which are exactly "doc.zip" as ^ means the start of the filename and $ means the end of the filename. Suggest you read up a bit on regular expressions. "man perlre" will get you started. What I suspect you mean is to block any filename ending in ".doc.zip" which is

deny \.doc\.zip$ - -

>Thanks,
>
>Dustin
>--
>Dustin Baer
>Unix Administrator/Postmaster
>Information Handling Services
>15 Inverness Way East
>Englewood, CO 80112
>303-397-2836
>
>--
>This email message is for the sole use of the intended recipient(s) and
>may contain confidential and privileged information. Any unauthorized
>review, use, disclosure or distribution is prohibited. If you are not
>the intended recipient, please contact the sender by reply email and
>destroy all copies of the original message. Thank you.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From mkettler at EVI-INC.COM Mon Feb 9 21:24:37 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:23 2006
Subject: \. in filename.rules.conf
In-Reply-To: <4027F48D.D06CF176@ihs.com>
References: <4027F48D.D06CF176@ihs.com>
Message-ID: <6.0.0.22.0.20040209162316.025c15d0@xanadu.evi-inc.com>

At 03:58 PM 2/9/2004, Dustin Baer wrote:
>deny webpage\.rar$
>
>Is the \ required before . ?

Yes, because in regular expressions, a . by itself is a single-character wildcard. (like ? in the dos filename world)

ie doc.zip will match:

doc2zip
doc_zip
docszip
doc.zip
etc..
From dustin.baer at IHS.COM Mon Feb 9 21:22:08 2004
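Added example, not part of any post in this thread and not MailScanner's own code: a small Python lint for filename.rules.conf-style lines that flags an unescaped "." such as the one in "happy99.exe$", lists which names it over-matches, and evaluates rules top to bottom. The whitespace-split field layout, case-insensitive matching, first-match-wins order and the sample "allow \.zip$" line are assumptions; Python's re module treats these particular patterns the same way Perl does.

```python
import re

# Constructed sample in the layout the thread quotes from filename.rules.conf:
# action, regular expression, log text, user report text ("-" = no text).
# Assumption: the first two fields can be split on whitespace.
SAMPLE_RULES = r"""
deny    pretty\s+park\.exe$   -  -
deny    happy99.exe$          -  -
deny    doc.zip$              -  -
deny    ^doc\.zip$            -  -
allow   \.zip$                -  -
"""

QUANTIFIERS = "*+?{"


def parse_rules(text):
    """Return [(action, pattern), ...], skipping blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 2 or fields[0].lower() not in ("allow", "deny"):
            raise ValueError("unparseable rule: %r" % line)
        rules.append((fields[0].lower(), fields[1]))
    return rules


def bare_dots(pattern):
    """Offsets of '.' that act as a one-character wildcard but look like a
    filename separator: not escaped, not inside [...], not quantified."""
    hits, in_class, i = [], False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            nxt = pattern[i + 1:i + 2]
            if not nxt or nxt not in QUANTIFIERS:
                hits.append(i)
        i += 1
    return hits


def escape_dots(pattern):
    """Return the pattern with every bare dot rewritten as a literal '\\.'."""
    out, last = [], 0
    for pos in bare_dots(pattern):
        out.append(pattern[last:pos] + "\\.")
        last = pos + 1
    out.append(pattern[last:])
    return "".join(out)


def overmatches(pattern, candidates):
    """Names the pattern as written matches but its escaped-dot form does not."""
    loose = re.compile(pattern, re.IGNORECASE)
    strict = re.compile(escape_dots(pattern), re.IGNORECASE)
    return [n for n in candidates if loose.search(n) and not strict.search(n)]


def first_match(rules, filename):
    """Action of the first rule whose pattern matches, or None.
    Assumption: rules are tried top to bottom and the first hit decides."""
    for action, pattern in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action
    return None


# Constructed attachment names, including the ones listed in the thread.
NAMES = ["doc.zip", "dp_doc.zip", "doc2zip", "doc_zip", "docszip",
         "report.doc.zip", "happy99.exe", "happy99_exe", "message.zip"]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for action, pattern in rules:
        if action == "deny" and bare_dots(pattern):
            print("%-14s -> %-16s extra hits: %s" % (
                pattern, escape_dots(pattern), overmatches(pattern, NAMES)))
    for name in NAMES:
        print("%-16s %s" % (name, first_match(rules, name)))
```

Because the unanchored "doc.zip$" line comes first in the sample, it shadows the anchored "^doc\.zip$" line below it; removing it lets dp_doc.zip fall through to the allow line.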
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:23 2006
Subject: \. in filename.rules.conf
References: <4027F48D.D06CF176@ihs.com> <6.0.3.0.2.20040209210901.037e1508@imap.ecs.soton.ac.uk>
Message-ID: <4027FA00.3B0F9575@ihs.com>

Julian Field wrote:
>
> At 20:58 09/02/2004, you wrote:
> >I see the following in filename.rules.conf:
> >
> >deny pretty\s+park\.exe$
> >deny happy99.exe$
> >deny webpage\.rar$
> >
> >Is the \ required before . ?
>
> Yes, otherwise it wouldn't be there. They are regular expressions. "."
> means any character. "\." means the literal character "."

So, since it isn't there, I will assume it is not a typo when you have "happy99.exe$" in filename.rules.conf, rather than "happy99\.exe$"? :-)

> >deny ^doc.zip$ - -
> >
>
> That will match filenames which are exactly "doc.zip" as ^ means the start
> of the filename and $ means the end of the filename.

I know, but...

> Suggest you read up a
> bit on regular expressions. "man perlre" will get you started.

I felt pretty comfortable with regular expressions, but not seeing the \ in "happy99.exe$" made me think twice and thought you might be doing something else.

> What I
> suspect you mean is to block any filename ending in ".doc.zip" which is
> deny \.doc\.zip$ - -

Nope, just wanted "doc.zip" to be blocked...along with message.zip, document.zip, data.zip, text.zip, file.zip and test.zip, since these sometimes get past MailScanner/Sophos.

Thanks for the answer!

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836
From mailscanner at ecs.soton.ac.uk Mon Feb 9 21:37:15 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:23 2006
Subject: \. in filename.rules.conf
In-Reply-To: <4027FA00.3B0F9575@ihs.com>
References: <4027F48D.D06CF176@ihs.com> <6.0.3.0.2.20040209210901.037e1508@imap.ecs.soton.ac.uk> <4027FA00.3B0F9575@ihs.com>
Message-ID: <6.0.3.0.2.20040209213612.03828200@imap.ecs.soton.ac.uk>

At 21:22 09/02/2004, you wrote:
>Julian Field wrote:
> >
> > At 20:58 09/02/2004, you wrote:
> > >I see the following in filename.rules.conf:
> > >
> > >deny pretty\s+park\.exe$
> > >deny happy99.exe$
> > >deny webpage\.rar$
> > >
> > >Is the \ required before . ?
> >
> > Yes, otherwise it wouldn't be there. They are regular expressions. "."
> > means any character. "\." means the literal character "."
>
>So, since it isn't there, I will assume it is not a typo when you have
>"happy99.exe$" in filename.rules.conf, rather than "happy99\.exe$"? :-)
>
> > >deny ^doc.zip$ - -
> > >
> >
> > That will match filenames which are exactly "doc.zip" as ^ means the start
> > of the filename and $ means the end of the filename.
>
>I know, but...
>
> > Suggest you read up a
> > bit on regular expressions. "man perlre" will get you started.
>
>I felt pretty comfortable with regular expressions, but not seeing the \
>in "happy99.exe$" made me think twice and thought you might be doing
>something else.

Yes, a typo.

> > What I
> > suspect you mean is to block any filename ending in ".doc.zip" which is
> > deny \.doc\.zip$ - -
>
>Nope, just wanted "doc.zip" to be blocked...along with message.zip,
>document.zip, data.zip, text.zip, file.zip and test.zip, since these
>sometimes get past MailScanner/Sophos.

Then I think there's an allow line for *.zip. Change the allow to deny and put in some explanatory text in the last 2 fields of the line.
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jclark at SKIDMORE.EDU Mon Feb 9 21:38:15 2004 From: jclark at SKIDMORE.EDU (Jeffrey A. Clark) Date: Thu Jan 12 21:22:23 2006 Subject: Special Characters in stored.XXXXXX.message.txt Message-ID: We are running sendmail Version 8.11.7+Sun on a Solaris 8 V880, MailScanner-4.25-14. and perl, v5.6.1 built for sun4-solaris. I am trying to include an e-mail address in the body of the stored.virus.message.txt and stored.filename.message.txt. When I include the '@' symbol in the text line, the whole line does not print. I have tried escaping the @ with the \ but it doesn't send the errant line. examples tried: Please forward this message to the helpdesk (helpdesk@skidmore.edu) for recovery of your attachment. and Please forward this message to the helpdesk (helpdesk\@skidmore.edu) for recovery of your attachment. The only way I was able to have the line print was to use: Please forward this message to the helpdesk (helpdesk skidmore.edu) for recovery of your attachment. leaving a blank where the @ symbol should be. I know, a stupid question, but any help would be appreciated. Jeff -- Jeffrey A. Clark Associate Director, CITS Director, Enterprise Systems Skidmore College 815 North Broadway Saratoga Springs, NY 12866-1632 From sysadmins at ENHTECH.COM Mon Feb 9 21:58:40 2004 
From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:23 2006 Subject: 200,000 downloads of MailScanner In-Reply-To: <40243187.9070008@pixelmagicfx.com> References: <6.0.1.1.2.20040203134736.07c3d298@imap.ecs.soton.ac.uk> <40243187.9070008@pixelmagicfx.com> Message-ID: <6.0.2.0.0.20040209165739.0261d490@mail.enhtech.com> At 07:29 PM 2/6/2004, you wrote: >Julian Field wrote: > >> >>Many thanks to all of you for helping to spread the word and make my >>little >>bit of code possibly the most widely-used combined email virus scanner >>and >>spam detector in the world. > >Many thanks? I think that's OUR line! :) > >Impressive. > > >Vic >Pixel Magic I second that. Julian, thank you. It always amazes me how the Open Source community puts out this great software. You just got to love it. Thanks a million. Errol Neal From walkera-mailscanner at OFB.NET Mon Feb 9 21:28:59 2004 
From: walkera-mailscanner at OFB.NET (Walker Aumann)
Date: Thu Jan 12 21:22:23 2006
Subject: Spam Lists To Reach High Score?
Message-ID: <8021.1076362139@ofb.net>

Hello,

I noticed something odd with a batch of messages coming through and apparently being misclassified. The relevant portions of my MailScanner.conf file are included followed by the mail logs. By my reading of things, this should not have been marked as spam (although it is close). Did I list these things in the wrong place (SpamList instead of SpamDomainList)? Does SpamAssassin count as a list?

Spam List = ORDB-RBL spamhaus.org spamcop.net NJABL SORBS-DNSBL RFC-IGNORANT-BOGUSMX
Spam Domain List =
Spam Lists To Reach High Score = 2

Feb 9 04:04:25 gw-sea sendmail[19313]: i19C4N9E019313: from=, size=102178, class=0, nrcpts=1, msgid=<3.0.32.20040209065640.00e270d8@mail73006.popserver.pop.net>, proto=ESMTP, daemon=MTA, relay=mr4.ash.ops.us.uu.net [198.5.241.89]
Feb 9 04:04:25 gw-sea sendmail[19313]: i19C4N9E019313: to=, delay=00:00:01, mailer=esmtp, pri=30855, stat=queued
Feb 9 04:04:25 gw-sea MailScanner[18326]: New Batch: Scanning 1 messages, 102700 bytes
Feb 9 04:04:25 gw-sea MailScanner[18326]: Saved archive copies of i19C4N9E019313
Feb 9 04:04:25 gw-sea MailScanner[18326]: Spam Checks: Starting
Feb 9 04:04:26 gw-sea MailScanner[18326]: RBL checks: i19C4N9E019313 found in SORBS-DNSBL
Feb 9 04:04:27 gw-sea MailScanner[18326]: Message i19C4N9E019313 from 198.5.241.89 (isigrp@isigrp.com) to fiduciary-asset.com is spam, SORBS-DNSBL, SpamAssassin (score=4.637, required 5, BAYES_00 -0.00, MIME_MISSING_BOUNDARY 1.84, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_SMTP 2.70)
Feb 9 04:04:27 gw-sea MailScanner[18326]: Spam Checks: Found 1 spam messages
Feb 9 04:04:27 gw-sea MailScanner[18326]: Spam Actions: message i19C4N9E019313 actions are deliver
Feb 9 04:04:27 gw-sea MailScanner[18326]: Virus and Content Scanning: Starting
Feb 9 04:04:33 gw-sea MailScanner[18326]: Uninfected: Delivered 1 messages
From mailscanner at ecs.soton.ac.uk Mon Feb 9 22:17:35 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:23 2006 Subject: Spam Lists To Reach High Score? In-Reply-To: <8021.1076362139@ofb.net> References: <8021.1076362139@ofb.net> Message-ID: <6.0.3.0.2.20040209221714.03aa5e30@imap.ecs.soton.ac.uk> The message was found in SORBS-DNSBL and is therefore marked as spam. What's the problem? At 21:28 09/02/2004, you wrote: >Hello, > >I noticed something odd with a batch of messages coming through and >apparently being misclassified. The relevant portions of my >MailScanner.conf file are included followed by the mail logs. By my >reading of things, this should not have been marked as spam (although it >is close). Did I list these things in the wrong place (SpamList instead >of SpamDomainList)? Does SpamAssassin count as a list? > >Spam List = ORDB-RBL spamhaus.org spamcop.net NJABL SORBS-DNSBL >RFC-IGNORANT-BOGUSMX >Spam Domain List = >Spam Lists To Reach High Score = 2 > >Feb 9 04:04:25 gw-sea sendmail[19313]: i19C4N9E019313: >from=, size=102178, class=0, nrcpts=1, >msgid=<3.0.32.20040209065640.00e270d8@mail73006.popserver.pop.net>, >proto=ESMTP, daemon=MTA, relay=mr4.ash.ops.us.uu.net [198.5.241.89] >Feb 9 04:04:25 gw-sea sendmail[19313]: i19C4N9E019313: >to=, delay=00:00:01, mailer=esmtp, >pri=30855, stat=queued >Feb 9 04:04:25 gw-sea MailScanner[18326]: New Batch: Scanning 1 messages, >102700 bytes >Feb 9 04:04:25 gw-sea MailScanner[18326]: Saved archive copies of >i19C4N9E019313 >Feb 9 04:04:25 gw-sea MailScanner[18326]: Spam Checks: Starting >Feb 9 04:04:26 gw-sea MailScanner[18326]: RBL checks: i19C4N9E019313 >found in SORBS-DNSBL >Feb 9 04:04:27 gw-sea MailScanner[18326]: Message i19C4N9E019313 from >198.5.241.89 (isigrp@isigrp.com) to fiduciary-asset.com is spam, >SORBS-DNSBL, SpamAssassin (score=4.637, required 5, BAYES_00 -0.00, >MIME_MISSING_BOUNDARY 1.84, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_SMTP 2.70) >Feb 9 04:04:27 gw-sea MailScanner[18326]: Spam Checks: Found 1 spam messages >Feb 9 
04:04:27 gw-sea MailScanner[18326]: Spam Actions: message >i19C4N9E019313 actions are deliver >Feb 9 04:04:27 gw-sea MailScanner[18326]: Virus and Content Scanning: >Starting >Feb 9 04:04:33 gw-sea MailScanner[18326]: Uninfected: Delivered 1 messages -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From walkera-mailscanner at OFB.NET Mon Feb 9 23:29:43 2004 From: walkera-mailscanner at OFB.NET (Walker Aumann) Date: Thu Jan 12 21:22:23 2006 Subject: Spam Lists To Reach High Score? In-Reply-To: Your message of "Mon, 09 Feb 2004 22:17:35 GMT." <6.0.3.0.2.20040209221714.03aa5e30@imap.ecs.soton.ac.uk> Message-ID: <25391.1076369383@ofb.net> Julian Field wrote: > The message was found in SORBS-DNSBL and is therefore marked as spam. > What's the problem? > >Spam Lists To Reach High Score = 2 My impression was that, because of this entry, it needed to be found in two lists, not just one. This is probably a misunderstanding on my part, so being on one list marks the message as spam while two lists marks the message as high scoring spam for people who have a different action for high scoring spam. What I was hoping for was a way to have three tiers of spam lists. The most trusted ones are configured into sendmail, so the connection is dropped immediately and MailScanner never sees it. For the second level, which I was trying to do here, mail is blocked only if it is found in multiple lists (to allow administrators to give some weight to what they might consider to be overly aggressive blacklists). Finally, if a message makes it past those checks, SpamAssassin will still assign points to the message based on what lists it was found in. From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 10 00:09:33 2004 
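Added example, not part of any post and not MailScanner's own code: a Python triage of "is spam" log lines like the one quoted in this thread, separating messages that a blacklist alone decided from those SpamAssassin decided, and applying "Spam Lists To Reach High Score" as a list-count threshold. The second and third log lines, their 192.0.2.x relays and example.* names are constructed, and the layout of a line naming more than one list is an assumption.

```python
import re
from collections import Counter

# First line is the one quoted in the thread; the next two are constructed.
SAMPLE_LOG = """\
Feb 9 04:04:27 gw-sea MailScanner[18326]: Message i19C4N9E019313 from 198.5.241.89 (isigrp@isigrp.com) to fiduciary-asset.com is spam, SORBS-DNSBL, SpamAssassin (score=4.637, required 5, BAYES_00 -0.00, MIME_MISSING_BOUNDARY 1.84, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_SMTP 2.70)
Feb 9 04:10:02 gw-sea MailScanner[18326]: Message CONSTRUCTED0002 from 192.0.2.10 (a@example.net) to example.org is spam, spamcop.net, SORBS-DNSBL, SpamAssassin (score=3.100, required 5, RCVD_IN_SORBS 0.10)
Feb 9 04:12:40 gw-sea MailScanner[18326]: Message CONSTRUCTED0003 from 192.0.2.11 (b@example.net) to example.org is spam, SpamAssassin (score=7.200, required 5, MIME_MISSING_BOUNDARY 1.84)
Feb 9 04:12:41 gw-sea MailScanner[18326]: Spam Checks: Found 1 spam messages
"""

LINE_RE = re.compile(
    r"Message (?P<id>\S+) from (?P<ip>\S+) \((?P<sender>[^)]*)\) "
    r"to (?P<to>\S+) is spam, (?P<why>.*)$")
SA_RE = re.compile(
    r"SpamAssassin \(score=(?P<score>-?[\d.]+), required (?P<req>-?[\d.]+)")


def parse_spam_line(line):
    """Return a dict for an 'is spam' line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    why = m.group("why")
    sa = SA_RE.search(why)
    # Everything before the SpamAssassin report is a comma-separated list
    # of the blacklists that matched.
    list_part = why[:sa.start()] if sa else why
    lists = [name.strip() for name in list_part.split(",") if name.strip()]
    return {
        "id": m.group("id"),
        "relay": m.group("ip"),
        "lists": lists,
        "score": float(sa.group("score")) if sa else None,
        "required": float(sa.group("req")) if sa else None,
    }


def explain(rec, lists_to_reach_high=2):
    """Return (tier, decided_by). Only the list-count tier discussed in the
    thread is modelled: one list means spam, the configured number of lists
    means high-scoring spam."""
    n = len(rec["lists"])
    sa_hit = rec["score"] is not None and rec["score"] >= rec["required"]
    tier = "high-scoring spam" if n >= lists_to_reach_high else "spam"
    if n and not sa_hit:
        decided_by = "lists only"
    elif sa_hit and not n:
        decided_by = "SpamAssassin only"
    elif n and sa_hit:
        decided_by = "both"
    else:
        decided_by = "unknown"
    return tier, decided_by


def triage(log_text, lists_to_reach_high=2):
    """One (id, tier, decided_by, lists) row per 'is spam' line."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_spam_line(line)
        if rec:
            tier, decided_by = explain(rec, lists_to_reach_high)
            rows.append((rec["id"], tier, decided_by, rec["lists"]))
    return rows


def single_list_decisions(rows):
    """Count, per blacklist, the messages that one list alone marked as spam
    while SpamAssassin stayed under its threshold."""
    counts = Counter()
    for _id, _tier, decided_by, lists in rows:
        if decided_by == "lists only" and len(lists) == 1:
            counts[lists[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for row in rows:
        print("%-16s %-18s %-18s %s" % row)
    print("decided by a single list:", single_list_decisions(rows))
```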
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:23 2006 Subject: f-secure version 4.52 Message-ID: <08146035CA49D6119A36009027AC822A0264EDE9@CITY-EXCH-NTS> >-----Original Message----- >Please apply this patch to >/usr/lib/MailScanner/MailScanner/SweepViruses.pm >It comes down to a 1 character change to the code :-) > >------SNIP------- >--- SweepViruses.pm.old 2003-12-01 16:26:26.000000000 +0000 >+++ SweepViruses.pm 2004-02-07 11:37:34.000000000 +0000 >@@ -1585,7 +1585,10 @@ > $fsecure_InHeader++; > return 0; > } >- $fsecure_InHeader == 0 or return 0; >+ # This test is more vague than it used to be, but is more >tolerant to >+ # output changes such as extra headers. Scanning >non-scanning data is >+ # not a great idea but causes no harm. >+ $fsecure_InHeader >= 0 or return 0; > > $report = $line; > $logout = $line; >------SNIP------- Just to cover my bases: anybody running 4.52 should apply this? And to apply it I copied the stuff between the snips to SweepViruses.pm.old and should now do: patch SweepViruses.pm SweepViruses.pm.old from within /usr/lib/MailScanner/MailScanner/ Thanks... ...Kevin From c.bates at COMNET.CO.NZ Tue Feb 10 00:38:01 2004 From: c.bates at COMNET.CO.NZ (Craig Bates) Date: Thu Jan 12 21:22:23 2006 Subject: per domain / user Rules Message-ID: <402827E9.7000605@comnet.co.nz> Hi, When using the per domain and per user black and white lists, which takes preference? Say I have a file called foo.bar in the per domain blacklist directory and in that file I have *@chickclick.com. Then I have a file called bob@foo.com in the whitelist directory that says *@chickclick.com. Which ones takes preference? Is the rule behaviour explained somewhere? It would be nice if there was a faciltity where Mailscanner could dump out all its rules and if you could pass an email address to mailscanner and it would print out which rules match it and what the results are. Thanks Craig From kcchang at HKUSUA.HKU.HK Tue Feb 10 01:23:29 2004 
From: kcchang at HKUSUA.HKU.HK (Chang Kai Cheong) Date: Thu Jan 12 21:22:23 2006 Subject: mailscanner (Solaris 2.6) Could not open file In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AE9B@pascal.priv.bmrb.co.uk> Message-ID: On Mon, 9 Feb 2004, Spicer, Kevin wrote: > > Its probably been tipped over the edge by the MyDoom virus. IIRC these limits > apply to processes and their children, so... > > 5 mailscanner processes * 100 message batches * 2 queue files per message = 1000 files > Then we've got the output header files (another 500 files), then any attachments/ bodies > being scanned (say 2 parts per message maybe another 1000). And thats before Spamassassin, > file command etc.etc. Okay I admit that maybe all of these aren't open at the same time - > but you can see how quickly they can be used up when the server is busy. > > The very fact that taking the messages out of the queue clears the problem suggests it is a > symptom of the number of files involved. > Actually, I suspected it was file descriptor problem and hence I lowered the number of child from 10 to 5, max. message per scan from 100 to 80 and increase the file descriptors as my first step. However, I was confused by why MailScanner cannot restart successfully. The first (and subsequent) child process would get the "Cannot create + lock headers file" at retart of MailScanner. I don't think the file descriptors would be used up immediately upon the restart of MailScanner (no message files should have been opened yet). I will try further up the number of file descriptor to observe whether the problem was still observed. Thanks, KC Chang From pete at eatathome.com.au Tue Feb 10 03:37:41 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:23 2006 Subject: A Good Test Email Message-ID: <40285205.4050701@eatathome.com.au> I was wondering if anyone has a favorite test email to trigger the bigevil and backhair rule sets - something that is specifically bad content for tripping these rules, rather than hvaing poor originating sources etc... If so cpould you post the body and subject to the list? Specifically i want to see the bigevil and backhair rules working. ta Pete From mailscanner at ecs.soton.ac.uk Tue Feb 10 09:48:33 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:23 2006 Subject: per domain / user Rules In-Reply-To: <402827E9.7000605@comnet.co.nz> References: <402827E9.7000605@comnet.co.nz> Message-ID: <6.0.3.0.2.20040210094752.03e156d0@imap.ecs.soton.ac.uk> I seem to remember that whitelisting overrides blacklisting. At 00:38 10/02/2004, you wrote: >Hi, > >When using the per domain and per user black and white lists, which >takes preference? > >Say I have a file called foo.bar in the per domain blacklist directory >and in that file I have *@chickclick.com. Then I have a file called >bob@foo.com in the whitelist directory that says *@chickclick.com. >Which ones takes preference? > >Is the rule behaviour explained somewhere? > >It would be nice if there was a faciltity where Mailscanner could dump >out all its rules and if you could pass an email address to mailscanner >and it would print out which rules match it and what the results are. Nice idea. One of these sunny days.... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 10 09:47:42 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:23 2006 Subject: f-secure version 4.52 In-Reply-To: <08146035CA49D6119A36009027AC822A0264EDE9@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264EDE9@CITY-EXCH-NTS> Message-ID: <6.0.3.0.2.20040210094651.03cbc670@imap.ecs.soton.ac.uk> At 00:09 10/02/2004, you wrote: > >-----Original Message----- > >Please apply this patch to > >/usr/lib/MailScanner/MailScanner/SweepViruses.pm > >It comes down to a 1 character change to the code :-) > > > >------SNIP------- > >--- SweepViruses.pm.old 2003-12-01 16:26:26.000000000 +0000 > >+++ SweepViruses.pm 2004-02-07 11:37:34.000000000 +0000 > >@@ -1585,7 +1585,10 @@ > > $fsecure_InHeader++; > > return 0; > > } > >- $fsecure_InHeader == 0 or return 0; > >+ # This test is more vague than it used to be, but is more > >tolerant to > >+ # output changes such as extra headers. Scanning > >non-scanning data is > >+ # not a great idea but causes no harm. > >+ $fsecure_InHeader >= 0 or return 0; > > > > $report = $line; > > $logout = $line; > >------SNIP------- > > >Just to cover my bases: anybody running 4.52 should apply this? > >And to apply it I copied the stuff between the snips to SweepViruses.pm.old >and should now do: No. Save the bit between the snips to a file (let's call it SV.patch for now). cd /usr/lib/MailScanner/MailScanner patch < SV.patch If that doesn't work, try patch -p0 < SV.patch instead. > patch SweepViruses.pm SweepViruses.pm.old > >from within /usr/lib/MailScanner/MailScanner/ > >Thanks... > >...Kevin -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 10 09:46:24 2004 
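Review bot: The relaxed test "$fsecure_InHeader >= 0 or return 0;" no longer separates scan results from extra header output, so every line seen once the counter is non-negative falls through to "$report = $line;". The added comment concedes that scanning non-scanning data is not a great idea, but it does not say which f-secure output change prompted the relaxation or why the extra lines cause no harm. Suggest naming the scanner version in the comment (this thread concerns 4.52) and, instead of loosening the counter test, recognising a report line by its content, so that a further change to the header layout cannot feed header text into $report and $logout.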
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:24 2006 Subject: Spam Lists To Reach High Score? In-Reply-To: <25391.1076369383@ofb.net> References: <25391.1076369383@ofb.net> Message-ID: <6.0.3.0.2.20040210094424.03e1fc68@imap.ecs.soton.ac.uk> At 23:29 09/02/2004, you wrote: >Julian Field wrote: > > The message was found in SORBS-DNSBL and is therefore marked as spam. > > What's the problem? > > > >Spam Lists To Reach High Score = 2 > >My impression was that, because of this entry, it needed to be found >in two lists, not just one. It needs to be on 2 lists to "reach high score". If on 1 list, it will still be treated as spam, but as normal spam (as opposed to high-scoring spam). > This is probably a misunderstanding on my >part, so being on one list marks the message as spam while two lists >marks the message as high scoring spam for people who have a different >action for high scoring spam. Correct. >What I was hoping for was a way to have three tiers of spam lists. >The most trusted ones are configured into sendmail, so the connection >is dropped immediately and MailScanner never sees it. For the second >level, which I was trying to do here, mail is blocked only if it is >found in multiple lists (to allow administrators to give some weight >to what they might consider to be overly aggressive blacklists). >Finally, if a message makes it past those checks, SpamAssassin will >still assign points to the message based on what lists it was found >in. If you need more than 2 tiers, then you will have to implement something of your own using "Custom Functions". Long ago, I came to the conclusion (after much discussion on this list) that 2 tiers was enough for 99.9% of people, and the other 0.1% would always want more tiers than I implemented. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From DERMODYR at ITCARLOW.IE Tue Feb 10 10:04:30 2004 From: DERMODYR at ITCARLOW.IE (Ray Dermody) Date: Thu Jan 12 21:22:24 2006 Subject: Spamassassin problems in mailscanner.conf file Message-ID: <4028ACAD.11317.39DF73D@localhost> Hi Guys, I have succesfully installed mailscanner and its working great (picking up viruses, tagging, quarantining etc etc). I just have 1 problem that's being doing my head in. Its when I change the "Use SpamAssassin = yes" on the mailscanner.conf file. When I do this all my emails remain stuck in te mqueue.in file and go no further. Once I set this option back to no and restart mailscanner everything works great again. Heres what I did to install Spamassassin 2.63. 1 ) I downloaded spamassassin-2.63-1.i386.rpm 2) rpm -U spamassassin-2.63.1.i386.rpm But then this message appears warning: spamassassin-2.63-1.i386.rpm: V3 DSA signature: NOKEY, key ID e580b363 A rpm -q spam* gives package spamassassin-2.63-1.i386.rpm is not installed Any ideas people or would I be better using the tar bundle? Thanks in advance, From raymond at PROLOCATION.NET Tue Feb 10 10:16:41 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:24 2006 Subject: Spamassassin problems in mailscanner.conf file In-Reply-To: <4028ACAD.11317.39DF73D@localhost> Message-ID: Hi! > 2) rpm -U spamassassin-2.63.1.i386.rpm > But then this message appears > warning: spamassassin-2.63-1.i386.rpm: V3 DSA signature: NOKEY, key ID e580b363 > > A rpm -q spam* gives > package spamassassin-2.63-1.i386.rpm is not installed > > Any ideas people or would I be better using the tar bundle? Yes, this is pointed out several times, please have a look on the mailinglist archives. Bye, Raymond. From martinh at SOLID-STATE-LOGIC.COM Tue Feb 10 10:24:38 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:24 2006 Subject: Spamassassin problems in mailscanner.conf file In-Reply-To: <4028ACAD.11317.39DF73D@localhost> References: <4028ACAD.11317.39DF73D@localhost> Message-ID: <4028B166.9060401@solid-state-logic.com> Ray Dermody wrote: > Hi Guys, > I have succesfully installed mailscanner and its working great (picking up viruses, > tagging, quarantining etc etc). I just have 1 problem that's being doing my head in. Its > when I change the "Use SpamAssassin = yes" on the mailscanner.conf file. When I do > this all my emails remain stuck in te mqueue.in file and go no further. Once I set this > option back to no and restart mailscanner everything works great again. > Heres what I did to install Spamassassin 2.63. > 1 ) I downloaded spamassassin-2.63-1.i386.rpm > 2) rpm -U spamassassin-2.63.1.i386.rpm > But then this message appears > warning: spamassassin-2.63-1.i386.rpm: V3 DSA signature: NOKEY, key ID e580b363 > > A rpm -q spam* gives > package spamassassin-2.63-1.i386.rpm is not installed > > Any ideas people or would I be better using the tar bundle? > > Thanks in advance, Ray Install from CPAN, much better and will do the dependencies for you. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From DERMODYR at ITCARLOW.IE Tue Feb 10 10:38:10 2004 
From: DERMODYR at ITCARLOW.IE (Ray Dermody) Date: Thu Jan 12 21:22:24 2006 Subject: Spamassassin problems in mailscanner.conf file In-Reply-To: <4028ACAD.11317.39DF73D@localhost> Message-ID: <4028B491.14069.3BCC980@localhost> Argh.... Thanks for the replies guys. Using CPAN now but I get this now Writing Makefile for Mail::SpamAssassin Makefile written by ExtUtils::MakeMaker 6.05 Makefile:94: *** missing separator. Stop. /usr/bin/make -- NOT OK Running make test Can't test without successful make Running make install make had returned bad status, install seems impossible Looks like theres a prob with this, according to bugzilla anyway https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=87682 No recommended resolution there though. On 10 Feb 2004 at 10:04, Ray Dermody wrote: > Hi Guys, > I have succesfully installed mailscanner and its working great (picking up viruses, > tagging, quarantining etc etc). I just have 1 problem that's being doing my head in. Its > when I change the "Use SpamAssassin = yes" on the mailscanner.conf file. When I do > this all my emails remain stuck in te mqueue.in file and go no further. Once I set this > option back to no and restart mailscanner everything works great again. > Heres what I did to install Spamassassin 2.63. > 1 ) I downloaded spamassassin-2.63-1.i386.rpm > 2) rpm -U spamassassin-2.63.1.i386.rpm > But then this message appears > warning: spamassassin-2.63-1.i386.rpm: V3 DSA signature: NOKEY, key ID e580b363 > > A rpm -q spam* gives > package spamassassin-2.63-1.i386.rpm is not installed > > Any ideas people or would I be better using the tar bundle? > > Thanks in advance, From martinh at SOLID-STATE-LOGIC.COM Tue Feb 10 10:42:11 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:24 2006
Subject: Sophos missed MyDoom-A bounced msg
In-Reply-To: <6.0.1.1.2.20040209201007.02cffec0@imap.ecs.soton.ac.uk>
References: <1076347941@otherbbs.com> <4027C56F.2010103@solid-state-logic.com> <6.0.1.1.2.20040209201007.02cffec0@imap.ecs.soton.ac.uk>
Message-ID: <4028B583.1090709@solid-state-logic.com>

Julian Field wrote:
> At 17:37 09/02/2004, you wrote:
>
>> Travis Taylor wrote:
>>
>>>> Travis,
>>>>
>>>> We have the same situation here. Right now, I am trying to retrieve
>>>> the Symantec quarantined documents, and will be sending them to Sophos.
>>>>
>>>> I would suggest sending them yours, also.
>>>>
>>>> Dustin
>>>> --
>>>> Dustin Baer
>>>> Unix Administrator/Postmaster
>>>> Information Handling Services
>>>> 15 Inverness Way East
>>>> Englewood, CO 80112
>>>> 303-397-2836
>>>
>>>
>>>
>>> I'm in the process of sending it to sophos now, Dustin.
>>>
>>> On a side note, I decided to send the quarantined message as an
>>> attachment to myself and MailScanner/Sophos caught it. Though when I
>>> pasted the infected bounced message in the body of a message and sent
>>> it to myself it slipped through without being detected. I'm wondering
>>> if this has something to do with how the message is encoded (mime,
>>> uuencode, etc).
>>>
>>
>> This is a known issue with MailScanner and specifically one of the Perl
>> modules it uses.
>>
>> From memory Julian asked for anyone with such an email to forward it
>> direct to him (not the list) so he can investigate the problem.
>>
>> I hope Julian doesn't shoot me getting people to send him viruses.
>>
>> You might want to email him before hand to warn him an example is on the
>> way!
>
>
> We have seen some cases where Sophos with MailScanner failed to spot a
> MyDoom. But F-Prot on the same system (running as a secondary scanner)
> spotted the virus just fine. So somehow Sophos is missing it when F-Prot is
> finding it.

Julian

I've seen, very early in the outbreak, ClamAV (NOT using the module
version) and SophosSavi both miss one.

No reports other than that single item..

Anyway I'm upgrading to 3.78d as I type so we'll see I guess..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From raymond at PROLOCATION.NET Tue Feb 10 10:52:08 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:24 2006
Subject: Spamassassin problems in mailscanner.conf file
In-Reply-To: <4028B491.14069.3BCC980@localhost>
Message-ID:

Hi!

> Thanks for the replies guys. Using CPAN now but I get this now
>
> Writing Makefile for Mail::SpamAssassin
> Makefile written by ExtUtils::MakeMaker 6.05
> Makefile:94: *** missing separator. Stop.
> /usr/bin/make -- NOT OK
> Running make test

What about installing a compiler? It can't find that.

Bye,
Raymond.

From martinh at SOLID-STATE-LOGIC.COM Tue Feb 10 11:09:21 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:24 2006
Subject: Spamassassin problems in mailscanner.conf file
In-Reply-To: <4028B491.14069.3BCC980@localhost>
References: <4028B491.14069.3BCC980@localhost>
Message-ID: <4028BBE1.6010003@solid-state-logic.com>

Ray Dermody wrote:
> Argh....
> Thanks for the replies guys. Using CPAN now but I get this now
>
> Writing Makefile for Mail::SpamAssassin
> Makefile written by ExtUtils::MakeMaker 6.05
> Makefile:94: *** missing separator. Stop.
> /usr/bin/make -- NOT OK
> Running make test
> Can't test without successful make
> Running make install
> make had returned bad status, install seems impossible
>
>
> Looks like there's a prob with this, according to bugzilla anyway
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=87682
>
> No recommended resolution there though.
>

Ray

from the comments on the bug....

OK, works with LANG=en_US, but not with LANG unset.

try setting the LANG environment variable..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From DERMODYR at ITCARLOW.IE Tue Feb 10 11:20:07 2004
From: DERMODYR at ITCARLOW.IE (Ray Dermody)
Date: Thu Jan 12 21:22:24 2006
Subject: Spamassassin problems in mailscanner.conf file
In-Reply-To: <4028B491.14069.3BCC980@localhost>
References: <4028ACAD.11317.39DF73D@localhost>
Message-ID: <4028BE66.22902.3E33243@localhost>

That's it guys. Got there, changed the $LANG and reran CPAN. Restarted
mailscanner and changed "Use SpamAssassin" to yes and we are all good to go.
Thanks for your help guys ;-)

On 10 Feb 2004 at 10:38, Ray Dermody wrote:

> Argh....
> Thanks for the replies guys. Using CPAN now but I get this now
>
> Writing Makefile for Mail::SpamAssassin
> Makefile written by ExtUtils::MakeMaker 6.05
> Makefile:94: *** missing separator. Stop.
> /usr/bin/make -- NOT OK
> Running make test
> Can't test without successful make
> Running make install
> make had returned bad status, install seems impossible
>
>
> Looks like there's a prob with this, according to bugzilla anyway
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=87682
>
> No recommended resolution there though.
>
>
> On 10 Feb 2004 at 10:04, Ray Dermody wrote:
>
> > Hi Guys,
> > I have successfully installed mailscanner and it's working great (picking up viruses,
> > tagging, quarantining etc etc). I just have 1 problem that's been doing my head in. It's
> > when I change the "Use SpamAssassin = yes" on the mailscanner.conf file. When I do
> > this all my emails remain stuck in the mqueue.in file and go no further. Once I set this
> > option back to no and restart mailscanner everything works great again.
> > Here's what I did to install Spamassassin 2.63.
> > 1 ) I downloaded spamassassin-2.63-1.i386.rpm
> > 2) rpm -U spamassassin-2.63.1.i386.rpm
> > But then this message appears
> > warning: spamassassin-2.63-1.i386.rpm: V3 DSA signature: NOKEY, key ID e580b363
> >
> > A rpm -q spam* gives
> > package spamassassin-2.63-1.i386.rpm is not installed
> >
> > Any ideas people or would I be better using the tar bundle?
> >
> > Thanks in advance,

From taz at AZTEK-ENG.COM Tue Feb 10 13:38:20 2004
From: taz at AZTEK-ENG.COM (Travis)
Date: Thu Jan 12 21:22:24 2006
Subject: Sophos missed MyDoom-A bounced msg
References: <1076347941@otherbbs.com> <4027C56F.2010103@solid-state-logic.com> <6.0.1.1.2.20040209201007.02cffec0@imap.ecs.soton.ac.uk> <4028B583.1090709@solid-state-logic.com>
Message-ID: <001701c3efdb$28a40520$e90200bf@tazpc>

Will do. Maybe, I should just change to F-prot since it seems to be the
better one.

----- Original Message -----
From: "Martin Hepworth"
To:
Sent: Tuesday, February 10, 2004 3:42 AM
Subject: Re: Sophos missed MyDoom-A bounced msg

> Julian Field wrote:
> > At 17:37 09/02/2004, you wrote:
> >
> >> Travis Taylor wrote:
> >>
> >>>> Travis,
> >>>>
> >>>> We have the same situation here. Right now, I am trying to retrieve
> >>>> the Symantec quarantined documents, and will be sending them to Sophos.
> >>>>
> >>>> I would suggest sending them yours, also.
> >>>>
> >>>> Dustin
> >>>> --
> >>>> Dustin Baer
> >>>> Unix Administrator/Postmaster
> >>>> Information Handling Services
> >>>> 15 Inverness Way East
> >>>> Englewood, CO 80112
> >>>> 303-397-2836
> >>>
> >>>
> >>>
> >>> I'm in the process of sending it to sophos now, Dustin.
> >>>
> >>> On a side note, I decided to send the quarantined message as an
> >>> attachment to myself and MailScanner/Sophos caught it. Though when I
> >>> pasted the infected bounced message in the body of a message and sent
> >>> it to myself it slipped through without being detected. I'm wondering
> >>> if this has something to do with how the message is encoded (mime,
> >>> uuencode, etc).
> >>>
> >>
> >> This is a known issue with MailScanner and specifically one of the Perl
> >> modules it uses.
> >>
> >> From memory Julian asked for anyone with such an email to forward it
> >> direct to him (not the list) so he can investigate the problem.
> >>
> >> I hope Julian doesn't shoot me getting people to send him viruses.
> >>
> >> You might want to email him before hand to warn him an example is on the
> >> way!
> >
> >
> > We have seen some cases where Sophos with MailScanner failed to spot a
> > MyDoom. But F-Prot on the same system (running as a secondary scanner)
> > spotted the virus just fine. So somehow Sophos is missing it when F-Prot is
> > finding it.
>
> Julian
>
> I've seen, very early in the outbreak, ClamAV (NOT using the module
> version) and SophosSavi both miss one.
>
> No reports other than that single item..
>
> Anyway I'm upgrading to 3.78d as I type so we'll see I guess..
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

From m.sapsed at BANGOR.AC.UK Tue Feb 10 13:38:59 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:24 2006
Subject: Sophos missed MyDoom-A bounced msg
References: <1076347941@otherbbs.com>
Message-ID: <4028DEF3.7080703@bangor.ac.uk>

20020401@duh.net wrote:

> On a side note, I decided to send the quarantined message as an
> attachment to myself and MailScanner/Sophos caught it. Though when I
> pasted the infected bounced message in the body of a message and sent
> it to myself it slipped through without being detected. I'm wondering
> if this has something to do with how the message is encoded (mime,
> uuencode, etc).

Someone's already mentioned 3.78d although a MailScanner user in Germany
has contacted me after my message about 3.78d the other day to say that
he's got a problem with Sophos and some MyDooms and 3.78d didn't fix it.

As an aside, looking at the message Travis pasted in, would the payload
actually be identified as an attachment by any reasonable mail program?
I realise that we ought to find everything but if the code isn't readily
useable then how much does it matter that it got through?

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From taz at AZTEK-ENG.COM Tue Feb 10 13:54:08 2004
From: taz at AZTEK-ENG.COM (Travis)
Date: Thu Jan 12 21:22:24 2006
Subject: mailscanner (Solaris 2.6) Could not open file
References:
Message-ID: <002401c3efdd$5e045920$e90200bf@tazpc>

We had a problem with this, but the log said too many files open. Come to
find out that when Solaris 2.6 is installed by default it can only handle
a maximum of 64 descriptors by 1 process at a time. I added the following
to /etc/system and rebooted the machine and the problem cleared up:

set rlim_fd_cur = 1024
set rlim_fd_max = 1024

This sets both the hard and soft limits. I find this just by doing a search
on the web on google for:

I know this is set high, but us it didn't break anything and was recommended
by one of the Sun Managers list.

----- Original Message -----
From: "Chang Kai Cheong"
To:
Sent: Monday, February 09, 2004 6:23 PM
Subject: Re: mailscanner (Solaris 2.6) Could not open file

> On Mon, 9 Feb 2004, Spicer, Kevin wrote:
>
> >
> > It's probably been tipped over the edge by the MyDoom virus. IIRC these limits
> > apply to processes and their children, so...
> >
> > 5 mailscanner processes * 100 message batches * 2 queue files per message = 1000 files
> > Then we've got the output header files (another 500 files), then any attachments/ bodies
> > being scanned (say 2 parts per message maybe another 1000). And that's before Spamassassin,
> > file command etc.etc. Okay I admit that maybe all of these aren't open at the same time -
> > but you can see how quickly they can be used up when the server is busy.
> >
> > The very fact that taking the messages out of the queue clears the problem suggests it is a
> > symptom of the number of files involved.
> >
>
> Actually, I suspected it was file descriptor problem and hence I lowered
> the number of child from 10 to 5, max. message per scan from 100 to 80 and
> increase the file descriptors as my first step.
>
> However, I was confused by why MailScanner cannot restart successfully.
> The first (and subsequent) child process would get the "Cannot create +
> lock headers file" at restart of MailScanner. I don't think the file
> descriptors would be used up immediately upon the restart of MailScanner
> (no message files should have been opened yet).
>
> I will try further up the number of file descriptor to observe whether the
> problem was still observed.
>
> Thanks,
> KC Chang

From Kevin.Spicer at BMRB.CO.UK Tue Feb 10 13:55:59 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:24 2006
Subject: Sophos missed MyDoom-A bounced msg
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A5B@pascal.priv.bmrb.co.uk>

Martin Sapsed wrote:
> 20020401@duh.net wrote:
> As an aside, looking at the message Travis pasted in, would the
> payload actually be identified as an attachment by any reasonable
> mail program? I realise that we ought to find everything but if the
> code isn't readily useable then how much does it matter that it got
> through?
>

This issue is also receiving attention on the clam list.. I think it's
important (reputation wise) to detect everything we can - because some
scanners do match it (Symantec has a signature for the encoded file for
example), this makes it look like MailScanner/Clam/Sophos missed it (which
they did, even though it doesn't really matter). Also just because we can't
unpack it doesn't mean that there isn't a more tolerant MUA out there that
can.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From taz at AZTEK-ENG.COM Tue Feb 10 14:04:15 2004
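The gap discussed in the thread above (a payload pasted into a message body instead of being attached), as an added example that is not from any poster or from MailScanner: a Python check that looks inside non-attachment text parts for uuencoded blocks and base64 runs, so the decoded bytes can be handed to the virus scanner. All function names and the sample bounce are constructed for illustration, and the sample payload is harmless filler.

```python
import base64
import binascii
import email
import re
from email import policy
from email.message import EmailMessage

UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S.*)$")
B64_FULL = re.compile(r"^[A-Za-z0-9+/]{40,76}$")  # one full-width base64 line
B64_TAIL = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # shorter, possibly padded, last line


def extract_uuencoded(text):
    """Return (filename, data) for each uuencoded block found in plain text."""
    found, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        begin = UU_BEGIN.match(lines[i])
        i += 1
        if not begin:
            continue
        data = bytearray()
        while i < len(lines):
            line = lines[i]
            i += 1
            if line.strip() == "end":
                break
            if not line.strip():
                continue  # never feed a2b_uu an empty line
            try:
                data += binascii.a2b_uu(line)
            except ValueError:  # binascii.Error, or non-ASCII text
                break  # damaged block: keep what decoded so far
        found.append((begin.group(1).strip(), bytes(data)))
    return found


def extract_base64_runs(text, min_lines=3):
    """Return decoded bytes for each run of at least min_lines base64 lines."""
    found, run = [], []

    def flush():
        if len(run) >= min_lines:
            try:
                found.append(base64.b64decode("".join(run), validate=True))
            except binascii.Error:
                pass  # looked like base64 but did not decode
        run.clear()

    for raw in text.splitlines():
        s = raw.strip()
        full = bool(B64_FULL.match(s)) and len(s) % 4 == 0
        if full and (not run or len(s) == len(run[0])):
            run.append(s)  # another full-width line
        elif run and B64_TAIL.match(s) and len(s) < len(run[0]) and len(s) % 4 == 0:
            run.append(s)  # a shorter last line closes the run
            flush()
        else:
            flush()
            if full:
                run.append(s)
    flush()
    return found


def declared_attachments(raw_message):
    """Filenames that a walk of the MIME structure alone would find."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()]


def find_inline_payloads(raw_message):
    """Return (kind, name, data) for encoded blobs inside non-attachment text parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        text = part.get_content()
        for name, data in extract_uuencoded(text):
            findings.append(("uuencode", name, data))
        for data in extract_base64_runs(text):
            findings.append(("base64", None, data))
    return findings


def build_sample_bounce():
    """Constructed sample: a bounce whose text body carries two encoded copies."""
    payload = b"HARMLESS-TEST-PAYLOAD " * 12  # filler bytes, not malware
    uu = [binascii.b2a_uu(payload[i:i + 45], backtick=True).decode().rstrip("\n")
          for i in range(0, len(payload), 45)]
    body = "\n".join(["Delivery failed. Original message follows.", "",
                      "begin 644 document.zip", *uu, "`", "end", "",
                      "Second copy:", "", base64.encodebytes(payload).decode()])
    msg = EmailMessage()
    msg["From"] = "mailer-daemon@example.org"
    msg.set_content(body)
    return msg.as_bytes(), payload


if __name__ == "__main__":
    print([(k, n, len(d)) for k, n, d in find_inline_payloads(build_sample_bounce()[0])])
```

The sample has no declared attachment at all, yet both encoded copies are recovered from the body text; each recovered blob is what would need to be written to the scan directory.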
From: taz at AZTEK-ENG.COM (Travis)
Date: Thu Jan 12 21:22:24 2006
Subject: sendmail error after trying to start mailscanner
References: <000001c3ec18$b6ff22d0$e90200bf@tazpc> <1076007629.22416.16.camel@bach.kevinspicer.co.uk>
Message-ID: <00a101c3efde$c7c26590$e90200bf@tazpc>

That fixed that problem. Sorry, I didn't respond quicker I have been working
on other issues and only have two days a week to work on this now.

----- Original Message -----
From: "Kevin Spicer"
To:
Sent: Thursday, February 05, 2004 12:00 PM
Subject: Re: sendmail error after trying to start mailscanner

> On Thu, 2004-02-05 at 18:48, Travis Zadikem wrote:
> > Quick question on a Mandrake 9.1 install. I have downloaded the rpm of
> > MailScanner 4.26.8-1 and after stopping sendmail and starting
> > Mailscanner I was getting an error about the Module CIDR.pm. So, I
> > installed that module. Now when I try to start MailScanner I get the
> > following error (with sendmail stopped): incoming sendmail: sendmail:
> >
> > invalid option -- O
> > sendmail: fatal: usage: sendmail [options]
> >
> > where can I fix this problem at.
> >
>
> Absurd as it sounds I think your problem is that you actually have
> postfix installed, not sendmail! The error message above is in the
> format postfix uses for reporting errors, sendmail looks different
>
> Mandrake uses Debian's 'alternatives' system, which means that sendmail
> is a symlink to /etc/alternatives/mta - which in turn is a symlink to
> whichever mta you have installed.
>
> so either configure mailscanner/postfix to work together or, if you have
> already installed sendmail use the update-alternatives command to change
> the configuration.
> If sendmail isn't installed...
>
> rpm -e postfix
> rpm -i sendmail
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
From martinh at SOLID-STATE-LOGIC.COM Tue Feb 10 14:27:28 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:24 2006
Subject: mailscanner (Solaris 2.6) Could not open file
In-Reply-To: <002401c3efdd$5e045920$e90200bf@tazpc>
References: <002401c3efdd$5e045920$e90200bf@tazpc>
Message-ID: <4028EA50.6020403@solid-state-logic.com>

Travis wrote:
> We had a problem with this, but the log said too many files open. Come to
> find out that when Solaris 2.6
> is installed by default it can only handle a maximum of 64 descriptors by 1
> process at a time. I added the following to /etc/system and rebooted the
> machine and the problem cleared up:
> set rlim_fd_cur = 1024
> set rlim_fd_max = 1024
> This sets both the hard and soft limits. I find this just by doing a search
> on the web on google for:
> I know this is set high, but us it didn't break anything and was recommended
> by one of the Sun Managers list.
>

Wouldn't say it's high. Solaris 7 and later sets this by default to be
amount of ram in MB up to 4096. I've seen quite a few systems well over
that.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 10 14:58:10 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:24 2006
Subject: Can't run unzip
Message-ID:

Hi guys,

never noticed this before:

2004-02-10T15:51:31+0100 dns mail.warning MailScanner MailScanner[26580]: ERROR: Can\'t run unzip
2004-02-10T15:51:31+0100 dns mail.warning MailScanner MailScanner[26580]: ERROR: Can\'t execute some unpacker. Check paths and permissions on the temporary directory.

Any hints? Unzip is installed and works on the box.

Regards,
JP

From Kevin.Spicer at BMRB.CO.UK Tue Feb 10 15:07:59 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:24 2006
Subject: Can't run unzip
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk>

Jan-Peter Koopmann wrote:
> Hi guys,
>
> never noticed this before:
>
> 2004-02-10T15:51:31+0100 dns mail.warning MailScanner
> MailScanner[26580]: ERROR: Can\'t run unzip
> 2004-02-10T15:51:31+0100 dns mail.warning MailScanner
> MailScanner[26580]: ERROR: Can\'t execute some unpacker. Check paths
> and permissions on the temporary directory.
>
>
> Any hints? Unzip is installed and works on the box.
>

If you're using an MTA that drops privilege, so MailScanner is running as a
user other than root, it's possible your environment may set a temp
directory in /root/tmp. You need to unset this variable (TMPDIR?) in the
MailScanner init script.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From sysadmins at ENHTECH.COM Tue Feb 10 15:48:10 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk>
Message-ID: <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com>

Hi-

I don't know if this question has been asked before. If it has, please
forgive me.
Is there a way to include the original headers in a virus or spam warning
report?
If so, how do I do that.

Regards,

Errol Neal.

From dustin.baer at IHS.COM Tue Feb 10 15:58:29 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com>
Message-ID: <4028FFA5.9290C3BB@ihs.com>

Admin Team wrote:
>
> Hi-
>
> I don't know if this question has been asked before. If it has, please
> forgive me.
> Is there a way to include the original headers in a virus or spam warning
> report?
> If so, how do I do that.

The report to postmaster: Notices Include Full Headers = yes

The report to the recipient is the original email with the report added,
so a person should just need to expand the headers in the email.

Dustin

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Feb 10 16:00:46 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com>
Message-ID: <006401c3efef$0b3aa200$0501a8c0@darkside>

>I don't know if this question has been asked before. If it has, please
>forgive me.
>Is there a way to include the original headers in a virus or
>spam warning
>report?
>If so, how do I do that.

Set:

Notices Include Full Headers = yes

in your Mailscanner.conf

HTH,

--J(K)

From sysadmins at ENHTECH.COM Tue Feb 10 16:06:00 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <4028FFA5.9290C3BB@ihs.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com>
Message-ID: <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com>

Well I'm not talking about to the postmaster. I'm talking about including
them in the messages sent to senders of virii and spam

Errol Neal

At 10:58 AM 2/10/2004, you wrote:
>Admin Team wrote:
> >
> > Hi-
> >
> > I don't know if this question has been asked before. If it has, please
> > forgive me.
> > Is there a way to include the original headers in a virus or spam warning
> > report?
> > If so, how do I do that.
>
>The report to postmaster: Notices Include Full Headers = yes
>
>The report to the recipient is the original email with the report added,
>so a person should just need to expand the headers in the email.
>
>Dustin

From newslists at PESSIMISTS.NET Tue Feb 10 16:16:03 2004
From: newslists at PESSIMISTS.NET (Andy Sutton)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com>
Message-ID: <1076429763.3954.61.camel@andy.pessimists.net>

On Tue, 2004-02-10 at 11:06, Admin Team wrote:
> Well im not talking about to the postmaster. I'm talking about including
> them in the messages sent to senders of virii and spam

Since most modern virii and spam fake their addresses, why send out
notices at all? It's sort of pointless, and I personally get tired of
virus infection messages from people who received an email supposedly
from me but with a forged TO:

Andy

"I figure if I survive this thing... I can just about do anything I
want. If I don't survive, I don't have to pay taxes anymore. So it's a
win-win situation."
Brian Walker, Project RUSH - X Prize Competitor

From dustin.baer at IHS.COM Tue Feb 10 16:11:35 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com>
Message-ID: <402902B7.92FBA790@ihs.com>

Admin Team wrote:
>
> Well im not talking about to the postmaster. I'm talking about including
> them in the messages sent to senders of virii and spam
>
> Errol Neal

Errol,

Okay...I don't believe there is a way to do that.

If you continue to send notices to the "senders" of viruses, please make
sure you have an updated list of silent viruses, since current viruses
are well known to spoof sender addresses.

If you send notices to "senders" of spam, please create a ruleset and
add *@ihs.com as an address who shouldn't be notified, since it is most
likely a spoofed sender address.

Thanks,

Dustin

From sysadmins at ENHTECH.COM Tue Feb 10 16:31:24 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <1076429763.3954.61.camel@andy.pessimists.net>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net>
Message-ID: <6.0.2.0.0.20040210112114.02639290@mail.enhtech.com>

At 11:16 AM 2/10/2004, you wrote:
>Since most modern virii and spam fake their addresses, why send out
>notices at all? It's sort of pointless, and I personally get tired of
>virus infection messages from people who received an email supposedly
>from me but with a forged TO:

Well we think it would be irresponsible of us not to notify. As a matter of
fact, it is a pain for us to do so and we only do so because of our client
base. We would love not to have to do this. If one of our clients were
expecting an urgent, time sensitive email and that email did not make it
through the MailScanner for some reason, we feel it is our obligation to
notify the sender. Otherwise you have the situation where they believe the
message was delivered and leave town, go out of the country, go on vacation
or whatever, but our client is left hanging. The notification is critical
in this regard because it allows us to quickly alert someone in case of an
obvious mistake.
Now one would argue the obvious that we are responding to far more spoofed
messages than we are valid ones and I would agree. But at this point and
time, there is no other alternative for my company than to do this.

Regards

Errol Neal

From sysadmins at ENHTECH.COM Tue Feb 10 16:32:33 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <402902B7.92FBA790@ihs.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <402902B7.92FBA790@ihs.com>
Message-ID: <6.0.2.0.0.20040210113209.02641dd8@mail.enhtech.com>

At 11:11 AM 2/10/2004, you wrote:
>Errol,
>
>Okay...I don't believe there is a way to do that.
>
>If you continue to send notices to the "senders" of viruses, please make
>sure you have an updated list of silent viruses, since current viruses
>are well known to spoof sender addresses.
>
>If you send notices to "senders" of spam, please create a ruleset and
>add *@ihs.com as an address who shouldn't be notified, since it is most
>likely a spoofed sender address.
>
>Thanks,
>
>Dustin

Will do and thanks.

Errol Neal

From prandal at HEREFORDSHIRE.GOV.UK Tue Feb 10 16:39:32 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C502@jessica.herefordshire.gov.uk>

Telephones work wonders in situations like this.

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Admin Team
> Sent: 10 February 2004 16:31
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Including original headers in reports
>
>
> At 11:16 AM 2/10/2004, you wrote:
> >Since most modern virii and spam fake their addresses, why send out
> >notices at all? It's sort of pointless, and I personally
> get tired of
> >virus infection messages from people who received an email supposedly
> >from me but with a forged TO:
>
>
> Well we think it would be irresponsible of us not to notify.
> As a matter of
> fact, it is a pain for us to do so and we only do so
> because of our client base. We would love not to have to do
> this. If one of
> our clients were expecting an urgent, time sensitive email
> and that email
> did not make it through the MailScanner for some reason, we
> feel it is
> our obligation to notify the sender. Otherwise you have the
> situation where
> they believe the message was delivered and leave town, go out of the
> country, go on vacation or whatever, but our client is left
> hanging. The
> notification is critical in this regard because it allows us
> to quickly
> alert someone in case of an obvious mistake.
> Now one would argue the obvious that we are responding to far
> more spoofed
> messages than we are valid ones and I would agree. But at this
> point and
> time, there is no other alternative for my company than to do this.
>
> Regards
>
> Errol Neal
>

From craig at WESTPRESS.COM Tue Feb 10 16:39:48 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:24 2006
Subject: restart after spam.assassin.prefs.con edits?
In-Reply-To: <1076429763.3954.61.camel@andy.pessimists.net>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net>
Message-ID:

Does MailScanner need to be restarted after edits to this file? For
that matter, are there any files which can be edited that do not
require MailScanner to be restarted?
--
---

Craig Daters (craig@westpress.com)
Graphic Designer / Systems Administrator
West Press Printing & Copying
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com

---

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From sysadmins at ENHTECH.COM Tue Feb 10 16:42:45 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C502@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C502@jessica.herefordshire.gov.uk>
Message-ID: <6.0.2.0.0.20040210114159.026449d8@mail.enhtech.com>

At 11:39 AM 2/10/2004, you wrote:
>Telephones work wonders in situations like this.
>
>Phil

In what situation?

Errol Neal

From prandal at HEREFORDSHIRE.GOV.UK Tue Feb 10 16:45:39 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C503@jessica.herefordshire.gov.uk>

ring ring - we haven't got that email you said you'd send us. OK, I'll fax
it, etc...

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Admin Team
> Sent: 10 February 2004 16:43
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Including original headers in reports
>
>
> At 11:39 AM 2/10/2004, you wrote:
> >Telephones work wonders in situations like this.
> >
> >Phil
>
>
> In what situation?
>
>
>
> Errol Neal
>

From ugob at CAMO-ROUTE.COM Tue Feb 10 16:43:37 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:24 2006
Subject: restart after spam.assassin.prefs.con edits?
In-Reply-To:
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net>
Message-ID: <40290A39.6030801@camo-route.com>

Craig Daters wrote:

> Does MailScanner need to be restarted after edits to this file. For
> that matter, are there any files which can be edited that do not
> require MailScanner to be restarted?

I cannot tell exactly, but you can usually just reload it instead of
restarting it.

Ugo

> --
> ---
>
> Craig Daters (craig@westpress.com)
> Graphic Designer / Systems Administrator
> West Press Printing & Copying
> 1663 West Grant Road
> Tucson, Arizona 85745-1433
>
> Tel: 520-624-4939
> Fax: 520-624-2715
>
> www.westpress.com
>
> ---
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> MailScanner thanks transtec Computers for their support.

From mailscanner at ecs.soton.ac.uk Tue Feb 10 13:43:24 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: Thankyou for the CD
Message-ID: <6.0.3.0.2.20040210134227.07f99208@imap.ecs.soton.ac.uk>

To whoever sent me the Peter Gabriel CD from my wish list at
www.amazon.co.uk, many thanks! It is much appreciated.

It's great getting pressies :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 17:06:52 2004
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:22:24 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200402101706.i1AH6qsb021119@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Anise Betts

Very nice! Come visit

From sysadmins at ENHTECH.COM Tue Feb 10 16:55:06 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C503@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C503@jessica.herefordshire.gov.uk>
Message-ID: <6.0.2.0.0.20040210114824.0263f9a0@mail.enhtech.com>

At 11:45 AM 2/10/2004, you wrote:
>ring ring - we haven't got that email you said you'd send us. OK, I'll fax
>it, etc...
>
>Phil

What if it is not convenient for it to be faxed? Such as a 100 page contract or other information like that? So do we inconvenience customers and clients? I don't think that should be our philosophy and it most certainly is not the approach that my company takes. We deploy MailScanner as a value-added service for our clients. It adds more value to the other services we are able to provide. It removes the inconveniences of having to deal with viruses and spam at the desktop. What you are suggesting adds another inconvenience.

Errol Neal

From craig at WESTPRESS.COM Tue Feb 10 17:09:45 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:24 2006
Subject: restart after spam.assassin.prefs.con edits?
In-Reply-To: <40290A39.6030801@camo-route.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> <40290A39.6030801@camo-route.com>
Message-ID:

>I cannot tell exactly, but you can usually just reload it instead of
>restarting it.

Okay, forgive me if this is a stupid question, but how do I reload
MailScanner?

I have been usually restarting it by 'service MailScanner restart'
would I reload it instead by 'service MailScanner reload'?

--
---

Craig Daters (craig@westpress.com)
Graphic Designer / Systems Administrator
West Press Printing & Copying
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com

---

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From martinh at SOLID-STATE-LOGIC.COM Tue Feb 10 17:12:00 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C503@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C503@jessica.herefordshire.gov.uk>
Message-ID: <402910E0.2070605@solid-state-logic.com>

Randal, Phil wrote:
> ring ring - we haven't got that email you said you'd send us. OK, I'll fax
> it, etc...
>
> Phil
>

Exactly what I have to tell the 'users' around here every so often. There is *no* guarantee of delivery with email, if it's that important use return receipts or phone the person to confirm they got it.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From james at DENY.ORG Tue Feb 10 16:51:27 2004
From: james at DENY.ORG (James Sizemore)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
Message-ID: <40290C0F.6080306@deny.org>

For those of us that feel strongly that email should be a reliable transport medium. That believe that every email server should have secondary mx records. That believe strongly that any message that does not get delivered should send a bounce notice to the original sender. That no properly configured mail server should ever delete mail without some kind of notice to either the recipient or sender!
For those of us that do spam filtering for brokers or certain types of lawyers that must BY LAW archive every message they get or bounce it. Who also don't want those same brokers wading through hundreds of spam messages a day, just to do their job.

Has anyone made a third party patch to add back bounce as an option for Spam Actions? If not and you have interest in such a thing let me know.

For those of you that feel email is not a reliable transport medium, that think it is ok for mail servers to just delete email on arbitrary criteria, this is not a prelude to a debate. I don't care what your opinion is, we have a different philosophy about what email is. So don't expect a reply from me because you don't like my point of view. This email is to others that want to bounce messages instead of deleting them, whose users expect email to get through or at least tell someone if it does not.
We know there are a few people that get a ton of bogus bounces. That this is unfortunate but less severe than mom not getting those pictures of the new baby. I personally wade through 3000 bounce messages a day, it is not that hard to filter them into another folder. So get over it.

From mailscanner at ecs.soton.ac.uk Tue Feb 10 16:54:22 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <6.0.2.0.0.20040210112114.02639290@mail.enhtech.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> <6.0.2.0.0.20040210112114.02639290@mail.enhtech.com>
Message-ID: <6.0.1.1.2.20040210165026.03cab488@imap.ecs.soton.ac.uk>

At 16:31 10/02/2004, you wrote:
>At 11:16 AM 2/10/2004, you wrote:
>>Since most modern virii and spam fake their addresses, why send out
>>notices at all? It's sort of pointless, and I personally get tired of
>>virus infection messages from people who received an email supposedly
>>from me but with a forged TO:
>
>
>Well we think it would be irresponsible of us not to notify. As a matter of
>fact, it is a pain for us to do so and we only do so
>because of our client base. We would love not to have to do this. If one of
>our clients were expecting an urgent, time sensitive email and that email
>was did not make through the MailScanner for some reason, we feel it is
>our obligation to notify the sender. Otherwise you have the situation where
>they believe the message was delivered and leave town, go out of the
>country, go on vacation or whatever, but our client is left hanging. The
>notification is critical in this regard because it allows us to quickly
>alert someone in case of an obvious mistake.
>Now one would argue the obvious that we are responding to far more spoofed
>messages than we are valid one and I would agree. But at this point and
>time, there is no other alternative for my company than do this.

Please can you do a compromise like this:
In MailScanner.conf, set
Required SpamAssassin Score = 6
High SpamAssassin Score = 10
Spam Actions = deliver bounce
High Scoring Spam Actions = deliver
That way low scoring (possibly marginal, possibly incorrectly tagged) spam
gets bounced back to the sender. But if you are sure it is spam (believe
me, a score of 10 will guarantee that!) then you don't bounce it.

Fortunately, with the latest version, even this isn't an option as I have
removed the "bounce" spam action completely.

If the message had a virus in it, then by default the recipient would still
get the message (with the virus removed) and so would know that the client
sent them an email.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 17:13:12 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <40290C0F.6080306@deny.org>
References: <40290C0F.6080306@deny.org>
Message-ID: <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk>

At 16:51 10/02/2004, you wrote:
>For those of us that feel strongly that email should be a reliable
>transport medium. That believe that every email server should have
>secondary mx records. That believe strongly that any message that does
>not get delivered should send a bounce notice to the original sender.
>That no properly configured mail server should ever delete mail without
>some kind of notice to either the recipient or sender!
>For those of us that do spam filtering for brokers or certain types of
>lawyers that must BY LAW archive every message they get or bounce it.
>Who also don't want those same brokers wading through hundreds of spam
>messages a day, just to do their job.
>
>Has anyone made a third party patch to add back bounce as an option for
>Spam Actions? If not and you have interest in such a thing
>let me know.
>
>For those of you that feel email is not a reliable transport medium,
>that think it is ok for mail servers to just delete

Why not just use
Spam Actions = deliver
or
Spam Actions = deliver attachment
or
Spam Actions = notify store

That way your recipients don't have to wade through anything, all your
incoming email is stored and people can get at messages that were wrongly
tagged very easily.

I appreciate your point, and I am aware of your position. But bouncing spam
is not the correct answer to it, there are many other superior solutions to
the problem, that don't cause grief to everyone else on the net.

>email on arbitrary criteria, this is not a prelude to a debate. I don't
>care what your opinion is, we have a different philosophy
>about what email is. So don't expect a reply from me because you don't
>like my point of view. This email is to others that
>want to bounce messages instead of deleting them, whose users expect
>email to get through or at least tell someone if it does not.
>We know there are a few people that get a ton of bogus bounces. That this
>is unfortunate but less severe than mom not getting those pictures of the
>new baby. I personally wade through 3000 bounce messages a day, it is
>not that hard to filter them into another folder. So get over it.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 17:08:51 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: restart after spam.assassin.prefs.con edits?
In-Reply-To:
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net>
Message-ID: <6.0.1.1.2.20040210165431.03caad30@imap.ecs.soton.ac.uk>

At 16:39 10/02/2004, you wrote:
>Does MailScanner need to be restarted after edits to this file. For
>that matter, are there any files which can be edited that do not
>require MailScanner to be restarted?

A "reload" will do. If the "ps ax" command lists all the MailScanner
processes as having parent PID of, say, 1234, then type this:
 kill -HUP -1234
as that will force all the child processes to restart and re-read their
configuration.

If you don't want to do that, then the child processes restart themselves
every 4 hours by default (see "Restart Every" in MailScanner.conf) at which
point they will re-read their configuration anyway.

A few advanced SpamAssassin configuration options actually require a full
restart of MailScanner, but that's pretty rare.

>--
>---
>
>Craig Daters (craig@westpress.com)
>Graphic Designer / Systems Administrator
>West Press Printing & Copying
>1663 West Grant Road
>Tucson, Arizona 85745-1433
>
>Tel: 520-624-4939
>Fax: 520-624-2715
>
>www.westpress.com
>
>---
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>MailScanner thanks transtec Computers for their support.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 17:19:12 2004
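
[Added example, not part of any message in this thread.] The reload steps from Julian Field's reply above (find the PID that the MailScanner children share as parent, then send HUP to that process group), worked through on a constructed `ps` listing. It assumes the processes show `MailScanner` as their command name in `ps -eo pid,ppid,pgid,args` output; the function names are hypothetical, and the group check is there because a negative PID argument to `kill` addresses a process group.

```shell
#!/bin/sh
# Added example: derive the argument for "kill -HUP -<pid>" from ps output.

# Constructed sample of `ps -eo pid,ppid,pgid,args` output (not from a real host).
SAMPLE_PS='  PID  PPID  PGID COMMAND
    1     0     1 init
 1234     1  1234 MailScanner
 1240  1234  1234 MailScanner
 1241  1234  1234 MailScanner
 1242  1234  1234 MailScanner
 2001     1  2001 sendmail'

# Read ps output on stdin; print the PID of the MailScanner process that is
# the parent of the other MailScanner processes.
# Exit 1: no MailScanner parent/child pair was found.
# Exit 2: a child sits in a different process group, so signalling the
#         group -<pid> would not reach every child.
ms_reload_target() {
    awk '
        $1 ~ /^[0-9]+$/ && $4 ~ /MailScanner/ {
            seen[$1] = 1; parent[$1] = $2; group[$1] = $3
        }
        END {
            for (p in seen) {
                par = parent[p]
                if (!(par in seen)) continue   # parent is not a MailScanner process
                kids[par]++
                if (group[p] != par) stray[par]++
            }
            best = ""; most = 0
            for (par in kids) if (kids[par] > most) { best = par; most = kids[par] }
            if (best == "") exit 1
            if (stray[best] > 0) exit 2
            print best
        }'
}

# Print (do not run) the reload command in the form given in the message.
ms_reload_command() {
    leader=$(ms_reload_target) || return 1
    printf 'kill -HUP -%s\n' "$leader"
}

# Demo on the constructed listing. On a live host, pipe in
# `ps -eo pid,ppid,pgid,args` and review the printed command before use.
printf '%s\n' "$SAMPLE_PS" | ms_reload_command
```
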
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: restart after spam.assassin.prefs.con edits?
In-Reply-To:
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> <40290A39.6030801@camo-route.com>
Message-ID: <6.0.1.1.2.20040210171903.039e5670@imap.ecs.soton.ac.uk>

At 17:09 10/02/2004, you wrote:
>>I cannot tell exactly, but you can usually just reload it instead of
>>restarting it.
>
>Okay, forgive me if this is a stupid question, but how do I reload
>MailScanner?
>
>I have been usually restarting it by 'service MailScanner restart'
>would I reload it instead by 'service MailScanner reload'?

Yes
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From tyler at BELOIT.EDU Tue Feb 10 17:13:15 2004
From: tyler at BELOIT.EDU (Tim Tyler)
Date: Thu Jan 12 21:22:24 2006
Subject: conditional direction of email?
Message-ID: <6.0.0.22.0.20040210111244.03fe5ca8@beloit.edu>

Mailscanner experts,
We have most email get MXed through a scanner. We are running sendmail on our AIX5.1 systems. 95% of messages will get relayed through the scanner. Is it possible to have sendmail redirect ONLY messages that were NOT relayed through that scanner to redirect through your mailscanner?

Tim Tyler
Network Engineer - Beloit College
tyler@beloit.edu

From mkettler at EVI-INC.COM Tue Feb 10 17:26:28 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <40290C0F.6080306@deny.org>
References: <40290C0F.6080306@deny.org>
Message-ID: <6.0.0.22.0.20040210120454.01bf7dd8@xanadu.evi-inc.com>

Hmm, that's a great way to convince people to join your cause.. start off with a flame before anyone even replies. Sigh.

Feel free to develop a patch and use it, but beware of the implications for your ability to exchange mail with others. I for one take a strong stance against broken MTAs and at times am forced to start 550ing servers that are puking on my network when the admins will not correct their servers.

We have a difference of opinion, and that's fine, but keep in mind that your opinion regarding the "reliability" of email may affect the reliability of your ability to send mail in the first place.

I'd encourage you to actually try to do this some other way than using MailScanner.. Using a tool with deep MTA layer integrations will allow you to 550 the message before delivery. You're now meeting your needs for notifying legitimate senders, AND you're not brokenly puking on bystanders.

It's not something MailScanner can do, but so what? Your needs encompass something that MailScanner cannot do properly.

From wberbert at SERMAP.COM.BR Tue Feb 10 17:14:01 2004
From: wberbert at SERMAP.COM.BR (Wanderson Berbert)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
Message-ID:

I'm using mailscanner for debian and I'm trying to use f-secure 4.52 as
virus scanner engine, I've changed the f-securewrapper script to meet my
needs and started mailscanner, all seems to be fine until:

Commercial virus checker failed with real error: Either
you've found a bug in MailScanner's F-Secure
output parser, or F-Secure's output format has changed!
Please mail the author of MailScanner!

Thanks for any help

From mailscanner at ecs.soton.ac.uk Tue Feb 10 17:25:11 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040210172441.03c99358@imap.ecs.soton.ac.uk>

Please search the archives before posting here.
I answered this a couple of days ago. See the thread with the title "Re:
f-secure version 4.52".

At 17:14 10/02/2004, you wrote:
>I'm using mailscanner for debian and I'm trying to use f-secure 4.52 as
>virus scanner engine, I've changed the f-securewrapper script to meet my
>needs and started mailscanner, all seems to be fine until:
>
>Commercial virus checker failed with real error: Either
>you've found a bug in MailScanner's F-Secure
>output parser, or F-Secure's output format has changed!
>Please mail the author of MailScanner!
>
>Thanks for any help

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From wberbert at SERMAP.COM.BR Tue Feb 10 18:38:29 2004
From: wberbert at SERMAP.COM.BR (Wanderson Berbert)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
References: <6.0.1.1.2.20040210172441.03c99358@imap.ecs.soton.ac.uk>
Message-ID: <40292525.3050609@sermap.com.br>

I've already looked at archives before posting this email, you posted a
patch to be applied to SweepViruses.pm but I didn't find this file in
/usr/lib/MailScanner I do not even have the folder /usr/lib/MailScanner on
my computer, I installed MailScanner from packages.debian.org

Thanks


Julian Field wrote:

> Please search the archives before posting here.
> I answered this a couple of days ago. See the thread with the title "Re:
> f-secure version 4.52".
>
> At 17:14 10/02/2004, you wrote:
>
>> I'm using mailscanner for debian and I'm trying to use f-secure 4.52 as
>> virus scanner engine, I've changed the f-securewrapper script to meet my
>> needs and started mailscanner, all seems to be fine until:
>>
>> Commercial virus checker failed with real error: Either
>> you've found a bug in MailScanner's F-Secure
>> output parser, or F-Secure's output format has changed!
>> Please mail the author of MailScanner!
>>
>> Thanks for any help
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> -------------------------------------------------
> This message has been scanned for viruses and dangerous
> content by MailScanner, and no viruses were found
> in this message.
> -------------------------------------------------
>
>

-------------------------------------------------
This message has been scanned for viruses and dangerous
content by MailScanner, and no viruses were found
in this message.
-------------------------------------------------

From craig at WESTPRESS.COM Tue Feb 10 17:48:08 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:24 2006
Subject: restart after spam.assassin.prefs.con edits?
In-Reply-To: <6.0.1.1.2.20040210165431.03caad30@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> <6.0.1.1.2.20040210165431.03caad30@imap.ecs.soton.ac.uk>
Message-ID:

That works! Thanks Julian.

>At 16:39 10/02/2004, you wrote:
>>Does MailScanner need to be restarted after edits to this file. For
>>that matter, are there any files which can be edited that do not
>>require MailScanner to be restarted?
>
>A "reload" will do. If the "ps ax" command lists all the MailScanner
>processes as having parent PID of, say, 1234, then type this:
> kill -HUP -1234
>as that will force all the child processes to restart and re-read their
>configuration.
>
>If you don't want to do that, then the child processes restart themselves
>every 4 hours by default (see "Restart Every" in MailScanner.conf) at which
>point they will re-read their configuration anyway.
>
>A few advanced SpamAssassin configuration options actually require a full
>restart of MailScanner, but that's pretty rare.

--
---

Craig Daters (craig@westpress.com)
Graphic Designer / Systems Administrator
West Press Printing & Copying
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com

---

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From sysadmins at ENHTECH.COM Tue Feb 10 17:54:44 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <6.0.1.1.2.20040210165026.03cab488@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> <6.0.2.0.0.20040210112114.02639290@mail.enhtech.com> <6.0.1.1.2.20040210165026.03cab488@imap.ecs.soton.ac.uk>
Message-ID: <6.0.2.0.0.20040210125253.02653ac0@mail.enhtech.com>

At 11:54 AM 2/10/2004, you wrote:
Please can you do a compromise like this:
>In MailScanner.conf, set
>Required SpamAssassin Score = 6
>High SpamAssassin Score = 10
>Spam Actions = deliver bounce
>High Scoring Spam Actions = deliver
>That way low scoring (possibly marginal, possibly incorrectly tagged) spam
>gets bounced back to the sender. But if you are sure it is spam (believe
>me, a score of 10 will guarantee that!) then you don't bounce it.
>
>Fortunately, with the latest version, even this isn't an option as I have
>removed the "bounce" spam action completely.
>
>If the message had a virus in it, then by default the recipient would still
>get the message (with the virus removed) and so would know that the client
>sent them an email.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Well Julian, we already do this. If a message is off the chart, there is absolutely no sense in us bouncing it. That would be crazy.

So in the latest version you've removed the bounce option? Ouch...

Errol Neal

From mailscanner at ecs.soton.ac.uk Tue Feb 10 17:58:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
In-Reply-To: <40292525.3050609@sermap.com.br>
References: <6.0.1.1.2.20040210172441.03c99358@imap.ecs.soton.ac.uk> <40292525.3050609@sermap.com.br>
Message-ID: <6.0.3.0.2.20040210175720.03becd60@imap.ecs.soton.ac.uk>

In which case, do "locate SweepViruses.pm" assuming debian has "locate". If
it doesn't have a "locate" command, then try this instead
 find /opt /usr -name SweepViruses.pm -print
though that may take a little while.

At 18:38 10/02/2004, you wrote:
>I've already looked at archives before posting this email, you posted a
>patch to be applied to SweepViruses.pm but I didn't find this file in
>/usr/lib/MailScanner I do not even have the folder /usr/lib/MailScanner on
>my computer, I installed MailScanner from packages.debian.org
>
>Thanks
>
>
>Julian Field wrote:
>
>>Please search the archives before posting here.
>>I answered this a couple of days ago. See the thread with the title "Re:
>>f-secure version 4.52".
>>
>>At 17:14 10/02/2004, you wrote:
>>
>>>I'm using mailscanner for debian and I'm trying to use f-secure 4.52 as
>>>virus scanner engine, I've changed the f-securewrapper script to meet my
>>>needs and started mailscanner, all seems to be fine until:
>>>
>>>Commercial virus checker failed with real error: Either
>>>you've found a bug in MailScanner's F-Secure
>>>output parser, or F-Secure's output format has changed!
>>>Please mail the author of MailScanner!
>>>
>>>Thanks for any help
>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>-------------------------------------------------
>>This message has been scanned for viruses and dangerous
>>content by MailScanner, and no viruses were found
>>in this message.
>>-------------------------------------------------
>>
>
>
>
>-------------------------------------------------
>This message has been scanned for viruses and dangerous
>content by MailScanner, and no viruses were found
>in this message.
>-------------------------------------------------

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 18:03:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
In-Reply-To: <6.0.2.0.0.20040210125253.02653ac0@mail.enhtech.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A5C@pascal.priv.bmrb.co.uk> <6.0.2.0.0.20040210104609.02630b58@mail.enhtech.com> <4028FFA5.9290C3BB@ihs.com> <6.0.2.0.0.20040210110423.02636858@mail.enhtech.com> <1076429763.3954.61.camel@andy.pessimists.net> <6.0.2.0.0.20040210112114.02639290@mail.enhtech.com> <6.0.1.1.2.20040210165026.03cab488@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210125253.02653ac0@mail.enhtech.com>
Message-ID: <6.0.3.0.2.20040210175946.03bdbb98@imap.ecs.soton.ac.uk>

At 17:54 10/02/2004, you wrote:
>At 11:54 AM 2/10/2004, you wrote:
>Please can you do a compromise like this:
>>In MailScanner.conf, set
>>Required SpamAssassin Score = 6
>>High SpamAssassin Score = 10
>>Spam Actions = deliver bounce
>>High Scoring Spam Actions = deliver
>>That way low scoring (possibly marginal, possibly incorrectly tagged) spam
>>gets bounced back to the sender. But if you are sure it is spam (believe
>>me, a score of 10 will guarantee that!) then you don't bounce it.
>>
>>Fortunately, with the latest version, even this isn't an option as I have
>>removed the "bounce" spam action completely.
>>
>>If the message had a virus in it, then by default the recipient would still
>>get the message (with the virus removed) and so would know that the client
>>sent them an email.
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>Well Julian, we already do this. If a message is off the chart, there is
>absolutely no sense in us bouncing it. That would be
>crazy.
>
>So in the latest version you've removed the bounce option? Ouch...

I believe there are better solutions to the problem, such as "deliver attachment" or "notify" so the recipient makes the decision as to what to do with the message.

I will only put the "bounce" option back in if there is an absolute outcry about it, which there isn't. The outcry is for stopping people bouncing spam as the sender address is always faked so some innocent soul gets inundated with warning messages about stuff they never sent. I have to deal with a lot of these people, as they contact me for help. This takes a fair amount of my time, so I am strongly against anything that wastes my time. You guys don't have to deal with the fallout from this option, I do!
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From sysadmins at ENHTECH.COM Tue Feb 10 18:09:54 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>

At 12:13 PM 2/10/2004, you wrote:
>I appreciate your point, and I am aware of your position. But bouncing spam
>is not the correct answer to it, there are many other superior solutions to
>the problem, that don't cause grief to everyone else on the net.

Julian, as opposed to "bouncing" a message, can we implement something to notify a sender politely that they *may* have sent an email to someone that did not get delivered and *IF* they do not know this person to disregard the message. I am very concerned that the bounce feature is removed.

For those providers not wishing to guarantee some type of service to their clients, tell your backbone providers to also renege on the SLA you have with them.

The reason we notify senders is not to be mean but as a responsibility to the clients we handle mail for. They entrust us with their mail. If for any reason a message cannot be delivered to someone, then the sender needs to know about this. I am asking you to please have this option available for those who need it. Otherwise this breaks more than you are trying to fix.

Email is an important form of communication in this day and age and ANY provider who tells their clients they cannot "guarantee" delivery of email to their inbox is simply irresponsible. Again, if you are willing to take this approach, please relieve your backbone providers of all SLA's they provide you. Allow them to tell you that they do not "guarantee" delivery of any datagram to your servers and see how quickly you look for another provider.

Errol Neal

From wberbert at SERMAP.COM.BR Tue Feb 10 19:07:09 2004
From: wberbert at SERMAP.COM.BR (Wanderson Berbert)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
References: <6.0.1.1.2.20040210172441.03c99358@imap.ecs.soton.ac.uk> <40292525.3050609@sermap.com.br> <6.0.3.0.2.20040210175720.03becd60@imap.ecs.soton.ac.uk>
Message-ID: <40292BDD.2070107@sermap.com.br>

I found a file called sweep.pl at /usr/share/mailscanner/
SweepViruses.pm doesn't exist in my system

Thanks for help

Julian Field wrote:

> In which case, do "locate SweepViruses.pm" assuming debian has "locate".
> If it doesn't have a "locate" command, then try this instead
> find /opt /usr -name SweepViruses.pm -print
> though that may take a little while.
>
> At 18:38 10/02/2004, you wrote:
>
>> I've already looked at archives before posting this email, you posted a
>> patch to be applied to SweepViruses.pm but I didn't find this file in
>> /usr/lib/MailScanner I do not even have the folder /usr/lib/MailScanner on
>> my computer, I installed MailScanner from packages.debian.org
>>
>> Thanks
>>
>> Julian Field wrote:
>>
>>> Please search the archives before posting here.
>>> I answered this a couple of days ago. See the thread with the title
>>> "Re: f-secure version 4.52".
>>>
>>> At 17:14 10/02/2004, you wrote:
>>>
>>>> I'm using mailscanner for debian and I'm trying to use f-secure 4.52 as
>>>> virus scanner engine, I've changed the f-securewrapper script to
>>>> meet my needs and started mailscanner, all seems to be fine until:
>>>>
>>>> Commercial virus checker failed with real error: Either
>>>> you've found a bug in MailScanner's F-Secure
>>>> output parser, or F-Secure's output format has changed!
>>>> Please mail the author of MailScanner!
>>>>
>>>> Thanks for any help

-------------------------------------------------
This message was scanned for viruses and dangerous
content by MailScanner, and no viruses were found
in this message.
-------------------------------------------------

From wberbert at SERMAP.COM.BR Tue Feb 10 17:59:55 2004
From: wberbert at SERMAP.COM.BR (Wanderson Berbert)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
Message-ID:

I found in /usr/share/mailscanner/sweep.pl, something interesting

sub ProcessFSecureOutput {
  my($line, $infections, $types, $BaseDir) = @_;
  #my($line) = @_;
  my($report, $infected, $dot, $id, $part, @rest);

  chomp $line;
  # Lose cruft
  return 0 if $fsecure_InCruft > 0;
  if ($line eq "") {
    $fsecure_InCruft += 1;
    return 0;
  }
  $fsecure_InCruft == 0 or return 0;

  # Prefer s/// to m// as less likely to do unpredictable things.
  # We hope.
  if ($line =~ /\tinfection:\s/) {
    $report = $line;
    # Get to relevant filename in a reasonably but not
    # totally robust manner (*impossible* to be totally robust
    # if we have square brackets and spaces in filenames)
    # Strip archive bits if present
    $line =~ s/^\[(.*?)\] .+(\tinfection:.*)/$1$2/;

    # Get to the meat or die trying...
    $line =~ s/\tinfection:[^:]*$//
      or Log::DieLog("Dodgy things going on in F-Secure output:\n$report\n");
    ($dot,$id,$part,@rest) = split(/\//, $line);
    $infections->{"$id"}{"$part"} .= $report . "\n";
    $types->{"$id"}{"$part"} .= "v"; # so we know what to tell sender
    return 1;
  }
  Log::DieLog("Either you've found a bug in MailScanner's F-Secure\noutput parser, or F-Secure's output format has changed!\nPlease mail the author of MailScanner!\n");
}

When I invoke /etc/mailscanner/wrapper/f-securewrapper /var/spool/mailscanner/incoming/ the output is:

F-Secure Anti-Virus for Linux version 4.52 build 2461
Copyright (c) 1999-2003 F-Secure Corporation. All Rights Reserved.
EVALUATION VERSION - FULLY FUNCTIONAL - FREE TO USE FOR 30 DAYS.
To purchase license, please check http://www.F-Secure.com/purchase/

Database version: 2004-02-09_04^M

Scan started at Tue Feb 10 15:58:10 2004
/var/spool/mailscanner/incoming/1Aqc4E-0002LO-00/doc.scr: Infected: W32/Mydoom.A@mm [Orion]
/var/spool/mailscanner/incoming/1Aqc4E-0002LO-00/doc.scr: Infected: I-Worm.Mydoom.a [AVP]
[/var/spool/mailscanner/incoming/1Aqc4w-00044D-00/document.zip] document.htm .exe: Infected: W32/Mydoom.A@mm [Orion]
[/var/spool/mailscanner/incoming/1Aqc4w-00044D-00/document.zip] document.htm .exe: Infected: I-Worm.Mydoom.a [AVP]
[/var/spool/mailscanner/incoming/1Aqc79-00075p-00/body.zip] body.htm .exe: Infected: W32/Mydoom.A@mm [Orion]
[/var/spool/mailscanner/incoming/1Aqc79-00075p-00/body.zip] body.htm .exe: Infected: I-Worm.Mydoom.a [AVP]
/var/spool/mailscanner/incoming/1Aqc87-0007bI-00/message.pif: Infected: W32/Mydoom.A@mm [Orion]
/var/spool/mailscanner/incoming/1Aqc87-0007bI-00/message.pif: Infected: I-Worm.Mydoom.a [AVP]

Scan ended at Tue Feb 10 15:58:13 2004
18 files scanned
4 files infected

From marco at MUW.EDU Tue Feb 10 18:40:04 2004
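[Added example, not part of the thread, not MailScanner's code and not the patch Julian refers to.] The version 3 parser quoted in the message above only recognises lines containing a tab followed by "infection:", while the F-Secure 4.52 output quoted there reports "<path>: Infected: <name> [<engine>]", so every line falls through to the DieLog call. The function names, the base directory argument, the message-id character set and the sample lines (constructed from the output above) are assumptions of this sketch.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code: why the version 3 pattern never sees
# an infection in F-Secure 4.52 output, and one way to read the new lines.
use strict;
use warnings;

# The only infection marker the version 3 parser quoted above looks for.
my $OLD_MARKER = qr/\tinfection:\s/;

# 4.52 ends an infection line with ": Infected: <name> [<engine>]".
my $TAIL = qr/: Infected: (.+?)(?: \[([^\]]+)\])?\s*\z/;

# Banner and summary lines that appear in the 4.52 output quoted above.
my $BENIGN = qr/\A(?:F-Secure Anti-Virus |Copyright |EVALUATION VERSION|To purchase |Database version: |Scan (?:started|ended) at |\d+ files (?:scanned|infected))/;

# Hypothetical helper: parse one 4.52-style line.
# Returns a hash ref (id, part, virus, engine) or undef.
sub parse_fsecure_452_line {
  my ($line, $basedir) = @_;
  my ($id, $part, $virus, $engine);
  if ($line =~ m{^\[\Q$basedir\E/([^/]+)/([^/\]]+)\] .*$TAIL}) {
    # "[<archive>] <member>: Infected: ..." : attribute the hit to the
    # archive, which is the attachment stored under the message directory.
    ($id, $part, $virus, $engine) = ($1, $2, $3, $4);
  } elsif ($line =~ m{^\Q$basedir\E/([^/]+)/(.+)$TAIL}) {
    # Attachment names are chosen by the sender, so the greedy (.+) keeps
    # everything up to the LAST ": Infected: " as the file name.
    ($id, $part, $virus, $engine) = ($1, $2, $3, $4);
  } else {
    return;
  }
  # Assumption: message ids use only letters, digits and "-", as in the
  # directory names shown above. Anything else is not trusted as a key.
  return unless $id =~ /\A[A-Za-z0-9-]+\z/;
  return { id => $id, part => $part, virus => $virus,
           engine => $engine // 'unknown' };
}

# Hypothetical driver: returns the number of lines the old pattern matches,
# the infections keyed by message id and part, and the lines that were
# neither infections nor known banner text (reported, not silently dropped).
sub scan_report {
  my ($basedir, @lines) = @_;
  my (%infections, @unknown);
  my $old_hits = 0;
  for my $line (@lines) {
    $line =~ s/\r?\n\z//;
    $old_hits++ if $line =~ $OLD_MARKER;
    next unless $line =~ /\S/;
    if (my $hit = parse_fsecure_452_line($line, $basedir)) {
      push @{ $infections{ $hit->{id} }{ $hit->{part} } },
           "$hit->{virus} [$hit->{engine}]";
      next;
    }
    push @unknown, $line unless $line =~ $BENIGN;
  }
  return ($old_hits, \%infections, \@unknown);
}

# Constructed sample, modelled on the 4.52 output quoted in the message.
my @sample = (
  'F-Secure Anti-Virus for Linux version 4.52 build 2461',
  '',
  'Database version: 2004-02-09_04',
  'Scan started at Tue Feb 10 15:58:10 2004',
  '/var/spool/mailscanner/incoming/1Aqc4E-0002LO-00/doc.scr: Infected: W32/Mydoom.A@mm [Orion]',
  '[/var/spool/mailscanner/incoming/1Aqc4w-00044D-00/document.zip] document.htm .exe: Infected: I-Worm.Mydoom.a [AVP]',
  'A status line this parser has never seen (constructed)',
  'Scan ended at Tue Feb 10 15:58:13 2004',
  '18 files scanned',
  '4 files infected',
);

my ($old_hits, $infections, $unknown) =
  scan_report('/var/spool/mailscanner/incoming', @sample);

printf "lines matched by the version 3 pattern: %d\n", $old_hits;
for my $id (sort keys %$infections) {
  for my $part (sort keys %{ $infections->{$id} }) {
    printf "%s / %s: %s\n", $id, $part,
           join(', ', @{ $infections->{$id}{$part} });
  }
}
printf "unrecognised line: %s\n", $_ for @$unknown;
```
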
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>
Message-ID: <1076438404.40292584d0e3a@webmail.MUW.Edu>

I support Julian's decision of removing the "Bounce" option. To ask for this option knowing that 99% of the time you're notifying the wrong sender is outrageous!!! ...

I respectfully object to the point that was made about e-mail "reliability" by enabling "Bounce". I think all you're doing is saturating the Internet with junk and costing other MTAs valuable resources and creating confusion. Do you call this "reliable"? Bouncing too many messages may even force some other MTAs to block your server to stop the excessive bounces. Do you call this "reliable"?

I have been running MS to thousands of my users for 2 years now. Our users are extremely happy, less confused, and trust our service. There are other ways that Julian made available to accomplish what you are trying to do without "Bouncing" messages all over the Internet.

If you look at the whole picture, you will see Julian's point ... Create a patch that more fits your needs and be done with it!!!

Marco

Quoting Admin Team :

> At 12:13 PM 2/10/2004, you wrote:
> >I appreciate your point, and I am aware of your position. But bouncing spam
> >is not the correct answer to it, there are many other superior solutions to
> >the problem, that don't cause grief to everyone else on the net.

From mailscanner at ecs.soton.ac.uk Tue Feb 10 18:31:10 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>
Message-ID: <6.0.3.0.2.20040210182713.044efeb0@imap.ecs.soton.ac.uk>

At 18:09 10/02/2004, you wrote:
>At 12:13 PM 2/10/2004, you wrote:
>>I appreciate your point, and I am aware of your position. But bouncing spam
>>is not the correct answer to it, there are many other superior solutions to
>>the problem, that don't cause grief to everyone else on the net.
>
>
>Julian, as opposed to "bouncing" a message, can we implement something to
>notify a sender politely that
>they *may* have sent an email to someone that did not get delivered and
>*IF* they do not know this person
>to disregard the message. I am very concerned that the bounce feature is
>removed. For those providers not wishing
>to guarantee some type of service to their clients, tell your backbone
>providers to also renege on the SLA you have with them.
>The reason we notify senders is not to be mean but as a responsibility to
>the clients we handle mail for. They entrust us with their mail.
>If for any reason a message cannot be delivered to someone, then the sender
>needs to know about this. I am asking you to please have this option
>available for those who need it. Otherwise this breaks more than you are
>trying to fix. Email is an important form of communication in this day and
>age and ANY provider who tells their clients they cannot "guarantee"
>delivery of email to their inbox is
>simply irresponsible.

That is entirely down to your configuration. I guarantee to deliver every piece of mail to my users' inboxes, and I don't use the bounce option.

Informing the (forged, 99.999% of the time) sender is a totally different matter to delivering mail to their inbox. You simply tag the subject line and use "Spam Actions = deliver". That way the recipient can quickly skip through all the labelled spam, but they have the option to check all of it is correctly tagged.

You are confusing these two processes. They are totally separate and unrelated. My users would go through the roof if I didn't deliver every piece of mail addressed to them. I do that, but I see no need to "bounce" spam.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 18:26:18 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
In-Reply-To: <40292BDD.2070107@sermap.com.br>
References: <6.0.1.1.2.20040210172441.03c99358@imap.ecs.soton.ac.uk> <40292525.3050609@sermap.com.br> <6.0.3.0.2.20040210175720.03becd60@imap.ecs.soton.ac.uk> <40292BDD.2070107@sermap.com.br>
Message-ID: <6.0.3.0.2.20040210182310.03cd1a28@imap.ecs.soton.ac.uk>

At 19:07 10/02/2004, you wrote:
>I found a file called sweep.pl at /usr/share/mailscanner/
>SweepViruses.pm doesn't exist in my system

In which case you are running version 3 which I haven't supported for at least 1 1/2 years when I wrote version 4. The Debian stable version is so old it's completely useless. It's a bit like virus scanning or spam scanning, if the code is too old it doesn't work any more. The world has moved on rather a long way since the last edition of version 3. I suggest you remove version 3 *completely*, switch to debian unstable and install version 4.

Sorry, but I haven't got the time to support code that is getting on for being nearly 2 years out of date. To stay with version 3, you will have to use a version of F-Secure that is 1 1/2 years old as well.

>Thanks for help
>
>
>Julian Field wrote:
>
>>In which case, do "locate SweepViruses.pm" assuming debian has "locate".
>>If it doesn't have a "locate" command, then try this instead
>>find /opt /usr -name SweepViruses.pm -print
>>though that may take a little while.
>>
>>At 18:38 10/02/2004, you wrote:
>>
>>>I've already looked at archives before posting this email, you posted a
>>>patch to be applied to SweepViruses.pm but I didn't find this file in
>>>/usr/lib/MailScanner I do not even have the folder /usr/lib/MailScanner on
>>>my computer, I installed MailScanner from packages.debian.org
>>>
>>>Thanks
>>>
>>>
>>>Julian Field wrote:
>>>
>>>>Please search the archives before posting here.
>>>>I answered this a couple of days ago. See the thread with the title
>>>>"Re: f-secure version 4.52".
>>>>
>>>>At 17:14 10/02/2004, you wrote:
>>>>
>>>>>I'm using mailscanner for debian and I'm trying to use f-secure 4.52 as
>>>>>virus scanner engine, I've changed the f-securewrapper script to
>>>>>meet my needs and started mailscanner, all seems to be fine until:
>>>>>
>>>>>Commercial virus checker failed with real error: Either
>>>>>you've found a bug in MailScanner's F-Secure
>>>>>output parser, or F-Secure's output format has changed!
>>>>>Please mail the author of MailScanner!
>>>>>
>>>>>Thanks for any help

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From acschmitt at BPA.GOV Tue Feb 10 18:39:09 2004
From: acschmitt at BPA.GOV (Schmitt, Andy C - CIDD-2)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
Message-ID: <242663BECAD80B4DAAF2E62788F96917473B18@exhq01.bud.bpa.gov>

I think the original problem was that, polite or not, getting 3000 messages within a half-hour just because a spammer spoofed an email address just doesn't make someone's day. It's happened to some of my clients a few times, and it's _not_ fun. The clueless use of bouncing, on any mail gateway, by some admins has made it a real monster, and I think Julian has done the right thing in deciding to eliminate it.

I see a lot of people using "mail receipts", which are client-based, that send back a receipt when they read the message. Someone on this list suggested phone calls to verify, which I use sometimes (since receipts seem kind of annoying to me). Or just allow mail to get through (setting spam to deliver) and tell clients to set up a rule (Outlook and Eudora, IIRC, both do this) that will dump messages labelled spam into the appropriate folder; then they can decide what they want to keep.

All I know is, if you are in a position where you are filtering mail in such a way that clients will never see blocked messages, which I am, you can't have your cake and eat it too. Do you want to err on the side of eliminating spam, yielding some false negatives, or err on the side of ensuring mail delivery, yielding some false positives? There are many ways to handle this problem, but flooding the Internet with thousands of replies to spam is one of the least efficient.

Andy Schmitt
BPA Unix Team

-----Original Message-----
From: Admin Team [mailto:sysadmins@ENHTECH.COM]
Sent: Tuesday, February 10, 2004 10:10 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: For those of us that feel strongly that email should be a reliable transport medium.

At 12:13 PM 2/10/2004, you wrote:
>I appreciate your point, and I am aware of your position. But bouncing spam
>is not the correct answer to it, there are many other superior solutions to
>the problem, that don't cause grief to everyone else on the net.

Julian, as opposed to "bouncing" a message, can we implement something to notify a sender politely that they *may* have sent an email to someone that did not get delivered and *IF* they do not know this person to disregard the message. I am very concerned that the bounce feature is removed. For those providers not wishing to guarantee some type of service to their clients, tell your backbone providers to also renege on the SLA you have with them.

The reason we notify senders is not to be mean but as a responsibility to the clients we handle mail for. They entrust us with their mail. If for any reason a message cannot be delivered to someone, then the sender needs to know about this. I am asking you to please have this option available for those who need it. Otherwise this breaks more than you are trying to fix. Email is an important form of communication in this day and age and ANY provider who tells their clients they cannot "guarantee" delivery of email to their inbox is simply irresponsible.

Again, if you are willing to take this approach, please relieve your backbone providers of all SLA's they provide you. Allow them to tell you that they do not "guarantee" delivery of any datagram to your servers and see how quickly you look for another provider.

Errol Neal

From wberbert at SERMAP.COM.BR Tue Feb 10 19:44:55 2004
From: wberbert at SERMAP.COM.BR (Wanderson Berbert)
Date: Thu Jan 12 21:22:24 2006
Subject: f-secure 4.52
References: <6.0.1.1.2.20040210172441.03c99358@imap.ecs.soton.ac.uk> <40292525.3050609@sermap.com.br> <6.0.3.0.2.20040210175720.03becd60@imap.ecs.soton.ac.uk> <40292BDD.2070107@sermap.com.br> <6.0.3.0.2.20040210182310.03cd1a28@imap.ecs.soton.ac.uk>
Message-ID: <402934B7.3050301@sermap.com.br>

ok, I understand
I will see what I can do

Thanks

Julian Field wrote:

> At 19:07 10/02/2004, you wrote:
>
>> I found a file called sweep.pl at /usr/share/mailscanner/
>> SweepViruses.pm doesn't exist in my system
>
> In which case you are running version 3 which I haven't supported for at
> least 1 1/2 years when I wrote version 4. The Debian stable version is so
> old it's completely useless. It's a bit like virus scanning or spam
> scanning, if the code is too old it doesn't work any more. The world has
> moved on rather a long way since the last edition of version 3. I suggest
> you remove version 3 *completely*, switch to debian unstable and install
> version 4.
>
> Sorry, but I haven't got the time to support code that is getting on for
> being nearly 2 years out of date. To stay with version 3, you will have to
> use a version of F-Secure that is 1 1/2 years old as well.
>
>> Thanks for help
>>
>> Julian Field wrote:
>>
>>> In which case, do "locate SweepViruses.pm" assuming debian has "locate".
>>> If it doesn't have a "locate" command, then try this instead
>>> find /opt /usr -name SweepViruses.pm -print
>>> though that may take a little while.
>>>
>>> At 18:38 10/02/2004, you wrote:
>>>
>>>> I've already looked at archives before posting this email, you posted a
>>>> patch to be applied to SweepViruses.pm but I didn't find this file in
>>>> /usr/lib/MailScanner I do not even have the folder
>>>> /usr/lib/MailScanner on
>>>> my computer, I installed MailScanner from packages.debian.org
>>>>
>>>> Thanks
>>>>
>>>> Julian Field wrote:
>>>>
>>>>> Please search the archives before posting here.
>>>>> I answered this a couple of days ago. See the thread with the title
>>>>> "Re: f-secure version 4.52".
>>>>>
>>>>> At 17:14 10/02/2004, you wrote:
>>>>>
>>>>>> I'm using mailscanner for debian and I'm trying to use f-secure
>>>>>> 4.52 as
>>>>>> virus scanner engine, I've changed the f-securewrapper script to
>>>>>> meet my needs and started mailscanner, all seems to be fine until:
>>>>>>
>>>>>> Commercial virus checker failed with real error: Either
>>>>>> you've found a bug in MailScanner's F-Secure
>>>>>> output parser, or F-Secure's output format has changed!
>>>>>> Please mail the author of MailScanner!
>>>>>>
>>>>>> Thanks for any help

-------------------------------------------------
This message was scanned for viruses and dangerous
content by MailScanner, and no viruses were found
in this message.
-------------------------------------------------

From gdoris at rogers.com Tue Feb 10 18:44:02 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a
In-Reply-To: <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>
Message-ID: <35195.129.80.22.133.1076438642.squirrel@65.48.246.102>

I was just in the process of sending a note complimenting Julian for removing the bounce option when this message came in.

I've been receiving a flood of bogus bounces from all over the world. They are the result of emails from unknown users from my domain that have been faked by the MyDoom virus. Some still contained the virus. I'd hardly call falsely bouncing virus laden messages an example of a reliable transport medium.

A short time ago I had a spammer fake my domain as his sending address...I had so many bounces I had to close down my server until they died off!

The existing email transport system is inherently not reliable.

Gerry

From Mark.Warpool at BENCHMARK-USA.COM Tue Feb 10 18:44:27 2004
From: Mark.Warpool at BENCHMARK-USA.COM (Mark Warpool)
Date: Thu Jan 12 21:22:24 2006
Subject: Including original headers in reports
Message-ID: <93B43B0A099CFE4AB0AED9B54919346E256827@srv-btc-2k.corp.benchmark-usa.com>

I was originally against this idea. But after following this list, and considering the arguments, and more importantly, dealing with the onslaught of requests I've gotten from my users because they received a bounce from the recent MYDOOM virus (not from me, but someone else), I've seen the light. I agree with Julian, there are a lot better ways to deal with this, and I think in the end your customers/users will thank you for it. Most people don't understand what is going on when they get these messages, and it frustrates them. When you take that burden off of them, they're less worried about the rare message which is accidentally skipped or deleted, and more grateful for not having to deal with all the rest of it.

At least, that's been my experience.

Mark Warpool
Benchmark Technologies Corp

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Tuesday, February 10, 2004 1:04 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Including original headers in reports

At 17:54 10/02/2004, you wrote:
>At 11:54 AM 2/10/2004, you wrote:
>Please can you do a compromise like this:
>>In MailScanner.conf, set
>>Required SpamAssassin Score = 6
>>High SpamAssassin Score = 10
>>Spam Actions = deliver bounce
>>High Scoring Spam Actions = deliver
>>That way low scoring (possibly marginal, possibly incorrectly tagged) spam
>>gets bounced back to the sender. But if you are sure it is spam (believe
>>me, a score of 10 will guarantee that!) then you don't bounce it.
>>
>>Fortunately, with the latest version, even this isn't an option as I have
>>removed the "bounce" spam action completely.
>>
>>If the message had a virus in it, then by default the recipient would still
>>get the message (with the virus removed) and so would know that the client
>>sent them an email.
>
>Well Julian, we already do this. If a message is off the chart, there is
>absolutely no sense in us bouncing it. That would be
>crazy.
>
>So in the latest version you've removed the bounce option? Ouch...

I believe there are better solutions to the problem, such as "deliver attachment" or "notify" so the recipient makes the decision as to what to do with the message. I will only put the "bounce" option back in if there is an absolute outcry about it, which there isn't. The outcry is for stopping people bouncing spam as the sender address is always faked so some innocent soul gets inundated with warning messages about stuff they never sent. I have to deal with a lot of these people, as they contact me for help. This takes a fair amount of my time, so I am strongly against anything that wastes my time. You guys don't have to deal with the fallout from this option, I do!

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mkettler at EVI-INC.COM Tue Feb 10 18:52:37 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com>
Message-ID: <6.0.0.22.0.20040210133708.01fbe0a0@xanadu.evi-inc.com>

At 01:09 PM 2/10/2004, Admin Team wrote:
>Julian, as opposed to "bouncing" a message, can we implement something to
>notify a sender politely that
>they *may* have sent an email to someone that did not get delivered and
>*IF* they do not know this person
>to disregard the message.

Unfortunately this just ignores the underlying problem of bounces and just replaces it with something with a different name. If nothing else, your suggested change makes life HARDER for the victims of Joe jobs because the message now doesn't even look like a bounce and can't be procmailed out as easily. (Imagine receiving thousands of "notifications" per hour in hundreds of different formats. Ouch.)

To explain a bit, the fundamental problem with post-delivery bounces and notifications is the DDoS that results from thousands of domains sending hundreds of thousands of notifications to forged addresses that spammers use. It's not the content of the message that's a problem, it's the number of them and the vast number of sources they all come from.

Post delivery bounces, notifications, etc are a very BAD thing for those on the receiving end of a joe job. They make a bad situation significantly worse. In the case of spam notifications, you already know there's at least a 99% chance that you're sending email to a joe job victim, so why are you sending it in the first place?

Really, there are other ways to handle the 1% of the spam-matches that are false positives without abusing 99% of the rest of the world. Use an SMTP layer 550, tag it, quarantine it, or whatever. But don't generate post-delivery bounces, notices, or whatever name you want to call them.

From sysadmins at ENHTECH.COM Tue Feb 10 18:54:58 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <1076438404.40292584d0e3a@webmail.MUW.Edu>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> <1076438404.40292584d0e3a@webmail.MUW.Edu>
Message-ID: <6.0.2.0.0.20040210135103.02629588@mail.enhtech.com>

At 01:40 PM 2/10/2004, you wrote:
>I support Julian's decision of removing the "Bounce" option. To ask for this
>option knowing that 99% of the time you're notifying the wrong sender is
>outrageous!!! ...
>
>I respectfully object to the point that was made about e-mail "reliability" by
>enabling "Bounce". I think all you're doing is saturating the Internet with
>junk and costing other MTAs valuable resources and creating confusion.
>Do you call this "reliable"?
>Bouncing too many messages may even force some other MTAs to block your
>server to stop the excessive bounces. Do you call this "reliable"?
>
>I have been running MS to thousands of my users for 2 years now. Our users are
>extremely happy, less confused, and trust our service. There are other ways
>that Julian made available to accomplish what you are trying to do
>without "Bouncing" messages all over the Internet.
>
>If you look at the whole picture, you will see Julian's point ...
>Create a patch that more fits your needs and be done with it!!!
>
>Marco

Well can we agree that it is not the bounce, but the contents of the bounce? For example, a message that says "You are a spammer that sent a message to user@domain.com We do not accept unsolicited mail and blah blah blah" as opposed to a message that says "A message to user@domain.com that apparently came from your email address was not received. If you are indeed the sender, please find an alternate means of communicating with the user. Otherwise please disregard this message". That sounds a lot better than the first one.

Errol Neal

From sysadmins at ENHTECH.COM Tue Feb 10 19:00:06 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.3.0.2.20040210182713.044efeb0@imap.ecs.soton.ac.uk>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> <6.0.3.0.2.20040210182713.044efeb0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.2.0.0.20040210135832.02643ab8@mail.enhtech.com>

At 01:31 PM 2/10/2004, you wrote:
>That way the recipient can quickly skip
>through all the labelled spam, but they have the option to check all of it
>is correctly tagged.

Yea, they also get to see all the nice lower scoring porn. *sigh*. I give up. Thanks for at least hearing me out.

Regards,

Errol Neal

From ugob at CAMO-ROUTE.COM Tue Feb 10 19:04:23 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108CA@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Admin Team [mailto:sysadmins@ENHTECH.COM]
> Sent: Tuesday, February 10, 2004 2:00 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: For those of us that feel strongly that email should be a
> reliable transport medium.
>
>
> At 01:31 PM 2/10/2004, you wrote:
> >That way the recipient can quickly skip
> >through all the labelled spam, but they have the option to
> check all of it
> >is correctly tagged.
> >
> >
> >--
> >Julian Field
> >www.MailScanner.info
> >Professional Support Services at www.MailScanner.biz
> >MailScanner thanks transtec Computers for their support
> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> Yea, they also get to see all the nice lower scoring porn.

Not if you use the 'notify' option.

Ugo

> *sigh*. I give
> up. Thanks for at least hearing me out.
>
>
> Regards,
>
> Errol Neal
>

From marco at MUW.EDU Tue Feb 10 19:25:13 2004
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.2.0.0.20040210135832.02643ab8@mail.enhtech.com>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> <6.0.3.0.2.20040210182713.044efeb0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210135832.02643ab8@mail.enhtech.com>
Message-ID: <1076441113.402930199d9e9@webmail.MUW.Edu>

Quoting Admin Team :

> Yea, they also get to see all the nice lower scoring porn. *sigh*. I give
> up. Thanks for at least hearing me out.

Exactly :)

There is always a trade-off between security and convenience as you might
know. There is a price for fighting spam/viruses. Sometimes this price is
tangible and other times it is not. What works for me may not exactly work
for everyone. However, we all share a common goal "fighting spam/viruses"
and hopefully make the Internet "safer" for our users.

I think your job as a skilled admin is to find that fine-line where you can
satisfy a host of variables...You can never make everyone happy, right
Julian???

Marco

From mailscanner at ecs.soton.ac.uk Tue Feb 10 19:21:30 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629274108CA@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629274108CA@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <6.0.3.0.2.20040210191830.03bf4ec0@imap.ecs.soton.ac.uk>

At 19:04 10/02/2004, you wrote:
> > -----Original Message-----
> > From: Admin Team [mailto:sysadmins@ENHTECH.COM]
> > Sent: Tuesday, February 10, 2004 2:00 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: For those of us that feel strongly that email should be a
> > reliable transport medium.
> >
> >
> > At 01:31 PM 2/10/2004, you wrote:
> > >That way the recipient can quickly skip
> > >through all the labelled spam, but they have the option to
> > check all of it
> > >is correctly tagged.
> > >
> > >
> > >--
> > >Julian Field
> > >www.MailScanner.info
> > >Professional Support Services at www.MailScanner.biz
> > >MailScanner thanks transtec Computers for their support
> > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> > Yea, they also get to see all the nice lower scoring porn.
>
>Not if you use the 'notify' option.

This case is one of the main exact reasons I provide this option. They
don't have to look at the message at all.

I have still not seen any response to my proposal that you are confusing
the two issues involved. If you want to have this out properly, then
please reply to the proposals that are put to you. "*sigh*" doesn't do
your argument any good, you are admitting defeat rather than coming to a
compromise that satisfies all involved.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 19:17:51 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:24 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.2.0.0.20040210135832.02643ab8@mail.enhtech.com>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> <6.0.3.0.2.20040210182713.044efeb0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210135832.02643ab8@mail.enhtech.com>
Message-ID: <6.0.3.0.2.20040210191634.03bf4d38@imap.ecs.soton.ac.uk>

At 19:00 10/02/2004, you wrote:
>At 01:31 PM 2/10/2004, you wrote:
>>That way the recipient can quickly skip
>>through all the labelled spam, but they have the option to check all of it
>>is correctly tagged.
>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>Yea, they also get to see all the nice lower scoring porn. *sigh*. I give
>up. Thanks for at least hearing me out.

No they don't. They set up their own email filters to put all the spam in
an "AutoSpam" folder. Once in a while they go through the folder checking
the "From:" and "Subject:" looking for false positives. That doesn't
involve looking at the contents of each message at all.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 10 19:01:39 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.2.0.0.20040210135103.02629588@mail.enhtech.com>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk> <6.0.2.0.0.20040210130119.026524a0@mail.enhtech.com> <1076438404.40292584d0e3a@webmail.MUW.Edu> <6.0.2.0.0.20040210135103.02629588@mail.enhtech.com>
Message-ID: <6.0.3.0.2.20040210185923.03899e00@imap.ecs.soton.ac.uk>

At 18:54 10/02/2004, you wrote:
>At 01:40 PM 2/10/2004, you wrote:
>>I support Julian's decision of removing the "Bounce" option. To ask for this
>>option knowingly that 99% of the time you're notifying the wrong sender is
>>outrageous!!! ...
>>
>>I respectfully object to the point was made about e-mail "reliability" by
>>enabling "Bounce". I think all you're doing is saturating the Internet with
>>junk and costing other MTAs valuable resources and creating confusion.
>>Do you call this "reliable"?
>>Bouncing too many messages may even force some other MTAs to block your
>>server to stop the excessive bounces. Do you call this "reliable"?
>>
>>I have been running MS to thousands of my users for 2 years now. Our
>>users are
>>extremely happy, less confused, and trust our service. There are other ways
>>that Julian made available to accomplish what you are trying to do
>>without "Bouncing" messages all over the Internet.
>>
>>If you look at the whole picture, you will see Julian's point ...
>>Create a patch that more fits your needs and be done with !!!
>>
>>Marco
>
>
>
>Well can we agree that it is not the bounce, but the contents of the
>bounce? For example, a message that says
>"You are a spammer that sent a message to user@domain.com We do not accept
>unsolicited mail and blah blah blah"
>as opposed to a message that says "A message to user@domain.com that
>apparently came from your email address was
>not received. If you are indeed the sender, please find an alternate means
>of communicating with the user. Otherwise please disregard this message".
>That sounds a lot better than the first one.

It's not the contents that are the problem, it's the quantity. Have you
ever been on the receiving end of a joe-job attack? Or have
you ever been the software author that has to put up with the personal
abuse and physical threats mailed to you every week by the poor innocent
victims of joe-jobs?

I think your stance might change *real* fast if you had to
deal with this.
If you like, I'll start redirecting all my abusive email to you :-)
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lists at TRCINTL.COM Tue Feb 10 19:26:47 2004
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:22:25 2006
Subject: Mydoom Virus getting Through
Message-ID:

I have been running MailScanner for quite some time and it has successfully
found literally thousands of e-mails infected with the Mydoom virus, as
well as many others. However, I have noticed that every now and then for
whatever reason one seems to slip through MailScanner. The reason I know
this is that my mail is first scanned with MailScanner (using eTrust
Antivirus 7.0) and then it is sent on to another machine running TrendMicro
InterScan VirusWall (I had that in place before MailScanner).

On about 4 occasions since the outbreak of Mydoom, a copy of the virus has
made it through MailScanner undetected and has then been caught by the
TrendMicro product. I had it happen several times already today. I
checked the e-mail ID and I see in the log on MailScanner where it passed
through without a hitch.

I seem to recall someone posting something earlier about this occurring
while using the Sophos antivirus product. I just thought this might be
something to take note of. By the way, I am currently using MailScanner
version 4.26.8 and my virus signatures are up to date. TrendMicro
InterScan VirusWall reports the e-mail messages in question as having
Mydoom.A.

From mailscanner at ecs.soton.ac.uk Tue Feb 10 19:32:42 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:25 2006
Subject: Mydoom Virus getting Through
In-Reply-To:
References:
Message-ID: <6.0.3.0.2.20040210193152.03c02cb0@imap.ecs.soton.ac.uk>

At 19:26 10/02/2004, you wrote:
>I have been running MailScanner for quite some time and it has successfully
>found literally thousands of e-mails infected with the Mydoom virus, as
>well as many others. However, I have noticed that every now and then for
>whatever reason one seems to slip through MailScanner. The reason I know
>this is that my mail is first scanned with MailScanner (using eTrust
>Antivirus 7.0) and then it is sent on to another machine running TrendMicro
>InterScan VirusWall (I had that in place before MailScanner).
>
>On about 4 occasions since the outbreak of Mydoom, a copy of the virus has
>made it through MailScanner undetected and has then been caught by the
>TrendMicro product. I had it happen several times already today. I
>checked the e-mail ID and I see in the log on MailScanner where it passed
>through without a hitch.
>
>I seem to recall someone posting something earlier about this occurring
>while using the Sophos antivirus product. I just thought this might be
>something to take note of. By the way, I am currently using MailScanner
>version 4.26.8 and my virus signatures are up to date. TrendMicro
>InterScan VirusWall reports the e-mail messages in question as having
>Mydoom.A.

Can you set "Quarantine Whole Message = yes" and send me the quarantined
copy of one that gets through please? You will need to put it in a
password-protected zip file to get to me.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From james at DENY.ORG Tue Feb 10 19:32:40 2004
From: james at DENY.ORG (James Sizemore)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk>
References: <40290C0F.6080306@deny.org> <6.0.1.1.2.20040210171107.03c99ab0@imap.ecs.soton.ac.uk>
Message-ID: <402931D8.5030803@deny.org>

Julian Field wrote:

> At 16:51 10/02/2004, you wrote:
>
> Why not just use
>
> Spam Actions = deliver
> or
> Spam Actions = deliver attachment
> or
> Spam Actions = notify store
>
> That way your recipients don't have to wade through anything, all your
> incoming email is stored and people can get at messages that were wrongly
> tagged very easily.

My setup is an ISP setup, very high volume: deliver, deliver attachment,
and notify all still put hundreds of emails in POP mailboxes that users
have to download over 28.8 baud links. The number of support calls we get
because some users' email client can't handle this (always Outlook or
Outlook Express) eats up real money.

As I scan mail for hundreds of domains I'm not sure how long I would be
able to "store" email for. I take in hundreds of emails a second, maybe a
few days' worth. Not to mention I would have to train thousands of users on
how to pick up these stored messages! I'm not even sure how I would go
about authenticating the users of the corporate customers that use us as an
email gateway for incoming mail!

>
> I appreciate your point, and I am aware of your position. But bouncing
> spam
> is not the correct answer to it, there are many other superior
> solutions to
> the problem, that don't cause grief to everyone else on the net.

I also appreciate your point of view, but I'm not worried about
bouncing the spam
I'm worried about bouncing that one message in a thousand that is a
false positive.
The one that winds me up on the phone with an irate customer because
his stock
quote did not get acknowledged, and a $5000 dollar a month customer is
threatening
to find another ISP over a few emails! I would love to hear of these
"superior
solutions" but from what I can tell the only real solution is to bounce,
every other
solution has serious down sides. Or causes thousands of users to jump
through
hoops deleting mail they never wanted to begin with!

>
>
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Feb 10 19:37:22 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:25 2006
Subject: Mydoom Virus getting Through
In-Reply-To:
Message-ID: <008001c3f00d$4dc40940$0501a8c0@darkside>

>I seem to recall someone posting something earlier about this occurring
>while using the Sophos antivirus product. I just thought this might be
>something to take note of. By the way, I am currently using
>MailScanner
>version 4.26.8 and my virus signatures are up to date. TrendMicro
>InterScan VirusWall reports the e-mail messages in question as having
>Mydoom.A.

There are issues with some MTAs bouncing MyDoom with munged-up
MIME attachments, making it difficult for email virus scanners
to detect. I honestly don't know if this is the domain of the
anti-virus product or MailScanner (or its equivalent.)

Also, I've gotten quite a few through Mailscanner + Sophos as
well, but when examined the attachments were 0 bytes. This may
not be the case with you, but in my case it wasn't being detected
because there was nothing to detect.

It's possible that Trend sees something in the message itself (as
opposed to the attachment) and calls it "MyDoom" even though it's
not executable.

I would also recommend adding clamav to your setup. It's free and
very, very good -- if one doesn't hit the other probably will.

YMMV, of course.

HTH,

--J(K)

From sysadmins at ENHTECH.COM Tue Feb 10 19:48:52 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.3.0.2.20040210191830.03bf4ec0@imap.ecs.soton.ac.uk>
References: <54C38A0B814C8E438EF73FC76F3629274108CA@mtlnt501fs.CAMOROUTE.COM> <6.0.3.0.2.20040210191830.03bf4ec0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.2.0.0.20040210142958.02646e30@mail.enhtech.com>

At 02:21 PM 2/10/2004, you wrote:

>I have still not seen any response to my proposal that you are confusing
>the two issues involved. If you want to have this out properly, then
>please reply to the proposals that are put to you. "*sigh*" doesn't do
>your argument any good, you are admitting defeat rather than coming to a
>compromise that satisfies all involved.
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

My sigh is out of frustration and for the work that is coming for me. When
we discovered MailScanner and started using it and offering it to our
clients, we quickly learned what worked and what did not work with our
client base. Based upon what we learned we implemented standards and
procedures around that. Since we have very high profile clients who rely
upon email being delivered to them in a timely manner, they required some
sort of assurance in this respect. So we implemented procedures where we
bounce lower scoring SPAM so as to notify senders in case one sender's was
an actual valid email address with good intentions. Now that you've changed
things, I need to figure out other procedures that may not work for my
client base, and in our company philosophy, you don't tell the client how
you are going to inconvenience them. Businesses that do this don't stay in
business very long.
And please let me be clear Julian that you have every right to modify your
software. I'm not the least bit upset about that nor am I challenging your
authority to do so. However, what is funny to me is that the bounce option
is just that. It's an option. For those of you not wishing to use it, don't
do so. Now it is not an option any more but forcing people to change and
modify their policies and procedures.

So to answer your question, the way you guarantee delivery of email to your
users is different than I do. My customers appreciate the lack of technical
knowledge their users have to possess because of our services. This way
they can focus on running their business operations. They appreciate that
they do not have to filter messages and receive notifications.

Errol Neal

From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 10 19:49:25 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
Message-ID: <08146035CA49D6119A36009027AC822A0264EDEF@CITY-EXCH-NTS>

>-----Original Message-----
>It's not the contents that are the problem, it's the quantity. Have you
>ever been on the receiving end of a joe-job attack? Or have
>you ever been the software author that has to put up with the personal
>abuse and physical threats mailed to you every week by the poor innocent
>victims of joe-jobs?

Don't get me wrong, as I fully agree w/you Julian, but I wonder if the
default footer in the reports isn't somewhat to blame. I went through all
of mine and put in stuff that pertains to my domain, and postmaster
address. It may be though that some newcomers to MailScanner leave the
default verbiage in there, thus ensuring that it looks at first blush like
MailScanner the "entity" is doing the filtering, not MailScanner the
program running on a gazillion different mail hosts all over the planet.
Sorta like Postini does.

So here's a feature request: Make the reports footer a macro. Then, the
MailScanner administrators can just rewrite that info once, and have it
appear in all reports. This would also make upgrades a lot easier as we
wouldn't get .rpmnew copies sitting there which are identical except for
the footer. You, of course, *might* see a degradation of wayward ire over
time as people put postmaster@theirdomain in the footer rather than a
bunch of stuff that targets MailScanner.

>I think your stance might change *real* fast if you had to
>deal with this.
>If you like, I'll start redirecting all my abusive email to you :-)

Now there's an option!

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.
Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From sysadmins at ENHTECH.COM Tue Feb 10 19:51:28 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:25 2006
Subject: Mydoom Virus getting Through
In-Reply-To:
References:
Message-ID: <6.0.2.0.0.20040210145012.02512238@mail.enhtech.com>

At 02:26 PM 2/10/2004, you wrote:
>I have been running MailScanner for quite some time and it has successfully
>found literally thousands of e-mails infected with the Mydoom virus, as
>well as many others. However, I have noticed that every now and then for
>whatever reason one seems to slip through MailScanner. The reason I know
>this is that my mail is first scanned with MailScanner (using eTrust
>Antivirus 7.0) and then it is sent on to another machine running TrendMicro
>InterScan VirusWall (I had that in place before MailScanner).
>
>On about 4 occasions since the outbreak of Mydoom, a copy of the virus has
>made it through MailScanner undetected and has then been caught by the
>TrendMicro product. I had it happen several times already today. I
>checked the e-mail ID and I see in the log on MailScanner where it passed
>through without a hitch.
>
>I seem to recall someone posting something earlier about this occurring
>while using the Sophos antivirus product. I just thought this might be
>something to take note of. By the way, I am currently using MailScanner
>version 4.26.8 and my virus signatures are up to date. TrendMicro
>InterScan VirusWall reports the e-mail messages in question as having
>Mydoom.A.

I know this is obvious for some, but still. Check your original message
headers if you can. If your final SMTP server is not
protected from the Internet, it may be open to receive messages that were
not routed through MX records. We are seeing
some of this lately.

Regards,

Errol Neal

From Mark.Warpool at BENCHMARK-USA.COM Tue Feb 10 19:52:28 2004
From: Mark.Warpool at BENCHMARK-USA.COM (Mark Warpool)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
Message-ID: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com>

> From: James Sizemore [mailto:james@DENY.ORG]
> Sent: Tuesday, February 10, 2004 2:33 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: For those of us that feel strongly that email should be a
> reliable transport medium.
>
>
> I also appreciate your point of view, but I'm not worried about
> bouncing the spam
> I'm worried about bouncing that one message in a thousand that is a
> false positive.
> The one that winds me up on the phone with an irate customer because
> his stock
> quote did not get acknowledged, and a $5000 dollar a month customer is
> threatening
> to find another ISP over a few emails! I would love to hear of these
> "superior
> solutions" but from what I can tell the only real solution is to bounce,
> every other
> solution has serious down sides. Or causes thousands of users to jump
> through
> hoops deleting mail they never wanted to begin with!

No offense, but this sounds rather self-serving. "I don't care who I
damage, as long as my bottom line is safe." I'm not a MailScanner
expert here, but I'd be willing to bet that someone could come up with
an alternate solution that would be a decent compromise. But
'reverse-spamming' everyone else so that you have no chance of upsetting
your customers seems a little selfish.

From lists at TRCINTL.COM Tue Feb 10 19:58:56 2004
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:22:25 2006
Subject: Mydoom Virus getting Through
Message-ID:

On Tue, 10 Feb 2004 14:51:28 -0500, Admin Team wrote:

>At 02:26 PM 2/10/2004, you wrote:
>>I have been running MailScanner for quite some time and it has successfully
>>found literally thousands of e-mails infected with the Mydoom virus, as
>>well as many others. However, I have noticed that every now and then for
>>whatever reason one seems to slip through MailScanner. The reason I know
>>this is that my mail is first scanned with MailScanner (using eTrust
>>Antivirus 7.0) and then it is sent on to another machine running TrendMicro
>>InterScan VirusWall (I had that in place before MailScanner).
>>
>>On about 4 occasions since the outbreak of Mydoom, a copy of the virus has
>>made it through MailScanner undetected and has then been caught by the
>>TrendMicro product. I had it happen several times already today. I
>>checked the e-mail ID and I see in the log on MailScanner where it passed
>>through without a hitch.
>>
>>I seem to recall someone posting something earlier about this occurring
>>while using the Sophos antivirus product. I just thought this might be
>>something to take note of. By the way, I am currently using MailScanner
>>version 4.26.8 and my virus signatures are up to date. TrendMicro
>>InterScan VirusWall reports the e-mail messages in question as having
>>Mydoom.A.
>
>I know this is obvious for some, but still. Check your original message
>headers if you can. If your final SMTP server is not
>protected from the Internet, it may be open to receive messages that were
>not routed through MX records. We are seeing
>some of this lately.

The messages in question never get to the final SMTP server (which, by the
way is protected from the Internet). The messages in question are clearly
going through MailScanner, but thanks anyway.

>
>
>Regards,
>
>Errol Neal

From lists at TRCINTL.COM Tue Feb 10 20:04:31 2004
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:22:25 2006
Subject: Mydoom Virus getting Through
Message-ID:

On Tue, 10 Feb 2004 19:32:42 +0000, Julian Field wrote:

>At 19:26 10/02/2004, you wrote:
>>I have been running MailScanner for quite some time and it has successfully
>>found literally thousands of e-mails infected with the Mydoom virus, as
>>well as many others. However, I have noticed that every now and then for
>>whatever reason one seems to slip through MailScanner. The reason I know
>>this is that my mail is first scanned with MailScanner (using eTrust
>>Antivirus 7.0) and then it is sent on to another machine running TrendMicro
>>InterScan VirusWall (I had that in place before MailScanner).
>>
>>On about 4 occasions since the outbreak of Mydoom, a copy of the virus has
>>made it through MailScanner undetected and has then been caught by the
>>TrendMicro product. I had it happen several times already today. I
>>checked the e-mail ID and I see in the log on MailScanner where it passed
>>through without a hitch.
>>
>>I seem to recall someone posting something earlier about this occurring
>>while using the Sophos antivirus product. I just thought this might be
>>something to take note of. By the way, I am currently using MailScanner
>>version 4.26.8 and my virus signatures are up to date. TrendMicro
>>InterScan VirusWall reports the e-mail messages in question as having
>>Mydoom.A.
>
>Can you set "Quarantine Whole Message = yes" and send me the quarantined
>copy of one that gets through please? You will need to put it in a
>password-protected zip file to get to me.

I would be more than happy to do this as I have already received two more
since I posted this, but won't it only quarantine something if it finds a
virus in it? Since MailScanner is not finding anything wrong with the
messages in question, it is sending them on.

Kyle H.
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From sysadmins at ENHTECH.COM Tue Feb 10 20:05:38 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com>
References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com>
Message-ID: <6.0.2.0.0.20040210145851.02640e50@mail.enhtech.com>

At 02:52 PM 2/10/2004, you wrote:

>No offense, but this sounds rather self-serving. "I don't care who I
>damage, as long as my bottom line is safe." I'm not a MailScanner
>expert here, but I'd be willing to bet that someone could come up with
>an alternate solution that would be a decent compromise. But
>'reverse-spamming' everyone else so that you have no chance of upsetting
>your customers seems a little selfish.

No offense, but I cannot help but laugh to some extent. As a business
owner, (not this company) I have to think
not just at a technical level but at a level that involves good business
sense. For any business, the customers
are what matters. Without them, why the heck are we in business? What is a
product or service without a user? The answer
is IT is and will be nothing. So yes, it does sound self serving because it
is. It serves the best interests of our clients
and they are the reason we are in business. IF, any of the CEOs or CFOs of
your companies were a client of my company's and
subscribed to our services. IF, they received a time sensitive email
message involving lots of money and did not get the message due
to the fact that the message was destroyed and no sender was notified,
guess who your CEOs and CFOs would hold
liable? Can anyone say lawsuit?

Errol Neal

From garry at GLENDOWN.DE Tue Feb 10 20:07:45 2004
From: garry at GLENDOWN.DE (Garry Glendown)
Date: Thu Jan 12 21:22:25 2006
Subject: Mydoom Virus getting Through
In-Reply-To:
References:
Message-ID: <40293A11.30909@glendown.de>

Kyle Harris wrote:

> I would be more than happy to do this as I have already received two more
> since I posted this, but won't it only quarantine something if it finds a
> virus in it? Since MailScanner is not finding anything wrong with the
> messages in question, it is sending them on.

If it is getting through, all you need to do is just export the whole
message with all headers ... no need for the quarantine ...

-gg

From steve.swaney at FSL.COM Tue Feb 10 20:24:11 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.2.0.0.20040210145851.02640e50@mail.enhtech.com>
Message-ID: <20040210202412.443DA21C14A@mail.fsl.com>

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Admin Team
> Sent: Tuesday, February 10, 2004 3:06 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: For those of us that feel strongly that email should be a
> reliable transport medium.
>
> At 02:52 PM 2/10/2004, you wrote:
>
> >No offense, but this sounds rather self-serving. "I don't care who I
> >damage, as long as my bottom line is safe." I'm not a MailScanner
> >expert here, but I'd be willing to bet that someone could come up with
> >an alternate solution that would be a decent compromise. But
> >'reverse-spamming' everyone else so that you have no chance of upsetting
> >your customers seems a little selfish.
>
> No offense, but I cannot help but laugh to some extent. As a business
> owner, (not this company) I have to think
> not just at a technical level but at a level that involves good business
> sense. For any business, the customers
> are what matters. Without them, why the heck are we in business? What is
> a
> product or service without a user? The answer
> is IT is and will be nothing. So yes, it does sound self serving because
> it
> is. It serves the best interests of our clients
> and they are the reason we are in business. IF, any of the CEOs or CFOs
> of
> your companies were a client of my company's and
> subscribed to our services. IF, they received a time sensitive email
> message involving lots of money and did not get the message due
> to the fact that the message was destroyed and no sender was notified,
> guess who your CEOs and CFOs would hold
> liable? Can anyone say lawsuit?
>

I know this is way, way off topic but I just can't resist.

Email is and should be considered as a reliable but not guaranteed message
delivery system. If your lawyer or banking clients are using email for
critical document delivery, they should probably re-think that practice.
I can tell you from personal experience with Wall Street Banking firms that if a broker ever sent a buy-sell order or other type of exchange that certifies a fund transfer via email he or she would be subject to severe disciplinary action. It is forbidden. The banks I've worked for legally consider email a totally insecure, not 100% guaranteed delivery, "business convenience" - and try to treat it accordingly. Good lawyers treat email the same way. Steve > Errol neal > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Fortress Systems Ltd. www.fsl.com From mailscanner at ecs.soton.ac.uk Tue Feb 10 20:44:18 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:25 2006 Subject: Mydoom Virus getting Through In-Reply-To: References: Message-ID: <6.0.3.0.2.20040210204323.03d347a0@imap.ecs.soton.ac.uk> At 20:04 10/02/2004, you wrote: >On Tue, 10 Feb 2004 19:32:42 +0000, Julian Field > wrote: > > >At 19:26 10/02/2004, you wrote: > >>I have been running MailScanner for quite some time and it has >successfully > >>found literally thousands of e-mail's infected with the Mydoom virus, as > >>well as many others. However, I have noticed that every now and then for > >>whatever reason one seems to slip through MailScanner. The reason I know > >>this is that my mail is first scanned with MailScanner (using eTrust > >>Antivirus 7.0) and then it is sent on to another machine running >TrendMicro > >>InterScan VirusWall (I had that in place before MailScanner). > >> > >>On about 4 occasions since the outbreak of Mydoom, a copy of the virus has > >>made it through MailScanner undetected and has then been caught by the > >>TrendMicro product. I had it happen several times already today. I > >>checked the e-mail ID and I see in the log on MailScanner where it passed > >>through without a hitch. > >> > >>I seem to recall someone posting something earlier about this occuring > >>while using the Sophos antivirus product. I just thought this might be > >>something to take note of. By the way, I am currently using MailScanner > >>version 4.26.8 and my virus signatures are up to date. TrendMicro > >>InterScan VirusWall reports the e-mail messages in question as having > >>Mydoom.A. > > > >Can you set "Quarantine Whole Message = yes" and send me the quarantined > >copy of one that get through please? You will need to put it in a > >password-protected zip file to get to me. > >I would be more than happy to do this as I have already received two more >since I posted this, but won't it only quarantine something if it finds a >virus in it? 
Since MailScanner is not finding anything wrong with the >messages in question, it is sending them on. Either dig out the message as finally delivered (lift it out of the mailbox completely intact) or just use "Archive Mail" to store absolutely everything until you know you've found one. Then switch off "Archive Mail" again. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dnsadmin at 1BIGTHINK.COM Tue Feb 10 20:46:00 2004 
From: dnsadmin at 1BIGTHINK.COM (DNSAdmin) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> Message-ID: <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> > > > > I also appreciate your point of view, but I'm not worried about > > bouncing the spam > > I'm worried about bouncing that one message in a thousand that is a > > false positive. > > The one that winds me up on the phone with an irate customer because > > his stock > > quote did not get acknowledged, and a $5000 dollar a month customer >is > > threating > > to find another ISP over a few emails! I would love to hear of these > > "superior > > solutions" but from what I can tell the only real solution is to >bounce, > > every other > > solution has serious down sides. Or causes thousands of users to jump > > through > > hoops deleting mail they never wanted to begin with! > >No offense, but this sounds rather self-serving. "I don't care who I >damage, as long as my bottom line is safe." I'm not a MailScanner >expert here, but I'd be willing to bet that someone could come up with >an alternate solution that would be a decent compromise. But >'reverse-spamming' everyone else so that you have no chance of upsetting >your customers seems a little selfish. Of course it is. But he's serving "high profile customers" whom obviously are more important than the rest of us slags! From james at DENY.ORG Tue Feb 10 20:46:27 2004 
From: james at DENY.ORG (James Sizemore) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com> Message-ID: <40294323.5020506@deny.org> Mark Warpool wrote: > >>every other >>solution has serious down sides. Or causes thousands of users to jump >>through >>hoops deleting mail they never wanted to begin with! >> >> > >No offense, but this sounds rather self-serving. "I don't care who I >damage, as long as my bottom line is safe." I'm not a MailScanner >expert here, but I'd be willing to bet that someone could come up with >an alternate solution that would be a decent compromise. But >'reverse-spamming' everyone else so that you have no chance of upsetting >your customers seems a little selfish. > > The need of the many, I think, outweighs the need of the one or the few. You want thousands of users to go through hundreds of emails a day they did not want, to save ten or fifteen poor slobs (and yes, I have been one of these poor slobs before) from getting a few thousand emails they did not want. The truth is BOTH of us are being selfish!!! We both just happen to be annoyed by different sides of the same problem. All things aside, I was not asking him to go against his best interest; I was finding out if enough people felt like me to make a public patch instead of just patching my own server and moving on. He was just trying to offer me other options. That's fine, I just wished he had an option I liked, but alas it was not so. From dustin.baer at IHS.COM Tue Feb 10 20:47:44 2004 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com> <6.0.2.0.0.20040210145851.02640e50@mail.enhtech.com> Message-ID: <40294370.EA5BE0D8@ihs.com> Admin Team wrote: > > IF, they received a time sensitive email > message involving lots of money and did not get the message due > to the fact that the message was destroyed and no sender was notified, > guess who you CEO's and CFO's would hold liable? How would CEO/CFO have received it, if it were bounced? What is your definition of time sensitive? I would be pretty annoyed if I was trying to do business with one of your CEOs or CFOs and sent them a message that bounced back to me with a message that it was spam. If there is something in there that caused a bounce, then how am I supposed to know how to format it "properly" to get the spamminess out of it? Do I call Mr. CFO and ask him? He will then have to call you. Personally, the fewer times a C.O has to call me to ask email questions, the happier I am. Just don't upgrade to the current version and you can bounce all you want. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From mailscanner at ecs.soton.ac.uk Tue Feb 10 20:56:36 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> Message-ID: <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> At 20:46 10/02/2004, you wrote: >Of course it is. But he's serving "high profile customers" whom obviously >are more important than the rest of us slags! Now now, people. Let's all remain calm and polite please... I think this thread is best considered closed for now. It's clearly a debate which is going to run and run, I may have to put the "bounce" option to a vote. But in the meantime, does anyone have any good ideas for a happy medium, such as enabling it but not documenting it, or producing a nasty log message if it is used, or something like that? All constructive ideas are most welcome. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 10 21:06:09 2004 
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a rel iable transport medium. Message-ID: <08146035CA49D6119A36009027AC822A0264EDF2@CITY-EXCH-NTS> Well, you could also generate an autobounce to local postmaster too - make 'em eat their own dogfood as the saying goes. No option to turn it off of course! Feeling ornery today. Must be something in the water... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Tuesday, February 10, 2004 11:57 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: For those of us that feel strongly that email should be a >reliable transport medium. > > >At 20:46 10/02/2004, you wrote: >>Of course it is. But he's serving "high profile customers" >whom obviously >>are more important than the rest of us slags! > >Now now, people. Let's all remain calm and polite please... > >I think this thread is best considered closed for now. >It's clearly a debate which is going to run and run, I may >have to put the >"bounce" option to a vote. >But in the meantime, does anyone have any good ideas for a >happy medium, >such as enabling it but not documenting it, or producing a nasty log >message if it is used, or something like that? >All constructive ideas are most welcome. >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From newslists at PESSIMISTS.NET Tue Feb 10 21:21:00 2004 
From: newslists at PESSIMISTS.NET (Andy Sutton) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> Message-ID: <1076448060.7678.6.camel@andy.pessimists.net> On Tue, 2004-02-10 at 15:56, Julian Field wrote: > But in the meantime, does anyone have any good ideas for a happy medium, > such as enabling it but not documenting it, or producing a nasty log > message if it is used, or something like that? > All constructive ideas are most welcome. > -- > Julian Field Don't know if it is possible, but have an option where you can list your hosted domains and then have an option to limit bounce messages to just those those domains in the TO/FROM. This would let providers inform their customers that something did not go through while not polluting the rest of the net. I think that this would make everyone (mostly) happy. My .02 Andy "I figure if I survive this thing... I can just about do anything I want. If I don't survive, I don't have to pay taxes anymore. So it's a win-win situation." Brian Walker, Project RUSH - X Prize Competitor From bpumphrey at WOODMACLAW.COM Tue Feb 10 21:20:18 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. Message-ID: I like the idea of it being there but not documented. Also have a good paragraph of what it will do, because It took me a little bit to catch on to the process of what a virus can do it the bounce it on. I just didn't realize it. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, February 10, 2004 3:57 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: For those of us that feel strongly that email should be a reliable transport medium. At 20:46 10/02/2004, you wrote: >Of course it is. But he's serving "high profile customers" whom obviously >are more important than the rest of us slags! Now now, people. Let's all remain calm and polite please... I think this thread is best considered closed for now. It's clearly a debate which is going to run and run, I may have to put the "bounce" option to a vote. But in the meantime, does anyone have any good ideas for a happy medium, such as enabling it but not documenting it, or producing a nasty log message if it is used, or something like that? All constructive ideas are most welcome. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dustin.baer at IHS.COM Tue Feb 10 21:18:33 2004 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> Message-ID: <40294AA9.BDF759F7@ihs.com> Julian Field wrote: > > At 20:46 10/02/2004, you wrote: > >Of course it is. But he's serving "high profile customers" whom obviously > >are more important than the rest of us slags! > > Now now, people. Let's all remain calm and polite please... This has been one of the most entertaining threads in the past couple of days! > I think this thread is best considered closed for now. > It's clearly a debate which is going to run and run, I may have to put the > "bounce" option to a vote. > But in the meantime, does anyone have any good ideas for a happy medium, > such as enabling it but not documenting it, or producing a nasty log > message if it is used, or something like that? > All constructive ideas are most welcome. How about forcing an additional header (X-%org-name%-MailScanner-bounce) to go along with the bounces? Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From ccampbell at BRUEGGERS.COM Tue Feb 10 21:23:13 2004 
From: ccampbell at BRUEGGERS.COM (Christian Campbell) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a rel iable transport medium. Message-ID: > All constructive ideas are most welcome. Although I hate being on the receiving end of bounced messages that I didn't send, I feel that MailScanner should remain a configurable product and that SysAdmins should understand how to use the product. It sounds like there may be a, albeit small, business need for the 'bounce' option. That being said, I suggest that: 1) A STRONGLY worded warning be added in reference to using the 'bounce' option in the config file, and/or 2) It is not on by default (I know it's not now...), and/or 3) It must be enabled in more than one location to ensure the SysAdmin REALLY wants it enabled and that a newbie admin doesn't enable it by accident. and/or 4) Ability to restrict to certain domains. Just my suggestions. Flame away... ;) Christian From dnsadmin at 1BIGTHINK.COM Tue Feb 10 21:32:07 2004 
From: dnsadmin at 1BIGTHINK.COM (DNSAdmin) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> References: <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> Message-ID: <5.2.1.1.0.20040210161100.0639dbe8@mail.1bigthink.com> At 08:56 PM 2/10/2004 +0000, you wrote: >At 20:46 10/02/2004, you wrote: >>Of course it is. But he's serving "high profile customers" whom obviously >>are more important than the rest of us slags! MY apologies. I was responsible for that. I will politely sit down and shut up after I comment on Julian's reply. >Now now, people. Let's all remain calm and polite please... > >I think this thread is best considered closed for now. >It's clearly a debate which is going to run and run, I may have to put the >"bounce" option to a vote. >But in the meantime, does anyone have any good ideas for a happy medium, >such as enabling it but not documenting it, or producing a nasty log >message if it is used, or something like that? >All constructive ideas are most welcome. I hate the thought of bouncing spam and virii, as I have been on the receiving end as well. MailScanner software has been criticized solely on the fact that it allowed a 'bounce' of mail messages. Otherwise the software received rock-solid reviews. I agree with why Julian took it out. I wish it would not be put back in. However, since there are certainly other ways of bouncing mail for those determined to do so, you should probably just put it back in. I like Dustin's suggestion of the 'bounce' header. I like to know whom to look out for! Cheers! From mailscanner at ecs.soton.ac.uk Tue Feb 10 21:33:08 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <1076448060.7678.6.camel@andy.pessimists.net> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> <1076448060.7678.6.camel@andy.pessimists.net> Message-ID: <6.0.3.0.2.20040210212711.03ceb768@imap.ecs.soton.ac.uk> At 21:21 10/02/2004, you wrote: >On Tue, 2004-02-10 at 15:56, Julian Field wrote: > > But in the meantime, does anyone have any good ideas for a happy medium, > > such as enabling it but not documenting it, or producing a nasty log > > message if it is used, or something like that? > > All constructive ideas are most welcome. > > -- > > Julian Field > >Don't know if it is possible, but have an option where you can list your >hosted domains and then have an option to limit bounce messages to just >those those domains in the TO/FROM. This would let providers inform >their customers that something did not go through while not polluting >the rest of the net. I think that this would make everyone (mostly) >happy. That can already be done with rulesets. However... How about yet another configuration option: This would just apply to the spam "bounce" action. It would be a configuration option called something like "Enable Spam Bounces". Maybe the default configuration should point to a ruleset that defaults to no but has a sample line in it which switches it on for *@yourcustomer.com. The ruleset would have a strongly worded header at the top explaining why you shouldn't use it. But I would have to document the "bounce" action to make it clear why this extra configuration option existed. That way an administrator has to get an idea about rulesets before they can make this work. People wouldn't be able to turn it on by mistake. 
What do you think? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 10 21:35:53 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a rel iable transport medium. In-Reply-To: References: Message-ID: <6.0.3.0.2.20040210213533.04662db0@imap.ecs.soton.ac.uk> At 21:23 10/02/2004, you wrote: > > All constructive ideas are most welcome. > >Although I hate being on the receiving end of bounced messages that I didn't >send, I feel that MailScanner should remain a configurable product and that >SysAdmins should understand how to use the product. It sounds like >there may be a, albeit small, business need for the 'bounce' option. > >That being said, I suggest that: > >1) A STRONGLY worded warning be added in reference to using the 'bounce' >option in the config file, >and/or >2) It is not on by default (I know it's not now...), >and/or >3) It must be enabled in more than one location to ensure the SysAdmin >REALLY wants it enabled >and that a newbie admin doesn't enable it by accident. >and/or >4) Ability to restrict to certain domains. See my previous responses. Hopefully I have addressed most of your points. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 10 21:35:21 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <40294AA9.BDF759F7@ihs.com> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> <40294AA9.BDF759F7@ihs.com> Message-ID: <6.0.3.0.2.20040210213329.0467cee0@imap.ecs.soton.ac.uk> At 21:18 10/02/2004, you wrote: >How about forcing an additional header (X-%org-name%-MailScanner-bounce) >to go along with the bounces? I like that idea. That way people can autoblock mail if the header exists, if they so choose. Maybe call it "Spam Bounce Header". If it was left unset, it wouldn't be disabled but constructed automatically. That way you can't switch it off :-) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From hermit921 at YAHOO.COM Tue Feb 10 21:39:24 2004 
From: hermit921 at YAHOO.COM (hermit921) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <1076448060.7678.6.camel@andy.pessimists.net> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> <1076448060.7678.6.camel@andy.pessimists.net> Message-ID: <6.0.0.22.2.20040210133659.01e944a8@pop.mail.yahoo.com> At 01:21 PM 2/10/2004, Andy Sutton wrote: >On Tue, 2004-02-10 at 15:56, Julian Field wrote: > > But in the meantime, does anyone have any good ideas for a happy medium, > > such as enabling it but not documenting it, or producing a nasty log > > message if it is used, or something like that? > > All constructive ideas are most welcome. > > -- > > Julian Field > >Don't know if it is possible, but have an option where you can list your >hosted domains and then have an option to limit bounce messages to just >those those domains in the TO/FROM. This would let providers inform >their customers that something did not go through while not polluting >the rest of the net. I think that this would make everyone (mostly) >happy. > >My .02 > >Andy I like this idea. I still get warnings that we sent a virus (from non-existent users or machines here), and I keep trying to reply that the postmaster needs to restrict such messages to their own users. hermit921 From mailscanner at ecs.soton.ac.uk Tue Feb 10 21:44:03 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.0.22.2.20040210133659.01e944a8@pop.mail.yahoo.com> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> <1076448060.7678.6.camel@andy.pessimists.net> <6.0.0.22.2.20040210133659.01e944a8@pop.mail.yahoo.com> Message-ID: <6.0.3.0.2.20040210214321.0465a860@imap.ecs.soton.ac.uk> At 21:39 10/02/2004, you wrote: >At 01:21 PM 2/10/2004, Andy Sutton wrote: >>On Tue, 2004-02-10 at 15:56, Julian Field wrote: >> > But in the meantime, does anyone have any good ideas for a happy medium, >> > such as enabling it but not documenting it, or producing a nasty log >> > message if it is used, or something like that? >> > All constructive ideas are most welcome. >> >>Don't know if it is possible, but have an option where you can list your >>hosted domains and then have an option to limit bounce messages to just >>those those domains in the TO/FROM. This would let providers inform >>their customers that something did not go through while not polluting >>the rest of the net. I think that this would make everyone (mostly) >>happy. > > >I like this idea. I still get warnings that we sent a virus (from >non-existent users or machines here), and I keep trying to reply that the >postmaster needs to restrict such messages to their own users. I think we are just talking about spam here, not viruses as well. Viruses are already covered in the configuration file as it stands. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From newslists at PESSIMISTS.NET Tue Feb 10 21:50:52 2004 
From: newslists at PESSIMISTS.NET (Andy Sutton) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.3.0.2.20040210212711.03ceb768@imap.ecs.soton.ac.uk> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> <1076448060.7678.6.camel@andy.pessimists.net> <6.0.3.0.2.20040210212711.03ceb768@imap.ecs.soton.ac.uk> Message-ID: <1076449852.7678.12.camel@andy.pessimists.net> On Tue, 2004-02-10 at 16:33, Julian Field wrote: > How about yet another configuration option: > This would just apply to the spam "bounce" action. It would be a > configuration option called something like "Enable Spam Bounces". > > Maybe the default configuration should point to a ruleset that defaults to > no but has a sample line in it which switches it on for *@yourcustomer.com. > The ruleset would have a strongly worded header at the top explaining why > you shouldn't use it. But I would have to document the "bounce" action to > make it clear why this extra configuration option existed. > > That way an administrator has to get an idea about rulesets before they can > make this work. People wouldn't be able to turn it on by mistake. > > What do you think? > -- > Julian Field That would work for me, as long as the only bounce messages that are generated go to the admin's configured domains. It also raises the bar by having to actually read something and understand it. :-) Andy "I figure if I survive this thing... I can just about do anything I want. If I don't survive, I don't have to pay taxes anymore. So it's a win-win situation." Brian Walker, Project RUSH - X Prize Competitor From sevans at FOUNDATION.SDSU.EDU Tue Feb 10 21:50:49 2004 
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. Message-ID: <3A411846CD3C0D4CB3D8704F937353703E2915@be-00.foundation.sdsu.edu> And you might as well add an option to delete messages with the bounce header also. Steve Evans SDSU Foundation -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Tuesday, February 10, 2004 1:35 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: For those of us that feel strongly that email should be a reliable transport medium. At 21:18 10/02/2004, you wrote: >How about forcing an additional header >(X-%org-name%-MailScanner-bounce) to go along with the bounces? I like that idea. That way people can autoblock mail if the header exists, if they so choose. Maybe call it "Spam Bounce Header". If it was left unset, it wouldn't be disabled but constructed automatically. That way you can't switch it off :-) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Denis.Beauchemin at USHERBROOKE.CA Tue Feb 10 21:42:15 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.3.0.2.20040210212711.03ceb768@imap.ecs.soton.ac.uk> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> <1076448060.7678.6.camel@andy.pessimists.net> <6.0.3.0.2.20040210212711.03ceb768@imap.ecs.soton.ac.uk> Message-ID: <1076449335.12712.133.camel@dbeauchemin.sti.usherbrooke.ca> On Tue 10/02/2004 at 16:33, Julian Field wrote: > > How about yet another configuration option: > This would just apply to the spam "bounce" action. It would be a > configuration option called something like "Enable Spam Bounces". > > Maybe the default configuration should point to a ruleset that defaults to > no but has a sample line in it which switches it on for *@yourcustomer.com. > The ruleset would have a strongly worded header at the top explaining why > you shouldn't use it. But I would have to document the "bounce" action to > make it clear why this extra configuration option existed. > > That way an administrator has to get an idea about rulesets before they can > make this work. People wouldn't be able to turn it on by mistake. > > What do you think? Julian, It would be quite acceptable to me (I don't bounce anything). Denis PS: As always you find a way to satisfy everyone! 8-) -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From lindsay at pa.net Tue Feb 10 22:22:17 2004 
From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:22:25 2006 Subject: Local Relay patch for MS Message-ID: <1076451737.21285.26.camel@localhost.localdomain> Julian and fellow Mailscanneriers, Here is a patch which allows MailScanner to ignore ips acting as relays to your mailscanner server. For example, if you collect mail on a mx server and then relay it to a mailscanner server, you can specify your mx server as a local relay. Then, mailscanner will not report the mx server as the source of the message but rather the ip which connected to the mx. example: sender-> localrelay1 -> localrelay2 -> mailscanner mailscanner will report the sender's ip. if this happens: localrelay1 -> localrealy2 -> mailscanner mailscanner will report localrelay1 Would anyone else find this useful? Patch Detail: For now only postfix support is coded. I left debugging in so you can watch what its doing. I originally had the mailscanner.conf -> message object load in during Message.pm:new() but from what I recall, it wasn't running before .pm:ReadQF. Perhaps it should be moved to Postfix.pm:new(). Something like the following will work for the conf file. /etc/MailScanner/MailScanner.conf: # Local Relay Local Relay = 205.166.61.207 205.166.61.208 205.166.61.202 205.166.61.131 205.166.61.0/25 10.0.1.8/32 -- Lindsay Snider -------------- next part -------------- A non-text attachment was scrubbed... Name: localrelay.mailscanner.diff Type: text/x-patch Size: 2064 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040210/2cea8db7/localrelay.mailscanner.bin From lindsay at pa.net Tue Feb 10 22:22:17 2004 
From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:22:25 2006 Subject: Local Relay patch for MS Message-ID: <1076451737.21285.26.camel@localhost.localdomain> Julian and fellow Mailscanneriers, Here is a patch which allows MailScanner to ignore IPs acting as relays to your mailscanner server. For example, if you collect mail on a mx server and then relay it to a mailscanner server, you can specify your mx server as a local relay. Then, mailscanner will not report the mx server as the source of the message but rather the ip which connected to the mx. example: sender -> localrelay1 -> localrelay2 -> mailscanner mailscanner will report the sender's ip. if this happens: localrelay1 -> localrelay2 -> mailscanner mailscanner will report localrelay1 Would anyone else find this useful? Patch Detail: For now only postfix support is coded. I left debugging in so you can watch what it's doing. I originally had the mailscanner.conf -> message object load in during Message.pm:new() but from what I recall, it wasn't running before .pm:ReadQF. Perhaps it should be moved to Postfix.pm:new(). Something like the following will work for the conf file. /etc/MailScanner/MailScanner.conf: # Local Relay Local Relay = 205.166.61.207 205.166.61.208 205.166.61.202 205.166.61.131 205.166.61.0/25 10.0.1.8/32 -- Lindsay Snider -------------- next part -------------- A non-text attachment was scrubbed... Name: localrelay.mailscanner.diff Type: text/x-patch Size: 2092 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040210/2cea8db7/localrelay.mailscanner-0001.bin From michele at BLACKNIGHTSOLUTIONS.COM Tue Feb 10 22:24:25 2004 
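The relay-skipping behaviour described in the post above, as an added Python example; it is not Lindsay's patch (the attachment is not on this page) and not MailScanner code. It assumes Postfix-style Received headers listed newest first, with the top one written by the scanning host's own MTA; the function names, host names and non-relay addresses are constructed for illustration, and only the "Local Relay" value comes from the post.

```python
import ipaddress
import re

# Value of the "Local Relay" option exactly as given in the post.
LOCAL_RELAY_CONF = ("205.166.61.207 205.166.61.208 205.166.61.202 "
                    "205.166.61.131 205.166.61.0/25 10.0.1.8/32")

# Postfix writes "from HELO (rdns [ip])". HELO is chosen by the client, so
# only the bracketed address inside the parentheses is taken.
POSTFIX_FROM = re.compile(
    r"^from\s+\S+\s+\(\S+\s+\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)", re.I)


def parse_relays(conf_value):
    """Turn the space-separated option value into a list of networks."""
    return [ipaddress.ip_network(tok, strict=False) for tok in conf_value.split()]


def hop_ip(received):
    """Return the connecting IP recorded in one Received header, or None."""
    value = re.sub(r"\r?\n[ \t]+", " ", received)        # unfold continuation lines
    value = re.sub(r"^Received:\s*", "", value, flags=re.I)
    match = POSTFIX_FROM.search(value)
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def client_ip(received_headers, relays):
    """Walk the headers newest first and return the first non-relay IP.

    A header is only believed while every hop above it was a local relay,
    because only a local relay is trusted to have written the next header.
    If every hop is a local relay, the earliest relay is returned, matching
    the second case in the post.
    """
    last_relay = None
    for header in received_headers:
        ip = hop_ip(header)
        if ip is None:
            break          # unparsable hop: nothing below it can be trusted
        if not any(ip in net for net in relays):
            return ip      # first address outside the relay list
        last_relay = ip
    return last_relay


RELAYS = parse_relays(LOCAL_RELAY_CONF)

# Constructed sample: sender -> localrelay1 -> localrelay2 -> mailscanner.
# The last header is forged by the sender and claims a relay address.
RELAYED = [
    "Received: from relay2.example.net (relay2.example.net [10.0.1.8])\r\n"
    "\tby scanner.example.net (Postfix) with ESMTP id 4F1A2",
    "Received: from relay1.example.net (relay1.example.net [205.166.61.207])\r\n"
    "\tby relay2.example.net (Postfix) with ESMTP id 9C0D1",
    "Received: from mail.sender.example (unknown [198.51.100.23])\r\n"
    "\tby relay1.example.net (Postfix) with ESMTP id 77B30",
    "Received: from relay1.example.net (relay1.example.net [205.166.61.5])\r\n"
    "\tby mail.sender.example (Postfix) with ESMTP id 00001",
]

# Constructed sample: mail that originates on localrelay1 itself.
LOCAL_ORIGIN = RELAYED[:2] + [
    "Received: by relay1.example.net (Postfix, from userid 1001)\r\n\tid 5D2E9",
]

# Constructed sample: direct connection whose HELO and second header both
# claim relay addresses.
SPOOFED = [
    "Received: from [10.0.1.8] (unknown [203.0.113.9])\r\n"
    "\tby scanner.example.net (Postfix) with ESMTP id 1B2C3",
    RELAYED[1],
]

if __name__ == "__main__":
    for name, headers in (("relayed", RELAYED), ("local origin", LOCAL_ORIGIN),
                          ("spoofed", SPOOFED)):
        print(name, "->", client_ip(headers, RELAYS))
```

The walk stops at the first address outside the relay list, so a Received header inserted by the sender below that point is never consulted, even when it names a listed relay.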
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <1076449335.12712.133.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: If people want to bounce crap around the net and fill my inbox with junk that is their option. Please make sure that this is left off by default as we all get enough bounces from badly configured mail servers and / or gateway antivirus junk and we all know damn well that some people still think this is a good idea even though most people know damn well that 99.99% of the bounced emails are crappy viruses or spam with falsified headers of some type Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Denis Beauchemin > Sent: 10 February 2004 21:42 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] For those of us that feel strongly that email > should be a reliable transport medium. > > > On Tue 10/02/2004 at 16:33, Julian Field wrote: > > > > How about yet another configuration option: > > This would just apply to the spam "bounce" action. It would be a > > configuration option called something like "Enable Spam Bounces". > > > > Maybe the default configuration should point to a ruleset that > defaults to > > no but has a sample line in it which switches it on for > *@yourcustomer.com. > > The ruleset would have a strongly worded header at the top > explaining why > > you shouldn't use it. But I would have to document the "bounce" > action to > > make it clear why this extra configuration option existed. > > > > That way an administrator has to get an idea about rulesets > before they can > > make this work. People wouldn't be able to turn it on by mistake. > > > > What do you think? > > Julian, > > It would be quite acceptable to me (I don't bounce anything). > > Denis > PS: As always you find a way to satisfy everyone! 8-) > -- > Denis Beauchemin, analyst > Université de Sherbrooke, S.T.I. > T: 819.821.8000x2252 F: 819.821.8045 > From raymond at PROLOCATION.NET Tue Feb 10 22:25:24 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:25 2006 Subject: Local Relay patch for MS In-Reply-To: <1076451737.21285.26.camel@localhost.localdomain> Message-ID: Hi! > Julian and fellow Mailscanneriers, > Here is a patch which allows MailScanner to ignore ips acting as > relays to your mailscanner server. For example, if you collect mail on > a mx server and then relay it to a mailscanner server, you can specify > your mx server as a local relay. Then, mailscanner will not report the > mx server as the source of the message but rather the ip which connected > to the mx. > Something like the following will work for the conf file. > /etc/MailScanner/MailScanner.conf: > # Local Relay > Local Relay = 205.166.61.207 205.166.61.208 205.166.61.202 > 205.166.61.131 205.166.61.0/25 10.0.1.8/32 Cool! This would be nice for sendmail also. Would save some trouble. Care to have a look for sendmail also? Does the RBL part also check on the 'ip before' ? Bye, Raymond. From mailscanner at ecs.soton.ac.uk Tue Feb 10 22:25:28 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <3A411846CD3C0D4CB3D8704F937353703E2915@be-00.foundation.sd su.edu> References: <3A411846CD3C0D4CB3D8704F937353703E2915@be-00.foundation.sdsu.edu> Message-ID: <6.0.3.0.2.20040210222339.03e67808@imap.ecs.soton.ac.uk> That will mean the bounce header name will have to be fixed and non-configurable. Which may be a good thing anyway. Slightly worried that it opens up an attack route though. Someone could pile in mail containing the bounce header, and you would quietly delete it. So someone could DoS your mail servers without you being able to work out why. Not sure I want to do that. Thoughts? At 21:50 10/02/2004, you wrote: >And you might as well add an option to delete messages with the bounce >header also. > > >Steve Evans >SDSU Foundation > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Tuesday, February 10, 2004 1:35 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: For those of us that feel strongly that email should be a >reliable transport medium. > >At 21:18 10/02/2004, you wrote: > >How about forcing an additional header > >(X-%org-name%-MailScanner-bounce) to go along with the bounces? > >I like that idea. That way people can autoblock mail if the header >exists, if they so choose. Maybe call it "Spam Bounce Header". If it was >left unset, it wouldn't be disabled but constructed automatically. That >way you can't switch it off :-) >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz MailScanner thanks >transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD >E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dustin.baer at IHS.COM Tue Feb 10 22:41:52 2004 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. References: <3A411846CD3C0D4CB3D8704F937353703E2915@be-00.foundation.sdsu.edu> <6.0.3.0.2.20040210222339.03e67808@imap.ecs.soton.ac.uk> Message-ID: <40295E30.356665CC@ihs.com> Julian Field wrote: > > That will mean the bounce header name will have to be fixed and > non-configurable. Which may be a good thing anyway. Slightly worried that > it opens up an attack route though. Someone could pile in mail containing > the bounce header, and you would quietly delete it. So someone could DoS > your mail servers without you being able to work out why. Not sure I want > to do that. > Thoughts? Rules can be written at the MTA level that can discard on a particular header...with Sendmail, at least. Might be better to leave it up to the MTA to discard, rather than potentially opening yourself to DoS. > At 21:50 10/02/2004, you wrote: > >And you might as well add an option to delete messages with the bounce > >header also. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From lindsay at pa.net Tue Feb 10 22:47:05 2004 
From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:22:25 2006 Subject: Local Relay patch for MS In-Reply-To: References: Message-ID: <1076453224.21285.33.camel@localhost.localdomain> On Tue, 2004-02-10 at 17:25, Raymond Dijkxhoorn wrote: > Hi! > > > Julian and fellow Mailscanneriers, > > Here is a patch which allows MailScanner to ignore ips acting as > > relays to your mailscanner server. For example, if you collect mail on > > a mx server and then relay it to a mailscanner server, you can specify > > your mx server as a local relay. Then, mailscanner will not report the > > mx server as the source of the message but rather the ip which connected > > to the mx. > > > Something like the following will work for the conf file. > > /etc/MailScanner/MailScanner.conf: > > # Local Relay > > Local Relay = 205.166.61.207 205.166.61.208 205.166.61.202 > > 205.166.61.131 205.166.61.0/25 10.0.1.8/32 > > Cool! This would be nice for sendmail also. Would save some trouble. > Care to have a look for sendmail also? Yeah, I wouldn't mind writing the patch for sendmail. I don't have sendmail but it should be similar enough. Although almost rhetorical, would you then be up for testing it? Maybe we should also wait to see what Julian thinks in case he'd like to add this to the main distrib. > Does the RBL part also check on the > 'ip before' ? I'm not sure. I know message->{clientip} will be correct. I'll have to check what the RBL looks against. Perhaps Julian is the best to answer this. I'm out until tomorrow afternoon but when I get in, I'll check it out if someone else hasn't beat me to it. > > Bye, > Raymond. -- Lindsay Snider From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 10 22:49:24 2004 
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. Message-ID: <08146035CA49D6119A36009027AC822A0264EDF3@CITY-EXCH-NTS> >That will mean the bounce header name will have to be fixed and >non-configurable. Which may be a good thing anyway. Slightly >worried that it opens up an attack route though. Someone could > pile in mail containing the bounce header, and you would quietly >delete it. So someone could DoS your mail servers without you >being able to work out why. Not sure I want to do that. >Thoughts? Kind of a Pandora's box here, isn't it? Initial things that come to mind is a counter added that either writes its own log, or sticks it in the usual spot then add some parsing to check_mailscanner.pl (or whatever it's called - too lazy to look) and do a count at start/restart. If over, say, 100, then maybe it's a DoS and a notice sent to postmaster? It would have to be reset to 0 by check_mailscanner.pl if under the trigger level so we don't accumulate hits over time. Probably something Kevin Spicer could add to mailscanner-mrtg pretty easily if he was so inclined as well. A quick graphical interface is always jiffy. I'm probably just being thick, but I'm not sure if it's worth all the effort. I suspect that the majority of bounces I get aren't from sites running MailScanner, so most likely I'll rarely, if ever, see one of those headers. Since I don't bounce spam I'd never send one. Realistically, between doing a forward of spam to a holding account, and the use of whitelists I don't see why mail should be missed. Critical accounts would waltz in un-spammified and non-critical account messages would be easily retrieved by the users. But that's just me. I guess my vote would be to just leave the bounce option in place w/some really strong comments preceding on why it's a Really Bad Thing to enable it. Just my .02 worth... 
...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From raymond at PROLOCATION.NET Tue Feb 10 22:51:53 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:25 2006 Subject: Local Relay patch for MS In-Reply-To: <1076453224.21285.33.camel@localhost.localdomain> Message-ID: Hi! > > Cool! This would be nice for sendmail also. Would save some trouble. > > Care to have a look for sendmail also? > > Yeah, I wouldn't mind writing the patch for sendmail. I don't have > sendmail but it should be similar enough. Although almost rhetorical, > would you then be up for testing it? Maybe we should also wait to see > what Julian thinks in case he'd like to add this to the main distrib. If Julian wants to add it, sure, i do not only want to test it but will switch it on right away :-) > > Does the RBL part also check on the > > 'ip before' ? > I'm not sure. I know message->{clientip} will be correct. I'll have to > check what the RBL looks against. Perhaps Julian is the best to answer > this. I'm out until tomorrow afternoon but when I get in, I'll check it > out if someone else hasn't beat me to it. Julian ? Bye, Raymond. From Kevin_Miller at CI.JUNEAU.AK.US Tue Feb 10 22:58:20 2004 
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:25 2006 Subject: Local Relay patch for MS Message-ID: <08146035CA49D6119A36009027AC822A0264EDF4@CITY-EXCH-NTS> That would be handy, although you thought you could already do this after a fashion by setting the option to not scan messages that already have the MailScanner header. Looking through the conf file I can't find it - was it in another product? Essentially it was a header that said to skip scanning if it already had been as it was clean. Of course, a spammer could spoof that, but it doesn't seem all that profitable to do so, as my custom header value will differ from yours, so the spammer would have to know what they all were and target their spam accordingly. By the way Lindsey, you may want to reset your reply to address. It defaults back to you instead of the list. S'later... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 >-----Original Message----- 
>From: Lindsay Snider [mailto:lindsay@pa.net] >Sent: Tuesday, February 10, 2004 1:47 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Local Relay patch for MS > > >On Tue, 2004-02-10 at 17:25, Raymond Dijkxhoorn wrote: >> Hi! >> >> > Julian and fellow Mailscanneriers, >> > Here is a patch which allows MailScanner to ignore ips acting as >> > relays to your mailscanner server. For example, if you >collect mail on >> > a mx server and then relay it to a mailscanner server, you >can specify >> > your mx server as a local relay. Then, mailscanner will >not report the >> > mx server as the source of the message but rather the ip >which connected >> > to the mx. >> >> > Something like the following will work for the conf file. >> > /etc/MailScanner/MailScanner.conf: >> > # Local Relay >> > Local Relay = 205.166.61.207 205.166.61.208 205.166.61.202 >> > 205.166.61.131 205.166.61.0/25 10.0.1.8/32 >> >> Cool! This would be nice for sendmail also. Would save some trouble. >> Care to have a look for sendmail also? > >Yeah, I wouldn't mind writing the patch for sendmail. I don't have >sendmail but it should be similar enough. Although almost rhetorical, >would you then be up for testing it? Maybe we should also wait to see >what Julian thinks in case he'd like to add this to the main distrib. > >> Does the RBL part also check on the >> 'ip before' ? > >I'm not sure. I know message->{clientip} will be correct. >I'll have to >check what the RBL looks against. Perhaps Julian is the best to answer >this. I'm out until tomorrow afternoon but when I get in, >I'll check it >out if someone else hasn't beat me to it. > >> >> Bye, >> Raymond. >-- >Lindsay Snider > From raymond at PROLOCATION.NET Tue Feb 10 22:28:06 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.3.0.2.20040210222339.03e67808@imap.ecs.soton.ac.uk> Message-ID: Hi! > it opens up an attack route though. Someone could pile in mail containing > the bounce header, and you would quietly delete it. So someone could DoS > your mail servers without you being able to work out why. Not sure I want > to do that. > Thoughts? That's what we have logs for; the same applies for regular DoS or virus attacks on a mailer. We also drop those silently, what's the difference? :) Bye, Raymond. From raymond at PROLOCATION.NET Tue Feb 10 23:07:25 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:25 2006 Subject: Local Relay patch for MS In-Reply-To: <08146035CA49D6119A36009027AC822A0264EDF4@CITY-EXCH-NTS> Message-ID: Hi Kevin, > That would be handy, although you thought you could already do this after a > fashion by setting the option to not scan messages that already have the > MailScanner header. Looking through the conf file I can't find it - was it > in another product? Essentially it was a header that said to skip scanning > if it already had been as it was clean. It wont help in most situations. Most people i know have a couple of MXes outside their own network to cover mail during any network outage. Those machines are plain MX, no scanning there. Once the main box gets back the MS box will scan them. But some things inside MS wont do ok (RBL checks for example) since it checks the first IP only. > Of course, a spammer could spoof that, but it doesn't seem all that > profitable to do so, as my custom header value will differ from yours, so > the spammer would have to know what they all were and target their spam > accordingly. A spammer will deliver anyway, so it thats not the relay IP there is nothing to worry about... Bye, Raymond. From dee at ASYOUNEED.COM Tue Feb 10 23:30:20 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <402931D8.5030803@deny.org> Message-ID: <000f01c3f02d$d91236f0$0201a8c0@lappy> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of James Sizemore > Sent: 10 February 2004 19:33 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: For those of us that feel strongly that email should be a > reliable transport medium. > > Julian Field wrote: > > > At 16:51 10/02/2004, you wrote: > > > > Why not just use > > > > Spam Actions = deliver > > or > > Spam Actions = deliver attachment > > or > > Spam Actions = notify store > > > > That way your recipients don't have to wade through anything, all your > > incoming email is stored and people can get at messages that were > wrongly > > tagged very easily. > > My setup is an ISP setup very high volume: deliver, deliver > attachment, and notify all still puts hundreds of email in pop mails > boxes that > users have to download over 28.8 baud links, The number of support > calls we get because some users email client can't handle this (always > outlook or outlook express) eats up real money. > > As I scan mail for hundreds of domains I'm not sure how long I would > be able to "store" email for. I take in hundreds of emails a second, maybe > a > few days worth. Not to mention I would have to train thousands of users > on how to pick up these stored messages! I'm not even sure how I would > go about > authenticating the users of the corporate customer that use us as an > email gateway > for incoming mail! > > > > > I appreciate your point, and I am aware of your position. But bouncing > > spam > > is not the correct answer to it, there are many other superior > > solutions to > > the problem, that don't cause grief to everyone else on the net. > > I also appreciate your point of view, but I'm not worried about > bouncing the spam > I'm worried about bouncing that one message in a thousand that is a > false positive. 
> The one that winds me up on the phone with an irate customer because > his stock Correct me if I'm wrong, but isn't that what the whitelist is for? If you have a requirement for certain emails to reach you from certain addresses no matter what, put them in there. Dee From kevins at BMRB.CO.UK Tue Feb 10 23:33:45 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> Message-ID: <1076456026.26575.24.camel@bach.kevinspicer.co.uk> On Tue, 2004-02-10 at 20:56, Julian Field wrote: > But in the meantime, does anyone have any good ideas for a happy medium, > such as enabling it but not documenting it, or producing a nasty log > message if it is used, or something like that? > All constructive ideas are most welcome. Personally I'm happy to see it left off - but in the interests of debate, four points (1 long 3 short) First point... There are a number of spamassassin tests that spot mail with forged headers (maybe not all of them - but a fair few). The introduction of SPF support in SA2.70 should also help with spotting some forged mail (especially if AOL continue to use it) [I don't want to get into another debate about the merits or otherwise of SPF - but can we agree for sites that choose to use SPF it should be a useful indicator for modifying SpamAssassin scores...] Simply checking for the presence of these indicators (or even the total score contributed by those tests) in the spamassassin report would help to determine whether a source is probably spoofed. Then the bounce option could only be applied to those that are not obviously false. Additionally the triggering of DCC or pyzor tests is also a good suggestion of whether it is worthwhile bouncing a mail. 
I'm not sure offhand exactly what tests SA does, but some obvious ideas spring to mind, which could perhaps be implemented in SA rules. The mail originates from one of the 'senders' MX's (good indicator that the domain at least is likely not forged - unless it's an open relay!). The mail originates from a host in the same class C as one of the 'senders' MX's. A reverse lookup on the sender's IP gives a hostname in the same domain. NOTE that I'm not saying that any of these are hard and fast indicators or forged addresses (they all have flaws) but as part of a spamassassin ruleset they may be helpful. Certainly where spamassassin detects that headers are forged there is no excuse for bouncing the mail(?) Second point - Admins who do bounce mail should - at the very least - ensure that the mail they wish to bounce was originally addressed to a valid user. I'll be posting something to the FAQ soon describing a method of doing this for those using sendmail to relay to Exchange. Third (contentious) point - Of course this is one benefit of a milter (but let's not start that debate!), I choose not to use a milter, but then I don't bounce spam. Fourth (really contentious) point - Maybe it's about time someone started an RBL for mindless autoresponders? /ducks Kevin BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mkettler at EVI-INC.COM Tue Feb 10 23:40:02 2004 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> Message-ID: <6.0.0.22.0.20040210175419.02c11288@xanadu.evi-inc.com> At 03:56 PM 2/10/2004, Julian Field wrote: >But in the meantime, does anyone have any good ideas for a happy medium, >such as enabling it but not documenting it, or producing a nasty log >message if it is used, or something like that? >All constructive ideas are most welcome. Julian, I understand you're in a tough position, caught between the world and a couple users, but let's face some simple facts. The bounce capability of MailScanner is horrifically broken and not fixable because of what part of the mailsystem MailScanner attaches to. We all know and understand this, despite some people's lack of concern for their neighbors. Using some kind of fixed "spam bounce" header isn't helpful. It destroys the bouncer's desire for "reliable" mail, and places a burden on every other mail system in the universe to set up filters to block garbage from a couple of people who just don't understand how to configure a mailserver. There are MANY other options out there to reject mail properly (ie: 5xx error in DATA phase), thus there's no need to use MailScanner to do this. Blacklist lookups are easy, nearly every MTA supports them natively, no need for MailScanner on this part, which leaves SpamAssassin. MTA layer integrations for SA exist. They work, and they do it right. MailScanner is extraordinarily versatile but it can't do everything. Sometimes people need a tool other than MailScanner to do the job properly. 
Exim users can use exiscan, Sendmail users can use spamass-milter or mimedefang. I'm not sure about tools for postfix and qmail, but I'm sure they exist too. Really, my constructive criticism is to suggest that the users who want MailScanner to bounce spam go use another tool. I LOVE MailScanner, but why put broken code back in to keep a few users? Particularly when those users are going to use MailScanner in a way which tarnishes it's reputation? Julian, I honestly believe you did the right thing removing this functionality. It doesn't belong. If some people get mad about it, let them. Putting the functionality back is just facilitating laziness and creates broken mailservers at the expense of others. From ka at PACIFIC.NET Tue Feb 10 23:51:20 2004 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: References: Message-ID: <40296E78.6030805@pacific.net> How about connect the bounce config option to the admin's Paypal account so that if it's used and Julian is personally threatened by the recipients of your bounced mail, your credit card is hit? :-) You could pass that charge on to your customers of course, since they would be the beneficiaries of your fine service. Bounce is dead, notify instead. If notifications are too obnoxious, or your users don't want to be bothered with 'technical' things, then store and write a script to notify x times per day with a list of stored mail that they can release with a click. Ken A Pacific.Net Billy A. Pumphrey wrote: > I like the idea of it being there but not documented. Also have a good > paragraph of what it will do, because It took me a little bit to catch > on to the process of what a virus can do it the bounce it on. I just > didn't realize it. > > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, February 10, 2004 3:57 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: For those of us that feel strongly that email should be a > reliable transport medium. > > At 20:46 10/02/2004, you wrote: > >>Of course it is. But he's serving "high profile customers" whom > > obviously > >>are more important than the rest of us slags! > > > Now now, people. Let's all remain calm and polite please... > > I think this thread is best considered closed for now. > It's clearly a debate which is going to run and run, I may have to put > the > "bounce" option to a vote. > But in the meantime, does anyone have any good ideas for a happy medium, > such as enabling it but not documenting it, or producing a nasty log > message if it is used, or something like that? > All constructive ideas are most welcome. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From dan.farmer at PHONEDIR.COM Tue Feb 10 23:57:12 2004 
From: dan.farmer at PHONEDIR.COM (Dan Farmer) Date: Thu Jan 12 21:22:25 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.3.0.2.20040210212711.03ceb768@imap.ecs.soton.ac.uk> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> <1076448060.7678.6.camel@andy.pessimists.net> <6.0.3.0.2.20040210212711.03ceb768@imap.ecs.soton.ac.uk> Message-ID: On Feb 10, 2004, at 2:33 PM, Julian Field wrote: > How about yet another configuration option: > This would just apply to the spam "bounce" action. It would be a > configuration option called something like "Enable Spam Bounces". > > Maybe the default configuration should point to a ruleset that > defaults to > no but has a sample line in it which switches it on for > *@yourcustomer.com. > The ruleset would have a strongly worded header at the top explaining > why > you shouldn't use it. But I would have to document the "bounce" action > to > make it clear why this extra configuration option existed. > > That way an administrator has to get an idea about rulesets before > they can > make this work. People wouldn't be able to turn it on by mistake. > > What do you think? *If* you put the bounce option back, this sounds good. (I don't use it, and I totally agreed with your decision to remove it and the reasons why it was removed, so I'm not voting for it to come back by any means, but...) Make it harder to enable than just adding 'bounce' to the options: very good idea. I think the extra bounce header would also be a good thing to add, either way. Having the footer/sender be auto-magically populated with the local postmaster address (and web address?) as the email address for complaints sounds like a real winner. 
If it returns, I think you should make this option only work on 'Spam Actions', but not on 'High Scoring Spam Actions'. As one of the people who wants the bounce option back said, they only use it on the lower level, as they *never* would bounce something they know is definitely spam (although it contradicts their earlier claims that they either deliver or bounce *every* message they get, for "reliable" & "guaranteed" email service). Of all the options, having the bounces reference the local postmaster/site and coming from the local postmaster will turn many of the joe-job psychos on the admins who use the bounce feature, so it has to be my favorite. You just know that it would probably cause many of those who use the bounce option to figure out a way to not use it pretty quick.... Of course, I still don't see a good enough reason to put it back in the first place as I believe it will always cause more harm than good - same reason I use All-Viruses in my silent list, there's not much point in bouncing them anymore (at least until we can get the whole automated flag from the virus checkers that tells us when a virus doesn't spoof, and should be bounced). dan From ka at PACIFIC.NET Wed Feb 11 00:06:27 2004 
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:22:25 2006
Subject: Local Relay patch for MS
In-Reply-To: <1076451737.21285.26.camel@localhost.localdomain>
References: <1076451737.21285.26.camel@localhost.localdomain>
Message-ID: <40297203.8050400@pacific.net>

I thought SA already looked at all the ips for rbl checks?
Does it not check all the IPs against other IP based SA rules?
If it doesn't, then YES, we'd use it for sendmail too!
Thanks,
Ken A
Pacific.Net

Lindsay Snider wrote:

> Julian and fellow Mailscanneriers,
> Here is a patch which allows MailScanner to ignore ips acting as
> relays to your mailscanner server. For example, if you collect mail on
> a mx server and then relay it to a mailscanner server, you can specify
> your mx server as a local relay. Then, mailscanner will not report the
> mx server as the source of the message but rather the ip which connected
> to the mx.
>
> example:
> sender-> localrelay1 -> localrelay2 -> mailscanner
> mailscanner will report the sender's ip.
>
> if this happens:
> localrelay1 -> localrelay2 -> mailscanner
> mailscanner will report localrelay1
>
> Would anyone else find this useful?
>
>
> Patch Detail:
> For now only postfix support is coded.
>
> I left debugging in so you can watch what it's doing.
>
> I originally had the mailscanner.conf -> message object load in during
> Message.pm:new() but from what I recall, it wasn't running before
> .pm:ReadQF. Perhaps it should be moved to Postfix.pm:new().
>
>
> Something like the following will work for the conf file.
> /etc/MailScanner/MailScanner.conf:
> # Local Relay
> Local Relay = 205.166.61.207 205.166.61.208 205.166.61.202
> 205.166.61.131 205.166.61.0/25 10.0.1.8/32
>
> --
> Lindsay Snider

From raymond at PROLOCATION.NET Wed Feb 11 00:13:49 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:25 2006
Subject: Local Relay patch for MS
In-Reply-To: <40297203.8050400@pacific.net>
Message-ID:

Hi!

> I thought SA already looked at all the ips for rbl checks?
> Does it not check all the IPs against other IP based SA rules.
> If it doesn't, then YES, we'd use it for sendmail too!
> Thanks,

SA does, the RBL checks within MS don't. For me it will be still very useful.

Bye,
Raymond.

From david at PLATFORMHOSTING.COM Wed Feb 11 02:50:12 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.2.0.0.20040210142958.02646e30@mail.enhtech.com>
Message-ID: <032f01c3f049$c6cda2b0$0b00a8c0@djh01>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Admin Team
> Sent: Wednesday, 11 February 2004 6:49 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: For those of us that feel strongly that email should be a
> reliable transport medium.
>
> My sigh is out of frustration and for the work that is coming for me. When
> we discovered MailScanner and started using it and offering it to our
> clients, we quickly learned what worked and what did not work with our
> client base. Based upon what we learned we implemented standards and
> procedures around that. Since we have very high profile clients who rely
> upon email being delivered to them in a timely manner, they required some
> sort of assurance in this respect. So we implemented procedures where we
> bounce lower scoring SPAM so as to notify senders in case one sender was
> an actual valid email address with good intentions. Now, that you've
> changed things, I need to figure out other procedures that may not work
> for my client base and in our company Philosophy, you don't tell the
> client how you are going to inconvenience them. Businesses that do this
> don't stay in business very long.

Here's how we do it by default for our customers..

High Scoring Spam = delete
Low Scoring Spam = attachment deliver forward spamsort@ourdomain.com
Non Spam Actions = deliver

We do run these values from a ruleset however so that a customer can opt to use whatever options they wish - we have never offered or allowed bounce however.

We have the scoring system pretty majorly altered to help avoid false positives, high scoring spam is spam that we know is spam from more than one source - ie. not just one RBL etc. Generally we have seen the spam or spammer before and block based on that.

Low scoring spam accounts for 2 - 4% of all our mail traffic, we ask customers to tell us whether they feel the message is spam or not by forwarding it to an email address.
When they forward it, we find the corresponding copy that is stored in our database via the forward action in Low Scoring Spam = and we feed it to BAYES and also write a spamassassin rule to catch it if that is needed.

Our customers are very happy with our service, we don't bounce messages, we don't get complaints from our customers, mail is configurable for those that wish to be setup differently, porn _VERY_ rarely gets through as low scoring.

As far as bounces go.. We have a customer who has been joe jobbed for the last month by one very persistent spammer. He currently gets in excess of 500 bounces per hour from other companies spam filtering software, something that he as the customer is paying for, something which neither he nor us can stop, something which someone else is making him pay for. Over the last 2 weeks this has risen to about 700 bounces per hour as the anti virus vendors are throwing in their 2 bob.

I believe that bouncing viruses and spam these days is not a service to your customers it is an abuse of the goodwill of the greater internet community.

Please be a little more creative than bouncing messages, you could even provide customers with a "quarantine" mailbox that you forward all low scoring spam to, you could even go one step further by making mail only stay in the mailbox for 30 days or whatever you choose - sounds like a great service to me.

Have a great week guys, but spend some of it thinking about ways to be better internet citizens, you might not notice the cost now, but if you're ever joe jobbed you will I promise.

Cheers!

Dave

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From david at PLATFORMHOSTING.COM Wed Feb 11 03:01:32 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:25 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.3.0.2.20040210212711.03ceb768@imap.ecs.soton.ac.uk>
Message-ID: <033201c3f04b$5c18abc0$0b00a8c0@djh01>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Julian Field
> Sent: Wednesday, 11 February 2004 8:33 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: For those of us that feel strongly that email should be a
> reliable transport medium.
>
> Maybe the default configuration should point to a ruleset that defaults to
> no but has a sample line in it which switches it on for
> *@yourcustomer.com.
> The ruleset would have a strongly worded header at the top explaining why
> you shouldn't use it. But I would have to document the "bounce" action to
> make it clear why this extra configuration option existed.

No one reads warnings these days. If you have to make it available again, make it so the rulesets will only accept it on a per user basis.

You've got to make it not easy to use and accompany it with a warning or people will just keep doing it.

Dave

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From pete at eatathome.com.au Wed Feb 11 03:11:12 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:25 2006
Subject: Thankyou for the CD
In-Reply-To: <6.0.3.0.2.20040210134227.07f99208@imap.ecs.soton.ac.uk>
References: <6.0.3.0.2.20040210134227.07f99208@imap.ecs.soton.ac.uk>
Message-ID: <40299D50.2080808@eatathome.com.au>

Julian Field wrote:

> To whoever sent me the Peter Gabriel CD from my wish list at
> www.amazon.co.uk, many thanks!
> It is much appreciated.
>
> It's great getting pressies :-)
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>
Please supply detail on how to find this wishlist...

From pete at eatathome.com.au Wed Feb 11 03:15:38 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:25 2006
Subject: Local Relay patch for MS
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EDF4@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264EDF4@CITY-EXCH-NTS>
Message-ID: <40299E5A.6070403@eatathome.com.au>

Kevin Miller wrote:

>That would be handy, although you thought you could already do this after a
>fashion by setting the option to not scan messages that already have the
>MailScanner header. Looking through the conf file I can't find it - was it
>in another product? Essentially it was a header that said to skip scanning
>if it already had been as it was clean.
>
>Of course, a spammer could spoof that, but it doesn't seem all that
>profitable to do so, as my custom header value will differ from yours, so
>the spammer would have to know what they all were and target their spam
>accordingly.
>
>By the way Lindsey, you may want to reset your reply to address. It
>defaults back to you instead of the list.
>
>S'later...
>
>...Kevin
>--
>Kevin Miller Registered Linux User No: 307357
>CBJ MIS Dept. Network Systems Administrator, Mail
>Administrator
>155 South Seward Street ph: (907) 586-0242
>Juneau, Alaska 99801 fax: (907 586-4500
>
>
>>-----Original Message-----
>>From: Lindsay Snider [mailto:lindsay@pa.net]
>>Sent: Tuesday, February 10, 2004 1:47 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: Local Relay patch for MS
>>
>>
>>On Tue, 2004-02-10 at 17:25, Raymond Dijkxhoorn wrote:
>>
>>>Hi!
>>>
>>>>Julian and fellow Mailscanneriers,
>>>> Here is a patch which allows MailScanner to ignore ips acting as
>>>>relays to your mailscanner server. For example, if you collect mail on
>>>>a mx server and then relay it to a mailscanner server, you can specify
>>>>your mx server as a local relay. Then, mailscanner will not report the
>>>>mx server as the source of the message but rather the ip which connected
>>>>to the mx.
>>>>
>>>>
>>>>Something like the following will work for the conf file.
>>>>/etc/MailScanner/MailScanner.conf:
>>>># Local Relay
>>>>Local Relay = 205.166.61.207 205.166.61.208 205.166.61.202
>>>>205.166.61.131 205.166.61.0/25 10.0.1.8/32
>>>>
>>>Cool! This would be nice for sendmail also. Would save some trouble.
>>>Care to have a look for sendmail also?
>>>
>>Yeah, I wouldn't mind writing the patch for sendmail. I don't have
>>sendmail but it should be similar enough. Although almost rhetorical,
>>would you then be up for testing it? Maybe we should also wait to see
>>what Julian thinks in case he'd like to add this to the main distrib.
>>
>>>Does the RBL part also check on the
>>>'ip before' ?
>>>
>>I'm not sure. I know message->{clientip} will be correct. I'll have to
>>check what the RBL looks against. Perhaps Julian is the best to answer
>>this. I'm out until tomorrow afternoon but when I get in, I'll check it
>>out if someone else hasn't beat me to it.
>>
>>>Bye,
>>>Raymond.
>>>
>>--
>>Lindsay Snider
>>
>
Symantec AntiVirus content filter has this option - about the only useful thing in that product

From brent.addis at ROAMAD.COM Wed Feb 11 06:04:12 2004
From: brent.addis at ROAMAD.COM (Brent Addis)
Date: Thu Jan 12 21:22:25 2006
Subject: AVG antivirus
Message-ID: <65314.210.55.104.83.1076479452.squirrel@webmail.roamad.com>

Hey

does mailscanner support the virus scanner AVG? I've hunted around but cannot find anything on it. Are there any plans for it in the future?
I have a copy here if anything is needed.

Regards
--
Brent Addis

From raymond at PROLOCATION.NET Wed Feb 11 08:02:10 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:25 2006
Subject: [Clamav-announce] announcing ClamAV 0.66 (fwd)
Message-ID:

FYI

To: clamav-announce@lists.sourceforge.net
Subject: [Clamav-announce] announcing ClamAV 0.66

*) ClamAV 0.66 has been released

This version is a response to the "clamav 0.65 remote DOS exploit" information published on popular security-related mailing lists. Unfortunately we had not been contacted by the author before he published that and had to release this (unplanned) package very quickly (it should be mentioned that CVS version was not vulnerable to the exploit). Untested code has been disabled also the Dazuko support is temporarily not available (if you really need it please use a CVS version or wait for a next stable release). Have a look at README for other important changes.

*) Notes on downloading the latest release:

SourceForge file release system is currently unavailable (see http://sourceforge.net/docman/display_doc.php?docid=2352&group_id=1).
The 0.66 release can be temporarily downloaded at Catt.com:

http://clamav.catt.com/stable/clamav-0.66.tar.gz
http://clamav.catt.com/stable/clamav-0.66.tar.gz.sig

Hopefully, clamav-0.66.tar.gz will be uploaded to SourceForge mirrors within the next 24 hours.

The ClamAV team (http://www.clamav.net)

--
Luca Gibelli (luca@gibelli.it || bofh@oltrelinux.com)
Home Page: http://www.nervous.it

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Clamav-announce mailing list
Clamav-announce@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/clamav-announce

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Feb 11 08:07:38 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:25 2006
Subject: Can't run unzip
Message-ID:

Hi,

found the problem. It is not the tmpdir at all. The clamav-wrapper assumes that unzip is in the path. Unfortunately under FreeBSD unzip is in /usr/local/bin and only /usr/bin is in the standard path. Once we patched the wrapper script everything worked fine. I will adjust the FreeBSD port to do this automatically.

Regards,
JP

From rafalek at RAFI.PL.EU.ORG Wed Feb 11 09:03:53 2004
From: rafalek at RAFI.PL.EU.ORG (Rafał Janas)
Date: Thu Jan 12 21:22:25 2006
Subject: Freebsd postfix mailscanner
Message-ID: <20040211090925.1B1B73C008@78-tor-7.acn.waw.pl>

Hi!

I read article about mailscanner with postfix. I do this same on my server but it doesn't work! I use FreeBSD 5.1 Postfix 2.0.18 and MailScanner 4.25.

For example I include part of my maillog:

Feb 10 18:50:58 78-tor-7 MailScanner[31016]: MailScanner E-Mail Virus Scanner version 4.25-14 starting...
Feb 10 18:50:58 78-tor-7 MailScanner[31016]: Using locktype = flock
Feb 10 18:50:58 78-tor-7 MailScanner[31016]: Postfix queue structure is depth 1
Feb 10 18:51:02 78-tor-7 MailScanner[31014]: Virus and Content Scanning: Starting
Feb 10 18:51:05 78-tor-7 MailScanner[31014]: Uninfected: Delivered 1 messages
Feb 10 18:51:06 78-tor-7 postfix/qmgr[30247]: 6744C18C8F: from=, size=1955, nrcpt=1 (queue active)
Feb 10 18:51:07 78-tor-7 postfix/local[31022]: warning: corrupted queue file: active/6/6744C18C8F
Feb 10 18:51:07 78-tor-7 postfix/qmgr[30247]: warning: saving corrupt file "6744C18C8F" from queue "active" to queue "corrupt"
Feb 10 18:51:08 78-tor-7 MailScanner[31023]: MailScanner E-Mail Virus Scanner version 4.25-14 starting...

To chroot jail I only change below line in /usr/local/etc/postfix.in/master.cf

smtp inet n - y - - smtpd

When I comment below line

defer_transports = smtp local virtual relay

in main.cf then mails to me will be deliver, but if I don't comment it mails stays in corrupt directory!

What I do wrong and how to fix it?

Thanks.

Rafał Janas
rafalek@rafi.pl.eu.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040211/f94c2196/attachment.html

From mailscanner at ecs.soton.ac.uk Wed Feb 11 09:41:17 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:25 2006
Subject: Thankyou for the CD
In-Reply-To: <40299D50.2080808@eatathome.com.au>
References: <6.0.3.0.2.20040210134227.07f99208@imap.ecs.soton.ac.uk>
 <40299D50.2080808@eatathome.com.au>
Message-ID: <6.0.1.1.2.20040211093953.03fa9d38@imap.ecs.soton.ac.uk>

At 03:11 11/02/2004, you wrote:
>Julian Field wrote:
>
>>To whoever sent me the Peter Gabriel CD from my wish list at
>>www.amazon.co.uk, many thanks!
>>It is much appreciated.
>>
>>It's great getting pressies :-)
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>Please supply detail on how to find this wishlist...

Go to http://www.sng.ecs.soton.ac.uk/mailscanner/donations.shtml and click on the "wish list" link in the 3rd paragraph.

Alternatively go to www.amazon.co.uk and look for Julian Field in Southampton.

Thanks in advance... :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 11 09:39:12 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:25 2006
Subject: AVG antivirus
In-Reply-To: <65314.210.55.104.83.1076479452.squirrel@webmail.roamad.com>
References: <65314.210.55.104.83.1076479452.squirrel@webmail.roamad.com>
Message-ID: <6.0.1.1.2.20040211093855.03f607e8@imap.ecs.soton.ac.uk>

I don't think anyone has asked for it before. I'm sure it can be supported if you want.

At 06:04 11/02/2004, you wrote:
>Hey
>
>does mailscanner support the virus scanner AVG? I've hunted around but
>cannot find anything on it. Are there any plans for it in the future?
>I have a copy here if anything is needed.
>
>Regards
>--
>Brent Addis

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 11 09:37:30 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:26 2006
Subject: Local Relay patch for MS
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EDF4@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264EDF4@CITY-EXCH-NTS>
Message-ID: <6.0.1.1.2.20040211093624.03fc5de8@imap.ecs.soton.ac.uk>

At 22:58 10/02/2004, you wrote:
>That would be handy, although you thought you could already do this after a
>fashion by setting the option to not scan messages that already have the
>MailScanner header. Looking through the conf file I can't find it - was it
>in another product? Essentially it was a header that said to skip scanning
>if it already had been as it was clean.

Eek! Bad guy forges 1 header and you don't scan it as you trust the headers. Great idea, that one. Only a marketing guy could have thought of that :-(

Even Microsoft don't write code that is that broken...
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 11 09:33:43 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:26 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <033201c3f04b$5c18abc0$0b00a8c0@djh01>
References: <6.0.3.0.2.20040210212711.03ceb768@imap.ecs.soton.ac.uk>
 <033201c3f04b$5c18abc0$0b00a8c0@djh01>
Message-ID: <6.0.1.1.2.20040211093100.036d70c0@imap.ecs.soton.ac.uk>

At 03:01 11/02/2004, you wrote:
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Julian Field
> > Sent: Wednesday, 11 February 2004 8:33 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: For those of us that feel strongly that email should be a
> > reliable transport medium.
> >
> > Maybe the default configuration should point to a ruleset that defaults to
> > no but has a sample line in it which switches it on for
> > *@yourcustomer.com.
> > The ruleset would have a strongly worded header at the top explaining why
> > you shouldn't use it. But I would have to document the "bounce" action to
> > make it clear why this extra configuration option existed.
>
>No one reads warnings these days. If you have to make it available again,
>make it so the rulesets will only accept it on a per user basis.
>
>You've got to make it not easy to use and accompany it with a warning or
>people will just keep doing it.

Here's my defence line:

1) By default it is supplied as a ruleset. You have to know how to use a ruleset
2) Both the option itself and the ruleset carry a strongly worded warning.
3) It cannot be simply set to "yes" by deleting the pointer to the ruleset.
4) The default value in the ruleset cannot be set to "yes".

This way you have to add rules to switch it on selectively, you can't enable it for everyone, or even everyone minus a list of exceptions.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 11 09:12:12 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:26 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <40295E30.356665CC@ihs.com>
References: <3A411846CD3C0D4CB3D8704F937353703E2915@be-00.foundation.sdsu.edu>
 <6.0.3.0.2.20040210222339.03e67808@imap.ecs.soton.ac.uk>
 <40295E30.356665CC@ihs.com>
Message-ID: <6.0.1.1.2.20040211091130.03d73120@imap.ecs.soton.ac.uk>

At 22:41 10/02/2004, you wrote:
>Julian Field wrote:
> >
> > That will mean the bounce header name will have to be fixed and
> > non-configurable. Which may be a good thing anyway. Slightly worried that
> > it opens up an attack route though. Someone could pile in mail containing
> > the bounce header, and you would quietly delete it. So someone could DoS
> > your mail servers without you being able to work out why. Not sure I want
> > to do that.
> > Thoughts?
>
>Rules can be written at the MTA level that can discard on a particular
>header...with Sendmail, at least. Might be better to leave it up to the
>MTA to discard, rather than potentially opening yourself to DoS.

Very good idea. I have tagged all the subject lines in all the spam bounce reports, so you can just filter on Subject: which most people can work out how to do (either at MTA or MUA level).

> > At 21:50 10/02/2004, you wrote:
> > >And you might as well add an option to delete messages with the bounce
> > >header also.
>
>Dustin
>--
>Dustin Baer
>Unix Administrator/Postmaster
>Information Handling Services
>15 Inverness Way East
>Englewood, CO 80112
>303-397-2836

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 11 09:18:12 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:26 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.0.22.0.20040210175419.02c11288@xanadu.evi-inc.com>
References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com>
 <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com>
 <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk>
 <6.0.0.22.0.20040210175419.02c11288@xanadu.evi-inc.com>
Message-ID: <6.0.1.1.2.20040211091620.036d8a28@imap.ecs.soton.ac.uk>

At 23:40 10/02/2004, you wrote:
>Julian, I honestly believe you did the right thing removing this
>functionality. It doesn't belong. If some people get mad about it, let
>them. Putting the functionality back is just facilitating laziness and
>creates broken mailservers at the expense of others.

But even better if I can put the functionality back in, but in such a way that novice admins have to jump through a lot of hoops to enable it. That way it can't be done by accident. And if I make the subject headers obvious, people can auto-delete the notifications.

(just trying to please everyone if possible :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 11 09:24:32 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:26 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To:
References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com>
 <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com>
 <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk>
 <1076448060.7678.6.camel@andy.pessimists.net>
 <6.0.3.0.2.20040210212711.03ceb768@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040211092347.036d8798@imap.ecs.soton.ac.uk>

At 23:57 10/02/2004, you wrote:
>If it returns, I think you should make this option only work on 'Spam
>Actions', but not on 'High Scoring Spam Actions'.

I like that. Speak now if you think this test is not a good idea.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 11 09:53:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:26 2006
Subject: Local Relay patch for MS
In-Reply-To: <40299E5A.6070403@eatathome.com.au>
References: <08146035CA49D6119A36009027AC822A0264EDF4@CITY-EXCH-NTS>
 <40299E5A.6070403@eatathome.com.au>
Message-ID: <6.0.1.1.2.20040211095050.036d33b0@imap.ecs.soton.ac.uk>

At 03:15 11/02/2004, you wrote:
>Kevin Miller wrote:
>
>>That would be handy, although you thought you could already do this after a
>>fashion by setting the option to not scan messages that already have the
>>MailScanner header. Looking through the conf file I can't find it - was it
>>in another product? Essentially it was a header that said to skip scanning
>>if it already had been as it was clean.
>>
>>Of course, a spammer could spoof that, but it doesn't seem all that
>>profitable to do so, as my custom header value will differ from yours, so
>>the spammer would have to know what they all were and target their spam
>>accordingly.
>>
>>By the way Lindsey, you may want to reset your reply to address. It
>>defaults back to you instead of the list.
>>
>>S'later...
>>
>>...Kevin
>>--
>>Kevin Miller Registered Linux User No: 307357
>>CBJ MIS Dept. Network Systems Administrator, Mail
>>Administrator
>>155 South Seward Street ph: (907) 586-0242
>>Juneau, Alaska 99801 fax: (907 586-4500
>>
>>
>>>-----Original Message-----
>>>From: Lindsay Snider [mailto:lindsay@pa.net]
>>>Sent: Tuesday, February 10, 2004 1:47 PM
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: Re: Local Relay patch for MS
>>>
>>>
>>>On Tue, 2004-02-10 at 17:25, Raymond Dijkxhoorn wrote:
>>>
>>>>Hi!
>>>>
>>>>>Julian and fellow Mailscanneriers,
>>>>> Here is a patch which allows MailScanner to ignore ips acting as
>>>>>relays to your mailscanner server. For example, if you collect mail on
>>>>>a mx server and then relay it to a mailscanner server, you can specify
>>>>>your mx server as a local relay. Then, mailscanner will not report the
>>>>>mx server as the source of the message but rather the ip which connected
>>>>>to the mx.
>>>>>
>>>>>
>>>>>Something like the following will work for the conf file.
>>>>>/etc/MailScanner/MailScanner.conf:
>>>>># Local Relay
>>>>>Local Relay = 205.166.61.207 205.166.61.208 205.166.61.202
>>>>>205.166.61.131 205.166.61.0/25 10.0.1.8/32
>>>>>
>>>>Cool! This would be nice for sendmail also. Would save some trouble.
>>>>Care to have a look for sendmail also?
>>>>
>>>Yeah, I wouldn't mind writing the patch for sendmail. I don't have
>>>sendmail but it should be similar enough. Although almost rhetorical,
>>>would you then be up for testing it? Maybe we should also wait to see
>>>what Julian thinks in case he'd like to add this to the main distrib.
>>>
>>>>Does the RBL part also check on the
>>>>'ip before' ?
>>>>
>>>I'm not sure. I know message->{clientip} will be correct. I'll have to
>>>check what the RBL looks against. Perhaps Julian is the best to answer
>>>this. I'm out until tomorrow afternoon but when I get in, I'll check it
>>>out if someone else hasn't beat me to it.

I can't implement this until I can get reliable code for all of
sendmail - Me
Exim - Tony Finch / Nick
Postfix - done already
ZMailer - Mariano
Qmail - OpenComputing Project

The above are suggestions of who I would really like to write what, as and when they have time. I am not an expert in all the MTAs and only wrote support for 2 of the 5 myself.

Any chance of some help here people?
Many thanks, it is all appreciated by everyone!
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From raymond at PROLOCATION.NET Wed Feb 11 10:02:11 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:26 2006
Subject: Local Relay patch for MS
In-Reply-To: <6.0.1.1.2.20040211095050.036d33b0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> I can't implement this until I can get reliable code for all of
> sendmail - Me
> Exim - Tony Finch / Nick
> Postfix - done already
> ZMailer - Mariano
> Qmail - OpenComputing Project
>
> The above are suggestions of who I would really like to write what, as and
> when they have time. I am not an expert in all the MTAs and only wrote
> support for 2 of the 5 myself.
>
> Any chance of some help here people?
> Many thanks, it is all appreciated by everyone!

Isn't it possible to enable this for the ones around yet ? The other ones will follow once it's there. I would be happy to test the sendmail one :)

Bye,
Raymond.

From t.d.lee at DURHAM.AC.UK Wed Feb 11 10:31:36 2004
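
The Local Relay behaviour described in this thread, combined with Julian Field's point that a header anyone can forge must not be trusted, as an added example (it is not Lindsay Snider's patch and not MailScanner code). It assumes Postfix-style Received lines and that the topmost Received header was written by the scanning host's own MTA; the function names, relay list and sample messages are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed relay list in the space-separated form of the thread's
# "Local Relay" sample; the addresses are documentation ranges.
LOCAL_RELAY = "192.0.2.10 192.0.2.11 10.0.1.0/24"

# Bracketed address literal, optionally with the "IPv6:" tag some MTAs add.
_BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse_relays(option_value):
    """Parse addresses and CIDR blocks into network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in option_value.split()]


def is_local_relay(ip, relays):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in relays)


def peer_ip(received_value):
    """Return the peer address recorded in one Received header, or None.

    Assumed layout: 'from HELO (rdns [ip]) by host ...'. The HELO name is
    chosen by the client and may itself be a bracketed address, so only
    the last bracketed address before ' by ' is taken.
    """
    from_clause = re.split(r"\sby\s", received_value, maxsplit=1)[0]
    found = _BRACKETED.findall(from_clause)
    if not found:
        return None
    try:
        return str(ipaddress.ip_address(found[-1]))
    except ValueError:
        return None


def effective_client_ip(raw_message, relays):
    """Walk Received headers newest-first; return the first non-relay peer.

    A header is believed only while every hop above it was a local relay.
    The walk stops at the first outside address, so headers supplied by
    that client are never read. If every hop is a relay, the last relay
    seen is reported, as in the thread's second case.
    """
    last_relay = None
    for value in message_from_string(raw_message).get_all("Received", []):
        ip = peer_ip(value)
        if ip is None:
            break  # chain of custody broken: stop trusting what follows
        if not is_local_relay(ip, relays):
            return ip
        last_relay = ip
    return last_relay


# Constructed sample: sender -> mx1 -> mx2 -> scanner. The sender uses a
# relay address as its HELO and supplies one Received header of its own.
RELAYED = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.11])
    by scanner.example.net (Postfix) with ESMTP id AAA111
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mx2.example.net (Postfix) with ESMTP id BBB222
Received: from [192.0.2.10] (unknown [203.0.113.25])
    by mx1.example.net (Postfix) with ESMTP id CCC333
Received: from other.invalid (other.invalid [198.51.100.99])
    by elsewhere.invalid (Postfix) with ESMTP id DDD444
Subject: constructed sample

body
"""

# Constructed sample: a host connects straight to the scanner and supplies
# headers that name the local relays.
FORGED_DIRECT = """\
Received: from mx2.example.net (unknown [198.51.100.7])
    by scanner.example.net (Postfix) with ESMTP id EEE555
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mx2.example.net (Postfix) with ESMTP id FFF666
Subject: constructed sample

body
"""

# Constructed sample: mail that originated on mx1 itself.
LOCAL_ORIGIN = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.11])
    by scanner.example.net (Postfix) with ESMTP id GGG777
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mx2.example.net (Postfix) with ESMTP id HHH888
Received: by mx1.example.net (Postfix, from userid 1001)
    id JJJ999
Subject: constructed sample

body
"""

if __name__ == "__main__":
    relay_nets = parse_relays(LOCAL_RELAY)
    for name, msg in (("relayed", RELAYED), ("forged", FORGED_DIRECT),
                      ("local", LOCAL_ORIGIN)):
        print(name, effective_client_ip(msg, relay_nets))
```

The same walk applies to any check keyed on the client address, including the RBL lookups raised in the thread, because it never reads a header below the first hop outside the relay list.
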
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:22:26 2006
Subject: Ease (or otherwise) of installation
Message-ID:

We run MailScanner on both Redhat and Solaris platforms.

My experience is that maintaining it is one of notable contrast: on Redhat it is quick, painless and reliable, because of the "install.sh" script, but on Solaris the process is much more labour-intensive and awkward and probably error-prone.

A couple of weeks ago there was discussion on the list about possible Solaris packaging. Has any further thought been given to that?

A closely related issue (a similar-sized headache!) is all the perl dependencies. For Redhat/rpm users these are handled naturally, swiftly, painlessly and automatically inside their "install.sh". But for users of Solaris (and other OSes, I presume) this seems considerably less straightforward.

Julian: Could we come up with a model by which "install.sh" could potentially be multi-OS? OK, its first (only?) direct act might be to dive off into OS-specific means to handle the various aspects, but it would establish a coherent overall model for handling the bits of functionality across a multitude of systems (using their own preferred mechanisms).

Could you give it some thought? Count me in as an enthusiastic guinea-pig (and I could try to sketch some Solaris things, if you wish).

--

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 334 2752                  U.K.                  :

From tim at TCSYS.CO.UK Wed Feb 11 11:42:15 2004
From: tim at TCSYS.CO.UK (Tim Cairnes)
Date: Thu Jan 12 21:22:26 2006
Subject: Can notification Subject include virus name
Message-ID: <1076499734.3499.2.camel@ystordy.tcsys.co.uk>

Is it possible to get MailScanner to report the name of the virus found in the subject line of notification messages?

Regards

Tim

From mailscanner at BARENDSE.TO Wed Feb 11 12:04:20 2004
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:22:26 2006 Subject: Mcafee In-Reply-To: <00a001c3ef21$a95ba2a0$206510ac@euclid.local> Message-ID: My ISP used to provide it for free with the account but they stopped it because mcafee supposedly ceased development / support on the virusscan for linux?? Have not been able to find any info about it though On Mon, 9 Feb 2004, Steve Churcher wrote: > Hi All > > Does anyone know where I can purchase a license for McAfee Command line > for unix in the UK? Or indeed anywhere really! > > Seems a hard one to track down or maybe its just me.. > > Thanks > Steve > From danielk at AVALONPUB.COM Wed Feb 11 12:02:27 2004 From: danielk at AVALONPUB.COM (Daniel Kleinsinger) Date: Thu Jan 12 21:22:26 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.1.1.2.20040211093100.036d70c0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040211093100.036d70c0@imap.ecs.soton.ac.uk> Message-ID: <402A19D3.30003@avalonpub.com> Julian Field wrote: >Here's my defence line: > >1) By default it is supplied as a ruleset. You have to know how to use a >ruleset >2) Both the option itself and the ruleset carry a strongly worded warning. >3) It cannot be simply set to "yes" by deleting the pointer to the ruleset. >4) The default value in the ruleset cannot be set to "yes". > >This way you have to add rules to switch it on selectively, you can't >enable it for everyone, for even everyone minus a list of exceptions. > > > Maybe someone already suggested this, but how about a required setting for an email contact that is added to the bottom of the bounce message instead of the default MailScanner Email Virus Scanner www.mailscanner.info MailScanner thanks transtec Computers for their support ? Then maybe you can make your threat of "redirecting all my abusive email to you" come true. Daniel From mike at ZANKER.ORG Wed Feb 11 12:05:38 2004 
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:22:26 2006
Subject: Using sophossavi and clamavmodule together
Message-ID: <8448187.1076501138@mallard.open.ac.uk>

Is it possible to use both sophossavi and clamavmodule together?

sophossavi and clamav work fine together but as soon as I change clamav
to clamavmodule MailScanner seems to go into a loop, continually
initialising sophossavi and not scanning any batches of mail.

Thanks,

Mike.

From raymond at PROLOCATION.NET Wed Feb 11 12:14:30 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:26 2006
Subject: Using sophossavi and clamavmodule together
In-Reply-To: <8448187.1076501138@mallard.open.ac.uk>
Message-ID:

Mike,

> sophossavi and clamav work fine together but as soon as I change clamav
> to clamavmodule MailScanner seems to go into a loop, continually
> initialising sophossavi and not scanning any batches of mail.
>
> Thanks,

What version clamavmodule are you using? There is a problem it seems
with 0.5, 0.4 should be running just fine. I already notified Julian
about this.

Can you have a look what version module you are using?

Bye,
Raymond.

From mike at ZANKER.ORG Wed Feb 11 12:18:08 2004
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:22:26 2006
Subject: Using sophossavi and clamavmodule together
In-Reply-To:
References:
Message-ID: <9198078.1076501888@mallard.open.ac.uk>

On 11 February 2004 13:14 +0100 Raymond Dijkxhoorn wrote:

> What version clamavmodule are you using? There is a problem it seems
> with 0.5, 0.4 should be running just fine. I already notified Julian
> about this.
>
> Can you have a look what version module you are using?

0.5 - I'll give 0.4 a go and see if it works.

Thanks,

Mike.

From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 11 12:23:08 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:26 2006
Subject: Mydoom Virus getting Through
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C50D@jessica.herefordshire.gov.uk>

Jason Balicki wrote:

> I would also recommend adding clamav to your setup. It's
> free and very, very good -- if one doesn't hit the other
> probably will.

Just how good is open to debate (see the ongoing discussion between Andreas
Marx about this on BugTraq).

However, it was good enough for us, and I'd always recommend using it in
conjunction with another virus scanner.

Version 0.66 of ClamAV is out, by the way, and installed here without
problems.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From raymond at PROLOCATION.NET Wed Feb 11 12:26:32 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:26 2006
Subject: Mydoom Virus getting Through
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C50D@jessica.herefordshire.gov.uk>
Message-ID:

Hi!

> However, it was good enough for us, and I'd always recommend using it in
> conjunction with another virus scanner.
>
> Version 0.66 of ClamAV is out, by the way, and installed here without
> problems.

Also running fine on my boxes, but don't upgrade to the latest version of
the Clam lib, that seems to break MS. Version 0.4 seems ok.

Bye,
Raymond.

From mike at ZANKER.ORG Wed Feb 11 12:26:39 2004
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:22:26 2006
Subject: Using sophossavi and clamavmodule together
In-Reply-To: <9198078.1076501888@mallard.open.ac.uk>
References: <9198078.1076501888@mallard.open.ac.uk>
Message-ID: <9709500.1076502399@mallard.open.ac.uk>

On 11 February 2004 12:18 +0000 Mike Zanker wrote:

> 0.5 - I'll give 0.4 a go and see if it works.

Yup, 0.4 works fine. Thanks Raymond!

Mike.

From mailscanner at ecs.soton.ac.uk Wed Feb 11 12:09:10 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:26 2006 Subject: Can notification Subject include virus name In-Reply-To: <1076499734.3499.2.camel@ystordy.tcsys.co.uk> References: <1076499734.3499.2.camel@ystordy.tcsys.co.uk> Message-ID: <6.0.1.1.2.20040211120841.07a06c68@imap.ecs.soton.ac.uk> Not all the virus scanners know what the virus name is, and the API for them that I currently use cannot pass back the name of the virus, as there might be many. At 11:42 11/02/2004, you wrote: >Is it possible to get MailScanner to report the name of the virus found >in the subject line of notification messages? > Regards > Tim -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 11 12:42:37 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:26 2006 Subject: Mcafee Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C510@jessica.herefordshire.gov.uk> No, it has recently been updated, runs like a charm here. I've just asked on the (McAfee) Total Virus Defense User Group mailinglist, so hopefully one of the NAI support guys will get back to me. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Remco Barendse > Sent: 11 February 2004 12:04 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mcafee > > > My ISP used to provide it for free with the account but they > stopped it > because mcafee supposedly ceased development / support on the > virusscan > for linux?? > > Have not been able to find any info about it though > > On Mon, 9 Feb 2004, Steve Churcher wrote: > > > Hi All > > > > Does anyone know where I can purchase a license for McAfee > Command line > > for unix in the UK? Or indeed anywhere really! > > > > Seems a hard one to track down or maybe its just me.. > > > > Thanks > > Steve > > > From raq at CHURCHER.ORG.UK Wed Feb 11 13:01:06 2004 From: raq at CHURCHER.ORG.UK (Steve Churcher) Date: Thu Jan 12 21:22:26 2006 Subject: Mcafee In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C510@jessica.herefordshire.gov.uk> Message-ID: <01b701c3f09f$1f020c00$206510ac@euclid.local> I'm awaiting a call back from nai as well.. no one there seems to know much about this product! Steve > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Randal, Phil > Sent: 11 February 2004 12:43 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mcafee > > No, it has recently been updated, runs like a charm here. > > I've just asked on the (McAfee) Total Virus Defense User Group > mailinglist, > so hopefully one of the NAI support guys will get back to me. > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Remco Barendse > > Sent: 11 February 2004 12:04 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Mcafee > > > > > > My ISP used to provide it for free with the account but they > > stopped it > > because mcafee supposedly ceased development / support on the > > virusscan > > for linux?? > > > > Have not been able to find any info about it though > > > > On Mon, 9 Feb 2004, Steve Churcher wrote: > > > > > Hi All > > > > > > Does anyone know where I can purchase a license for McAfee > > Command line > > > for unix in the UK? Or indeed anywhere really! > > > > > > Seems a hard one to track down or maybe its just me.. > > > > > > Thanks > > > Steve > > > > > From mailscanner at LISTS.COM.AR Wed Feb 11 13:38:35 2004 
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:22:26 2006
Subject: Local Relay patch for MS
In-Reply-To: <6.0.1.1.2.20040211095050.036d33b0@imap.ecs.soton.ac.uk>
References: <40299E5A.6070403@eatathome.com.au>
Message-ID: <402A062B.18676.2D50EA39@localhost>

Gee,

I'm in the middle of a win2linux migration of the server farm of a mid-sized
ISP... and I have queued the implementation of
zmailer+mailscanner+spamassassin+clamav for a major ISP starting next week
(that includes about a dozen double-xeon servers processing incoming &
outgoing mail)...

The only good thing is that the mailscanner implementation may involve
development within mailscanner where I could slip this thru...

I didn't even read the patch nor I read the messages so as to form a good
idea of what is intended... do we want to change the 'originating ip' in the
internal ms message object parsing 'Received:' headers ignoring the IPs
preconfigured as 'ours'?

I'll try to take a look late next week, sorry.

On 11 Feb 2004 at 9:53, Julian Field wrote:

> I can't implement this until I can get reliable code for all of
> sendmail - Me
> Exim - Tony Finch / Nick
> Postfix - done already
> ZMailer - Mariano
> Qmail - OpenComputing Project
>
> The above are suggestions of who I would really like to write what, as and
> when they have time. I am not an expert in all the MTAs and only wrote
> support for 2 of the 5 myself.
>
> Any chance of some help here people?
> Many thanks, it is all appreciated by everyone!

--
Mariano Absatz
El Baby
----------------------------------------------------------
Time spent petting the cat is never wasted...
signed, The Cat

From isp-list at TULSACONNECT.COM Wed Feb 11 13:40:58 2004
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:22:26 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.0.22.0.20040210120454.01bf7dd8@xanadu.evi-inc.com>
References: <40290C0F.6080306@deny.org> <40290C0F.6080306@deny.org>
Message-ID: <5.2.1.1.2.20040211073944.06cf1408@securemail.tulsaconnect.com>

At 12:26 PM 2/10/2004 -0500, you wrote:
>Hmm, that's a great way to convince people to join your cause.. start off
>with a flame before anyone even replies.
>
>Sigh.

Not to contribute anything useful to this thread, but, did anyone else see
the irony in the original sender's E-mail address of "james@DENY.ORG"? :-)

---------------------------------------
Mike Bacher / mike@sparklogic.com
SparkLogic Development / ISP Consulting
Use OptiGold ISP? Check out OptiSkin!
http://www.sparklogic.com/optiskin/
---------------------------------------

From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 11 12:31:00 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:26 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C50E@jessica.herefordshire.gov.uk>

> I think we are just talking about spam here, not viruses as
> well. Viruses
> are already covered in the configuration file as it stands.

But....

If the virus-containing message is a high-scoring spam, it never gets tagged
as a virus (see last week's discussion).

So we're back to my request to virus-scan everything.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From jharnish at CI.GRAND-RAPIDS.MI.US Wed Feb 11 13:46:12 2004
From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe)
Date: Thu Jan 12 21:22:26 2006
Subject: Mcafee
Message-ID: <221C759285B78647AEE6181FD6AF36A709AC86E2@BAMBI>

From the download page at McAfee the Linux scanner has:
Release Date - 1/7/2004

If this helps anyone.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Churcher
Sent: Wednesday, February 11, 2004 8:01 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mcafee

I'm awaiting a call back from nai as well.. no one there seems to know
much about this product!

Steve

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Randal, Phil
> Sent: 11 February 2004 12:43
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mcafee
>
> No, it has recently been updated, runs like a charm here.
>
> I've just asked on the (McAfee) Total Virus Defense User Group
> mailinglist,
> so hopefully one of the NAI support guys will get back to me.
>
> Cheers,
>
> Phil
>
> ---------------------------------------------
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Remco Barendse
> > Sent: 11 February 2004 12:04
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Mcafee
> >
> >
> > My ISP used to provide it for free with the account but they
> > stopped it
> > because mcafee supposedly ceased development / support on the
> > virusscan
> > for linux??
> >
> > Have not been able to find any info about it though
> >
> > On Mon, 9 Feb 2004, Steve Churcher wrote:
> >
> > > Hi All
> > >
> > > Does anyone know where I can purchase a license for McAfee
> > Command line
> > > for unix in the UK? Or indeed anywhere really!
> > >
> > > Seems a hard one to track down or maybe its just me..
> > >
> > > Thanks
> > > Steve
> > >
> >

From rgreen at TRAYERPRODUCTS.COM Wed Feb 11 14:21:18 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:26 2006 Subject: Thankyou for the CD In-Reply-To: <6.0.1.1.2.20040211093953.03fa9d38@imap.ecs.soton.ac.uk> References: <6.0.3.0.2.20040210134227.07f99208@imap.ecs.soton.ac.uk> <40299D50.2080808@eatathome.com.au> <6.0.1.1.2.20040211093953.03fa9d38@imap.ecs.soton.ac.uk> Message-ID: <402A3A5E.6030102@trayerproducts.com> Just looked at your wish list, Julian. No, you aren't getting my A1 !!!! :-) Rod Julian Field wrote: > At 03:11 11/02/2004, you wrote: > >> Julian Field wrote: >> >>> To whoever sent me the Peter Gabriel CD from my wish list at >>> www.amazon.co.uk, many thanks! >>> It is much appreciated. >>> >>> It's great getting pressies :-) >>> -- >>> Julian Field >>> www.MailScanner.info >>> MailScanner thanks transtec Computers for their support >>> >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> >> PLease supply detail on how to find this wishlist... > > > Go to > http://www.sng.ecs.soton.ac.uk/mailscanner/donations.shtml > and click on the "wish list" link in the 3rd paragraph. > > Alternatively go to www.amazon.co.uk and look for Julian Field in > Southampton. > > Thanks in advance... :-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- "Please remain calm...I may be mad, but I am a professional." -Mad Scientist From jclark at SKIDMORE.EDU Wed Feb 11 14:08:55 2004 
From: jclark at SKIDMORE.EDU (jclark) Date: Thu Jan 12 21:22:26 2006 Subject: @ symbol in 'stored.virus.message.txt' Message-ID: I am trying to include a reply address in the 'stored.virus.message.txt' and the 'stored.filename.message.txt'. When I include the @ symbol in the e-mail address, the line that contains the e-mail address does not print. I properly escape it with the '\' symbol, but that doesn't work either. Any suggestions to solve this stupid question would be appreciated. Thanks, Jeff -- Jeffrey A. Clark Associate Director, CITS Director, Enterprise Systems Skidmore College 815 North Broadway Saratoga Springs, NY 12866-1632 (518) 580-5929 E-mail: jclark@skidmore.edu From alden at MATH.OHIO-STATE.EDU Wed Feb 11 14:36:44 2004 
From: alden at MATH.OHIO-STATE.EDU (Dave Alden) Date: Thu Jan 12 21:22:26 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.1.1.2.20040211091620.036d8a28@imap.ecs.soton.ac.uk> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.benchmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> <6.0.0.22.0.20040210175419.02c11288@xanadu.evi-inc.com> <6.0.1.1.2.20040211091620.036d8a28@imap.ecs.soton.ac.uk> Message-ID: <20040211143644.GA29302@math.ohio-state.edu> Hi, On Wed, Feb 11, 2004 at 09:18:12AM +0000, Julian Field wrote: > At 23:40 10/02/2004, you wrote: > >Julian, I honestly believe you did the right thing removing this > >functionality. It doesn't belong. If some people get mad about it, let > >them. Putting the functionality back is just facilitating laziness and > >creates broken mailservers at the expense of others. > > But even better if I can put the functionality back in, but in such a way > that novice admins have to jump through a lot of hoops to enable it. That > way it can't be done by accident. > > And if I make the subject headers obvious, people can auto-delete the > notifications. > > (just trying to please everyone if possible :-) Keep in mind that there are some of us (many???) that won't be happy if you put the bounce option back in. You can't win. :-) Put me in the "Never, under any circumstances, put that option back in" camp. ...dave alden From bpumphrey at WOODMACLAW.COM Wed Feb 11 14:47:16 2004 
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:26 2006 Subject: Updating importance Message-ID: Can someone explain the importance of updating, if it is important? I am still learning Linux and I have MailScanner running with someone's help and I don't want to screw it up if it is not critical to update. However if it is critical to update, Its probably time that I dive into it again. Thank you Billy From gdoris at rogers.com Wed Feb 11 14:47:38 2004 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:26 2006 Subject: For those of us that feel strongly that email should be a In-Reply-To: <6.0.1.1.2.20040211091620.036d8a28@imap.ecs.soton.ac.uk> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> <6.0.0.22.0.20040210175419.02c11288@xanadu.evi-inc.com> <6.0.1.1.2.20040211091620.036d8a28@imap.ecs.soton.ac.uk> Message-ID: <40768.129.80.22.143.1076510858.squirrel@65.48.246.102> > At 23:40 10/02/2004, you wrote: >>Julian, I honestly believe you did the right thing removing this functionality. It doesn't belong. If some people get mad about it, let them. Putting the functionality back is just facilitating laziness and creates broken mailservers at the expense of others. > > But even better if I can put the functionality back in, but in such a way > that novice admins have to jump through a lot of hoops to enable it. That > way it can't be done by accident. > > And if I make the subject headers obvious, people can auto-delete the notifications. > > (just trying to please everyone if possible :-) > -- > Julian Field Julian, I believe in your efforts to please everyone you are losing sight of the real problem. The crux of the problem is that there are individuals who, for their own reasons, want to bounce mail whether it creates a problem for others or not. While there may be some that have misconfigured MS they are not the individuals demanding that you reverse your decision to remove the bounce option. In all the discussions I have not seen anyone accuse these people of incompetence or ignorance. They know exactly what they are doing and have the skills to do it. 
While your efforts will make it more difficult for someone to enable the
option accidentally you will certainly not accomplish your objective of
preventing MS being viewed negatively by those people receiving the
incorrectly bounced emails.

The bottom line is that enabling the bounce feature no matter how convoluted
you make it will result in MS being used to distribute unwanted emails to
innocent folks.

MS was rightly slammed by a reviewer for bouncing messages and he later
congratulated MS for removing the option.

Do what you believe is correct. You will never please all the people all the
time.

Gerry

From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 11 14:49:10 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:26 2006
Subject: FW: [tvdug] uvscan for Unix/Linux
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C512@jessica.herefordshire.gov.uk>

For everyone's information.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: Wolff, Daniel (Avert) [mailto:Daniel_Wolff@avertlabs.com]
Sent: 11 February 2004 14:33
To: 'tvdug@yahoogroups.com'
Subject: RE: [tvdug] uvscan for Unix/Linux

http://www.nai.com/us/downloads/evals/

Near the bottom of the McAfee section is:

McAfee VirusScan Command Line Scanner for AIX 4.32
McAfee VirusScan Command Line Scanner for HPUX 4.32
McAfee VirusScan Command Line Scanner for Linux 4.32
McAfee VirusScan Command Line Scanner for Linux s390 4.32
McAfee VirusScan Command Line Scanner for RedHat 9 and Suse 8.x Linux 4.32
McAfee VirusScan Command Line Scanner for SCO 4.32
McAfee VirusScan Command Line Scanner for Solaris 4.32
McAfee VirusScan Command Line Scanners for FreeBSD 4.32

Click on TRY and you can then download a sample for the supported platforms -
or at least point the distributors at the link to demonstrate that they
exist!

Regards

Daniel Wolff
McAfee AVERT

-----Original Message-----
From: Randal, Phil [mailto:prandal@herefordshire.gov.uk]
Sent: 11 February 2004 12:42
To: Wolff, Daniel (Avert)
Subject: [tvdug] uvscan for Unix/Linux

Over on the MailScanner mailing list, there's a few people bemoaning the
difficulty of getting their hands on uvscan for Unix/Linux.

Can one of the NAI folks on the list give a few pointers on how to persuade
your distributors that such a product exists and how people can get hold of
it?

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From miguelk at KONSULTEX.COM.BR Wed Feb 11 15:00:16 2004
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:22:26 2006
Subject: Updating importance
References:
Message-ID: <402A4380.5070602@konsultex.com.br>

Billy;

I assume you mean Mail Scanner itself and not the anti-virus engine or
pattern. The pattern especially should be updated as frequently as possible
because they all work by comparison with known virus definitions. As to Mail
Scanner itself, there are some occasions, which are usually very evident on
this mailing list, when an update is important to catch a new type of virus
mechanism or interpret a new or changed result from a virus scanner that you
may be using. Those updates are very infrequent in my history with Mail
Scanner (about 3 years). I usually update anyway though, a few weeks after a
stable release is available because it's pretty simple and usually has some
new features I think I may use (but I never do). But I also believe in the
golden rule that if it works well for you, don't touch it!

Miguel

Billy A. Pumphrey wrote:

>Can someone explain the importance of updating, if it is important? I
>am still learning Linux and I have MailScanner running with someone's
>help and I don't want to screw it up if it is not critical to update.
>However if it is critical to update, Its probably time that I dive into
>it again.
>
>Thank you
>Billy
>
>
>

--
This message has been checked by the antivirus system and
is believed to be free of danger.

From COMBSTM at APPSTATE.EDU Wed Feb 11 13:52:36 2004
From: COMBSTM at APPSTATE.EDU (T. Combs) Date: Thu Jan 12 21:22:26 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. Message-ID: <01L6GZLGN1TOB2EYNP@appstate.edu> > Keep in mind that there are some of us (many???) that won't be happy if you > put the bounce option back in. You can't win. :-) Put me in the "Never, > under any circumstances, put that option back in" camp. > ...dave alden While this is a near to heart topic, we have been throwing away mail for years that was generated by a virus. I point out to our people that the only reliable line in a virus generated email is the Received: line where our server actually connects to a source - the only really reliable part of that line is the IP address. The From: and To: are fabricated from addressbooks sometimes using all of the address, sometimes using the domain. This feature is one of the great parts of Mailscanner and we love it!! The option we will always use is to TRASH virus generated email. -- Combstm@appstate.edu Appalachian State University (828)262-6297 Information Technology Services FAX: (828)262-2236 From mailscanner at ecs.soton.ac.uk Wed Feb 11 14:54:42 2004 
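The point made in T. Combs's message above (in virus-generated mail only the connecting IP in the Received: line written by your own server is reliable) and the "originating IP" question raised in the Local Relay patch thread, sketched as an added Python example. It is not part of any list message and is not MailScanner's code; the function names, networks and sample message are constructed for illustration.

```python
import email
import ipaddress
import re

# Bracketed address literal as MTAs write it in the "from" clause,
# e.g. "from host (rdns.example.net [192.0.2.7])".
_ADDR = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def peer_ip(received_value):
    """Return the connecting peer's IP recorded in one Received: value, or None."""
    unfolded = " ".join(received_value.split())
    # Only the "from ..." clause describes the peer; "by ..." names the writer.
    from_clause = re.split(r"\sby\s", unfolded, maxsplit=1)[0]
    if not from_clause.lower().startswith("from "):
        return None  # e.g. local submission: "(from root@localhost) by ..."
    for candidate in _ADDR.findall(from_clause):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def originating_ip(raw_message, our_networks):
    """Walk Received: headers top-down, skipping hops inside our own networks.

    A Received: header is only as trustworthy as the server that wrote it.
    The topmost one is written by our own MTA. If the peer it records is one
    of our relays, the next header down was written by that relay and can be
    trusted too. The first peer outside our networks is the origin; every
    header below that point was supplied by the sender and is ignored.
    Returns None when a trusted hop records no parseable address or when
    every hop is ours (locally originated mail).
    """
    nets = [ipaddress.ip_network(n) for n in our_networks]
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        ip = peer_ip(value)
        if ip is None:
            return None
        if not any(ip in net for net in nets):
            return ip
    return None


# Constructed sample: an internal relay (10.0.0.5) hands the message to the
# scanner; the relay received it from 203.0.113.77. The bottom Received: line
# and the From: header were supplied by the sender and are forged.
SAMPLE = (
    "Received: from relay1.example.org (relay1.example.org [10.0.0.5])\n"
    "\tby scanner.example.org with ESMTP id i1BABC; Wed, 11 Feb 2004 14:00:02 +0000\n"
    "Received: from pc-42 (dsl-42.isp.example.net [203.0.113.77])\n"
    "\tby relay1.example.org with SMTP id i1BAAA; Wed, 11 Feb 2004 14:00:01 +0000\n"
    "Received: from mail.bank.example.com (mail.bank.example.com [198.51.100.9])\n"
    "\tby pc-42 with SMTP; Wed, 11 Feb 2004 13:59:00 +0000\n"
    'From: "Accounts" <accounts@bank.example.com>\n'
    "To: someone@example.org\n"
    "Subject: document\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print("origin with 10.0.0.0/8 as ours:", originating_ip(SAMPLE, ["10.0.0.0/8"]))
    print("origin with no networks listed:", originating_ip(SAMPLE, []))
```

Listing a network as "ours" that is not actually under your control lets a sender-supplied Received: line decide the origin, so the list should contain only relays you operate.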
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:26 2006 Subject: Updating importance In-Reply-To: References: Message-ID: <6.0.1.1.2.20040211145334.03b41c48@imap.ecs.soton.ac.uk> At 14:47 11/02/2004, you wrote: >Can someone explain the importance of updating, if it is important? I >am still learning Linux and I have MailScanner running with someone's >help and I don't want to screw it up if it is not critical to update. >However if it is critical to update, Its probably time that I dive into >it again. Keep an eye on it whenever you upgrade your virus scanner(s). If you need the latest version of your virus scanner(s) (the scanning engine, not the detection patterns which should always be up to date), then you may find you have to update MailScanner to keep track of changes in the virus scanner(s). -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Feb 11 15:06:43 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:26 2006
Subject: ANNOUNCE: unstable version 4.27.1 released
Message-ID: <6.0.1.1.2.20040211145521.0372ac20@imap.ecs.soton.ac.uk>

What a day...

I have just released version 4.27.1. This has not had much testing, I hope
some of you will help with that.

The "bounce" spam action is back, but is hard to abuse. Please read on...
If you want to find all the restrictions on its use, do a "Luke" and use
the source.

I have also fixed a bunch of other things, which are in the ChangeLog below.

I am never going to manage to satisfy all of you with this "bounce"
problem. However, my best idea is to come up with a compromise that will
hopefully satisfy most of you, then put it out there and see. So that's
what I have done.

There will always be people who want to bounce all spam back to the
purported sender, and I think they are 99% wrong. However if they can't do
it with MailScanner they will just go and use something else that does let
them do it. So I am letting them, but under plenty of restrictions. I'm not
sure this is a decision that I can make to everyone's satisfaction. This is
not a completely one-sided argument, I can see both sides however weak or
strong I consider anyone's case.

Here endeth the sermon.

Download as usual from www.mailscanner.info.

The Change Log is this:

* New Features and Improvements *
- Improved Linux init.d scripts so that postfix and postfix.in settings are
  used throughout the init.d script.
- Added support for F-Secure 4.52.
- When lots of consecutive SpamAssassin timeouts occur, all network tests
  are now stopped, not just RBL checks.
- Added support for Qmail. You will need the contents of
  qmail/qmail-queue.zip.
- Added Exim d2mbox to distribution.
- Improved logging output from Trend autoupdater.
- Improved logging output from Trend parser.
- Added old and new queue ids for Postfix to make for easy message tracking.
- Portuguese Brazilian reports are now all translated.
- Added "Enable Spam Bounce" ruleset for selectively switching on permission
  to bounce spam from your most important customers.
- Fixed small bug in Exim d2mbox script for very long headers.

* Fixes *
- Fixed bug in "Rebuild Bayes Every" feature on Solaris.
- Exim bug with empty Subject headers being corrupted fixed.
- Outstanding: Quarantining warning message bug - cannot reproduce on any OS
- Outstanding: Exim multiple ACLs - Awaiting Nick or Tony's response

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From bpumphrey at WOODMACLAW.COM Wed Feb 11 15:24:38 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:26 2006
Subject: Updating importance
Message-ID:

Ok, thanks for the reply Miguel and Julian. I do have Sophos running on
it and it updates every 2 hours I believe. So yes, as far as virus that
is updated in a timely fashion and I was more speaking of MailScanner
itself. From what you said updating it is simple, which is good, and I
should just keep a look out for certain updates and would be needed to
coincide with the virus scanner engine or something to that effect to
catch new things that are out.

I have saved some of the emails that were talking about updating so that
I hopefully wouldn't be completely clueless when that time comes around
for me, however if it's simple hopefully someone can make a few simple
steps to update because the emails didn't quite tell how to but just how to
tell what version and such. I didn't know if it was a matter of needing
to backup the configs and doing the update then importing the configs,
or just applying the update.

-----Original Message-----
From: Miguel Koren O'Brien de Lacy [mailto:miguelk@KONSULTEX.COM.BR]
Sent: Wednesday, February 11, 2004 10:00 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Updating importance

Billy;

I assume you mean Mail Scanner itself and not the anti-virus engine or pattern. The pattern especially should be updated as frequently as possible because they all work by comparison with known virus definitions. As to Mail Scanner itself, there are some occasions, which are usually very evident on this mailing list, when an update is important to catch a new type of virus mechanism or interpret a new or changed result from a virus scanner that you may be using. Those updates are very infrequent in my history with Mail Scanner (about 3 years). I usually update anyway though, a few weeks after a stable release is available because it's pretty simple and usually has some new features I think I may use (but I never do). But I also believe in the golden rule that if it works well for you, don't touch it!

Miguel

Billy A. Pumphrey wrote:

>Can someone explain the importance of updating, if it is important? I
>am still learning Linux and I have MailScanner running with someone's
>help and I don't want to screw it up if it is not critical to update.
>However if it is critical to update, it's probably time that I dive into
>it again.
>
>Thank you
>Billy
>
>
>

--
This message has been checked by the antivirus system and is believed to be free of danger.

From raymond at PROLOCATION.NET Wed Feb 11 15:24:45 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:26 2006 Subject: ANNOUNCE: unstable version 4.27.1 released In-Reply-To: <6.0.1.1.2.20040211145521.0372ac20@imap.ecs.soton.ac.uk> Message-ID: Julian, > The Change Log is this: > > * New Features and Improvements * > - Improved Linux init.d scripts so that postfix and postfix.in settings are > used throughout the init.d script. > - Added support for F-Secure 4.52. > - When lots of consecutive SpamAssassin timeouts occur, all network tests If you have time, could you have a look on the clamlib stuff ? I switched over to the plain version now, not the perl lib, but people installing it from scratch will have problems since it will cause MS to crash. Only versions up to .4 will work, but .5 is what CPAN delivers currently. Will upgrade two of my boxes later on tonight to 4.27.1 Bye, Raymond. From mkettler at EVI-INC.COM Wed Feb 11 15:38:44 2004 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:26 2006
Subject: For those of us that feel strongly that email should be a reliable transport medium.
In-Reply-To: <6.0.1.1.2.20040211091620.036d8a28@imap.ecs.soton.ac.uk>
References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> <6.0.0.22.0.20040210175419.02c11288@xanadu.evi-inc.com> <6.0.1.1.2.20040211091620.036d8a28@imap.ecs.soton.ac.uk>
Message-ID: <6.0.0.22.0.20040211102102.025c56d0@xanadu.evi-inc.com>

At 04:18 AM 2/11/2004, Julian Field wrote:
> >Julian, I honestly believe you did the right thing removing this
> >functionality. It doesn't belong. If some people get mad about it, let
> >them. Putting the functionality back is just facilitating laziness and
> >creates broken mailservers at the expense of others.
>
>But even better if I can put the functionality back in, but in such a way
>that novice admins have to jump through a lot of hoops to enable it. That
>way it can't be done by accident.
>
>And if I make the subject headers obvious, people can auto-delete the
>notifications.
>
>(just trying to please everyone if possible :-)

I would refrain from describing that as "better" much less "even better". It is however, a compromise of sorts, and I do respect your desire to compromise.

Personally, I strongly stand behind the opinion that you'd have to be out of your mind to put it back in. The feature is little short of being a malicious attack tool against other networks. In my mind, it's directly comparable to setting up a network as a smurf amplifier.

By making lots of hoops you've made it so that the admin has to be willfully malicious to turn on the feature, but you've still put a feature into a spam filter that allows spammers to abuse it as an attack tool.

If you must add the feature back in, I'd recommend putting some kind of "don't blame MailScanner, we told them not to do this" note in the fixed headers. At least this way people won't be quite as quick to blame MailScanner for the malicious nature of certain network administrators.

However, I would consider anyone who still blamed MailScanner for its part in the attack to be correct in their lay of blame.

From Carl.Boberg at NRM.SE Wed Feb 11 15:42:43 2004
From: Carl.Boberg at NRM.SE (Carl Boberg)
Date: Thu Jan 12 21:22:26 2006
Subject: Mydoom Virus getting Through
Message-ID: <521A1817A68E5F4895A67C104512BF5FA028@GANDALF.nrm.se>

Just a thought,

We have also been struck by occasional mydoom viruses getting through.

I noticed that I lacked perl module MIME::Base64 and MIME::Type

After installing them through cpan I am now monitoring for any new mydoom viruses getting through.

Although this problem seems intermittent I am not sure if this might have any effect...

Any new input on this is very appreciated.

--------------------------------
Carl Boberg
System & Network Administrator
Swedish Museum of Naturalhistory
Frescativägen 40
104 05 Stockholm
Sweden
Tel nr: 08-5195 5116
Mobile: 0701-82 4055
E-mail: carl.boberg@nrm.se
--------------------------------

From dahlberg at bucknell.edu Wed Feb 11 15:50:31 2004
From: dahlberg at bucknell.edu (Michael Dahlberg) Date: Thu Jan 12 21:22:26 2006 Subject: Mydoom Virus getting Through In-Reply-To: References: Message-ID: <20040211155029.GA1488@bucknell.edu> Kyle Harris [lists@TRCINTL.COM] wrote: > I have been running MailScanner for quite some time and it has successfully > found literally thousands of e-mail's infected with the Mydoom virus, as > well as many others. However, I have noticed that every now and then for > whatever reason one seems to slip through MailScanner. The reason I know > this is that my mail is first scanned with MailScanner (using eTrust > Antivirus 7.0) and then it is sent on to another machine running TrendMicro > InterScan VirusWall (I had that in place before MailScanner). > > On about 4 occasions since the outbreak of Mydoom, a copy of the virus has > made it through MailScanner undetected and has then been caught by the > TrendMicro product. I had it happen several times already today. I > checked the e-mail ID and I see in the log on MailScanner where it passed > through without a hitch. > > I seem to recall someone posting something earlier about this occuring > while using the Sophos antivirus product. I just thought this might be > something to take note of. By the way, I am currently using MailScanner > version 4.26.8 and my virus signatures are up to date. TrendMicro > InterScan VirusWall reports the e-mail messages in question as having > Mydoom.A. Kyle: Did you ever find a fix to this problem? We're experiencing a similar problem. A number of messages are passing through MailScanner(4.13-3)/Sophos and then are interpreted as MyDoom-infected when they reach the client's MUA (Eudora) on a system which is running Symantec's Antivirus software. If these messages are intercepted before being downloaded to the client's system, they look as if they might have something wrong with the MIME header because some MUAs will interpret the message as not having an attachment. Do you see something similar? 
Thanks. From jamesb at LUDCASTLE.CO.UK Wed Feb 11 15:52:16 2004 From: jamesb at LUDCASTLE.CO.UK (James Beale) Date: Thu Jan 12 21:22:26 2006 Subject: Mailscanner with virus scanning, Open Webmail and sendmail Message-ID: Hi I hope that someone with some more knowledge (it wouldn't be difficult!) than me of configuring Mailscanner with virus scanning, Open Webmail and sendmail will be able to provide me with an answer. First of all, it seems that everything is fine, except for scanning of emails received from outside of our network. That is to say, I can prove emails are virus scanned and disinfected (eicar test virus) when users send emails internally, but when I send myself the test virus from an outside account, it does not get scanned. I feel that I am missing something quite obvious in my setup, but can't figure out what. Many thanks. James. From martinh at SOLID-STATE-LOGIC.COM Wed Feb 11 16:01:17 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:26 2006 Subject: Mydoom Virus getting Through In-Reply-To: <521A1817A68E5F4895A67C104512BF5FA028@GANDALF.nrm.se> References: <521A1817A68E5F4895A67C104512BF5FA028@GANDALF.nrm.se> Message-ID: <402A51CD.8080001@solid-state-logic.com> Just got one that SophosSavi 3.78d caught and ClamAV 0.66 didn't. This is running on FreeBSD 4.8 with MS 4.24-5 if anyone needs the example I'll try and forward it..Julian?? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From lists at TRCINTL.COM Wed Feb 11 16:08:54 2004 
From: lists at TRCINTL.COM (Kyle Harris) Date: Thu Jan 12 21:22:26 2006 Subject: Mydoom Virus getting Through Message-ID: On Wed, 11 Feb 2004 10:50:31 -0500, Michael Dahlberg wrote: >Kyle Harris [lists@TRCINTL.COM] wrote: >> I have been running MailScanner for quite some time and it has successfully >> found literally thousands of e-mail's infected with the Mydoom virus, as >> well as many others. However, I have noticed that every now and then for >> whatever reason one seems to slip through MailScanner. The reason I know >> this is that my mail is first scanned with MailScanner (using eTrust >> Antivirus 7.0) and then it is sent on to another machine running TrendMicro >> InterScan VirusWall (I had that in place before MailScanner). >> >> On about 4 occasions since the outbreak of Mydoom, a copy of the virus has >> made it through MailScanner undetected and has then been caught by the >> TrendMicro product. I had it happen several times already today. I >> checked the e-mail ID and I see in the log on MailScanner where it passed >> through without a hitch. >> >> I seem to recall someone posting something earlier about this occuring >> while using the Sophos antivirus product. I just thought this might be >> something to take note of. By the way, I am currently using MailScanner >> version 4.26.8 and my virus signatures are up to date. TrendMicro >> InterScan VirusWall reports the e-mail messages in question as having >> Mydoom.A. > >Kyle: > >Did you ever find a fix to this problem? > >We're experiencing a similar problem. A number of messages are >passing through MailScanner(4.13-3)/Sophos and then are interpreted as >MyDoom-infected when they reach the client's MUA (Eudora) on a system >which is running Symantec's Antivirus software. If these messages are >intercepted before being downloaded to the client's system, they look >as if they might have something wrong with the MIME header because >some MUAs will interpret the message as not having an attachment. 
>
>Do you see something similar?
>
>Thanks.

I experienced this at least 10 times yesterday (they seemed to come relatively close together) and had experienced it about 3 or 4 times in days prior to that. Julian asked if I could send one to him so I enabled archiving and as luck would have it, I have not seen another one get through since. I had to disable archiving as I had too many mail messages building up, but I am keeping a close eye for them and if I see one go through I am planning on quickly enabling the archive option again to see if maybe another will go through that I can catch and send to Julian.

It does sound like you are experiencing what I am though.

Kyle H.

From brose at MED.WAYNE.EDU Wed Feb 11 16:09:05 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:26 2006
Subject: ANNOUNCE: unstable version 4.27.1 released
Message-ID:

Anyone with an SA rule that can give this spam bounce a high score and drop it ;-) It can go with the rules for dropping the "you are infected" messages.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, February 11, 2004 10:07 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: unstable version 4.27.1 released What a day... I have just released version 4.27.1. This has not had much testing, I hope some of you will help with that. The "bounce" spam action is back, but is hard to abuse. Please read on... If you want to find all the restrictions on its use, do a "Luke" and use the source. I have also fixed a bunch of other things, which are in the ChangeLog below. I am never going to manage to satisfy all of you with this "bounce" problem. However, my best idea is to come up with a compromise that will hopefully satisfy most of you, then put it out there and see. So that's what I have done. There will always be people who want to bounce all spam back to the purported sender, and I think they are 99% wrong. However if they can't do it with MailScanner they will just go and use something else that does let them do it. So I am letting them, but under plenty of restrictions. I'm not sure this is a decision that I can make to everyone's satisfaction. This is not a completely one-sided argument, I can see both sides however weak or strong I consider anyone's case. Here endeth the sermon. Download as usual from www.mailscanner.info. The Change Log is this: * New Features and Improvements * - Improved Linux init.d scripts so that postfix and postfix.in settings are used throughout the init.d script. - Added support for F-Secure 4.52. - When lots of consecutive SpamAssassin timeouts occur, all network tests are now stopped, not just RBL checks. - Added support for Qmail. You will need the contents of qmail/qmail-queue.zip. - Added Exim d2mbox to distribution. - Improved logging output from Trend autoupdater. - Improved logging output from Trend parser. - Added old and new queue ids for Postfix to make for easy message tracking. 
- Portuguese Brazilian reports are now all translated. - Added "Enable Spam Bounce" ruleset for selectively switching on permission to bounce spam from your most important customers. - Fixed small bug in Exim d2mbox script for very long headers. * Fixes * - Fixed bug in "Rebuild Bayes Every" feature on Solaris. - Exim bug with empty Subject headers being corrupted fixed. - Outstanding: Quarantining warning message bug - cannot reproduce on any OS - Outstanding: Exim multiple ACLs - Awaiting Nick or Tony's response -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Wed Feb 11 16:10:31 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:26 2006 Subject: Mydoom Virus getting Through In-Reply-To: <20040211155029.GA1488@bucknell.edu> References: <20040211155029.GA1488@bucknell.edu> Message-ID: <402A53F7.4000808@solid-state-logic.com> Michael Dahlberg wrote:: > > Did you ever find a fix to this problem? > > We're experiencing a similar problem. A number of messages are > passing through MailScanner(4.13-3)/Sophos and then are interpreted as > MyDoom-infected when they reach the client's MUA (Eudora) on a system > which is running Symantec's Antivirus software. If these messages are > intercepted before being downloaded to the client's system, they look > as if they might have something wrong with the MIME header because > some MUAs will interpret the message as not having an attachment. > > Do you see something similar? > > Thanks. Michael the latest 3.78d from Sophos seems to have picked up one that ClamAV 0.66 didn't.... may I suggest you upgrade your sophos to 3.78d. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From dot at DOTAT.AT Wed Feb 11 16:08:02 2004 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:26 2006 Subject: ANNOUNCE: unstable version 4.27.1 released In-Reply-To: Message-ID: Julian Field wrote: > >There will always be people who want to bounce all spam back to the >purported sender, and I think they are 99% wrong. However if they can't >do it with MailScanner they will just go and use something else that does >let them do it. So I am letting them, but under plenty of restrictions. I think MailScanner is the wrong software to use if that is the policy they want to implement: MTAs should be rejecting spam at SMTP time rather than bouncing it later, and MailScanner gets hold of a message too late to do that. If they want an Exim local_scan or Sendmail Milter interface to SpamAssassin, they know where to find it. Tony. -- f.a.n.finch http://dotat.at/ CAPE WRATH TO RATTRAY HEAD INCLUDING ORKNEY: WEST 4 OR 5 GRADUALLY BACKING SOUTH TO SOUTHWEST 3. PATCHY RAIN OR DRIZZLE SOON DYING OUT. MODERATE OR GOOD, OCCASIONALLY POOR AT FIRST IN THE NORTH. SLIGHT OR MODERATE, OCCASIONALLY ROUGH AT FIRST IN NORTH. From erich at MUSEUM.STATE.IL.US Wed Feb 11 16:10:13 2004 
From: erich at MUSEUM.STATE.IL.US (Erich Schroeder) Date: Thu Jan 12 21:22:26 2006 Subject: Mydoom Virus getting Through In-Reply-To: <402A51CD.8080001@solid-state-logic.com> Message-ID: Perhaps you should submit it to the clamav folks? http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi eks On Wed, 11 Feb 2004, Martin Hepworth wrote: > Just got one that SophosSavi 3.78d caught and ClamAV 0.66 didn't. > > This is running on FreeBSD 4.8 with MS 4.24-5 > > if anyone needs the example I'll try and forward it..Julian?? > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > -- --------------------------------------------------------------------- Erich Schroeder Phone: (217)785-0033 Curator, Information Technologies FAX: (217)785-2857 Illinois State Museum GIS Lab email:erich(at)illinois.state.museum http://illinois.state.museum/ --------------------------------------------------------------------- From mailscanner at ecs.soton.ac.uk Wed Feb 11 16:27:38 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:26 2006
Subject: Mydoom Virus getting Through
In-Reply-To: <402A53F7.4000808@solid-state-logic.com>
References: <20040211155029.GA1488@bucknell.edu> <402A53F7.4000808@solid-state-logic.com>
Message-ID: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk>

I found at least 1 part of the problem.

The message that contained the MyDoom that got through Sophos (before 3.78d) was actually a bounce from another mail server that included the entire text of the original message.

This message does not have the right MIME structure for the MIME-tools to be able to open it, as it is a text/plain message that just happens to contain text which contains a mime structure. So MIME-tools quite fairly won't extract the attachments from within it.

I now have an example message of this type, and so I will spend some time working on a solution to it. No guarantees, though, the MIME-tools code is pretty heavy reading.

So don't bother sending me any more, I think the one message I have is a good example of the type of problem. It can also occur with other viruses, it's a problem caused by MTA's bouncing the entire message. Fortunately it's not been a big problem so far, but I would quite like to fix it if I can.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 11 16:30:35 2004
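[Added example, not part of the archived messages and not MailScanner's code (MailScanner is Perl and uses MIME-tools): the gap described in the message above, shown with Python's standard `email` parser. The bounce, the addresses, the payload and all function names are constructed for illustration; the fallback assumes the original message is quoted verbatim and unindented in the bounce body.]

```python
import base64
import email
import re
from email import policy

# Start of a multipart header block quoted inside body text.
EMBEDDED_MIME = re.compile(r"^Content-Type:\s*multipart/", re.I | re.M)
MAX_DEPTH = 3  # bounces of bounces: bound the recursion


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def mime_attachments(msg):
    """Attachments an ordinary MIME walk can see: [(filename, bytes)]."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and not part.is_multipart():
            found.append((name, part.get_payload(decode=True)))
    return found


def embedded_messages(msg):
    """Re-parse MIME structure that sits as plain text in text/plain parts."""
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode("latin-1").replace("\r\n", "\n")
        hit = EMBEDDED_MIME.search(text)
        if not hit:
            continue
        # Back up to the blank line that precedes the quoted header block.
        blank = text.rfind("\n\n", 0, hit.start())
        start = 0 if blank < 0 else blank + 2
        yield parse(text[start:])


def all_attachments(msg, depth=0):
    """What the virus scanner should be handed: visible plus embedded parts."""
    found = mime_attachments(msg)
    if depth < MAX_DEPTH:
        for inner in embedded_messages(msg):
            found.extend(all_attachments(inner, depth + 1))
    return found


# Constructed sample: a text/plain bounce that carries the whole original
# multipart message in its body. The payload is harmless marker bytes.
PAYLOAD = b"constructed harmless bytes standing in for an attachment"
BOUNCE = f"""\
From: MAILER-DAEMON@relay.example
To: user@example.org
Subject: Undelivered mail returned to sender
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Delivery failed. The original message follows.

From: sender@example.net
To: nobody@relay.example
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY42"

--BOUNDARY42
Content-Type: text/plain

see attachment
--BOUNDARY42
Content-Type: application/octet-stream; name="doc.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="doc.zip"

{base64.b64encode(PAYLOAD).decode()}
--BOUNDARY42--
"""

if __name__ == "__main__":
    bounce = parse(BOUNCE)
    print("ordinary MIME walk:", mime_attachments(bounce))
    print("with body re-parse:", [n for n, _ in all_attachments(bounce)])
```
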
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:26 2006
Subject: ANNOUNCE: unstable version 4.27.1 released
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040211162834.0373b918@imap.ecs.soton.ac.uk>

At 16:09 11/02/2004, you wrote:
>Anyone with an SA rule that can give this spam bounce a high score and
>drop it ;-) It can go with the rules for dropping the "you are
>infected" messages.

Something like this should do the trick:

header   MAILSCANNER_BOUNCE Subject =~ /\{Bounce\}/i
describe MAILSCANNER_BOUNCE Automated bounce message from MailScanner
score    MAILSCANNER_BOUNCE 20.0

Put that in your spam.assassin.prefs.conf and restart MailScanner.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Wednesday, February 11, 2004 10:07 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: ANNOUNCE: unstable version 4.27.1 released > >What a day... > >I have just released version 4.27.1. This has not had much testing, I >hope some of you will help with that. > >The "bounce" spam action is back, but is hard to abuse. Please read >on... >If you want to find all the restrictions on its use, do a "Luke" and use >the source. > >I have also fixed a bunch of other things, which are in the ChangeLog >below. > >I am never going to manage to satisfy all of you with this "bounce" >problem. However, my best idea is to come up with a compromise that will >hopefully satisfy most of you, then put it out there and see. So that's >what I have done. There will always be people who want to bounce all >spam back to the purported sender, and I think they are 99% wrong. >However if they can't do it with MailScanner they will just go and use >something else that does let them do it. So I am letting them, but under >plenty of restrictions. > >I'm not sure this is a decision that I can make to everyone's >satisfaction. >This is not a completely one-sided argument, I can see both sides >however weak or strong I consider anyone's case. > >Here endeth the sermon. > >Download as usual from www.mailscanner.info. > >The Change Log is this: > >* New Features and Improvements * >- Improved Linux init.d scripts so that postfix and postfix.in settings >are > used throughout the init.d script. >- Added support for F-Secure 4.52. >- When lots of consecutive SpamAssassin timeouts occur, all network >tests > are now stopped, not just RBL checks. >- Added support for Qmail. You will need the contents of >qmail/qmail-queue.zip. >- Added Exim d2mbox to distribution. >- Improved logging output from Trend autoupdater. >- Improved logging output from Trend parser. 
>- Added old and new queue ids for Postfix to make for easy message >tracking. >- Portuguese Brazilian reports are now all translated. >- Added "Enable Spam Bounce" ruleset for selectively switching on >permission > to bounce spam from your most important customers. >- Fixed small bug in Exim d2mbox script for very long headers. > >* Fixes * >- Fixed bug in "Rebuild Bayes Every" feature on Solaris. >- Exim bug with empty Subject headers being corrupted fixed. >- Outstanding: Quarantining warning message bug - cannot reproduce on >any OS >- Outstanding: Exim multiple ACLs - Awaiting Nick or Tony's response >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ka at PACIFIC.NET Wed Feb 11 16:43:24 2004 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:26 2006 Subject: Mcafee In-Reply-To: <01b701c3f09f$1f020c00$206510ac@euclid.local> References: <01b701c3f09f$1f020c00$206510ac@euclid.local> Message-ID: <402A5BAC.4070409@pacific.net> It comes with active virusscan suite 7.0 Ken Pacific.Net Steve Churcher wrote: > I'm awaiting a call back from nai as well.. no one there seems to know > much about this product! > > Steve > > >>-----Original Message----- 
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >>Behalf Of Randal, Phil >>Sent: 11 February 2004 12:43 >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: Mcafee >> >>No, it has recently been updated, runs like a charm here. >> >>I've just asked on the (McAfee) Total Virus Defense User Group >>mailinglist, >>so hopefully one of the NAI support guys will get back to me. >> >>Cheers, >> >>Phil >> >>--------------------------------------------- >>Phil Randal >>Network Engineer >>Herefordshire Council >>Hereford, UK >> >> >>>-----Original Message----- >>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >>>Behalf Of Remco Barendse >>>Sent: 11 February 2004 12:04 >>>To: MAILSCANNER@JISCMAIL.AC.UK >>>Subject: Re: Mcafee >>> >>> >>>My ISP used to provide it for free with the account but they >>>stopped it >>>because mcafee supposedly ceased development / support on the >>>virusscan >>>for linux?? >>> >>>Have not been able to find any info about it though >>> >>>On Mon, 9 Feb 2004, Steve Churcher wrote: >>> >>> >>>>Hi All >>>> >>>>Does anyone know where I can purchase a license for McAfee >>> >>>Command line >>> >>>>for unix in the UK? Or indeed anywhere really! >>>> >>>>Seems a hard one to track down or maybe its just me.. >>>> >>>>Thanks >>>>Steve >>>> >>> > > From martinh at SOLID-STATE-LOGIC.COM Wed Feb 11 16:47:48 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:26 2006
Subject: Mydoom Virus getting Through
In-Reply-To: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk>
References: <20040211155029.GA1488@bucknell.edu> <402A53F7.4000808@solid-state-logic.com> <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk>
Message-ID: <402A5CB4.8070604@solid-state-logic.com>

Julian Field wrote:
> I found at least 1 part of the problem.
>
> The message that contained the MyDoom that got through Sophos (before
> 3.78d) was actually a bounce from another mail server that included the
> entire text of the original message.
>
> This message does not have the right MIME structure for the MIME-tools to
> be able to open it, as it is a text/plain message that just happens to
> contain text which contains a mime structure. So MIME-tools quite fairly
> won't extract the attachments from within it.
>
> I now have an example message of this type, and so I will spend some time
> working on a solution to it. No guarantees, though, the MIME-tools code is
> pretty heavy reading.
>
> So don't bother sending me any more, I think the one message I have is a
> good example of the type of problem. It can also occur with other viruses,
> it's a problem caused by MTA's bouncing the entire message. Fortunately
> it's not been a big problem so far, but I would quite like to fix it if
> I can.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Julian

that's exactly what I've just seen.

the virus was in a base64 attached multipart message, with only 1 part there, the second being non-existent, even though it says next-part... clunk.

-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From dahlberg at BUCKNELL.EDU Wed Feb 11 17:00:48 2004 
From: dahlberg at BUCKNELL.EDU (Michael Dahlberg) Date: Thu Jan 12 21:22:26 2006 Subject: Mydoom Virus getting Through In-Reply-To: <402A53F7.4000808@solid-state-logic.com> References: <20040211155029.GA1488@bucknell.edu> <402A53F7.4000808@solid-state-logic.com> Message-ID: <20040211170046.GA2869@bucknell.edu> > > Michael > > the latest 3.78d from Sophos seems to have picked up one that ClamAV > 0.66 didn't.... > > may I suggest you upgrade your sophos to 3.78d. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 Martin: Thanks for the suggestion. I initially thought that the problem was with Sophos and called them to discuss the problem. They also recommended that I upgrade to 3.78(d), which I did. Unfortunately, this did not solve the problem. My knowledge of MIME encoding/decoding is limited, but it looks as if the message might have an incomplete MIME header. MailScanner (or the perl modules that handle MIME encoding) analyze the message and determine that there is no MIME-encoded attachment, and as a result delivers the message. The message is received by Eudora (or Outlook), which may be a bit more aggressive in detecting MIME-encoded attachments, and passes the attachment with the incomplete MIME header to NAV and it reports the MyDoom virus. This is just a guess by me from reading other posts on this list and looking at some representative messages. Thanks for the suggestion. Mike From eja at URBAKKEN.DK Wed Feb 11 17:10:21 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:26 2006 Subject: [Fwd: MailScanner 4.27.1] Message-ID: <402A61FD.7010200@urbakken.dk> -- Erik -------------- next part -------------- An embedded message was scrubbed... 
From: Erik Jakobsen Subject: MailScanner 4.27.1 Date: Wed, 11 Feb 2004 17:23:02 +0100 Size: 1194 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040211/c1eefa40/MailScanner4.27.mht From martinh at SOLID-STATE-LOGIC.COM Wed Feb 11 17:18:15 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:26 2006 Subject: Mydoom Virus getting Through In-Reply-To: <20040211170046.GA2869@bucknell.edu> References: <20040211155029.GA1488@bucknell.edu> <402A53F7.4000808@solid-state-logic.com> <20040211170046.GA2869@bucknell.edu> Message-ID: <402A63D7.2070109@solid-state-logic.com> Michael Dahlberg wrote: > > Martin: > > Thanks for the suggestion. I initially thought that the problem was > with Sophos and called them to discuss the problem. They also > recommended that I upgrade to 3.78(d), which I did. Unfortunately, > this did not solve the problem. > > My knowledge of MIME encoding/decoding is limited, but it looks as if > the message might have an incomplete MIME header. MailScanner (or the > perl modules that handle MIME encoding) analyze the message and > determine that there is no MIME-encoded attachment, and as a result > delivers the message. The message is received by Eudora (or Outlook), > which may be a bit more aggressive in detecting MIME-encoded > attachments, and passes the attachment with the incomplete MIME header > to NAV and it reports the MyDoom virus. > > This is just a guess by me from reading other posts on this list and > looking at some representative messages. > > Thanks for the suggestion. > > Mike Mike are you using the SAVI version or the binary version? I'm using the SAVI, and that caught the critter when ClamAV didn't. Also using FreeBSD rather than Linux which might make a difference too. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. 
This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From bpumphrey at WOODMACLAW.COM Wed Feb 11 16:34:16 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:26 2006
Subject: Mydoom Virus getting Through
Message-ID:

Awesome you da man.

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Wednesday, February 11, 2004 11:28 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mydoom Virus getting Through

I found at least 1 part of the problem.

The message that contained the MyDoom that got through Sophos (before 3.78d) was actually a bounce from another mail server that included the entire text of the original message.

This message does not have the right MIME structure for the MIME-tools to be able to open it, as it is a text/plain message that just happens to contain text which contains a mime structure. So MIME-tools quite fairly won't extract the attachments from within it.

I now have an example message of this type, and so I will spend some time working on a solution to it. No guarantees, though, the MIME-tools code is pretty heavy reading.

So don't bother sending me any more, I think the one message I have is a good example of the type of problem. It can also occur with other viruses, it's a problem caused by MTA's bouncing the entire message. Fortunately it's not been a big problem so far, but I would quite like to fix it if I can.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From bpumphrey at WOODMACLAW.COM Wed Feb 11 16:32:11 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:26 2006
Subject: Mydoom Virus getting Through
Message-ID:

FYI: I am experiencing the same thing also.

-----Original Message-----
From: Kyle Harris [mailto:lists@TRCINTL.COM]
Sent: Wednesday, February 11, 2004 11:09 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mydoom Virus getting Through

On Wed, 11 Feb 2004 10:50:31 -0500, Michael Dahlberg wrote:

>Kyle Harris [lists@TRCINTL.COM] wrote:
>> I have been running MailScanner for quite some time and it has successfully
>> found literally thousands of e-mail's infected with the Mydoom virus, as
>> well as many others. However, I have noticed that every now and then for
>> whatever reason one seems to slip through MailScanner. The reason I know
>> this is that my mail is first scanned with MailScanner (using eTrust
>> Antivirus 7.0) and then it is sent on to another machine running TrendMicro
>> InterScan VirusWall (I had that in place before MailScanner).
>>
>> On about 4 occasions since the outbreak of Mydoom, a copy of the virus has
>> made it through MailScanner undetected and has then been caught by the
>> TrendMicro product. I had it happen several times already today. I
>> checked the e-mail ID and I see in the log on MailScanner where it passed
>> through without a hitch.
>>
>> I seem to recall someone posting something earlier about this occurring
>> while using the Sophos antivirus product. I just thought this might be
>> something to take note of. By the way, I am currently using MailScanner
>> version 4.26.8 and my virus signatures are up to date. TrendMicro
>> InterScan VirusWall reports the e-mail messages in question as having
>> Mydoom.A.
>
>Kyle:
>
>Did you ever find a fix to this problem?
>
>We're experiencing a similar problem. A number of messages are
>passing through MailScanner(4.13-3)/Sophos and then are interpreted as
>MyDoom-infected when they reach the client's MUA (Eudora) on a system
>which is running Symantec's Antivirus software. If these messages are
>intercepted before being downloaded to the client's system, they look
>as if they might have something wrong with the MIME header because
>some MUAs will interpret the message as not having an attachment.
>
>Do you see something similar?
>
>Thanks.

I experienced this at least 10 times yesterday (they seemed to come relatively close together) and had experienced it about 3 or 4 times in days prior to that. Julian asked if I could send one to him so I enabled archiving and as luck would have it, I have not seen another one get through since. I had to disable archiving as I had too many mail messages building up, but I am keeping a close eye for them and if I see one go through I am planning on quickly enabling the archive option again to see if maybe another will go through that I can catch and send to Julian. It does sound like you are experiencing what I am though.

Kyle H.

From dean.plant at ROKE.CO.UK Wed Feb 11 17:32:11 2004
From: dean.plant at ROKE.CO.UK (Plant, Dean)
Date: Thu Jan 12 21:22:26 2006
Subject: Mydoom Virus getting Through
Message-ID:

I'm not sure if this is the same problem but the info might be useful.

We are running Trend, Clamav and F-prot on our MailScanner server and find that the MS exchange server that we pass mail onto, running Trend, is picking up the WORM_MyDoom.DAM. This version of the virus passes straight through our MailScanner without being detected even though we are running the same version Trend definitions.

Dean Plant

-----Original Message-----
From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM] Sent: 11 February 2004 17:18 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mydoom Virus getting Through Michael Dahlberg wrote: > > Martin: > > Thanks for the suggestion. I initially thought that the problem was > with Sophos and called them to discuss the problem. They also > recommended that I upgrade to 3.78(d), which I did. Unfortunately, > this did not solve the problem. > > My knowledge of MIME encoding/decoding is limited, but it looks as if > the message might have an incomplete MIME header. MailScanner (or the > perl modules that handle MIME encoding) analyze the message and > determine that there is no MIME-encoded attachment, and as a result > delivers the message. The message is received by Eudora (or Outlook), > which may be a bit more aggressive in detecting MIME-encoded > attachments, and passes the attachment with the incomplete MIME header > to NAV and it reports the MyDoom virus. > > This is just a guess by me from reading other posts on this list and > looking at some representative messages. > > Thanks for the suggestion. > > Mike Mike are you using the SAVI version or the binary version? I'm using the SAVI, and that caught the critter when ClamAV didn't. Also using FreeBSD rather than Linux which might make a difference too. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. 
RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From mailscanner at ecs.soton.ac.uk Wed Feb 11 17:34:45 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:26 2006 Subject: [Fwd: MailScanner 4.27.1] In-Reply-To: <402A61FD.7010200@urbakken.dk> References: <402A61FD.7010200@urbakken.dk> Message-ID: <6.0.1.1.2.20040211173419.036e8488@imap.ecs.soton.ac.uk> At 17:10 11/02/2004, you wrote: >Hi. > >I have just installed the new MailScanner4.27.1. Thanks Julian. > >But I receive this error in my /var/log/maillog: > >Feb 11 17:17:38 gateway MailScanner[22384]: MailScanner E-Mail Virus >Scanner version 4.27.1 starting... >Feb 11 17:17:38 gateway MailScanner[22384]: Cannot open ruleset file >/etc/MailScanner/rules/bounce.rules, No such file or directory >Feb 11 17:17:39 gateway ipop3d[22383]: Logout user=erik >host=[192.168.1.250] nmsgs=0 ndele=0 >Feb 11 17:17:48 gateway MailScanner[22386]: MailScanner E-Mail Virus >Scanner version 4.27.1 starting... >Feb 11 17:17:48 gateway MailScanner[22386]: Cannot open ruleset file >/etc/MailScanner/rules/bounce.rules, No such file or directory > >The bounce.rules file doesn't exist. How is it made ?. By installing 4.27.1-2 which has the file in it. Sorry about that. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From leduc at CTS.COM Wed Feb 11 17:52:29 2004 
From: leduc at CTS.COM (Gene LeDuc) Date: Thu Jan 12 21:22:26 2006 Subject: Mydoom Virus getting Through In-Reply-To: <402A53F7.4000808@solid-state-logic.com> References: <20040211155029.GA1488@bucknell.edu> <402A53F7.4000808@solid-state-logic.com> Message-ID: <200402110952.29840.leduc@cts.com> How do you find 3.78d? I spent 15 minutes looking through the sophos website and could only find 3.78. On Wednesday 11 February 2004 08:10 am, Martin Hepworth wrote: > the latest 3.78d from Sophos seems to have picked up one that ClamAV > 0.66 didn't.... > > may I suggest you upgrade your sophos to 3.78d. From martinh at SOLID-STATE-LOGIC.COM Wed Feb 11 17:56:20 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:26 2006 Subject: Mydoom Virus getting Through In-Reply-To: <200402110952.29840.leduc@cts.com> References: <20040211155029.GA1488@bucknell.edu> <402A53F7.4000808@solid-state-logic.com> <200402110952.29840.leduc@cts.com> Message-ID: <402A6CC4.8050802@solid-state-logic.com> Gene LeDuc wrote: > How do you find 3.78d? I spent 15 minutes looking through the sophos website > and could only find 3.78. > > On Wednesday 11 February 2004 08:10 am, Martin Hepworth wrote: > >>the latest 3.78d from Sophos seems to have picked up one that ClamAV >>0.66 didn't.... >> >>may I suggest you upgrade your sophos to 3.78d. Gene there's a link off http://www.sophos.com/support/news/ for your O/S -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From kodak at FRONTIERHOMEMORTGAGE.COM Wed Feb 11 18:00:11 2004 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:26 2006 Subject: Mydoom Virus getting Through In-Reply-To: <200402110952.29840.leduc@cts.com> Message-ID: <005501c3f0c8$e4cafea0$0501a8c0@darkside> >How do you find 3.78d? I spent 15 minutes looking through the >sophos website >and could only find 3.78. Someone else already answered this, but this is different. You can also subscribe to it via the Sophos EM Library. HTH, --J(K) From Jan-Peter.Koopmann at SECEIDOS.DE Wed Feb 11 18:05:55 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:26 2006
Subject: Mydoom Virus getting Through
Message-ID:

Hi Julian,

> This message does not have the right MIME structure for the
> MIME-tools to be able to open it, as it is a text/plain
> message that just happens to contain text which contains a
> mime structure. So MIME-tools quite fairly won't extract the
> attachments from within it.

Would that not also mean that these messages would not expand correctly on the usual MUAs and therefore do not really pose a threat?

Regards,
JP

From JEN at AH.DK Wed Feb 11 17:59:28 2004
From: JEN at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:22:26 2006
Subject: Svar: Re: Mydoom Virus getting Through
Message-ID:

I have just upgraded from 4.23.11 to 4.26.8-1 on my secondary MX server, and now I see that some Mydoom.A is not detected! And the attachment is a *.scr, which should be stopped by filename.rules.conf!

If I release the messages (it's spam) to another server (the primary), which is running MailScanner 4.22-5, the Mydoom virus is detected.

I run f-prot and kaspersky on both servers.

If I run f-prot on the files (from the quarantine) it detects the Mydoom virus attachment from mailwatch

/jan Elmqvist Nielsen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: MYDOOM.JPG
Type: image/jpeg
Size: 142172 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040211/e7f0260a/MYDOOM.jpe

From dustin.baer at IHS.COM Wed Feb 11 18:21:07 2004
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:27 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. References: <3A411846CD3C0D4CB3D8704F937353703E2915@be-00.foundation.sdsu.edu> <6.0.3.0.2.20040210222339.03e67808@imap.ecs.soton.ac.uk> <40295E30.356665CC@ihs.com> <6.0.1.1.2.20040211091130.03d73120@imap.ecs.soton.ac.uk> Message-ID: <402A7293.FB26BBFC@ihs.com> Julian Field wrote: > > At 22:41 10/02/2004, you wrote: > >Julian Field wrote: > > > > > > That will mean the bounce header name will have to be fixed and > > > non-configurable. Which may be a good thing anyway. Slightly worried that > > > it opens up an attack route though. Someone could pile in mail containing > > > the bounce header, and you would quietly delete it. So someone could DoS > > > your mail servers without you being able to work out why. Not sure I want > > > to do that. > > > Thoughts? Dustin Baer wrote: > > > >Rules can be written at the MTA level that can discard on a particular > >header...with Sendmail, at least. Might be better to leave it up to the > >MTA to discard, rather than potentially opening yourself to DoS. > > Very good idea. Well...maybe not... > I have tagged all the subject lines in all the spam bounce > reports, so you can just filter on Subject: which most people can work out > how to do (either at MTA or MUA level). It is a rock-and-a-hard-place scenario. If a receiving admin decides to spam bounce a legitimate email, and the sending admin had decided to discard based on header information, then nobody is made aware of anything. Kudos to you for trying to please everyone! Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From dustin.baer at IHS.COM Wed Feb 11 18:24:49 2004 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:27 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. References: <6.0.1.1.2.20040211093100.036d70c0@imap.ecs.soton.ac.uk> <402A19D3.30003@avalonpub.com> Message-ID: <402A7371.3413C99B@ihs.com> Daniel Kleinsinger wrote: > > Julian Field wrote: > > Maybe someone already suggested this, but how about a required setting > for an email contact that is added to the bottom of the bounce message > instead of the default > MailScanner > Email Virus Scanner > www.mailscanner.info > MailScanner thanks transtec Computers for their support > ? > > Then maybe you can make your threat of "redirecting all my abusive email > to you" come true. Along these same lines, something that I thought about this morning. Rather than bouncing with "From: <>", how about bouncing with "From: " That way, when our users start complaining (even more) about their addresses being sender spoofed by spammers, we can contact a real person to complain about bouncing to a spoofed sender. Julian, I realize you have already released 4.27, so this might be something to think about for the future. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From brose at MED.WAYNE.EDU Wed Feb 11 18:27:08 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:27 2006 Subject: [Fwd: MailScanner 4.27.1] Message-ID: Ha ha! You really did want to make it difficult for them. ;-) -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, February 11, 2004 12:35 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [Fwd: MailScanner 4.27.1] At 17:10 11/02/2004, you wrote: >Hi. > >I have just installed the new MailScanner4.27.1. Thanks Julian. > >But I receive this error in my /var/log/maillog: > >Feb 11 17:17:38 gateway MailScanner[22384]: MailScanner E-Mail Virus >Scanner version 4.27.1 starting... >Feb 11 17:17:38 gateway MailScanner[22384]: Cannot open ruleset file >/etc/MailScanner/rules/bounce.rules, No such file or directory Feb 11 >17:17:39 gateway ipop3d[22383]: Logout user=erik host=[192.168.1.250] >nmsgs=0 ndele=0 Feb 11 17:17:48 gateway MailScanner[22386]: MailScanner >E-Mail Virus Scanner version 4.27.1 starting... >Feb 11 17:17:48 gateway MailScanner[22386]: Cannot open ruleset file >/etc/MailScanner/rules/bounce.rules, No such file or directory > >The bounce.rules file doesn't exist. How is it made ?. By installing 4.27.1-2 which has the file in it. Sorry about that. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Kevin_Miller at CI.JUNEAU.AK.US Wed Feb 11 18:28:13 2004 
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:27 2006 Subject: Local Relay patch for MS Message-ID: <08146035CA49D6119A36009027AC822A0264EDF9@CITY-EXCH-NTS> >-----Original Message----- >Eek! Bad guy forges 1 header and you don't scan it as you trust the >headers. Great idea, that one. Only a marketing guy could have >thought of that :-( Even Microsoft don't write code that is that broken... Augh. I'm wounded to the quick. It's really not all that bad because everybody's header line is different. The spammer isn't going to know 40,000 different headers and custom tailor his output to each. A header that says "X-CBJ-MailScanner: Found to be clean" isn't going to get by a server that's looking for "X-ECS-MailScanner: Found to be clean" or vice versa. YMMV... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From lists at TRCINTL.COM Wed Feb 11 18:32:10 2004 
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:22:27 2006
Subject: Mydoom Virus getting Through
Message-ID:

On Wed, 11 Feb 2004 16:27:38 +0000, Julian Field wrote:

>I found at least 1 part of the problem.
>
>The message that contained the MyDoom that got through Sophos (before
>3.78d) was actually a bounce from another mail server that included the
>entire text of the original message.
>
>This message does not have the right MIME structure for the MIME-tools to
>be able to open it, as it is a text/plain message that just happens to
>contain text which contains a mime structure. So MIME-tools quite fairly
>won't extract the attachments from within it.
>
>I now have an example message of this type, and so I will spend some time
>working on a solution to it. No guarantees, though, the MIME-tools code is
>pretty heavy reading.
>
>So don't bother sending me any more, I think the one message I have is a
>good example of the type of problem. It can also occur with other viruses,
>it's a problem caused by MTA's bouncing the entire message. Fortunately
>it's not been a big problem so far, but I would quite like to fix it if I can.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

I think I just found another one and it appears to match your explanation above. It appears to be a bounce with the original message, at least that is what I think it is. Judging by the number of other people that have replied to this post, seems like several others are experiencing this same problem. If it helps any, I have been thinking back and I updated my MailScanner to 4.26.8 a week or so back and I don't recall having this happen before that time. Could be a coincidence or maybe my bad memory but I thought I would throw that in.

Kyle H.

From mailscanner at ecs.soton.ac.uk Wed Feb 11 18:39:16 2004
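The case Julian Field describes in this thread (a text/plain bounce whose body happens to contain the original message's MIME structure), shown as an added example that is not part of the original posts and is not MailScanner or MIME-tools code. Python's standard `email` parser stands in for MIME-tools here; the bounce message, addresses, boundary string, extension list and all function names are constructed for illustration.

```python
"""Added illustration: attachments hidden inside a text/plain bounce body."""
import base64
import re
from email import message_from_string
from email.policy import default

# Constructed, harmless bytes standing in for the attachment content.
PAYLOAD = b"constructed harmless payload"
B64 = base64.b64encode(PAYLOAD).decode("ascii")

# Constructed sample bounce: the outer message is declared text/plain and its
# body quotes the whole original message, MIME headers and parts included.
BOUNCE = f"""\
From: MAILER-DAEMON@mx.example.net
To: user@example.org
Subject: Undeliverable mail
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Delivery failed. The original message follows.

From: sender@example.com
To: nobody@example.net
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed;
\tboundary="----=_constructed_0001"

This is a multi-part message in MIME format.

------=_constructed_0001
Content-Type: text/plain; charset=us-ascii

See the attached file.

------=_constructed_0001
Content-Type: application/octet-stream; name="document.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.scr"

{B64}

------=_constructed_0001--
"""

# A header line inside a text body that announces a multipart structure.
EMBEDDED_MULTIPART = re.compile(r"^Content-Type:[ \t]*multipart/", re.I | re.M)
# Assumed deny-list for this illustration only; a real policy belongs in the
# scanner's own filename rules.
BLOCKED_EXT = re.compile(r"\.(scr|pif|exe|com|bat)$", re.I)


def attachments_seen(raw):
    """Filenames a structure-following MIME parser reports for the message."""
    msg = message_from_string(raw, policy=default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def header_block_start(text, pos):
    """Back up from a header line to the blank line that opens its block."""
    blank = text.rfind("\n\n", 0, pos)
    return 0 if blank == -1 else blank + 2


def embedded_attachments(raw):
    """Re-parse MIME structure found inside text/plain bodies.

    Returns (filename, decoded_bytes) pairs that the outer parse never sees,
    so they can be handed to the filename rules and the virus scanners.
    """
    found = []
    msg = message_from_string(raw, policy=default)
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        text = part.get_content().replace("\r\n", "\n")
        for match in EMBEDDED_MULTIPART.finditer(text):
            start = header_block_start(text, match.start())
            inner = message_from_string(text[start:], policy=default)
            for sub in inner.walk():
                name = sub.get_filename()
                if name:
                    item = (name, sub.get_payload(decode=True))
                    if item not in found:
                        found.append(item)
    return found


def verdict(raw):
    """Summarise what the normal parse sees versus what the body hides."""
    hidden = embedded_attachments(raw)
    return {
        "parsed": attachments_seen(raw),
        "embedded": [name for name, _ in hidden],
        "blocked": [name for name, _ in hidden if BLOCKED_EXT.search(name)],
    }


if __name__ == "__main__":
    print(verdict(BOUNCE))
```

The sketch only handles an original message quoted verbatim in the bounce body; bounces that indent or prefix the quoted text would need that prefix removed before re-parsing.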
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:27 2006
Subject: Mydoom Virus getting Through
In-Reply-To:
References:
Message-ID: <6.0.3.0.2.20040211183900.038af598@imap.ecs.soton.ac.uk>

At 18:32 11/02/2004, you wrote:
>On Wed, 11 Feb 2004 16:27:38 +0000, Julian Field
> wrote:
>
> >I found at least 1 part of the problem.
> >
> >The message that contained the MyDoom that got through Sophos (before
> >3.78d) was actually a bounce from another mail server that included the
> >entire text of the original message.
> >
> >This message does not have the right MIME structure for the MIME-tools to
> >be able to open it, as it is a text/plain message that just happens to
> >contain text which contains a mime structure. So MIME-tools quite fairly
> >won't extract the attachments from within it.
> >
> >I now have an example message of this type, and so I will spend some time
> >working on a solution to it. No guarantees, though, the MIME-tools code is
> >pretty heavy reading.
> >
> >So don't bother sending me any more, I think the one message I have is a
> >good example of the type of problem. It can also occur with other viruses,
> >it's a problem caused by MTA's bouncing the entire message. Fortunately
> >it's not been a big problem so far, but I would quite like to fix it if I
>can.
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support
> >
> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>I think I just found another one and it appears to match your explanation
>above. It appears to be a bounce with the original message, at least that
>is what I think it is. Judging by the number of other people that have
>replied to this post, seems like several others are experiencing this same
>problem. If it helps any, I have been thinking back and I updated my
>MailScanner to 4.26.8 a week or so back and I don't recall having this
>happen before that time. Could be a coincidence or maybe my bad memory but
>I thought I would throw that in.

Coincidence.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 11 18:38:26 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:27 2006
Subject: Local Relay patch for MS
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EDF9@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264EDF9@CITY-EXCH-NTS>
Message-ID: <6.0.3.0.2.20040211183736.039a1c88@imap.ecs.soton.ac.uk>

At 18:28 11/02/2004, you wrote:
> >-----Original Message-----
> >Eek! Bad guy forges 1 header and you don't scan it as you trust the
> >headers. Great idea, that one. Only a marketing guy could have
> >thought of that :-( Even Microsoft don't write code that is that broken...
>
>Augh. I'm wounded to the quick.
>
>It's really not all that bad because everybody's header line is different.
>The spammer isn't going to know 40,000 different headers and custom tailor
>his output to each. A header that says "X-CBJ-MailScanner: Found to be
>clean" isn't going to get by a server that's looking for "X-ECS-MailScanner:
>Found to be clean" or vice versa.
>
>YMMV...

Too right it will V.
The spammers can easily discover your header setting. Security by obscurity, never going to work.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Wed Feb 11 16:23:02 2004
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:27 2006 Subject: MailScanner 4.27.1 Message-ID: <402A56E6.70903@urbakken.dk> Hi. I have just installed the new MailScanner4.27.1. Thanks Julian. But I receive this error in my /var/log/maillog: Feb 11 17:17:38 gateway MailScanner[22384]: MailScanner E-Mail Virus Scanner version 4.27.1 starting... Feb 11 17:17:38 gateway MailScanner[22384]: Cannot open ruleset file /etc/MailScanner/rules/bounce.rules, No such file or directory Feb 11 17:17:39 gateway ipop3d[22383]: Logout user=erik host=[192.168.1.250] nmsgs=0 ndele=0 Feb 11 17:17:48 gateway MailScanner[22386]: MailScanner E-Mail Virus Scanner version 4.27.1 starting... Feb 11 17:17:48 gateway MailScanner[22386]: Cannot open ruleset file /etc/MailScanner/rules/bounce.rules, No such file or directory The bounce.rules file doesn't exist. How is it made ?. -- Erik From eja at URBAKKEN.DK Wed Feb 11 18:47:53 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:27 2006 Subject: [Fwd: MailScanner 4.27.1] In-Reply-To: References: Message-ID: <402A78D9.5030102@urbakken.dk> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Julian Field > Sent: Wednesday, February 11, 2004 12:35 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [Fwd: MailScanner 4.27.1] > > At 17:10 11/02/2004, you wrote: > >>Hi. >> >>I have just installed the new MailScanner4.27.1. Thanks Julian. >> >>But I receive this error in my /var/log/maillog: >> >>Feb 11 17:17:38 gateway MailScanner[22384]: MailScanner E-Mail Virus >>Scanner version 4.27.1 starting... >>Feb 11 17:17:38 gateway MailScanner[22384]: Cannot open ruleset file >>/etc/MailScanner/rules/bounce.rules, No such file or directory Feb 11 >>17:17:39 gateway ipop3d[22383]: Logout user=erik host=[192.168.1.250] >>nmsgs=0 ndele=0 Feb 11 17:17:48 gateway MailScanner[22386]: MailScanner > > >>E-Mail Virus Scanner version 4.27.1 starting... >>Feb 11 17:17:48 gateway MailScanner[22386]: Cannot open ruleset file >>/etc/MailScanner/rules/bounce.rules, No such file or directory >> >>The bounce.rules file doesn't exist. How is it made ?. > > > By installing 4.27.1-2 which has the file in it. Sorry about that. NP > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Erik From steve.douglas at SBIINCORPORATED.COM Wed Feb 11 19:01:03 2004 
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:22:27 2006 Subject: Port / NetBIOS Message-ID: <3963522F0E71474CB14C0FF54A6914F701AF3C80@mail.gardenbotanika.com> I am set up with RH9, SA 2.61, MS December release, 1.5 GB of RAM, 80 GB duplexed drives. The MS system is forwards from the DMZ through the firewall to my internal Exchange 5.5 file server. My firewall logs are filled by the megatons with errors showing the Exchange email server attempting to send NetBios calls (port 137) to the DMZ MS gateway. I guess this is normal considering the exchange system is trying to do its job (as far as Microsoft is concerned) in identifying the system that is passing it all this email. My firewall has this port blocked for obvious reasons. Is this normal and is there anything that I should do further to shut the exchange server up or just live with it? Thanks. SD :-) From lists at STHOMAS.NET Wed Feb 11 19:27:50 2004 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:22:27 2006 Subject: Port / NetBIOS In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701AF3C80@mail.gardenbotanika.com>; from steve.douglas@SBIINCORPORATED.COM on Wed, Feb 11, 2004 at 01:01:03PM -0600 References: <3963522F0E71474CB14C0FF54A6914F701AF3C80@mail.gardenbotanika.com> Message-ID: <20040211112750.D12174@sthomas.net> On Wed, Feb 11, 2004 at 01:01:03PM -0600, Steve Douglas is rumored to have said: > > is there anything that I should do further to shut the exchange server up or > just live with it? C:\>format c: ;) -- "Talent does what it can; genius does what it must." - Edward George Bulwer-Lytton (1803-1873) From help at opencompt.com Wed Feb 11 19:31:00 2004 
From: help at opencompt.com (Opencomputing Team) Date: Thu Jan 12 21:22:27 2006 Subject: OpenProtect-5.0.1.5 released Message-ID: <402A82F4.4050302@opencompt.com> Hi, OpenProtect-5.0.1.5(http://opencomputing.sf.net) has been released. Download it from http://osdn.dl.sourceforge.net/sourceforge/opencomputing/openprotect-5.0.1.5.tar.gz. Changes are: 5.0.1.5 ------- *Fixed rc directories link for SuSE, Mandrake *Fixed installation under arch's other than i386 *Made OpenTunnel Support Package an optional one *Removed one redundant input during qmail enable *Fixed a default value in openprotect-enable *Delete stale lock files in /tmp and other scripts in /usr/bin during uninstallation *Better pattern matching for IP address in Qmail module cheers, Opencomputing Team | Ph/Fax: +91 (0) 44 52166646 Opencomputing Technologies | http://opencompt.com Server Side E-Mail Protection. From george.hartogensis at NCFCORP.COM Wed Feb 11 19:31:27 2004 
From: george.hartogensis at NCFCORP.COM (SUBSCRIBE MAILSCANNER George)
Date: Thu Jan 12 21:22:27 2006
Subject: queue files
Message-ID:

We are currently running MailScanner 4.26.8-1 with sendmail 8.12.6-159 on SuSE SLES 8.1. I am finding that there are many 'childless' q* files being left in the inbound queue directory (/var/spool/mqueue.in). These q* files have no corresponding d* files and they eventually seem to disappear, which I assume is because sendmail sees them as having not been sent after so many days. They are not really hurting anything except for the fact that MailScanner, and MailWatch, seem to think that the inbound queue is really huge and subsequently I am seeing higher loads on my mail server than I would otherwise. I have occasionally cleaned out the childless q* files and have seen my loads drop considerably. We process about 30K mail messages a day through this server yet the amount of childless q* files is about 300 a day. It has been proposed to me that I set a daily cron to clean out the offending files, but I would rather fix the problem. Has anybody out there seen this and how have they dealt with it?

From mailscanner at BARENDSE.TO Wed Feb 11 19:41:48 2004
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:22:27 2006
Subject: Port / NetBIOS
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EDFC@CITY-EXCH-NTS>
Message-ID:

Why don't you just drop the packets unlogged instead of logging such packets? That will keep your firewall logs clean

>
> >-----Original Message-----
> >From: Steve Douglas [mailto:steve.douglas@SBIINCORPORATED.COM] > >Sent: Wednesday, February 11, 2004 10:01 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Port / NetBIOS > > > > > >I am set up with RH9, SA 2.61, MS December release, 1.5 GB of > >RAM, 80 GB > >duplexed drives. The MS system is forwards from the DMZ through the > >firewall to my internal Exchange 5.5 file server. > > > >My firewall logs are filled by the megatons with errors > >showing the Exchange > >email server attempting to send NetBios calls (port 137) to the DMZ MS > >gateway. I guess this is normal considering the exchange > >system is trying > >to do its job (as far as Microsoft is concerned) in > >identifying the system > >that is passing it all this email. > > > >My firewall has this port blocked for obvious reasons. Is > >this normal and > >is there anything that I should do further to shut the > >exchange server up or > >just live with it? > > > >Thanks. > > > >SD :-) > > > From dnsadmin at 1BIGTHINK.COM Wed Feb 11 19:52:29 2004 
From: dnsadmin at 1BIGTHINK.COM (DNSAdmin) Date: Thu Jan 12 21:22:27 2006 Subject: Port / NetBIOS In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701AF3C80@mail.gardenbotani ka.com> Message-ID: <5.2.1.1.0.20040211145050.060ef138@mail.1bigthink.com> At 01:01 PM 2/11/2004 -0600, you wrote: >I am set up with RH9, SA 2.61, MS December release, 1.5 GB of RAM, 80 GB >duplexed drives. The MS system is forwards from the DMZ through the >firewall to my internal Exchange 5.5 file server. > >My firewall logs are filled by the megatons with errors showing the Exchange >email server attempting to send NetBios calls (port 137) to the DMZ MS >gateway. I guess this is normal considering the exchange system is trying >to do its job (as far as Microsoft is concerned) in identifying the system >that is passing it all this email. > >My firewall has this port blocked for obvious reasons. Is this normal and >is there anything that I should do further to shut the exchange server up or >just live with it? SMB protocol is chatty. It loves to announce itself to the world! As has been duly noted, unless you want to 'format C:' and install Linux or UNIX, you will have to live with it. From Kevin_Miller at CI.JUNEAU.AK.US Wed Feb 11 19:38:27 2004 
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:27 2006 Subject: Port / NetBIOS Message-ID: <08146035CA49D6119A36009027AC822A0264EDFC@CITY-EXCH-NTS> Assume you're connecting to the MS box with the Exchange IMC. Might try putting the host name/address in the LMHOST file on the Exchange box so it doesn't have to query for the name. Don't know if that'll help or not but might be worth a try. Normally requires a reboot, but there's a command to make Windows reread the file. Forget what it is at the moment, sorry... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 >-----Original Message----- >From: Steve Douglas [mailto:steve.douglas@SBIINCORPORATED.COM] >Sent: Wednesday, February 11, 2004 10:01 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Port / NetBIOS > > >I am set up with RH9, SA 2.61, MS December release, 1.5 GB of >RAM, 80 GB >duplexed drives. The MS system is forwards from the DMZ through the >firewall to my internal Exchange 5.5 file server. > >My firewall logs are filled by the megatons with errors >showing the Exchange >email server attempting to send NetBios calls (port 137) to the DMZ MS >gateway. I guess this is normal considering the exchange >system is trying >to do its job (as far as Microsoft is concerned) in >identifying the system >that is passing it all this email. > >My firewall has this port blocked for obvious reasons. Is >this normal and >is there anything that I should do further to shut the >exchange server up or >just live with it? > >Thanks. > >SD :-) > From steve.douglas at SBIINCORPORATED.COM Wed Feb 11 20:07:36 2004 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:22:27 2006 Subject: Port / NetBIOS Message-ID: <3963522F0E71474CB14C0FF54A6914F701AF3C88@mail.gardenbotanika.com> Thanks. -----Original Message----- 
From: DNSAdmin [mailto:dnsadmin@1BIGTHINK.COM] Sent: Wednesday, February 11, 2004 1:52 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Port / NetBIOS At 01:01 PM 2/11/2004 -0600, you wrote: >I am set up with RH9, SA 2.61, MS December release, 1.5 GB of RAM, 80 GB >duplexed drives. The MS system is forwards from the DMZ through the >firewall to my internal Exchange 5.5 file server. > >My firewall logs are filled by the megatons with errors showing the Exchange >email server attempting to send NetBios calls (port 137) to the DMZ MS >gateway. I guess this is normal considering the exchange system is trying >to do its job (as far as Microsoft is concerned) in identifying the system >that is passing it all this email. > >My firewall has this port blocked for obvious reasons. Is this normal and >is there anything that I should do further to shut the exchange server up or >just live with it? SMB protocol is chatty. It loves to announce itself to the world! As has been duly noted, unless you want to 'format C:' and install Linux or UNIX, you will have to live with it. From mickey-ml at GREENGLOW.ORG Wed Feb 11 20:33:35 2004 
From: mickey-ml at GREENGLOW.ORG (Mickey Everts)
Date: Thu Jan 12 21:22:27 2006
Subject: bayes rebuild not completing?
Message-ID: <006501c3f0de$5311d770$640a0a0a@gyruss>

I installed the latest stable release earlier this week and turned on the auto rebuild feature. This is on a Linux box for the record. Anyways, here are the messages I see in my logs.

Feb 11 10:23:30 defender MailScanner[680]: Bayes database rebuild is due
Feb 11 10:23:31 defender MailScanner[680]: SpamAssassin Bayes database rebuild preparing
Feb 11 10:24:06 defender MailScanner[680]: SpamAssassin Bayes database rebuild starting

My settings are as follows:

Rebuild Bayes Every = 86400
Wait During Bayes Rebuild = yes

I grepped the MailScanner source and it appears that I should be seeing the following message also, but I am not.

SpamAssassin Bayes database rebuild completed

Any suggestions?

Regards,

Mickey

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040211/d4769035/attachment.html

From danielk at AVALONPUB.COM Wed Feb 11 20:32:32 2004
From: danielk at AVALONPUB.COM (Daniel Kleinsinger) Date: Thu Jan 12 21:22:27 2006 Subject: Mydoom Virus getting Through In-Reply-To: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> Message-ID: <402A9160.70005@avalonpub.com> Julian Field wrote: >The message that contained the MyDoom that got through Sophos (before >3.78d) was actually a bounce from another mail server that included the >entire text of the original message. > >Fortunately it's not been a big problem so far, but I would quite like to fix it if I can. > > > I'm running Sophos in addition to Trend and F-Prot. Using MailWatch I checked which virii got caught by which scanner and before installing 3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total MyDoom.A slipped past Sophos everyday). Since installing 3.78d (yesterday) Sophos is catching all that Trend and F-Prot are. There still seem to be some people having issues with 3.78d, but in my case it seems like it was a problem with Sophos, not MailScanner. Daniel From drew at THEMARSHALLS.CO.UK Wed Feb 11 20:37:35 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:27 2006 Subject: Mydoom Virus getting Through In-Reply-To: <402A9160.70005@avalonpub.com> References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> <402A9160.70005@avalonpub.com> Message-ID: <402A928F.4060107@themarshalls.co.uk> Daniel Kleinsinger wrote: > Julian Field wrote: > >> The message that contained the MyDoom that got through Sophos (before >> 3.78d) was actually a bounce from another mail server that included the >> entire text of the original message. >> >> Fortunately it's not been a big problem so far, but I would quite >> like to fix it if I can. >> >> >> > I'm running Sophos in addition to Trend and F-Prot. Using MailWatch I > checked which virii got caught by which scanner and before installing > 3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total > MyDoom.A slipped past Sophos everyday). Since installing 3.78d > (yesterday) Sophos is catching all that Trend and F-Prot are. There > still seem to be some people having issues with 3.78d, but in my case it > seems like it was a problem with Sophos, not MailScanner. > > Daniel I would suggest that this as much an antivirus issue. I run F-prot and Antivir and until Antivir updated their engine about a week ago only F-prot was reliably catching the bounce messages with the original message attached. With the new engine, all is well again and both are catching them. Looks like F-Prot had a better message scanning engine than the others had at the time. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From mailscanner at ecs.soton.ac.uk Wed Feb 11 21:34:35 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:27 2006 Subject: Fix -- Re: Mydoom Virus getting Through In-Reply-To: <402A928F.4060107@themarshalls.co.uk> References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> <402A9160.70005@avalonpub.com> <402A928F.4060107@themarshalls.co.uk> Message-ID: <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> I have hopefully managed to make the MIME parser a lot more robust. It certainly appears to solve the current problem. If you are running a nice recent version, backup your old Message.pm and replace it with this one. Then please test it against the copies of MyDoom that are getting through. The result of a fine evening spent wading through MIME-tools code and deciding that it can't rewind :-( Let me know how it goes. At 20:37 11/02/2004, you wrote: >Daniel Kleinsinger wrote: > >>Julian Field wrote: >> >>>The message that contained the MyDoom that got through Sophos (before >>>3.78d) was actually a bounce from another mail server that included the >>>entire text of the original message. >>> >>>Fortunately it's not been a big problem so far, but I would quite >>>like to fix it if I can. >>> >>> >>I'm running Sophos in addition to Trend and F-Prot. Using MailWatch I >>checked which virii got caught by which scanner and before installing >>3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total >>MyDoom.A slipped past Sophos everyday). Since installing 3.78d >>(yesterday) Sophos is catching all that Trend and F-Prot are. There >>still seem to be some people having issues with 3.78d, but in my case it >>seems like it was a problem with Sophos, not MailScanner. >> >>Daniel > >I would suggest that this as much an antivirus issue. I run F-prot and >Antivir and until Antivir updated their engine about a week ago only >F-prot was reliably catching the bounce messages with the original >message attached. With the new engine, all is well again and both are >catching them. 
Looks like F-Prot had a better message scanning engine >than the others had at the time. > >Drew > >-- >In line with our policy, this message has >been scanned for viruses and dangerous >content by MailScanner, and is believed to be clean. >www.themarshalls.co.uk/policy -------------- next part -------------- A non-text attachment was scrubbed... Name: Message.pm Type: application/octet-stream Size: 122833 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040211/941d5ad7/Message.obj -------------- next part -------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From james at DENY.ORG Wed Feb 11 22:05:43 2004 From: james at DENY.ORG (James Sizemore) Date: Thu Jan 12 21:22:27 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.1.1.2.20040211092347.036d8798@imap.ecs.soton.ac.uk> References: <93B43B0A099CFE4AB0AED9B54919346E256828@srv-btc-2k.corp.ben chmark-usa.com> <5.2.1.1.0.20040210154511.064231e8@mail.1bigthink.com> <6.0.3.0.2.20040210205309.03b3bbd0@imap.ecs.soton.ac.uk> <1076448060.7678.6.camel@andy.pessimists.net> <6.0.3.0.2.20040210212711.03ceb768@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040211092347.036d8798@imap.ecs.soton.ac.uk> Message-ID: <402AA737.6090602@deny.org> Julian Field wrote: > At 23:57 10/02/2004, you wrote: > >> If it returns, I think you should make this option only work on 'Spam >> Actions', but not on 'High Scoring Spam Actions'. > > > I like that. > Speak now if you think this test is not a good idea. > -- I agree with this! Which is how I used it any-e-ways. From james at DENY.ORG Wed Feb 11 22:11:44 2004 
From: james at DENY.ORG (James Sizemore) Date: Thu Jan 12 21:22:27 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <5.2.1.1.2.20040211073944.06cf1408@securemail.tulsaconnect.com> References: <40290C0F.6080306@deny.org> <40290C0F.6080306@deny.org> <5.2.1.1.2.20040211073944.06cf1408@securemail.tulsaconnect.com> Message-ID: <402AA8A0.7040407@deny.org> ISP List wrote: > At 12:26 PM 2/10/2004 -0500, you wrote: > >> Hmm, that's a great way to convince people to join your cause.. start >> off >> with a flame before anyone even replies. >> >> Sigh. > > > Not to contribute anything useful to this thread, but, did anyone else > see > the irony in the original senders E-mail address of "james@DENY.ORG"? :-) > You like that. From peter at UCGBOOK.COM Wed Feb 11 22:17:02 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:27 2006 Subject: Local Relay patch for MS In-Reply-To: <1076451737.21285.26.camel@localhost.localdomain> References: <1076451737.21285.26.camel@localhost.localdomain> Message-ID: <402AA9DE.7060803@ucgbook.com> Lindsay Snider wrote: > Julian and fellow Mailscanneriers, > Here is a patch which allows MailScanner to ignore ips acting as > relays to your mailscanner server. For example, if you collect mail on > a mx server and then relay it to a mailscanner server, you can specify > your mx server as a local relay. Then, mailscanner will not report the > mx server as the source of the message but rather the ip which connected > to the mx. I have a pair of MX servers before my MS box and since SA goes through all the received headers it doesn't matter to me when it comes to detect spam but I use MailStats (now called Vispan) and it has a cool feature that shows the origin of spam by checking the IP address of the sending server. In my case that means all my spam seems to come from Sweden. ;-) Would that be fixed by this patch? If so, I'm interested in a Sendmail version. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP 4.1.2 From mailscanner at ecs.soton.ac.uk Wed Feb 11 22:29:00 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:27 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <402AA8A0.7040407@deny.org> References: <40290C0F.6080306@deny.org> <40290C0F.6080306@deny.org> <5.2.1.1.2.20040211073944.06cf1408@securemail.tulsaconnect.com> <402AA8A0.7040407@deny.org> Message-ID: <6.0.3.0.2.20040211222709.03cda950@imap.ecs.soton.ac.uk> At 22:11 11/02/2004, you wrote: >ISP List wrote: > >>At 12:26 PM 2/10/2004 -0500, you wrote: >> >>>Hmm, that's a great way to convince people to join your cause.. start >>>off >>>with a flame before anyone even replies. >>> >>>Sigh. >> >> >>Not to contribute anything useful to this thread, but, did anyone else >>see >>the irony in the original senders E-mail address of "james@DENY.ORG"? :-) >You like that. Hopefully you are testing 4.27.1-2 Before we deny anything else ;o) Seems strangely quiet round here tonight..... -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From kodak at FRONTIERHOMEMORTGAGE.COM Wed Feb 11 22:31:53 2004 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:27 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.3.0.2.20040211222709.03cda950@imap.ecs.soton.ac.uk> Message-ID: <009d01c3f0ee$d95a1cb0$0501a8c0@darkside> >Seems strangely quiet round here tonight..... We could start another flamewar, if you'd like. ;) --J(K) From raymond at PROLOCATION.NET Wed Feb 11 22:44:41 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:27 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <6.0.3.0.2.20040211222709.03cda950@imap.ecs.soton.ac.uk> Message-ID: Hi! > Hopefully you are testing 4.27.1-2 > Before we deny anything else ;o) > > Seems strangely quiet round here tonight..... We are awaiting the clamlib patch hehehehe =) ,-) Bye, Raymond. From ka at PACIFIC.NET Wed Feb 11 23:15:36 2004 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:27 2006 Subject: Fix -- Re: Mydoom Virus getting Through In-Reply-To: <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> <402A9160.70005@avalonpub.com> <402A928F.4060107@themarshalls.co.uk> <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> Message-ID: <402AB798.1080006@pacific.net> I tried installing this Message.pm and restarted MailScanner, but I quickly built up a large incoming queue and all exploding in /incoming stopped happening. The directory stayed empty after restarting MailScanner. I'm not sure what caused it, but things went back to normal after I put the old Message.pm back. I'm running 4.26.5, perhaps not a recent enough version? Thanks, Ken A Pacific.Net Julian Field wrote: > I have hopefully managed to make the MIME parser a lot more robust. It > certainly appears to solve the current problem. If you are running a nice > recent version, backup your old Message.pm and replace it with this one. > > Then please test it against the copies of MyDoom that are getting through. > > The result of a fine evening spent wading through MIME-tools code and > deciding that it can't rewind :-( > > Let me know how it goes. > > At 20:37 11/02/2004, you wrote: > >> Daniel Kleinsinger wrote: >> >>> Julian Field wrote: >>> >>>> The message that contained the MyDoom that got through Sophos (before >>>> 3.78d) was actually a bounce from another mail server that included the >>>> entire text of the original message. >>>> >>>> Fortunately it's not been a big problem so far, but I would quite >>>> like to fix it if I can. >>>> >>>> >>> I'm running Sophos in addition to Trend and F-Prot. Using MailWatch I >>> checked which virii got caught by which scanner and before installing >>> 3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total >>> MyDoom.A slipped past Sophos everyday). 
Since installing 3.78d >>> (yesterday) Sophos is catching all that Trend and F-Prot are. There >>> still seem to be some people having issues with 3.78d, but in my case it >>> seems like it was a problem with Sophos, not MailScanner. >>> >>> Daniel >> >> >> I would suggest that this as much an antivirus issue. I run F-prot and >> Antivir and until Antivir updated their engine about a week ago only >> F-prot was reliably catching the bounce messages with the original >> message attached. With the new engine, all is well again and both are >> catching them. Looks like F-Prot had a better message scanning engine >> than the others had at the time. >> >> Drew >> >> -- >> In line with our policy, this message has >> been scanned for viruses and dangerous >> content by MailScanner, and is believed to be clean. >> www.themarshalls.co.uk/policy > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ka at PACIFIC.NET Wed Feb 11 23:38:05 2004 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:27 2006 Subject: Fix -- Re: Mydoom Virus getting Through In-Reply-To: <402AB798.1080006@pacific.net> References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> <402A9160.70005@avalonpub.com> <402A928F.4060107@themarshalls.co.uk> <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> <402AB798.1080006@pacific.net> Message-ID: <402ABCDD.7020503@pacific.net> Looking at the log, I see that MailScanner failed to start. Ken Ken Anderson wrote: > I tried installing this Message.pm and restarted MailScanner, but I > quickly built up a large incoming queue and all exploding in /incoming > stopped happening. The directory stayed empty after restarting > MailScanner. I'm not sure what caused it, but things went back to normal > after I put the old Message.pm back. I'm running 4.26.5, perhaps not a > recent enough version? > Thanks, > Ken A > Pacific.Net > > > Julian Field wrote: > >> I have hopefully managed to make the MIME parser a lot more robust. It >> certainly appears to solve the current problem. If you are running a nice >> recent version, backup your old Message.pm and replace it with this one. >> >> Then please test it against the copies of MyDoom that are getting >> through. >> >> The result of a fine evening spent wading through MIME-tools code and >> deciding that it can't rewind :-( >> >> Let me know how it goes. >> >> At 20:37 11/02/2004, you wrote: >> >>> Daniel Kleinsinger wrote: >>> >>>> Julian Field wrote: >>>> >>>>> The message that contained the MyDoom that got through Sophos (before >>>>> 3.78d) was actually a bounce from another mail server that included >>>>> the >>>>> entire text of the original message. >>>>> >>>>> Fortunately it's not been a big problem so far, but I would quite >>>>> like to fix it if I can. >>>>> >>>>> >>>> I'm running Sophos in addition to Trend and F-Prot. 
Using MailWatch I >>>> checked which virii got caught by which scanner and before installing >>>> 3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total >>>> MyDoom.A slipped past Sophos everyday). Since installing 3.78d >>>> (yesterday) Sophos is catching all that Trend and F-Prot are. There >>>> still seem to be some people having issues with 3.78d, but in my >>>> case it >>>> seems like it was a problem with Sophos, not MailScanner. >>>> >>>> Daniel >>> >>> >>> >>> I would suggest that this as much an antivirus issue. I run F-prot and >>> Antivir and until Antivir updated their engine about a week ago only >>> F-prot was reliably catching the bounce messages with the original >>> message attached. With the new engine, all is well again and both are >>> catching them. Looks like F-Prot had a better message scanning engine >>> than the others had at the time. >>> >>> Drew >>> >>> -- >>> In line with our policy, this message has >>> been scanned for viruses and dangerous >>> content by MailScanner, and is believed to be clean. >>> www.themarshalls.co.uk/policy >> >> >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz >> MailScanner thanks transtec Computers for their support >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > From michele at BLACKNIGHTSOLUTIONS.COM Wed Feb 11 23:38:33 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:27 2006 Subject: For those of us that feel strongly that email should be a reliable transport medium. In-Reply-To: <009d01c3f0ee$d95a1cb0$0501a8c0@darkside> Message-ID: > >Seems strangely quiet round here tonight..... > > We could start another flamewar, if you'd like. I always get into trouble with them :( From lindsay at pa.net Wed Feb 11 23:43:55 2004 
From: lindsay at pa.net (Lindsay Snider)
Date: Thu Jan 12 21:22:27 2006
Subject: Local Relay patch for MS
In-Reply-To: <402AA9DE.7060803@ucgbook.com>
References: <1076451737.21285.26.camel@localhost.localdomain> <402AA9DE.7060803@ucgbook.com>
Message-ID: <1076543035.21285.135.camel@localhost.localdomain>

On Wed, 2004-02-11 at 17:17, Peter Bonivart wrote:
> Lindsay Snider wrote:
> > Julian and fellow Mailscanneriers,
> > Here is a patch which allows MailScanner to ignore ips acting as
> > relays to your mailscanner server. For example, if you collect mail on
> > a mx server and then relay it to a mailscanner server, you can specify
> > your mx server as a local relay. Then, mailscanner will not report the
> > mx server as the source of the message but rather the ip which connected
> > to the mx.
>
> I have a pair of MX servers before my MS box and since SA goes through
> all the received headers it doesn't matter to me when it comes to detect
> spam but I use MailStats (now called Vispan) and it has a cool feature
> that shows the origin of spam by checking the IP address of the sending
> server. In my case that means all my spam seems to come from Sweden. ;-)
>
> Would that be fixed by this patch? If so, I'm interested in a Sendmail
> version.

I'm not familiar w/ MailStats but I'd suggest that this probably would. The syslog:maillog will be correct as would a function run from 'Always Looked Up Last' in MailScanner.conf.

>
> --
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP 4.1.2
--
Lindsay Snider

From pete at eatathome.com.au Thu Feb 12 00:02:14 2004
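The idea behind the local-relay patch discussed in the two messages above, sketched in Python as an added example (this is not Lindsay Snider's patch and not MailScanner code): walk the Received headers newest first, skip hops whose connecting address is one of your own relays, and report the first address outside that set. The relay addresses, sample messages and function names are constructed for illustration, and the parser assumes the sendmail/Postfix header style `from HELO (rdns [ip])`.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: addresses of your own MX hosts that relay mail to the scanner.
LOCAL_RELAYS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]

# sendmail/Postfix style: "from HELO (rdns [ip])". The HELO token is chosen by
# the client, so only the bracketed address inside the comment, which the
# receiving MTA writes from the TCP connection, is used.
_FROM_CLAUSE = re.compile(
    r"^from\s+\S+\s+\((?:[^\[\]()]*\s)?\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]"
    r"(?:\s+\(may be forged\))?\)",
    re.IGNORECASE,
)


def connecting_ip(received_value):
    """Return the peer address recorded in one Received header, or None."""
    unfolded = " ".join(received_value.split())  # undo header folding
    match = _FROM_CLAUSE.match(unfolded)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def is_local_relay(ip):
    """True when the address belongs to one of our own relays."""
    return any(ip in net for net in LOCAL_RELAYS)


def true_source_ip(raw_message):
    """Walk Received headers newest first and return, as a string, the first
    peer address that is not one of our relays. None means every hop was a
    local relay or a hop could not be parsed."""
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        ip = connecting_ip(hop)
        if ip is None:
            return None      # fail closed: never skip ahead to older headers
        if not is_local_relay(ip):
            return str(ip)   # every header below this hop is sender-supplied
    return None


# Constructed sample: scanner <- mx1 <- outside host. The outside host used a
# relay address as its HELO name and prepended a forged hop of its own.
RELAYED = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby scanner.example.net (8.12.10/8.12.10) with ESMTP id i1BMH2aa000001;
\tWed, 11 Feb 2004 22:17:02 GMT
Received: from [192.0.2.11] (dsl-7.example.org [203.0.113.7])
\tby mx1.example.net (8.12.10/8.12.10) with SMTP id i1BMH1bb000002;
\tWed, 11 Feb 2004 22:17:01 GMT
Received: from mx2.example.net (mx2.example.net [192.0.2.11])
\tby nowhere.invalid with SMTP; Wed, 11 Feb 2004 22:16:59 GMT
From: sender@example.org
Subject: constructed sample

body
"""

# Constructed sample: mail that only ever passed through our own relay.
INTERNAL_ONLY = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby scanner.example.net (8.12.10/8.12.10) with ESMTP id i1BMH2cc000003;
\tWed, 11 Feb 2004 22:18:00 GMT
From: cron@example.net
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print("relayed message source:", true_source_ip(RELAYED))
    print("internal message source:", true_source_ip(INTERNAL_ONLY))
```

The walk stops at the first hop that is not a local relay because headers below it were written by hosts you do not control, so a forged hop naming one of your relays is never consulted.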
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:27 2006 Subject: bayes rebuild not completing? In-Reply-To: <006501c3f0de$5311d770$640a0a0a@gyruss> References: <006501c3f0de$5311d770$640a0a0a@gyruss> Message-ID: <402AC286.8060505@eatathome.com.au> Mickey Everts wrote: > I installed the latest stable release earlier this week and turned on > the auto rebuild feature. This is on a Linux box for the record. > Anyways, here are the messages I see in my logs. > > > > Feb 11 10:23:30 defender MailScanner[680]: Bayes database rebuild is due > > Feb 11 10:23:31 defender MailScanner[680]: SpamAssassin Bayes database > rebuild preparing > > Feb 11 10:24:06 defender MailScanner[680]: SpamAssassin Bayes database > rebuild starting > > > > My settings are as follows: > > > > Rebuild Bayes Every = 86400 > > Wait During Bayes Rebuild = yes > > > > I grepped the MailScanner source and it appears that I should be > seeing the following message also, but I am not. > > > > SpamAssassin Bayes database rebuild completed > > > > Any suggestions? > > > > Regards, > > > > Mickey > Does rebuild bayes completely remove all entries and start from scratch? Where do those config entries go? I cant find in ms.conf or sa.conf Can i add the above 2 lines to my spamassassin.prefs.conf and my bayes will be renewed from scratch every month? Thanks Pete From rafalek at RAFI.PL.EU.ORG Thu Feb 12 00:18:09 2004 From: rafalek at RAFI.PL.EU.ORG (Rafal Janas) Date: Thu Jan 12 21:22:27 2006 Subject: question?? Message-ID: <20040212011520.B38012@78-tor-7.acn.waw.pl> Is it normal situation that MailScanner[37967]: Postfix queue structure is depth 1 in maillog? What does it mean exactly? From jen at AH.DK Thu Feb 12 00:34:26 2004 
From: jen at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:22:27 2006
Subject: Mydoom Virus getting Through - High Spam
Message-ID:

All the Mydoom viruses which have not been detected are all High Spam! I store all High Spam and don't pass them though I have set my High Spam score a little higher to see what happens :-)

/jan Elmqvist Nielsen

From jen at AH.DK Thu Feb 12 01:06:15 2004
From: jen at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:22:27 2006
Subject: Svar: Mydoom Virus getting Through - High Spam - YES
Message-ID:

I upgraded MS to 4.26.8-1 the 9/2-2004 And I can see that also Dumaru is not detected when High Spam score is reached! My High Spam score was 12

/Jan Elmqvist Nielsen

>>> jen@AH.DK 12-02-2004 01:34:26 >>>
All the Mydoom viruses which have not been detected are all High Spam! I store all High Spam and don't pass them though I have set my High Spam score a little higher to see what happens :-)

/jan Elmqvist Nielsen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: DUMARU.JPG
Type: image/jpeg
Size: 156627 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040212/57bc0b80/DUMARU.jpe

From ugob at CAMO-ROUTE.COM Thu Feb 12 01:11:27 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:27 2006
Subject: question??
In-Reply-To: <20040212011520.B38012@78-tor-7.acn.waw.pl>
References: <20040212011520.B38012@78-tor-7.acn.waw.pl>
Message-ID: <402AD2BF.6090707@camo-route.com>

Rafal Janas wrote:
> Is it normal situation that
> MailScanner[37967]: Postfix queue structure is depth 1
> in maillog?

Yes, it is normal.

> What does it mean exactly?

I don't know exactly, but I guess it informs you of postfix structure's depth. Sorry I can't tell you more.

Ugo

From Kevin_Miller at CI.JUNEAU.AK.US Thu Feb 12 01:19:02 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:27 2006
Subject: MailScanner 8.26-1 won't start
Message-ID: <08146035CA49D6119A36009027AC822A0264EE00@CITY-EXCH-NTS>

Don't know what I did, but I'm building a new server on SuSE 8.0 and installed 8.26-1. It was working, but I turned it off to add a couple other things like Spamassassin, Razor2, and mailscanner-mrtg. Now when I try to start it I get this:

city-dns2-su8:/var/log # ps aux | grep MailScanner
root 14157 0.0 4.2 12752 10948 ? S 15:16 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
root 14158 1.3 0.0 0 0 ? Z 15:16 0:01 [MailScanner ]
root 14160 1.4 0.0 0 0 ? Z 15:16 0:01 [MailScanner ]
root 14177 28.0 0.0 0 0 ? Z 15:18 0:01 [MailScanner ]
root 14179 0.0 0.2 1636 592 pts/0 R 15:18 0:00 grep MailScanner

I have it set to three child processes. Tail -f /var/log/mail just shows a new process being started every 10 seconds. I'm stumped. I've killed it, then checked /var/log/mail and the odd thing is that the virus scanner update checks are being run on the hour, even if MailScanner isn't running. Not sure what's calling them. I thought MailScanner did. Nothing else in mail - all I get is:

Feb 11 16:17:24 city-dns2-su8 MailScanner[16428]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 11 16:17:34 city-dns2-su8 MailScanner[16430]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 11 16:17:44 city-dns2-su8 MailScanner[16433]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...

Any clues? Anybody else seen this lately?

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Administrator, Mail Administrator
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From jrudd at UCSC.EDU Thu Feb 12 01:10:00 2004
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:22:27 2006
Subject: Problem with latest version of Mailscanner
References:
Message-ID: <402AD268.5FAEE9B@ucsc.edu>

(note to the mailscanner list: I'm top-posting due to the location of the included files, I'm sorry, and I generally try to avoid that ... the context is in the quoted section)

Cyrille,

I suspect that the problems are the two "SENDMAIL=" lines. Unfortunately, I don't know anything about how these new configurations are set up (I haven't updated my mailscanner in a while), so I'm CC'ing the mailscanner mailing list in case I'm wrong (and some of my comments are more directed at them, than at you).

I'm assuming that the "SENDMAIL=" lines are somehow over-riding the MailScanner.conf entries for "Sendmail =" and "Sendmail2 =". The problem is that neither of the lines mentioned below are clear as to which MailScanner.conf item they are supposed to be. In MailScanner.conf, Sendmail2 should be the ms2cgp script, and I don't know how to set that in these new files you've sent. the "Sendmail =" line should be your communigate pro compatibility "sendmail" ( /opt/CommuniGate/sendmail ), however, this does not run as a daemon, and it's hard to tell if one of these is trying to run as a daemon.

Most directly, what I would suggest is: don't use rc.MailScanner (nor its newer counter-part) nor the equiv. for Sendmail. Disable them. (IMO, rc.MailScanner is riddled with assumptions about mailers, and, IMO, that's poor coding) I would, instead, create a new MailScanner start-up script (that goes in /etc/init.d or /etc/rc.d/init.d or wherever redhat puts that stuff these days) that just invokes "/opt/mailscanner/bin/check_mailscanner" for starting, and just kills whatever is in /opt/mailscanner/var/MailScanner.pid for stopping.
Something like this:

#!/bin/sh
#
case "$1" in
'start')
        # Start MailScanner through its own check script
        /opt/mailscanner/bin/check_mailscanner
        ;;
'stop')
        # Stop MailScanner using the PID it recorded
        kill `cat /opt/mailscanner/var/MailScanner.pid`
        ;;
*)
        echo "Usage: $0 { start | stop }"
        exit 1
        ;;
esac
exit 0

That should be enough. Having MailScanner's rc file start or stop the external mailer (such as sendmail) is an incredibly bad idea, and I don't know why anyone started doing that. It breaks encapsulation, and a host of other "good ideas" all for the sake of convenience ... never a good trade. This is exactly the type of thing that is the target of the old acronym "KISS: Keep it Simple" (with emphasis on the missing S word).

Have MailScanner's rc file control mailscanner, and do nothing else. Have CommuniGate Pro's rc file control CommuniGate Pro, and do nothing else (or substitute in whichever mailer is in discussion). That's how it should be.

Hopefully MailScanner still properly listens to its MailScanner.conf directives, though. If they've stopped having it do that, then I don't know what to say. It may mean that new versions of MailScanner have stopped being useable with CommuniGate Pro.

> Cyrille Gueugnon wrote:
>
> Hello John,
>
> First of all I would like to thank you for your work, i've been
> searching for days on the web a solution to control the viruses and
> Spam on Communigate and your page made me discover MailScanner.
>
> So I'm Cyrille a french geek and i have a small problem to make
> MailScanner to work properly with Communigate pro.
>
> My config is
>
> Linux Redhat 9
> Communigate Pro 4.1.8
> MailScanner 4.26.8
>
> using mcafee 4.3.32 for virus scanning
>
> I've followed all you indications to setup the connection between CGP
> and MS and it seems to work only in one way.
>
> cgp2ms is making his job, sending the mail to MS which analyse them
> but don't send them back to CGP. It's putting them in the Queue and it
> seems that sendmail is sending the messages directly.
> > The only point I'm not sure is the configuration of the rc.MailScanner > file. This Script does not exist anymore and has been replaced by a > file simply name MailScanner in the /etc/init.d/ directory. > It uses variables stored in a /etc/sysconfig/MailScanner file > > The sendmail_enable does not seems to work as variable > and sendmail_program is no longer present. > > There's a SENDMAIL variable that i set to '/dev/null' that cause > MailScanner to crah, when I just let a blank field, I have 2 error > messages about Sendmail but MailScanner Starts correctly. > > > here are those files. > > Thanks by advance for your help > > Cyrille > > *************************************************************************************************** > /etc/init.d/MailScanner > > #!/bin/bash > # > # mailscanner This shell script takes care of starting and stopping > # MailScanner, and its associated copies of sendmail. > # > # chkconfig: 2345 80 30 > # description: MailScanner is an open-source E-Mail Gateway Virus > Scanner. > # processname: MailScanner > # config: /etc/MailScanner/MailScanner.conf > # pidfile: /var/run/MailScanner.pid > > # Source function library. > . /etc/rc.d/init.d/functions > > # Source networking configuration. > . /etc/sysconfig/network > > # > # If you are using sendmail, Exim or Postfix, please try to avoid > editing > # thie file. Edit /etc/sysconfig/MailScanner instead. > # > MTA=sendmail > QUEUETIME=15m > WORKDIR=/var/spool/MailScanner/incoming > INQDIR=/var/spool/mqueue.in > INPID=/var/run/sendmail.in.pid > OUTPID=/var/run/sendmail.out.pid > SMPID=/var/run/sm-client.pid > MSPUSER=smmsp > MSPGROUP=smmsp > SENDMAIL=/usr/sbin/sendmail > POSTFIX=/usr/sbin/postfix > POSTFIXINCF=/etc/postfix.in > POSTFIXOUTCF=/etc/postfix > EXIM=/usr/sbin/exim > EXIMINCF=/etc/exim.conf > EXIMSENDCF=/etc/exim_send.conf > ZMAILER=/usr/lib/zmailer/zmailer > ZMAILERCF=/etc/zmailer/zmailer.conf > RESTART_DELAY=10 > > # Source mailscanner configuration. 
> if [ -f /etc/sysconfig/MailScanner ] ; then > . /etc/sysconfig/MailScanner > fi > export MTA > export QUEUETIME > export WORKDIR > export INQDIR > export INPID > export OUTPID > export SMPID > export MSPUSER > export MSPGROUP > export SENDMAIL > export POSTFIX > export POSTFIXINCF > export POSTFIXOUTCF > export EXIM > export EXIMINCF > export EXIMSENDCF > export ZMAILER > export ZMAILERCF# > Then the code > > ************************************************************************************ > /etc/sysconfig/MailScanner > > # Put in here all the settings for your particular mail system so that > # MailScanner's init.d script can run it all for you. > # > > # > # Are you running Postfix, sendmail, Exim or ZMailer? > # > MTA=sendmail > #MTA=postfix > #MTA=exim > #MTA=zmailer > > # > # MailScanner Settings > # > WORKDIR=/var/spool/MailScanner/incoming # Where the temp MailScanner > files live > RESTART_DELAY=10 # Pause time between stop and start when restarting > > # > # Sendmail Settings > # > SENDMAIL= > # Was /usr/bin/sendmail > QUEUETIME=15m > INQDIR=/var/spool/mqueue.in > INPID=/var/run/sendmail.in.pid > OUTPID=/var/run/sendmail.out.pid > SMPID=/var/run/sm-client.pid > MSPUSER=smmsp # User for mail submission queue runner > MSPGROUP=smmsp # Group for mail submission queue runner > # > # Postfix settings > # > POSTFIX=/usr/sbin/postfix > POSTFIXINCF=/etc/postfix.in # Directory containing incoming > configuration > POSTFIXOUTCF=/etc/postfix # Directory containing outgoing > configuration > > # > # Exim settings > # > EXIM=/usr/local/exim/bin/exim > EXIMINCF=/usr/local/exim/configure # Incoming configuration > file > EXIMSENDCF=/usr/local/exim/exim_send.conf # Outgoing configuration > file > > # > # ZMailer settings > # > ZMAILER=/usr/lib/zmailer/zmailer > ZMAILERCF=/etc/zmailer/zmailer.conf # Configuration file > > > > > export RESTART_DELAY > **************************************************************************************************** From jen at AH.DK 
Thu Feb 12 01:24:52 2004
From: jen at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:22:27 2006
Subject: Svar: Mydoom Virus getting Through - High Spam - YES
Message-ID:

wrong date - I upgraded sunday the 8/2 so the fail of detecting has nothing to do with the upgrade :-)

>>> jen@AH.DK 12-02-2004 02:06:15 >>>
I upgraded MS to 4.26.8-1 the 9/2-2004
And I can see that also Dumaru is not detected when High Spam score is reached!
My High Spam score was 12

/Jan Elmqvist Nielsen

>>> jen@AH.DK 12-02-2004 01:34:26 >>>
All the Mydoom viruses which not have been detected is all High Spam!
I store all High Spam and doesn't pass them through
I have set my High Spam score a little higher to see what happens :-)

/jan Elmqvist Nielsen

From ugob at CAMO-ROUTE.COM Thu Feb 12 01:55:21 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:27 2006 Subject: MailScanner 8.26-1 won't start In-Reply-To: <08146035CA49D6119A36009027AC822A0264EE00@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264EE00@CITY-EXCH-NTS> Message-ID: <402ADD09.1090105@camo-route.com> Kevin Miller wrote: > Don't know what I did, but I'm building a new server on SuSE 8.0 and > installed 8.26-1. It was working, but I turned it off to add a couple other > things like Spamassassin, Razor2, and mailscanner-mrtg. Now when I try to > start it I get this: > > city-dns2-su8:/var/log # ps aux | grep MailScanner > root 14157 0.0 4.2 12752 10948 ? S 15:16 0:00 /usr/bin/perl > -I/usr/lib/MailScanner /usr/sbin/MailScanner > /etc/MailScanner/MailScanner.conf > root 14158 1.3 0.0 0 0 ? Z 15:16 0:01 [MailScanner > ] > root 14160 1.4 0.0 0 0 ? Z 15:16 0:01 [MailScanner > ] > root 14177 28.0 0.0 0 0 ? Z 15:18 0:01 [MailScanner > ] > root 14179 0.0 0.2 1636 592 pts/0 R 15:18 0:00 grep > MailScanner > > > I have it set to three child processes. Tail -f /var/log/mail just shows a > new process being started every 10 seconds. I'm stumped. I've killed it, > then checked /var/log/mail and the odd thing is that the virus scanner > update checks are being run on the hour, even if MailScanner isn't running. > Not sure what's calling them. I thought MailScanner did. Nothing else in > mail - all I get is: > > Feb 11 16:17:24 city-dns2-su8 MailScanner[16428]: MailScanner E-Mail Virus > Scanner version 4.26.8 starting... > Feb 11 16:17:34 city-dns2-su8 MailScanner[16430]: MailScanner E-Mail Virus > Scanner version 4.26.8 starting... > Feb 11 16:17:44 city-dns2-su8 MailScanner[16433]: MailScanner E-Mail Virus > Scanner version 4.26.8 starting... > > > Any clues? Anybody else seen this lately? Yup, I remember seeing that when I was trying to configure MailWatch. I needed to upgrade a perl module. > > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. 
Network Systems Administrator, Mail > Administrator > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 From danielk at AVALONPUB.COM Thu Feb 12 02:40:49 2004 
From: danielk at AVALONPUB.COM (Daniel Kleinsinger) Date: Thu Jan 12 21:22:27 2006 Subject: MailScanner 8.26-1 won't start In-Reply-To: <08146035CA49D6119A36009027AC822A0264EE00@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264EE00@CITY-EXCH-NTS> Message-ID: <402AE7B1.5070501@avalonpub.com> Try Debug=yes in MailScanner.conf and it should give you more info. The virus updaters run from cron so it makes sense that they're still running. Good luck. Daniel Kevin Miller wrote: >Don't know what I did, but I'm building a new server on SuSE 8.0 and >installed 8.26-1. It was working, but I turned it off to add a couple other >things like Spamassassin, Razor2, and mailscanner-mrtg. Now when I try to >start it I get this: > >city-dns2-su8:/var/log # ps aux | grep MailScanner >root 14157 0.0 4.2 12752 10948 ? S 15:16 0:00 /usr/bin/perl >-I/usr/lib/MailScanner /usr/sbin/MailScanner >/etc/MailScanner/MailScanner.conf >root 14158 1.3 0.0 0 0 ? Z 15:16 0:01 [MailScanner >] >root 14160 1.4 0.0 0 0 ? Z 15:16 0:01 [MailScanner >] >root 14177 28.0 0.0 0 0 ? Z 15:18 0:01 [MailScanner >] >root 14179 0.0 0.2 1636 592 pts/0 R 15:18 0:00 grep >MailScanner > > >I have it set to three child processes. Tail -f /var/log/mail just shows a >new process being started every 10 seconds. I'm stumped. I've killed it, >then checked /var/log/mail and the odd thing is that the virus scanner >update checks are being run on the hour, even if MailScanner isn't running. >Not sure what's calling them. I thought MailScanner did. Nothing else in >mail - all I get is: > >Feb 11 16:17:24 city-dns2-su8 MailScanner[16428]: MailScanner E-Mail Virus >Scanner version 4.26.8 starting... >Feb 11 16:17:34 city-dns2-su8 MailScanner[16430]: MailScanner E-Mail Virus >Scanner version 4.26.8 starting... >Feb 11 16:17:44 city-dns2-su8 MailScanner[16433]: MailScanner E-Mail Virus >Scanner version 4.26.8 starting... > > >Any clues? Anybody else seen this lately? 
> > >...Kevin >-- >Kevin Miller Registered Linux User No: 307357 >CBJ MIS Dept. Network Systems Administrator, Mail >Administrator >155 South Seward Street ph: (907) 586-0242 >Juneau, Alaska 99801 fax: (907 586-4500 > > From rafalek at RAFI.PL.EU.ORG Thu Feb 12 08:39:31 2004 From: rafalek at RAFI.PL.EU.ORG (Rafal Janas) Date: Thu Jan 12 21:22:27 2006 Subject: mailscanner & freebsd Message-ID: <20040212093719.Y39635@78-tor-7.acn.waw.pl> Is someone try to start mailscanner with postfix on freebsd 5.1 or older? From martinh at SOLID-STATE-LOGIC.COM Thu Feb 12 08:56:00 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:27 2006 Subject: mailscanner & freebsd In-Reply-To: <20040212093719.Y39635@78-tor-7.acn.waw.pl> References: <20040212093719.Y39635@78-tor-7.acn.waw.pl> Message-ID: <402B3FA0.1090602@solid-state-logic.com> Rafal Janas wrote: > Is someone try to start mailscanner with postfix on freebsd 5.1 or older? Hi there are people running 5.1 and postfix with MS. Have a look in the list archives BUT, remember the 5.x series are still considered UNSTABLE and should be treated as such IMHO. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 84230 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From drew at THEMARSHALLS.CO.UK Thu Feb 12 09:19:37 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:27 2006 Subject: mailscanner & freebsd In-Reply-To: <402B3FA0.1090602@solid-state-logic.com> References: <20040212093719.Y39635@78-tor-7.acn.waw.pl> <402B3FA0.1090602@solid-state-logic.com> Message-ID: <18989.194.70.180.170.1076577577.squirrel@net.themarshalls.co.uk> Martin Hepworth said: > Rafal Janas wrote: >> Is someone try to start mailscanner with postfix on freebsd 5.1 or >> older? > > Hi > > there are people running 5.1 and postfix with MS. Have a look in the > list archives > > BUT, remember the 5.x series are still considered UNSTABLE and should be > treated as such IMHO. Indeed and I am successfully running Postfix, MailScanner on FreeBSD 5.2(!) although it's not a high volume server, I haven't (He says touching the most timber like thing he can find!) had any problems. > > Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From martinh at SOLID-STATE-LOGIC.COM Thu Feb 12 09:25:47 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:27 2006 Subject: mailscanner & freebsd In-Reply-To: <18989.194.70.180.170.1076577577.squirrel@net.themarshalls.co.uk> References: <20040212093719.Y39635@78-tor-7.acn.waw.pl> <402B3FA0.1090602@solid-state-logic.com> <18989.194.70.180.170.1076577577.squirrel@net.themarshalls.co.uk> Message-ID: <402B469B.7000006@solid-state-logic.com> Drew Marshall wrote: > Martin Hepworth said: > >>Rafal Janas wrote: >> >>>Is someone try to start mailscanner with postfix on freebsd 5.1 or >>>older? >> >>Hi >> >>there are people running 5.1 and postfix with MS. Have a look in the >>list archives >> >>BUT, remember the 5.x series are still considered UNSTABLE and should be >>treated as such IMHO. > > Indeed and I am successfully running Postfix, MailScanner on FreeBSD > 5.2(!) although it's not a high volume server, I haven't (He says touching > the most timber like thing he can find!) had any problems. > >> > Drew Drew Well seeing as though 5.2.1 is due out soon, as they broke quite a few things in 5.2, I'd be be ready for the upgrade. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mailscanner at ecs.soton.ac.uk Thu Feb 12 08:35:08 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:27 2006
Subject: Fix -- Re: Mydoom Virus getting Through
In-Reply-To: <402ABCDD.7020503@pacific.net>
References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> <402A9160.70005@avalonpub.com> <402A928F.4060107@themarshalls.co.uk> <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> <402AB798.1080006@pacific.net> <402ABCDD.7020503@pacific.net>
Message-ID: <6.0.1.1.2.20040212083334.03dba8e8@imap.ecs.soton.ac.uk>

Please try this patch instead of the new Message.pm.

cd /usr/lib/MailScanner/MailScanner
cp Message.pm Message.pm.safe
patch -p0 < Message.pm.4.26.5.patch
service MailScanner restart

If it still fails, set "Debug = yes" in MailScanner.conf, then

service MailScanner stop
sleep 15
check_MailScanner

and let me know what it says.

At 23:38 11/02/2004, you wrote:
>Looking at the log, I see that MailScanner failed to start.
>Ken
>
>
>Ken Anderson wrote:
>
>>I tried installing this Message.pm and restarted MailScanner, but I
>>quickly built up a large incoming queue and all exploding in /incoming
>>stopped happening. The directory stayed empty after restarting
>>MailScanner. I'm not sure what caused it, but things went back to normal
>>after I put the old Message.pm back. I'm running 4.26.5, perhaps not a
>>recent enough version?
>>Thanks,
>>Ken A
>>Pacific.Net
>>
>>
>>Julian Field wrote:
>>
>>>I have hopefully managed to make the MIME parser a lot more robust. It
>>>certainly appears to solve the current problem. If you are running a nice
>>>recent version, backup your old Message.pm and replace it with this one.
>>>
>>>Then please test it against the copies of MyDoom that are getting
>>>through.
>>>
>>>The result of a fine evening spent wading through MIME-tools code and
>>>deciding that it can't rewind :-(
>>>
>>>Let me know how it goes.
>>> >>>At 20:37 11/02/2004, you wrote: >>> >>>>Daniel Kleinsinger wrote: >>>> >>>>>Julian Field wrote: >>>>> >>>>>>The message that contained the MyDoom that got through Sophos (before >>>>>>3.78d) was actually a bounce from another mail server that included >>>>>>the >>>>>>entire text of the original message. >>>>>> >>>>>>Fortunately it's not been a big problem so far, but I would quite >>>>>>like to fix it if I can. >>>>>> >>>>>I'm running Sophos in addition to Trend and F-Prot. Using MailWatch I >>>>>checked which virii got caught by which scanner and before installing >>>>>3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total >>>>>MyDoom.A slipped past Sophos everyday). Since installing 3.78d >>>>>(yesterday) Sophos is catching all that Trend and F-Prot are. There >>>>>still seem to be some people having issues with 3.78d, but in my >>>>>case it >>>>>seems like it was a problem with Sophos, not MailScanner. >>>>> >>>>>Daniel >>>> >>>> >>>> >>>>I would suggest that this as much an antivirus issue. I run F-prot and >>>>Antivir and until Antivir updated their engine about a week ago only >>>>F-prot was reliably catching the bounce messages with the original >>>>message attached. With the new engine, all is well again and both are >>>>catching them. Looks like F-Prot had a better message scanning engine >>>>than the others had at the time. >>>> >>>>Drew >>>> >>>>-- >>>>In line with our policy, this message has >>>>been scanned for viruses and dangerous >>>>content by MailScanner, and is believed to be clean. >>>>www.themarshalls.co.uk/policy >>> >>> >>>-- >>>Julian Field >>>www.MailScanner.info >>>Professional Support Services at www.MailScanner.biz >>>MailScanner thanks transtec Computers for their support >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> -------------- next part -------------- A non-text attachment was scrubbed... 
Name: Message.pm.4.26.5.patch
Type: application/octet-stream
Size: 10165 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040212/f720b5fd/Message.pm.4.26.5.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 12 08:38:33 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:27 2006
Subject: question??
In-Reply-To: <20040212011520.B38012@78-tor-7.acn.waw.pl>
References: <20040212011520.B38012@78-tor-7.acn.waw.pl>
Message-ID: <6.0.1.1.2.20040212083758.03fcce10@imap.ecs.soton.ac.uk>

At 00:18 12/02/2004, you wrote:
>Is it normal situation that
>MailScanner[37967]: Postfix queue structure is depth 1
>in maillog?
>What does it mean exactly?

I must remove this log entry, it doesn't mean much to most people :-)
It's quite harmless, it's just MailScanner working out for itself what shape your Postfix installation is.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 12 08:37:53 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:27 2006
Subject: bayes rebuild not completing?
In-Reply-To: <402AC286.8060505@eatathome.com.au>
References: <006501c3f0de$5311d770$640a0a0a@gyruss> <402AC286.8060505@eatathome.com.au>
Message-ID: <6.0.1.1.2.20040212083608.03fcc140@imap.ecs.soton.ac.uk>

At 00:02 12/02/2004, you wrote:
>Mickey Everts wrote:
>>I installed the latest stable release earlier this week and turned on
>>the auto rebuild feature. This is on a Linux box for the record.
>>Anyways, here are the messages I see in my logs.
>>Feb 11 10:23:30 defender MailScanner[680]: Bayes database rebuild is due
>>
>>Feb 11 10:23:31 defender MailScanner[680]: SpamAssassin Bayes database
>>rebuild preparing
>>
>>Feb 11 10:24:06 defender MailScanner[680]: SpamAssassin Bayes database
>>rebuild starting
>>My settings are as follows:
>>Rebuild Bayes Every = 86400
>>Wait During Bayes Rebuild = yes
>>I grepped the MailScanner source and it appears that I should be
>>seeing the following message also, but I am not.
>>SpamAssassin Bayes database rebuild completed
>Does rebuild bayes completely remove all entries and start from scratch?
>
>Where do those config entries go? I cant find in ms.conf or sa.conf Can
>i add the above 2 lines to my spamassassin.prefs.conf and my bayes will
>be renewed from scratch every month?

MailScanner.conf (should be in either /etc/MailScanner or /opt/MailScanner/etc depending on your OS).

It rebuilds the database structure using the data in your current Bayes database, and goes through removing "expired" entries. So it doesn't lose any data, it just does a load of housekeeping.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martinh at SOLID-STATE-LOGIC.COM Thu Feb 12 09:40:57 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:27 2006 Subject: Fix -- Re: Mydoom Virus getting Through In-Reply-To: <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> <402A9160.70005@avalonpub.com> <402A928F.4060107@themarshalls.co.uk> <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> Message-ID: <402B4A29.1010103@solid-state-logic.com> Julian Field wrote: > I have hopefully managed to make the MIME parser a lot more robust. It > certainly appears to solve the current problem. If you are running a nice > recent version, backup your old Message.pm and replace it with this one. > > Then please test it against the copies of MyDoom that are getting through. > > The result of a fine evening spent wading through MIME-tools code and > deciding that it can't rewind :-( > > Let me know how it goes. > Julian what versions of MS will this work against? I've got 4.24.-4. Will I need to upgrade? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From drew at THEMARSHALLS.CO.UK Thu Feb 12 09:31:51 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:27 2006 Subject: mailscanner & freebsd In-Reply-To: <402B469B.7000006@solid-state-logic.com> References: <20040212093719.Y39635@78-tor-7.acn.waw.pl> <402B3FA0.1090602@solid-state-logic.com> <18989.194.70.180.170.1076577577.squirrel@net.themarshalls.co.uk> <402B469B.7000006@solid-state-logic.com> Message-ID: <19245.194.70.180.170.1076578311.squirrel@net.themarshalls.co.uk> Martin Hepworth said: > Drew Marshall wrote: >> Martin Hepworth said: >> >>>Rafal Janas wrote: >>> >>>>Is someone try to start mailscanner with postfix on freebsd 5.1 or >>>>older? >>> >>>Hi >>> >>>there are people running 5.1 and postfix with MS. Have a look in the >>>list archives >>> >>>BUT, remember the 5.x series are still considered UNSTABLE and should be >>>treated as such IMHO. >> >> Indeed and I am successfully running Postfix, MailScanner on FreeBSD >> 5.2(!) although it's not a high volume server, I haven't (He says >> touching >> the most timber like thing he can find!) had any problems. >> >>> >> Drew > > Drew > Well seeing as though 5.2.1 is due out soon, as they broke quite a few > things in 5.2, I'd be be ready for the upgrade. > Great. This is my first venture into BSD land from Linux. Oh well, I did know it wasn't 'stable' but the links on the site take you to the current release download not the stable download. I must like living on the edge :-) Quite like it though (BSD, oh OK and the edge!) Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From rafalek at RAFI.PL.EU.ORG Thu Feb 12 09:33:03 2004 
From: rafalek at RAFI.PL.EU.ORG (Rafał Janas)
Date: Thu Jan 12 21:22:27 2006
Subject: mailscanner & freebsd
In-Reply-To: <402B469B.7000006@solid-state-logic.com>
Message-ID: <20040212093832.8459D3C05A@78-tor-7.acn.waw.pl>

If you configure it correctly could you send me your configuration files like: mailscanner.conf, main.cf (from postfix & postfix.in) and tell me what you change in article about installing it on postfix in documentation www.mailscanner.info?

rafalek@rafi.pl.eu.org
thank you

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Martin Hepworth Sent: Thursday, February 12, 2004 10:26 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: mailscanner & freebsd Drew Marshall wrote: > Martin Hepworth said: > >>Rafal Janas wrote: >> >>>Is someone try to start mailscanner with postfix on freebsd 5.1 or >>>older? >> >>Hi >> >>there are people running 5.1 and postfix with MS. Have a look in the >>list archives >> >>BUT, remember the 5.x series are still considered UNSTABLE and should be >>treated as such IMHO. > > Indeed and I am successfully running Postfix, MailScanner on FreeBSD > 5.2(!) although it's not a high volume server, I haven't (He says touching > the most timber like thing he can find!) had any problems. > >> > Drew Drew Well seeing as though 5.2.1 is due out soon, as they broke quite a few things in 5.2, I'd be be ready for the upgrade. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From brent.addis at ROAMAD.COM Thu Feb 12 09:49:48 2004 
From: brent.addis at ROAMAD.COM (Brent Addis) Date: Thu Jan 12 21:22:27 2006 Subject: AVG antivirus In-Reply-To: <6.0.1.1.2.20040211093855.03f607e8@imap.ecs.soton.ac.uk> References: <65314.210.55.104.83.1076479452.squirrel@webmail.roamad.com> <6.0.1.1.2.20040211093855.03f607e8@imap.ecs.soton.ac.uk> Message-ID: <1203.210.55.102.173.1076579388.squirrel@webmail.roamad.com> That'd be great :) We use it on all of our workstations / fileservers and would like to put in on the mailservers too. It has a great centralised update system which is pretty handy. Do you need any details on its command line interface? Regards Brent Addis Julian Field said: > I don't think anyone has asked for it before. I'm sure it can be > supported if you want. > > At 06:04 11/02/2004, you wrote: >>Hey >> >>does mailscanner support the virus scanner AVG? I've hunted around but >>cannot find anything on it. Are there any plans for it in the future? I >>have a copy here if anything is needed. >> >>Regards >>-- >>Brent Addis > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Brent Addis Systems Administrator RoamAD From drew at THEMARSHALLS.CO.UK Thu Feb 12 09:48:46 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:27 2006 Subject: mailscanner & freebsd In-Reply-To: <20040212093832.8459D3C05A@78-tor-7.acn.waw.pl> References: <402B469B.7000006@solid-state-logic.com> <20040212093832.8459D3C05A@78-tor-7.acn.waw.pl> Message-ID: <20030.194.70.180.170.1076579326.squirrel@net.themarshalls.co.uk> Rafa? Janas said: > If sou configure it correctly could sou send me your configuration files > like: mailscanner.conf, main.cf (from postfix & postfix.in) and tell me > what > you change in article about installing it on postfix in documentation > www.mailscanner.info? I can't do that now, too much to do and not in the right place, but I'll have a look tonight. What is your set up? Are you using Postfix as a gateway and relaying to another local machine? How are you controling your user database? Mine is not quite a conventional set up (I use a single Postfix instance with MySQL database driven user and virtual user setup) which does make it more difficult for me just to 'cut and paste' my main.cf file (But not impossible!). > > rafalek@rafi.pl.eu.org > thank you > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf > Of Martin Hepworth > Sent: Thursday, February 12, 2004 10:26 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: mailscanner & freebsd > > Drew Marshall wrote: >> Martin Hepworth said: >> >>>Rafal Janas wrote: >>> >>>>Is someone try to start mailscanner with postfix on freebsd 5.1 or >>>>older? >>> >>>Hi >>> >>>there are people running 5.1 and postfix with MS. Have a look in the >>>list archives >>> >>>BUT, remember the 5.x series are still considered UNSTABLE and should be >>>treated as such IMHO. >> >> Indeed and I am successfully running Postfix, MailScanner on FreeBSD >> 5.2(!) although it's not a high volume server, I haven't (He says >> touching >> the most timber like thing he can find!) had any problems. >> >>> >> Drew > > Drew > Well seeing as though 5.2.1 is due out soon, as they broke quite a few > things in 5.2, I'd be be ready for the upgrade. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From rafalek at RAFI.PL.EU.ORG Thu Feb 12 10:21:54 2004 
From: rafalek at RAFI.PL.EU.ORG (Rafal Janas) Date: Thu Jan 12 21:22:27 2006 Subject: mailscanner & freebsd In-Reply-To: <20030.194.70.180.170.1076579326.squirrel@net.themarshalls.co.uk> References: <402B469B.7000006@solid-state-logic.com> <20040212093832.8459D3C05A@78-tor-7.acn.waw.pl> <20030.194.70.180.170.1076579326.squirrel@net.themarshalls.co.uk> Message-ID: <20040212111512.H40542@78-tor-7.acn.waw.pl> I've got standard settings. My relay=local (I don't know how to change it?) My user database is in passwd file! I only change things included in article On Thu, 12 Feb 2004, Drew Marshall wrote: > Rafa? Janas said: > > If sou configure it correctly could sou send me your configuration files > > like: mailscanner.conf, main.cf (from postfix & postfix.in) and tell me > > what > > you change in article about installing it on postfix in documentation > > www.mailscanner.info? > I can't do that now, too much to do and not in the right place, but I'll > have a look tonight. What is your set up? Are you using Postfix as a > gateway and relaying to another local machine? How are you controling your > user database? Mine is not quite a conventional set up (I use a single > Postfix instance with MySQL database driven user and virtual user setup) > which does make it more difficult for me just to 'cut and paste' my > main.cf file (But not impossible!). > > > > rafalek@rafi.pl.eu.org > > thank you > > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf > > Of Martin Hepworth > > Sent: Thursday, February 12, 2004 10:26 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: mailscanner & freebsd > > > > Drew Marshall wrote: > >> Martin Hepworth said: > >> > >>>Rafal Janas wrote: > >>> > >>>>Is someone try to start mailscanner with postfix on freebsd 5.1 or > >>>>older? > >>> > >>>Hi > >>> > >>>there are people running 5.1 and postfix with MS. Have a look in the > >>>list archives > >>> > >>>BUT, remember the 5.x series are still considered UNSTABLE and should be > >>>treated as such IMHO. > >> > >> Indeed and I am successfully running Postfix, MailScanner on FreeBSD > >> 5.2(!) although it's not a high volume server, I haven't (He says > >> touching > >> the most timber like thing he can find!) had any problems. > >> > >>> > >> Drew > > > > Drew > > Well seeing as though 5.2.1 is due out soon, as they broke quite a few > > things in 5.2, I'd be be ready for the upgrade. > > > > -- > > Martin Hepworth > > Snr Systems Administrator > > Solid State Logic > > Tel: +44 (0)1865 842300 > > > Drew > > -- > In line with our policy, this message has > been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > www.themarshalls.co.uk/policy > From martinh at SOLID-STATE-LOGIC.COM Thu Feb 12 10:18:04 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:27 2006
Subject: Mydoom.A patch
Message-ID: <402B52DC.7080707@solid-state-logic.com>

Julian

I've replaced the Message.pm with the fettled one (that's 'fixed' for you non-north England people :-), reran a message that ClamAV missed and SophosSavi caught and it *WORKED*. Both AV engines caught this message as a MyDoom.A (or equivalent name).

I'll keep my eye out, but I'm only getting 1-2 of these a day and mydoom.a is supposed to stop today...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From prandal at HEREFORDSHIRE.GOV.UK Thu Feb 12 10:20:30 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:28 2006
Subject: Mydoom Virus getting Through
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C514@jessica.herefordshire.gov.uk>

That's exactly what I've seen too.

Well spotted Martin and Julian.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Martin Hepworth
> Sent: 11 February 2004 16:48
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mydoom Virus getting Through
>
>
> Julian Field wrote:
> > I found at least 1 part of the problem.
> >
> > The message that contained the MyDoom that got through Sophos (before
> > 3.78d) was actually a bounce from another mail server that included the
> > entire text of the original message.
> >
> > This message does not have the right MIME structure for the MIME-tools to
> > be able to open it, as it is a text/plain message that just happens to
> > contain text which contains a mime structure. So MIME-tools quite fairly
> > won't extract the attachments from within it.
> >
> > I now have an example message of this type, and so I will spend some time
> > working on a solution to it. No guarantees, though, the MIME-tools code is
> > pretty heavy reading.
> >
> > So don't bother sending me any more, I think the one message I have is a
> > good example of the type of problem. It can also occur with other viruses,
> > it's a problem caused by MTA's bouncing the entire message. Fortunately
> > it's not been a big problem so far, but I would quite like to fix it if
> > I can.
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Julian
>
> that's exactly what I've just seen.
>
> the virus was in a base64 attached multipart message, with only 1 part
> there, the second being non-existent, even though it says next-part...
>
> clunk.
> > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > From rafalek at RAFI.PL.EU.ORG Thu Feb 12 10:42:29 2004 
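The failure mode diagnosed in the message above (a bounce that is text/plain but carries the original message's MIME structure as body text, cut off before its closing boundary) can be reproduced with Python's standard `email` package. This is an added illustration, not MailScanner's Message.pm fix or MIME-tools code; the sample messages, the filename `report.pif`, the payload and all function names are constructed for the example, and it only handles an embedded message that is neither indented nor quote-prefixed.

```python
import base64
import email
import re
from email import policy
from email.errors import CloseBoundaryNotFoundDefect

# Constructed, harmless stand-in for the attachment bytes.
PAYLOAD = b"constructed harmless test payload, not malware\n"

# Constructed original message: multipart with a base64 attachment and
# NO closing boundary, i.e. truncated the way a bouncing MTA may leave it.
ORIGINAL = "\n".join([
    "From: sender@example.org",
    "To: nobody@example.com",
    "Subject: test",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001"',
    "",
    "This is a multi-part message in MIME format.",
    "",
    "------=_NextPart_000_0001",
    "Content-Type: text/plain",
    "",
    "See the attached file.",
    "",
    "------=_NextPart_000_0001",
    'Content-Type: application/octet-stream; name="report.pif"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="report.pif"',
    "",
    base64.encodebytes(PAYLOAD).decode("ascii"),
])

# Constructed bounce: the MTA declares text/plain and pastes the whole
# original into the body, so the MIME structure above is just text.
BOUNCE = "\n".join([
    "From: MAILER-DAEMON@mx.example.net",
    "To: sender@example.org",
    "Subject: Undeliverable mail",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "Delivery failed. The original message follows.",
    "",
    ORIGINAL,
])

EMBEDDED_MIME = re.compile(r"^Content-Type:\s*multipart/", re.I | re.M)


def attachments(msg):
    """Return (filename, bytes) for every named leaf part the parser exposes."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and not part.is_multipart():
            found.append((name, part.get_payload(decode=True)))
    return found


def embedded_messages(msg):
    """Re-parse MIME structure that appears as text inside text/plain parts."""
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        # latin-1 never fails to decode; headers and base64 are ASCII anyway.
        text = part.get_payload(decode=True).decode("latin-1")
        text = text.replace("\r\n", "\n")
        hit = EMBEDDED_MIME.search(text)
        if hit:
            # Back up to the blank line preceding the embedded header block.
            start = text.rfind("\n\n", 0, hit.start())
            start = 0 if start < 0 else start + 2
            yield email.message_from_string(text[start:], policy=policy.default)


def scan(raw, depth=3):
    """List attachments, including ones hidden in a text body's embedded MIME."""
    findings = []

    def visit(msg, embedded, level):
        # A multipart that hit end-of-input before its closing boundary.
        truncated = any(isinstance(d, CloseBoundaryNotFoundDefect)
                        for p in msg.walk() for d in p.defects)
        for name, data in attachments(msg):
            findings.append({"filename": name, "data": data,
                             "embedded_in_text": embedded,
                             "truncated": truncated})
        if level < depth:  # bound recursion on bounces of bounces
            for inner in embedded_messages(msg):
                visit(inner, True, level + 1)

    visit(email.message_from_string(raw, policy=policy.default), False, 0)
    return findings


if __name__ == "__main__":
    top = email.message_from_string(BOUNCE, policy=policy.default)
    print("plain parse sees:", attachments(top))
    for f in scan(BOUNCE):
        print("rescan sees:", f["filename"], len(f["data"]), "bytes",
              "(truncated multipart)" if f["truncated"] else "")
```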
From: rafalek at RAFI.PL.EU.ORG (Rafal Janas) Date: Thu Jan 12 21:22:28 2006 Subject: mailscanner & freebsd In-Reply-To: <20030.194.70.180.170.1076579326.squirrel@net.themarshalls.co.uk> References: <402B469B.7000006@solid-state-logic.com> <20040212093832.8459D3C05A@78-tor-7.acn.waw.pl> <20030.194.70.180.170.1076579326.squirrel@net.themarshalls.co.uk> Message-ID: <20040212113654.W40610@78-tor-7.acn.waw.pl> I use standard configuration files. My relay=local in maillog. I havn't got user database (I store it in passwd file). I only change things included in MS documentation files. All other is standard settings. I even don't know if I've got chroot jail (because I don't know how to do it). On Thu, 12 Feb 2004, Drew Marshall wrote: > Rafa? Janas said: > > If sou configure it correctly could sou send me your configuration files > > like: mailscanner.conf, main.cf (from postfix & postfix.in) and tell me > > what > > you change in article about installing it on postfix in documentation > > www.mailscanner.info? > I can't do that now, too much to do and not in the right place, but I'll > have a look tonight. What is your set up? Are you using Postfix as a > gateway and relaying to another local machine? How are you controling your > user database? Mine is not quite a conventional set up (I use a single > Postfix instance with MySQL database driven user and virtual user setup) > which does make it more difficult for me just to 'cut and paste' my > main.cf file (But not impossible!). > > > > rafalek@rafi.pl.eu.org > > thank you > > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf > > Of Martin Hepworth > > Sent: Thursday, February 12, 2004 10:26 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: mailscanner & freebsd > > > > Drew Marshall wrote: > >> Martin Hepworth said: > >> > >>>Rafal Janas wrote: > >>> > >>>>Is someone try to start mailscanner with postfix on freebsd 5.1 or > >>>>older? > >>> > >>>Hi > >>> > >>>there are people running 5.1 and postfix with MS. Have a look in the > >>>list archives > >>> > >>>BUT, remember the 5.x series are still considered UNSTABLE and should be > >>>treated as such IMHO. > >> > >> Indeed and I am successfully running Postfix, MailScanner on FreeBSD > >> 5.2(!) although it's not a high volume server, I haven't (He says > >> touching > >> the most timber like thing he can find!) had any problems. > >> > >>> > >> Drew > > > > Drew > > Well seeing as though 5.2.1 is due out soon, as they broke quite a few > > things in 5.2, I'd be be ready for the upgrade. > > > > -- > > Martin Hepworth > > Snr Systems Administrator > > Solid State Logic > > Tel: +44 (0)1865 842300 > > > Drew > > -- > In line with our policy, this message has > been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > www.themarshalls.co.uk/policy > From pete at eatathome.com.au Thu Feb 12 11:17:52 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:28 2006 Subject: bayes rebuild not completing? In-Reply-To: <6.0.1.1.2.20040212083608.03fcc140@imap.ecs.soton.ac.uk> References: <006501c3f0de$5311d770$640a0a0a@gyruss> <402AC286.8060505@eatathome.com.au> <6.0.1.1.2.20040212083608.03fcc140@imap.ecs.soton.ac.uk> Message-ID: <402B60E0.8060007@eatathome.com.au> Julian Field wrote: > At 00:02 12/02/2004, you wrote: > >> Mickey Everts wrote: >> >>> I installed the latest stable release earlier this week and turned on >>> the auto rebuild feature. This is on a Linux box for the record. >>> Anyways, here are the messages I see in my logs. >>> Feb 11 10:23:30 defender MailScanner[680]: Bayes database rebuild is >>> due >>> >>> Feb 11 10:23:31 defender MailScanner[680]: SpamAssassin Bayes database >>> rebuild preparing >>> >>> Feb 11 10:24:06 defender MailScanner[680]: SpamAssassin Bayes database >>> rebuild starting >>> My settings are as follows: >>> Rebuild Bayes Every = 86400 >>> Wait During Bayes Rebuild = yes >>> I grepped the MailScanner source and it appears that I should be >>> seeing the following message also, but I am not. >>> SpamAssassin Bayes database rebuild completed >> >> Does rebuild bayes completely remove all entries and start from scratch? >> >> Where do those config entries go? I cant find in ms.conf or sa.conf Can >> i add the above 2 lines to my spamassassin.prefs.conf and my bayes will >> be renewed from scratch every month? > > > MailScanner.conf (should be in either /etc/MailScanner or > /opt/MailScanner/etc depending on your OS). > It rebuilds the database structure using the data in your current Bayes > database, and goes through removing "expired" entries. So it doesn't lose > any data, it just does a load of housekeeping. 
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>
Hmm, I have 4.25-4; I don't seem to have those entries in MS.conf

Is there a command to completely refresh, start from new, or leave the original first 200 entries in bayes?

We don't have any manual learning, staff won't do it, so bayes don't work after 2 months or so, poison, so be nice to delete and rebuild it monthly or something?

Is there a sa-learn command for that, or need to do in perl to remove and recreate DBs?

From ugob at CAMO-ROUTE.COM Thu Feb 12 11:35:11 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:28 2006
Subject: Broken ClamAV module after 0.66 upgrade?
In-Reply-To: <6.0.1.1.2.20040212083758.03fcce10@imap.ecs.soton.ac.uk>
References: <20040212011520.B38012@78-tor-7.acn.waw.pl> <6.0.1.1.2.20040212083758.03fcce10@imap.ecs.soton.ac.uk>
Message-ID: <402B64EF.9040508@camo-route.com>

Hi,

I read the INSTALL, README and NEWS files before installing, but I didn't find anything about that.

Anyone else got their "clamavmodule" broken after upgrading to 0.66? I had to fall back to "clamav" only to make MailScanner restart, else I got this message:

In Debugging mode, not forking...
Can't locate ./config.pl in @INC (@INC contains: /usr/sbin
/usr/sbin/MailScanner /usr/lib/MailScanner
/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .
/usr/lib/MailScanner) at
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Mail/ClamAV.pm
line 144.
BEGIN failed--compilation aborted at
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Mail/ClamAV.pm
line 145.
Compilation failed in require at
/usr/lib/MailScanner/MailScanner/SweepViruses.pm line 369.

Thanks for your help.

From mailscanner at ecs.soton.ac.uk Thu Feb 12 09:58:28 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:28 2006
Subject: Fix -- Re: Mydoom Virus getting Through
In-Reply-To: <402B4A29.1010103@solid-state-logic.com>
References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> <402A9160.70005@avalonpub.com> <402A928F.4060107@themarshalls.co.uk> <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> <402B4A29.1010103@solid-state-logic.com>
Message-ID: <6.0.1.1.2.20040212095717.041ba3d0@imap.ecs.soton.ac.uk>

At 09:40 12/02/2004, you wrote:
>Julian Field wrote:
>>I have hopefully managed to make the MIME parser a lot more robust. It
>>certainly appears to solve the current problem. If you are running a nice
>>recent version, backup your old Message.pm and replace it with this one.
>>
>>Then please test it against the copies of MyDoom that are getting through.
>>
>>The result of a fine evening spent wading through MIME-tools code and
>>deciding that it can't rewind :-(
>>
>>Let me know how it goes.
>
>Julian
>
>what versions of MS will this work against? I've got 4.24.-4. Will I
>need to upgrade?

If you try the patch I just posted instead of the complete replacement file, it should be compatible with more versions. Save your old Message.pm just in case. If the patch applies successfully then you should be fine. If you have trouble, mail me off list and I will send you a patch to apply specifically to 4.24-4.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From pete at eatathome.com.au Thu Feb 12 12:05:38 2004
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:28 2006 Subject: Updating importance In-Reply-To: References: Message-ID: <402B6C12.3080500@eatathome.com.au> Billy A. Pumphrey wrote: >Ok, thanks for the reply Miguel and Julian. I do have Sophos running on it and it updates every 2 hours I believe. So yes, as far as virus that is updated in a timely fashion and I was more speaking of MailScanner its self. From what you said updating it is simple, which is good, and I should just keep a look out for certain updates and would be needed to coincide with the virus scanner engine or something to that effect to catch new things that are out. > >I have saved some of the emails that were talking about updating so that I hopefully wouldn't be completely clueless when that time comes around for me, however if its simple hopefully someone can make a few simple setps to update because the emails didn't quit tell how to but just how to tell what version and such. I didn't know if it was a matter of needing to backup the configs and doing the update then importing the configs, or just applying the update. > > >-----Original Message----- 
>From: Miguel Koren O'Brien de Lacy [mailto:miguelk@KONSULTEX.COM.BR] >Sent: Wednesday, February 11, 2004 10:00 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Updating importance > >Billy; > >I assume you mean Mail Scanner itself and not the anti-virus engine or >pattern. The pattern especially should be updated as frequently as >possible because they all work by comparison with known virus >definitions. As to Mail Scanner itself, there are some occasions, which >are ususally very evident on this mailing list, when an update is >important to catch a new type os virus mechanism or interpret a new or >changed resut from a virus scanner that you may be using. Those updates >are very infrequent in my history with Mail Scanner (about 3 years). I >usually update anyway though, a few weeks after a stable release is >available because it's pretty simple and usually has some new features I >think I may use (but I never do). > >But I also believe in the golden rule that if it works well for you, >don't touch it! > >Miguel > >Billy A. Pumphrey wrote: > > > >>Can someone explain the importance of updating, if it is important? I >>am still learning Linux and I have MailScanner running with someone's >>help and I don't want to screw it up if it is not critical to update. >>However if it is critical to update, Its probably time that I dive into >>it again. >> >>Thank you >>Billy >> >> >> >> >> > > > > > I too havent updated for a while, mainly because i cant really find any good reasons to convince myself. Currently stopping a massive percentage of spam and really havent had ANY bother with mydoom, except the reciept emails coming through, i dont use the access maps, if addressed to *@mydomain.com then its accepted, once day i will get around to getting access maps working nicely, untill then we just deal with that, its not a bog deal. 
I plan on a hardware upgrade this quarter and will go for all the latest kit then, and will switch from using Red Hat to maybe SME (used to be esmith), since this seems to be FAR less bloated, very well supported and fasterer than red hat (RH that I build anyway).

If you don't have some solid reason for upgrading then.....

From drew at THEMARSHALLS.CO.UK Thu Feb 12 12:07:13 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:28 2006 Subject: mailscanner & freebsd In-Reply-To: <20040212113654.W40610@78-tor-7.acn.waw.pl> References: <402B469B.7000006@solid-state-logic.com> <20040212093832.8459D3C05A@78-tor-7.acn.waw.pl> <20030.194.70.180.170.1076579326.squirrel@net.themarshalls.co.uk> <20040212113654.W40610@78-tor-7.acn.waw.pl> Message-ID: <21306.194.70.180.170.1076587633.squirrel@net.themarshalls.co.uk> Rafal Janas said: > I use standard configuration files. My relay=local in maillog. I havn't > got user database (I store it in passwd file). I only change things > included in MS documentation files. All other is standard settings. I even > don't know if I've got chroot jail (because I don't know how to do it). OK so have you got Postfix working with out MailScanner? If so what have you changed in main.cf? What have you changed in the top half of MailScanner.conf? Drew > > On Thu, 12 Feb 2004, Drew Marshall wrote: > >> Rafa? Janas said: >> > If sou configure it correctly could sou send me your configuration >> files >> > like: mailscanner.conf, main.cf (from postfix & postfix.in) and tell >> me >> > what >> > you change in article about installing it on postfix in documentation >> > www.mailscanner.info? >> I can't do that now, too much to do and not in the right place, but I'll >> have a look tonight. What is your set up? Are you using Postfix as a >> gateway and relaying to another local machine? How are you controling >> your >> user database? Mine is not quite a conventional set up (I use a single >> Postfix instance with MySQL database driven user and virtual user setup) >> which does make it more difficult for me just to 'cut and paste' my >> main.cf file (But not impossible!). >> > >> > rafalek@rafi.pl.eu.org >> > thank you >> > >> > -----Original Message----- 
>> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >> > Behalf >> > Of Martin Hepworth >> > Sent: Thursday, February 12, 2004 10:26 AM >> > To: MAILSCANNER@JISCMAIL.AC.UK >> > Subject: Re: mailscanner & freebsd >> > >> > Drew Marshall wrote: >> >> Martin Hepworth said: >> >> >> >>>Rafal Janas wrote: >> >>> >> >>>>Is someone try to start mailscanner with postfix on freebsd 5.1 or >> >>>>older? >> >>> >> >>>Hi >> >>> >> >>>there are people running 5.1 and postfix with MS. Have a look in the >> >>>list archives >> >>> >> >>>BUT, remember the 5.x series are still considered UNSTABLE and should >> be >> >>>treated as such IMHO. >> >> >> >> Indeed and I am successfully running Postfix, MailScanner on FreeBSD >> >> 5.2(!) although it's not a high volume server, I haven't (He says >> >> touching >> >> the most timber like thing he can find!) had any problems. >> >> >> >>> >> >> Drew >> > >> > Drew >> > Well seeing as though 5.2.1 is due out soon, as they broke quite a few >> > things in 5.2, I'd be be ready for the upgrade. >> > >> > -- >> > Martin Hepworth >> > Snr Systems Administrator >> > Solid State Logic >> > Tel: +44 (0)1865 842300 >> > >> Drew >> >> -- >> In line with our policy, this message has >> been scanned for viruses and dangerous >> content by MailScanner, and is believed to be clean. >> www.themarshalls.co.uk/policy >> > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From mailscanner at ecs.soton.ac.uk Thu Feb 12 12:08:23 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:28 2006 Subject: Broken ClamAV module after 0.66 upgrade? In-Reply-To: <402B64EF.9040508@camo-route.com> References: <20040212011520.B38012@78-tor-7.acn.waw.pl> <6.0.1.1.2.20040212083758.03fcce10@imap.ecs.soton.ac.uk> <402B64EF.9040508@camo-route.com> Message-ID: <6.0.1.1.2.20040212120320.03946bf0@imap.ecs.soton.ac.uk> At 11:35 12/02/2004, you wrote: >Hi, > > I read the INSTALL, README and NEWS files before installing, but I >didn't find anything about that. > > Anyone else got their "clamavmodule" broken after upgrading to 0.66? >Hi had to fall back to "clamav" only to make MailScanner restart, else I >got this message: > >In Debugging mode, not forking... >Can't locate ./config.pl in @INC (@INC contains: /usr/sbin That's an error in the ClamAV perl code, not in my code. They are "requiring" a perl file and have got the code wrong. Thanks for posting the error message, saved me a whole load of time downloading it all and digging through it myself. Please report this error to the Clam folks and they should be able to produce a fix pretty quickly. If I'm not too busy this afternoon I'll try to work one out for you. >/usr/sbin/MailScanner /usr/lib/MailScanner >/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 >/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi >/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl >/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi >/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl >/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . >/usr/lib/MailScanner) at >/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Mail/ClamAV.pm >line 144. >BEGIN failed--compilation aborted at >/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Mail/ClamAV.pm >line 145. >Compilation failed in require at >/usr/lib/MailScanner/MailScanner/SweepViruses.pm line 369. > > >Thanks for your help. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 12 12:02:35 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:28 2006 Subject: bayes rebuild not completing? In-Reply-To: <402B60E0.8060007@eatathome.com.au> References: <006501c3f0de$5311d770$640a0a0a@gyruss> <402AC286.8060505@eatathome.com.au> <6.0.1.1.2.20040212083608.03fcc140@imap.ecs.soton.ac.uk> <402B60E0.8060007@eatathome.com.au> Message-ID: <6.0.1.1.2.20040212120204.03992b30@imap.ecs.soton.ac.uk> At 11:17 12/02/2004, you wrote: >Julian Field wrote: > >>At 00:02 12/02/2004, you wrote: >> >>>Mickey Everts wrote: >>> >>>>I installed the latest stable release earlier this week and turned on >>>>the auto rebuild feature. This is on a Linux box for the record. >>>>Anyways, here are the messages I see in my logs. >>>>Feb 11 10:23:30 defender MailScanner[680]: Bayes database rebuild is >>>>due >>>> >>>>Feb 11 10:23:31 defender MailScanner[680]: SpamAssassin Bayes database >>>>rebuild preparing >>>> >>>>Feb 11 10:24:06 defender MailScanner[680]: SpamAssassin Bayes database >>>>rebuild starting >>>>My settings are as follows: >>>>Rebuild Bayes Every = 86400 >>>>Wait During Bayes Rebuild = yes >>>>I grepped the MailScanner source and it appears that I should be >>>>seeing the following message also, but I am not. >>>>SpamAssassin Bayes database rebuild completed >>> >>>Does rebuild bayes completely remove all entries and start from scratch? >>> >>>Where do those config entries go? I cant find in ms.conf or sa.conf Can >>>i add the above 2 lines to my spamassassin.prefs.conf and my bayes will >>>be renewed from scratch every month? >> >> >>MailScanner.conf (should be in either /etc/MailScanner or >>/opt/MailScanner/etc depending on your OS). >>It rebuilds the database structure using the data in your current Bayes >>database, and goes through removing "expired" entries. So it doesn't lose >>any data, it just does a load of housekeeping. 
>>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support >> >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >Hmm i have 4.25-4 i dont seem to have those entries in MS.conf > >Is there a command ot completely refresh, start from new, or leave the >original first 200 entries in bayes? > >We dont have any manual learning, staff wont do it, so bayes dont work >after 2 months or so, poison, so be nice to delete and rebuild it >monthly or something? > >Is there a sa-learn command for that, or need to do in perl to remove >and recreate DBs? Shut down MailScanner, wait for it to die cleanly, delete the ~root/.spamassassin/bayes* files and start up MailScanner again. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ugob at CAMO-ROUTE.COM Thu Feb 12 12:28:50 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:28 2006 Subject: Broken ClamAV module after 0.66 upgrade? In-Reply-To: <6.0.1.1.2.20040212120320.03946bf0@imap.ecs.soton.ac.uk> References: <20040212011520.B38012@78-tor-7.acn.waw.pl> <6.0.1.1.2.20040212083758.03fcce10@imap.ecs.soton.ac.uk> <402B64EF.9040508@camo-route.com> <6.0.1.1.2.20040212120320.03946bf0@imap.ecs.soton.ac.uk> Message-ID: <402B7182.5060004@camo-route.com> Julian Field wrote: > At 11:35 12/02/2004, you wrote: > >> Hi, >> >> I read the INSTALL, README and NEWS files before installing, but I >> didn't find anything about that. >> >> Anyone else got their "clamavmodule" broken after upgrading to >> 0.66? >> Hi had to fall back to "clamav" only to make MailScanner restart, else I >> got this message: >> >> In Debugging mode, not forking... >> Can't locate ./config.pl in @INC (@INC contains: /usr/sbin > > > That's an error in the ClamAV perl code, not in my code. They are > "requiring" a perl file and have got the code wrong. > > Thanks for posting the error message, saved me a whole load of time > downloading it all and digging through it myself. No problem. Tell me if you need anything else. > > Please report this error to the Clam folks and they should be able to > produce a fix pretty quickly. Ok, but I won't have time untill this afternoon, which comes after yours :) If I'm not too busy this afternoon I'll try > to work one out for you. Ok, please let me know if you do. > >> /usr/sbin/MailScanner /usr/lib/MailScanner >> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi >> /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl >> /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi >> /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl >> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . 
>> /usr/lib/MailScanner) at >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Mail/ClamAV.pm >> line 144. >> BEGIN failed--compilation aborted at >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Mail/ClamAV.pm >> line 145. >> Compilation failed in require at >> /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 369. >> >> >> Thanks for your help. I do thank you.... ;) > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rafalek at RAFI.PL.EU.ORG Thu Feb 12 12:36:37 2004 
From: rafalek at RAFI.PL.EU.ORG (Rafal Janas)
Date: Thu Jan 12 21:22:28 2006
Subject: mailscanner & freebsd
In-Reply-To: <21306.194.70.180.170.1076587633.squirrel@net.themarshalls.co.uk>
References: <402B469B.7000006@solid-state-logic.com> <20040212093832.8459D3C05A@78-tor-7.acn.waw.pl> <20030.194.70.180.170.1076579326.squirrel@net.themarshalls.co.uk> <20040212113654.W40610@78-tor-7.acn.waw.pl> <21306.194.70.180.170.1076587633.squirrel@net.themarshalls.co.uk>
Message-ID: <20040212132240.G40896@78-tor-7.acn.waw.pl>

this I change in /usr/local/etc/postfix.in/main.cf

queue_directory = /var/spool/postfix.in
myhostname = 78-tor-7.acn.waw.pl
mydomain = rafi.pl.eu.org
myorigin = rafi.pl.eu.org
inet_interfaces = all
mydestination = rafi.pl.eu.org, 78-tor-7.acn.waw.pl
mynetworks = 192.168.1.0/24, 127.0.0.1, 195.94.201.154
relay_domains = zenek.rafi.pl.eu.org
mail_spool_directory = /var/mail
#defer_transports = smtp local virtual relay ; # because without it I can't receive mails

in /usr/local/etc/postfix/main.cf is this same without last line above

in master.cf (postfix & postfix.in) I only change 1 line

smtp inet n - y - - smtpd

in Mailscanner.conf I change:

Run As User = postfix
Run As Group = wheel
Incoming Queue Dir = /var/spool/postfix.in/deferred
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
MTA = postfix
virus Scanners = f-prot ; I install it from ports

That's all

If you want take a look I can create you an account (if you give me username,password for my mail rafalek@rafi.pl.eu.org)

On Thu, 12 Feb 2004, Drew Marshall wrote:

> Rafal Janas said:
> > I use standard configuration files. My relay=local in maillog. I haven't
> > got user database (I store it in passwd file). I only change things
> > included in MS documentation files. All other is standard settings. I even
> > don't know if I've got chroot jail (because I don't know how to do it).
> OK so have you got Postfix working with out MailScanner? If so what have > you changed in main.cf? What have you changed in the top half of > MailScanner.conf? > Drew > > > > On Thu, 12 Feb 2004, Drew Marshall wrote: > > > >> Rafa? Janas said: > >> > If sou configure it correctly could sou send me your configuration > >> files > >> > like: mailscanner.conf, main.cf (from postfix & postfix.in) and tell > >> me > >> > what > >> > you change in article about installing it on postfix in documentation > >> > www.mailscanner.info? > >> I can't do that now, too much to do and not in the right place, but I'll > >> have a look tonight. What is your set up? Are you using Postfix as a > >> gateway and relaying to another local machine? How are you controling > >> your > >> user database? Mine is not quite a conventional set up (I use a single > >> Postfix instance with MySQL database driven user and virtual user setup) > >> which does make it more difficult for me just to 'cut and paste' my > >> main.cf file (But not impossible!). > >> > > >> > rafalek@rafi.pl.eu.org > >> > thank you > >> > > >> > -----Original Message----- 
> >> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >> > Behalf > >> > Of Martin Hepworth > >> > Sent: Thursday, February 12, 2004 10:26 AM > >> > To: MAILSCANNER@JISCMAIL.AC.UK > >> > Subject: Re: mailscanner & freebsd > >> > > >> > Drew Marshall wrote: > >> >> Martin Hepworth said: > >> >> > >> >>>Rafal Janas wrote: > >> >>> > >> >>>>Is someone try to start mailscanner with postfix on freebsd 5.1 or > >> >>>>older? > >> >>> > >> >>>Hi > >> >>> > >> >>>there are people running 5.1 and postfix with MS. Have a look in the > >> >>>list archives > >> >>> > >> >>>BUT, remember the 5.x series are still considered UNSTABLE and should > >> be > >> >>>treated as such IMHO. > >> >> > >> >> Indeed and I am successfully running Postfix, MailScanner on FreeBSD > >> >> 5.2(!) although it's not a high volume server, I haven't (He says > >> >> touching > >> >> the most timber like thing he can find!) had any problems. > >> >> > >> >>> > >> >> Drew > >> > > >> > Drew > >> > Well seeing as though 5.2.1 is due out soon, as they broke quite a few > >> > things in 5.2, I'd be be ready for the upgrade. > >> > > >> > -- > >> > Martin Hepworth > >> > Snr Systems Administrator > >> > Solid State Logic > >> > Tel: +44 (0)1865 842300 > >> > > >> Drew > >> > >> -- > >> In line with our policy, this message has > >> been scanned for viruses and dangerous > >> content by MailScanner, and is believed to be clean. > >> www.themarshalls.co.uk/policy > >> > > > > > -- > In line with our policy, this message has > been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > www.themarshalls.co.uk/policy > From ugob at CAMO-ROUTE.COM Thu Feb 12 12:30:59 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:28 2006 Subject: Broken ClamAV module after 0.66 upgrade? In-Reply-To: <6.0.1.1.2.20040212120320.03946bf0@imap.ecs.soton.ac.uk> References: <20040212011520.B38012@78-tor-7.acn.waw.pl> <6.0.1.1.2.20040212083758.03fcce10@imap.ecs.soton.ac.uk> <402B64EF.9040508@camo-route.com> <6.0.1.1.2.20040212120320.03946bf0@imap.ecs.soton.ac.uk> Message-ID: <402B7203.2020602@camo-route.com> BTW, there is absolutely no rush. It runs OK with clamav. Thanks, Ugo Julian Field wrote: > At 11:35 12/02/2004, you wrote: > >> Hi, >> >> I read the INSTALL, README and NEWS files before installing, but I >> didn't find anything about that. >> >> Anyone else got their "clamavmodule" broken after upgrading to >> 0.66? >> Hi had to fall back to "clamav" only to make MailScanner restart, else I >> got this message: >> >> In Debugging mode, not forking... >> Can't locate ./config.pl in @INC (@INC contains: /usr/sbin > > > That's an error in the ClamAV perl code, not in my code. They are > "requiring" a perl file and have got the code wrong. > > Thanks for posting the error message, saved me a whole load of time > downloading it all and digging through it myself. > > Please report this error to the Clam folks and they should be able to > produce a fix pretty quickly. If I'm not too busy this afternoon I'll try > to work one out for you. > >> /usr/sbin/MailScanner /usr/lib/MailScanner >> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi >> /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl >> /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi >> /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl >> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . >> /usr/lib/MailScanner) at >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Mail/ClamAV.pm >> line 144. 
>> BEGIN failed--compilation aborted at >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Mail/ClamAV.pm >> line 145. >> Compilation failed in require at >> /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 369. >> >> >> Thanks for your help. > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 12 12:35:27 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:28 2006 Subject: Fix -- Re: Mydoom Virus getting Through In-Reply-To: <05be01c3f160$96f244c0$0b00a8c0@djh01> References: <6.0.1.1.2.20040212083334.03dba8e8@imap.ecs.soton.ac.uk> <05be01c3f160$96f244c0$0b00a8c0@djh01> Message-ID: <6.0.1.1.2.20040212121021.03ab45f0@imap.ecs.soton.ac.uk> At 12:05 12/02/2004, you wrote: >Hi Julian, > >I'm running 4.25-14 and got the following output when applying the patch. >Is there a patch for my version? I'd prefer not to have to upgrade all of >our boxes if I can - we have a reasonable number :) Hunks 11, 12 and 13 aren't important. That was just a slight feature tweak I did for someone. However, I don't like the 107 line offsets, they look like patch didn't work. I have attached a patch for 4.25-14 for you. It may require a new setting or 2 in your MailScanner.conf to control any new features that are in this file. >23:02:47 - mx1.mailsecurity.net.au : root - MailScanner> patch -p0 < >Message.pm.4.26.5.patch >patching file Message.pm >Hunk #1 succeeded at 736 (offset -107 lines). >Hunk #3 succeeded at 770 (offset -107 lines). >Hunk #4 succeeded at 1002 (offset -10 lines). >Hunk #5 succeeded at 1134 (offset -107 lines). >Hunk #6 succeeded at 1247 (offset -10 lines). >Hunk #7 succeeded at 1161 (offset -107 lines). >Hunk #8 succeeded at 2051 (offset -10 lines). >Hunk #9 succeeded at 2121 (offset 33 lines). >Hunk #10 succeeded at 2087 (offset -10 lines). >Hunk #11 FAILED at 2194. >Hunk #12 FAILED at 2222. >Hunk #13 FAILED at 2231. >3 out of 13 hunks FAILED -- saving rejects to file Message.pm.rej > >Regards, > >David Hooton >Senior Partner >Platform Hosting >1300 85 HOST >www.platformhosting.com > > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Julian Field > > Sent: Thursday, 12 February 2004 7:35 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Fix -- Re: Mydoom Virus getting Through > > > > Please try this patch instead of the new Message.pm. > > > > cd /usr/lib/MailScanner/MailScanner > > cp Message.pm Message.pm.safe > > patch -p0 < Message.pm.4.26.5.patch > > service MailScanner restart > > > > If it still fails, set "Debug = yes" in MailScanner.conf, then > > > > service MailScanner stop > > sleep 15 > > check_MailScanner > > > > and let me know what it says. > > > > At 23:38 11/02/2004, you wrote: > > >Looking at the log, I see that MailScanner failed to start. > > >Ken > > > > > > > > >Ken Anderson wrote: > > > > > >>I tried installing this Message.pm and restarted MailScanner, but I > > >>quickly built up a large incoming queue and all exploding in /incoming > > >>stopped happening. The directory stayed empty after restarting > > >>MailScanner. I'm not sure what caused it, but things went back to normal > > >>after I put the old Message.pm back. I'm running 4.26.5, perhaps not a > > >>recent enough version? > > >>Thanks, > > >>Ken A > > >>Pacific.Net > > >> > > >> > > >>Julian Field wrote: > > >> > > >>>I have hopefully managed to make the MIME parser a lot more robust. It > > >>>certainly appears to solve the current problem. If you are running a > > nice > > >>>recent version, backup your old Message.pm and replace it with this > > one. > > >>> > > >>>Then please test it against the copies of MyDoom that are getting > > >>>through. > > >>> > > >>>The result of a fine evening spent wading through MIME-tools code and > > >>>deciding that it can't rewind :-( > > >>> > > >>>Let me know how it goes. 
> > >>> > > >>>At 20:37 11/02/2004, you wrote: > > >>> > > >>>>Daniel Kleinsinger wrote: > > >>>> > > >>>>>Julian Field wrote: > > >>>>> > > >>>>>>The message that contained the MyDoom that got through Sophos > > (before > > >>>>>>3.78d) was actually a bounce from another mail server that included > > >>>>>>the > > >>>>>>entire text of the original message. > > >>>>>> > > >>>>>>Fortunately it's not been a big problem so far, but I would quite > > >>>>>>like to fix it if I can. > > >>>>>> > > >>>>>I'm running Sophos in addition to Trend and F-Prot. Using MailWatch > > I > > >>>>>checked which virii got caught by which scanner and before installing > > >>>>>3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total > > >>>>>MyDoom.A slipped past Sophos everyday). Since installing 3.78d > > >>>>>(yesterday) Sophos is catching all that Trend and F-Prot are. There > > >>>>>still seem to be some people having issues with 3.78d, but in my > > >>>>>case it > > >>>>>seems like it was a problem with Sophos, not MailScanner. > > >>>>> > > >>>>>Daniel > > >>>> > > >>>> > > >>>> > > >>>>I would suggest that this as much an antivirus issue. I run F-prot and > > >>>>Antivir and until Antivir updated their engine about a week ago only > > >>>>F-prot was reliably catching the bounce messages with the original > > >>>>message attached. With the new engine, all is well again and both are > > >>>>catching them. Looks like F-Prot had a better message scanning engine > > >>>>than the others had at the time. > > >>>> > > >>>>Drew > > >>>> > > >>>>-- > > >>>>In line with our policy, this message has > > >>>>been scanned for viruses and dangerous > > >>>>content by MailScanner, and is believed to be clean. 
> > >>>>www.themarshalls.co.uk/policy > > >>> > > >>> > > >>>-- > > >>>Julian Field > > >>>www.MailScanner.info > > >>>Professional Support Services at www.MailScanner.biz > > >>>MailScanner thanks transtec Computers for their support > > >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > >> > > >> > > > > ======================================================================== > > Pain free spam & virus protection by: www.mailsecurity.net.au > > Forward undetected SPAM to: spam@mailsecurity.net.au > > ======================================================================== > > > >======================================================================== > Pain free spam & virus protection by: www.mailsecurity.net.au > Forward undetected SPAM to: spam@mailsecurity.net.au >======================================================================== -------------- next part -------------- A non-text attachment was scrubbed... Name: Message.pm.4.25-14.patch Type: application/octet-stream Size: 19976 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040212/709ab713/Message.pm.4.25-14.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jaearick at COLBY.EDU Thu Feb 12 13:55:54 2004 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:22:28 2006 Subject: Broken ClamAV module after 0.66 upgrade? In-Reply-To: <402B7182.5060004@camo-route.com> References: <20040212011520.B38012@78-tor-7.acn.waw.pl> <6.0.1.1.2.20040212083758.03fcce10@imap.ecs.soton.ac.uk> <402B64EF.9040508@camo-route.com> <6.0.1.1.2.20040212120320.03946bf0@imap.ecs.soton.ac.uk> <402B7182.5060004@camo-route.com> Message-ID: hi, I am successfully running clamav 0.66 with clamavmodule, perl 5.8.2, MS 4.26.8, Solaris 9. Jeff On Thu, 12 Feb 2004, Ugo Bellavance wrote: > Date: Thu, 12 Feb 2004 07:28:50 -0500 
> From: Ugo Bellavance > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Broken ClamAV module after 0.66 upgrade? > > Julian Field wrote: > > > At 11:35 12/02/2004, you wrote: > > > >> Hi, > >> > >> I read the INSTALL, README and NEWS files before installing, but I > >> didn't find anything about that. > >> > >> Anyone else got their "clamavmodule" broken after upgrading to > >> 0.66? > >> Hi had to fall back to "clamav" only to make MailScanner restart, else I > >> got this message: > >> > >> In Debugging mode, not forking... > >> Can't locate ./config.pl in @INC (@INC contains: /usr/sbin > > > > > > That's an error in the ClamAV perl code, not in my code. They are > > "requiring" a perl file and have got the code wrong. > > > > Thanks for posting the error message, saved me a whole load of time > > downloading it all and digging through it myself. > > No problem. Tell me if you need anything else. > > > > Please report this error to the Clam folks and they should be able to > > produce a fix pretty quickly. > > Ok, but I won't have time untill this afternoon, which comes after yours :) > > If I'm not too busy this afternoon I'll try > > to work one out for you. > Ok, please let me know if you do. > > > >> /usr/sbin/MailScanner /usr/lib/MailScanner > >> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 > >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi > >> /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl > >> /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > >> /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl > >> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . > >> /usr/lib/MailScanner) at > >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Mail/ClamAV.pm > >> line 144. > >> BEGIN failed--compilation aborted at > >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Mail/ClamAV.pm > >> line 145. 
> >> Compilation failed in require at > >> /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 369. > >> > >> > >> Thanks for your help. > > I do thank you.... ;) > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From bpumphrey at WOODMACLAW.COM Thu Feb 12 14:15:42 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:28 2006 Subject: Svar: Mydoom Virus getting Through - High Spam - YES Message-ID: Where did you get those stats at? It appears to be more complete than MailStats. -----Original Message----- From: Jan Elmqvist Nielsen [mailto:jen@AH.DK] Sent: Wednesday, February 11, 2004 8:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Svar: Mydoom Virus getting Through - High Spam - YES I upgraded MS to 4.26.8-1 the 9/2-2004 And I can see that also Dumaru is not deteted when High Spam score is reached! My High Spam score was 12 /Jan Elmqvist Nielsen >>> jen@AH.DK 12-02-2004 01:34:26 >>> All the Mydoom viruses which not have been detected is all High Spam! I store all High Spam and dosn't pass them though I have set my High Spam score a little higher to see what happens :-) /jan Elmqvist Nielsen From prandal at HEREFORDSHIRE.GOV.UK Thu Feb 12 14:22:08 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:28 2006 Subject: Svar: Mydoom Virus getting Through - High Spam - YES Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C51A@jessica.herefordshire.gov.uk> That's the output from Mailwatch (http://mailwatch.sf.net) Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Billy A. Pumphrey > Sent: 12 February 2004 14:16 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Svar: Mydoom Virus getting Through - High Spam - YES > > > Where did you get those stats at? It appears to be more complete than > MailStats. > > -----Original Message----- > From: Jan Elmqvist Nielsen [mailto:jen@AH.DK] > Sent: Wednesday, February 11, 2004 8:06 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Svar: Mydoom Virus getting Through - High Spam - YES > > I upgraded MS to 4.26.8-1 the 9/2-2004 > > And I can see that also Dumaru is not deteted when High Spam score is > reached! > My High Spam score was 12 > > /Jan Elmqvist Nielsen > > >>> jen@AH.DK 12-02-2004 01:34:26 >>> > All the Mydoom viruses which not have been detected is all High Spam! > > I store all High Spam and dosn't pass them though > > I have set my High Spam score a little higher to see what happens :-) > > /jan Elmqvist Nielsen > From bob.jones at USG.EDU Thu Feb 12 14:38:11 2004 From: bob.jones at USG.EDU (Bob Jones) Date: Thu Jan 12 21:22:28 2006 Subject: Interesting... Decompression Bombs Message-ID: <402B8FD3.40600@usg.edu> An interesting issue for those of us that run virus scanners for mail. Check out: http://cheerleader.yoz.com/archives/001711.html -- Bob Jones OIIT The Board of Regents The University System of Georgia From prandal at HEREFORDSHIRE.GOV.UK Thu Feb 12 12:13:54 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:28 2006 Subject: Mydoom Virus getting Through - High Spam Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C517@jessica.herefordshire.gov.uk> Julian, this one was raised last week with me and a few others requesting virus scanning regardless of spam checking. Do you have any plans to allow us to virus scan all quarantined emails, even when they are high-scoring spam? Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Jan Elmqvist Nielsen > Sent: 12 February 2004 00:34 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Mydoom Virus getting Through - High Spam > > > All the Mydoom viruses which not have been detected is all High Spam! > > I store all High Spam and dosn't pass them though > > I have set my High Spam score a little higher to see what happens :-) > > /jan Elmqvist Nielsen > From prandal at HEREFORDSHIRE.GOV.UK Thu Feb 12 12:32:31 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:28 2006 Subject: [OT] FW: [tvdug] uvscan for Unix/Linux Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C518@jessica.herefordshire.gov.uk> For everyone's information. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK -----Original Message----- 
From: gagel@cnc.bc.ca [mailto:gagel@cnc.bc.ca] Sent: 11 February 2004 17:06 To: tvdug@yahoogroups.com Subject: Re: [tvdug] uvscan for Unix/Linux Not only does it exist but NAI are just about to release a beta version for a full time on access scanner for linux. ---paste--- You are receiving this email as you are subscribed to the release announcement for McAfee LinuxShield. The purpose of this email is to forewarn you on the impending release of the Beta so you can allocate testing time. The current LinuxShield Beta release schedule is as follows Beta 1 is currently scheduled for early March Beta 2 is due early April Final release in May Should this schedule change you will be updated. LinuxShield QA ---end paste--- Details are here: http://www.networkassociates.com/us/downloads/beta/lsh/ To get the uvscan you might have to have the Total Virus Defense suite. It can be downloaded from NAI if you have a valid grant number. ----- Original Message Follows ----- > > [email.htm] > > > > > Over on the MailScanner mailing list, there's a few people bemoaning > the
> difficulty of getting their hands on uvscan for Unix/Linux.
>
> Can one of the NAI folks on the list give a few pointers on how to persuade
> your distributors that such a product exists and how people can get hold of
> it?
>
> Cheers,
>
> Phil
>
> ---------------------------------------------
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> If you would like to unsubscribe, please send a blank message to tvdug-unsubscribe@yahoogroups.com.

> [Attachment: email.htm]

====================
Kevin W. Gagel
Network Administrator
(250) 561-5848 local 448
(250) 562-2131 local 448

--------------------------------------------------------------
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
--------------------------------------------------------------

If you would like to unsubscribe, please send a blank message to tvdug-unsubscribe@yahoogroups.com.

Yahoo! Groups Links
<*> To visit your group on the web, go to: http://groups.yahoo.com/group/tvdug/
<*> To unsubscribe from this group, send an email to: tvdug-unsubscribe@yahoogroups.com
<*> Your use of Yahoo! Groups is subject to: http://docs.yahoo.com/info/terms/

From mailscanner at ecs.soton.ac.uk Thu Feb 12 14:36:49 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:28 2006
Subject: Installation bug in Mail-ClamAV-0.05
Message-ID: <6.0.1.1.2.20040212142840.07387430@imap.ecs.soton.ac.uk>

Scott,

Firstly, many thanks for a very useful piece of code!

One installation problem with 0.05 that wasn't there in 0.04

After the make install step, ClamAV.pm still contains

    # removed on install
    BEGIN {
        require "./config.pl";
    }
    # end removed on install

which of course breaks when you try to use the module as "./config.pl" cannot be found as it is not in the @INC path.

Copying config.pl into the same directory as ClamAV.pm does not help, but commenting out the "require" statement works (line 144 of ClamAV.pm).

I can't easily give you a patch to fix this, as I'm not quite sure what you were trying to achieve with this "require" statement. Any fixes you could provide would be most welcome. For now I will comment out the require statement. Julian Field -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 12 14:38:33 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:28 2006 Subject: Broken ClamAV module after 0.66 upgrade? In-Reply-To: References: <20040212011520.B38012@78-tor-7.acn.waw.pl> <6.0.1.1.2.20040212083758.03fcce10@imap.ecs.soton.ac.uk> <402B64EF.9040508@camo-route.com> <6.0.1.1.2.20040212120320.03946bf0@imap.ecs.soton.ac.uk> <402B7182.5060004@camo-route.com> Message-ID: <6.0.1.1.2.20040212143654.039928a0@imap.ecs.soton.ac.uk> It is actually a problem in the Mail::ClamAV perl module, latest version (0.05). If you switch back to Mail::ClamAV 0.04 (which you can download from the same address as 0.05, just change the number in the filename), then it works. I have filed a bug report with the author. At 13:55 12/02/2004, you wrote: >hi, > I am successfully running clamav 0.66 with clamavmodule, perl 5.8.2, >MS 4.26.8, Solaris 9. > >Jeff > >On Thu, 12 Feb 2004, Ugo Bellavance wrote: > > > Date: Thu, 12 Feb 2004 07:28:50 -0500 > > From: Ugo Bellavance > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Broken ClamAV module after 0.66 upgrade? > > > > Julian Field wrote: > > > > > At 11:35 12/02/2004, you wrote: > > > > > >> Hi, > > >> > > >> I read the INSTALL, README and NEWS files before installing, > but I > > >> didn't find anything about that. > > >> > > >> Anyone else got their "clamavmodule" broken after upgrading to > > >> 0.66? 
> > >> Hi had to fall back to "clamav" only to make MailScanner restart, else I > > >> got this message: > > >> > > >> In Debugging mode, not forking... > > >> Can't locate ./config.pl in @INC (@INC contains: /usr/sbin > > > > > > > > > That's an error in the ClamAV perl code, not in my code. They are > > > "requiring" a perl file and have got the code wrong. > > > > > > Thanks for posting the error message, saved me a whole load of time > > > downloading it all and digging through it myself. > > > > No problem. Tell me if you need anything else. > > > > > > Please report this error to the Clam folks and they should be able to > > > produce a fix pretty quickly. > > > > Ok, but I won't have time untill this afternoon, which comes after yours :) > > > > If I'm not too busy this afternoon I'll try > > > to work one out for you. > > Ok, please let me know if you do. > > > > > >> /usr/sbin/MailScanner /usr/lib/MailScanner > > >> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 > > >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi > > >> /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl > > >> /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > > >> /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl > > >> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . > > >> /usr/lib/MailScanner) at > > >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Mail/ClamAV.pm > > >> line 144. > > >> BEGIN failed--compilation aborted at > > >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Mail/ClamAV.pm > > >> line 145. > > >> Compilation failed in require at > > >> /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 369. > > >> > > >> > > >> Thanks for your help. > > > > I do thank you.... 
;)
> > >
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martinh at SOLID-STATE-LOGIC.COM Thu Feb 12 14:45:32 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:28 2006
Subject: Interesting... Decompression Bombs
In-Reply-To: <402B8FD3.40600@usg.edu>
References: <402B8FD3.40600@usg.edu>
Message-ID: <402B918C.3070507@solid-state-logic.com>

Bob Jones wrote:
> An interesting issue for those of us that run virus scanners for mail.
> Check out: http://cheerleader.yoz.com/archives/001711.html
>
> --
> Bob Jones
> OIIT
> The Board of Regents
> The University System of Georgia

Possibly something to do with the rush 0.66 release of ClamAV and the DOS attack it mentions????

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at ecs.soton.ac.uk Thu Feb 12 14:41:53 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:28 2006
Subject: Interesting... Decompression Bombs
In-Reply-To: <402B8FD3.40600@usg.edu>
References: <402B8FD3.40600@usg.edu>
Message-ID: <6.0.1.1.2.20040212143922.07253d08@imap.ecs.soton.ac.uk>

At 14:38 12/02/2004, you wrote:
>An interesting issue for those of us that run virus scanners for mail.
>Check out: http://cheerleader.yoz.com/archives/001711.html

I built defences into MailScanner for this attack a very long time ago, don't worry. This is an old problem.

100Gb out of a 7k zip file isn't the worst/best you can achieve. There is a zip file of 42374 bytes which expands to over 29,000,000 Gbytes (over 29 Petabytes).

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From rcooper at DIMENSION-FLM.COM Thu Feb 12 15:09:34 2004
From: rcooper at DIMENSION-FLM.COM (Rick Cooper)
Date: Thu Jan 12 21:22:28 2006
Subject: Broken ClamAV module after 0.66 upgrade?
In-Reply-To: <6.0.1.1.2.20040212143654.039928a0@imap.ecs.soton.ac.uk>
Message-ID:

There are a couple of lines in the ClamAV.pm module that were to be removed upon install that are not:

    # removed on install
    BEGIN {
        require "./config.pl";
    }
    # end removed on install

the patch below will fix this by commenting them out.

After installing the patch:

Feb 12 10:02:47 srv2 MailScanner[588]: Virus and Content Scanning: Starting
Feb 12 10:02:47 srv2 MailScanner[588]: Commencing scanning by f-prot...
Feb 12 10:02:47 srv2 MailScanner[588]: Completed scanning by f-prot
Feb 12 10:02:48 srv2 MailScanner[588]: Commencing scanning by clamavmodule...
Feb 12 10:02:48 srv2 MailScanner[588]: Completed scanning by clamavmodule Feb 12 10:02:48 srv2 MailScanner[588]: Completed checking by /usr/bin/file Feb 12 10:02:48 srv2 MailScanner[588]: About to deliver 1 messages ========== Begin patch ============================ *** ClamAV.pm Tue Feb 10 13:38:15 2004 --- ClamAV.pm.new Thu Feb 12 09:59:44 2004 *************** *** 141,147 **** LIBS => "-lclamav"; # removed on install ! BEGIN { ! require "./config.pl"; ! } # end removed on install use Inline C => <<'END_OF_C'; --- 141,147 ---- LIBS => "-lclamav"; # removed on install ! #BEGIN { ! #require "./config.pl"; ! #} # end removed on install use Inline C => <<'END_OF_C'; ================= end patch > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Thursday, February 12, 2004 9:39 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Broken ClamAV module after 0.66 upgrade? > > > It is actually a problem in the Mail::ClamAV perl > module, latest version > (0.05). > > If you switch back to Mail::ClamAV 0.04 (which you can > download from the > same address as 0.05, just change the number in the > filename), then it works. > > I have filed a bug report with the author. > > At 13:55 12/02/2004, you wrote: > >hi, > > I am successfully running clamav 0.66 with > clamavmodule, perl 5.8.2, > >MS 4.26.8, Solaris 9. > > > >Jeff > > > >On Thu, 12 Feb 2004, Ugo Bellavance wrote: > > > > > Date: Thu, 12 Feb 2004 07:28:50 -0500 > > > From: Ugo Bellavance > > > Reply-To: MailScanner mailing list > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Broken ClamAV module after 0.66 upgrade? > > > > > > Julian Field wrote: > > > > > > > At 11:35 12/02/2004, you wrote: > > > > > > > >> Hi, > > > >> > > > >> I read the INSTALL, README and NEWS > files before installing, > > but I > > > >> didn't find anything about that. 
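Review bot: In the replacement lines (141-147 of ClamAV.pm.new) the BEGIN block is commented out while the "# removed on install" and "# end removed on install" markers stay, so the file keeps a block that its own markers say the install step should have stripped, and nothing records why it is now disabled. If this is applied to the installed ClamAV.pm it has to be reapplied whenever the module is reinstalled; the lasting fix belongs in the step that was meant to remove the marked block. If the workaround stays, delete the three lines between the markers rather than commenting them, or add a one-line comment giving the reason, since the hunk does not show what config.pl was supposed to provide.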
> > > >> > > > >> Anyone else got their "clamavmodule" > broken after upgrading to > > > >> 0.66? > > > >> Hi had to fall back to "clamav" only to make > MailScanner restart, else I > > > >> got this message: > > > >> > > > >> In Debugging mode, not forking... > > > >> Can't locate ./config.pl in @INC (@INC > contains: /usr/sbin > > > > > > > > > > > > That's an error in the ClamAV perl code, not in > my code. They are > > > > "requiring" a perl file and have got the code wrong. > > > > > > > > Thanks for posting the error message, saved me a > whole load of time > > > > downloading it all and digging through it myself. > > > > > > No problem. Tell me if you need anything else. > > > > > > > > Please report this error to the Clam folks and > they should be able to > > > > produce a fix pretty quickly. > > > > > > Ok, but I won't have time untill this afternoon, > which comes after yours :) > > > > > > If I'm not too busy this afternoon I'll try > > > > to work one out for you. > > > Ok, please let me know if you do. > > > > > > > >> /usr/sbin/MailScanner /usr/lib/MailScanner > > > >> /usr/lib/perl5/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/5.8.0 > > > >> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi > > > >> /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl > > > >> /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > > > >> /usr/lib/perl5/vendor_perl/5.8.0 > /usr/lib/perl5/vendor_perl > > > >> /usr/lib/perl5/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/5.8.0 . > > > >> /usr/lib/MailScanner) at > > > >> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/ > Mail/ClamAV.pm > > > >> line 144. > > > >> BEGIN failed--compilation aborted at > > > >> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/ > Mail/ClamAV.pm > > > >> line 145. > > > >> Compilation failed in require at > > > >> > /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 369. > > > >> > > > >> > > > >> Thanks for your help. > > > > > > I do thank you.... 
;) > > > > > > > > > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 > 11F6 5947 1415 B654 > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 > 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From ka at PACIFIC.NET Thu Feb 12 15:29:27 2004 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:28 2006 Subject: [OT] FW: [tvdug] uvscan for Unix/Linux In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C518@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C518@jessica.herefordshire.gov.uk> Message-ID: <402B9BD7.9030308@pacific.net> I wonder if the on access virusscanner will cause as many problems as norton caused on the pc when it's improperly configured. I remember one version that simply quarantined the entire inbox when an infected message arrived and the inbox was accessed! I hope they don't do away with the command line version. Ken A Pacific.Net Randal, Phil wrote: > For everyone's information. > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > -----Original Message----- > From: gagel@cnc.bc.ca [mailto:gagel@cnc.bc.ca] > Sent: 11 February 2004 17:06 > To: tvdug@yahoogroups.com > Subject: Re: [tvdug] uvscan for Unix/Linux > > > Not only does it exist but NAI are just about to release a beta > version for a full time on access scanner for linux. > > ---paste--- > You are receiving this email as you are subscribed to the release > announcement for McAfee LinuxShield. The purpose of this email is to > forewarn you on the impending release of the Beta so you can allocate > testing time. 
>
> The current LinuxShield Beta release schedule is as follows
> Beta 1 is currently scheduled for early March
> Beta 2 is due early April
> Final release in May
>
> Should this schedule change you will be updated.
>
> LinuxShield QA
> ---end paste---
> Details are here:
> http://www.networkassociates.com/us/downloads/beta/lsh/
>
> To get the uvscan you might have to have the Total Virus Defense suite. It can be downloaded from NAI if you have a valid grant number.
>
> ----- Original Message Follows -----
>
>>[email.htm]
>>
>>Over on the MailScanner mailing list, there's a few people bemoaning the difficulty of getting their hands on uvscan for Unix/Linux.
>>
>>Can one of the NAI folks on the list give a few pointers on how to persuade your distributors that such a product exists and how people can get hold of it?
>>
>>Cheers,
>>
>>Phil
>>
>>---------------------------------------------
>>Phil Randal
>>Network Engineer
>>Herefordshire Council
>>Hereford, UK
>>
>>[Attachment: email.htm]
>
> ====================
> Kevin W. Gagel
> Network Administrator
> (250) 561-5848 local 448
> (250) 562-2131 local 448
>
> --------------------------------------------------------------
> The College of New Caledonia, Visit us at http://www.cnc.bc.ca
> Virus scanning is done on all incoming and outgoing email.
> --------------------------------------------------------------

From campbell at CNPAPERS.COM Thu Feb 12 15:17:19 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:28 2006
Subject: Preference for batch sizes
Message-ID: <00cd01c3f17b$4ef29ce0$9701a8c0@cnpapers.net>

We are seeing a real slow down in mail delivery here since yesterday. We are receiving about 50% more mail, but our system can't seem to keep up. Our normal mail count is probably about 35K-50K a day. Spam percentage is about 85-90%.

I have noticed the last two days a high rate of mail in incoming beginning around 10pm until midnight. When I look at my average load, it seems to be dropping linearly from 3 down to .6 or something like that. (Can servers get tired and need a rest?). Large incoming batches were always handled fairly quickly before this period, and I'm not sure if we're just slow or are receiving a lot of new mail, but based on complaints, mail is slow.

I have two questions:

Would smaller batches of mail be better? I have this set to 100 normally, and am testing 50 at the moment. I am guessing that smaller batch sizes may take less time to process and get them through faster as a batch, but overall processing of total email may be the same or slightly slower.

I have Max Children set to 5. Top shows 8-9 MailScanners running. Is this a problem or could it be multiple parents/children. This machine is pretty much maxed out when this happens. Maybe lower the Max Children, or increase the Queue Scan Interval from 5?

Any help and suggestions would be appreciated.

Thanks.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From jaearick at COLBY.EDU Thu Feb 12 15:50:23 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:28 2006
Subject: Preference for batch sizes
In-Reply-To: <00cd01c3f17b$4ef29ce0$9701a8c0@cnpapers.net>
References: <00cd01c3f17b$4ef29ce0$9701a8c0@cnpapers.net>
Message-ID:

Hi,

There was a whole thread on this a few months back, and one thing Julian did was lower the default batch size from 100 to 30 as a result. Sounds like you are running an old version of MS. If you are running a current version, drop the batch size to 30, maybe look at lowering "Max Normal Queue Size" (default is 1000, mine is 500 and I have a big powerful box), and tweaking the number of children. Tell us what version, and what your box is...

If you have some particular spamsite out there pounding you, block them with your MTA, eg sendmail access.db.

Jeff Earickson
Colby College

On Thu, 12 Feb 2004, Stephe Campbell wrote:

> Date: Thu, 12 Feb 2004 10:17:19 -0500
> From: Stephe Campbell
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Preference for batch sizes
>
> We are seeing a real slow down in mail delivery here since yesterday. We are receiving about 50% more mail, but our system can't seem to keep up. Our normal mail count is probably about 35K-50K a day. Spam percentage is about 85-90%.
>
> I have noticed the last two days a high rate of mail in incoming beginning around 10pm until midnight. When I look at my average load, it seems to be dropping linearly from 3 down to .6 or something like that. (Can servers get tired and need a rest?). Large incoming batches were always handled fairly quickly before this period, and I'm not sure if we're just slow or are receiving a lot of new mail, but based on complaints, mail is slow.
>
> I have two questions:
>
> Would smaller batches of mail be better? I have this set to 100 normally, and am testing 50 at the moment. I am guessing that smaller batch sizes may take less time to process and get them through faster as a batch, but overall processing of total email may be the same or slightly slower.
>
> I have Max Children set to 5. Top shows 8-9 MailScanners running. Is this a problem or could it be multiple parents/children. This machine is pretty much maxed out when this happens. Maybe lower the Max Children, or increase the Queue Scan Interval from 5?
>
> Any help and suggestions would be appreciated.
>
> Thanks.
>
>
> Steve Campbell
> campbell@cnpapers.com
> Charleston Newspapers
>

From ka at PACIFIC.NET Thu Feb 12 15:54:01 2004
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:22:28 2006
Subject: Preference for batch sizes
In-Reply-To: <00cd01c3f17b$4ef29ce0$9701a8c0@cnpapers.net>
References: <00cd01c3f17b$4ef29ce0$9701a8c0@cnpapers.net>
Message-ID: <402BA199.5080501@pacific.net>

If the load avg is dropping, it's probably network timeouts in SpamAssassin. Are you running a current version of SA? Do you have a nameserver running on the same box? If no to either of these, that's where I'd start.

Ken A
Pacific.Net

Stephe Campbell wrote:

> We are seeing a real slow down in mail delivery here since yesterday. We are receiving about 50% more mail, but our system can't seem to keep up. Our normal mail count is probably about 35K-50K a day. Spam percentage is about 85-90%.
>
> I have noticed the last two days a high rate of mail in incoming beginning around 10pm until midnight. When I look at my average load, it seems to be dropping linearly from 3 down to .6 or something like that. (Can servers get tired and need a rest?). Large incoming batches were always handled fairly quickly before this period, and I'm not sure if we're just slow or are receiving a lot of new mail, but based on complaints, mail is slow.
>
> I have two questions:
>
> Would smaller batches of mail be better? I have this set to 100 normally, and am testing 50 at the moment. I am guessing that smaller batch sizes may take less time to process and get them through faster as a batch, but overall processing of total email may be the same or slightly slower.
>
> I have Max Children set to 5. Top shows 8-9 MailScanners running. Is this a problem or could it be multiple parents/children. This machine is pretty much maxed out when this happens. Maybe lower the Max Children, or increase the Queue Scan Interval from 5?
>
> Any help and suggestions would be appreciated.
>
> Thanks.
>
>
> Steve Campbell
> campbell@cnpapers.com
> Charleston Newspapers
>

From mailscanner at BARENDSE.TO Thu Feb 12 16:24:13 2004
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:22:28 2006
Subject: Interesting... Decompression Bombs
In-Reply-To: <6.0.1.1.2.20040212143922.07253d08@imap.ecs.soton.ac.uk>
Message-ID:

Cool, 29 PB :)

Is there a copy available of it anywhere?? Nifty to test a raid array :)

On Thu, 12 Feb 2004, Julian Field wrote:

> At 14:38 12/02/2004, you wrote:
> >An interesting issue for those of us that run virus scanners for mail.
> >Check out: http://cheerleader.yoz.com/archives/001711.html
>
> I built defences into MailScanner for this attack a very long time ago, don't worry. This is an old problem.
>
> 100Gb out of a 7k zip file isn't the worst/best you can achieve.
> There is a zip file of 42374 bytes which expands to over 29,000,000 Gbytes (over 29 Petabytes).
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From JFalgout at CO.JEFFERSON.CO.US Thu Feb 12 16:19:26 2004
From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout)
Date: Thu Jan 12 21:22:28 2006
Subject: Feature Request - Super High Scoring Spam or something like it
Message-ID:

Julian,

Is it possible to add an additional action to do something else to "super high scoring spam", the same as {Spam?} and {High Scoring Spam?}.
For example, one could set
{Spam?} = deliver
{High Scoring Spam?} = attachment deliver
{Super High Scoring Spam?} = quarantine

Super High Scoring Spam is not the best description but you get the idea.

The idea is to create SA rules for quick defense against things like MyDoom slipping through and the IE Vulnerability/Phishing scam. I would like to be able to set those scores extremely high and place them in a quarantine until things get sorted out (AV defs get updated, etc).

I'm guessing it would be some duplication of code with a few minor changes.

Thoughts anyone?

Jeff

From campbell at CNPAPERS.COM Thu Feb 12 16:15:33 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:28 2006
Subject: Preference for batch sizes
References: <05ec01c3f17f$54e6d360$0b00a8c0@djh01>
Message-ID: <010301c3f183$7120f160$9701a8c0@cnpapers.net>

My message count is 35K-50K a day. Spam percentage is about 85-90%. I am running a P3 900MHz with 1MB ram. RH7.3 sendmail updated to last up2date.

My problem is more with what will make this run like two days ago. I don't really have a clue about what is causing the slowness.

I have also started adding more to my blacklist file, noting that these have no spam scores, and assume they are skipped right away. I realize that adding them to my MTA would be better, but I'm trying to make the MailScanner part better tuned now.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "David Hooton"
To:
Sent: Thursday, February 12, 2004 10:45 AM
Subject: RE: Preference for batch sizes

Hi Steve,

What is your server spec, and how many messages per day are you processing?

Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Stephe Campbell
> Sent: Friday, 13 February 2004 2:17 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Preference for batch sizes
>
> We are seeing a real slow down in mail delivery here since yesterday. We are receiving about 50% more mail, but our system can't seem to keep up. Our normal mail count is probably about 35K-50K a day. Spam percentage is about 85-90%.
>
> I have noticed the last two days a high rate of mail in incoming beginning around 10pm until midnight. When I look at my average load, it seems to be dropping linearly from 3 down to .6 or something like that. (Can servers get tired and need a rest?). Large incoming batches were always handled fairly quickly before this period, and I'm not sure if we're just slow or are receiving a lot of new mail, but based on complaints, mail is slow.
>
> I have two questions:
>
> Would smaller batches of mail be better? I have this set to 100 normally, and am testing 50 at the moment. I am guessing that smaller batch sizes may take less time to process and get them through faster as a batch, but overall processing of total email may be the same or slightly slower.
>
> I have Max Children set to 5. Top shows 8-9 MailScanners running. Is this a problem or could it be multiple parents/children. This machine is pretty much maxed out when this happens. Maybe lower the Max Children, or increase the Queue Scan Interval from 5?
>
> Any help and suggestions would be appreciated.
>
> Thanks.
>
>
> Steve Campbell
> campbell@cnpapers.com
> Charleston Newspapers
>
> ========================================================================
> Pain free spam & virus protection by: www.mailsecurity.net.au
> Forward undetected SPAM to: spam@mailsecurity.net.au
> ========================================================================

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From campbell at CNPAPERS.COM Thu Feb 12 16:23:52 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:28 2006
Subject: Preference for batch sizes
References: <00cd01c3f17b$4ef29ce0$9701a8c0@cnpapers.net> <402BA199.5080501@pacific.net>
Message-ID: <011101c3f184$9c17fa20$9701a8c0@cnpapers.net>

Thanks all for the help. I dropped to 50 batch size and that has helped. I will try 30 later today. I don't see any timeouts any where. I am running SA 2.61 and the latest MS. No nameserver on this box but have never had DNS problems with our own separate DNS servers.

I just can't figure why before Wednesday, backups of 2000 emails in incoming would clear relatively quickly, but now, with incoming and new emails, it takes all day (Maybe more new incoming than usual, as I mentioned, 25K more than usual). Yesterday, it started at 10pm the prior night and didn't get back into the under-10 range until about 7pm. Usually something like this clears in a matter of minutes.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Ken Anderson"
To:
Sent: Thursday, February 12, 2004 10:54 AM
Subject: Re: Preference for batch sizes

> If the load avg is dropping, it's probably network timeouts in SpamAssassin. Are you running a current version of SA? Do you have a nameserver running on the same box? If no to either of these, that's where I'd start.
>
> Ken A
> Pacific.Net
>
> Stephe Campbell wrote:
>
> > We are seeing a real slow down in mail delivery here since yesterday. We are receiving about 50% more mail, but our system can't seem to keep up. Our normal mail count is probably about 35K-50K a day. Spam percentage is about 85-90%.
> >
> > I have noticed the last two days a high rate of mail in incoming beginning around 10pm until midnight. When I look at my average load, it seems to be dropping linearly from 3 down to .6 or something like that. (Can servers get tired and need a rest?). Large incoming batches were always handled fairly quickly before this period, and I'm not sure if we're just slow or are receiving a lot of new mail, but based on complaints, mail is slow.
> >
> > I have two questions:
> >
> > Would smaller batches of mail be better? I have this set to 100 normally, and am testing 50 at the moment. I am guessing that smaller batch sizes may take less time to process and get them through faster as a batch, but overall processing of total email may be the same or slightly slower.
> >
> > I have Max Children set to 5. Top shows 8-9 MailScanners running. Is this a problem or could it be multiple parents/children. This machine is pretty much maxed out when this happens. Maybe lower the Max Children, or increase the Queue Scan Interval from 5?
> >
> > Any help and suggestions would be appreciated.
> >
> > Thanks.
> >
> >
> > Steve Campbell
> > campbell@cnpapers.com
> > Charleston Newspapers
> >
> >

From campbell at CNPAPERS.COM Thu Feb 12 16:26:25 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:28 2006
Subject: Preference for batch sizes
References: <05ec01c3f17f$54e6d360$0b00a8c0@djh01> <010301c3f183$7120f160$9701a8c0@cnpapers.net>
Message-ID: <011f01c3f184$f7e409c0$9701a8c0@cnpapers.net>

OOPS, that's 1GB of ram. I'll bet you all thought you had it solved!!!!

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Stephe Campbell"
To:
Sent: Thursday, February 12, 2004 11:15 AM
Subject: Re: Preference for batch sizes

> My message count is 35K-50K a day. Spam percentage is about 85-90%. I am running a P3 900MHz with 1MB ram. RH7.3 sendmail updated to last up2date.
>
> My problem is more with what will make this run like two days ago. I don't really have a clue about what is causing the slowness.
>
> I have also started adding more to my blacklist file, noting that these have no spam scores, and assume they are skipped right away. I realize that adding them to my MTA would be better, but I'm trying to make the MailScanner part better tuned now.
>
> Steve Campbell
> campbell@cnpapers.com
> Charleston Newspapers
>
> ----- Original Message -----
> From: "David Hooton"
> To:
> Sent: Thursday, February 12, 2004 10:45 AM
> Subject: RE: Preference for batch sizes
>
>
> Hi Steve,
>
> What is your server spec, and how many messages per day are you processing?
>
> Regards,
>
> David Hooton
> Senior Partner
> Platform Hosting
> 1300 85 HOST
> www.platformhosting.com
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Stephe Campbell
> > Sent: Friday, 13 February 2004 2:17 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Preference for batch sizes
> >
> > We are seeing a real slow down in mail delivery here since yesterday. We are receiving about 50% more mail, but our system can't seem to keep up. Our normal mail count is probably about 35K-50K a day. Spam percentage is about 85-90%.
> >
> > I have noticed the last two days a high rate of mail in incoming beginning around 10pm until midnight. When I look at my average load, it seems to be dropping linearly from 3 down to .6 or something like that. (Can servers get tired and need a rest?). Large incoming batches were always handled fairly quickly before this period, and I'm not sure if we're just slow or are receiving a lot of new mail, but based on complaints, mail is slow.
> >
> > I have two questions:
> >
> > Would smaller batches of mail be better? I have this set to 100 normally, and am testing 50 at the moment. I am guessing that smaller batch sizes may take less time to process and get them through faster as a batch, but overall processing of total email may be the same or slightly slower.
> >
> > I have Max Children set to 5. Top shows 8-9 MailScanners running. Is this a problem or could it be multiple parents/children. This machine is pretty much maxed out when this happens. Maybe lower the Max Children, or increase the Queue Scan Interval from 5?
> >
> > Any help and suggestions would be appreciated.
> >
> > Thanks.
> >
> >
> > Steve Campbell
> > campbell@cnpapers.com
> > Charleston Newspapers
> >
> > ========================================================================
> > Pain free spam & virus protection by: www.mailsecurity.net.au
> > Forward undetected SPAM to: spam@mailsecurity.net.au
> > ========================================================================
>
>
> ========================================================================
> Pain free spam & virus protection by: www.mailsecurity.net.au
> Forward undetected SPAM to: spam@mailsecurity.net.au
> ========================================================================

From mailscanner at ecs.soton.ac.uk Thu Feb 12 16:32:46 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:28 2006
Subject: Feature Request - Super High Scoring Spam or something like it
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040212163151.03aa0e70@imap.ecs.soton.ac.uk>

Another request for n+1 levels of spam scoring.

You can implement this easily with a simple Custom Function. For a suitable bribe (or something off my wish list) I'll even write it for you.

At 16:19 12/02/2004, you wrote:
>Julian,
>
>Is it possible to add an additional action to do something else to "super high scoring spam", the same as {Spam?} and {High Scoring Spam?}.
>For example, one could set
>{Spam?} = deliver
>{High Scoring Spam?} = attachment deliver
>{Super High Scoring Spam?} = quarantine
>
>Super High Scoring Spam is not the best description but you get the idea.
>
>The idea is to create SA rules for quick defense against things like MyDoom slipping through and the IE Vulnerability/Phishing scam. I would like to be able to set those scores extremely high and place them in a quarantine until things get sorted out (AV defs get updated, etc).
>
>I'm guessing it would be some duplication of code with a few minor changes.
>
>Thoughts anyone?
>
>Jeff

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 12 16:34:34 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:28 2006
Subject: Preference for batch sizes
In-Reply-To: <010301c3f183$7120f160$9701a8c0@cnpapers.net>
References: <05ec01c3f17f$54e6d360$0b00a8c0@djh01> <010301c3f183$7120f160$9701a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20040212163345.03da7e10@imap.ecs.soton.ac.uk>

I've consistently been getting razor timeouts all the time now. If you are using razor, try switching it off ("use_razor2 0" in spam.assassin.prefs.conf then restart MailScanner).

At 16:15 12/02/2004, you wrote:
>My message count is 35K-50K a day. Spam percentage is about 85-90%. I am running a P3 900MHz with 1MB ram. RH7.3 sendmail updated to last up2date.
>
>My problem is more with what will make this run like two days ago. I don't really have a clue about what is causing the slowness.
>
>I have also started adding more to my blacklist file, noting that these have no spam scores, and assume they are skipped right away. I realize that adding them to my MTA would be better, but I'm trying to make the MailScanner part better tuned now.
>
>Steve Campbell
>campbell@cnpapers.com
>Charleston Newspapers
>
>----- Original Message -----
>From: "David Hooton"
>To:
>Sent: Thursday, February 12, 2004 10:45 AM
>Subject: RE: Preference for batch sizes
>
>
>Hi Steve,
>
>What is your server spec, and how many messages per day are you processing?
>
>Regards,
>
>David Hooton
>Senior Partner
>Platform Hosting
>1300 85 HOST
>www.platformhosting.com
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Stephe Campbell
> > Sent: Friday, 13 February 2004 2:17 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Preference for batch sizes
> >
> > We are seeing a real slow down in mail delivery here since yesterday. We are receiving about 50% more mail, but our system can't seem to keep up. Our normal mail count is probably about 35K-50K a day. Spam percentage is about 85-90%.
> >
> > I have noticed the last two days a high rate of mail in incoming beginning around 10pm until midnight. When I look at my average load, it seems to be dropping linearly from 3 down to .6 or something like that. (Can servers get tired and need a rest?). Large incoming batches were always handled fairly quickly before this period, and I'm not sure if we're just slow or are receiving a lot of new mail, but based on complaints, mail is slow.
> >
> > I have two questions:
> >
> > Would smaller batches of mail be better? I have this set to 100 normally, and am testing 50 at the moment. I am guessing that smaller batch sizes may take less time to process and get them through faster as a batch, but overall processing of total email may be the same or slightly slower.
> >
> > I have Max Children set to 5. Top shows 8-9 MailScanners running. Is this a problem or could it be multiple parents/children. This machine is pretty much maxed out when this happens. Maybe lower the Max Children, or increase the Queue Scan Interval from 5?
> >
> > Any help and suggestions would be appreciated.
> >
> > Thanks.
> >
> >
> > Steve Campbell
> > campbell@cnpapers.com
> > Charleston Newspapers
> >
> > ========================================================================
> > Pain free spam & virus protection by: www.mailsecurity.net.au
> > Forward undetected SPAM to: spam@mailsecurity.net.au
> > ========================================================================
>
>
>========================================================================
> Pain free spam & virus protection by: www.mailsecurity.net.au
> Forward undetected SPAM to: spam@mailsecurity.net.au
>========================================================================

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From hywel at BURRIS.ORG.UK Thu Feb 12 16:44:49 2004
From: hywel at BURRIS.ORG.UK (Hywel Burris)
Date: Thu Jan 12 21:22:28 2006
Subject: Mydoom Virus getting Through - High Spam
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C517@jessica.herefordshire.gov.uk>
Message-ID: <200402121644.i1CGilrY019636@mail.burris.org.uk>

This would be very useful for me also

Thanks

Hywel

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Randal, Phil
Sent: 12 February 2004 12:14
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mydoom Virus getting Through - High Spam

Julian, this one was raised last week with me and a few others requesting virus scanning regardless of spam checking.

Do you have any plans to allow us to virus scan all quarantined emails, even when they are high-scoring spam?

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jan Elmqvist Nielsen
> Sent: 12 February 2004 00:34
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Mydoom Virus getting Through - High Spam
>
>
> All the Mydoom viruses which not have been detected is all High Spam!
>
> I store all High Spam and doesn't pass them through
>
> I have set my High Spam score a little higher to see what happens :-)
>
> /jan Elmqvist Nielsen
>

From ralexand at HOODINDUSTRIES.COM Thu Feb 12 16:46:43 2004
From: ralexand at HOODINDUSTRIES.COM (Richard Alexander)
Date: Thu Jan 12 21:22:28 2006
Subject: Updated MS/SA now i don't get the mailing list :(
Message-ID:

I made the addition as directed and it worked fine for a few days. I looked in the MailScanner.conf and it says maximum attachments are at 200. Last 2 nights the list was blocked again and i'm seeing the following in my maillog:

Feb 11 17:50:59 inet sendmail[5245]: i1BNom6L005245: from=, size=557564, class=-30, nrcpts=1, msgid=<200402112350.i1BNom6L005245@inet.hoodindustries.com>, proto=SMTP, daemon=MTA, relay=smtp.jiscmail.ac.uk [130.246.192.48]
Feb 11 17:51:00 inet MailScanner[5190]: New Batch: Scanning 1 messages, 558192 bytes
Feb 11 17:51:00 inet MailScanner[5190]: Spam Checks: Starting
Feb 11 17:51:06 inet MailScanner[5190]: Too many attachments in i1BNom6L005245
Feb 11 17:51:06 inet MailScanner[5190]: Virus and Content Scanning: Starting
Feb 11 17:51:06 inet MailScanner[5190]: Looked up unknown string report in language translation file /etc/MailScanner/reports/en/languages.conf
Feb 11 17:51:06 inet sendmail[5263]: i1BNp6rN005263: from=postmaster, size=1461, class=0, nrcpts=1, msgid=<200402112351.i1BNp6rN005263@inet.hoodindustries.com>, relay=root@localhost
Feb 11 17:51:07 inet sendmail[5265]: i1BNp66L005265: from=, size=1748, class=0, nrcpts=1, msgid=<200402112351.i1BNp6rN005263@inet.hoodindustries.com>, proto=ESMTP, daemon=MTA, relay=inet.hoodindustries.com [127.0.0.1]
Feb 11 17:51:07 inet sendmail[5263]: i1BNp6rN005263: to=postmaster, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30091, relay= [127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (i1BNp66L005265 Message accepted for delivery)
Feb 11 17:51:07 inet MailScanner[5190]: Notices: Warned about 1 messages
Feb 11 17:51:07 inet MailScanner[5190]: New Batch: Scanning 1 messages, 2282 bytes

On Wed, 4 Feb 2004 15:17:25 +0000, Julian Field wrote:

>At 15:06 04/02/2004, you wrote:
>>I updated my versions of MS/SA on Saturday afternoon and now I'm not
>>receiving my daily MS list email. Anyone know of any issue with the list or why this might have happened. I went to the site and still shows me subscribed.
>>
>>Thanks all for the upgrade advice that helped everything go smoothly.
>
>Try adding
>From: *mailscanner@jiscmail.ac.uk yes
>to your spam.whitelist.rules file and reload MailScanner.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lists at STHOMAS.NET Thu Feb 12 16:54:30 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:28 2006
Subject: Interesting... Decompression Bombs
In-Reply-To: ; from mailscanner@BARENDSE.TO on Thu, Feb 12, 2004 at 05:24:13PM +0100
References: <6.0.1.1.2.20040212143922.07253d08@imap.ecs.soton.ac.uk>
Message-ID: <20040212085430.A19100@sthomas.net>

On Thu, Feb 12, 2004 at 05:24:13PM +0100, Remco Barendse is rumored to have said:
>
> Cool, 29 PB :)
>
> Is there a copy available of it anywhere?? Nifty to test a raid array :)

Google for 42.zip.

--
"Pray, v.: To ask that the laws of the universe be annulled on behalf of a single petitioner confessedly unworthy." - Ambrose Bierce (1842-1914)

From martinh at SOLID-STATE-LOGIC.COM Thu Feb 12 16:53:51 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:28 2006
Subject: [Fwd: New subgroups in the IRTF ASRG]
Message-ID: <402BAF9F.4040902@solid-state-logic.com>

Maybe useful to people on this list

NB the domain sp.am ;-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

-------------- next part --------------
An embedded message was scrubbed...
From: "John R Levine"
Subject: New subgroups in the IRTF ASRG
Date: 12 Feb 2004 11:24:48 -0500
Size: 4293
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040212/b71bccbc/NewsubgroupsintheIRTFASRG.mht

From campbell at CNPAPERS.COM Thu Feb 12 16:53:17 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:28 2006
Subject: Updated MS/SA now i don't get the mailing list :(
References:
Message-ID: <013701c3f188$b6e345e0$9701a8c0@cnpapers.net>

My similar problem turned out to be what I think was Bayes poisoning, as suggested by Mr. Field. I could not repair it, so I deleted my Bayes files and all seemed fine.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Richard Alexander" To: Sent: Thursday, February 12, 2004 11:46 AM Subject: Re: Updated MS/SA now i don't get the mailing list :( > I made the addition as directed and it worked fine for a few days. > I looked in the MailScanner.conf and it says maximum attachemnts are at > 200. Last 2 nights the list was blocked again and i'm seeing the > following in my maillog: > > Feb 11 17:50:59 inet sendmail[5245]: i1BNom6L005245: from= MAILSCANNER@JISCMAIL.AC.UK>, size=557564, class=-30, nrcpts=1, > msgid=<200402112350.i1BNom6L005245@inet.hoodindustries.com>, proto=SMTP, > daemon=MTA, relay=smtp.jiscmail.ac.uk [130.246.192.48] > Feb 11 17:51:00 inet MailScanner[5190]: New Batch: Scanning 1 messages, > 558192 bytes > Feb 11 17:51:00 inet MailScanner[5190]: Spam Checks: Starting > Feb 11 17:51:06 inet MailScanner[5190]: Too many attachments in > i1BNom6L005245 > Feb 11 17:51:06 inet MailScanner[5190]: Virus and Content Scanning: > Starting > Feb 11 17:51:06 inet MailScanner[5190]: Looked up unknown string report in > language translation file /etc/MailScanner/reports/en/languages.conf > Feb 11 17:51:06 inet sendmail[5263]: i1BNp6rN005263: from=postmaster, > size=1461, class=0, nrcpts=1, > msgid=<200402112351.i1BNp6rN005263@inet.hoodindustries.com>, > relay=root@localhost > Feb 11 17:51:07 inet sendmail[5265]: i1BNp66L005265: > from=, size=1748, class=0, nrcpts=1, > msgid=<200402112351.i1BNp6rN005263@inet.hoodindustries.com>, proto=ESMTP, > daemon=MTA, relay=inet.hoodindustries.com [127.0.0.1] > Feb 11 17:51:07 inet sendmail[5263]: i1BNp6rN005263: to=postmaster, > delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30091, relay= > [127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (i1BNp66L005265 Message > accepted for delivery) > Feb 11 17:51:07 inet MailScanner[5190]: Notices: Warned about 1 messages > Feb 11 17:51:07 inet MailScanner[5190]: New Batch: Scanning 1 messages, > 2282 bytes > > > On Wed, 4 Feb 2004 15:17:25 +0000, Julian Field > wrote: > > >At 15:06 04/02/2004, 
you wrote: > >>I updated my versions of MS/SA on Saturday afternoon and now I'm not > >>receiving my daily MS list email. Anyone no of any issue with the list > or > >>why this might have happened. I went to the site and still shows me > >>subscribed. > >> > >>Thanks all for the upgrade advice that helped everything go smoothly. > > > >Try adding > >From: *mailscanner@jiscmail.ac.uk yes > >to your spam.whitelist.rules file and reload MailScanner. > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From campbell at CNPAPERS.COM Thu Feb 12 16:55:08 2004 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:22:28 2006 Subject: Preference for batch sizes References: <05ec01c3f17f$54e6d360$0b00a8c0@djh01> <010301c3f183$7120f160$9701a8c0@cnpapers.net> <6.0.1.1.2.20040212163345.03da7e10@imap.ecs.soton.ac.uk> Message-ID: <013f01c3f188$f8d28ba0$9701a8c0@cnpapers.net> I do not use Razor, but the suggestion to lower the message count per scan seemed to fix it up. I am not running at 2 or 3 messages in my incoming. Somehow, I missed the prior thread. Thanks very much all Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- 
From: "Julian Field" To: Sent: Thursday, February 12, 2004 11:34 AM Subject: Re: Preference for batch sizes > I've consistently been getting razor timeouts all the time now. If you are > using razor, try switching it off ("use_razor2 0" in > spam.assassin.prefs.conf then restart MailScanner). > > At 16:15 12/02/2004, you wrote: > >My message count is 35K-50K a day. Spam percentage is about 85-90%. I am > >running a P3 900MHz with 1MB ram. RH7.3 sendmail updated to last up2date. > > > >My problem is more with what will make this run like two days ago. I don't > >really have a clue about what is causing the slowness. > > > >I have also started adding more to my blacklist file, noting that these have > >no spam scores, and assume they are skipped right away. I realize that > >adding them to my MTA would be better, but I'm trying to make the > >MailScanner part better tuned now. > > > >Steve Campbell > >campbell@cnpapers.com > >Charleston Newspapers > > > >----- Original Message ----- > >From: "David Hooton" > >To: > >Sent: Thursday, February 12, 2004 10:45 AM > >Subject: RE: Preference for batch sizes > > > > > >Hi Steve, > > > >What is your server spec, and how many messages per day are you processing? > > > >Regards, > > > >David Hooton > >Senior Partner > >Platform Hosting > >1300 85 HOST > >www.platformhosting.com > > > > > > > -----Original Message----- 
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > Behalf Of Stephe Campbell > > > Sent: Friday, 13 February 2004 2:17 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Preference for batch sizes > > > > > > We are seeing a real slow down in mail delivery here since yesterday. We > > > are > > > receiving about 50% more mail, but our system can't seem to keep up. Our > > > normal mail count is probably about 35K-50K a day. Spam percentage is > > > about > > > 85-90%. > > > > > > I have noticed the last two days a high rate of mail in incoming beginning > > > around 10pm until midnight. When I look at my average load, it seems to be > > > dropping linearly from 3 down to .6 or something like that. (Can servers > > > get > > > tired and need a rest?). Large incoming batches were always handled fairly > > > quickly before this period, and I'm not sure if we're just slow or are > > > receiving a lot of new mail, but based on complaints, mail is slow. > > > > > > I have two questions: > > > > > > Would smaller batches of mail be better? I have this set to 100 normally, > > > and am testing 50 at the moment. I am guessing that smaller batch sizes > > > may > > > take less time to process and get them through faster as a batch, but > > > overall processing of total email may be the same or slightly slower. > > > > > > I have Max Children set to 5. Top shows 8-9 MailScanners running. Is this > > > a > > > problem or could it be multiple parents/children. This machine is pretty > > > much maxed out when this happens. Maybe lower the Max Children, or > > > increase > > > the Queue Scan Interval from 5? > > > > > > Any help and suggestions would be appreciated. > > > > > > Thanks. 
> > > > > > > > > Steve Campbell > > > campbell@cnpapers.com > > > Charleston Newspapers > > > > > > ======================================================================== > > > Pain free spam & virus protection by: www.mailsecurity.net.au > > > Forward undetected SPAM to: spam@mailsecurity.net.au > > > ======================================================================== > > > > > >======================================================================== > > Pain free spam & virus protection by: www.mailsecurity.net.au > > Forward undetected SPAM to: spam@mailsecurity.net.au > >======================================================================== > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mkettler at EVI-INC.COM Thu Feb 12 17:09:49 2004 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:28 2006 Subject: Interesting... Decompression Bombs In-Reply-To: <402B918C.3070507@solid-state-logic.com> References: <402B8FD3.40600@usg.edu> <402B918C.3070507@solid-state-logic.com> Message-ID: <6.0.0.22.0.20040212120841.02553e98@xanadu.evi-inc.com> At 09:45 AM 2/12/2004, Martin Hepworth wrote: >Bob Jones wrote: > > An interesting issue for those of us that run virus scanners for mail. > > Check out: http://cheerleader.yoz.com/archives/001711.html > > > > -- > > Bob Jones > > OIIT > > The Board of Regents > > The University System of Georgia > >Possibly something to do with the rush 0.66 release of ClamAV and the >DOS attack it mentions???? No, the DOS attack involves decoding of invalid uuencoded streams. There's an explanation on bugtraq for those that are concerned. Look for the subject "clamav 0.65 remote DOS exploit " in the bugtraq archives of your choice. (google searches work well too). From maillists at CONACTIVE.COM Thu Feb 12 17:31:36 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:28 2006 Subject: size of mailscanner processes? Message-ID: I'm evaluating MailScanner at the moment and I wonder if it is normal that the processes take up 50 MB each? Somewhere in a FAQ I read about 20 MB. 50 MB per process and most of that not-shared seems a bit high to me. 3229 root 15 0 14456 13m 9360 S 0.0 2.6 0:00.04 MailScanner 21196 root 15 0 52452 51m 9972 S 0.0 10.2 0:05.23 MailScanner 21215 root 15 0 52536 51m 9952 S 0.0 10.2 0:05.48 MailScanner so, the main starter process seems to have only 15 MB, but any of the real work processes has 50. System is Suse 9.0 with Perl 5.8.1 I'm using clamavmodule, could this be the culprit for grabbing so much RAM? Kai -- Kai Schätzl, Berlin, Germany From maillists at CONACTIVE.COM Thu Feb 12 17:31:36 2004 
From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:28 2006 Subject: Mydoom Virus getting Through - High Spam In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C517@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C517@jessica.herefordshire.gov.uk> Message-ID: Phil Randal wrote on Thu, 12 Feb 2004 12:13:54 -0000: > Do you have any plans to allow us to virus scan all quarantined emails, even > when they are high-scoring spam? > I've currently set up a test environment because I'm considering moving from a milter to MailScanner. And I see exactly what you want: Incoming virus messages are scanned by clamav and also detected as spam and then quarantined. Or did I misunderstand you? Actually, I would like to see an option where I could give a processing order and tell MailScanner to stop scanning when it is true. f.i., a simplified example: processing order: filetype stop spam virus would process in that order and stop processing if the message contains a forbidden attachment type - and quarantine it. Depending on which order you choose it could reduce the resource usage tremendously. F.i. if most mail coming in are viruses with certain extensions the order above would already grab and stop most mail without virus-scanning and spam-scanning. Resource usage isn't an issue on low-volume machines, but where you process thousands of messages a day you are quite happy when you can stop it at the earliest moment with the least possible CPU and mem usage. Of course, it should be possible that MS continues with the scan if someone releases the mail and puts it back in the queue. I assume it would need to add an extra header X-MailScanner-ScanStatus: spam So this would indicate to restart scanning at that stage. And it would probably need another header/measure which lets MailScanner identify that it can trust this header. 
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From Kevin_Miller at CI.JUNEAU.AK.US Thu Feb 12 17:48:32 2004 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:28 2006 Subject: MailScanner 8.26-1 won't start Message-ID: <08146035CA49D6119A36009027AC822A0264EE02@CITY-EXCH-NTS> Thanks. Did that and got: In Debugging mode, not forking... Digest::MD5 object version 2.20 does not match bootstrap parameter 2.16 at /usr/lib/perl5/5.6.1/i586-linux/DynaLoader.pm line 225. Compilation failed in require at /usr/lib/perl5/site_perl/5.6.1/Inline.pm line 419. BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.6.1/i586-linux/Mail/ClamAV.pm line 390. Compilation failed in require at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 369. Inline.pm requires MD5, ClamAV needs Inline.pm and SweepViruses.pm requires ClamAV.pm, so if I can get MD5 fixed it outta fly. So what do I need to twiddle to update the DynaLoader to use 2.20 instead of 2.16 (which apparently no longer exists on my system)? Thanks... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 >-----Original Message----- 
>From: Daniel Kleinsinger [mailto:danielk@AVALONPUB.COM] >Sent: Wednesday, February 11, 2004 5:41 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner 8.26-1 won't start > > >Try Debug=yes in MailScanner.conf and it should give you more >info. The >virus updaters run from cron so it makes sense that they're still >running. Good luck. > >Daniel > >Kevin Miller wrote: > >>Don't know what I did, but I'm building a new server on SuSE 8.0 and >>installed 8.26-1. It was working, but I turned it off to add >a couple other >>things like Spamassassin, Razor2, and mailscanner-mrtg. Now >when I try to >>start it I get this: >> >>city-dns2-su8:/var/log # ps aux | grep MailScanner >>root 14157 0.0 4.2 12752 10948 ? S 15:16 >0:00 /usr/bin/perl >>-I/usr/lib/MailScanner /usr/sbin/MailScanner >>/etc/MailScanner/MailScanner.conf >>root 14158 1.3 0.0 0 0 ? Z 15:16 >0:01 [MailScanner >>] >>root 14160 1.4 0.0 0 0 ? Z 15:16 >0:01 [MailScanner >>] >>root 14177 28.0 0.0 0 0 ? Z 15:18 >0:01 [MailScanner >>] >>root 14179 0.0 0.2 1636 592 pts/0 R 15:18 0:00 grep >>MailScanner >> >> >>I have it set to three child processes. Tail -f >/var/log/mail just shows a >>new process being started every 10 seconds. I'm stumped. >I've killed it, >>then checked /var/log/mail and the odd thing is that the virus scanner >>update checks are being run on the hour, even if MailScanner >isn't running. >>Not sure what's calling them. I thought MailScanner did. >Nothing else in >>mail - all I get is: >> >>Feb 11 16:17:24 city-dns2-su8 MailScanner[16428]: MailScanner >E-Mail Virus >>Scanner version 4.26.8 starting... >>Feb 11 16:17:34 city-dns2-su8 MailScanner[16430]: MailScanner >E-Mail Virus >>Scanner version 4.26.8 starting... >>Feb 11 16:17:44 city-dns2-su8 MailScanner[16433]: MailScanner >E-Mail Virus >>Scanner version 4.26.8 starting... >> >> >>Any clues? Anybody else seen this lately? >> >> >>...Kevin >>-- >>Kevin Miller Registered Linux User No: 307357 >>CBJ MIS Dept. 
Network Systems Administrator, Mail >>Administrator >>155 South Seward Street ph: (907) 586-0242 >>Juneau, Alaska 99801 fax: (907 586-4500 >> >> > From mailscanner at ecs.soton.ac.uk Thu Feb 12 18:07:54 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:28 2006 Subject: ANNOUNCE: Beta 4.27.2 released Message-ID: <6.0.3.0.2.20040212180202.0385b868@imap.ecs.soton.ac.uk> The only change of any importance is that I have made is an improvement to the MIME decoder, making it considerably more robust and aggressive at decoding. I wouldn't normally release a version for a single change like this, but several people have contacted me requesting patches to get this improvement. So I thought the simplest solution was to publish it completely. If you want to just patch your existing installation and not replace it, then the file containing the changes is Message.pm. You will need to diff your old file against this new one and patch your current code by hand, but I can't really produce a separate patch for every version currently in use. Download as usual from www.mailscanner.info The full Change Log is linked from the home page of the website. Let me know what you think. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 12 18:17:06 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:28 2006 Subject: size of mailscanner processes? In-Reply-To: References: Message-ID: <6.0.3.0.2.20040212180815.03820ee0@imap.ecs.soton.ac.uk> At 17:31 12/02/2004, you wrote: >I'm evaluating MailScanner at the moment and I wonder if it is normal that >the processes take up 50 MB each? Somewhere in a FAQ I read about 20 MB. >50 MB per process and most of that not-shared seems a bit high to me. Mine usually run about 30Mb RSS on average. Just under 30,000 lines of Perl does make for pretty big processes. MailScanner likes plenty of RAM. > 3229 root 15 0 14456 13m 9360 S 0.0 2.6 0:00.04 MailScanner >21196 root 15 0 52452 51m 9972 S 0.0 10.2 0:05.23 MailScanner >21215 root 15 0 52536 51m 9952 S 0.0 10.2 0:05.48 MailScanner > >so, the main starter process seems to have only 15 MB, but any of the real >work processes has 50. >System is Suse 9.0 with Perl 5.8.1 >I'm using clamavmodule, could this be the culprit for grabbing so much >RAM? Running clamavmodule, mine run between 20Mb and 53Mb (except for the smaller parent process). Running f-prot, mine are between 39Mb and 41Mb. So clamavmodule could be costing up to 12Mb per process. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ka at PACIFIC.NET Thu Feb 12 18:49:21 2004 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:28 2006 Subject: Fix -- Re: Mydoom Virus getting Through In-Reply-To: <6.0.1.1.2.20040212083334.03dba8e8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> <402A9160.70005@avalonpub.com> <402A928F.4060107@themarshalls.co.uk> <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> <402AB798.1080006@pacific.net> <402ABCDD.7020503@pacific.net> <6.0.1.1.2.20040212083334.03dba8e8@imap.ecs.soton.ac.uk> Message-ID: <402BCAB1.6060309@pacific.net> patched and restarted with no problems. Thanks, Ken A. Pacific.Net Julian Field wrote: > Please try this patch instead of the new Message.pm. > > cd /usr/lib/MailScanner/MailScanner > cp Message.pm Message.pm.safe > patch -p0 < Message.pm.4.26.5.patch > service MailScanner restart > > If it still fails, set "Debug = yes" in MailScanner.conf, then > > service MailScanner stop > sleep 15 > check_MailScanner > > and let me know what it says. > > At 23:38 11/02/2004, you wrote: > >> Looking at the log, I see that MailScanner failed to start. >> Ken >> >> >> Ken Anderson wrote: >> >>> I tried installing this Message.pm and restarted MailScanner, but I >>> quickly built up a large incoming queue and all exploding in /incoming >>> stopped happening. The directory stayed empty after restarting >>> MailScanner. I'm not sure what caused it, but things went back to normal >>> after I put the old Message.pm back. I'm running 4.26.5, perhaps not a >>> recent enough version? >>> Thanks, >>> Ken A >>> Pacific.Net >>> >>> >>> Julian Field wrote: >>> >>>> I have hopefully managed to make the MIME parser a lot more robust. It >>>> certainly appears to solve the current problem. If you are running a >>>> nice >>>> recent version, backup your old Message.pm and replace it with this >>>> one. >>>> >>>> Then please test it against the copies of MyDoom that are getting >>>> through. 
>>>> >>>> The result of a fine evening spent wading through MIME-tools code and >>>> deciding that it can't rewind :-( >>>> >>>> Let me know how it goes. >>>> >>>> At 20:37 11/02/2004, you wrote: >>>> >>>>> Daniel Kleinsinger wrote: >>>>> >>>>>> Julian Field wrote: >>>>>> >>>>>>> The message that contained the MyDoom that got through Sophos >>>>>>> (before >>>>>>> 3.78d) was actually a bounce from another mail server that included >>>>>>> the >>>>>>> entire text of the original message. >>>>>>> >>>>>>> Fortunately it's not been a big problem so far, but I would quite >>>>>>> like to fix it if I can. >>>>>>> >>>>>> I'm running Sophos in addition to Trend and F-Prot. Using >>>>>> MailWatch I >>>>>> checked which virii got caught by which scanner and before installing >>>>>> 3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total >>>>>> MyDoom.A slipped past Sophos everyday). Since installing 3.78d >>>>>> (yesterday) Sophos is catching all that Trend and F-Prot are. There >>>>>> still seem to be some people having issues with 3.78d, but in my >>>>>> case it >>>>>> seems like it was a problem with Sophos, not MailScanner. >>>>>> >>>>>> Daniel >>>>> >>>>> >>>>> >>>>> >>>>> I would suggest that this as much an antivirus issue. I run F-prot and >>>>> Antivir and until Antivir updated their engine about a week ago only >>>>> F-prot was reliably catching the bounce messages with the original >>>>> message attached. With the new engine, all is well again and both are >>>>> catching them. Looks like F-Prot had a better message scanning engine >>>>> than the others had at the time. >>>>> >>>>> Drew >>>>> >>>>> -- >>>>> In line with our policy, this message has >>>>> been scanned for viruses and dangerous >>>>> content by MailScanner, and is believed to be clean. 
>>>>> www.themarshalls.co.uk/policy >>>> >>>> >>>> >>>> -- >>>> Julian Field >>>> www.MailScanner.info >>>> Professional Support Services at www.MailScanner.biz >>>> MailScanner thanks transtec Computers for their support >>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> >>> > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ycayer at 3WEBMEDIA.COM Thu Feb 12 20:03:09 2004 From: ycayer at 3WEBMEDIA.COM (Yannick Cayer) Date: Thu Jan 12 21:22:28 2006 Subject: MailScanner -> Spamassassin taking insane amount of bandwidth Message-ID: <4915A8E67C498D42BAB5CB1351FD026E23BC3E@3webad1.3WebMedia.int> Greetings, I have the following configuration: mailscanner-4.25-14 with spamassassin 2.61 sendmail 8.11.6-27 on an IBM x235 2 2.4GHZ Processors 1.25 GHZ of RAM Hot swapable raid 5 config. We have about a 100 small sites configured for mail mostly and some, web. This is running on RedHat Linux 7.3 Kernel 2.4.18-27.7.xsmp We have been running MailScanner on that machine for almost 2 years now without any problems. Since we have activated the anti-spam features using SpamAssassin, and standard Spam-Checking throught the ORBS lists, our bandwidth usage has more than doubled. Before activating that feature, we were using 80-100GB of bandwidth per month. Now we're up to 224GB for last month. Has anyone ever heard of SpamAssassin doing this? Thank you in advance for your help. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040212/eddc9a51/attachment.html From wei at eng.fsu.edu Thu Feb 12 20:05:28 2004 
From: wei at eng.fsu.edu (Wei Li) Date: Thu Jan 12 21:22:28 2006 Subject: amavis Message-ID: <200402122005.i1CK5SL25344@lynx.eng.fsu.edu> Hi, Gurus, I am using amavis now, if I transfer to mailscanner, it will mean that I do not need it any more, right? Because amavis is used by every end user and hundreds of users use it at the same time, it is really resource consuming. And I am using uvscan, is it right that I only need to set the Virus Scanners = /opt/unscan in /opt/MailScanner/etc/MailScanner.conf file? Some suggestions? I am using Solaris 8 and sendmail 8.11. Thanks Wei From danielk at AVALONPUB.COM Thu Feb 12 20:27:02 2004 From: danielk at AVALONPUB.COM (Daniel Kleinsinger) Date: Thu Jan 12 21:22:28 2006 Subject: Preference for batch sizes In-Reply-To: <6.0.1.1.2.20040212163345.03da7e10@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040212163345.03da7e10@imap.ecs.soton.ac.uk> Message-ID: <402BE196.7000005@avalonpub.com> "razor-admin -discover" usually fixes it for me when I start getting razor timeouts. I was getting them a few days ago, but since discovering it seems to be working reliably again. Hope this helps, Daniel Julian Field wrote: >I've consistently been getting razor timeouts all the time now. If you are >using razor, try switching it off ("use_razor2 0" in >spam.assassin.prefs.conf then restart MailScanner). > > > From ka at PACIFIC.NET Thu Feb 12 20:27:34 2004 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:29 2006 Subject: Fix -- Re: Mydoom Virus getting Through In-Reply-To: <402BCAB1.6060309@pacific.net> References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> <402A9160.70005@avalonpub.com> <402A928F.4060107@themarshalls.co.uk> <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> <402AB798.1080006@pacific.net> <402ABCDD.7020503@pacific.net> <6.0.1.1.2.20040212083334.03dba8e8@imap.ecs.soton.ac.uk> <402BCAB1.6060309@pacific.net> Message-ID: <402BE1B6.4040602@pacific.net> oops, spoke too soon. It's still broken. It runs for a minute then stops writing to the log silently. The processes are still busy exploding thousands of identical copies of *.txt messages into /var/spool/MailScanner/incoming/12397/i1CKHEAw012250 directories. The messages are: msg-12397-2166.txt msg-12397-2167.txt msg-12397-2168.txt msg-12397-2169.txt etc... ls | wc 3213 3213 61044 diff msg-12397-2166.txt msg-12397-2167.txt No diff. Hope this helps, Ken A. Pacific.Net Ken Anderson wrote: > patched and restarted with no problems. > Thanks, > Ken A. > Pacific.Net > > > Julian Field wrote: > >> Please try this patch instead of the new Message.pm. >> >> cd /usr/lib/MailScanner/MailScanner >> cp Message.pm Message.pm.safe >> patch -p0 < Message.pm.4.26.5.patch >> service MailScanner restart >> >> If it still fails, set "Debug = yes" in MailScanner.conf, then >> >> service MailScanner stop >> sleep 15 >> check_MailScanner >> >> and let me know what it says. >> >> At 23:38 11/02/2004, you wrote: >> >>> Looking at the log, I see that MailScanner failed to start. >>> Ken >>> >>> >>> Ken Anderson wrote: >>> >>>> I tried installing this Message.pm and restarted MailScanner, but I >>>> quickly built up a large incoming queue and all exploding in /incoming >>>> stopped happening. The directory stayed empty after restarting >>>> MailScanner. 
I'm not sure what caused it, but things went back to >>>> normal >>>> after I put the old Message.pm back. I'm running 4.26.5, perhaps not a >>>> recent enough version? >>>> Thanks, >>>> Ken A >>>> Pacific.Net >>>> >>>> >>>> Julian Field wrote: >>>> >>>>> I have hopefully managed to make the MIME parser a lot more robust. It >>>>> certainly appears to solve the current problem. If you are running a >>>>> nice >>>>> recent version, backup your old Message.pm and replace it with this >>>>> one. >>>>> >>>>> Then please test it against the copies of MyDoom that are getting >>>>> through. >>>>> >>>>> The result of a fine evening spent wading through MIME-tools code and >>>>> deciding that it can't rewind :-( >>>>> >>>>> Let me know how it goes. >>>>> >>>>> At 20:37 11/02/2004, you wrote: >>>>> >>>>>> Daniel Kleinsinger wrote: >>>>>> >>>>>>> Julian Field wrote: >>>>>>> >>>>>>>> The message that contained the MyDoom that got through Sophos >>>>>>>> (before >>>>>>>> 3.78d) was actually a bounce from another mail server that included >>>>>>>> the >>>>>>>> entire text of the original message. >>>>>>>> >>>>>>>> Fortunately it's not been a big problem so far, but I would quite >>>>>>>> like to fix it if I can. >>>>>>>> >>>>>>> I'm running Sophos in addition to Trend and F-Prot. Using >>>>>>> MailWatch I >>>>>>> checked which virii got caught by which scanner and before >>>>>>> installing >>>>>>> 3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total >>>>>>> MyDoom.A slipped past Sophos everyday). Since installing 3.78d >>>>>>> (yesterday) Sophos is catching all that Trend and F-Prot are. There >>>>>>> still seem to be some people having issues with 3.78d, but in my >>>>>>> case it >>>>>>> seems like it was a problem with Sophos, not MailScanner. >>>>>>> >>>>>>> Daniel >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> I would suggest that this as much an antivirus issue. 
I run F-prot >>>>>> and >>>>>> Antivir and until Antivir updated their engine about a week ago only >>>>>> F-prot was reliably catching the bounce messages with the original >>>>>> message attached. With the new engine, all is well again and both are >>>>>> catching them. Looks like F-Prot had a better message scanning engine >>>>>> than the others had at the time. >>>>>> >>>>>> Drew >>>>>> >>>>>> -- >>>>>> In line with our policy, this message has >>>>>> been scanned for viruses and dangerous >>>>>> content by MailScanner, and is believed to be clean. >>>>>> www.themarshalls.co.uk/policy >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Julian Field >>>>> www.MailScanner.info >>>>> Professional Support Services at www.MailScanner.biz >>>>> MailScanner thanks transtec Computers for their support >>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>> >>>> >>>> >>>> >> -- >> Julian Field >> www.MailScanner.info >> MailScanner thanks transtec Computers for their support >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > From mailscanner at ecs.soton.ac.uk Thu Feb 12 20:38:09 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:29 2006 Subject: amavis In-Reply-To: <200402122005.i1CK5SL25344@lynx.eng.fsu.edu> References: <200402122005.i1CK5SL25344@lynx.eng.fsu.edu> Message-ID: <6.0.3.0.2.20040212203630.0384b850@imap.ecs.soton.ac.uk> At 20:05 12/02/2004, you wrote: >I am using amavis now, if I transfer to mailscanner, it will mean that I >do not >need it any more, right? Because amavis is used by every end user and >hundreds >of users use it at the same time, it is really resource consuming. Correct. MailScanner works at the same level as the MTA (sendmail or whatever). >And I am using uvscan, is it right that I only need to set the Virus >Scanners = >/opt/unscan in /opt/MailScanner/etc/MailScanner.conf file? You set Virus Scanners = mcafee in MailScanner.conf and put the path to your McAfee installation in the virus.scanners.conf file. MailScanner doesn't need anything special in your sendmail.cf at all. You can put it back how it was before you started running amavis. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 12 20:39:23 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:29 2006 Subject: Preference for batch sizes In-Reply-To: <402BE196.7000005@avalonpub.com> References: <6.0.1.1.2.20040212163345.03da7e10@imap.ecs.soton.ac.uk> <402BE196.7000005@avalonpub.com> Message-ID: <6.0.3.0.2.20040212203822.03d33da0@imap.ecs.soton.ac.uk> I did it again today and it still permanently times out. It always tries to connect me to the same Razor server, and that one always times out. I don't know whether it is possible to force it to use a different server by hand. At 20:27 12/02/2004, you wrote: >"razor-admin -discover" usually fixes it for me when I start getting >razor timeouts. I was getting them a few days ago, but since >discovering it seems to be working reliably again. > >Hope this helps, >Daniel > >Julian Field wrote: > >>I've consistently been getting razor timeouts all the time now. If you are >>using razor, try switching it off ("use_razor2 0" in >>spam.assassin.prefs.conf then restart MailScanner). >> >> -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 12 20:46:41 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:29 2006 Subject: Fix -- Re: Mydoom Virus getting Through In-Reply-To: <402BE1B6.4040602@pacific.net> References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> <402A9160.70005@avalonpub.com> <402A928F.4060107@themarshalls.co.uk> <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> <402AB798.1080006@pacific.net> <402ABCDD.7020503@pacific.net> <6.0.1.1.2.20040212083334.03dba8e8@imap.ecs.soton.ac.uk> <402BCAB1.6060309@pacific.net> <402BE1B6.4040602@pacific.net> Message-ID: <6.0.3.0.2.20040212204457.03f96bf0@imap.ecs.soton.ac.uk> Okay, I can guess exactly why that happened. Please apply this little patch to your Message.pm and get straight back to me to let me know if it worked. -----SNIP----- --- Message.pm.old 2004-02-11 21:31:07.000000000 +0000 +++ Message.pm 2004-02-12 20:44:16.000000000 +0000 @@ -1025,12 +1025,15 @@ sub ExplodePart { my($this, $explodeinto) = @_; - my($dir, $part); + my($dir, $part, @parts); $dir = new DirHandle; $dir->open($explodeinto); - while($part = $dir->read) { + @parts = $dir->read(); + $dir->close(); + + foreach $part (@parts) { #print STDERR "Reading $part\n"; next unless $part =~ /^msg.*txt/; 
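Review bot: in this hunk `$dir->open($explodeinto);` is still called without checking its result, so if the open fails the new `@parts = $dir->read();` has nothing to iterate and ExplodePart returns without examining any msg*.txt part and without logging why. Suggest `$dir->open($explodeinto) or return;` with a log line before the return. Reading the whole listing and closing the handle before the loop also deserves a one-line comment giving the reason, since the loop looks equivalent to the old `while($part = $dir->read)` form and is easy to change back. The context line `next unless $part =~ /^msg.*txt/;` has no end anchor and an unescaped dot, so names such as msg-1.txt.bak also match; `/^msg.*\.txt$/` would be tighter if only the exploded parts are meant.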
@@ -1058,7 +1061,6 @@ unless ($foundheader) { $file->close(); - $dir->close(); return; } -----SNIP----- At 20:27 12/02/2004, you wrote: >oops, spoke too soon. It's still broken. > >It runs for a minute then stops writing to the log silently. The >processes are still busy exploding thousands of identical copies of >*.txt messages into /var/spool/MailScanner/incoming/12397/i1CKHEAw012250 >directories. >The messages are: >msg-12397-2166.txt >msg-12397-2167.txt >msg-12397-2168.txt >msg-12397-2169.txt >etc... > >ls | wc > 3213 3213 61044 > >diff msg-12397-2166.txt msg-12397-2167.txt > >No diff. >Hope this helps, > >Ken A. >Pacific.Net > > > >Ken Anderson wrote: > >>patched and restarted with no problems. >>Thanks, >>Ken A. >>Pacific.Net >> >> >>Julian Field wrote: >> >>>Please try this patch instead of the new Message.pm. >>> >>>cd /usr/lib/MailScanner/MailScanner >>>cp Message.pm Message.pm.safe >>>patch -p0 < Message.pm.4.26.5.patch >>>service MailScanner restart >>> >>>If it still fails, set "Debug = yes" in MailScanner.conf, then >>> >>>service MailScanner stop >>>sleep 15 >>>check_MailScanner >>> >>>and let me know what it says. >>> >>>At 23:38 11/02/2004, you wrote: >>> >>>>Looking at the log, I see that MailScanner failed to start. >>>>Ken >>>> >>>> >>>>Ken Anderson wrote: >>>> >>>>>I tried installing this Message.pm and restarted MailScanner, but I >>>>>quickly built up a large incoming queue and all exploding in /incoming >>>>>stopped happening. The directory stayed empty after restarting >>>>>MailScanner. I'm not sure what caused it, but things went back to >>>>>normal >>>>>after I put the old Message.pm back. I'm running 4.26.5, perhaps not a >>>>>recent enough version? >>>>>Thanks, >>>>>Ken A >>>>>Pacific.Net >>>>> >>>>> >>>>>Julian Field wrote: >>>>> >>>>>>I have hopefully managed to make the MIME parser a lot more robust. It >>>>>>certainly appears to solve the current problem. 
If you are running a >>>>>>nice >>>>>>recent version, backup your old Message.pm and replace it with this >>>>>>one. >>>>>> >>>>>>Then please test it against the copies of MyDoom that are getting >>>>>>through. >>>>>> >>>>>>The result of a fine evening spent wading through MIME-tools code and >>>>>>deciding that it can't rewind :-( >>>>>> >>>>>>Let me know how it goes. >>>>>> >>>>>>At 20:37 11/02/2004, you wrote: >>>>>> >>>>>>>Daniel Kleinsinger wrote: >>>>>>> >>>>>>>>Julian Field wrote: >>>>>>>> >>>>>>>>>The message that contained the MyDoom that got through Sophos >>>>>>>>>(before >>>>>>>>>3.78d) was actually a bounce from another mail server that included >>>>>>>>>the >>>>>>>>>entire text of the original message. >>>>>>>>> >>>>>>>>>Fortunately it's not been a big problem so far, but I would quite >>>>>>>>>like to fix it if I can. >>>>>>>>I'm running Sophos in addition to Trend and F-Prot. Using >>>>>>>>MailWatch I >>>>>>>>checked which virii got caught by which scanner and before >>>>>>>>installing >>>>>>>>3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total >>>>>>>>MyDoom.A slipped past Sophos everyday). Since installing 3.78d >>>>>>>>(yesterday) Sophos is catching all that Trend and F-Prot are. There >>>>>>>>still seem to be some people having issues with 3.78d, but in my >>>>>>>>case it >>>>>>>>seems like it was a problem with Sophos, not MailScanner. >>>>>>>> >>>>>>>>Daniel >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>I would suggest that this as much an antivirus issue. I run F-prot >>>>>>>and >>>>>>>Antivir and until Antivir updated their engine about a week ago only >>>>>>>F-prot was reliably catching the bounce messages with the original >>>>>>>message attached. With the new engine, all is well again and both are >>>>>>>catching them. Looks like F-Prot had a better message scanning engine >>>>>>>than the others had at the time. 
>>>>>>> >>>>>>>Drew >>>>>>> >>>>>>>-- >>>>>>>In line with our policy, this message has >>>>>>>been scanned for viruses and dangerous >>>>>>>content by MailScanner, and is believed to be clean. >>>>>>>www.themarshalls.co.uk/policy >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>-- >>>>>>Julian Field >>>>>>www.MailScanner.info >>>>>>Professional Support Services at www.MailScanner.biz >>>>>>MailScanner thanks transtec Computers for their support >>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>>> >>>>> >>>>> >>>-- >>>Julian Field >>>www.MailScanner.info >>>MailScanner thanks transtec Computers for their support >>> >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From brose at MED.WAYNE.EDU Thu Feb 12 20:49:51 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:29 2006 Subject: MailScanner -> Spamassassin taking insane amount of bandwidth Message-ID: SA is DNS querying the RBLs so of course it's going to increase the bandwidth and would be proportional to the number of rbls that you have it checking. _____ 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Yannick Cayer
Sent: Thursday, February 12, 2004 3:03 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner -> Spamassassin taking insane amount of bandwidth

Greetings,

I have the following configuration:

mailscanner-4.25-14 with spamassassin 2.61
sendmail 8.11.6-27
on an IBM x235
2 2.4GHZ Processors
1.25 GHZ of RAM
Hot swappable raid 5 config.

We have about 100 small sites configured for mail mostly and some, web.

This is running on RedHat Linux 7.3 Kernel 2.4.18-27.7.xsmp

We have been running MailScanner on that machine for almost 2 years now without any problems. Since we have activated the anti-spam features using SpamAssassin, and standard Spam-Checking through the ORBS lists, our bandwidth usage has more than doubled. Before activating that feature, we were using 80-100GB of bandwidth per month. Now we're up to 224GB for last month.

Has anyone ever heard of SpamAssassin doing this?

Thank you in advance for your help.

From wei at eng.fsu.edu Thu Feb 12 21:01:27 2004
From: wei at eng.fsu.edu (Wei Li)
Date: Thu Jan 12 21:22:29 2006
Subject: amavis
Message-ID: <200402122101.i1CL1RL09003@lynx.eng.fsu.edu>

Hi,

So, in my sendmail.cf file, do I need to comment these two lines to disable amavis?

Mlocal, P=/usr/sbin/amavis, F=SAw5:|/@glDFMPhsfn, S=10/30, R=20/40,
        A=amavis $f $u /usr/bin/procmail -Y -a $h -d $u

And, for the spamassassin, after running mailscanner, will the spamassassin run for every single user as before? Do I need to disable it, too? How?

Thanks a lot

>X-RAL-MFrom:
>X-RAL-Connect:
>X-Sender: (Unverified)
>Mime-Version: 1.0
>X-MailScanner-Information: Please contact helpdesk@ecs.soton.ac.uk for more information
>X-ECS-MailScanner: Found to be clean
>X-Scanned-By: MIMEDefang 2.38
>Date: Thu, 12 Feb 2004 20:38:09 +0000
>From: Julian Field >Subject: Re: amavis >Comments: To: Wei Li >To: MAILSCANNER@JISCMAIL.AC.UK >X-Virus-Scanned: by AMaViS 0.3.12pre8 >X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on lynx.eng.fsu.edu >X-Spam-Status: No, hits=0.8 required=5.0 tests=BIZ_TLD autolearn=no version=2.63 >X-Spam-Level: > >At 20:05 12/02/2004, you wrote: >>I am using amavis now, if I transfer to mailscanner, it will mean that I >>do not >>need it any more, right? Because amavis is used by every end users and >>hundreds >>of users use it as the same time, it is really resource consuming. > >Correct. MailScanner works at the same level as the MTA (sendmail or whatever). > >>And I am using uvscan, is it right that I only need to set the Virus >>Scanners = >>/opt/unscan in /opt/MailScanner/etc/MailScanner.conf file? > >You set >Virus Scanners = mcafee >in MailScanner.conf >and put the path to your McAfee installation in the virus.scanners.conf file. > >MailScanner doesn't need anything special in your sendmail.cf at all. You >can put it back how it was before you started running amavis. >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 12 21:11:00 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:29 2006 Subject: amavis In-Reply-To: <200402122101.i1CL1RL09003@lynx.eng.fsu.edu> References: <200402122101.i1CL1RL09003@lynx.eng.fsu.edu> Message-ID: <6.0.3.0.2.20040212210855.03d74618@imap.ecs.soton.ac.uk> At 21:01 12/02/2004, you wrote: >Hi, > >So, in my sendmail.cf file, do I need to comment this two lines to disable >amavis? > >Mlocal, P=/usr/sbin/amavis, F=SAw5:|/@glDFMPhsfn, S=10/30, R=20/40, > A=amavis $f $u /usr/bin/procmail -Y -a $h -d $u You need to put it back how it was before you installed amavis. >And, for the spamassasion, after run mailscanner, will the spamassasin run for >every single user as before? do I need to disable it, too? how? Let MailScanner take over SpamAssassin for you. Individual .spamassassin/user_prefs files won't be used, but everything that people usually want to customise can be configured on a per-user or per-domain (or per-anything else) basis using MailScanner rulesets. Read /etc/MailScanner/rules/* for more information on rulesets. >Thanks a lot > > >X-RAL-MFrom: > >X-RAL-Connect: > >X-Sender: (Unverified) > >Mime-Version: 1.0 > >X-MailScanner-Information: Please contact helpdesk@ecs.soton.ac.uk for more >information > >X-ECS-MailScanner: Found to be clean > >X-Scanned-By: MIMEDefang 2.38 > >Date: Thu, 12 Feb 2004 20:38:09 +0000 
> >From: Julian Field > >Subject: Re: amavis > >Comments: To: Wei Li > >To: MAILSCANNER@JISCMAIL.AC.UK > >X-Virus-Scanned: by AMaViS 0.3.12pre8 > >X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on lynx.eng.fsu.edu > >X-Spam-Status: No, hits=0.8 required=5.0 tests=BIZ_TLD autolearn=no >version=2.63 > >X-Spam-Level: > > > >At 20:05 12/02/2004, you wrote: > >>I am using amavis now, if I transfer to mailscanner, it will mean that I > >>do not > >>need it any more, right? Because amavis is used by every end users and > >>hundreds > >>of users use it as the same time, it is really resource consuming. > > > >Correct. MailScanner works at the same level as the MTA (sendmail or > whatever). > > > >>And I am using uvscan, is it right that I only need to set the Virus > >>Scanners = > >>/opt/unscan in /opt/MailScanner/etc/MailScanner.conf file? > > > >You set > >Virus Scanners = mcafee > >in MailScanner.conf > >and put the path to your McAfee installation in the virus.scanners.conf > file. > > > >MailScanner doesn't need anything special in your sendmail.cf at all. You > >can put it back how it was before you started running amavis. > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ka at PACIFIC.NET Thu Feb 12 21:19:31 2004 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:29 2006 Subject: Fix -- Re: Mydoom Virus getting Through In-Reply-To: <6.0.3.0.2.20040212204457.03f96bf0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> <402A9160.70005@avalonpub.com> <402A928F.4060107@themarshalls.co.uk> <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> <402AB798.1080006@pacific.net> <402ABCDD.7020503@pacific.net> <6.0.1.1.2.20040212083334.03dba8e8@imap.ecs.soton.ac.uk> <402BCAB1.6060309@pacific.net> <402BE1B6.4040602@pacific.net> <6.0.3.0.2.20040212204457.03f96bf0@imap.ecs.soton.ac.uk> Message-ID: <402BEDE3.7020903@pacific.net> Was I supposed to patch the patched version or the original 4.26.5 Version of Message.pm? Well I patched the patched version and it is working now, only expanding a few .txt files now and then in the incoming dir. mailfilter# patch -p0 < Message.pm.4.26.5.patch patching file Message.pm mailfilter# patch -p0 < Message.pm.4.26.5.2nd.patch patching file Message.pm Hunk #1 succeeded at 1020 with fuzz 1 (offset -5 lines). Hunk #2 succeeded at 1061 with fuzz 2. Thanks, Ken A Pacific.Net Julian Field wrote: > Okay, I can guess exactly why that happened. > > Please apply this little patch to your Message.pm and get straight back to > me to let me know if it worked. > > -----SNIP----- > --- Message.pm.old 2004-02-11 21:31:07.000000000 +0000 > +++ Message.pm 2004-02-12 20:44:16.000000000 +0000 > @@ -1025,12 +1025,15 @@ > sub ExplodePart { > my($this, $explodeinto) = @_; > > - my($dir, $part); > + my($dir, $part, @parts); > > $dir = new DirHandle; > > $dir->open($explodeinto); > - while($part = $dir->read) { > + @parts = $dir->read(); > + $dir->close(); > + > + foreach $part (@parts) { > #print STDERR "Reading $part\n"; > next unless $part =~ /^msg.*txt/; 
> > @@ -1058,7 +1061,6 @@ > > unless ($foundheader) { > $file->close(); > - $dir->close(); > return; > } > > -----SNIP----- > > At 20:27 12/02/2004, you wrote: > >> oops, spoke too soon. It's still broken. >> >> It runs for a minute then stops writing to the log silently. The >> processes are still busy exploding thousands of identical copies of >> *.txt messages into /var/spool/MailScanner/incoming/12397/i1CKHEAw012250 >> directories. >> The messages are: >> msg-12397-2166.txt >> msg-12397-2167.txt >> msg-12397-2168.txt >> msg-12397-2169.txt >> etc... >> >> ls | wc >> 3213 3213 61044 >> >> diff msg-12397-2166.txt msg-12397-2167.txt >> >> No diff. >> Hope this helps, >> >> Ken A. >> Pacific.Net >> >> >> >> Ken Anderson wrote: >> >>> patched and restarted with no problems. >>> Thanks, >>> Ken A. >>> Pacific.Net >>> >>> >>> Julian Field wrote: >>> >>>> Please try this patch instead of the new Message.pm. >>>> >>>> cd /usr/lib/MailScanner/MailScanner >>>> cp Message.pm Message.pm.safe >>>> patch -p0 < Message.pm.4.26.5.patch >>>> service MailScanner restart >>>> >>>> If it still fails, set "Debug = yes" in MailScanner.conf, then >>>> >>>> service MailScanner stop >>>> sleep 15 >>>> check_MailScanner >>>> >>>> and let me know what it says. >>>> >>>> At 23:38 11/02/2004, you wrote: >>>> >>>>> Looking at the log, I see that MailScanner failed to start. >>>>> Ken >>>>> >>>>> >>>>> Ken Anderson wrote: >>>>> >>>>>> I tried installing this Message.pm and restarted MailScanner, but I >>>>>> quickly built up a large incoming queue and all exploding in >>>>>> /incoming >>>>>> stopped happening. The directory stayed empty after restarting >>>>>> MailScanner. I'm not sure what caused it, but things went back to >>>>>> normal >>>>>> after I put the old Message.pm back. I'm running 4.26.5, perhaps >>>>>> not a >>>>>> recent enough version? 
>>>>>> Thanks, >>>>>> Ken A >>>>>> Pacific.Net >>>>>> >>>>>> >>>>>> Julian Field wrote: >>>>>> >>>>>>> I have hopefully managed to make the MIME parser a lot more >>>>>>> robust. It >>>>>>> certainly appears to solve the current problem. If you are running a >>>>>>> nice >>>>>>> recent version, backup your old Message.pm and replace it with this >>>>>>> one. >>>>>>> >>>>>>> Then please test it against the copies of MyDoom that are getting >>>>>>> through. >>>>>>> >>>>>>> The result of a fine evening spent wading through MIME-tools code >>>>>>> and >>>>>>> deciding that it can't rewind :-( >>>>>>> >>>>>>> Let me know how it goes. >>>>>>> >>>>>>> At 20:37 11/02/2004, you wrote: >>>>>>> >>>>>>>> Daniel Kleinsinger wrote: >>>>>>>> >>>>>>>>> Julian Field wrote: >>>>>>>>> >>>>>>>>>> The message that contained the MyDoom that got through Sophos >>>>>>>>>> (before >>>>>>>>>> 3.78d) was actually a bounce from another mail server that >>>>>>>>>> included >>>>>>>>>> the >>>>>>>>>> entire text of the original message. >>>>>>>>>> >>>>>>>>>> Fortunately it's not been a big problem so far, but I would quite >>>>>>>>>> like to fix it if I can. >>>>>>>>> >>>>>>>>> I'm running Sophos in addition to Trend and F-Prot. Using >>>>>>>>> MailWatch I >>>>>>>>> checked which virii got caught by which scanner and before >>>>>>>>> installing >>>>>>>>> 3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 >>>>>>>>> total >>>>>>>>> MyDoom.A slipped past Sophos everyday). Since installing 3.78d >>>>>>>>> (yesterday) Sophos is catching all that Trend and F-Prot are. >>>>>>>>> There >>>>>>>>> still seem to be some people having issues with 3.78d, but in my >>>>>>>>> case it >>>>>>>>> seems like it was a problem with Sophos, not MailScanner. >>>>>>>>> >>>>>>>>> Daniel >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> I would suggest that this as much an antivirus issue. 
I run F-prot >>>>>>>> and >>>>>>>> Antivir and until Antivir updated their engine about a week ago >>>>>>>> only >>>>>>>> F-prot was reliably catching the bounce messages with the original >>>>>>>> message attached. With the new engine, all is well again and >>>>>>>> both are >>>>>>>> catching them. Looks like F-Prot had a better message scanning >>>>>>>> engine >>>>>>>> than the others had at the time. >>>>>>>> >>>>>>>> Drew >>>>>>>> >>>>>>>> -- >>>>>>>> In line with our policy, this message has >>>>>>>> been scanned for viruses and dangerous >>>>>>>> content by MailScanner, and is believed to be clean. >>>>>>>> www.themarshalls.co.uk/policy >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Julian Field >>>>>>> www.MailScanner.info >>>>>>> Professional Support Services at www.MailScanner.biz >>>>>>> MailScanner thanks transtec Computers for their support >>>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>>>> >>>>>> >>>>>> >>>>>> >>>> -- >>>> Julian Field >>>> www.MailScanner.info >>>> MailScanner thanks transtec Computers for their support >>>> >>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> >>> > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From maillists at CONACTIVE.COM Thu Feb 12 21:31:30 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:29 2006 Subject: Adding Envelope Headers? Message-ID: Is there a way to add the envelope headers to each message with MailScanner like this? X-Envelope-From: X-Envelope-To: Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Thu Feb 12 21:31:30 2004 
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:29 2006
Subject: Mydoom Virus getting Through - High Spam
In-Reply-To: <6.0.3.0.2.20040212181837.038c0720@imap.ecs.soton.ac.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C517@jessica.herefordshire.gov.uk> <6.0.3.0.2.20040212181837.038c0720@imap.ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Thu, 12 Feb 2004 18:19:33 +0000:

> You can't trust anything that is in any header.
>

I see what you mean. But I guess there is some way to handle this. But even without a second scanning I think it's worthwhile to consider adding such an option.

What I was thinking is: why handle the extra load if I already know that a message contains a virus or a filetype I want to block? At the moment all viruses are scanned for spam as well which looks like a waste of time for me.
I suppose just determining the file type would be the fastest check, then maybe virus scanning and then spam scanning. If we get an .exe file we don't care to know which virus it is or if the tweaked SA rules would have caught it as well. Just stopping and quarantining is enough. Doing something like this could lower the load considerably I think.

I'm not sure what "Blocked File" does, does the quarantining of viruses apply to it as well? Is there a particular order MailScanner carries out the actions?

At least at the moment I think it would be a good idea if I could tell it to scan in this order:

- filetype/extension detection
- virus detection
- spam detection

and if any of them is true quarantine (or whatever action I have set) it and stop scanning.

Maybe, if I could do this it would turn out as not too effective and I would stop using it soon. I don't know. But I can't try it out or can I?

Kai

--

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From mailscanner at ecs.soton.ac.uk Thu Feb 12 21:37:47 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:29 2006 Subject: Fix -- Re: Mydoom Virus getting Through In-Reply-To: <402BEDE3.7020903@pacific.net> References: <6.0.1.1.2.20040211162236.03735ab8@imap.ecs.soton.ac.uk> <402A9160.70005@avalonpub.com> <402A928F.4060107@themarshalls.co.uk> <6.0.3.0.2.20040211213154.03de9d78@imap.ecs.soton.ac.uk> <402AB798.1080006@pacific.net> <402ABCDD.7020503@pacific.net> <6.0.1.1.2.20040212083334.03dba8e8@imap.ecs.soton.ac.uk> <402BCAB1.6060309@pacific.net> <402BE1B6.4040602@pacific.net> <6.0.3.0.2.20040212204457.03f96bf0@imap.ecs.soton.ac.uk> <402BEDE3.7020903@pacific.net> Message-ID: <6.0.3.0.2.20040212213303.038cc008@imap.ecs.soton.ac.uk> That's right. I have just published 4.27.3 including this fix. I assume you mean it is unpacking the .txt files in the /var/spool/MailScanner/incoming/process-id/message-id directory. That is where it should be unpacking them, that's what the code says and that's where mine is unpacking them. They should just be added to the attachments already unpacked. Thanks for letting me know so quickly. At 21:19 12/02/2004, you wrote: >Was I supposed to patch the patched version or the original 4.26.5 >Version of Message.pm? > >Well I patched the patched version and it is working now, only expanding >a few .txt files now and then in the incoming dir. > >mailfilter# patch -p0 < Message.pm.4.26.5.patch >patching file Message.pm >mailfilter# patch -p0 < Message.pm.4.26.5.2nd.patch >patching file Message.pm >Hunk #1 succeeded at 1020 with fuzz 1 (offset -5 lines). >Hunk #2 succeeded at 1061 with fuzz 2. > >Thanks, >Ken A >Pacific.Net > > >Julian Field wrote: > >>Okay, I can guess exactly why that happened. >> >>Please apply this little patch to your Message.pm and get straight back to >>me to let me know if it worked. >> >>-----SNIP----- >>--- Message.pm.old 2004-02-11 21:31:07.000000000 +0000 >>+++ Message.pm 2004-02-12 20:44:16.000000000 +0000 
>>@@ -1025,12 +1025,15 @@ >> sub ExplodePart { >> my($this, $explodeinto) = @_; >> >>- my($dir, $part); >>+ my($dir, $part, @parts); >> >> $dir = new DirHandle; >> >> $dir->open($explodeinto); >>- while($part = $dir->read) { >>+ @parts = $dir->read(); >>+ $dir->close(); >>+ >>+ foreach $part (@parts) { >> #print STDERR "Reading $part\n"; >> next unless $part =~ /^msg.*txt/; 
>> >>@@ -1058,7 +1061,6 @@ >> >> unless ($foundheader) { >> $file->close(); >>- $dir->close(); >> return; >> } >> >>-----SNIP----- >> >>At 20:27 12/02/2004, you wrote: >> >>>oops, spoke too soon. It's still broken. >>> >>>It runs for a minute then stops writing to the log silently. The >>>processes are still busy exploding thousands of identical copies of >>>*.txt messages into /var/spool/MailScanner/incoming/12397/i1CKHEAw012250 >>>directories. >>>The messages are: >>>msg-12397-2166.txt >>>msg-12397-2167.txt >>>msg-12397-2168.txt >>>msg-12397-2169.txt >>>etc... >>> >>>ls | wc >>> 3213 3213 61044 >>> >>>diff msg-12397-2166.txt msg-12397-2167.txt >>> >>>No diff. >>>Hope this helps, >>> >>>Ken A. >>>Pacific.Net >>> >>> >>> >>>Ken Anderson wrote: >>> >>>>patched and restarted with no problems. >>>>Thanks, >>>>Ken A. >>>>Pacific.Net >>>> >>>> >>>>Julian Field wrote: >>>> >>>>>Please try this patch instead of the new Message.pm. >>>>> >>>>>cd /usr/lib/MailScanner/MailScanner >>>>>cp Message.pm Message.pm.safe >>>>>patch -p0 < Message.pm.4.26.5.patch >>>>>service MailScanner restart >>>>> >>>>>If it still fails, set "Debug = yes" in MailScanner.conf, then >>>>> >>>>>service MailScanner stop >>>>>sleep 15 >>>>>check_MailScanner >>>>> >>>>>and let me know what it says. >>>>> >>>>>At 23:38 11/02/2004, you wrote: >>>>> >>>>>>Looking at the log, I see that MailScanner failed to start. >>>>>>Ken >>>>>> >>>>>> >>>>>>Ken Anderson wrote: >>>>>> >>>>>>>I tried installing this Message.pm and restarted MailScanner, but I >>>>>>>quickly built up a large incoming queue and all exploding in >>>>>>>/incoming >>>>>>>stopped happening. The directory stayed empty after restarting >>>>>>>MailScanner. I'm not sure what caused it, but things went back to >>>>>>>normal >>>>>>>after I put the old Message.pm back. I'm running 4.26.5, perhaps >>>>>>>not a >>>>>>>recent enough version? 
>>>>>>>Thanks, >>>>>>>Ken A >>>>>>>Pacific.Net >>>>>>> >>>>>>> >>>>>>>Julian Field wrote: >>>>>>> >>>>>>>>I have hopefully managed to make the MIME parser a lot more >>>>>>>>robust. It >>>>>>>>certainly appears to solve the current problem. If you are running a >>>>>>>>nice >>>>>>>>recent version, backup your old Message.pm and replace it with this >>>>>>>>one. >>>>>>>> >>>>>>>>Then please test it against the copies of MyDoom that are getting >>>>>>>>through. >>>>>>>> >>>>>>>>The result of a fine evening spent wading through MIME-tools code >>>>>>>>and >>>>>>>>deciding that it can't rewind :-( >>>>>>>> >>>>>>>>Let me know how it goes. >>>>>>>> >>>>>>>>At 20:37 11/02/2004, you wrote: >>>>>>>> >>>>>>>>>Daniel Kleinsinger wrote: >>>>>>>>> >>>>>>>>>>Julian Field wrote: >>>>>>>>>> >>>>>>>>>>>The message that contained the MyDoom that got through Sophos >>>>>>>>>>>(before >>>>>>>>>>>3.78d) was actually a bounce from another mail server that >>>>>>>>>>>included >>>>>>>>>>>the >>>>>>>>>>>entire text of the original message. >>>>>>>>>>> >>>>>>>>>>>Fortunately it's not been a big problem so far, but I would quite >>>>>>>>>>>like to fix it if I can. >>>>>>>>>> >>>>>>>>>>I'm running Sophos in addition to Trend and F-Prot. Using >>>>>>>>>>MailWatch I >>>>>>>>>>checked which virii got caught by which scanner and before >>>>>>>>>>installing >>>>>>>>>>3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 >>>>>>>>>>total >>>>>>>>>>MyDoom.A slipped past Sophos everyday). Since installing 3.78d >>>>>>>>>>(yesterday) Sophos is catching all that Trend and F-Prot are. >>>>>>>>>>There >>>>>>>>>>still seem to be some people having issues with 3.78d, but in my >>>>>>>>>>case it >>>>>>>>>>seems like it was a problem with Sophos, not MailScanner. >>>>>>>>>> >>>>>>>>>>Daniel >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>I would suggest that this as much an antivirus issue. 
I run F-prot >>>>>>>>>and >>>>>>>>>Antivir and until Antivir updated their engine about a week ago >>>>>>>>>only >>>>>>>>>F-prot was reliably catching the bounce messages with the original >>>>>>>>>message attached. With the new engine, all is well again and >>>>>>>>>both are >>>>>>>>>catching them. Looks like F-Prot had a better message scanning >>>>>>>>>engine >>>>>>>>>than the others had at the time. >>>>>>>>> >>>>>>>>>Drew >>>>>>>>> >>>>>>>>>-- >>>>>>>>>In line with our policy, this message has >>>>>>>>>been scanned for viruses and dangerous >>>>>>>>>content by MailScanner, and is believed to be clean. >>>>>>>>>www.themarshalls.co.uk/policy >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>-- >>>>>>>>Julian Field >>>>>>>>www.MailScanner.info >>>>>>>>Professional Support Services at www.MailScanner.biz >>>>>>>>MailScanner thanks transtec Computers for their support >>>>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>>>>> >>>>>>> >>>>>>> >>>>>-- >>>>>Julian Field >>>>>www.MailScanner.info >>>>>MailScanner thanks transtec Computers for their support >>>>> >>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>> >>>> >> >>-- >>Julian Field >>www.MailScanner.info >>Professional Support Services at www.MailScanner.biz >>MailScanner thanks transtec Computers for their support >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 12 21:39:21 2004 
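The symptom reported earlier in this thread (thousands of identical msg-*.txt files exploded into one /var/spool/MailScanner/incoming/process-id/message-id directory while logging stops) can be checked for mechanically. The script below is an added example, not part of the original messages and not MailScanner code; the function names, the half-duplicates rule and the default threshold of 100 files are assumptions.

```bash
#!/bin/sh
# Added example (not MailScanner code): find message work directories where
# part explosion has run away, i.e. many msg-*.txt files with few distinct
# contents. Directory layout is taken from the thread:
#   <incoming>/<process-id>/<message-id>/msg-<pid>-<n>.txt
# Function names and the default threshold are assumptions.

# count_exploded DIR: number of msg-*.txt files directly inside DIR.
count_exploded() {
    find "$1" -maxdepth 1 -type f -name 'msg-*.txt' | wc -l | tr -d ' '
}

# distinct_contents DIR: number of distinct contents among those files,
# compared by the CRC and byte count that cksum prints (the thread compared
# two of the files by hand with diff).
distinct_contents() {
    find "$1" -maxdepth 1 -type f -name 'msg-*.txt' -exec cksum {} + |
        awk '{ print $1 ":" $2 }' | sort -u | wc -l | tr -d ' '
}

# runaway_dirs INCOMING THRESHOLD: print "dir total distinct" for every
# message directory that holds at least THRESHOLD exploded parts and in
# which at least half of them duplicate another part.
runaway_dirs() {
    incoming=$1
    threshold=$2
    for d in "$incoming"/*/*/; do
        [ -d "$d" ] || continue
        total=$(count_exploded "$d")
        [ "$total" -ge "$threshold" ] || continue
        distinct=$(distinct_contents "$d")
        if [ $((distinct * 2)) -le "$total" ]; then
            printf '%s %s %s\n' "${d%/}" "$total" "$distinct"
        fi
    done
}

# Stand-alone use: sh runaway_check.sh /var/spool/MailScanner/incoming [threshold]
if [ "$#" -gt 0 ]; then
    runaway_dirs "$1" "${2:-100}"
fi
```
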
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:29 2006
Subject: Adding Envelope Headers?
In-Reply-To:
References:
Message-ID: <6.0.3.0.2.20040212213908.03ef3148@imap.ecs.soton.ac.uk>

That's your MTA's job.

At 21:31 12/02/2004, you wrote:
>Is there a way to add the envelope headers to each message with
>MailScanner like this?
>
>X-Envelope-From:
>X-Envelope-To:
>
>
>
>Kai
>
>--
>
>Kai Schätzl, Berlin, Germany
>Get your web at Conactive Internet Services: http://www.conactive.com
>IE-Center: http://ie5.de & http://msie.winware.org

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 12 21:47:17 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:29 2006
Subject: Mydoom Virus getting Through - High Spam
In-Reply-To:
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C517@jessica.herefordshire.gov.uk> <6.0.3.0.2.20040212181837.038c0720@imap.ecs.soton.ac.uk>
Message-ID: <6.0.3.0.2.20040212214008.03f1be48@imap.ecs.soton.ac.uk>

At 21:31 12/02/2004, you wrote:
>Julian Field wrote on Thu, 12 Feb 2004 18:19:33 +0000:
>
> > You can't trust anything that is in any header.
> >
>
>I see what you mean. But I guess there is some way to handle this. But
>even without a second scanning I think it's worthwhile to consider adding
>such an option.
>
>What I was thinking is: why handle the extra load if I already know that a
>message contains a virus or a filetype I want to block? At the moment all
>viruses are scanned for spam as well which looks like a waste of time for
>me.
>I suppose just determining the file type would be the fastest check, then
>maybe virus scanning and then spam scanning. If we get an .exe file we
>don't care to know which virus it is or if the tweaked SA rules would have
>caught it as well.

But if it contains a harmless exe and a doc, you want to let the doc through so long as it isn't infected. So you still have to virus scan the message.

> Just stopping and quarantining is enough. Doing
>something like this could lower the load considerably I think.
>
>At least at the moment I think it would be a good idea if I could tell it
>to scan in this order:
>
>- filetype/extension detection
>- virus detection
>- spam detection

I am looking at being able to switch virus+filetype with spam. It's not trivial. During normal times (i.e. not during big virus attacks) you get far more spam than viruses, so you want to throw away the spam first. During big virus attacks you want to be able to throw away the viruses first. So it needs to be switchable.
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jstuart at EDENPR.K12.MN.US Thu Feb 12 21:53:45 2004 From: jstuart at EDENPR.K12.MN.US (Joe Stuart) Date: Thu Jan 12 21:22:29 2006 Subject: bayes Message-ID: I just set up bayes like explained in the Mailscanner faq. With two email boxes named spam and notspam. Then I have a cronjob that runs the sa-learn script on them. My plan is to have the users send their email to the respected mailboxes. My only concern is that lets say I send 100 messages to spam@mydomain.com will the filters start to think that mail coming from me is spam, or is the sa-learn script smarter than that? Also, is that the way others are using bayes in an organizational setting? Thanks From dwinkler at ALGORITHMICS.COM Thu Feb 12 21:51:29 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:22:29 2006 Subject: Adding Envelope Headers? Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> I added the from to X-Algo-MailScanner-Information with a custom function. So much easier to whitelist. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
Sent: Thursday, February 12, 2004 4:39 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Adding Envelope Headers?

That's your MTA's job.

At 21:31 12/02/2004, you wrote:
>Is there a way to add the envelope headers to each message with
>MailScanner like this?
>
>X-Envelope-From:
>X-Envelope-To:
>
>
>
>Kai
>
>--
>
>Kai Schätzl, Berlin, Germany
>Get your web at Conactive Internet Services: http://www.conactive.com
>IE-Center: http://ie5.de & http://msie.winware.org

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mkettler at EVI-INC.COM Thu Feb 12 22:06:05 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:29 2006
Subject: bayes
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20040212170126.0262e4c0@xanadu.evi-inc.com>

At 04:53 PM 2/12/2004, Joe Stuart wrote:
>I just set up bayes like explained in the Mailscanner faq. With two
>email boxes named spam and notspam. Then I have a cronjob that runs the
>sa-learn script on them. My plan is to have the users send their email
>to the respected mailboxes. My only concern is that lets say I send 100
>messages to spam@mydomain.com will the filters start to think that mail
>coming from me is spam, or is the sa-learn script smarter than that?
>Also, is that the way others are using bayes in an organizational
>setting?

No, sa-learn is NOT smarter than that. But it's not as dumb as learning "mail from xxx is spam".

SA's bayes engine tokenizes headers.. message ID patterns, mime boundary patterns, all kinds of things. It will wind up learning "any message that looks like a forwarded by this mail client is spam" as a result.

It's 100% impossible for SA to ever bayes_learn from a generic forwarded message. Most forwards have lost their headers, had text added to the body, HTML re-encoded by the client, attachments stripped, multipart/alternatives converted to singlepart or vice-versa, etc.

SA MUST be fed a message that has original, unmangled body, and the original headers included. Anything else will poison your bayes database.

You _can_ however forward the message (with complete headers) as an attachment, and have a cron job that extracts the attachments and feeds them to sa-learn.

From kevin at KEVINSPICER.CO.UK Thu Feb 12 22:11:44 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:29 2006
Subject: Blocking incorrectly addressed mail when relaying to Exchange
Message-ID: <1076623904.18649.35.camel@bach.kevinspicer.co.uk>

There's been some interest expressed in this in the past. Recently Jan-Peter Koopmann posted a vb script to the list to produce a list of email addresses from active directory (he was using it with exim I believe). I've managed to get this to work for sendmail, with a little perl script of my own and sendmail's ldap_routing feature (which despite its name doesn't need to use ldap).

I've added a description of how I did this (and the necessary scripts) to the FAQ
http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?file=270

enjoy!

[By the way this isn't the only way to do this - some people may prefer to use LDAP directly from sendmail]

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard.
My public key may be obtained from http://www.keyserver.net

From maillists at CONACTIVE.COM Thu Feb 12 22:12:50 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:29 2006
Subject: How to release mail from quarantine?
Message-ID:

I think I read some lines about this when scanning the mailing list archive or the FAQs, but I'm not quite sure how to do it exactly.

1.
If I quarantine as queue files I think I can simply put the corresponding df/qf files in the outgoing mail queue. Is this correct? But what about attachments? As I see MailScanner puts the df/qf plus all attachments in a directory and puts it in the quarantine. I think I can't just move that to the queue. I've never seen any other than df/qf/xf files in a sendmail queue.

2.
If I quarantine *not* as queue files like it is required for a fully working Mailwatch setup. How do I do that? Send the file straight to sendmail via "sendmail -v sender < file"?

My intent is to send our customers two notify messages per day for spam and viruses and the user can just hit reply and send relevant parts back. The receiving program then just grabs the queue file names or the idfile name from the mail and releases that mail from quarantine.

I looked at the mailscanner data in the Mailwatch database and the content looks quite promising, seems like everything is already there, so no need to parse all the quarantine directories, everything of importance is already in the Mysql tables.

Anyone already gone this way?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From kevins at BMRB.CO.UK Thu Feb 12 22:16:40 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:29 2006
Subject: bayes
In-Reply-To: <6.0.0.22.0.20040212170126.0262e4c0@xanadu.evi-inc.com>
References: <6.0.0.22.0.20040212170126.0262e4c0@xanadu.evi-inc.com>
Message-ID: <1076624203.18648.39.camel@bach.kevinspicer.co.uk>

On Thu, 2004-02-12 at 22:06, Matt Kettler wrote:
> It's 100% impossible for SA to ever bayes_learn from a generic forwarded
> message. Most forwards have lost their headers, had text added to the body,
> HTML re-encoded by the client, attachments stripped, multipart/alternatives
> converted to singlepart or vice-versa, etc.
>
> SA MUST be fed a message that has original, unmangled body, and the
> original headers included. Anything else will poison your bayes database.

Worth noting that (IIRC) SA uses the messageID as a key, so if you want to relearn a message that was identified as ham as spam (or vice versa) you must preserve the headers, so that SA can realise that it previously learned the message and so unlearn it before learning it correctly.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mailscanner at ecs.soton.ac.uk Thu Feb 12 22:19:45 2004
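The extraction step Matt Kettler describes in the bayes thread above (forward as an attachment, pull the attachment out, hand it to sa-learn), combined with Kevin Spicer's point that the Message-ID has to survive, as an added Python example that is not code from the thread or from MailScanner or SpamAssassin. The function names, the sample mail and the "needs a Message-ID and a Received header" acceptance check are assumptions of this example.

```python
"""Pull message/rfc822 attachments out of a report mail for Bayes training."""
import hashlib
from email import message_from_bytes
from email.generator import BytesGenerator
from io import BytesIO
from pathlib import Path

# Constructed sample: one report mail carrying two attached messages, the
# first with its original headers, the second with headers already stripped.
ATTACHED_FORWARD = b"""\
From: user@example.org
To: spam@example.org
Subject: Fwd: two reports
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Both attached.
--BOUND
Content-Type: message/rfc822

Received: from mx.example.net by mail.example.org; 12 Feb 2004
Message-ID: <constructed-1@example.net>
From: seller@example.net
Subject: cheap pills

From our warehouse to you.
Buy now.
--BOUND
Content-Type: message/rfc822

From: seller@example.net
Subject: headers stripped by the client

Buy now.
--BOUND--
"""

# Constructed sample: an ordinary inline forward, which must yield nothing.
INLINE_FORWARD = b"""\
From: user@example.org
To: spam@example.org
Subject: FW: cheap pills
Content-Type: text/plain

-----Original Message-----
From: seller@example.net
Subject: cheap pills

Buy now.
"""


def attached_messages(msg):
    """Yield attached messages without descending into them, so a mail that
    the spam itself forwarded is not split out as a separate sample."""
    if not msg.is_multipart():
        return
    for part in msg.get_payload():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()
            if isinstance(payload, list) and payload:
                yield payload[0]
        else:
            yield from attached_messages(part)


def is_learnable(inner):
    """Assumed heuristic: the original headers survived if the message still
    has a Message-ID and at least one Received header."""
    return bool(inner.get("Message-ID")) and bool(inner.get_all("Received"))


def raw_bytes(inner):
    """Serialise without '>From ' mangling so the body is not altered."""
    buf = BytesIO()
    BytesGenerator(buf, mangle_from_=False).flatten(inner)
    return buf.getvalue()


def extract_originals(report_bytes):
    """Return ([(message_id, raw_message), ...], skipped_count)."""
    accepted, skipped = [], 0
    for inner in attached_messages(message_from_bytes(report_bytes)):
        if is_learnable(inner):
            accepted.append((inner["Message-ID"].strip(), raw_bytes(inner)))
        else:
            skipped += 1
    return accepted, skipped


def save_for_sa_learn(report_bytes, out_dir):
    """Write accepted messages to out_dir, one file per Message-ID, for a
    later run such as: sa-learn --spam <out_dir>"""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for message_id, raw in extract_originals(report_bytes)[0]:
        name = hashlib.sha256(message_id.encode()).hexdigest()[:16] + ".eml"
        (out / name).write_bytes(raw)
        paths.append(out / name)
    return paths


if __name__ == "__main__":
    ok, dropped = extract_originals(ATTACHED_FORWARD)
    print(f"accepted={len(ok)} skipped={dropped}")
```

Naming the output file after the Message-ID means the same message reported twice lands in the same file instead of being queued for learning twice.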
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:29 2006
Subject: How to release mail from quarantine?
In-Reply-To:
References:
Message-ID: <6.0.3.0.2.20040212221735.03f15e98@imap.ecs.soton.ac.uk>

At 22:12 12/02/2004, you wrote:
>I think I read some lines about this when scanning the mailing list
>archive or the FAQs, but I'm not quite sure how to do it exactly.
>
>1.
>If I quarantine as queue files I think I can simply put the corresponding
>df/qf files in the outgoing mail queue. Is this correct? But what about
>attachments? As I see MailScanner puts the df/qf plus all attachments in a
>directory and puts it in the quarantine. I think I can't just move that to
>the queue. I've never seen any other than df/qf/xf files in a sendmail
>queue.

You can just put the df+qf pair in the outgoing mail queue. They contain all the attachments.

>2.
>If I quarantine *not* as queue files like it is required for a fully
>working Mailwatch setup. How do I do that? Send the file straight to
>sendmail via "sendmail -v sender < file"?

Add a -oi (check that) and -oem to the command line to make it more robust against things like lines with just "." on them. And you mean -t not -v.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From wei at eng.fsu.edu Thu Feb 12 22:25:44 2004
From: wei at eng.fsu.edu (Wei Li) Date: Thu Jan 12 21:22:29 2006 Subject: I have no incoming message, please help... Message-ID: <200402122225.i1CMPi126298@lynx.eng.fsu.edu> After start mailscanner, I could only send mail but no incoming mail..it is urgent, please help. Thanks. >X-RAL-MFrom: >X-RAL-Connect: >X-Sender: (Unverified) >Mime-Version: 1.0 >X-MailScanner-Information: Please contact helpdesk@ecs.soton.ac.uk for more information >X-ECS-MailScanner: Found to be clean >X-Scanned-By: MIMEDefang 2.38 >Date: Thu, 12 Feb 2004 21:11:00 +0000 >From: Julian Field >Subject: Re: amavis >Comments: To: Wei Li >To: MAILSCANNER@JISCMAIL.AC.UK >X-Virus-Scanned: by AMaViS 0.3.12pre8 >X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on lynx.eng.fsu.edu >X-Spam-Status: No, hits=0.8 required=5.0 tests=BIZ_TLD autolearn=no version=2.63 >X-Spam-Level: > >At 21:01 12/02/2004, you wrote: >>Hi, >> >>So, in my sendmail.cf file, do I need to comment this two lines to disable >>amavis? >> >>Mlocal, P=/usr/sbin/amavis, F=SAw5:|/@glDFMPhsfn, S=10/30, R=20/40, >> A=amavis $f $u /usr/bin/procmail -Y -a $h -d $u > >You need to put it back how it was before you installed amavis. > >>And, for the spamassasion, after run mailscanner, will the spamassasin run for >>every single user as before? do I need to disable it, too? how? > >Let MailScanner take over SpamAssassin for you. Individual >.spamassassin/user_prefs files won't be used, but everything that people >usually want to customise can be configured on a per-user or per-domain (or >per-anything else) basis using MailScanner rulesets. Read >/etc/MailScanner/rules/* for more information on rulesets. > > >>Thanks a lot >> >> >X-RAL-MFrom: >> >X-RAL-Connect: >> >X-Sender: (Unverified) >> >Mime-Version: 1.0 >> >X-MailScanner-Information: Please contact helpdesk@ecs.soton.ac.uk for more >>information >> >X-ECS-MailScanner: Found to be clean >> >X-Scanned-By: MIMEDefang 2.38 >> >Date: Thu, 12 Feb 2004 20:38:09 +0000 
>> >From: Julian Field >> >Subject: Re: amavis >> >Comments: To: Wei Li >> >To: MAILSCANNER@JISCMAIL.AC.UK >> >X-Virus-Scanned: by AMaViS 0.3.12pre8 >> >X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on lynx.eng.fsu.edu >> >X-Spam-Status: No, hits=0.8 required=5.0 tests=BIZ_TLD autolearn=no >>version=2.63 >> >X-Spam-Level: >> > >> >At 20:05 12/02/2004, you wrote: >> >>I am using amavis now, if I transfer to mailscanner, it will mean that I >> >>do not >> >>need it any more, right? Because amavis is used by every end users and >> >>hundreds >> >>of users use it as the same time, it is really resource consuming. >> > >> >Correct. MailScanner works at the same level as the MTA (sendmail or >> whatever). >> > >> >>And I am using uvscan, is it right that I only need to set the Virus >> >>Scanners = >> >>/opt/unscan in /opt/MailScanner/etc/MailScanner.conf file? >> > >> >You set >> >Virus Scanners = mcafee >> >in MailScanner.conf >> >and put the path to your McAfee installation in the virus.scanners.conf >> file. >> > >> >MailScanner doesn't need anything special in your sendmail.cf at all. You >> >can put it back how it was before you started running amavis. >> >-- >> >Julian Field >> >www.MailScanner.info >> >Professional Support Services at www.MailScanner.biz >> >MailScanner thanks transtec Computers for their support >> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 ************************************************************ Wei Li @__ ----- System Administrator _,>/'_ ---- FAMU-FSU College of Engineering (*) \(*) --- O:332 - C Tel:(850)410-6157 ************************************************************ ============================================================ With a PC, I always felt limited by the software available. 
On Unix, I am limited only by my knowledge. --Peter J. Schoenster
============================================================

From ugob at CAMO-ROUTE.COM Thu Feb 12 22:30:27 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:29 2006
Subject: I have no incoming message, please help...
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108DF@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Wei Li [mailto:wei@eng.fsu.edu]
> Sent: Thursday, February 12, 2004 5:26 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: I have no incoming message, please help...
>
>
> After start mailscanner, I could only send mail but no
> incoming mail..

Can be a number of things. First try telnetting to the server on port 25 and send a message this way, to yourself. Then see your logs.

> it is
> urgent, please help.

Urgent? Just restart sendmail if it was working, in the meantime...

Btw, the quality of the help you'll receive here is directly proportional to the quantity of information you provide.

hth

Ugo

>
> Thanks.
>

From maillists at CONACTIVE.COM Thu Feb 12 22:31:31 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:29 2006
Subject: amavis
In-Reply-To: <200402122101.i1CL1RL09003@lynx.eng.fsu.edu>
References: <200402122101.i1CL1RL09003@lynx.eng.fsu.edu>
Message-ID:

Wei Li wrote on Thu, 12 Feb 2004 16:01:27 -0500:

> So, in my sendmail.cf file, do I need to comment this two lines to disable
> amavis?

yes, no milter needed anymore!

> And, for the spamassasion, after run mailscanner, will the spamassasin run for
> every single user as before?

Sorry, don't know. I assume so.

> do I need to disable it, too? how?
>

How, where do you want to disable it? I don't know how amavis pipes to SA. Does it use spamd? In that case you can shutdown spamd, yes.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From david at PLATFORMHOSTING.COM Thu Feb 12 22:52:14 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:29 2006
Subject: Preference for batch sizes
In-Reply-To: <013f01c3f188$f8d28ba0$9701a8c0@cnpapers.net>
Message-ID: <065e01c3f1ba$dcbf6e10$0b00a8c0@djh01>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Stephe Campbell
> Sent: Friday, 13 February 2004 3:55 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Preference for batch sizes
>
> I do not use Razor, but the suggestion to lower the message count per scan
> seemed to fix it up. I am not running at 2 or 3 messages in my incoming.
> Somehow, I missed the prior thread.
>

Hi Steve,

I've found on an i386 box with 1 gig of ram, 80 Gig 7200RPM IDE disk and an AMD 2200 processor, using tempfs for the work dir that 3 children and 10 messages per batch is the most efficient combination.

If you have an evening free, write yourself a script to flood the box with a decent number of messages and do some timings on how long each combination takes to clear the queue - results below.

Spam Load Test

Messages  Children  Msg/batch  Mins
50        4         5          0:08:39  Workdir = DISK
50        3         5          0:08:05  Workdir = DISK
50        3         10         0:09:38  Workdir = DISK
50        2         10         0:13:07  Workdir = DISK
50        1         10         0:17:00  Workdir = DISK
50        0         10         0:15:00  Workdir = DISK
50        3         5          0:01:51  Workdir = TEMPFS
50        3         10         0:01:02  Workdir = TEMPFS
50        3         15         0:01:10  Workdir = TEMPFS

We've managed to drop load on the box to 1/3 of its old load just by playing with these settings alone, and a further reduction in load after that by tuning our spamassassin rules very savagely.

We have also recently taken to storing the Bayes DB's in tempfs which has helped further reduce load and improve performance.

Hope this helps you and anyone else with these kinds of issues.

Cheers!

Dave

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From david at PLATFORMHOSTING.COM Thu Feb 12 22:55:20 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:29 2006
Subject: MailScanner -> Spamassassin taking insane amount of bandwidth
In-Reply-To: <4915A8E67C498D42BAB5CB1351FD026E23BC3E@3webad1.3WebMedia.int>
Message-ID: <065f01c3f1bb$4b97e510$0b00a8c0@djh01>

Have you perhaps considered that the last month's mail traffic has increased fairly significantly? MyDoom on its own was more than half of our traffic for a day or so.

Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Yannick Cayer
Sent: Friday, 13 February 2004 7:03 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner -> Spamassassin taking insane amount of bandwidth

Greetings,

I have the following configuration:

mailscanner-4.25-14 with spamassassin 2.61
sendmail 8.11.6-27
on an IBM x235
2 2.4GHZ Processors
1.25 GHZ of RAM
Hot swappable raid 5 config.

We have about a 100 small sites configured for mail mostly and some, web. This is running on RedHat Linux 7.3 Kernel 2.4.18-27.7.xsmp

We have been running MailScanner on that machine for almost 2 years now without any problems. Since we have activated the anti-spam features using SpamAssassin, and standard Spam-Checking through the ORBS lists, our bandwidth usage has more than doubled. Before activating that feature, we were using 80-100GB of bandwidth per month. Now we're up to 224GB for last month.

Has anyone ever heard of SpamAssassin doing this?

Thank you in advance for your help.

_____
Pain free spam & virus protection - Mail Security
To report SPAM forward the message to: spam@mailsecurity.net.au
To report incorrectly tagged messages: notspam@mailsecurity.net.au
_____

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From raymond at PROLOCATION.NET Fri Feb 13 00:15:16 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:29 2006
Subject: ANNOUNCE: Beta 4.27.3 released
In-Reply-To: <6.0.3.0.2.20040212180202.0385b868@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

MailScanner-4.27.3-1 running just fine, test running on two of my servers. The problem seems fixed with the mime headers, i have tested with 3 examples i had saved up and those were handled ok it seems.

Great work Julian!

Bye,
Raymond.

From jburzenski at AMERICANHM.COM Fri Feb 13 00:54:44 2004
From: jburzenski at AMERICANHM.COM (Jason Burzenski)
Date: Thu Jan 12 21:22:29 2006
Subject: MailScanner -> Spamassassin taking insane amount of bandwidth
Message-ID: <9BDD6D4AD0795C46974D7D46C17883B8090DFCB1@ahm_exchange2.americanhm.com>

This may seem like a bit of a stretch but I recently had a similar problem (increase in traffic by over 200%) when I integrated a new domain into my system. The domain was relatively new and had few users so I couldn't fathom the load increase. A week later I was able to trace the problem down to a user who had their account closed with a rule in exchange to forward the mail out to an internet account. Eventually this internet account became full and started to generate mailbox full bounce messages, which in turn eventually filled up the users mailbox on my exchange system which also started spewing out mailbox full messages. These messages would bounce very quickly between boxes, appending the bounce message to the bottom of the message each time. The bounce messages would replicate up to about 2.5 MB in size in 5k increments in under 10 minutes for each message the user received. As you can imagine, this had a major impact on mail traffic.

I would recommend going through a slice of your maillog to see if you can recognize a pattern. It may be that you process a lot of very small messages and spam assassin is generating detailed reports in the headers which is the source of your problem.

_____
From: David Hooton [mailto:david@PLATFORMHOSTING.COM]
Sent: Thursday, February 12, 2004 5:55 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner -> Spamassassin taking insane amount of bandwidth

Have you perhaps considered that the last month's mail traffic has increased fairly significantly? MyDoom on its own was more than half of our traffic for a day or so.

Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Yannick Cayer
Sent: Friday, 13 February 2004 7:03 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner -> Spamassassin taking insane amount of bandwidth

Greetings,

I have the following configuration:

mailscanner-4.25-14 with spamassassin 2.61
sendmail 8.11.6-27
on an IBM x235
2 2.4GHZ Processors
1.25 GHZ of RAM
Hot swappable raid 5 config.

We have about a 100 small sites configured for mail mostly and some, web. This is running on RedHat Linux 7.3 Kernel 2.4.18-27.7.xsmp

We have been running MailScanner on that machine for almost 2 years now without any problems. Since we have activated the anti-spam features using SpamAssassin, and standard Spam-Checking through the ORBS lists, our bandwidth usage has more than doubled. Before activating that feature, we were using 80-100GB of bandwidth per month. Now we're up to 224GB for last month.

Has anyone ever heard of SpamAssassin doing this?

Thank you in advance for your help.

_____
Pain free spam & virus protection - Mail Security
To report SPAM forward the message to: spam@mailsecurity.net.au
To report incorrectly tagged messages: notspam@mailsecurity.net.au
_____

_____
Pain free spam & virus protection - Mail Security
To report SPAM forward the message to: spam@mailsecurity.net.au
To report incorrectly tagged messages: notspam@mailsecurity.net.au
_____

From campbell at CNPAPERS.COM Fri Feb 13 02:33:15 2004
From: campbell at CNPAPERS.COM (Steve Campbell)
Date: Thu Jan 12 21:22:29 2006
Subject: Preference for batch sizes
In-Reply-To: <065e01c3f1ba$dcbf6e10$0b00a8c0@djh01>
References: <065e01c3f1ba$dcbf6e10$0b00a8c0@djh01>
Message-ID: <1076639595.402c376b28cae@kanawha.cnpapers.net>

Mr. Hooton,

Thank you for a very informative response. I am seeing some really strange things happening here, as I have alluded to in prior post with this subject. I will more than likely have to start using tempfs for some things, but first I will break up our domains across multiple boxes.

The strangeness of no timeouts for RBL and SA as a general rule, small amounts of mail in incoming taking a very long time to clear, and the load average dropping regardless of what is in either queues has me baffled. Especially, since before Tuesday night, large amounts of email being dumped into this server was handled very swiftly. Load average usually remained proportionate to emails waiting to be scanned or delivered.

One other thing I am going to do is wean myself away from linuxconf and begin using sendmail to its fullest. (Be warned - Another post coming to either this list or some other). I really have a problem with non-existent user email. I feel it's a shame to waste resources just to eliminate bounces, but I have yet to find how these are resolved by Sendmail.

Thanks very much

Steve Campbell

Quoting David Hooton :

> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Stephe Campbell
> > Sent: Friday, 13 February 2004 3:55 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Preference for batch sizes
> >
> > I do not use Razor, but the suggestion to lower the message count per scan
> > seemed to fix it up. I am not running at 2 or 3 messages in my incoming.
> > Somehow, I missed the prior thread.
> >
>
>
> Hi Steve,
>
> I've found on an i386 box with 1 gig of ram, 80 Gig 7200RPM IDE disk and an
> AMD 2200 processor, using tempfs for the work dir that 3 children and 10
> messages per batch is the most efficient combination.
>
> If you have an evening free, write yourself a script to flood the box with a
> decent number of messages and do some timings on how long each combination
> takes to clear the queue - results below.
>
> Spam Load Test
>
> Messages  Children  Msg/batch  Mins
> 50        4         5          0:08:39  Workdir = DISK
> 50        3         5          0:08:05  Workdir = DISK
> 50        3         10         0:09:38  Workdir = DISK
> 50        2         10         0:13:07  Workdir = DISK
> 50        1         10         0:17:00  Workdir = DISK
> 50        0         10         0:15:00  Workdir = DISK
> 50        3         5          0:01:51  Workdir = TEMPFS
> 50        3         10         0:01:02  Workdir = TEMPFS
> 50        3         15         0:01:10  Workdir = TEMPFS
>
> We've managed to drop load on the box to 1/3 of its old load just by
> playing with these settings alone, and a further reduction in load after
> that by tuning our spamassassin rules very savagely.
>
> We have also recently taken to storing the Bayes DB's in tempfs which has
> helped further reduce load and improve performance.
>
> Hope this helps you and anyone else with these kinds of issues.
>
> Cheers!
> > Dave > > > ======================================================================== > Pain free spam & virus protection by: www.mailsecurity.net.au > Forward undetected SPAM to: spam@mailsecurity.net.au > ======================================================================== > ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From campbell at CNPAPERS.COM Fri Feb 13 02:48:49 2004 From: campbell at CNPAPERS.COM (Steve Campbell) Date: Thu Jan 12 21:22:29 2006 Subject: Afterthought about bouncing Message-ID: <1076640529.402c3b1172081@kanawha.cnpapers.net> To the list, I really never thought about this until my recent explosion of invalid-user emails sent to our domains and my undetermined reason for slowness. Could someone explain the definition of bouncing to me in their own environment and tell me what they think of the below stuff? I use a dead box here to capture nonexistent user emails, where they are reviewed for simple mis-typed addressing, and then either forwarded to the proper user or discarded. I blacklist heavily on "From:" to throw away emails. In this situation, I hope I am not bouncing much. As I research my move to using M4 for pure Sendmail, getting away from linuxconf, I have not seen a way to prevent the NDR message generated by sendmail when I do not use a fallover address (dead box). It appears that this will always occur. Isn't this a form of bouncing even though I am not forwarding the original message? I want to eliminate as much for MS to do as possible, and want to do this at the MTA (SendMail, again). Please no wars about bouncing. Just the facts, ma'am. (That's from the TV show Dragnet to all of you youngsters). Thanks, Steve Campbell Charleston Newspapers campbell@cnpapers.com ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From jaearick at COLBY.EDU Fri Feb 13 03:23:18 2004 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:22:29 2006 Subject: Preference for batch sizes In-Reply-To: <1076639595.402c376b28cae@kanawha.cnpapers.net> References: <065e01c3f1ba$dcbf6e10$0b00a8c0@djh01> <1076639595.402c376b28cae@kanawha.cnpapers.net> Message-ID: Steve, You should probably give your DNS a good hard look. When things mysteriously delay like this, often the problem is lack of DNS resolution. You may have to get your network guys involved. Made any changes to DNS lately? Changed upstream network providers? I did some quick "dig" action on domain "cnpapers.net" and nothing obvious hit me. Can you resolve remote sites quickly? Ever considered running DNS service on your mail machines? Jeff Earickson Colby College On Thu, 12 Feb 2004, Steve Campbell wrote: > Date: Thu, 12 Feb 2004 21:33:15 -0500 
> From: Steve Campbell
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Preference for batch sizes
>
> Mr. Hooton,
>
> Thank you for a very informative response. I am seeing some really strange
> things happening here, as I have alluded to in prior post with this subject. I
> will more than likely have to start using tempfs for some things, but first I
> will break up our domains across multiple boxes.
>
> The strangeness of no timeouts for RBL and SA as a general rule, small amounts
> of mail in incoming taking a very long time to clear, and the load average
> dropping regardless of what is in either queues has me baffled. Especially,
> since before Tuesday night, large amounts of email being dumped into this
> server was handled very swiftly. Load average usually remained proportionate
> to emails waiting to be scanned or delivered.
>
> One other thing I am going to do is wean myself away from linuxconf and begin
> using sendmail to its fullest. (Be warned - Another post coming to either
> this list or some other). I really have a problem with non-existent user
> email. I feel it's a shame to waste resources just to eliminate bounces, but I
> have yet to find how these are resolved by Sendmail.
>
> Thanks very much
>
> Steve Campbell
>
>
> Quoting David Hooton :
>
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > > Behalf Of Stephe Campbell
> > > Sent: Friday, 13 February 2004 3:55 AM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Preference for batch sizes
> > >
> > > I do not use Razor, but the suggestion to lower the message count per scan
> > > seemed to fix it up. I am not running at 2 or 3 messages in my incoming.
> > > Somehow, I missed the prior thread.
> > >
> >
> >
> > Hi Steve,
> >
> > I've found on an i386 box with 1 gig of ram, 80 Gig 7200RPM IDE disk and an
> > AMD 2200 processor, using tempfs for the work dir that 3 children and 10
> > messages per batch is the most efficient combination.
> >
> > If you have an evening free, write yourself a script to flood the box with a
> > decent number of messages and do some timings on how long each combination
> > takes to clear the queue - results below.
> >
> > Spam Load Test
> >
> > Messages  Children  Msg/batch  Mins
> > 50        4         5          0:08:39  Workdir = DISK
> > 50        3         5          0:08:05  Workdir = DISK
> > 50        3         10         0:09:38  Workdir = DISK
> > 50        2         10         0:13:07  Workdir = DISK
> > 50        1         10         0:17:00  Workdir = DISK
> > 50        0         10         0:15:00  Workdir = DISK
> > 50        3         5          0:01:51  Workdir = TEMPFS
> > 50        3         10         0:01:02  Workdir = TEMPFS
> > 50        3         15         0:01:10  Workdir = TEMPFS
> >
> > We've managed to drop load on the box to 1/3 of its old load just by
> > playing with these settings alone, and a further reduction in load after
> > that by tuning our spamassassin rules very savagely.
> >
> > We have also recently taken to storing the Bayes DB's in tempfs which has
> > helped further reduce load and improve performance.
> >
> > Hope this helps you and anyone else with these kinds of issues.
> >
> > Cheers!
> > > > Dave > > > > > > ======================================================================== > > Pain free spam & virus protection by: www.mailsecurity.net.au > > Forward undetected SPAM to: spam@mailsecurity.net.au > > ======================================================================== > > > > > > > ------------------------------------------------- > This mail sent through IMP: http://horde.org/imp/ > From P.G.M.Peters at utwente.nl Fri Feb 13 08:34:58 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:29 2006 Subject: Interesting... Decompression Bombs In-Reply-To: <20040212085430.A19100@sthomas.net> References: <6.0.1.1.2.20040212143922.07253d08@imap.ecs.soton.ac.uk> <20040212085430.A19100@sthomas.net> Message-ID: On Thu, 12 Feb 2004 08:54:30 -0800, you wrote: >> Cool, 29 PB :) >> >> Is there a copy available of it anywhere?? Nifty to >> test a raid array :) > >Google for 42.zip. And not click on the first link. ;-( -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From Jan-Peter.Koopmann at SECEIDOS.DE Fri Feb 13 09:26:20 2004 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:29 2006 Subject: Patches missing? Message-ID: Hi Julian, I am currently updating the FreeBSD ports and have two questions: 1. The MIME patch you posted here is not yet part of the 4.26.8-1 tarball is it? 2. The attached exim patch (posted earlier) is also not applied in that tarball? How about the current unstable? I adjusted the port so that both patches are applied automatically. Is that ok with you? Regards, JP -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscanner-exim.patch Type: application/octet-stream Size: 2088 bytes Desc: mailscanner-exim.patch Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040213/b46610e8/mailscanner-exim.obj From mailscanner at ecs.soton.ac.uk Fri Feb 13 09:43:50 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:29 2006 Subject: Patches missing? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040213094243.0737d298@imap.ecs.soton.ac.uk> At 09:26 13/02/2004, you wrote: >Hi Julian, > >I am currently updating the FreeBSD ports and have two questions: > >1. The MIME patch you posted here is not yet part of the 4.26.8-1 >tarball is it? No, it is in 4.27. >2. The attached exim patch (posted earlier) is also not applied in that >tarball? Also in 4.27. >How about the current unstable? They are in there. >I adjusted the port so that both patches are applied automatically. Is >that ok with you? Won't be necessary once 4.27 is produced. But if you want to support them in BSD 4.26 then that's fine with me. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Jan-Peter.Koopmann at SECEIDOS.DE Fri Feb 13 10:09:00 2004 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:29 2006 Subject: Patches missing? Message-ID: > >How about the current unstable? > > They are in there. Perfect. Good to know since I am about to update the mailscanner-devel port in a few seconds... :-) > Won't be necessary once 4.27 is produced. But if you want to > support them in BSD 4.26 then that's fine with me. Is 4.27 coming so soon? I expected to see 4.26.8 to be the final release for a few weeks. I think I missed parts of the "to bounce or not to bounce" discussion. Should we not alter the manpages for the new bounce stuff? Regards, JP From mailscanner at ecs.soton.ac.uk Fri Feb 13 10:22:35 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:29 2006 Subject: Patches missing? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040213101958.035f9b30@imap.ecs.soton.ac.uk> At 10:09 13/02/2004, you wrote: > > >How about the current unstable? > > > > They are in there. > >Perfect. Good to know since I am about to update the mailscanner-devel >port in a few seconds... :-) > > > Won't be necessary once 4.27 is produced. But if you want to > > support them in BSD 4.26 then that's fine with me. > >Is 4.27 coming so soon? I expected to see 4.26.8 to be the final release >for a few weeks. No, I'm just putting out betas when I feel like it. I probably won't release the stable version until start of April. >I think I missed parts of the "to bounce or not to bounce" discussion. >Should we not alter the manpages for the new bounce stuff? There is a new "Enable Spam Bounce" option, for which the docs are below. Feel free to tell people not to use it. The default value is "no". # You can use this ruleset to enable the "bounce" Spam Action. # You must *only* enable this for mail from sites with which you have # agreed to bounce possible spam. Use it on low-scoring spam only (<10) # and only to your regular customers for use in the rare case that a # message is mis-tagged as spam when it shouldn't have been. # Beware that many sites will automatically delete the bounce messages # created by using this option unless you have agreed this with them in # advance. Enable Spam Bounce = %rules-dir%/bounce.rules -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Fri Feb 13 10:53:54 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:29 2006 Subject: Mydoom Virus getting Through - High Spam Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C521@jessica.herefordshire.gov.uk> Then suddenly a new exploit with a hitherto considered safe filetype appears. Boom! Virus scan everything first, then do the other checks. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Kai Schaetzl > Sent: 12 February 2004 21:32 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mydoom Virus getting Through - High Spam > > > Julian Field wrote on Thu, 12 Feb 2004 18:19:33 +0000: > > > You can't trust anything that is in any header. > > > > I see what you mean. But I guess there is some way to handle > this. But > even without a second scanning I think it's worthwhile to > consider adding > such an option. > > What I was thinking is: why handle the extra load if I > already know that a > message contains a virus or a filetype I want to block? At > the moment all > viruses are scanned for spam as well which looks like a waste > of time for > me. > I suppose just determining the file type would be the fastest > check, then > maybe virus scanning and then spam scanning. If we get an > .exe file we > don't care to know which virus it is or if the tweaked SA > rules would have > caught it as well. Just stopping and quarantining is enough. Doing > something like this could lower the load considerably I think. > > I'm not sure what "Blocked File" does, does the quarantining > of viruses > apply to it as well? Is there a particular order MailScanner > carries out > the actions? > > At least at the moment I think it would be a good idea if I > could tell it > to scan in this order: > > - filetype/extension detection > - virus detection > - spam detection > > and if any of them is true quarantine (or whatever action I > have set) it > and stop scanning. > > Maybe, if I could do this it would turn out as not too > effective and I > would stop using it soon. I don't know. > But I can't try it out or can I? > > > Kai > > -- > > Kai Schätzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > IE-Center: http://ie5.de & http://msie.winware.org > From Jan-Peter.Koopmann at SECEIDOS.DE Fri Feb 13 10:56:01 2004 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:29 2006 Subject: Patches missing? Message-ID: Me again, > >How about the current unstable? > > They are in there. Just had a look at 4.27.3. The Exim.pm patch does not seem to be in there... The Exim.pm 1.24.2.27 only added this AFAIK: @@ -791,7 +791,9 @@ if (defined $header) { # Found it :) #$header->{body} = $newvalue . $sep . $header->{body}; + chomp($header->{body}); $header->{body} =~ s/^($sep|\s)*/ $newvalue$sep/; + $header->{body} .= "\n"; } else { # Didn't find it :( The entire ACL stuff seems to be missing. Will your version work with the Exim ACL variables as well or do I need to patch the rest of the Exim patch in there as well? Regards, JP From prandal at HEREFORDSHIRE.GOV.UK Fri Feb 13 10:56:54 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:29 2006 Subject: Mydoom Virus getting Through - High Spam Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C522@jessica.herefordshire.gov.uk> There'll be some pointy-haired boss somewhere who demands statistics about numbers of viruses blocked. Telling them "we can't tell you, most viruses are marked as spam" doesn't go down too well, alas. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 12 February 2004 21:47 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mydoom Virus getting Through - High Spam > > > At 21:31 12/02/2004, you wrote: > >Julian Field wrote on Thu, 12 Feb 2004 18:19:33 +0000: > > > > > You can't trust anything that is in any header. > > > > > > >I see what you mean. But I guess there is some way to handle > this. But > >even without a second scanning I think it's worthwhile to > consider adding > >such an option. > > > >What I was thinking is: why handle the extra load if I > already know that a > >message contains a virus or a filetype I want to block? At > the moment all > >viruses are scanned for spam as well which looks like a > waste of time for > >me. > >I suppose just determining the file type would be the > fastest check, then > >maybe virus scanning and then spam scanning. If we get an > .exe file we > >don't care to know which virus it is or if the tweaked SA > rules would have > >caught it as well. > > But if it contains a harmless exe and a doc, you want to let the doc > through so long as it isn't infected. So you still have to > virus scan the > message. > > > Just stopping and quarantining is enough. Doing > >something like this could lower the load considerably I think. > > > >At least at the moment I think it would be a good idea if I > could tell it > >to scan in this order: > > > >- filetype/extension detection > >- virus detection > >- spam detection > > I am looking at being able to switch virus+filetype with > spam. It's not > trivial. During normal times (i.e. not during big virus > attacks) you get > far more spam than viruses, so you want to throw away the spam first. > During big virus attacks you want to be able to throw away > the viruses first. > So it needs to be switchable. 
> > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mailscanner at ecs.soton.ac.uk Fri Feb 13 11:28:04 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:29 2006 Subject: Patches missing? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040213112556.0386e0f0@imap.ecs.soton.ac.uk> I am awaiting confirmation from my Exim experts that this patch won't interfere with anything else. I want to be absolutely sure the patch won't break anything. As soon as one of them gets a chance to take a look at it, I will put it in the distribution. But not before then. It is listed in the Changelog as being outstanding. At 10:56 13/02/2004, you wrote: >Me again, > > > >How about the current unstable? > > > > They are in there. > >Just had a look at 4.27.3. The Exim.pm patch does not seem to be in >there... > >The Exim.pm 1.24.2.27 only added this AFAIK: > >@@ -791,7 +791,9 @@ > if (defined $header) { > # Found it :) > #$header->{body} = $newvalue . $sep . $header->{body}; >+ chomp($header->{body}); > $header->{body} =~ s/^($sep|\s)*/ $newvalue$sep/; >+ $header->{body} .= "\n"; > } > else { > # Didn't find it :( > > >The entire ACL stuff seems to be missing. Will your version work with >the Exim ACL variables as well or do I need to patch the rest of the >Exim patch in there as well? > >Regards, > JP -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Jan-Peter.Koopmann at SECEIDOS.DE Fri Feb 13 11:43:46 2004 
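Review bot: the new chomp() / .= "\n" pair around the substitution normalises only a single trailing newline and carries no comment saying why the body must be stripped before the prefix is inserted; a body that ends in more than one newline still keeps the extras after this change, so stripping with s/\s+\z// before re-appending "\n" would be more robust, and a one-line comment would record the intent. On the unchanged substitution line the hunk brackets, $sep is interpolated into the pattern unquoted, so a separator containing regex metacharacters would not be matched literally; \Q$sep\E avoids that. Nothing in the visible lines strips newlines from $newvalue before it is written into the header body, which is worth checking at the call site. The commented-out assignment above the chomp() could be dropped while this block is being touched.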
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:29 2006 Subject: Patches missing? Message-ID: OK. I see. I have it up and running here since it was posted and have not noticed any problems so far. I am no Exim-ACL/Qfile expert though. Is there anything I can do to help? Regards, JP From mailscanner at ecs.soton.ac.uk Fri Feb 13 11:57:12 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:29 2006 Subject: Patches missing? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040213115613.03e19ee0@imap.ecs.soton.ac.uk> At 11:43 13/02/2004, you wrote: >OK. I see. I have it up and running here since it was posted and have >not noticed any problems so far. I am no Exim-ACL/Qfile expert though. >Is there anything I can do to help? As it's going to be a while before I issue the next stable version, I'll put the patch in and leave it in until someone says it's broken. Not as safe, but should help you out. Can you (off list) please mail me a copy of the patch again. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mike at CAMAROSS.NET Fri Feb 13 13:56:12 2004 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:22:29 2006 Subject: Afterthought about bouncing In-Reply-To: <1076640529.402c3b1172081@kanawha.cnpapers.net> Message-ID: <200402131354.i1DDsBaa028981@avwall.bladeware.com> I'm not sure I understand exactly what you're wanting to do, but I'll give it a shot. If an email is not deliverable due to an addressing error, your machine should reject the email connection with a "user unknown". Your server would not generate an email to the *sender*. Their MTA would bounce the message back to the sender as undeliverable. This is not any additional load on your server. I would leave it up to the sender to make sure the address is correct before sending...not the postmaster. If you want to catch all of the mis-addressed emails, add an entry to your /etc/mail/virtusertable: @yourdomain.com localuser@yourdomain.com This is called a catch-all. You could also add a few entries for commonly misspelled addresses such as: johndeo@domain.com johndoe@domain.com m.smith@domain.com msmith@domain.com Mike > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Campbell > Sent: Thursday, February 12, 2004 8:49 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Afterthought about bouncing > > To the list, > > I really never thought about this until my recent explosion > of invalid-user emails sent to our domains and my > undetermined reason for slowness. Could someone explain the > definition of bouncing to me in their own environment and > tell me what they think of the below stuff? > > I use a dead box here to capture nonexistent user emails, > where they are reviewed for simple mis-typed addressing, and > then either forwarded to the proper user or discarded. I > blacklist heavily on "From:" to throw away emails. > In this situation, I hope I am not bouncing much. > > As I research my move to using M4 for pure Sendmail, getting > away from linuxconf, I have not seen a way to prevent the NDR > message generated by sendmail when I do not use a fallover > address (dead box). It appears that this will always occur. > Isn't this a form of bouncing even though I am not forwarding > the original message? I want to eliminate as much for MS to > do as possible, and want to do this at the MTA (SendMail, again). > > Please no wars about bouncing. Just the facts, ma'am. (That's > from the TV show Dragnet to all of you youngsters). > > Thanks, > > Steve Campbell > Charleston Newspapers > campbell@cnpapers.com > > > > > > ------------------------------------------------- > This mail sent through IMP: http://horde.org/imp/ > From maillists at conactive.com Fri Feb 13 14:00:11 2004 
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jan 12 21:22:29 2006 Subject: SA timeout setting? Message-ID: I'm still getting an occasional SA time-out when using Mailscanner and I can't repro it when scanning the same message again. I thought I had seen a time-out setting of 20 seconds in Mailscanner.conf but that was wrong. There's only a time-out counter. What's the time-out MS uses for SA and how can I change it? (No, I'm not using any RBL tests in SA, never did.) Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at conactive.com Fri Feb 13 14:00:11 2004 
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jan 12 21:22:29 2006 Subject: Adding Envelope Headers? In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> Message-ID: Derek Winkler wrote on Thu, 12 Feb 2004 16:51:29 -0500: > I added the from to X-Algo-MailScanner-Information with a custom function. Sorry, I fear I don't understand what you mean or maybe I just fear I won't be able to do that. But, wouldn't it be much better to have it added like X-Envelope-From: X-Envelope-To: instead of being buried in some other information? > That's your MTA's job. > Almost overlooked that one. I think that's strictly a point-of-view thing. Why should it be natural for the MTA to do? Anyway, I searched around how sendmail could do this and it simply doesn't. I found only these clumsy procmail solutions: http://www.sendmail.org/faq/section3.html#3.29 http://www.polbox.com/a/anfi/sendmail/sharedmailbox.html and still no X-Envelope-From. We are currently using a milter which happily adds both headers by default and I found that they are very useful for everything concerning anti-spam measures, adding to access.db etc. but also for whitelisting. Actually, I was quite surprised when first checking out Mailscanner that it doesn't add these headers and wonder why it doesn't. Mailscanner seems to be the perfect place to do it. Obviously, sendmail doesn't do, that's why several milters add them (f.i. amavis-new does it, but why add another milter to the chain if I don't need it for other things?). Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at conactive.com Fri Feb 13 14:00:11 2004 
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jan 12 21:22:29 2006 Subject: Mydoom Virus getting Through - High Spam In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C522@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C522@jessica.herefordshire.gov.uk> Message-ID: Phil Randal wrote on Fri, 13 Feb 2004 10:56:54 -0000: > There'll be some pointy-haired boss somewhere who demands statistics about > numbers of viruses blocked. Telling them "we can't tell you, most viruses > are marked as spam" doesn't go down too well, alas. > I think you didn't understand me. If you want complete statistics you have it on. If you want virus scanning always, you have it on. If you don't need that for blocked files, you have it off. I'm sure that there are many vendors who want to have it all on. Fine. I see the value in that approach. However, I'm also sure that many would like to balance their resource usage and just use what is necessary. Back to your original question I hooked on: I see high-scoring spam marked as containing a virus as well, so there must be something different in your setup if it doesn't work for you. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at conactive.com Fri Feb 13 14:00:11 2004 
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jan 12 21:22:29 2006 Subject: Mydoom Virus getting Through - High Spam In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C521@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C521@jessica.herefordshire.gov.uk> Message-ID: Phil Randal wrote on Fri, 13 Feb 2004 10:53:54 -0000: > Then suddenly a new exploit with a hitherto considered safe filetype appears. > > Boom! No Boom. > > Virus scan everything first, then do the other checks. > You did not understand. If a file is blocked by type, it is blocked. No Boom. If it is not blocked by type it is virus scanned. So, where's the problem? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From mailscanner at ecs.soton.ac.uk Fri Feb 13 14:09:39 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:29 2006 Subject: Adding Envelope Headers? In-Reply-To: References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> Message-ID: <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> At 14:00 13/02/2004, you wrote: >Derek Winkler wrote on Thu, 12 Feb 2004 16:51:29 -0500: > > > I added the from to X-Algo-MailScanner-Information with a custom function. > >Sorry, I fear I don't understand what you mean or maybe I just fear I won't >be able to do that. But, wouldn't it be much better to have it added like > >X-Envelope-From: >X-Envelope-To: > >instead of being buried in some other information? > > > That's your MTA's job. > > > >Almost overlooked that one. I think that's strictly a point-of-view thing. >Why should it be natural for the MTA to do? Anyway, I searched around how >sendmail could do this and it simply doesn't. I found only these clumsy >procmail solutions: >http://www.sendmail.org/faq/section3.html#3.29 >http://www.polbox.com/a/anfi/sendmail/sharedmailbox.html >and still no X-Envelope-From. Sendmail will add a "Return-Path:" header for you which is the envelope sender address. In your sendmail.cf, at the start of the "Format of headers" section, you need to ensure you have H?P?Return-Path: <$g> Putting in the envelope recipient addresses are a bad idea as this means that "Bcc" is no longer "blind" as all the recipients will get to see the addresses of all the other recipients, which isn't what your users will want. >We are currently using a milter which happily adds both headers by default >and I found that they are very useful for everything concerning anti-spam >measures, adding to access.db etc. but also for whitelisting. Actually, I >was quite surprised when first checking out Mailscanner that it doesn't add >these headers and wonder why it doesn't. Mailscanner seems to be the perfect >place to do it. 
Obviously, sendmail doesn't do, that's why several milters >add them (f.i. amavis-new does it, but why add another milter to the chain >if I don't need it for other things?). I am of the opinion that your MTA can already do the envelope sender, and putting in the envelope recipient is a bad idea. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ycayer at 3webmedia.com Fri Feb 13 14:15:51 2004 From: ycayer at 3webmedia.com (Yannick Cayer) Date: Thu Jan 12 21:22:29 2006 Subject: MailScanner -> Spamassassin taking insane amount of bandwidth In-Reply-To: A<065f01c3f1bb$4b97e510$0b00a8c0@djh01> Message-ID: <200402131415.i1DEFi127221@3webserv2.3webmedia.com> Still, it doesn't justify for 124GB extra in a month! _____ From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton Sent: Thursday, February 12, 2004 5:55 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner -> Spamassassin taking insane amount of bandwidth Have you perhaps considered that the last month's mail traffic has increased fairly significantly? MyDoom on its own was more than half of our traffic for a day or so. Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Yannick Cayer Sent: Friday, 13 February 2004 7:03 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner -> Spamassassin taking insane amount of bandwidth Greetings, I have the following configuration: mailscanner-4.25-14 with spamassassin 2.61 sendmail 8.11.6-27 on an IBM x235 2 2.4GHZ Processors 1.25 GHZ of RAM Hot swappable raid 5 config. We have about a 100 small sites configured for mail mostly and some, web. This is running on RedHat Linux 7.3 Kernel 2.4.18-27.7.xsmp We have been running MailScanner on that machine for almost 2 years now without any problems. Since we have activated the anti-spam features using SpamAssassin, and standard Spam-Checking through the ORBS lists, our bandwidth usage has more than doubled. Before activating that feature, we were using 80-100GB of bandwidth per month. Now we're up to 224GB for last month. Has anyone ever heard of SpamAssassin doing this? Thank you in advance for your help. _____ Pain free spam & virus protection - Mail Security To report SPAM forward the message to: spam@mailsecurity.net.au To report incorrectly tagged messages: notspam@mailsecurity.net.au _____ From prandal at HEREFORDSHIRE.GOV.UK Fri Feb 13 14:18:32 2004 
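Julian Field's objection in the "Adding Envelope Headers?" thread above (stamping envelope recipients into the headers means Bcc is no longer blind) can be checked mechanically. The following is an added example, not code from MailScanner or from any list member; the addresses are constructed, and the "per-recipient" stamping mode is an assumption added for comparison, not something proposed in the thread.

```python
"""Added illustration: stamping envelope recipients into headers unblinds Bcc."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\w")

# Constructed sample envelope: dave is a Bcc recipient, so he exists only here.
ENVELOPE_FROM = "alice@example.org"
ENVELOPE_RCPTS = ["bob@example.org", "carol@example.org", "dave@example.org"]


def build_message():
    """Constructed message as the MTA receives it (the MUA already dropped Bcc:)."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.org>"
    msg["To"] = "bob@example.org"
    msg["Cc"] = "carol@example.org"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Draft attached.\n")
    return msg


def blind_recipients(msg, rcpts):
    """Envelope recipients that no To:/Cc: header mentions."""
    shown = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses([str(h) for h in shown])}
    return {r.lower() for r in rcpts} - visible


def deliver(msg, env_from, rcpts, stamping):
    """Return {recipient: delivered copy} with headers stamped per mode.

    sender-only    : Return-Path only (what the sendmail.cf line in the thread adds)
    all-recipients : X-Envelope-To lists every RCPT on one shared copy
    per-recipient  : X-Envelope-To holds only this copy's recipient (assumed mode)
    """
    wire = msg.as_string()
    copies = {}
    for rcpt in rcpts:
        out = message_from_string(wire, policy=policy.default)
        out["Return-Path"] = f"<{env_from}>"
        if stamping == "all-recipients":
            out["X-Envelope-To"] = ", ".join(rcpts)
        elif stamping == "per-recipient":
            out["X-Envelope-To"] = rcpt
        elif stamping != "sender-only":
            raise ValueError(f"unknown stamping mode: {stamping}")
        copies[rcpt] = out
    return copies


def bcc_leaks(copies, blind):
    """List (reader, leaked_address) pairs: a blind address visible to someone else."""
    leaks = []
    for reader, msg in copies.items():
        seen = set()
        for _, value in msg.items():
            seen.update(a.lower() for a in ADDR_RE.findall(str(value)))
        for addr in sorted((seen & blind) - {reader.lower()}):
            leaks.append((reader, addr))
    return leaks


if __name__ == "__main__":
    message = build_message()
    hidden = blind_recipients(message, ENVELOPE_RCPTS)
    for mode in ("sender-only", "all-recipients", "per-recipient"):
        found = bcc_leaks(deliver(message, ENVELOPE_FROM, ENVELOPE_RCPTS, mode), hidden)
        print(f"{mode:15s} leaks: {found}")
```

Running the same `bcc_leaks` check over a sample of delivered mail is a quick audit for any filter or milter that adds envelope headers.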
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:29 2006 Subject: Mydoom Virus getting Through - High Spam Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C527@jessica.herefordshire.gov.uk> Kai Schaetzl wrote >> Then suddenly a new exploit with a hitherto considered safe filetype appears. >> >> Boom! > No Boom. >> Virus scan everything first, then do the other checks. > You did not understand. If a file is blocked by type, it is blocked. No Boom. > If it is not blocked by type it is virus scanned. So, where's the problem? I did say "a hitherto considered safe" filetype, i.e, one you let through. Call me paranoid if you like, but I don't like the idea of having virus-infected files sitting in quarantine without MailScanner telling me that they are infected. It's an accident waiting to happen. Agreed, it's a small window of opportunity, but under pressure human error occurs. > Back to your original question I hooked on: I see high-scoring spam marked > as containing a virus as well, so there must be something different in your > setup if it doesn't work for you. High Scoring Spam Actions = store delete Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK From ugob at CAMO-ROUTE.COM Fri Feb 13 14:30:12 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:29 2006 Subject: yoursite config Message-ID: <54C38A0B814C8E438EF73FC76F3629274108E4@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: Wei Li [mailto:wei@eng.fsu.edu] > Sent: Friday, February 13, 2004 9:14 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: yoursite config > > > Hi, > > I've installed mailscanner yesterday and it runs great. Thank you all. > > Other two more questions, first, where can I change yoursite > to my department > name in the following: in MailScanner.conf: %org-name% = yoursite > > X-yoursite-MailScanner-Information: Please contact the ISP for more > information > > X-yoursite-MailScanner: Found to be clean > > Second question: it seems spamassassin does not work because I > tried to send > myself a test one from spamassassin website but it went through. Please give more info, your config, your settings... > > Thanks again. > > Wei > From ugob at CAMO-ROUTE.COM Fri Feb 13 14:32:56 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:29 2006 Subject: SA timeout setting? Message-ID: <54C38A0B814C8E438EF73FC76F3629274108E5@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: Kai Schaetzl [mailto:maillists@conactive.com] > Sent: Friday, February 13, 2004 9:00 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: SA timeout setting? > > > I'm still getting an occasional SA time-out when using > Mailscanner and I > can't repro it when scanning the same message again. I > thought I had seen > a time-out setting of 20 seconds in Mailscanner.conf but that > was wrong. > There's only a time-out counter. What's the time-out MS uses > for SA and > how can I change it? > (No, I'm not using any RBL tests in SA, never did.) in MailScanner.conf # If SpamAssassin takes longer than this (in seconds), the check is # abandoned and the timeout noted. SpamAssassin Timeout = 200 Better try to see where the timeouts come from, though. So you disabled all the RBL tests in SA? > > > Kai > > -- > > Kai Schätzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > IE-Center: http://ie5.de & http://msie.winware.org > From campbell at CNPAPERS.COM Fri Feb 13 14:50:51 2004 
From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:22:30 2006 Subject: Afterthought about bouncing References: <200402131354.i1DDsBaa028981@avwall.bladeware.com> Message-ID: <007801c3f240$c6ef34e0$e301a8c0@cnpapers.net> Mr. Kercher & Mr. Earickson, Sorry to be so loose-worded in my query. My main problem is I have always taken the easy way of configuring sendmail with linuxconf. I inherited a mail server configured this way and never changed it. Now, with all of this spam crap, I need to use, or at least think I need to use, more of what sendmail offers than what linuxconf would do for me. Based on what both of you have said, I may not have to change over. I have looked many times for a way to drop messages completely at the MTA based on whether the user exists or not, similar to the way a firewall can drop packets. But it looks like at the very least, I will always either generate and send a "user unknown message" back to the sender (real or not) or forward the message to this catch all (dead box) account. Doublebounce would handle the return from the return if one is generated. If I don't use the catch all account, though, am I really returning the email back to the sender, or just the notification that the user doesn't exist and dropping the original email? Either way, aren't I spamming the innocent returnee who probably never sent the original? Unless I misread Mr. Kercher below, he indicates that my server will not generate an email to the *sender*, but won't it still send the "user_unknown" reply back. How do I stop the "user_unknown" reply other than using a catch all account? Thanks very much. Does this make sense? Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- 
From: "Mike Kercher" To: Sent: Friday, February 13, 2004 8:56 AM Subject: Re: Afterthought about bouncing > I'm not sure I understand exactly what you're wanting to do, but I'll give > it a shot. > > If an email is not deliverable due to an addressing error, your machine > should reject the email connection with a "user unknown". Your server would > not generate an email to the *sender*. Their MTA would bounce the message > back to the sender as undeliverable. This is not any additional load on > your server. I would leave it up to the sender to make sure the address is > correct before sending...not the postmaster. > > If you want to catch all of the mis-addressed emails, add an entry to your > /etc/mail/virtusertable: > > @yourdomain.com localuser@yourdomain.com > > This is called a catch-all. You could also add a few entries for commonly > mispelled addresses such as: > > johndeo@domain.com johndoe@domain.com > m.smith@domain.com msmith@domain.com > > Mike > > > > -----Original Message----- 
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Campbell > > Sent: Thursday, February 12, 2004 8:49 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Afterthought about bouncing > > > > To the list, > > > > I really never thought about this until my recent explosion > > of invalid-user emails sent to our domains and my > > undetermined reason for slowness. Could someone explain the > > definition of bouncing to me in their own environment and > > tell me what they think of the below stuff? > > > > I use a dead box here to capture nonexistent user emails, > > where they are reviewed for simple mis-typed addressing, and > > then either forwarded to the proper user or discarded. I > > blacklist heavily on "From:" to throw away emails. > > In this situation, I hope I am not bouncing much. > > > > As I research my move to using M4 for pure Sendmail, getting > > away from linuxconf, I have not seen a way to prevent the NDR > > message generated by sendmail when I do not use a fallover > > address (dead box). It appears that this will always occur. > > Isn't this a form of bouncing even though I am not forwarding > > the original message? I want to eliminate as much for MS to > > do as possible, and want to do this at the MTA (SendMail, again). > > > > Please no wars about bouncing. Just the facts, ma'am. (That's > > from the TV show Dragnet to all of you youngsters). > > > > Thanks, > > > > Steve Campbell > > Charleston Newspapers > > campbell@cnpapers.com > > > > > > > > > > > > ------------------------------------------------- > > This mail sent through IMP: http://horde.org/imp/ > > From campbell at CNPAPERS.COM Fri Feb 13 15:01:55 2004 
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:30 2006
Subject: yoursite config
References: <54C38A0B814C8E438EF73FC76F3629274108E4@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <00a501c3f242$526945a0$e301a8c0@cnpapers.net>

I've set my org-name and it doesn't make any difference. I still get the default headers. Using 4.26.8. Stopped and started doesn't make a difference either.

%org-name% = CNPapers

gives me

X-MailScanner: Found to be clean

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Ugo Bellavance"
To:
Sent: Friday, February 13, 2004 9:30 AM
Subject: Re: yoursite config

> -----Original Message-----
> From: Wei Li [mailto:wei@eng.fsu.edu]
> Sent: Friday, February 13, 2004 9:14 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: yoursite config
>
> Hi,
>
> I've installed mailscanner yesterday and it runs great. Thank you all.
>
> Other two more questions, first, where can I change yoursite to my department
> name in the following:

in MailScanner.conf:

%org-name% = yoursite

> X-yoursite-MailScanner-Information: Please contact the ISP for more information
>
> X-yoursite-MailScanner: Found to be clean
>
> Second question: it seems SpamAssassin does not work because I tried to send
> myself a test one from the SpamAssassin website but it went through.

Please give more info, your config, your settings...

> Thanks again.
>
> Wei

From dean.plant at ROKE.CO.UK Fri Feb 13 14:58:27 2004
From: dean.plant at ROKE.CO.UK (Plant, Dean)
Date: Thu Jan 12 21:22:30 2006
Subject: Mydoom Virus getting Through - High Spam
Message-ID:

We don't suffer from this problem as we forward all high scoring spam to an exchange folder. This way all mail has passed through virus checking giving correct statistics.

Dean.

-----Original Message-----
From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK]
Sent: 13 February 2004 10:57
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mydoom Virus getting Through - High Spam

There'll be some pointy-haired boss somewhere who demands statistics about numbers of viruses blocked. Telling them "we can't tell you, most viruses are marked as spam" doesn't go down too well, alas.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 12 February 2004 21:47 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mydoom Virus getting Through - High Spam > > > At 21:31 12/02/2004, you wrote: > >Julian Field wrote on Thu, 12 Feb 2004 18:19:33 +0000: > > > > > You can't trust anything that is in any header. > > > > > > >I see what you mean. But I guess there is some way to handle > this. But > >even without a second scanning I think it's worthwhile to > consider adding > >such an option. > > > >What I was thinking is: why handle the extra load if I > already know that a > >message contains a virus or a filetype I want to block? At > the moment all > >viruses are scanned for spam as well which looks like a > waste of time for > >me. > >I suppose just determining the file type would be the > fastest check, then > >maybe virus scanning and then spam scanning. If we get an > .exe file we > >don't care to know which virus it is or if the tweaked SA > rules would have > >caught it as well. > > But if it contains a harmless exe and a doc, you want to let the doc > through so long as it isn't infected. So you still have to > virus scan the > message. > > > Just stopping and quarantining is enough. Doing > >something like this could lower the load considerably I think. > > > >At least at the moment I think it would be a good idea if I > could tell it > >to scan in this order: > > > >- filetype/extension detection > >- virus detection > >- spam detection > > I am looking at being able to switch virus+filetype with > spam. It's not > trivial. During normal times (i.e. not during big virus > attacks) you get > far more spam than viruses, so you want to throw away the spam first. > During big virus attacks you want to be able to throw away > the viruses first. > So it needs to be switchable. 
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ

The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship.

From dean.plant at ROKE.CO.UK Fri Feb 13 15:06:33 2004
From: dean.plant at ROKE.CO.UK (Plant, Dean)
Date: Thu Jan 12 21:22:30 2006
Subject: Blocking incorrectly addressed mail when relaying to Exchange
Message-ID:

Thanks for this Kevin. This is something we will be looking at in the future.

Dean Plant

-----Original Message-----
From: Kevin Spicer [mailto:kevin@KEVINSPICER.CO.UK]
Sent: 12 February 2004 22:12
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Blocking incorrectly addressed mail when relaying to Exchange

There's been some interest expressed in this in the past. Recently Jan-Peter Koopman posted a vb script to the list to produce a list of email addresses from active directory (he was using it with exim I believe). I've managed to get this to work for sendmail, with a little perl script of my own and sendmail's ldap_routing feature (which despite its name doesn't need to use ldap).

I've added a description of how I did this (and the necessary scripts) to the FAQ
http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?file=270

enjoy!

[By the way this isn't the only way to do this - some people may prefer to use LDAP directly from sendmail]

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net

--
Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ

The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship.

From ugob at CAMO-ROUTE.COM Fri Feb 13 15:08:35 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:30 2006
Subject: yoursite config
Message-ID: <54C38A0B814C8E438EF73FC76F3629273132F9@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Wei Li [mailto:wei@eng.fsu.edu]
> Sent: Friday, February 13, 2004 9:56 AM
> To: Ugo Bellavance
> Subject: Re: yoursite config
>
> Hi, Bellavance,
>
> When I tried to send myself a spam test message. It went through...
>
> What could I do to config the SpamAssassin?

I repeat myself for a reason: Please give _more_ information. What you provide us with is far less than sufficient to make a good diagnostic of your problem. By the way, have you taken some time to go through /etc/MailScanner/MailScanner.conf?

> Thanks
>
> Date: Thu, 02 Nov 2003 12:34:56 -0400
> From: "WebMaster" > To: "User" > Subject: ROUTING test file > X-yoursite-MailScanner-Information: Please contact the ISP > for more information > X-yoursite-MailScanner: Found to be clean > X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on > lynx.eng.fsu.edu > X-Spam-Status: No, hits=0.0 required=5.0 > tests=BAYES_01,DATE_IN_PAST_96_XX > autolearn=no version=2.63 > X-Spam-Level: > > This is a test message that was sent to you because you > (or someone you know) visited our page at > http://www.declude.com/tools . > > This is a sample E-mail designed to trigger spam tests. > Depending on the software you use, it may or may not get > marked as spam. Visit http://www.declude.com for our > Declude JunkMail solution for IMail servers. > > Test: ROUTING > > Description: This E-mail was (apparently) sent from a United > States IP, through a Chinese mailserver, and back to a U.S. > destination. It will likely get caught be anti-spam software > that analyzes the routing of an E-mail. It should fail the > Declude JunkMail ROUTING test. > > >X-RAL-MFrom: > >X-RAL-Connect: > >Content-Class: urn:content-classes:message > >MIME-Version: 1.0 > >Content-Transfer-Encoding: quoted-printable > >X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 > >X-MS-Has-Attach: > >X-MS-TNEF-Correlator: > >Thread-Topic: yoursite config > >thread-index: AcPyO7maPQjpu1YCR9Ol/4tD+73qiQAAg2eA > >X-camo-route-MailScanner-Information: Contactez le > gestionnaire de courriels > >X-camo-route-MailScanner: Found to be clean > >X-Scanned-By: MIMEDefang 2.39 > >Date: Fri, 13 Feb 2004 09:30:12 -0500 
> >From: Ugo Bellavance > >Subject: Re: yoursite config > >To: MAILSCANNER@JISCMAIL.AC.UK > >X-yoursite-MailScanner-Information: Please contact the ISP > for more information > >X-yoursite-MailScanner: Found to be clean > >X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on > lynx.eng.fsu.edu > >X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 > autolearn=ham > version=2.63 > >X-Spam-Level: > > > >> -----Message d'origine----- > >> De : Wei Li [mailto:wei@eng.fsu.edu] > >> Envoy? : Friday, February 13, 2004 9:14 AM > >> ? : MAILSCANNER@JISCMAIL.AC.UK > >> Objet : yoursite config > >> > >> > >> Hi, > >> > >> I've installed mailscanner yesterday and it runs great. > Thank you all. > >> > >> Other two more questions, first, where can I change yoursite > >> to my department > >> name in the following: > > > >in MailScanner.conf: > > > >%org-name% = yoursite > > > >> > >> X-yoursite-MailScanner-Information: Please contact the ISP for more > >> information > >> > >> X-yoursite-MailScanner: Found to be clean > >> > >> Second question: it seems spamassasin does not work because I > >> tried to send > >> myself an test one from spamassasin website but it went through. > > > >Please give more info, your config, your settings... > >> > >> Thanks again. > >> > >> Wei > >> > > ************************************************************ > > Wei Li @__ ----- > System Administrator _,>/'_ ---- > FAMU-FSU College of Engineering (*) \(*) --- > O:332 - C Tel:(850)410-6157 > > ************************************************************ > > ============================================================ > With a PC, I always felt limited by the software available. > On Unix, I am limited only by my knowledge. > > --Peter J. Schoenster > ============================================================ > > > > From dwinkler at ALGORITHMICS.COM Fri Feb 13 15:08:52 2004 
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:30 2006
Subject: Adding Envelope Headers?
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BB@tormail2.algorithmics.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Kai Schaetzl
> Sent: Friday, February 13, 2004 9:00 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Adding Envelope Headers?
>
> Derek Winkler wrote on Thu, 12 Feb 2004 16:51:29 -0500:
>
> > I added the from to X-Algo-MailScanner-Information with a custom function.
>

Make this change to your MailScanner.conf

Information Header Value = &AddEnvelopeAddress

Then add these functions to CustomConfig.pm:

#
# Add the envelope address to the "Information Header Value" config parameter.
#
sub InitAddEnvelopeAddress {
  # No initialisation needs doing here at all.
  MailScanner::Log::InfoLog("Initialising AddEnvelopeAddress");
}

sub EndAddEnvelopeAddress {
  # No shutdown code needed here at all.
  MailScanner::Log::InfoLog("Ending AddEnvelopeAddress");
}

sub AddEnvelopeAddress {
  my($message) = @_;
  my $from = $message->{from};

  # Only put the envelope sender in the header if it looks like a plain address.
  if ($from !~ m/^[\w-]+(?:\.[\w-]+)*@(?:[\w-]+\.)+[a-zA-Z]{2,7}$/) {
    $from="unknown";
  }

  return "Please contact Whoever for more information ($from)";
}

Envelope from will now appear in the header defined by "Information Header" in MailScanner.conf.

> Sorry, I fear I don't understand what you mean or maybe I just fear I won't
> be able to do that. But, wouldn't it be much better to have it added like
>
> X-Envelope-From:
> X-Envelope-To:
>
> instead of being buried in some other information?
>
> > That's your MTA's job.
> >
>
> Almost overlooked that one. I think that's strictly a point-of-view thing.
> Why should it be natural for the MTA to do? Anyway, I searched around how
> sendmail could do this and it simply doesn't. I found only these clumsy
> procmail solutions:
> http://www.sendmail.org/faq/section3.html#3.29
> http://www.polbox.com/a/anfi/sendmail/sharedmailbox.html
> and still no X-Envelope-From.
>
> We are currently using a milter which happily adds both headers by default
> and I found that they are very useful for everything concerning anti-spam
> measures, adding to access.db etc. but also for whitelisting. Actually, I
> was quite surprised when first checking out Mailscanner that it doesn't add
> these headers and wonder why it doesn't. Mailscanner seems to be the perfect
> place to do it. Obviously, sendmail doesn't do, that's why several milters
> add them (f.i. amavis-new does it, but why add another milter to the chain
> if I don't need it for other things?).
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
> IE-Center: http://ie5.de & http://msie.winware.org

From Uwe.Krause at FEP.FRAUNHOFER.DE Fri Feb 13 15:12:42 2004
From: Uwe.Krause at FEP.FRAUNHOFER.DE (Krause, Uwe)
Date: Thu Jan 12 21:22:30 2006
Subject: yoursite config
Message-ID: <8DDE8CA53DC5F24DA4B7D074DDE8109F438025@midgard.fep.fhg.de>

Already tried the Debug Mode ?

Uwe

From dwinkler at ALGORITHMICS.COM Fri Feb 13 15:17:23 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:30 2006
Subject: CustomConfig Local Functions
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BC@tormail2.algorithmics.com>

Would it be possible to have something like,

if ( -f "/opt/MailScanner/etc/CustomConfig.pm") {
  do "/opt/MailScanner/etc/CustomConfig.pm";
}

added to CustomConfig.pm?

I like to keep my local functions in a location other than the included CustomConfig.pm.

Thanks,

Derek Winkler
Security Administrator
Algorithmics
185 Spadina Ave
Toronto, Ontario
Canada M5T 2C6
Phone: 416-217-4107
Fax: 416-971-6100

From maillists at CONACTIVE.COM Fri Feb 13 15:31:43 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:30 2006
Subject: Mydoom Virus getting Through - High Spam
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C527@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C527@jessica.herefordshire.gov.uk>
Message-ID:

Phil Randal wrote on Fri, 13 Feb 2004 14:18:32 -0000:

> I did say "a hitherto considered safe" filetype, i.e, one you let through.

But there is no file type I "let thru". There are only file types I do NOT let thru. Any non-blocked file makes it to the virus scan.

>
> Call me paranoid if you like, but I don't like the idea of having
> virus-infected files sitting in quarantine without MailScanner telling me
> that they are infected.

I can perfectly understand this. However, others like me won't mind.

>
> It's an accident waiting to happen.
>
> Agreed, it's a small window of opportunity, but under pressure human error
> occurs.

That's why I thought it might be useful to start scanning a released email with the next "stage". This would prevent the small chance of a user releasing a blocked file type which contains a virus from happening. However, if that is painful to implement I'm quite happy without it. But just allowing MS to stop scanning if a match occurs shouldn't be that difficult I assume. If Julian doesn't like the idea he won't put it in, anyway ;-)

>
> > Back to your original question I hooked on: I see high-scoring spam marked
> > as containing a virus as well, so there must be something different in your
> > setup if it doesn't work for you.
>
> High Scoring Spam Actions = store delete
>

Ah, we just have "store". This implies that MS first does the spam scan and then already discards the mail. Maybe you could direct high scoring spam with some rules in a different quarantine directory and remove the "delete"? If that is possible you could then run a deletion script from cron.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From dahlberg at BUCKNELL.EDU Fri Feb 13 15:36:00 2004
From: dahlberg at BUCKNELL.EDU (Michael Dahlberg)
Date: Thu Jan 12 21:22:30 2006
Subject: Performance and accuracy issues
Message-ID: <20040213153559.GA1477@bucknell.edu>

Fantastic piece of software...I can't imagine running a mail server without it. However, the latest upgrade (from 4.13-3 to 4.26.8) has uncovered a few issues.

A little about our config: MailScanner (4.26.8) runs with Sophos (3.78d) on a dual processor Sun 220R with 2GB RAM. The MailScanner.conf file is set to start 10 child processes which will scan a max of 30 messages. MailScanner also runs in queue mode rather than batch. We do no spam analysis, just virus scanning. I've also installed the first Message.pm perl mod that Julian Field released a couple of days ago.

I've noticed that when running the SAVI engine (Virus Scanner = sophossavi), rather than `sweep` (Virus Scanner = sophos) it takes about 3x as long with the SAVI engine (approx. 3 min to scan 100 messages using SAVI versus 1 min with sweep). Also when I use the SAVI engine, more MyDoom-infected email messages are found and removed.

Is this the experience of other readers of this list? Does anyone have an explanation or advice on which virus scanner (Sophos or SAVI) to use?

Thanks,
Mike

######################
Michael Dahlberg
Systems Integrator
Bucknell University
######################

From mkettler at EVI-INC.COM Fri Feb 13 15:59:47 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:30 2006
Subject: SA timeout setting?
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20040213105648.026720b8@xanadu.evi-inc.com>

At 09:00 AM 2/13/2004, Kai Schaetzl wrote:
>I'm still getting an occasional SA time-out when using Mailscanner and I
>can't repro it when scanning the same message again. I thought I had seen
>a time-out setting of 20 seconds in Mailscanner.conf but that was wrong.
>There's only a time-out counter. What's the time-out MS uses for SA and
>how can I change it?
>(No, I'm not using any RBL tests in SA, never did.)

From MailScanner.conf:

# If SpamAssassin takes longer than this (in seconds), the check is
# abandoned and the timeout noted.
SpamAssassin Timeout = 60

# This means that remote network failures causing SpamAssassin trouble will
# not mean your mail stops flowing.
Max SpamAssassin Timeouts = 20

Note: in general you shouldn't be getting timeouts for SA if you don't use RBLS, and don't use razor/dcc/pyzor.

It could be a matter of bayes expiry runs causing timeouts if you use bayes. Some of the most recent versions of MailScanner actively manage bayes expiry to prevent timeouts while processing messages. If your version doesn't, you can make a short-term fix by having a daily cron job call sa-learn --force-expire.

From martinh at SOLID-STATE-LOGIC.COM Fri Feb 13 16:04:54 2004
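A stand-alone harness for the sender check in the AddEnvelopeAddress function from the "Adding Envelope Headers?" message above, added here as an example; it is not code from any list member or from MailScanner. It runs the posted pattern and a variant anchored with \A and \z (an assumption of this example) over constructed sender strings; the header_value and visible helpers and all sample addresses are hypothetical.

```perl
#!/usr/bin/perl
# Added example: stand-alone harness, not MailScanner code and not from the list.
use strict;
use warnings;

# Pattern as posted (with "@" escaped). In Perl, "$" also matches just before
# a newline that ends the string.
my $posted = qr/^[\w-]+(?:\.[\w-]+)*\@(?:[\w-]+\.)+[a-zA-Z]{2,7}$/;

# Variant assumed for this example: \A and \z match only at the true start
# and end of the string, so a trailing newline no longer slips through.
my $strict = qr/\A[\w-]+(?:\.[\w-]+)*\@(?:[\w-]+\.)+[a-zA-Z]{2,7}\z/;

# Hypothetical helper with the same logic as AddEnvelopeAddress, taking the
# sender string and a pattern instead of a MailScanner message object.
sub header_value {
    my ($from, $pattern) = @_;
    $from = 'unknown' unless defined $from && $from =~ $pattern;
    return "Please contact Whoever for more information ($from)";
}

# Make CR and LF visible when a sample is printed.
sub visible {
    my ($text) = @_;
    $text =~ s/\r/\\r/g;
    $text =~ s/\n/\\n/g;
    return $text;
}

# Constructed sender strings; none come from the list or from real mail.
my @samples = (
    'alice@example.com',               # plain address
    'first.last@mail.example.org',     # dotted local part, subdomain
    "alice\@example.com\n",            # trailing newline
    "alice\@example.com\nX-Test: 1",   # embedded newline plus extra text
    '',                                # empty sender
    '<>',                              # null sender as written in SMTP
    'bob+tag@example.com',             # plus-addressing
    'root@localhost',                  # no dot in the domain
    'carol@example.technology',        # top-level domain longer than 7 letters
);

for my $sender (@samples) {
    my $old = header_value($sender, $posted);
    my $new = header_value($sender, $strict);

    # A CR or LF in the returned value would break the header across lines.
    my $splits = ($old =~ /[\r\n]/) ? 'yes' : 'no';

    printf "%-34s posted: %-8s strict: %-8s header splits (posted): %s\n",
        '"' . visible($sender) . '"',
        ($old =~ /\(unknown\)\z/ ? 'unknown' : 'accepted'),
        ($new =~ /\(unknown\)\z/ ? 'unknown' : 'accepted'),
        $splits;
}
```

Only the trailing-newline sample is treated differently by the two patterns. The plus-addressed, dot-less and long-TLD senders are reported as "unknown" by both, which matters if the header is later used for whitelisting or access.db entries.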
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:30 2006 Subject: Performance and accuracy issues In-Reply-To: <20040213153559.GA1477@bucknell.edu> References: <20040213153559.GA1477@bucknell.edu> Message-ID: <402CF5A6.1080008@solid-state-logic.com> Michael Dahlberg wrote: > Fanatastic piece of software...I can't imagine running a mail server > without it. However, the latest upgrade (from 4.13-3 to 4.26.8) has > uncovered a few issues. > > A little about our config: MailScanner (4.26.8) runs with Sophos > (3.78d) on a dual processor Sun 220R with 2GB RAM. The > MailScanner.conf file is set to start 10 child processes which will > scan a max of 30 messages. MailScanner also runs in queue mode rather > than batch. We do no spam analysis, just virus scanning. I've also > installed the first Message.pm perl mod that Julian Fields released a > couple of days ago. > > I've noticed that when running the SAVI engine (Virus Scanner = > sophossavi), rather than `sweep` (Virus Scanner = sophos) it > takes about 3x as long with the SAVI engine (approx. 3 min to scan 100 > messages using SAVI versus 1 min with sweep). Also when I use the > SAVI engine, more MyDoom-infected email messages are found and > removed. > > Is this the experience of other readers of this list? Does anyone > have an explanation or advice on which virus scanner (Sophos or SAVI) > to use? > > Thanks, > Mike > > ###################### > Michael Dahlberg > Systems Integrator > Bucknell University > ###################### Mike the Savi engine 'should' be quicker as it doesn't need to fork a process. I'd check the Savi install and make sure you've got all the required Perl modules. It's also worth checking the archives to see which is 'quicker' queue or batch. I've got mine set to batch as the default, so maybe the batch mode is better..??? 

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at ecs.soton.ac.uk Fri Feb 13 16:08:56 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:30 2006 Subject: Performance and accuracy issues In-Reply-To: <402CF5A6.1080008@solid-state-logic.com> References: <20040213153559.GA1477@bucknell.edu> <402CF5A6.1080008@solid-state-logic.com> Message-ID: <6.0.1.1.2.20040213160721.03ea77a8@imap.ecs.soton.ac.uk> At 16:04 13/02/2004, you wrote: >Michael Dahlberg wrote: >>Fanatastic piece of software...I can't imagine running a mail server >>without it. However, the latest upgrade (from 4.13-3 to 4.26.8) has >>uncovered a few issues. >> >>A little about our config: MailScanner (4.26.8) runs with Sophos >>(3.78d) on a dual processor Sun 220R with 2GB RAM. The >>MailScanner.conf file is set to start 10 child processes which will >>scan a max of 30 messages. MailScanner also runs in queue mode rather >>than batch. We do no spam analysis, just virus scanning. I've also >>installed the first Message.pm perl mod that Julian Fields released a >>couple of days ago. >> >>I've noticed that when running the SAVI engine (Virus Scanner = >>sophossavi), rather than `sweep` (Virus Scanner = sophos) it >>takes about 3x as long with the SAVI engine (approx. 3 min to scan 100 >>messages using SAVI versus 1 min with sweep). Also when I use the >>SAVI engine, more MyDoom-infected email messages are found and >>removed. >> >>Is this the experience of other readers of this list? Does anyone >>have an explanation or advice on which virus scanner (Sophos or SAVI) >>to use? >> >>Thanks, >>Mike >> >>###################### >>Michael Dahlberg >>Systems Integrator >>Bucknell University >>###################### >Mike > >the Savi engine 'should' be quicker as it doesn't need to fork a process. > >I'd check the Savi install and make sure you've got all the required >Perl modules. > >It's also worth checking the archives to see which is 'quicker' queue or >batch. I've got mine set to batch as the default, so maybe the batch >mode is better..??? 

There is no very good reason to run in "queue" mode rather than "batch". It will just delay your mail. The only use for "queue" is when debugging so that you can lift messages out of mqueue. I might integrate the "queue" functionality into the "Debug" option at some point, and remove the "queue" option altogether.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Feb 13 15:58:22 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:30 2006
Subject: yoursite config
In-Reply-To: <00a501c3f242$526945a0$e301a8c0@cnpapers.net>
References: <54C38A0B814C8E438EF73FC76F3629274108E4@mtlnt501fs.CAMOROUTE.COM> <00a501c3f242$526945a0$e301a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20040213155720.03b31ad8@imap.ecs.soton.ac.uk>

Yes, but if you have upgraded you will find that %org-name% doesn't appear in the values of the headers. It's just a simple text substitution, nothing clever. If you don't refer to %org-name% in your header names as defined in MailScanner.conf, then it won't use the definition of %org-name%.

At 15:01 13/02/2004, you wrote:
>I've set my org-name and it doesn't make any difference. I still get the
>default headers. Using 4.26.8. Stopped and started doesn't make a difference
>either.
>
>%org-name% = CNPapers
>
>gives me
>
>X-MailScanner: Found to be clean
>
>
>Steve Campbell
>campbell@cnpapers.com
>Charleston Newspapers
>
>
>----- Original Message -----
>From: "Ugo Bellavance" >To: >Sent: Friday, February 13, 2004 9:30 AM >Subject: Re: yoursite config > > > > -----Message d'origine----- > > De : Wei Li [mailto:wei@eng.fsu.edu] > > Envoy? : Friday, February 13, 2004 9:14 AM > > ? : MAILSCANNER@JISCMAIL.AC.UK > > Objet : yoursite config > > > > > > Hi, > > > > I've installed mailscanner yesterday and it runs great. Thank you all. > > > > Other two more questions, first, where can I change yoursite > > to my department > > name in the following: > >in MailScanner.conf: > >%org-name% = yoursite > > > > > X-yoursite-MailScanner-Information: Please contact the ISP for more > > information > > > > X-yoursite-MailScanner: Found to be clean > > > > Second question: it seems spamassasin does not work because I > > tried to send > > myself an test one from spamassasin website but it went through. > >Please give more info, your config, your settings... > > > > Thanks again. > > > > Wei > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Feb 13 15:59:39 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:30 2006
Subject: CustomConfig Local Functions
In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BC@tormail2.algorithmics.com>
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BC@tormail2.algorithmics.com>
Message-ID: <6.0.1.1.2.20040213155852.03c44268@imap.ecs.soton.ac.uk>

At 15:17 13/02/2004, you wrote:
>Would it possible to have something like,
>
>if ( -f "/opt/MailScanner/etc/CustomConfig.pm") {
>  do "/opt/MailScanner/etc/CustomConfig.pm";
>}
>
>added to CustomConfig.pm?
>
>I like to keep my local functions in a location other than the included
>CustomConfig.pm.

Just add a "require" statement to CustomConfig.pm.
Also, note that if you change CustomConfig.pm at all, it will *not* be overwritten by any later upgrade. So your mods are quite safe in there.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Feb 13 16:01:04 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:30 2006
Subject: Mydoom Virus getting Through - High Spam
In-Reply-To:
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C527@jessica.herefordshire.gov.uk>
Message-ID: <6.0.1.1.2.20040213155956.03cad008@imap.ecs.soton.ac.uk>

At 15:31 13/02/2004, you wrote:
>Phil Randal wrote on Fri, 13 Feb 2004 14:18:32 -0000:
> > > High Scoring Spam Actions = store delete
> > >
>Ah, we just have "store".

That will do exactly the same thing here. Because you have asked it to "store" it ignores the conflicting "delete".

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Feb 13 16:17:00 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:30 2006
Subject: Performance and accuracy issues
In-Reply-To: <6.0.1.1.2.20040213160721.03ea77a8@imap.ecs.soton.ac.uk>
References: <20040213153559.GA1477@bucknell.edu> <402CF5A6.1080008@solid-state-logic.com> <6.0.1.1.2.20040213160721.03ea77a8@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040213161515.03c91a98@imap.ecs.soton.ac.uk>

At 16:08 13/02/2004, you wrote:
>At 16:04 13/02/2004, you wrote:
>>Michael Dahlberg wrote:
>>>I've noticed that when running the SAVI engine (Virus Scanner =
>>>sophossavi), rather than `sweep` (Virus Scanner = sophos) it
>>>takes about 3x as long with the SAVI engine (approx. 3 min to scan 100
>>>messages using SAVI versus 1 min with sweep). Also when I use the
>>>SAVI engine, more MyDoom-infected email messages are found and
>>>removed.

Check your /usr/local/Sophos/lib directory to ensure that the links are pointing to the right (latest) versions of the library in there. Sounds like sweep is using a different version to SAVI.

When you built Perl-SAVI did you remember to make the mods to Makefile.PL?

Is your Sophos installation done with my Sophos.install script?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dwinkler at ALGORITHMICS.COM Fri Feb 13 16:20:26 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:30 2006
Subject: CustomConfig Local Functions
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BE@tormail2.algorithmics.com>

I use the tarball install on Solaris so unfortunately I have to re-create my changes after upgrade. Which usually means adding the below, just thought it would be pretty harmless to have this in the distro.

When I upgrade and forget to add it, chaos until I remember. I usually do remember to review the etc directory though.

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Friday, February 13, 2004 11:00 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: CustomConfig Local Functions > > > At 15:17 13/02/2004, you wrote: > >Would it possible to have something like, > > > >if ( -f "/opt/MailScanner/etc/CustomConfig.pm") { > > do "/opt/MailScanner/etc/CustomConfig.pm"; > >} > > > >added to CustomConfig.pm? > > > >I like to keep my local functions in a location other than > the included > >CustomConfig.pm. > > Just add a "require" statement to CustomConfig.pm. > Also, note that if you change CustomConfig.pm at all, it will *not* be > overwritten by any later upgrade. So your mods are quite safe > in there. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From ka at PACIFIC.NET Fri Feb 13 16:19:10 2004 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:30 2006 Subject: The subject line of notify Message-ID: <402CF8FE.6010107@pacific.net> Julian, Is it possible to change the subject line of the notify function, so that it includes something like:"{SPAM not delivered} [original subject here]"? I tested the notify function, and I like it, but would like the subject to contain the original subject so that it's easier to identify something that I might want to take a closer look at. Thanks, Ken A Pacific.Net From mailscanner at ecs.soton.ac.uk Fri Feb 13 16:50:20 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:30 2006 Subject: The subject line of notify In-Reply-To: <402CF8FE.6010107@pacific.net> References: <402CF8FE.6010107@pacific.net> Message-ID: <6.0.1.1.2.20040213164644.03fdbdf0@imap.ecs.soton.ac.uk> You can already do it. In the recipient.spam.report.txt file use a line like this: Subject: {SPAM not delivered} $subject I have added this change to the recipient.spam.report.txt in the distribution so it will be more obvious in future releases. At 16:19 13/02/2004, you wrote: >Julian, >Is it possible to change the subject line of the notify function, so >that it includes something like:"{SPAM not delivered} [original subject >here]"? >I tested the notify function, and I like it, but would like the subject >to contain the original subject so that it's easier to identify >something that I might want to take a closer look at. >Thanks, >Ken A >Pacific.Net -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Feb 13 20:01:02 2004 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:22:30 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200402132001.i1DK12P7032737@seer.ecs.soton.ac.uk> New Guestbook-Entry from Al Innnnnn credible software worth thousands.



Spammers should be sent to hell.... p.s. check out my website http://www.brooky.com LOL!!



Seriously thought this is amazing easy to install and very powerful.
From dahlberg at BUCKNELL.EDU Fri Feb 13 17:28:44 2004 From: dahlberg at BUCKNELL.EDU (Michael Dahlberg) Date: Thu Jan 12 21:22:30 2006 Subject: Performance and accuracy issues In-Reply-To: <6.0.1.1.2.20040213161515.03c91a98@imap.ecs.soton.ac.uk> References: <20040213153559.GA1477@bucknell.edu> <402CF5A6.1080008@solid-state-logic.com> <6.0.1.1.2.20040213160721.03ea77a8@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040213161515.03c91a98@imap.ecs.soton.ac.uk> Message-ID: <20040213172843.GC1477@bucknell.edu> Julian Field [mailscanner@ECS.SOTON.AC.UK] wrote: > At 16:08 13/02/2004, you wrote: > >At 16:04 13/02/2004, you wrote: > >>Michael Dahlberg wrote: > >>>I've noticed that when running the SAVI engine (Virus Scanner = > >>>sophossavi), rather than `sweep` (Virus Scanner = sophos) it > >>>takes about 3x as long with the SAVI engine (approx. 3 min to scan 100 > >>>messages using SAVI versus 1 min with sweep). Also when I use the > >>>SAVI engine, more MyDoom-infected email messages are found and > >>>removed. > > Check your /usr/local/Sophos/lib directory to ensure that the links are > pointing to the right (latest) versions of the library in there. Sounds > like sweep is using a different version to SAVI. > When you built Perl-SAVI did you remember to make the mods to Makefile.PL? > Is your Sophos installation done with my Sophos.install script? > -- The Sophos installation is done using the (mostly unmodified) /opt/MailScanner/bin/Sophos.install script (I needed to change the DISTRIB var from solaris.sparc.tar to solariss.tar since we install it from the CD distribution). The links in /usr/local/Sophos/lib point to the correct libraries (libsavi.so is a symlink to libsavi.so.2 which is a symlink to libsavi.so.3.2.07.054). The modifications were made in the Makefile.PL file for SAVI-Perl-0.15 to link the libraries from /usr/local/Sophos/lib. 
With regards to your previous comment about batch mode and queue mode, we run MailScanner on a separate system from the main campus mailserver. All mail goes to the MailScanner system which is then delivered to the main mail server (listed as a SMARTHOST in sendmail). We found that running in batch mode with >1 MailScanner process would, at times, swamp the main mail server with sendmail connections. Therefore we have left it in queue mode. If we change that my guess is that we'd see the same effect. However, the slow down isn't on the outbound queue side, it's on the inbound queue side. The number of messages in the /var/spool/mqueue.in directory keeps growing and we're slowly getting a real backlog.

Thanks for the help.

Mike

From maillists at CONACTIVE.COM Fri Feb 13 17:31:35 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:30 2006
Subject: Adding Envelope Headers?
In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BB@tormail2.algorithmics.com>
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BB@tormail2.algorithmics.com>
Message-ID:

Derek Winkler wrote on Fri, 13 Feb 2004 10:08:52 -0500:

> Make this change to your MailScanner.conf
>

Derek, many thanks, will try this today or tomorrow!

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Fri Feb 13 17:31:35 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:30 2006
Subject: SA timeout setting?
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629274108E5@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629274108E5@mtlnt501fs.CAMOROUTE.COM>
Message-ID:

Ugo Bellavance wrote on Fri, 13 Feb 2004 09:32:56 -0500:

> # If SpamAssassin takes longer than this (in seconds), the check is
> # abandoned and the timeout noted.
> SpamAssassin Timeout = 200

Thanks, I'll try that. What's the default value if not present?
This is not in the MailScanner.conf of a freshly installed 4.26.8-1 nor is it mentioned here: http://www.sng.ecs.soton.ac.uk/mailscanner/man/MailScanner.conf.3.html Any reason? > > Better try to see where the timeouts come from, though. I agree, but how? SA doesn't time out when I run it manually on the same messages. It's usually thru in about five seconds or less. > > So you disabled all the RBL tests in SA? > Yes. We test three RBLs at MTA level, No RBL tests at MS or SA level. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Fri Feb 13 17:31:35 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:30 2006 Subject: SA timeout setting? In-Reply-To: <6.0.0.22.0.20040213105648.026720b8@xanadu.evi-inc.com> References: <6.0.0.22.0.20040213105648.026720b8@xanadu.evi-inc.com> Message-ID: Matt Kettler wrote on Fri, 13 Feb 2004 10:59:47 -0500: > # If SpamAssassin takes longer than this (in seconds), the check is > # abandoned and the timeout noted. > SpamAssassin Timeout = 60 is that the default? Should be sufficient. > > # This means that remote network failures causing SpamAssassin trouble will > # not mean your mail stops flowing. > Max SpamAssassin Timeouts = 20 Hm, both settings are not in my Mailscanner.conf file. Weird. I have only similar settings for spam lists. > > Note: in general you shouldn't be getting timeouts for SA if you don't use > RBLS, and don't use razor/dcc/pyzor. It's all off. I've never used any of these. It could be a matter of bayes expiry > runs causing timeouts if you use bayes. > > Some of the most recent versions of MailScanner actively manage bayes > expiry to prevent timeouts while processing messages. If your version > doesn't, you can make a short-term fix by having a daily cron job call > sa-learn --force-expire. 
>

Bayes-expiry *was* the reason for the many time-outs I was getting when starting with Mailscanner, see my message Message-Id: on SAtalk. That came from a bayes db having some tokens in the future. Until I have fixed that I set the maximum token count to 1 mio. which stops any expiry runs and also stopped the many time-outs. Nevertheless, I'm still getting too many time-outs. I'm currently sending only about 100 or 200 messages (most of them spam) per day to the testing server with Mailscanner and I have about 10 SA time-outs per day. That's too many for my taste. I have about one year's experience with Mailcorral (milter) in connection with spamd and didn't see a time-out rate like this on the other machines. Can you suggest a debugging method to find out more about why the time-outs happen? I assume I would need to change the SA invocation string in some Mailscanner module or so?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Fri Feb 13 17:31:35 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:30 2006
Subject: Afterthought about bouncing
In-Reply-To: <007801c3f240$c6ef34e0$e301a8c0@cnpapers.net>
References: <200402131354.i1DDsBaa028981@avwall.bladeware.com> <007801c3f240$c6ef34e0$e301a8c0@cnpapers.net>
Message-ID:

Stephe Campbell wrote on Fri, 13 Feb 2004 09:50:51 -0500:

> Based on what both of you have said, I may not have to change over. I have
> looked many times for a way to drop messages completely at the MTA based on
> whether the user exists or not, similar to the way a firewall can drop
> packets.

That's exactly what sendmail does by default.

> But it looks like at the very least, I will always either generate
> and send a "user unknown message" back to the sender (real or not)

No, you don't. The sender sends either a message directly to your SMTP or to another SMTP (f.i. his ISPs).
If the user is unknown sendmail will generate a user unknown response right at SMTP delivery time, even before the body is processed and the other side knows it can't deliver. If it's another server it will try to send the mail back to the sender, if it's a client it will inform the user that it was undeliverable. That's how it is supposed to work. If you don't bounce these messages it means that people sending legitimate mail will not know that they sent a message to a recipient with a typo and it never got to the recipient. There is NO mail your SMTP produces here unless you have opted to get a postmaster notify to yourself on any such bounces.

> If I don't use the catch all account, though, am I really returning the
> email back to the sender, or just the notification that the user doesn't
> exist and dropping the original email?

This is up to the remote MTA. F.i. it could decide to just send a notification and drop the mail. You are not involved in that at all. Look at it like a ball being thrown at a wall with lots of holes. If it is too big to fit in one of them it will simply get bounced, you are not involved.

> Either way, aren't I spamming the
> innocent returnee who probably never sent the original?

No, it's supposed to work this way. See above - otherwise messages go to a black void and no one knows that it didn't reach the recipient.

> Unless I misread Mr.
> Kercher below, he indicates that my server will not generate an email to the
> *sender*, but won't it still send the "user_unknown" reply back. How do I
> stop the "user_unknown" reply other than using a catch all account?

You can't, either it is unknown or not. There are two types of "bounces" (or maybe more). "Good" ones and "evil" ones. A "user unknown" bounce is a good one in my taste while bouncing a virus or spam (or generating a return message "you sent us a virus") is a bad one, at least most people consider it nowadays a bad one for obvious reasons. Do you see the difference?
Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From mkipness at GENIANT.COM Fri Feb 13 17:38:31 2004 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:22:30 2006 Subject: vscan (trend filescan) wrapper? Message-ID: <399D85F2BB50BC4295F78EAE203D5C2221811E@dalsxc01.geniant.net> Hi, I downloaded the Trend FileScan from the freetools ftp site. The scanner works fine, and I modified the wrapper so that it works from the command line, but when adding 'trend' to MailScanner.conf, I get the following in the logs: Feb 13 11:12:37 endpoint MailScanner[18918]: FATAL: *Please go and READ* http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml as it will tell you what to do. Feb 13 11:12:38 endpoint MailScanner[18917]: New Batch: Scanning 1 messages, 96991 bytes Feb 13 11:12:38 endpoint MailScanner[18917]: Spam Checks: Starting Feb 13 11:12:38 endpoint MailScanner[18917]: Virus and Content Scanning: Starting Feb 13 11:12:42 endpoint MailScanner[18917]: FATAL: Encountered code that does not meet configured acceptable stability Does anybody have a wrapper that works? Is the default wrapper not feeding the right info to MailScanner? Thanks, Max -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040213/fbd7c8fc/attachment.html From gdoris at rogers.com Fri Feb 13 18:02:03 2004 From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:30 2006 Subject: vscan (trend filescan) wrapper? In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C2221811E@dalsxc01.geniant.net> References: <399D85F2BB50BC4295F78EAE203D5C2221811E@dalsxc01.geniant.net> Message-ID: <35524.129.80.22.133.1076695323.squirrel@65.48.246.102> > Hi, > > > > I downloaded the Trend FileScan from the freetools ftp site. 
The scanner > works fine, and I modified the wrapper so that it works from the command > line, but when adding 'trend' to MailScanner.conf, I get the following > in the logs: > > > > Feb 13 11:12:37 endpoint MailScanner[18918]: FATAL: *Please go and READ* > http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml as > it will tell you what to do. > > Feb 13 11:12:38 endpoint MailScanner[18917]: New Batch: Scanning 1 > messages, 96991 bytes > > Feb 13 11:12:38 endpoint MailScanner[18917]: Spam Checks: Starting > > Feb 13 11:12:38 endpoint MailScanner[18917]: Virus and Content Scanning: > Starting > > Feb 13 11:12:42 endpoint MailScanner[18917]: FATAL: Encountered code > that does not meet configured acceptable stability > > > > Does anybody have a wrapper that works? Is the default wrapper not > feeding the right info to MailScanner? > > > > Thanks, > > Max > Try changing the code status to alpha in MailScanner.conf (it's near the bottom of the file). Gerry From campbell at CNPAPERS.COM Fri Feb 13 18:09:33 2004 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:22:30 2006 Subject: Afterthought about bouncing References: <200402131354.i1DDsBaa028981@avwall.bladeware.com> <007801c3f240$c6ef34e0$e301a8c0@cnpapers.net> Message-ID: <001701c3f25c$8862df80$e301a8c0@cnpapers.net> Thank you Kai, I guess what I didn't realize, through all of this, is that I was testing by turning my catch-all account off, and sending a test to an invalid user at my domain, and my SMTP server (whose else?) was generating the reply. I was of the notion that my server would generate a reply for all invalid user receipts, not the sending SMTP server. Sorry to be so thick. I assume then that sendmail reacts exactly the same for multiple recipient emails (CC: and the like) even when they have valid and invalid recipients at the same domain, regardless of whether the first recipient is valid or not? Thanks loads for turning on the light. 
Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- From: "Kai Schaetzl" To: Sent: Friday, February 13, 2004 12:31 PM Subject: Re: Afterthought about bouncing Stephe Campbell wrote on Fri, 13 Feb 2004 09:50:51 -0500: > Based on what both of you have said, I may not have to change over. I have > looked many times for a way to drop messages completely at the MTA based on > whether the user exists or not, similar to the way a firewall can drop > packets. That's exactly what sendmail does by default. But it looks like at the very least, I will always either generate > and send a "user unknown message" back to the sender (real or not) No, you don't. The sender sends either a message directly to your SMTP or to another SMTP (f.i. his ISPs). If the user is unknown sendmail will generate a user unknown response right at SMTP delivery time, even before the body is processed and the other side knows it can't deliver. If it's another server it will try to send the mail back to the sender, if it's a client it will inform the user that it was undeliverable. That's how it is supposed to work. If you don't bounce these messages it means that people sending legimate mail will not know that they sent a message to a recipient with a typo and it never got to the recipient. There is NO mail your SMTP produces here unless you have opted to get a postmaster notify to yourself on any such bounces. > If I don't use the catch all account, though, am I really returning the > email back to the sender, or just the notification that the user doesn't > exist and dropping the original email? This is up to the remote MTA. F.i. it could decide to just send a notification and drop the mail. You are not involved in that at all. Look at it like a ball being thrown at a wall with lots of holes. If it is too big to fit in one of them it will simply get bounced, you are not involved. 
> Either way, aren't I spamming the
> innocent returnee who probably never sent the original?

No, it's supposed to work this way. See above - otherwise messages go to a black void and no one knows that it didn't reach the recipient.

> Unless I misread Mr.
> Kercher below, he indicates that my server will not generate an email to the
> *sender*, but won't it still send the "user_unknown" reply back. How do I
> stop the "user_unknown" reply other than using a catch all account?

You can't, either it is unknown or not. There are two types of "bounces" (or maybe more). "Good" ones and "evil" ones. A "user unknown" bounce is a good one in my taste while bouncing a virus or spam (or generating a return message "you sent us a virus") is a bad one, at least most people consider it nowadays a bad one for obvious reasons. Do you see the difference?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From dahlberg at BUCKNELL.EDU Fri Feb 13 18:42:02 2004
From: dahlberg at BUCKNELL.EDU (Michael Dahlberg)
Date: Thu Jan 12 21:22:30 2006
Subject: Performance and accuracy issues
In-Reply-To: <20040213153559.GA1477@bucknell.edu>
References: <20040213153559.GA1477@bucknell.edu>
Message-ID: <20040213184201.GD1477@bucknell.edu>

Michael Dahlberg [dahlberg@bucknell.edu] wrote:
> Fantastic piece of software...I can't imagine running a mail server
> without it. However, the latest upgrade (from 4.13-3 to 4.26.8) has
> uncovered a few issues.
>
> A little about our config: MailScanner (4.26.8) runs with Sophos
> (3.78d) on a dual processor Sun 220R with 2GB RAM. The
> MailScanner.conf file is set to start 10 child processes which will
> scan a max of 30 messages. MailScanner also runs in queue mode rather
> than batch. We do no spam analysis, just virus scanning. I've also
> installed the first Message.pm perl mod that Julian Field released a
> couple of days ago.
> > I've noticed that when running the SAVI engine (Virus Scanner = > sophossavi), rather than `sweep` (Virus Scanner = sophos) it > takes about 3x as long with the SAVI engine (approx. 3 min to scan 100 > messages using SAVI versus 1 min with sweep). Also when I use the > SAVI engine, more MyDoom-infected email messages are found and > removed. > > Is this the experience of other readers of this list? Does anyone > have an explanation or advice on which virus scanner (Sophos or SAVI) > to use? > Unfortunately, we had to downgrade MailScanner back to 4.13-3. The rate at which messages were being scanned and moved to an outbound mail queue was so slow that mail delivery times had increased to half an hour and the inbound queue size was steadily increasing. Using the same Sophos installation, we downgraded MailScanner back to 4.13-3. While we are now keeping up with the mail flow on campus, there are a number of MyDoom-infected email messages passing through MailScanner. These are the messages with an incomplete MIME header, which prompted the release of the new Message.pm file. This was the reason for the upgrade. I don't believe my problems are related to Sophos or the mail delivery method since the downgrade (which preserved both) solved the problem. Any suggestions would be greatly appreciated. Thanks, Mike From hermit921 at YAHOO.COM Fri Feb 13 18:45:21 2004 From: hermit921 at YAHOO.COM (hermit921) Date: Thu Jan 12 21:22:30 2006 Subject: Patches missing? In-Reply-To: <6.0.1.1.2.20040213101958.035f9b30@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040213101958.035f9b30@imap.ecs.soton.ac.uk> Message-ID: <6.0.0.22.2.20040213104329.01ee0008@pop.mail.yahoo.com> At 02:22 AM 2/13/2004, Julian Field wrote: >At 10:09 13/02/2004, you wrote: >> > >How about the current unstable? >> > >> > They are in there. >> >>Perfect. Good to know since I am about to update the mailscanner-devel >>port in a few seconds... :-) >> >> > Won't be necessary once 4.27 is produced. 
But if you want to >> > support them in BSD 4.26 then that's fine with me. >> >>Is 4.27 coming so soon? I expected to see 4.26.8 to be the final release >>for a few weeks. > >No, I'm just putting out betas when I feel like it. I probably won't >release the stable version until start of April. > >>I think I missed parts of the "to bounce or not to bounce" discussion. >>Should we not alter the manpages for the new bounce stuff? > >There is a new "Enable Spam Bounce" option, for which the docs are below. >Feel free to tell people not to use it. The default value is "no". > ># You can use this ruleset to enable the "bounce" Spam Action. ># You must *only* enable this for mail from sites with which you have ># agreed to bounce possible spam. Use it on low-scoring spam only (<10) ># and only to your regular customers for use in the rare case that a ># message is mis-tagged as spam when it shouldn't have been. ># Beware that many sites will automatically delete the bounce messages ># created by using this option unless you have agreed this with them in ># advance. >Enable Spam Bounce = %rules-dir%/bounce.rules > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support How about adding a line to your comments that bouncing to others may generate an irate response because you are sending them spam. From sailer at BNL.GOV Fri Feb 13 20:55:59 2004 From: sailer at BNL.GOV (Tim Sailer) Date: Thu Jan 12 21:22:30 2006 Subject: archive mail Message-ID: <20040213205559.GA13480@bnl.gov> I've been asked to archive email to and from certain users for various legal reasons (nothing criminal, thank goodness!). More like CYA purposes/tracking. Anyway, it's a old box, Mailscanner 3.27.1 . I'm not allowed to update mailscanner, so my question is, can I filter and archive mail for certain addresses in this version, or everything. From the looks, it's all or nothing, but I hope I'm wrong... 
Thanks,
Tim

From jrudd at UCSC.EDU Fri Feb 13 22:17:14 2004
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:22:30 2006
Subject: Adding Envelope Headers?
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com>
Message-ID: <402D4CEA.58A49D86@ucsc.edu>

Kai Schaetzl wrote:
> and still no X-Envelope-From.

IIRC, the proper header for "envelope from" is "Return-Path". I think that's in one of the standards. I know that at least one MTA (CommuniGate Pro) will take the envelope from and put it into the Return-Path if there isn't a Return-Path already. (but I'm not sure what it does if the envelope from doesn't match the return path ... )

> We are currently using a milter which happily adds both headers by default
> and I found that they are very useful for everything concerning anti-spam
> measures, adding to access.db etc. but also for whitelisting. Actually, I
> was quite surprised when first checking out Mailscanner that it doesn't add
> these headers and wonder why it doesn't. Mailscanner seems to be the perfect
> place to do it. Obviously, sendmail doesn't do, that's why several milters
> add them (f.i. amavis-new does it, but why add another milter to the chain
> if I don't need it for other things?).

My interest is slightly different. There are some mailers out there that use a queue format that is closer to RFC822 format, and a "modified RFC822" format that is like this:

(1 or more Envelope-To: headers)
Return-Path:
(rest of RFC822 message)

would be an ideal thing, to me, to support for a "plain" MTA in mailscanner. Converting to this format would make my CommuniGate Pro modules trivial, and CommuniGate Pro will take this format directly as a submission (if the file's name ends with ".sub", so the difference between a "plain" MTA and a "CGP" MTA would be that it would put the files into a particular directory (instead of batch mode) and give them a .sub suffix).

The only thing this leaves out, that mailscanner wants, is the relay.
Right now, I extract this from the first received header. A "plain" MTA for mailscanner could do the same thing.

I would even be happy to see my code for the CGP modules directly used in this effort. (what they do now is: "cgp2ms" converts a CGP queue file into a sendmail-like queue file and puts it in mailscanner's mqueue.in directory; "ms2cgp" is the mailscanner "Sendmail2" variable, and it takes the sendmail queue format and converts into something CGP can use ... the next version I'm working on of ms2cgp actually converts it into the above format and sticks it into the CGP "Submitted" directory). Some of that code might help in making both a "plain" MTA for mailscanner, and in making a "CGP" MTA for mailscanner.

From kevin at KEVINSPICER.CO.UK Fri Feb 13 22:28:55 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:30 2006
Subject: Hidden dangers of bouncing spam
Message-ID: <1076711336.3642.7.camel@bach.kevinspicer.co.uk>

I just read something on the clamav list that got me thinking about the recent threads about bouncing spam and the reasons not to do it. It struck me that no-one brought up the hidden dangers of bouncing messages to the apparent senders of spam. Perhaps this will help to persuade some of the doubters. I'll let the original post speak for itself (this was from a thread about ASK - the annoying challenge response 'spam killer')

>We used to offer ASK here... until spammers started using spamcop's spamtrap
>accounts in their return address.
>Spamcop didn't care that the messages were confirmations request. They just
>blacklisted us without notification.

That's a pretty good reason not to bounce spam in my book.

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040213/2add30d8/attachment.bin From jrudd at UCSC.EDU Fri Feb 13 22:23:05 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:30 2006 Subject: Adding Envelope Headers? References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> Message-ID: <402D4E48.1A8709B1@ucsc.edu> Julian Field wrote: > > At 14:00 13/02/2004, you wrote: > >X-Envelope-To: > I am of the opinion that ... > putting in the envelope recipient is a bad idea. It's a bad idea to put it into the file when you don't know if the MTA will remove it. With MTA's that support Envelope-From (such as Communigate Pro), it will take the leading Envelope-From headers and remove them. Their presence is for communicating between MailScanner (or any other message submission agent) and the MTA. It's exactly like the R(PFD) lines in the sendmail qf file, except everything is in one file. The MTA gets its RPFD type data from the Envelope-To headers, removes them from the actual message, and then proceeds. When you know that the MTA will do the right thing, it's not "a bad idea". And for some MTA's, it's definitely "the right idea". From ka at PACIFIC.NET Fri Feb 13 23:05:05 2004 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:30 2006 Subject: Preference for batch sizes In-Reply-To: <1076639595.402c376b28cae@kanawha.cnpapers.net> References: <065e01c3f1ba$dcbf6e10$0b00a8c0@djh01> <1076639595.402c376b28cae@kanawha.cnpapers.net> Message-ID: <402D5821.6080500@pacific.net> It depends on how much mail you are processing too. Setting only 3 MS children and 10msg per batch may be fine for <50 msgs/minute, but will quickly fall behind if you are receiving 500 msgs/minute. You'll need more children, bigger batches, and an additional server. 
Ken A Pacific.Net Steve Campbell wrote: > Mr. Hooton, > > Thank you for a very informative response. I am seeing some really strange > things happening here, as I have alluded to in prior post with this subject. I > will more than likely have to start using tempfs for some things, but first I > will break up our domains across multiple boxes. > > The strangeness of no timeouts for RBL and SA as a general rule, small amounts > of mail in incoming taking a very long time to clear, and the load average > dropping regardless of what is in either queues has me baffled. Especially, > since before Tuesday night, large amounts of email being dumped into this > server was handled very swiftly. Load average usually remained proportionate > to emails waiting to be scanned or delivered. > > One other thing I am going to do is wean myself away from linuxconf and begin > using sendmail to it's fullest. (Be warned - Another post coming to either > this list or some other). I really have a problem with non-existent user > email. I feel it's a shame to waste resources just to eliminate bounces, but I > have yet to find how these are resolved by Sendmail. > > Thanks very much > > Steve Campbell > > > Quoting David Hooton : > > >>>-----Original Message----- >>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >>>Behalf Of Stephe Campbell >>>Sent: Friday, 13 February 2004 3:55 AM >>>To: MAILSCANNER@JISCMAIL.AC.UK >>>Subject: Re: Preference for batch sizes >>> >>>I do not use Razor, but the suggestion to lower the message count per scan >>>seemed to fix it up. I am not running at 2 or 3 messages in my incoming. >>>Somehow, I missed the prior thread. >>> >> >> >>Hi Steve, >> >>I've found on an i386 box with 1 gig of ram, 80 Gig 7200RPM IDE disk and an >>AMD 2200 processor, using tempfs for the work dir that 3 children and 10 >>messages per batch is the most efficient combination. 
>>
>>If you have an evening free, write yourself a script to flood the box with a
>>decent number of messages and do some timings on how long each combination
>>takes to clear the queue - results below.
>>
>>Spam Load Test
>>
>>Messages  Children  Msg/batch  Mins
>>50        4         5          0:08:39  Workdir = DISK
>>50        3         5          0:08:05  Workdir = DISK
>>50        3         10         0:09:38  Workdir = DISK
>>50        2         10         0:13:07  Workdir = DISK
>>50        1         10         0:17:00  Workdir = DISK
>>50        0         10         0:15:00  Workdir = DISK
>>50        3         5          0:01:51  Workdir = TEMPFS
>>50        3         10         0:01:02  Workdir = TEMPFS
>>50        3         15         0:01:10  Workdir = TEMPFS
>>
>>We've managed to drop load on the box to 1/3 of its old load just by
>>playing with these settings alone, and a further reduction in load after
>>that by tuning our spamassassin rules very savagely.
>>
>>We have also recently taken to storing the Bayes DBs in tempfs which has
>>helped further reduce load and improve performance.
>>
>>Hope this helps you and anyone else with these kinds of issues.
>>
>>Cheers!
>>
>>Dave
>>
>>
>>========================================================================
>> Pain free spam & virus protection by: www.mailsecurity.net.au
>> Forward undetected SPAM to: spam@mailsecurity.net.au
>>========================================================================
>>
>
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/
>
>

From maillists at CONACTIVE.COM Fri Feb 13 23:31:40 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:30 2006
Subject: SA timeout setting?
In-Reply-To:
References: <6.0.0.22.0.20040213105648.026720b8@xanadu.evi-inc.com>
Message-ID:

Kai Schaetzl wrote on Fri, 13 Feb 2004 18:31:35 +0100:

> Hm, both settings are not in my Mailscanner.conf file. Weird. I have only
> similar settings for spam lists.
>

Not sure, but possible that the Webmin module wiped these settings because I had them stay at default.
Nevertheless, they are not mentioned in the conf documentation either, so maybe they aren't there in a mint config file. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From david at PLATFORMHOSTING.COM Sat Feb 14 01:27:21 2004 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:22:30 2006 Subject: Preference for batch sizes In-Reply-To: <402D5821.6080500@pacific.net> Message-ID: <016601c3f299$b2c2ba10$0b00a8c0@djh01> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Ken Anderson > Sent: Saturday, 14 February 2004 10:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Preference for batch sizes > > It depends on how much mail you are processing too. Setting only 3 MS > children and 10msg per batch may be fine for <50 msgs/minute, but will > quickly fall behind if you are receiving 500 msgs/minute. You'll need > more children, bigger batches, and an additional server. > Ken, I agree - the stats we ran were on one particular type of hardware, obviously if you're processing more mail you're going to need more hardware or some kind of load sharing. The machine we tested on was the only one we had spare at the time, but seems to be a pretty typical kind of spec for the average MailScanner user. The original aim of the tests were to show what the effect of changing from disk to tempfs were and to try and work out what additional changes could be made to minimise message scan time. Cheers! 
Dave ======================================================================== Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== From kisuije at tiscali.fr Sat Feb 14 09:24:49 2004 From: kisuije at tiscali.fr (kisuije) Date: Thu Jan 12 21:22:30 2006 Subject: Can anyone help plse Message-ID: <200402140924.50008.kisuije@tiscali.fr> Hi I have just installed MailScanner from the 4.26.8-1 rpm. I am running on an updated mdk 9.2 and using postfix and BitDefender. I have configured MailScanner as per this page: http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml 1. When I ty and run the service, I get a message from cron to root saying this: MailScanner manually shut down (no /var/lock/subsys/MailScanner.off file). Not restarting. I am not quite sure why. Any help would be appreciated. 2. In the MailScanner.conf file (lines 312 thru' 335) it does not specifically mention BitDefender. However in the virus.scanners.conf file it does. Can I just declare bitdefender in the MailScanner.conf file? Can anybody confirm please? 3. I use Fetchmail to bring in mail from a generic account and then postfix sorts it using the alias database. Is this going to have any effect upon the way I need to set up MailScanner and /or fetchmail? Any help or comments would be great since I am new to Linux and pretty stuck right now on these issues. Thanks Regards Hugh Norris From test at NEXTMILL.NET Sat Feb 14 08:57:42 2004 From: test at NEXTMILL.NET (Brian Lewis) Date: Thu Jan 12 21:22:30 2006 Subject: bayes_toks.expire###### 1.9 gigs worth! Message-ID: Mailscanner 4.26.8 SpamAssassin 2.63 After 10 days since the install I have over 1.9 gigs worth of bayes_toks.expire##### files sitting in /root/.spamassassin/ Why are these being created? Can I delete them? How can I prevent the system from creating them? 

-rw------- 1 root root 4530176 Feb 12 06:16 bayes_toks.expire9400
-rw------- 1 root root 5255168 Feb 12 19:14 bayes_toks.expire9491
-rw------- 1 root root 5292032 Feb 13 13:36 bayes_toks.expire9525
-rw------- 1 root root 5259264 Feb 12 19:19 bayes_toks.expire9590
-rw------- 1 root root 4550656 Feb 12 06:22 bayes_toks.expire9610
-rw------- 1 root root 5140480 Feb 13 10:37 bayes_toks.expire968
-rw------- 1 root root 5259264 Feb 12 19:24 bayes_toks.expire9690
-rw------- 1 root root 5173248 Feb 13 13:42 bayes_toks.expire9760
-rw------- 1 root root 5259264 Feb 12 19:30 bayes_toks.expire9763
-rw------- 1 root root 4546560 Feb 12 06:28 bayes_toks.expire9786
-rw------- 1 root root 5259264 Feb 12 19:36 bayes_toks.expire9863
-rw------- 1 root root 4546560 Feb 12 06:33 bayes_toks.expire9963
-rw------- 1 root root 2879488 Feb 13 13:47 bayes_toks.expire9978
-rw------- 1 root root 5259264 Feb 12 19:41 bayes_toks.expire9982

From raymond at PROLOCATION.NET Sat Feb 14 10:32:49 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:30 2006
Subject: MailScanner -> Spamassassin taking insane amount of bandwidth
In-Reply-To: <200402131415.i1DEFi127221@3webserv2.3webmedia.com>
Message-ID:

Hi!

> Still, it doesn't justify for 124GB extra in a month!
> Before activating that feature, we were using 80-100GB of bandwidth per
> month. Now we're up to 224GB for last month.

I don't think this list can help you on determining where your bits and bytes went on your own network. You should do log analyzing on your end, that will tell.

Bye,
Raymond.

From peter at UCGBOOK.COM Sat Feb 14 11:10:36 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:30 2006
Subject: bayes_toks.expire###### 1.9 gigs worth!
In-Reply-To:
References:
Message-ID: <402E022C.7010708@ucgbook.com>

Brian Lewis wrote:
> Mailscanner 4.26.8
> SpamAssassin 2.63
>
> After 10 days since the install I have over 1.9 gigs worth of
> bayes_toks.expire##### files sitting in /root/.spamassassin/
>
> Why are these being created? Can I delete them? How can I prevent the
> system from creating them?

Are you using the bayes expire feature in 4.26.8? If you're not you should try it (unless you're on Solaris). The files you're seeing are orphaned due to the expire operation taking too long to complete.

I run a "sa-learn --rebuild --force-expire" from crontab every night to fight it and since I started doing that I've had no problems.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.66 + GMP 4.1.2

From ugob at CAMO-ROUTE.COM Sat Feb 14 13:32:37 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:30 2006
Subject: Can anyone help plse
Message-ID: <54C38A0B814C8E438EF73FC76F3629274108EB@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: kisuije [mailto:kisuije@tiscali.fr]
> Sent: Saturday, February 14, 2004 4:25 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Can anyone help plse
>
>
> Hi
>
> I have just installed MailScanner from the 4.26.8-1 rpm. I am
> running on an
> updated mdk 9.2 and using postfix and BitDefender. I have configured
> MailScanner as per this page:
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml
>
> 1. When I try and run the service, I get a message from cron
> to root saying
> this:
>
> MailScanner manually shut down (no
> /var/lock/subsys/MailScanner.off file).
> Not restarting.
>
> I am not quite sure why. Any help would be appreciated.

It is a script that makes sure that MailScanner is running, if it has been started. This usually happens when you did not start MailScanner or you manually stopped it.

>
> 2.
In the MailScanner.conf file (lines 312 thru' 335) it does > not specifically > mention BitDefender. However in the virus.scanners.conf file > it does. Can I > just declare bitdefender in the MailScanner.conf file? Can > anybody confirm > please? > > 3. I use Fetchmail to bring in mail from a generic account > and then postfix > sorts it using the alias database. Is this going to have any > effect upon the > way I need to set up MailScanner and /or fetchmail? I've configured mine and it worked without any modifs. > > Any help or comments would be great since I am new to Linux > and pretty stuck > right now on these issues. You just need some patience, it should be solved soon. Very important: look at your logs. Stay tuned on this list :). > > Thanks > > Regards > > Hugh Norris > From mkipness at GENIANT.COM Sat Feb 14 14:16:08 2004 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:22:30 2006 Subject: Archives not being scanned, help! Message-ID: <399D85F2BB50BC4295F78EAE203D5C22218126@dalsxc01.geniant.net> Hello, I've started archiving one of our domains and forwarding them to mbox format files locally. Everything is working fine, however when I open one of the files with a webmail program, I notice that they are not being scanned. The original email that processes and is routed to another email server gets scanned however. It appears as though the archive sends the email to the file without traversing the scanner. I even sent the eicar test file and it went through fine. Is there something I need to configure to have archived mail get scanned? Thanks, Max -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040214/faa2eb80/attachment.html From mailscanner at ecs.soton.ac.uk Sat Feb 14 15:30:20 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:30 2006 Subject: Patches missing? 
In-Reply-To: <6.0.0.22.2.20040213104329.01ee0008@pop.mail.yahoo.com> References: <6.0.1.1.2.20040213101958.035f9b30@imap.ecs.soton.ac.uk> <6.0.0.22.2.20040213104329.01ee0008@pop.mail.yahoo.com> Message-ID: <6.0.1.1.2.20040214152957.039ef5f8@imap.ecs.soton.ac.uk> At 18:45 13/02/2004, you wrote: >How about adding a line to your comments that bouncing to others may >generate an irate response because you are sending them spam. Good idea. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Feb 14 15:33:48 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:30 2006 Subject: Hidden dangers of bouncing spam In-Reply-To: <1076711336.3642.7.camel@bach.kevinspicer.co.uk> References: <1076711336.3642.7.camel@bach.kevinspicer.co.uk> Message-ID: <6.0.1.1.2.20040214153213.039ef740@imap.ecs.soton.ac.uk> I don't advise anyone to use spamcop, I certainly won't use it on my own systems. They are far too willing to list completely innocent people and it is very difficult to get off their list again. I have heard dozens of stories from people saying they were included somewhere in the mail headers of a message they reported to spamcop, and spamcop listed them instead of the spammer! :-( At 22:28 13/02/2004, you wrote: > I just read something on the clamav list that got me thinking abut the >recent threads about bouncing spam and the reasons not to do it. It >struck me that no-one brought up the hidden dangers of bouncing messages >to the apparent senders of spam. Perhaps this will help to persuade >some of the doubters. I'll let the original post speak for itself (this >was from a thread about ASK - the annoying challenge response 'spam >killer') > > >We used to offer ASK here... 
until spammers started using spamcop's > >spamtrap > > >accounts in their return address. > > > >Spamcop didn't care that the messages were confirmations request. They > >just > > >blacklisted us without notification. > >Thats a pretty good reason not to bounce spam in my book. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Feb 14 16:02:30 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:30 2006 Subject: Archives not being scanned, help! In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C22218126@dalsxc01.geniant.ne t> References: <399D85F2BB50BC4295F78EAE203D5C22218126@dalsxc01.geniant.net> Message-ID: <6.0.1.1.2.20040214155851.03967e08@imap.ecs.soton.ac.uk> At 14:16 14/02/2004, you wrote: >Hello, > >I've started archiving one of our domains and forwarding them to mbox >format files locally. Everything is working fine, however when I open one >of the files with a webmail program, I notice that they are not being >scanned. The original email that processes and is routed to another email >server gets scanned however. It appears as though the archive sends the >email to the file without traversing the scanner. I even sent the eicar >test file and it went through fine. > >Is there something I need to configure to have archived mail get scanned? The mail archive is completely intentionally an unmodified copy of the incoming mail feed. If you are having to archive mail for legal reasons or (like I do) to collect test data sets, the last thing you want is to have anything missing from the original copy. Once you are changing anything in the archive, I very much doubt its trustworthiness would stand up in court should it be necessary. The court opponents could then argue that a bug in the software could have deleted something it shouldn't have. 
By not modifying it at all, you have a much stronger defence against this argument. Handle your mail archive carefully. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Feb 14 15:35:57 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:30 2006 Subject: SA timeout setting? In-Reply-To: References: <6.0.0.22.0.20040213105648.026720b8@xanadu.evi-inc.com> Message-ID: <6.0.1.1.2.20040214153517.039ddd48@imap.ecs.soton.ac.uk> At 23:31 13/02/2004, you wrote: >Kai Schaetzl wrote on Fri, 13 Feb 2004 18:31:35 +0100: > > > Hm, both settings are not in my Mailscanner.conf file. Weird. I have only > > similar settings for spam lists. > > > >Not sure, but possible that the Webmin module wiped these settings because I >had them stay at default. Nevertheless, they are not mentioned in the conf >documentation either, so maybe they aren't there in a mint config file. They are in MailScanner.conf.5.html and MailScanner.conf.5. They are definitely in a mint config file. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Feb 14 15:27:48 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:30 2006 Subject: vscan (trend filescan) wrapper? In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C2221811E@dalsxc01.geniant.ne t> References: <399D85F2BB50BC4295F78EAE203D5C2221811E@dalsxc01.geniant.net> Message-ID: <6.0.1.1.2.20040214152636.039ef888@imap.ecs.soton.ac.uk> At 17:38 13/02/2004, you wrote: >Hi, > >I downloaded the Trend FileScan from the freetools ftp site. 
The scanner >works fine, and I modified the wrapper so that it works from the command >line, but when adding 'trend' to MailScanner.conf, I get the following in >the logs: > >Feb 13 11:12:37 endpoint MailScanner[18918]: FATAL: *Please go and READ* >http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml as it >will tell you what to do. That is fairly obvious isn't it? Have you read that web page and followed its instructions? Apart from making the text flash at you there's not much I can do to make it clearer :-( >Feb 13 11:12:38 endpoint MailScanner[18917]: New Batch: Scanning 1 >messages, 96991 bytes >Feb 13 11:12:38 endpoint MailScanner[18917]: Spam Checks: Starting >Feb 13 11:12:38 endpoint MailScanner[18917]: Virus and Content Scanning: >Starting >Feb 13 11:12:42 endpoint MailScanner[18917]: FATAL: Encountered code that >does not meet configured acceptable stability > >Does anybody have a wrapper that works? Is the default wrapper not feeding >the right info to MailScanner? > >Thanks, >Max -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040214/755012f4/attachment.html From mailscanner at ecs.soton.ac.uk Sat Feb 14 15:23:37 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:30 2006 Subject: Performance and accuracy issues In-Reply-To: <20040213172843.GC1477@bucknell.edu> References: <20040213153559.GA1477@bucknell.edu> <402CF5A6.1080008@solid-state-logic.com> <6.0.1.1.2.20040213160721.03ea77a8@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040213161515.03c91a98@imap.ecs.soton.ac.uk> <20040213172843.GC1477@bucknell.edu> Message-ID: <6.0.1.1.2.20040214152125.039fd658@imap.ecs.soton.ac.uk> At 17:28 13/02/2004, you wrote: >Julian Field [mailscanner@ECS.SOTON.AC.UK] wrote: > > At 16:08 13/02/2004, you wrote: > > >At 16:04 13/02/2004, you wrote: > > >>Michael Dahlberg wrote: > > >>>I've noticed that when running the SAVI engine (Virus Scanner = > > >>>sophossavi), rather than `sweep` (Virus Scanner = sophos) it > > >>>takes about 3x as long with the SAVI engine (approx. 3 min to scan 100 > > >>>messages using SAVI versus 1 min with sweep). Also when I use the > > >>>SAVI engine, more MyDoom-infected email messages are found and > > >>>removed. > > > > Check your /usr/local/Sophos/lib directory to ensure that the links are > > pointing to the right (latest) versions of the library in there. Sounds > > like sweep is using a different version to SAVI. > > When you built Perl-SAVI did you remember to make the mods to Makefile.PL? > > Is your Sophos installation done with my Sophos.install script? > > -- > > The Sophos installation is done using the (mostly unmodified) > /opt/MailScanner/bin/Sophos.install script (I needed to change the > DISTRIB var from solaris.sparc.tar to solariss.tar since we install > it from the CD distribution). > > The links in /usr/local/Sophos/lib point to the correct libraries > (libsavi.so is a symlink to libsavi.so.2 which is a symlink to > libsavi.so.3.2.07.054). 
The modifications were made in the > Makefile.PL file for SAVI-Perl-0.15 to link the libraries from > /usr/local/Sophos/lib. > > With regards to your previous comment about batch mode and queue > mode, we run MailScanner on a separate system from the main campus > mailserver. All mail goes to the MailScanner system which is then > delivered to the main mail server (listed as a SMARTHOST in > sendmail). We found that running in batch mode with >1 MailScanner > process would, at times swamp the main mail server with sendmail > connections. Therefore we have left it in queue mode. If we change > that my guess is that we'd see the same effect. Fair enough. There is a good reason to leave it in after all :-) > However, the slow down isin't on the outbound queue side, it's on > the inbound queue side. The number of messages in the > /var/spool/mqueue.in directory keeps growing and we're slowly > getting a real backlog. Set Debug = yes Debug SpamAssassin = yes and then stop MailScanner, then run check_MailScanner once. You may well be seeing pauses in the SpamAssassin output, which should tell you where the problem is. May well be Razor or Bayes. > Thanks for the help. > > Mike -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mkipness at GENIANT.COM Sat Feb 14 16:19:53 2004 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:22:30 2006 Subject: Archives not being scanned, help! Message-ID: <399D85F2BB50BC4295F78EAE203D5C22218129@dalsxc01.geniant.net> >I've started archiving one of our domains and forwarding them to mbox >format files locally. Everything is working fine, however when I open one >of the files with a webmail program, I notice that they are not being >scanned. The original email that processes and is routed to another email >server gets scanned however. 
It appears as though the archive sends the >email to the file without traversing the scanner. I even sent the eicar >test file and it went through fine. > >Is there something I need to configure to have archived mail get scanned? The mail archive is completely intentionally an unmodified copy of the incoming mail feed. If you are having to archive mail for legal reasons or (like I do) to collect test data sets, the last thing you want is to have anything missing from the original copy. Once you are changing anything in the archive, I very much doubt its trustworthiness would stand up in court should it be necessary. The court opponents could then argue that a bug in the software could have deleted something it shouldn't have. By not modifying it at all, you have a much stronger defence against this argument. Handle your mail archive carefully. We are actually archiving at a client's request. I've configured them access via webmail for them to view their archived mbox files and actually reply to email. This is mainly for times when their own server may be down. There are no legal concerns here. So is their anyway to configure MailScanner to scan archived mail? Thanks, Max From mike at ZANKER.ORG Sat Feb 14 16:20:45 2004 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:22:30 2006 Subject: Hidden dangers of bouncing spam In-Reply-To: <6.0.1.1.2.20040214153213.039ef740@imap.ecs.soton.ac.uk> References: <1076711336.3642.7.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040214153213.039ef740@imap.ecs.soton.ac.uk> Message-ID: <19513031.1076775645@jemima.zanker.org> On 14 February 2004 15:33 +0000 Julian Field wrote: > I have heard dozens of > stories from people saying they were included somewhere in the mail > headers > of a message they reported to spamcop, and spamcop listed them > instead of > the spammer! :-( Yup, happens all the time. 
One of our users reported some spam they had received and SpamCop sent a notification to me (as RIPE technical contact) asking me to confirm that our user's account had been cancelled! Mike. From mkipness at GENIANT.COM Sat Feb 14 16:25:04 2004 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:22:30 2006 Subject: vscan (trend filescan) wrapper? Message-ID: <399D85F2BB50BC4295F78EAE203D5C2221812A@dalsxc01.geniant.net> >I downloaded the Trend FileScan from the freetools ftp site. The scanner works fine, and I modified the wrapper so that it works from the command line, but when adding 'trend' to MailScanner.conf, I get >the following in the logs: >Feb 13 11:12:37 endpoint MailScanner[18918]: FATAL: *Please go and READ* http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml as it will tell you what to do. >That is fairly obvious isn't it? Have you read that web page and followed its instructions? Apart from making the text flash at you there's not much I can do to make it clearer :-( I have tried changing the setting to 'alpha', and then the message is suppressed and it seems to work. However, then I removed my functioning virus scanner and just added 'trend' as the only scanner. It doesn't work as viruses pass right through it. So I was wondering if anybody else has dealt with FileScan, had a functioning wrapper, or advice on how to get it working. I'm guessing that the data parsed from the wrapper is not interpreted by MailScanner correctly? Thanks for any help you can give on this. Max -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040214/e142c848/attachment.html

From kisuije at tiscali.fr Sat Feb 14 17:27:59 2004
From: kisuije at tiscali.fr (kisuije)
Date: Thu Jan 12 21:22:30 2006
Subject: Can anyone help plse
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629274108EB@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629274108EB@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <200402141727.59882.kisuije@tiscali.fr>

Thanks for the reply. It now seems to work fine. A couple of things also seemed important though.

1. I use petidomo to manage mailing lists. Using the suggested postfix setup from the page below creates errors from petidomo. I had to add a line in /etc/postfix/main.cf:

alternate_config_directories = /etc/postfix.in

otherwise the mail error log gets very large and petidomo does not deliver mail to members of the lists

2. To get MailScanner to work without reporting errors whilst using BitDefender, I needed to change the line Minimum code status in mailscanner.conf from supported to beta.

So thanks for your help

Regards

Hugh Norris

On Saturday 14 February 2004 at 13:32, you wrote:
> > -----Original Message-----
> > From: kisuije [mailto:kisuije@tiscali.fr]
> > Sent: Saturday, February 14, 2004 4:25 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Can anyone help plse
> >
> >
> > Hi
> >
> > I have just installed MailScanner from the 4.26.8-1 rpm. I am
> > running on an
> > updated mdk 9.2 and using postfix and BitDefender. I have configured
> > MailScanner as per this page:
> > http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml
> >
> > 1. When I try and run the service, I get a message from cron
> > to root saying
> > this:
> >
> > MailScanner manually shut down (no
> > /var/lock/subsys/MailScanner.off file).
> > Not restarting.
> >
> > I am not quite sure why. Any help would be appreciated.
>
> It is a script that makes sure that MailScanner is running, if it has been
> started.
This usually happens when you did not start MailScanner or you > manually stopped it. > > > 2. In the MailScanner.conf file (lines 312 thru' 335) it does > > not specifically > > mention BitDefender. However in the virus.scanners.conf file > > it does. Can I > > just declare bitdefender in the MailScanner.conf file? Can > > anybody confirm > > please? > > > > 3. I use Fetchmail to bring in mail from a generic account > > and then postfix > > sorts it using the alias database. Is this going to have any > > effect upon the > > way I need to set up MailScanner and /or fetchmail? > > I've configured mine and it worked without any modifs. > > > Any help or comments would be great since I am new to Linux > > and pretty stuck > > right now on these issues. > > You just need some patience, it should be solved soon. > Very important: look at your logs. > Stay tuned on this list :). > > > Thanks > > > > Regards > > > > Hugh Norris From mailscanner at ecs.soton.ac.uk Sat Feb 14 16:39:10 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:31 2006 Subject: vscan (trend filescan) wrapper? In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C2221812A@dalsxc01.geniant.ne t> References: <399D85F2BB50BC4295F78EAE203D5C2221812A@dalsxc01.geniant.net> Message-ID: <6.0.1.1.2.20040214163821.03e52998@imap.ecs.soton.ac.uk> If you send me a copy of trend (off-list) then I will take a look at it for you and see if any changes to MailScanner are necessary. It is alpha or beta because I am not sure it works properly. At 16:25 14/02/2004, you wrote: > > >I downloaded the Trend FileScan from the freetools ftp site. The scanner > works fine, and I modified the wrapper so that it works from the command > line, but when adding 'trend' to MailScanner.conf, I get >the following > in the logs: > > >Feb 13 11:12:37 endpoint MailScanner[18918]: FATAL: *Please go and READ* > http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml as it > will tell you what to do. 
> > >That is fairly obvious isn't it? Have you read that web page and > followed its instructions? Apart from making the text flash at you > there's not much I can do to make it clearer :-( > > >I have tried changing the setting to 'alpha', and then the message is >suppressed and it seems to work. However, then I removed my functioning >virus scanner and just added 'trend' as the only scanner. It doesn't work >as viruses pass right through it. > >So I was wondering if anybody else has dealt with FileScan, had a >functioning wrapper, or advice on how to get it working. I'm guessing that >the data parsed from the wrapper is not interpreted by MailScanner correctly? > >Thanks for any help you can give on this. > >Max > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040214/d5c7945d/attachment.html From jonc at nc.rr.com Sat Feb 14 16:35:55 2004 From: jonc at nc.rr.com (Jon Carnes) Date: Thu Jan 12 21:22:31 2006 Subject: How can I log whether MailScanner is running the Antivirus app? Message-ID: <1076776555.3147.27.camel@localhost.localdomain> Oy! Such a week. I need more information to figure this out. Does MailScanner runs the Anti-virus app on the mail spool (complete with uuencoded application) or does it un-encode the attachment and run the scan on that? Is there a way to log the virus scanning portion of MailScanners activities? 

My anti-virus app is not catching any viruses in emails - so either some of my munging has caused MailScanner not to run my app or there is a problem with my virus scanner...

 - I've captured a MyDoom example and my app finds it just fine with ordinary scanning.
 - I've captured the incoming queue and scanned queued files with a MyDoom attachment - the app does NOT detect the virus in its transit encoded form.
 - I've quarantined email using filename.rules.conf, and the anti-virus app DOES detect the virus in the attachment in the quarantine area.
 - I've let the email pass through to the users spool and then scanned the spool, the anti-virus app DOES detect it.

I stop most attachments but allow zip files using filename.rules.conf. I thought the infected zip files would be caught by my virus scanner, being run by MailScanner, but they are not.

This is very frustrating. I've googled, searched the archives and re-read the docs several times. I've even hacked a bit into the SweepViruses.pm code to try and find how it's applying the virus scanner.

I'm running mailscanner-4.23-11
on Red Hat Linux 9
and using mcafee (uvscan) as my virus scanner.

Some pertinent info from MailScanner.conf

  Virus Scanning = yes
  Virus Scanners = mcafee

======
Some notes for the archives:

In order to get uvscan to work properly on RH9 I had to modify the mcafee-wrapper program used by MailScanner. The commented out statement is the old one, and the one below it is the modified statement which works fine (but doesn't seem to catch the zipped versions of MyDoom).

  # exec ${PackageDir}/$prog -d $datDIR "$@"
  exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@"

===
Further notes:

UVScan will not ordinarily scan an archive file (.zip), but if you add the switch "--secure" it will.
Originally (last week), I thought this was the problem and so I modified the mcafee-wrapper again and added that switch: # exec ${PackageDir}/$prog -d $datDIR "$@" # exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@" # added "--secure" to enable scanning of zipped files - JonC 2/11/2004 exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog --secure -d $datDIR "$@" === Any help or insights would be appreciated Jon Carnes jonc@nc.rr.com From gdoris at rogers.com Sat Feb 14 16:49:08 2004 From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:31 2006 Subject: vscan (trend filescan) wrapper? In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C2221812A@dalsxc01.geniant.net> References: <399D85F2BB50BC4295F78EAE203D5C2221812A@dalsxc01.geniant.net> Message-ID: <36024.10.0.10.1.1076777348.squirrel@tiger.dorfam.ca> > I have tried changing the setting to 'alpha', and then the message is > suppressed and it seems to work. However, then I removed my functioning > virus scanner and just added 'trend' as the only scanner. It doesn't > work as viruses pass right through it. > > > > So I was wondering if anybody else has dealt with FileScan, had a > functioning wrapper, or advice on how to get it working. I'm guessing > that the data parsed from the wrapper is not interpreted by MailScanner > correctly? > > > > Thanks for any help you can give on this. > > > > Max I suggest you try running iscan outside of MailScanner to verify that it works and is installed correctly. If that's working then be sure that you have the correct paths set in the MailScanner config files so they point to the correct install location for iscan. Gerry From mailscanner at ecs.soton.ac.uk Sat Feb 14 16:55:42 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:31 2006 Subject: How can I log whether MailScanner is running the Antivirus app? 
In-Reply-To: <1076776555.3147.27.camel@localhost.localdomain> References: <1076776555.3147.27.camel@localhost.localdomain> Message-ID: <6.0.1.1.2.20040214165141.03a42c58@imap.ecs.soton.ac.uk> Make sure your path to the Incoming Work Dir does not include any links. Also make sure the installation path of mcafee in virus.scanners.conf does not contain any links. At 16:35 14/02/2004, you wrote: >Oy! Such a week. I need more information to figure this out. > >Does MailScanner runs the Anti-virus app on the mail spool (complete >with uuencoded application) or does it un-encode the attachment and run >the scan on that? > >Is there a way to log the virus scanning portion of MailScanners >activities? > >My anti-virus app is not catching any viruses in emails - so either some >of my munging has caused MailScanner not to run my app or there is a >problem with my virus scanner... > > - I've captured a MyDoom example and my app finds it just fine with >ordinary scanning. > - I've captured the incoming queue and scanned queued files with a >MyDoom attachment - the app does NOT detect the virus in its transit >encoded form. > - I've quarantined email using filename.rules.conf, and the anti-virus >app DOES detect the virus in the attachment in the quarantine area. > - I've let the email pass through to the users spool and then scanned >the spool, the anti-virus app DOES detect it. > >I stop most attachments but allow zip files using filename.rules.conf. >I thought the infected zip files would be caught by my virus scanner, >being run by MailScanner, but they are not. > >This is very frustrating. I've googled, searched the archives and >re-read the docs several times. I've even hacked a bit into the >SweepViruses.pm code to try and find how it's applying the virus >scanner. > >I'm running mailscanner-4.23-11 >on Red Hat Linux 9 >and using mcafee (uvscan) as my virus scanner. 
> >Some pertinent info from MailScanner.conf > Virus Scanning = yes > Virus Scanners = mcafee > >====== >Some notes for the archives: > >In order to get uvscan to work properly on RH9 I had to modify the >mcafee-wrapper program used by MailScanner. The commented out statement >is the old one, and the one below it is the modified statement which >works fine (but doesn't seem to catch the zipped versions of MyDoom). > ># exec ${PackageDir}/$prog -d $datDIR "$@" >exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@" > >=== >Further notes: > >UVScan will not ordinarily scan an archive file (.zip), but if you add >the switch "--secure" it will. Originally (last week), I thought this >was the problem and so I modified the mcafee-wrapper again and added >that switch: > ># exec ${PackageDir}/$prog -d $datDIR "$@" ># exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@" ># added "--secure" to enable scanning of zipped files - JonC 2/11/2004 >exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog --secure -d $datDIR >"$@" > >=== >Any help or insights would be appreciated > >Jon Carnes >jonc@nc.rr.com -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Feb 14 17:03:21 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:31 2006 Subject: How can I log whether MailScanner is running the Antivirus app? In-Reply-To: <1076776555.3147.27.camel@localhost.localdomain> References: <1076776555.3147.27.camel@localhost.localdomain> Message-ID: <6.0.1.1.2.20040214170110.04003b28@imap.ecs.soton.ac.uk> At 16:35 14/02/2004, you wrote: >Does MailScanner runs the Anti-virus app on the mail spool (complete >with uuencoded application) or does it un-encode the attachment and run >the scan on that? The latter. 
>UVScan will not ordinarily scan an archive file (.zip), but if you add >the switch "--secure" it will. Originally (last week), I thought this >was the problem and so I modified the mcafee-wrapper again and added >that switch: The --secure switch is already provided to the wrapper by MailScanner. The command-line switches added by MailScanner itself are --recursive --ignore-links --analyze --mime --secure --noboot ># exec ${PackageDir}/$prog -d $datDIR "$@" ># exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@" ># added "--secure" to enable scanning of zipped files - JonC 2/11/2004 >exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog --secure -d $datDIR >"$@" > >=== >Any help or insights would be appreciated > >Jon Carnes >jonc@nc.rr.com -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Feb 14 20:51:05 2004 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:22:31 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200402142051.i1EKp5VI016744@seer.ecs.soton.ac.uk> New Guestbook-Entry from Ashlyn Stein Pachinko\'\'s are hard to find out of japan, if you\'\'re actually lookin here\'\'s a good place to start

From faq at mailscanner.info Sun Feb 15 00:28:01 2004 From: faq at mailscanner.info (faq@mailscanner.info) Date: Thu Jan 12 21:22:31 2006 Subject: Faq-O-Matic Error Log Message-ID: <200402150028.i1F0S19g012176@seer.ecs.soton.ac.uk> Errors from MailScanner Faq-O-Matic (v. 2.717): 2004-02-11-12-39-14 2.717 error editPart 27792 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 4; in item: 8) From mhewryk at SYMCOR.COM Sat Feb 14 20:34:26 2004 From: mhewryk at SYMCOR.COM (Magda Hewryk) Date: Thu Jan 12 21:22:31 2006 Subject: spam.lists.conf and SORBS Message-ID: Hi, ORDB-RBL times out quiet often and I'd like to use SORBS list for spam blacklist. Which one of the following is the best to use in addition to relays.ordb.org and dnsbl.njabl.org ? Thanks, Magda SORBS-DNSBL dnsbl.sorbs.net. >SORBS-HTTP http.dnsbl.sorbs.net. >SORBS-SOCKS socks.dnsbl.sorbs.net. >SORBS-MISC misc.dnsbl.sorbs.net. >SORBS-SMTP smtp.dnsbl.sorbs.net. >SORBS-WEB web.dnsbl.sorbs.net. >SORBS-SPAM spam.dnsbl.sorbs.net. >SORBS-BLOCK block.dnsbl.sorbs.net. >SORBS-ZOMBIE zombie.dnsbl.sorbs.net. >SORBS-DUL dul.dnsbl.sorbs.net. >SORBS-RHSBL rhsbl.sorbs.net. >SORBS-BADCONF badconf.rhsbl.sorbs.net. >SORBS-NOMAIL nomail.rhsbl.sorbs.net. > ># dnsbl.sorbs.net - Aggregate zone (contains all DNS zones) ># http.dnsbl.sorbs.net - List of Open HTTP Proxy Servers. ># socks.dnsbl.sorbs.net - List of Open SOCKS Proxy Servers. ># misc.dnsbl.sorbs.net - List of open Proxy Servers not listed in ># the SOCKS or HTTP lists. ># smtp.dnsbl.sorbs.net - List of Open SMTP relay servers. ># web.dnsbl.sorbs.net - List of web (WWW) server which have spammer ># abused vulnerabilities (e.g. FormMail scripts) ># spam.dnsbl.sorbs.net - List of hosts that have been noted as sending ># spam/UCE/UBE to the admins of SORBS. This ># zone also contains netblocks of spam supporting ># service providers, this could be for providing ># websites, DNS or drop boxes for a spammer. Spam ># supporters are added on a 'third strike and you >are ># out' basis, where the third spam will cause the ># supporter to be blocked. ># block.dnsbl.sorbs.net - List of hosts demanding they are never tested by ># SORBS. ># zombie.dnsbl.sorbs.net - List of networks hijacked from their original ># owners. Some already used for spamming. ># dul.dnsbl.sorbs.net - Dynamic IP Address ranges (NOT a Dial Up list!) 
># rhsbl.sorbs.net - Aggregate zone (contains all RHS zones) >#badconf.rhsbl.sorbs.net - List of domain names where the A or MX ># records point to bad address space. ># nomail.rhsbl.sorbs.net - List of domain names where the owners have ># indicated no mail should ever be sent with these ># domains. From raymond at PROLOCATION.NET Sat Feb 14 20:38:47 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:31 2006 Subject: spam.lists.conf and SORBS In-Reply-To: Message-ID: Hi! > ORDB-RBL times out quiet often and I'd like to use SORBS list for spam > blacklist. > > Which one of the following is the best to use in addition to > relays.ordb.org and dnsbl.njabl.org ? SBL+XBL (Spamhaus), DSBL and/or AHBL. Bye, Raymond. From mhewryk at SYMCOR.COM Sat Feb 14 21:24:29 2004 From: mhewryk at SYMCOR.COM (Magda Hewryk) Date: Thu Jan 12 21:22:31 2006 Subject: [OT] Re: MAPS-RBL Message-ID: Hi, How can I try the combined XBL+SBL list from spamhaus.org ? Can I see an example from spam.lists.conf ? None of DNS can't resolve sbl.spamhaus.org, I've tried different servers for a sake. >From the list below only relays.ordb.org can be resolved by DNS. Are other definitely closed? What is the experience with NJABL dnsbl.njabl.org? Thanks, Magda ORDB-RBL relays.ordb.org. #spamhaus.org sbl.spamhaus.org. #spamcop.net bl.spamcop.net. #Infinite-Monkeys proxies.relays.monkeys.com. From mlm at LOANPROCESSING.NET Sat Feb 14 21:51:37 2004 From: mlm at LOANPROCESSING.NET (Mike McMullen) Date: Thu Jan 12 21:22:31 2006 Subject: MailScanner and Spam Actions with ClamAV Message-ID: <00e801c3f344$b8b792f0$0300a8c0@Spike> Hi All, I've just installed MailScanner with SpamAssassin and ClamAV on a RH 7.3 system. So far so good. Everything seems to basically work and I'm really pleased with how all this works together. I have one issue I can't figure out. I would like to set "Spam Actions" to "attachment". 
However when I do this, Spam Checks show up in the log as they should but Virus and Content scanning start and never complete. The message is never delivered. If I set Spam Actions back to deliver, everything works just fine and the message is tagged as spam and delivered. I'm new to all 3; MailScanner, SpamAssassin and ClamAV so if I am missing something obvious please let me know. Thanks, Mike From steve.swaney at FSL.COM Sat Feb 14 22:13:04 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:31 2006 Subject: MailScanner and Spam Actions with ClamAV In-Reply-To: <00e801c3f344$b8b792f0$0300a8c0@Spike> Message-ID: <20040214221304.881D421C13A@mail.fsl.com> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Mike McMullen > Sent: Saturday, February 14, 2004 4:52 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MailScanner and Spam Actions with ClamAV > > Hi All, > > I've just installed MailScanner with SpamAssassin and ClamAV on > a RH 7.3 system. > > So far so good. Everything seems to basically work and I'm really > pleased with how all this works together. > > I have one issue I can't figure out. I would like to set > "Spam Actions" to "attachment". > > However when I do this, Spam Checks show up in the > log as they should but Virus and Content scanning start > and never complete. > > The message is never delivered. > Try setting Spam Actions = attachment deliver Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From raymond at PROLOCATION.NET Sat Feb 14 22:46:13 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:31 2006 Subject: [OT] Re: MAPS-RBL In-Reply-To: Message-ID: Hi! > How can I try the combined XBL+SBL list from spamhaus.org ? 
> Can I see an example from spam.lists.conf ? > None of DNS can't resolve sbl.spamhaus.org, I've tried different servers > for a sake. Its inside spam.lists.conf in newer distributions: spamhaus.org sbl.spamhaus.org. spamhaus-XBL xbl.spamhaus.org. SBL+XBL sbl-xbl.spamhaus.org. > What is the experience with NJABL dnsbl.njabl.org? Thas ok also. Bye, Raymond. From dahlberg at bucknell.edu Sun Feb 15 06:43:17 2004 From: dahlberg at bucknell.edu (Michael Dahlberg) Date: Thu Jan 12 21:22:31 2006 Subject: Performance and accuracy issues In-Reply-To: <6.0.1.1.2.20040214152125.039fd658@imap.ecs.soton.ac.uk> References: <20040213153559.GA1477@bucknell.edu> <402CF5A6.1080008@solid-state-logic.com> <6.0.1.1.2.20040213160721.03ea77a8@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040213161515.03c91a98@imap.ecs.soton.ac.uk> <20040213172843.GC1477@bucknell.edu> <6.0.1.1.2.20040214152125.039fd658@imap.ecs.soton.ac.uk> Message-ID: <20040215064317.GA16485@bucknell.edu> Julian Field [mailscanner@ECS.SOTON.AC.UK] wrote: > > Set > Debug = yes > Debug SpamAssassin = yes > and then stop MailScanner, then run check_MailScanner once. You may well be > seeing pauses in the SpamAssassin output, which should tell you where the > problem is. May well be Razor or Bayes. > No problem. However, we're not doing spam analysis on this system. So all the spam checks are set to "no". Just virus scanning. Do you still think this is worth trying? Thanks, Mike From mailscanner at ecs.soton.ac.uk Sun Feb 15 08:41:15 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:31 2006 Subject: Performance and accuracy issues In-Reply-To: <20040213184201.GD1477@bucknell.edu> References: <20040213153559.GA1477@bucknell.edu> <20040213184201.GD1477@bucknell.edu> Message-ID: <6.0.1.1.2.20040215083700.03da7ec0@imap.ecs.soton.ac.uk> At 18:42 13/02/2004, you wrote: >Michael Dahlberg [dahlberg@bucknell.edu] wrote: > > Fanatastic piece of software...I can't imagine running a mail server > > without it. 
However, the latest upgrade (from 4.13-3 to 4.26.8) has > > uncovered a few issues. > > > > A little about our config: MailScanner (4.26.8) runs with Sophos > > (3.78d) on a dual processor Sun 220R with 2GB RAM. The > > MailScanner.conf file is set to start 10 child processes which will > > scan a max of 30 messages. MailScanner also runs in queue mode rather > > than batch. We do no spam analysis, just virus scanning. I've also > > installed the first Message.pm perl mod that Julian Fields released a > > couple of days ago. > > > > I've noticed that when running the SAVI engine (Virus Scanner = > > sophossavi), rather than `sweep` (Virus Scanner = sophos) it > > takes about 3x as long with the SAVI engine (approx. 3 min to scan 100 > > messages using SAVI versus 1 min with sweep). Also when I use the > > SAVI engine, more MyDoom-infected email messages are found and > > removed. > > > > Is this the experience of other readers of this list? Does anyone > > have an explanation or advice on which virus scanner (Sophos or SAVI) > > to use? > > > > Unfortunately, we had to downgrade MailScanner back to 4.13-3. > The rate at which messages were being scanned and moved to an > outbound mail queue was so slow that mail delivery times had > increased to half an hour and the inbound queue size was steadily > increasing. Switch on the speed logging with "Log Speed = true" and see if it sheds any light on the subject. Take a careful look at the "Allow Form Tags" and the other related HTML tag checks. If you switch off detection and logging of all of them, it optimises the code out completely. Have you added any large rulesets since your 4.13 installation? 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From wppiphoto at wppi.com Sun Feb 15 15:42:30 2004 From: wppiphoto at wppi.com (SW) Date: Thu Jan 12 21:22:31 2006 Subject: Some e-mails not being scanned? {Scanned} Message-ID: <003a01c3f3da$58331a30$0d01a8c0@Toshiba> Can someone tell me why some e-mails don't get scanned by MS/SA? I know they are not being scanned because they are missing the mailscanner header info. The only thing I can think of is that there is something in mailscanner which ignores e-mails that contain in the header 'X-AntiAbuse' and flags them as non-spam. Not sure if I'm right but hopefully someone here can help. Here is a sample e-mail header which does not get scanned by mailscanner: Return-Path: Received: from free-web-hosting-and-free-email.com (pcp07722622pcs.nrockv01.md.comcast.net [69.138.239.114]) by wppi.net (8.10.2/8.10.2) with SMTP id i1BMkQA01925 for ; Wed, 11 Feb 2004 17:46:30 -0500 Received: (from www@localhost) by free-web-hosting-and-free-email.com (SMTPD32-7.00) with ESMTP id J87Gz037587771 for ; Wed, 11 Feb 2004 17:44:37 -0500 (EST) (envelope-from www) Message-ID: <823244444119.yyr36h3MgwRq8N@localhost> From: "Ruthie Nixon" To: sales@wppi.net Subject: Website Intros and Animated Logos {Scanned} Date: Wed, 11 Feb 2004 17:44:37 -0500 (EST) X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - free-web-hosting-and-free-email.com X-AntiAbuse: Original Domain - free-web-hosting-and-free-email.com X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80] X-AntiAbuse: Sender Address Domain - MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00" Thanks, SW ------------------------------------------------- WPPi.com | WPPi.Net 
------------------------------------------------- http://www.wppi.com | http://www.wppi.net ------------------------------------------------- WPPi.com & WPPi.Net MailScanner Signature This message has been scanned for viruses and dangerous content by WPPi MailScanner, and has been found to be clean. ------------------------------------------------- From wppiphoto at wppi.com Sun Feb 15 15:49:32 2004 From: wppiphoto at wppi.com (SW) Date: Thu Jan 12 21:22:31 2006 Subject: spamcop timeout {Scanned} Message-ID: <004401c3f3db$5115dac0$0d01a8c0@Toshiba> Hi folks, Was wondering how I can fix time outs in mailscanner? If tried to increase a few of the timout setting in mailscanner.conf but still keep getting time outs. Here is what I have in mailscanner.conf: Spam List Timeout = 20 SpamAssassin Timeout = 40 Here is the message I get in my log files: RBL Check spamcop.net timed out and was killed, consecutive failure 1 of 15 Thanks, SW ------------------------------------------------- WPPi.com | WPPi.Net ------------------------------------------------- http://www.wppi.com | http://www.wppi.net ------------------------------------------------- WPPi.com & WPPi.Net MailScanner Signature This message has been scanned for viruses and dangerous content by WPPi MailScanner, and has been found to be clean. ------------------------------------------------- From prandal at HEREFORDSHIRE.GOV.UK Thu Feb 12 10:20:30 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:31 2006 Subject: Mydoom Virus getting Through Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C514@jessica.herefordshire.gov.uk> That's exactly what I've seen too. Well spotted Martin and Julian. 
Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Martin Hepworth > Sent: 11 February 2004 16:48 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mydoom Virus getting Through > > > Julian Field wrote: > > I found at least 1 part of the problem. > > > > The message that contained the MyDoom that got through > Sophos (before > > 3.78d) was actually a bounce from another mail server that > included the > > entire text of the original message. > > > > This message does not have the right MIME structure for the > MIME-tools to > > be able to open it, as it is a text/plain messsage that > just happens to > > contain text which contains a mime structure. So MIME-tools > quite fairly > > won't extract the attachments from within it. > > > > I now have an example message of this type, and so I will > spend some time > > working on a solution to it. No guarantees, though, the > MIME-tools code is > > pretty heavy reading. > > > > So don't bother sending me any more, I think the one > message I have is a > > good example of the type of problem. It can also occur with > other viruses, > > it's a problem caused by MTA's bouncing the entire message. > Fortunately > > it's not been a big problem so far, but I would quite like > to fix it if > > I can. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Julian > > that's exactly what I've just seen. > > the virus was in a base64 attached multipart message, with only 1 part > there, the second being non-existant, even though it says next-part... > > clunk. 
> > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > From ugob at CAMO-ROUTE.COM Sun Feb 15 16:21:12 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:31 2006 Subject: spamcop timeout {Scanned} Message-ID: <54C38A0B814C8E438EF73FC76F3629274108EE@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: SW [mailto:wppiphoto@wppi.com] > Sent: Sunday, February 15, 2004 10:50 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: spamcop timeout {Scanned} > > > Hi folks, > > Was wondering how I can fix time outs in mailscanner? If > tried to increase a > few of the timout setting in mailscanner.conf but still keep > getting time > outs. You should investigate on the cause then, dns, razor, pyzor, dcc...? >Here is what I have in mailscanner.conf: > > Spam List Timeout = 20 > SpamAssassin Timeout = 40 > > Here is the message I get in my log files: > > RBL Check spamcop.net timed out and was > killed, consecutive failure 1 of 15 > > Thanks, > > SW > > > > ------------------------------------------------- > WPPi.com | WPPi.Net > ------------------------------------------------- > http://www.wppi.com | http://www.wppi.net > ------------------------------------------------- > WPPi.com & WPPi.Net MailScanner Signature > This message has been scanned for viruses > and dangerous content by WPPi MailScanner, > and has been found to be clean. 
> ------------------------------------------------- > From raymond at PROLOCATION.NET Sun Feb 15 17:55:21 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:31 2006 Subject: [Clamav-announce] announcing ClamAV 0.67 (fwd) Message-ID: FYI ---------- Forwarded message ---------- Date: Sun, 15 Feb 2004 15:39:28 +0100 From: Luca Gibelli To: clamav-announce@lists.sourceforge.net Subject: [Clamav-announce] announcing ClamAV 0.67 ClamAV 0.67 has been released. This release fixes a memory management problem (platform dependent; can lead to a DoS attack) with messages that only have attachments (reported by Oliver Brandmueller). It also contains patches for a few problems found in 0.66 and has better Cygwin support. You can download it at http://download.sourceforge.net/clamav/ The ClamAV team (http://www.clamav.net) -- Luca Gibelli (luca@gibelli.it || bofh@oltrelinux.com) Home Page: http://www.nervous.it ------------------------------------------------------- SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click _______________________________________________ Clamav-announce mailing list Clamav-announce@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/clamav-announce From 20020401 at DUH.NET Sun Feb 15 16:39:02 2004 From: 20020401 at DUH.NET (Travis Taylor) Date: Thu Jan 12 21:22:31 2006 Subject: Adding Envelope Headers? Message-ID: <1076863142@otherbbs.com> Kai Schaetzl wrote on Fri, 13 Feb 2004 15:00:11 +0100: >> That's your MTA's job. >> > >Almost overlooked that one. I think that's strictly a point-of-view >thing. Why should it be natural for the MTA to do? Anyway, I searched >around how sendmail could do this and it simply doesn't. 
In sendmail add the following line in the "Format of headers" section of your sendmail.cf: HX-Envelope-From: $g HX-Envelope-To: $u Myself, I prefer to have the envelope addresses in Received line. --- Travis Taylor From ugob at CAMO-ROUTE.COM Sun Feb 15 18:46:03 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:31 2006 Subject: spamcop timeout {Scanned} Message-ID: <54C38A0B814C8E438EF73FC76F3629274108EF@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: Kai Schaetzl [mailto:maillists@CONACTIVE.COM] > Sent: Sunday, February 15, 2004 12:32 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: spamcop timeout {Scanned} > > > Ugo Bellavance wrote on Sun, 15 Feb 2004 11:21:12 -0500: > > > > RBL Check spamcop.net timed out and was > > > killed, consecutive failure 1 of 15 > > > > Well, he just has to take notice of the cause ;-) Oops, sorry. I read too fast... > > > Kai > > -- > > Kai Schätzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > IE-Center: http://ie5.de & http://msie.winware.org > From maillists at CONACTIVE.COM Sun Feb 15 19:18:13 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:31 2006 Subject: Adding Envelope Headers? In-Reply-To: <1076863142@otherbbs.com> References: <1076863142@otherbbs.com> Message-ID: Travis Taylor wrote on Sun, 15 Feb 2004 10:39:02 -0600: > In sendmail add the following line in the "Format of headers" section > of your sendmail.cf: > > HX-Envelope-From: $g > HX-Envelope-To: $u Wow, fairly easy. Thanks! I wonder why they don't tell you this in the sendmail groups on Usenet. All solutions I could find involved procmail. Only caveat here is that it won't add any to if there is more than one recipient. I prefer to have this generated from the mc files, so I can easily recreate after a small config change and carry over to other machines. 
If everyone else wants to know: this is in proto.m4, you can just add it below the other header lines in the "Format of headers" section and it will show up in the sendmail.cf then. > > Myself, I prefer to have the envelope addresses in Received line. > Doesn't add extra lines, I see, but makes it harder to build mail filing rules. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Sun Feb 15 19:18:13 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:31 2006 Subject: spamcop timeout {Scanned} In-Reply-To: <54C38A0B814C8E438EF73FC76F3629274108EF@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F3629274108EF@mtlnt501fs.CAMOROUTE.COM> Message-ID: Ugo Bellavance wrote on Sun, 15 Feb 2004 13:46:03 -0500: > Oops, sorry. I read too fast... > In most cases it's better to be too fast than too slow ;-) Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From mailscanner at ecs.soton.ac.uk Sun Feb 15 18:08:21 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:31 2006 Subject: Some e-mails not being scanned? {Scanned} In-Reply-To: <003a01c3f3da$58331a30$0d01a8c0@Toshiba> References: <003a01c3f3da$58331a30$0d01a8c0@Toshiba> Message-ID: <6.0.1.1.2.20040215180600.0323a5a0@imap.ecs.soton.ac.uk> I suspect from the headers that you have an email-generating app (a webmail system perhaps?) that is sending mail by directly invoking the sendmail binary. You need to get this app to send mail by talking SMTP to localhost instead. Either that or you have bypassed the MS host in some way for this mail. As you don't say which of the systems involved is the MS host, it is impossible to say for definite. 
At 15:42 15/02/2004, you wrote: >Can someone tell me why some e-mails don't get scanned by MS/SA? I know they >are not being scanned because they are missing the mailscanner header info. >The only thing I can think of is that there is something in mailscanner >which ignores e-mails that contain in the header 'X-AntiAbuse' and flags >them as non-spam. Not sure if I'm right but hopefully someone here can help. > >Here is a sample e-mail header which does not get scanned by mailscanner: > >Return-Path: >Received: from free-web-hosting-and-free-email.com >(pcp07722622pcs.nrockv01.md.comcast.net [69.138.239.114]) > by wppi.net (8.10.2/8.10.2) with SMTP id i1BMkQA01925 > for ; Wed, 11 Feb 2004 17:46:30 -0500 >Received: (from www@localhost) > by free-web-hosting-and-free-email.com (SMTPD32-7.00) with ESMTP id >J87Gz037587771 > for ; Wed, 11 Feb 2004 17:44:37 -0500 (EST) > (envelope-from www) >Message-ID: <823244444119.yyr36h3MgwRq8N@localhost> >From: "Ruthie Nixon" >To: sales@wppi.net >Subject: Website Intros and Animated Logos {Scanned} >Date: Wed, 11 Feb 2004 17:44:37 -0500 (EST) >X-AntiAbuse: This header was added to track abuse, please include it with >any abuse report >X-AntiAbuse: Primary Hostname - free-web-hosting-and-free-email.com >X-AntiAbuse: Original Domain - free-web-hosting-and-free-email.com >X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80] >X-AntiAbuse: Sender Address Domain - >MIME-Version: 1.0 >Content-Type: multipart/alternative; > boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00" > > >Thanks, > >SW > > > >------------------------------------------------- > WPPi.com | WPPi.Net >------------------------------------------------- > http://www.wppi.com | http://www.wppi.net >------------------------------------------------- >WPPi.com & WPPi.Net MailScanner Signature >This message has been scanned for viruses >and dangerous content by WPPi MailScanner, >and has been found to be clean. 
>------------------------------------------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From maillists at CONACTIVE.COM Sun Feb 15 22:31:33 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:31 2006 Subject: Some conf settings not honored? Message-ID: I have set Hide Incoming Work Dir = yes Warning Is Attachment = no As I understand the warning should not be an attachment but inline text and the file information should only show the filename. That's not the case here. Doing something wrong? I still get the warning attached in Attachment-Warning.txt (and no inline warning but the notice to open the Attachment-Warning.txt) and the warning looks like this (parts snipped): ----- Am Sun Feb 15 22:41:28 2004 meldete der Virenscanner folgendes: virus.exe contains Worm.Gibe.F Executable DOS/Windows programs are dangerous in email (virus.exe) Hinweis an den Administrator: Datei ist auf Rechner: n7 im Verzeichnis /var/spool/MailScanner/quarantine/20040215 (NachrichtenID i1FLfPS7006353) abgespeichert. ----- This is using the German report files from the de dir. Also note the English text in it: virus.exe contains Worm.Gibe.F Executable DOS/Windows programs are dangerous in email (virus.exe) There doesn't seem to be a chance of translating these via languages.conf. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Sun Feb 15 22:31:33 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:31 2006 Subject: Mydoom Virus getting Through - High Spam In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C527@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C527@jessica.herefordshire.gov.uk> Message-ID: Phil Randal wrote on Fri, 13 Feb 2004 14:18:32 -0000: > High Scoring Spam Actions = store delete > I can repro this here now, too, with High Scoring Spam Actions = store I must have had it at "deliver" in the first test. 
The viruses we get are usually scoring as spam and are not scanned for virus or content anymore, only if I send myself a virus with no spam it gets scanned and detected as a virus. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From ryan.finnesey at CORPDSG.COM Sun Feb 15 23:26:32 2004 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:22:31 2006 Subject: Mcafee Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C401E9D0@dc012.corpdsg.com> Can anyone join this list? I have been trying to get in contact with someone at Mcafee's XSP OEM group for some time now. Ryan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Randal, Phil Sent: Wednesday, February 11, 2004 4:43 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mcafee No, it has recently been updated, runs like a charm here. I've just asked on the (McAfee) Total Virus Defense User Group mailinglist, so hopefully one of the NAI support guys will get back to me. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Remco Barendse > Sent: 11 February 2004 12:04 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mcafee > > > My ISP used to provide it for free with the account but they > stopped it > because mcafee supposedly ceased development / support on the > virusscan > for linux?? > > Have not been able to find any info about it though > > On Mon, 9 Feb 2004, Steve Churcher wrote: > > > Hi All > > > > Does anyone know where I can purchase a license for McAfee > Command line > > for unix in the UK? Or indeed anywhere really! > > > > Seems a hard one to track down or maybe its just me.. 
> >
> > Thanks
> > Steve
> >
>

From brose at MED.WAYNE.EDU Mon Feb 16 01:55:58 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:31 2006
Subject: Sophos bug
Message-ID:

Did anyone see this bug report?

http://www.prognosisx.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=
JanDD%2edb&command=viewone&id=74&op=t

From stefanzman at YAHOO.COM Mon Feb 16 02:14:46 2004
From: stefanzman at YAHOO.COM (Stefan Z)
Date: Thu Jan 12 21:22:31 2006
Subject: SpamAssassin and alternate Perl, Cobalt
Message-ID:

Hello,

I have a client that is using MailScanner with SpamAssassin on a Sun Cobalt XTR. With the requirement for a Perl instance greater than 5.003 (Cobalt default), Perl 5.8 and all SpamAssassin files were installed into the /home/spam-filter directory (by another consultant).

The customer would not like to upgrade his SpamAssassin (from 2.54 to 2.63) while leaving MailScanner alone.

My questions:

- How does MailScanner know that spamassassin is in /home/spam-filter?
- Would using /home/spam-filter/bin/perl Makefile.PL during installation of SpamAssassin take care of necessary dependencies for MailScanner?
- Does this apply to an upgrade as well?
- Is there anything specifically I should be concerned about when upgrading SpamAssassin as it relates to MailScanner integration?

Thanks and regards,

Stefan

From jonc at nc.rr.com Mon Feb 16 04:32:38 2004
From: jonc at nc.rr.com (Jon Carnes)
Date: Thu Jan 12 21:22:31 2006
Subject: How can I log whether MailScanner is running the Antivirus
In-Reply-To: <6.0.1.1.2.20040214165141.03a42c58@imap.ecs.soton.ac.uk>
References: <1076776555.3147.27.camel@localhost.localdomain> <6.0.1.1.2.20040214165141.03a42c58@imap.ecs.soton.ac.uk>
Message-ID: <1076905958.3180.87.camel@localhost.localdomain>

On Sat, 2004-02-14 at 11:55, Julian Field wrote:
> Make sure your path to the Incoming Work Dir does not include any links.
> Also make sure the installation path of mcafee in virus.scanners.conf does
> not contain any links.
> There are no links in the Incoming Work Dir and the installation path of mcafee in virus.scanners.conf does not contain any links. Could the problem be my modification of the mcafee-wrapper program? exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@" If I run without the "LD_PRELOAD=/lib/libc.so.6 " on that line, then the mail just stops being processed - which I assume is the virus scanner locking up (well at least I know it's running the virus scanner then!) With that added to the line, things run, but apparently no mail gets scanned. I've been running this for awhile and the mail policies defined by filename.rules.conf have been stopping almost all the viruses... In fact if it hadn't been for the recent MyDoom flood that uses zip files, I would still be blissfully ignorant of the problem. BTW: The only way to get this version of mcafee to run run on this server (RH 9) is to add the "LD_PRELOAD..." before running the application. Thanks for the response, Jon Carnes > At 16:35 14/02/2004, you wrote: > >Oy! Such a week. I need more information to figure this out. > > > >Does MailScanner runs the Anti-virus app on the mail spool (complete > >with uuencoded application) or does it un-encode the attachment and run > >the scan on that? > > > >Is there a way to log the virus scanning portion of MailScanners > >activities? > > > >My anti-virus app is not catching any viruses in emails - so either some > >of my munging has caused MailScanner not to run my app or there is a > >problem with my virus scanner... > > > > - I've captured a MyDoom example and my app finds it just fine with > >ordinary scanning. > > - I've captured the incoming queue and scanned queued files with a > >MyDoom attachment - the app does NOT detect the virus in its transit > >encoded form. > > - I've quarantined email using filename.rules.conf, and the anti-virus > >app DOES detect the virus in the attachment in the quarantine area. 
> > - I've let the email pass through to the users spool and then scanned > >the spool, the anti-virus app DOES detect it. > > > >I stop most attachments but allow zip files using filename.rules.conf. > >I thought the infected zip files would be caught by my virus scanner, > >being run by MailScanner, but they are not. > > > >This is very frustrating. I've googled, searched the archives and > >re-read the docs several times. I've even hacked a bit into the > >SweepViruses.pm code to try and find how it's applying the virus > >scanner. > > > >I'm running mailscanner-4.23-11 > >on Red Hat Linux 9 > >and using mcafee (uvscan) as my virus scanner. > > > >Some pertinent info from MailScanner.conf > > Virus Scanning = yes > > Virus Scanners = mcafee > > > >====== > >Some notes for the archives: > > > >In order to get uvscan to work properly on RH9 I had to modify the > >mcafee-wrapper program used by MailScanner. The commented out statement > >is the old one, and the one below it is the modified statement which > >works fine (but doesn't seem to catch the zipped versions of MyDoom). > > > ># exec ${PackageDir}/$prog -d $datDIR "$@" > >exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@" > > > >=== > >Further notes: > > > >UVScan will not ordinarily scan an archive file (.zip), but if you add > >the switch "--secure" it will. 
Originally (last week), I thought this > >was the problem and so I modified the mcafee-wrapper again and added > >that switch: > > > ># exec ${PackageDir}/$prog -d $datDIR "$@" > ># exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@" > ># added "--secure" to enable scanning of zipped files - JonC 2/11/2004 > >exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog --secure -d $datDIR > >"$@" > > > >=== > >Any help or insights would be appreciated > > > >Jon Carnes > >jonc@nc.rr.com From jonc at nc.rr.com Mon Feb 16 07:12:59 2004 From: jonc at nc.rr.com (Jon Carnes) Date: Thu Jan 12 21:22:31 2006 Subject: How can I log whether MailScanner is running the Antivirus app?
- Answered
In-Reply-To: <1076905958.3180.87.camel@localhost.localdomain>
References: <1076776555.3147.27.camel@localhost.localdomain> <6.0.1.1.2.20040214165141.03a42c58@imap.ecs.soton.ac.uk> <1076905958.3180.87.camel@localhost.localdomain>
Message-ID: <1076915579.3180.213.camel@localhost.localdomain>

Well, I captured some incoming viruses using the /etc/MailScanner/filename.rules.conf settings, then took one of those viruses and sent it through the MailScanner system as my test

The key that I needed to know was that MailScanner will identify when it finds a virus in the log with a message like this:

# grep virus\ \! maillog
Feb 16 01:21:44 twconn MailScanner[11029]: /i1G6LUrw011045/text Found the W32/Mydoom.a@MM virus !!!
Feb 16 01:25:05 twconn MailScanner[11034]: /i1G6Oorw011125/text.zip Found the W32/Mydoom.a@MM virus !!!

My problem was that McAfee needed to be modified to run properly on my Red Hat 9 server. Originally I put the modification into the mcafee-wrapper - that did not work. I moved the modification into a shell script and replaced the application: /usr/local/uvscan/uvscan with the shell script. That worked!

The uvscan shell script is:

   #! /bin/sh
   # wrapper for virus scan - to make it work on RH9
   LD_PRELOAD=/lib/libc.so.6 /usr/local/uvscan/uvscan.x $1 $2 $3 $4 $5 $6 $7 $8 $9

The original uvscan application was renamed uvscan.x

Everything is working well. Thanks for your insights Julian (and the great MailScanner application!)

Take care - Jon Carnes

On Sun, 2004-02-15 at 23:32, Jon Carnes wrote:
> On Sat, 2004-02-14 at 11:55, Julian Field wrote:
> > Make sure your path to the Incoming Work Dir does not include any links.
> > Also make sure the installation path of mcafee in virus.scanners.conf does
> > not contain any links.
> >
>
> There are no links in the Incoming Work Dir and the installation path of
> mcafee in virus.scanners.conf does not contain any links.
>
> Could the problem be my modification of the mcafee-wrapper program?
> > exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@" > > If I run without the "LD_PRELOAD=/lib/libc.so.6 " on that line, then the > mail just stops being processed - which I assume is the virus scanner > locking up (well at least I know it's running the virus scanner then!) > > With that added to the line, things run, but apparently no mail gets > scanned. I've been running this for awhile and the mail policies defined > by filename.rules.conf have been stopping almost all the viruses... In > fact if it hadn't been for the recent MyDoom flood that uses zip files, > I would still be blissfully ignorant of the problem. > > BTW: The only way to get this version of mcafee to run run on this > server (RH 9) is to add the "LD_PRELOAD..." before running the > application. > > Thanks for the response, > > Jon Carnes > > > At 16:35 14/02/2004, you wrote: > > >Oy! Such a week. I need more information to figure this out. > > > > > >Does MailScanner runs the Anti-virus app on the mail spool (complete > > >with uuencoded application) or does it un-encode the attachment and run > > >the scan on that? > > > > > >Is there a way to log the virus scanning portion of MailScanners > > >activities? > > > > > >My anti-virus app is not catching any viruses in emails - so either some > > >of my munging has caused MailScanner not to run my app or there is a > > >problem with my virus scanner... > > > > > > - I've captured a MyDoom example and my app finds it just fine with > > >ordinary scanning. > > > - I've captured the incoming queue and scanned queued files with a > > >MyDoom attachment - the app does NOT detect the virus in its transit > > >encoded form. > > > - I've quarantined email using filename.rules.conf, and the anti-virus > > >app DOES detect the virus in the attachment in the quarantine area. > > > - I've let the email pass through to the users spool and then scanned > > >the spool, the anti-virus app DOES detect it. 
> > > > > >I stop most attachments but allow zip files using filename.rules.conf. > > >I thought the infected zip files would be caught by my virus scanner, > > >being run by MailScanner, but they are not. > > > > > >This is very frustrating. I've googled, searched the archives and > > >re-read the docs several times. I've even hacked a bit into the > > >SweepViruses.pm code to try and find how it's applying the virus > > >scanner. > > > > > >I'm running mailscanner-4.23-11 > > >on Red Hat Linux 9 > > >and using mcafee (uvscan) as my virus scanner. > > > > > >Some pertinent info from MailScanner.conf > > > Virus Scanning = yes > > > Virus Scanners = mcafee > > > > > >====== > > >Some notes for the archives: > > > > > >In order to get uvscan to work properly on RH9 I had to modify the > > >mcafee-wrapper program used by MailScanner. The commented out statement > > >is the old one, and the one below it is the modified statement which > > >works fine (but doesn't seem to catch the zipped versions of MyDoom). > > > > > ># exec ${PackageDir}/$prog -d $datDIR "$@" > > >exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@" > > > > > >=== > > >Further notes: > > > > > >UVScan will not ordinarily scan an archive file (.zip), but if you add > > >the switch "--secure" it will. 
Originally (last week), I thought this > > >was the problem and so I modified the mcafee-wrapper again and added > > >that switch: > > > > > ># exec ${PackageDir}/$prog -d $datDIR "$@" > > ># exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@" > > ># added "--secure" to enable scanning of zipped files - JonC 2/11/2004 > > >exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog --secure -d $datDIR > > >"$@" > > > > > >=== > > >Any help or insights would be appreciated > > > > > >Jon Carnes From kevins at BMRB.CO.UK Mon Feb 16 07:44:24 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:31 2006 Subject: Sophos bug In-Reply-To: References: Message-ID: <1076917464.10099.22.camel@bach.kevinspicer.co.uk> On Mon, 2004-02-16 at 01:55, Rose, Bobby wrote: > Did anyone see this bug report? > There was a thread last week about upgrading to Sophos 3.78d for this reason BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Mon Feb 16 08:52:00 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:31 2006 Subject: Some conf settings not honored? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040216085116.03bd2c80@imap.ecs.soton.ac.uk> At 22:31 15/02/2004, you wrote: >I have set > >Hide Incoming Work Dir = yes Does the path to your Incoming Work Dir contain any links? That's the usual cause. 
>Warning Is Attachment = no

That's dependent on the MUA the user is using. Some MUAs support this better than others.

>As I understand the warning should not be an attachment but inline text
>and the file information should only show the filename. That's not the
>case here.
>
>Doing something wrong?
>
>I still get the warning attached in Attachment-Warning.txt (and no inline
>warning but the notice to open the Attachment-Warning.txt) and the warning
>looks like this (parts snipped):
>-----
>Am Sun Feb 15 22:41:28 2004 meldete der Virenscanner folgendes:
>    virus.exe contains Worm.Gibe.F
>    Executable DOS/Windows programs are dangerous in email (virus.exe)
>
>Hinweis an den Administrator:
>Datei ist auf Rechner: n7 im Verzeichnis
>/var/spool/MailScanner/quarantine/20040215 (NachrichtenID i1FLfPS7006353)
>abgespeichert.
>-----
>
>This is using the German report files from the de dir. Also note the
>English text in it:
>    virus.exe contains Worm.Gibe.F
>    Executable DOS/Windows programs are dangerous in email (virus.exe)
>
>There doesn't seem to be a chance of translating these via languages.conf.
>
>
>Kai
>
>--
>
>Kai Schätzl, Berlin, Germany
>Get your web at Conactive Internet Services: http://www.conactive.com
>IE-Center: http://ie5.de & http://msie.winware.org

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 16 08:55:57 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:31 2006
Subject: How can I log whether MailScanner is running the Antivirus app?
- Answered
In-Reply-To: <1076915579.3180.213.camel@localhost.localdomain>
References: <1076776555.3147.27.camel@localhost.localdomain> <6.0.1.1.2.20040214165141.03a42c58@imap.ecs.soton.ac.uk> <1076905958.3180.87.camel@localhost.localdomain> <1076915579.3180.213.camel@localhost.localdomain>
Message-ID: <6.0.1.1.2.20040216085418.03d82a28@imap.ecs.soton.ac.uk>

At 07:12 16/02/2004, you wrote:
>   #! /bin/sh
>   # wrapper for virus scan - to make it work on RH9
>   LD_PRELOAD=/lib/libc.so.6 /usr/local/uvscan/uvscan.x $1 $2 $3 $4 $5 $6
>$7 $8 $9

Instead of all those $1 etc numbers, you should put this

         LD_PRELOAD=/lib/libc.so.6 /usr/local/uvscan/uvscan.x "$@"

That will handle all the quoting, spaces, etc properly.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From danikostyal at HOME.RO Mon Feb 16 08:53:02 2004
From: danikostyal at HOME.RO (Daniel Kostyal)
Date: Thu Jan 12 21:22:31 2006
Subject: install problem
Message-ID: <003301c3f46a$498af4e0$0c00a8c0@instalari>

Hi,

I am trying to install MailScanner-4.26.8-1 on my Mandrake 9.1 Linux. During the installation script I get errors like: perl_IO-strigy-2.108-1 needs perl-base>=5.800. I have perl-base-5.8.0-19mdk.
I have tried also to install each module manually and then install mailscanner with --nodeps but I still receive the following error when I try to start the service:

 MailScanner: Can't locate Net/CIDR.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Config.pm line 34.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Config.pm line 34.
Compilation failed in require at /usr/sbin/MailScanner line 42. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 42. [ OK ] Please help me. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040216/3db362ec/attachment.html From mailscanner at ecs.soton.ac.uk Mon Feb 16 09:08:45 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:31 2006 Subject: install problem In-Reply-To: <003301c3f46a$498af4e0$0c00a8c0@instalari> References: <003301c3f46a$498af4e0$0c00a8c0@instalari> Message-ID: <6.0.1.1.2.20040216090822.03dcf478@imap.ecs.soton.ac.uk> You haven't installed the Net::CIDR perl module. At 08:53 16/02/2004, you wrote: >Hi, > >I am trying to install MailScanner-4.26.8-1 on my Mandrake 9.1 Linux. >During the intalation script I get errors like: perl_IO-strigy-2.108-1 >needs perl-base>=5.800. I have perl-base-5.8.0-19mdk. >I have tryed also to install each module manualy and then install >mailscanner with --nodeps but I still recive the following error when I >try to start the service: > > MailScanner: Can't locate Net/CIDR.pm in @INC (@INC > contains: /usr/lib/MailScanner > /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl > /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . > /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Config.pm line 34. >BEGIN failed--compilation aborted at >/usr/lib/MailScanner/MailScanner/Config.pm line 34. >Compilation failed in require at /usr/sbin/MailScanner line 42. >BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 42. > [ OK ] >Please help me. 
> > >Thanks -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From david at PLATFORMHOSTING.COM Mon Feb 16 09:49:21 2004 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:22:31 2006 Subject: Footers In-Reply-To: <1076915579.3180.213.camel@localhost.localdomain> Message-ID: <200402160949.i1G9nKp14242@mx1.mailsecurity.net.au> Hi All, We have customers beginning to go mental at us again for the fact that footers are applied multiple times on their email conversations - ie. They reply to an email and don't trim the footer off and wind up with a heap of footers on the bottom of their mail. While I know this is more an issue of them not trimming is there any way MailScanner can check to see if the message already has the footer & either removes to old one and re-appends to the bottom /or/ just plain doesn't append it if a copy already exists in the message? I had an idea that perhaps MailScanner could look for a string (the first line of the footer) in the message and if it exists, don't append the footer. I think I've asked this before and no real solution was offered, it would be a very nice thing to have added if it is at all possible! I'm sure I'm not the only person who has customers who have asked for this.. 
Regards, David Hooton ======================================================================== Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== From mailscanner at ecs.soton.ac.uk Mon Feb 16 10:07:31 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:31 2006 Subject: Footers In-Reply-To: <200402160949.i1G9nKp14242@mx1.mailsecurity.net.au> References: <1076915579.3180.213.camel@localhost.localdomain> <200402160949.i1G9nKp14242@mx1.mailsecurity.net.au> Message-ID: <6.0.1.1.2.20040216100638.03cb9b20@imap.ecs.soton.ac.uk> Please see MailScanner.conf: # If this is "no", then (as far as possible) messages which have already # been processed by another MailScanner server will not have the clean # signature added to the message. This prevents messages getting many # copies of the signature as they flow through your site. # This can also be the filename of a ruleset. Sign Messages Already Processed = no It relies on the "Mail Header" setting being the same across all your MailScanner servers. At 09:49 16/02/2004, you wrote: >Hi All, > >We have customers beginning to go mental at us again for the fact that >footers are applied multiple times on their email conversations - ie. They >reply to an email and don't trim the footer off and wind up with a heap of >footers on the bottom of their mail. > >While I know this is more an issue of them not trimming is there any way >MailScanner can check to see if the message already has the footer & either >removes to old one and re-appends to the bottom /or/ just plain doesn't >append it if a copy already exists in the message? > >I had an idea that perhaps MailScanner could look for a string (the first >line of the footer) in the message and if it exists, don't append the >footer. 
> >I think I've asked this before and no real solution was offered, it would be >a very nice thing to have added if it is at all possible! I'm sure I'm not >the only person who has customers who have asked for this.. > >Regards, > >David Hooton > > >======================================================================== > Pain free spam & virus protection by: www.mailsecurity.net.au > Forward undetected SPAM to: spam@mailsecurity.net.au >======================================================================== -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From david at PLATFORMHOSTING.COM Mon Feb 16 10:36:09 2004 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:22:31 2006 Subject: Footers In-Reply-To: <6.0.1.1.2.20040216100638.03cb9b20@imap.ecs.soton.ac.uk> Message-ID: <200402161036.i1GAa9p25685@mx1.mailsecurity.net.au> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Julian Field > Sent: Monday, 16 February 2004 9:08 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Footers > > Please see MailScanner.conf: > > # If this is "no", then (as far as possible) messages which have already > # been processed by another MailScanner server will not have the clean > # signature added to the message. This prevents messages getting many > # copies of the signature as they flow through your site. > # This can also be the filename of a ruleset. > Sign Messages Already Processed = no > > It relies on the "Mail Header" setting being the same across all your > MailScanner servers. Hi Julian, We do have that set as you've described. Below is an example of a user sending to another user on the same server (Mail Header setting obviously not an issue). 

> > ========================================================================
> > Dave's Test Footer
> > ====================================================================
> > ====
> >

> ========================================================================
> Dave's Test Footer
> ======================================================================
> ==


========================================================================
Dave's Test Footer
========================================================================

I've asked about this before and was given the suggestion you've just given
me, user comments backed off for a while so I forgot it was still an issue
for them :) They have just started harassing me again!

Any other hints?

Regards,

David Hooton

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From jonc at nc.rr.com Mon Feb 16 13:37:55 2004
From: jonc at nc.rr.com (Jon Carnes)
Date: Thu Jan 12 21:22:31 2006
Subject: Footers
In-Reply-To: <200402161036.i1GAa9p25685@mx1.mailsecurity.net.au>
References: <200402161036.i1GAa9p25685@mx1.mailsecurity.net.au>
Message-ID: <1076938675.3155.10.camel@localhost.localdomain>

On Mon, 2004-02-16 at 05:36, David Hooton wrote:
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Julian Field
> > Sent: Monday, 16 February 2004 9:08 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Footers
> >
> > Please see MailScanner.conf:
> >
> > # If this is "no", then (as far as possible) messages which have already
> > # been processed by another MailScanner server will not have the clean
> > # signature added to the message. This prevents messages getting many
> > # copies of the signature as they flow through your site.
> > # This can also be the filename of a ruleset.
> > Sign Messages Already Processed = no
> >
> > It relies on the "Mail Header" setting being the same across all your
> > MailScanner servers.
>
> Hi Julian,
>
> We do have that set as you've described. Below is an example of a user
> sending to another user on the same server (Mail Header setting obviously
> not an issue).
>
> > > ========================================================================
> > > Dave's Test Footer
> > > ====================================================================
> > > ====
> > >
>
> > ========================================================================
> > Dave's Test Footer
> > ======================================================================
> > ==
>
>
> ========================================================================
> Dave's Test Footer
> ========================================================================
>
> I've asked about this before and was given the suggestion you've just given
> me, user comments backed off for a while so I forgot it was still an issue
> for them :) They have just started harassing me again!
>
> Any other hints?
>
> Regards,
>
> David Hooton

Well, I'm sure you realize that MailScanner is acting properly in this
situation. Each response from a user is really a different message -
even though the folks responding failed to trim off the footer.

The old footer indicating that the message was scanned (that's what the
footer is for) is no longer valid, once a user modifies the message in
any way.

Your best bet is to modify the footer so that it is recognized as
something to be thrown away during a response. One standard that some
MUA's use is to have the throw-away footer formed like this:

--
Daves Footer

Good Luck - Jon Carnes

From ycayer at 3webmedia.com Mon Feb 16 14:46:22 2004
From: ycayer at 3webmedia.com (Yannick Cayer)
Date: Thu Jan 12 21:22:31 2006
Subject: MailScanner suddently taking all the CPU and a lot of memory.
In-Reply-To: <4915A8E67C498D42BAB5CB1351FD026E22D853@3webad1.3WebMedia.int>
Message-ID: <200402161446.i1GEkGB01697@3webserv2.3webmedia.com>

I found out, while investigating another problem, that if I disabled Spam
checking and Spamassassin, MailScanner is no longer randomly taking all
the CPU and crashing.

So it would appear that the problem is in Spamassassin. Has anyone ever
experienced this with Spamassassin?

Thank you again for your help.

_____

From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Yannick Cayer
Sent: Monday, February 02, 2004 5:48 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner suddently taking all the CPU and a lot of memory.

Greetings,

I have the following configuration:

mailscanner-4.25-14 with spamassassin 2.61
sendmail 8.11.6-27
on an IBM x235
2 2.4GHZ Processors
1.25 GHZ of RAM
Hot swappable raid 5 config.

We have about 100 small sites configured for mail mostly and some, web.

This is running on RedHat Linux 7.3
Kernel 2.4.18-27.7.xsmp

We have been running MailScanner on that machine for almost 2 years now
without any problems.

Since last week, MailScanner has been bringing the server almost to a
complete halt, loads are skyrocketing very suddenly to 200! It is also
taking at that time about 25MB per MailScanner process. It does this for
several minutes to a few hours and then suddenly comes back.

I really don't know what can be causing this. I have read the mail
archives for this problem but the solutions I found were not appropriate
to my specific problem/condition.

My config has the max attachments set to 5 and the MailScanner processes
set to 10 (5 per CPU).

Can anyone help?

Thank you in advance.

From stefanzman at yahoo.com Mon Feb 16 15:44:57 2004
From: stefanzman at yahoo.com (Stefan Zauchenberger)
Date: Thu Jan 12 21:22:31 2006
Subject: SpamAssassin location
Message-ID: <20040216154457.66813.qmail@web41313.mail.yahoo.com>

How does MailScanner determine the install location of
SpamAssassin (assuming SA has not been installed in its
default path)?

Thanks,

Stefan

From mkettler at EVI-INC.COM Mon Feb 16 16:03:58 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:31 2006
Subject: SpamAssassin location
In-Reply-To: <20040216154457.66813.qmail@web41313.mail.yahoo.com>
References: <20040216154457.66813.qmail@web41313.mail.yahoo.com>
Message-ID: <6.0.0.22.0.20040216105620.02852630@xanadu.evi-inc.com>

At 10:44 AM 2/16/2004, Stefan Zauchenberger wrote:
>How does MailScanner determine the install location of
>SpamAssassin (assuming SA has not been installed in its
>default path)?

Well, mailscanner doesn't care so much about spamassassin, just where the
Mail::SpamAssassin perl module is. And technically, it's not MailScanner
that cares, it's perl.

Where perl looks for modules is going to be based on your perl @INC path.
If perl doesn't know where to find the module, perl won't find it, and thus
MailScanner can't use it.

perl -e 'print @INC;'

usually the Mail::SpamAssassin module is under
/usr/lib/perl5/site_perl/(version)/.


If you're using some other path for perl modules I'm not sure how, but
you'll need to make perl aware of them.

From craig at WESTPRESS.COM Mon Feb 16 16:13:42 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:31 2006
Subject: SpamAssassin location
In-Reply-To: <6.0.0.22.0.20040216105620.02852630@xanadu.evi-inc.com>
References: <20040216154457.66813.qmail@web41313.mail.yahoo.com> <6.0.0.22.0.20040216105620.02852630@xanadu.evi-inc.com>
Message-ID:

>At 10:44 AM 2/16/2004, Stefan Zauchenberger wrote:
>>How does MailScanner determine the install location of
>>SpamAssassin (assuming SA has not been installed in its
>>default path)?
>
>Well, mailscanner doesn't care so much about spamassassin, just where the
>Mail::SpamAssassin perl module is. And technically, it's not MailScanner
>that cares, it's perl.
>
>Where perl looks for modules is going to be based on your perl @INC path.
>If perl doesn't know where to find the module, perl won't find it, and thus
>MailScanner can't use it.
>
>perl -e 'print @INC;'
>
>usually the Mail::SpamAssassin module is under
>/usr/lib/perl5/site_perl/(version)/.
>
>
>If you're using some other path for perl modules I'm not sure how, but
>you'll need to make perl aware of them.

I know that when I upgraded to SpamAssassin 2.63 from 2.61,
MailScanner could not find SpamAssassin.

MailScanner was looking in '/usr/lib/perl5/site_perl/5.8.0/Mail' for
the SpamAssassin directory and couldn't find it because it was in
'/usr/lib/perl5/5.6.1/Mail'. So I just symlinked it and everything
worked great after that. (It might have been the other way around, I
can't quite recall.)
--
--
Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com
--

From mkettler at EVI-INC.COM Mon Feb 16 16:24:02 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:31 2006
Subject: SpamAssassin location
In-Reply-To:
References: <20040216154457.66813.qmail@web41313.mail.yahoo.com> <6.0.0.22.0.20040216105620.02852630@xanadu.evi-inc.com>
Message-ID: <6.0.0.22.0.20040216112222.028405f0@xanadu.evi-inc.com>

At 11:13 AM 2/16/2004, Craig Daters wrote:
>I know that when I upgraded to SpamAssassin 2.63 from 2.61,
>MailScanner could not find SpamAssassin.
>
>MailScanner was looking in '/usr/lib/perl5/site_perl/5.8.0/Mail' for
>the SpamAssassin directory and couldn't find it because it was in
>'/usr/lib/perl5/5.6.1/Mail'. So I just symlinked it and everything
>worked great after that. (It might have been the other way around, I
>can't quite recall.)

Ouch.. That's *not* a good thing....

This means that when SA was configured, it found perl version 5.6.1. When
MailScanner was run, it was run under version 5.8.0.

Perhaps you should do some digging and find out why two different perl
versions exist on your server, and properly re-install SA under the version
of perl you want to use.

From craig at WESTPRESS.COM Mon Feb 16 16:41:18 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:31 2006
Subject: SpamAssassin location
In-Reply-To: <6.0.0.22.0.20040216112222.028405f0@xanadu.evi-inc.com>
References: <20040216154457.66813.qmail@web41313.mail.yahoo.com> <6.0.0.22.0.20040216105620.02852630@xanadu.evi-inc.com> <6.0.0.22.0.20040216112222.028405f0@xanadu.evi-inc.com>
Message-ID:

>At 11:13 AM 2/16/2004, Craig Daters wrote:
>>I know that when I upgraded to SpamAssassin 2.63 from 2.61,
>>MailScanner could not find SpamAssassin.
>>
>>MailScanner was looking in '/usr/lib/perl5/site_perl/5.8.0/Mail' for
>>the SpamAssassin directory and couldn't find it because it was in
>>'/usr/lib/perl5/5.6.1/Mail'. So I just symlinked it and everything
>>worked great after that. (It might have been the other way around, I
>>can't quite recall.)
>
>Ouch.. That's *not* a good thing....
>
>This means that when SA was configured, it found perl version 5.6.1. When
>MailScanner was run, it was run under version 5.8.0.
>
>Perhaps you should do some digging and find out why two different perl
>versions exist on your server, and properly re-install SA under the version
>of perl you want to use.

Well, I had SpamAssassin installed prior to MailScanner using RH9
stock RPM's. I then installed 'MailScanner' with 'MailWatch' and
desired to utilize 'teach sa-learn spam/ham' feature of 'MailWatch'.
When I started getting errors, I realized that 'sa-learn' is not part
of the stock RH RPM. I posed a question to the 'RedHat Users List'
that it '...was not on my system, what gives?' and I got a reply back
that RH '...does not include it, that I was using an old version' and
that I should upgrade to the current version found at the
SpamAssassin site. I downloaded the three RPM's available there;
SpamAssassin, SpamAssassin-tools, and ReqPerlModules. I could not
update the RH9 SpamAssassin RPM, so I uninstalled it, and then the
three newer RPM's installed fine. I suspect that the ReqPerlModules
RPM may be the culprit here?
--
--
Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com
--

From mailscanner at ecs.soton.ac.uk Mon Feb 16 14:01:31 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:31 2006
Subject: Footers
In-Reply-To: <1076938675.3155.10.camel@localhost.localdomain>
References: <200402161036.i1GAa9p25685@mx1.mailsecurity.net.au> <1076938675.3155.10.camel@localhost.localdomain>
Message-ID: <6.0.1.1.2.20040216135928.03933d70@imap.ecs.soton.ac.uk>

At 13:37 16/02/2004, you wrote:
>On Mon, 2004-02-16 at 05:36, David Hooton wrote:
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > > Behalf Of Julian Field
> > > Sent: Monday, 16 February 2004 9:08 PM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Footers
> > >
> > > Please see MailScanner.conf:
> > >
> > > # If this is "no", then (as far as possible) messages which have already
> > > # been processed by another MailScanner server will not have the clean
> > > # signature added to the message. This prevents messages getting many
> > > # copies of the signature as they flow through your site.
> > > # This can also be the filename of a ruleset.
> > > Sign Messages Already Processed = no
> > >
> > > It relies on the "Mail Header" setting being the same across all your
> > > MailScanner servers.
> >
> > Hi Julian,
> >
> > We do have that set as you've described. Below is an example of a user
> > sending to another user on the same server (Mail Header setting obviously
> > not an issue).
> > >
> > > > ========================================================================
> > > > Dave's Test Footer
> > > > ====================================================================
> > > > ====
> > > >
> >
> > > ========================================================================
> > > Dave's Test Footer
> > > ======================================================================
> > > ==
> >
> >
> > ========================================================================
> > Dave's Test Footer
> > ========================================================================
> >
> > I've asked about this before and was given the suggestion you've just given
> > me, user comments backed off for a while so I forgot it was still an issue
> > for them :) They have just started harassing me again!
> >
> > Any other hints?
> >
> > Regards,
> >
> > David Hooton
>
>Well, I'm sure you realize that MailScanner is acting properly in this
>situation. Each response from a user is really a different message -
>even though the folks responding failed to trim off the footer.
>
>The old footer indicating that the message was scanned (that's what the
>footer is for) is no longer valid, once a user modifies the message in
>any way.
>
>Your best bet is to modify the footer so that it is recognized as
>something to be thrown away during a response. One standard that some
>MUA's use is to have the throw-away footer formed like this:
>
>--
>Daves Footer
>
>Good Luck - Jon Carnes

Ah, yes, I misunderstood. I thought it was a problem with a single message
going through more than 1 MailScanner on its way to its recipient. What you
actually mean is a conversation between 2 people winding up with multiple
signatures on it.

If you want to stop them, then the easiest way is a ruleset that stops it
signing messages if the message comes from you and goes to you. Use a
"FromAndTo: yourdomain.com no" ruleset entry to do this.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From raymond at PROLOCATION.NET Mon Feb 16 17:03:31 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:31 2006
Subject: SpamAssassin location
In-Reply-To:
Message-ID:

Hi!

> that RH '...does not include it, that I was using an old version' and
> that I should upgrade to the current version found at the
> SpamAssassin site. I downloaded the three RPM's available there;
> SpamAssassin, SpamAssassin-tools, and ReqPerlModules. I could not
> update the RH9 SpamAssassin RPM, so I uninstalled it, and then the
> three newer RPM's installed fine. I suspect that the ReqPerlModules
> RPM may be the culprit here?

We should make a shortcut to that part of the FAQ :)

Install SA via CPAN, Source or make your own RPMs via the SRPS. Installing
from plain RPM is known to give trouble.

Bye,
Raymond.

From stefanzman at yahoo.com Mon Feb 16 17:33:18 2004
From: stefanzman at yahoo.com (Stefan Zauchenberger)
Date: Thu Jan 12 21:22:31 2006
Subject: SpamAssassin location
In-Reply-To: <6.0.0.22.0.20040216112222.028405f0@xanadu.evi-inc.com>
Message-ID: <20040216173318.16739.qmail@web41312.mail.yahoo.com>

In our situation, the target box is a Cobalt machine
that requires that the "old" perl remain untouched.
Hence, the new perl was installed in
/home/spam-filter simply to support SpamAssassin with
MailScanner.

My concern now is how best to upgrade SA from 2.54 to
the latest version without breaking any of the other
pieces.

--- Matt Kettler wrote:
> At 11:13 AM 2/16/2004, Craig Daters wrote:
> >I know that when I upgraded to SpamAssassin 2.63
> from 2.61,
> >MailScanner could not find SpamAssassin.
> >
> >MailScanner was looking in
> '/usr/lib/perl5/site_perl/5.8.0/Mail' for
> >the SpamAssassin directory and couldn't find it
> because it was in
> >'/usr/lib/perl5/5.6.1/Mail'. So I just symlinked it
> and everything
> >worked great after that. (It might have been the
> other way around, I
> >can't quite recall.)
>
> Ouch.. That's *not* a good thing....
>
> This means that when SA was configured, it found
> perl version 5.6.1. When
> MailScanner was run, it was run under version 5.8.0.
>
> Perhaps you should do some digging and find out why
> two different perl
> versions exist on your server, and properly
> re-install SA under the version
> of perl you want to use.

From mlm at LOANPROCESSING.NET Mon Feb 16 19:05:16 2004
From: mlm at LOANPROCESSING.NET (Mike McMullen)
Date: Thu Jan 12 21:22:31 2006
Subject: Allowing Certain File Types
Message-ID: <002b01c3f4bf$d115bee0$3e01a8c0@express.loanprocessing.net>

Hi All,

I am using the latest version of MailScanner with
ClamAV.

So far so good. I have "Deliver Disinfected Files" set to
no which works well. Actually a little too well.

We have a certain file type with a .PCF extension that
we need to be able to receive. Currently it is quarantined
and the warning report delivered instead of the attachment.

How do I set MailScanner to allow this type of attachment?
I've looked at the MailScanner.conf but don't see a place
where excepted filetypes such as .PDF are allowed.

Any help on how to do this would be appreciated!

Mike

From mlm at LOANPROCESSING.NET Mon Feb 16 19:07:08 2004
From: mlm at LOANPROCESSING.NET (Mike McMullen)
Date: Thu Jan 12 21:22:31 2006
Subject: Allowing Certain File Types
References: <002b01c3f4bf$d115bee0$3e01a8c0@express.loanprocessing.net>
Message-ID: <003c01c3f4c0$1369b9e0$3e01a8c0@express.loanprocessing.net>

Never mind. I found the filename.rules.conf.

I need to look before I shout! ;-)

Mike

> Hi All,
>
> I am using the latest version of MailScanner with
> ClamAV.
>
> So far so good. I have "Deliver Disinfected Files" set to
> no which works well. Actually a little too well.
>
> We have a certain file type with a .PCF extension that
> we need to be able to receive. Currently it is quarantined
> and the warning report delivered instead of the attachment.
>
> How do I set MailScanner to allow this type of attachment?
> I've looked at the MailScanner.conf but don't see a place
> where excepted filetypes such as .PDF are allowed.
>
> Any help on how to do this would be appreciated!
>
> Mike
>

From mlm at LOANPROCESSING.NET Mon Feb 16 19:22:44 2004
From: mlm at LOANPROCESSING.NET (Mike McMullen)
Date: Thu Jan 12 21:22:31 2006
Subject: Allowing Certain File Types
References: <002b01c3f4bf$d115bee0$3e01a8c0@express.loanprocessing.net>
Message-ID: <005f01c3f4c2$415f4020$3e01a8c0@express.loanprocessing.net>

> Hi All,
>
> I am using the latest version of MailScanner with
> ClamAV.
>
> So far so good. I have "Deliver Disinfected Files" set to
> no which works well. Actually a little too well.
>
> We have a certain file type with a .PCF extension that
> we need to be able to receive. Currently it is quarantined
> and the warning report delivered instead of the attachment.
>
> How do I set MailScanner to allow this type of attachment?
> I've looked at the MailScanner.conf but don't see a place
> where excepted filetypes such as .PDF are allowed.
>
> Any help on how to do this would be appreciated!
>
> Mike
>

Well, I spoke too soon. The file extension of the files we
want to receive are .PCF. It's data exported from a financial
application our customers use.

I created an "allow" entry for it in "filename.rules.conf". I thought
that would fix it. However, when I sent a test email with a sample
PCF format, it came back with a "executables not allowed" error.

I ran "file" on the sample.pcf file and it comes back as:

point.pcf: VAX-order 68k Blit mpx/mux executable

Well, it definitely ain't a VAX executable.

How do I create the appropriate allow rule in
"filetype.rules.conf" to permit this attachment to go through?

I still want to deny other executables.

TIA,

Mike

From dwinkler at ALGORITHMICS.COM Mon Feb 16 19:24:10 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:31 2006
Subject: Allowing Certain File Types
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1C4@tormail2.algorithmics.com>

Modify /etc/magic so that the file command doesn't know .PCF's as that file
type.

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Mike McMullen
> Sent: Monday, February 16, 2004 2:23 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Allowing Certain File Types
>
>
> > Hi All,
> >
> > I am using the latest version of MailScanner with
> > ClamAV.
> >
> > So far so good. I have "Deliver Disinfected Files" set to
> > no which works well. Actually a little too well.
> >
> > We have a certain file type with a .PCF extension that
> > we need to be able to receive. Currently it is quarantined
> > and the warning report delivered instead of the attachment.
> >
> > How do I set MailScanner to allow this type of attachment?
> > I've looked at the MailScanner.conf but don't see a place
> > where excepted filetypes such as .PDF are allowed.
> >
> > Any help on how to do this would be appreciated!
> >
> > Mike
> >
>
> Well, I spoke too soon. The file extension of the files we
> want to receive are .PCF. It's data exported from a financial
> application our customers use.
>
> I created an "allow" entry for it in "filename.rules.conf". I thought
> that would fix it. However, when I sent a test email with a sample
> PCF format, it came back with a "executables not allowed" error.
>
> I ran "file" on the sample.pcf file and it comes back as:
>
> point.pcf: VAX-order 68k Blit mpx/mux executable
>
> Well, it definitely ain't a VAX executable.
>
> How do I create the appropriate allow rule in
> "filetype.rules.conf" to permit this attachment to go through?
>
> I still want to deny other executables.
>
> TIA,
>
> Mike
>

From kevins at BMRB.CO.UK Mon Feb 16 19:33:23 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:31 2006
Subject: Allowing Certain File Types
In-Reply-To: <005f01c3f4c2$415f4020$3e01a8c0@express.loanprocessing.net>
References: <002b01c3f4bf$d115bee0$3e01a8c0@express.loanprocessing.net> <005f01c3f4c2$415f4020$3e01a8c0@express.loanprocessing.net>
Message-ID: <1076960003.23611.6.camel@bach.kevinspicer.co.uk>

On Mon, 2004-02-16 at 19:22, Mike McMullen wrote:
> point.pcf: VAX-order 68k Blit mpx/mux executable
>
> Well, it definitely ain't a VAX executable.
>
> How do I create the appropriate allow rule in
> "filetype.rules.conf" to permit this attachment to go through?
>
> I still want to deny other executables.
>

In filetype-rules.conf (near the top)...
allow	VAX-order	-	-
(note that those are tabs between the fields)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.
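
Added example (not MailScanner's own code and not from any poster): a small Python model of how the position and the pattern of an allow rule decide the outcome, using the `file` description quoted above and the two allow patterns that appear in this thread. Assumptions of the model: rules are tried top to bottom and the first matching regex wins, matching is case-insensitive, an unmatched type is allowed, and a line that is not tab-separated is rejected; the deny rule and every description except point.pcf's are constructed.

```python
import re

# Constructed stand-in for whichever rule produced the "executables not
# allowed" report; it is not copied from a real filetype rules file.
DENY_EXECUTABLES = "deny\texecutable\tNo executables\tNo programs allowed"

# Four tab-separated columns: action, regex, log text, user text ("-" = none).
ALLOW_VAX_ORDER = "allow\tVAX-order\t-\t-\n" + DENY_EXECUTABLES
ALLOW_VAX_EXECUTABLE = "allow\tVAX.*executable$\t-\t-\n" + DENY_EXECUTABLES
ALLOW_BELOW_DENY = DENY_EXECUTABLES + "\nallow\tVAX-order\t-\t-"

# Descriptions as the file command would report them. Only the first is
# taken from the thread; the rest are constructed for the comparison.
SAMPLES = {
    "point.pcf": "VAX-order 68k Blit mpx/mux executable",
    "setup.exe": "MS-DOS executable",
    "readme.txt": "ASCII text",
    "a.bin": "VAX-order hypothetical executable, packed",
    "b.bin": "hypothetical VAX format executable",
}


def parse_rules(text):
    """Parse a ruleset into (action, compiled regex, log text, user text)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # The log and user texts may contain spaces, so only tabs can
        # separate fields. This model rejects anything else outright.
        fields = [f for f in stripped.split("\t") if f]
        if len(fields) != 4 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: need 4 tab-separated fields: {line!r}")
        action, pattern, log_text, user_text = fields
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, user_text))
    return rules


def decide(rules, description):
    """Return (action, log text) of the first matching rule (model assumption)."""
    for action, regex, log_text, _user_text in rules:
        if regex.search(description):
            return action, log_text
    return "allow", "-"  # assumption: nothing matched, so nothing blocks it


def verdicts(ruleset_text):
    """Map each sample attachment name to 'allow' or 'deny' under a ruleset."""
    rules = parse_rules(ruleset_text)
    return {name: decide(rules, desc)[0] for name, desc in SAMPLES.items()}


if __name__ == "__main__":
    for label, ruleset in (
        ("allow VAX-order above deny", ALLOW_VAX_ORDER),
        ("allow VAX.*executable$ above deny", ALLOW_VAX_EXECUTABLE),
        ("allow VAX-order below deny", ALLOW_BELOW_DENY),
    ):
        print(label)
        for name, action in verdicts(ruleset).items():
            print(f"  {action:5}  {name:10}  {SAMPLES[name]}")
```

Each allow pattern admits one constructed description that the other leaves to the deny rule, so either one is an allowlist on what `file` reports rather than on the .PCF extension.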

From mailscanner at ecs.soton.ac.uk Mon Feb 16 19:43:00 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:31 2006
Subject: Allowing Certain File Types
In-Reply-To: <005f01c3f4c2$415f4020$3e01a8c0@express.loanprocessing.net>
References: <002b01c3f4bf$d115bee0$3e01a8c0@express.loanprocessing.net> <005f01c3f4c2$415f4020$3e01a8c0@express.loanprocessing.net>
Message-ID: <6.0.1.1.2.20040216194134.032b4d08@imap.ecs.soton.ac.uk>

At 19:22 16/02/2004, you wrote:
> > Hi All,
> >
> > I am using the latest version of MailScanner with
> > ClamAV.
> >
> > So far so good. I have "Deliver Disinfected Files" set to
> > no which works well. Actually a little too well.
> >
> > We have a certain file type with a .PCF extension that
> > we need to be able to receive. Currently it is quarantined
> > and the warning report delivered instead of the attachment.
> >
> > How do I set MailScanner to allow this type of attachment?
> > I've looked at the MailScanner.conf but don't see a place
> > where excepted filetypes such as .PDF are allowed.
> >
> > Any help on how to do this would be appreciated!
> >
> > Mike
> >
>
>Well, I spoke too soon. The file extension of the files we
>want to receive are .PCF. It's data exported from a financial
>application our customers use.
>
>I created an "allow" entry for it in "filename.rules.conf". I thought
>that would fix it. However, when I sent a test email with a sample
>PCF format, it came back with a "executables not allowed" error.
>
>I ran "file" on the sample.pcf file and it comes back as:
>
>point.pcf: VAX-order 68k Blit mpx/mux executable
>
>Well, it definitely ain't a VAX executable.
>
>How do I create the appropriate allow rule in
>"filetype.rules.conf" to permit this attachment to go through?
>
>I still want to deny other executables.

Something like
allow	VAX.*executable$	-	-
(separated with tabs and not spaces) should do it.
I don't think there are many viruses around which hide in VAX executables :-)
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From peter at UCGBOOK.COM Mon Feb 16 20:17:16 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:31 2006
Subject: [Fwd: RE: [Clamav-users] Implementation Questions]
Message-ID: <4031254C.7010107@ucgbook.com>

This is from the ClamAV list, thought especially Julian would like to
see it... :-)

-------- Original Message --------
Subject: RE: [Clamav-users] Implementation Questions
Date: Mon, 16 Feb 2004 11:36:43 -0800
From: Michael St. Laurent
Reply-To: clamav-users@lists.sourceforge.net
To: 'clamav-users@lists.sourceforge.net'

Antony Stone wrote:
> I run MailScanner http://www.mailscanner.info as a wrapper to ClamAV
> and SpamAssassin (it can also handle many other A-V engines, and does
> further tests & checks of its own), and I find this a very good
> solution to handling email.

I recently moved to MailScanner as well after discovering that I would not
be able to use the clamav-milter given the special circumstances involved
here.

Wow. I'm really, really happy with it. It has one of the best install
scripts I've ever seen for unix. It took a while to get it configured
because it is *very* configurable.

--
Michael St. Laurent
Hartwell Corporation

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.66 + GMP 4.1.2

From mlm at LOANPROCESSING.NET Mon Feb 16 19:44:47 2004
From: mlm at LOANPROCESSING.NET (Mike McMullen)
Date: Thu Jan 12 21:22:31 2006
Subject: Allowing Certain File Types
References: <002b01c3f4bf$d115bee0$3e01a8c0@express.loanprocessing.net> <005f01c3f4c2$415f4020$3e01a8c0@express.loanprocessing.net> <1076960003.23611.6.camel@bach.kevinspicer.co.uk>
Message-ID: <00e001c3f4c5$5621dba0$3e01a8c0@express.loanprocessing.net>

----- Original Message -----
From: "Kevin Spicer"

> On Mon, 2004-02-16 at 19:22, Mike McMullen wrote:
> > point.pcf: VAX-order 68k Blit mpx/mux executable
> >
> > Well, it definitely ain't a VAX executable.
> >
> > How do I create the appropriate allow rule in
> > "filetype.rules.conf" to permit this attachment to go through?
> >
> > I still want to deny other executables.
> >
> In filetype-rules.conf (near the top)...
> allow	VAX-order	-	-
> (note that those are tabs between the fields)
>

That did the trick! Thanks!

Mike

From mailscanner at ecs.soton.ac.uk Mon Feb 16 20:24:49 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:31 2006
Subject: [Fwd: RE: [Clamav-users] Implementation Questions]
In-Reply-To: <4031254C.7010107@ucgbook.com>
References: <4031254C.7010107@ucgbook.com>
Message-ID: <6.0.1.1.2.20040216202354.03779f40@imap.ecs.soton.ac.uk>

At 20:17 16/02/2004, you wrote:
>This is from the ClamAV list, thought especially Julian would like to
>see it... :-)
>
>-------- Original Message --------
>Subject: RE: [Clamav-users] Implementation Questions
>Date: Mon, 16 Feb 2004 11:36:43 -0800
>From: Michael St. Laurent
>Reply-To: clamav-users@lists.sourceforge.net
>To: 'clamav-users@lists.sourceforge.net'
>
>
>Antony Stone wrote:
>>I run MailScanner http://www.mailscanner.info as a wrapper to ClamAV
>>and SpamAssassin (it can also handle many other A-V engines, and does
>>further tests & checks of its own), and I find this a very good
>>solution to handling email.
>
>I recently moved to MailScanner as well after discovering that I would not
>be able to use the clamav-milter given the special circumstances involved
>here.
>
>Wow. I'm really, really happy with it. It has one of the best install
>scripts I've ever seen for unix. It took a while to get it configured
>because it is *very* configurable.
>
>--
>Michael St. Laurent
>Hartwell Corporation

Thanks for sending me that. It's amazing what a bit of plain jargon-free
English and a few "sleep" statements can do!
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From maillists at CONACTIVE.COM Mon Feb 16 21:31:50 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:31 2006
Subject: size of mailscanner processes?
In-Reply-To:
References:
Message-ID:

Kai Schaetzl wrote on Thu, 12 Feb 2004 18:31:36 +0100:

> so, the main starter process seems to have only 15 MB, but any of the real
> work processes has 50.
> System is Suse 9.0 with Perl 5.8.1
> I'm using clamavmodule, could this be the culprit for grabbing so much
> RAM?
>

I changed from clamavmodule to clamav. This reduced the size from 50 to 40
MB. I still find that this is huge. With the default 5 processes this means
there are 200 MB just for MailScanner. Is this really normal?
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Mon Feb 16 21:31:50 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:32 2006 Subject: Some conf settings not honored? In-Reply-To: <6.0.1.1.2.20040216085116.03bd2c80@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040216085116.03bd2c80@imap.ecs.soton.ac.uk> Message-ID: Julian Field wrote on Mon, 16 Feb 2004 08:52:00 +0000: > >Hide Incoming Work Dir = yes > > Does the path to your Incoming Work Dir contain any links? That's the usual > cause. No, no links involved at all. oops, I misinterpreted this. I'm talking of the quarantine path, not of the incoming work dir. It's shown in full: /var/spool/MailScanner/quarantine/20040215 (NachrichtenID i1FLfPS7006353) Is there an option to remove the path? > > >Warning Is Attachment = no > > That's dependent on the MUA the user is using. Some MUAs support this > better than others. > Not sure if I understand that. I thought it changes the (the beginning of the) body from: inline.warning.txt plus attachment to f.i. stored.virus.message.txt and no attachment (and no inline.warning.txt) but I still have inline.warning.txt plus attachment I see that the content-disposition for that attachment is inline (and my reader doesn't display it), but it's still an attachment coming after the complete body and doesn't replace the original inline.warning. see below I quite the complete body, is that really what it should look like with "attachment = no"? (german text version, sorry, hope you can identify it. Note, that there's still English parts in the virus description block!) ---------------------------------------------------------------------------- This is a Mime message, which your current mail reader may not understand. Parts of the message will appear as text. 
To process the rest, use a Mime compatible reader or Base64 conversion utility. --Next part of message (VA.0000385b.06fb6602:conactive.com) Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Warnung: Diese Nachricht enthielt einen oder mehrere Dateianhaenge, die entfernt wurden Warnung: (virus.exe) Warnung: Bitte lesen Sie den oder die "ON-Attachment-Warning.txt" Dateianhaenge fuer genauere Informationen. Kai Schätzl -- Get your web at Conactive Internet Services: http://www.conactive.com --Next part of message (VA.0000385b.06fb6602:conactive.com) Content-Type: text/plain; charset="ISO-8859-1"; name="ON-Attachment-Warning.txt" Content-Disposition: inline; filename="ON-Attachment-Warning.txt" Content-Transfer-Encoding: quoted-printable Dies ist eine Nachricht vom MailScanner (E-Mail Virus Protection Service) ------------------------------------------------------------------------- Der Dateianhang "virus.exe" ist von einem Virus verseucht und wurde durch diese Nachricht ersetzt. Wenn Sie eine Kopie der Original Nachricht wuenschen, wenden Sie sich bitte per Mail oder Telefon an Ihren Systemadministrator. Bitte halten Sie diese Meldung bereit. Am Sun Feb 15 22:41:28 2004 meldete der Virenscanner folgendes: virus.exe contains Worm.Gibe.F=20 Executable DOS/Windows programs are dangerous in email (virus.exe) Hinweis an den Administrator: Datei ist auf Rechner: n7 im Verzeichnis /var/spool/MailScanner/quarantine/= 20040215 (NachrichtenID i1FLfPS7006353) abgespeichert. -- Postmaster --Next part of message (VA.0000385b.06fb6602:conactive.com)-- This is the end of the Mime message. 
---------------------------------------------------------------------------- Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From cwharris at MORGAN.NET Mon Feb 16 21:39:53 2004 From: cwharris at MORGAN.NET (Chris Harris) Date: Thu Jan 12 21:22:32 2006 Subject: User doesnt want mail scanned Message-ID: <000801c3f4d5$69a7ec90$2105a8c0@delta> I have a user who does not want his mail scanned at all. How do I exlude him? Chris -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040216/02d9cbe2/attachment.html From peter at UCGBOOK.COM Mon Feb 16 21:41:37 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:32 2006 Subject: size of mailscanner processes? In-Reply-To: References: Message-ID: <40313911.8050701@ucgbook.com> Kai Schaetzl wrote: > I changed from clamavmodule to clamav. This reduced the size from 50 to 40 > MB. I still find that this is huge. With the default 5 processes this means > there are 200 MB just for MailScanner. Is this really normal? Mine currently run at 14 MB for the first and 30 MB for the rest. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From peter at UCGBOOK.COM Mon Feb 16 21:43:56 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:32 2006 Subject: User doesnt want mail scanned In-Reply-To: <000801c3f4d5$69a7ec90$2105a8c0@delta> References: <000801c3f4d5$69a7ec90$2105a8c0@delta> Message-ID: <4031399C.5090709@ucgbook.com> Chris Harris wrote: > I have a user who does not want his mail scanned at all. How do I exlude > him? 
Read about rulesets here:

/opt/MailScanner/etc/rules (tar dist)
/etc/MailScanner/rules (Linux dist)

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From cwharris at MORGAN.NET Mon Feb 16 21:49:56 2004
From: cwharris at MORGAN.NET (Chris Harris)
Date: Thu Jan 12 21:22:32 2006
Subject: User doesnt want mail scanned
References: <000801c3f4d5$69a7ec90$2105a8c0@delta> <4031399C.5090709@ucgbook.com>
Message-ID: <002601c3f4d6$d1578b60$2105a8c0@delta>

So would this be appropriate?

FromOrTo: default yes
To: foolishuser@domain.com no

Thanks,
Chris

----- Original Message -----
From: "Peter Bonivart"
To:
Sent: Monday, February 16, 2004 3:43 PM
Subject: Re: User doesnt want mail scanned

> Chris Harris wrote:
> > I have a user who does not want his mail scanned at all. How do I exclude
> > him?
>
> Read about rulesets here:
>
> /opt/MailScanner/etc/rules (tar dist)
> /etc/MailScanner/rules (Linux dist)
>
> --
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2
>

From steve.swaney at FSL.COM Mon Feb 16 21:58:48 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:32 2006
Subject: User doesnt want mail scanned
In-Reply-To: <002601c3f4d6$d1578b60$2105a8c0@delta>
Message-ID: <20040216215848.D579521C14C@mail.fsl.com>

NO. The default must come Last.
I've already fixed it
Look at

/etc/MailScanner/rules/use.mailscanner.rules

And in the /etc/MailScanner.conf file

Spam Checks = %rules-dir%/use.mailscanner.rules

Do a MS-reload after changing this file

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Chris Harris > Sent: Monday, February 16, 2004 4:50 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: User doesnt want mail scanned > > So would this be appropriate? > > FromOrTo: default yes > To: foolishuser@domain.com no > > Thanks, > Chris > > ----- Original Message ----- > From: "Peter Bonivart" > To: > Sent: Monday, February 16, 2004 3:43 PM > Subject: Re: User doesnt want mail scanned > > > > Chris Harris wrote: > > > I have a user who does not want his mail scanned at all. How do I > exlude > > > him? > > > > Read about rulesets here: > > > > /opt/MailScanner/etc/rules (tar dist) > > /etc/MailScanner/rules (Linux dist) > > > > -- > > /Peter Bonivart > > > > --Unix lovers do it in the Sun > > > > Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, > > SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From mailscanner at ecs.soton.ac.uk Mon Feb 16 21:38:26 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:32 2006 Subject: size of mailscanner processes? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040216213750.037c6f98@imap.ecs.soton.ac.uk> At 21:31 16/02/2004, you wrote: >Kai Schaetzl wrote on Thu, 12 Feb 2004 18:31:36 +0100: > > > so, the main starter process seems to have only 15 MB, but any of the real > > work processes has 50. > > System is Suse 9.0 with Perl 5.8.1 > > I'm using clamavmodule, could this be the culprit for grabbing so much > > RAM? > > > >I changed from clamavmodule to clamav. This reduced the size from 50 to 40 >MB. 
I still find that this is huge. With the default 5 processes this means >there are 200 MB just for MailScanner. Is this really normal? Yes. MailScanner likes RAM. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dh at UPTIME.AT Mon Feb 16 22:23:35 2004 From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:22:32 2006 Subject: Solved: MailScanner + Sendmail and User Unknown not bounced at once...(this does NOT use LDAP routing) Message-ID: <403142E7.6080008@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello Community. All of us Sendmail + Mailscanner user might know the case where MailScanner queues up a message for a User that is Unknown. THe Message gets scanned, then bounced by the local delivery agent. For all of us that use Cyrus as their local Mail Store I found a nice solution to prevent this behaviour without having to implement LDAP routing, be it real or via a faked map. With some very great tutoring from Andrzej Filip, along with Claus A?man one of the best sendmail hackers imho it is quite easy to implement. I just wanted to gauge reactions, if there is a need for this, I will gladly try and write a howto. However if just two or three are interested in this, I think they should contact me off list and I will explain the steps to them. Thank you - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAMULrPMoaMn4kKR4RAyiEAJ0YN8ikWr/BPW29VFA6Ro/JCvNZLgCfbe8Q /YW44JHWmn5+Om9X05tAeZA= =zz/n -----END PGP SIGNATURE----- From mhewryk at SYMCOR.COM Mon Feb 16 22:32:10 2004 From: mhewryk at SYMCOR.COM (Magda Hewryk) Date: Thu Jan 12 21:22:32 2006 Subject: spam.lists.conf and SORBS Message-ID: On Sat, 14 Feb 2004 21:38:47 +0100, Raymond Dijkxhoorn wrote: >Hi! > >> ORDB-RBL times out quiet often and I'd like to use SORBS list for spam >> blacklist. 
>>
>> Which one of the following is the best to use in addition to
>> relays.ordb.org and dnsbl.njabl.org ?
>
>SBL+XBL (Spamhaus), DSBL and/or AHBL.

Spamhaus can't be resolved (sbl.spamhaus.org) so why you are using spamhaus?
Maybe I have a wrong FQDN ...?

Can you list your spam.lists.config for RBLs, please.
Here is my list:

ORDB-RBL                relays.ordb.org.
#spamhaus.org           sbl.spamhaus.org.
#spamcop.net            bl.spamcop.net.
#Infinite-Monkeys       proxies.relays.monkeys.com.
#osirusoft.com          relays.osirusoft.com.

>Bye,
>Raymond.

From mhewryk at SYMCOR.COM Mon Feb 16 22:33:21 2004
From: mhewryk at SYMCOR.COM (Magda Hewryk)
Date: Thu Jan 12 21:22:32 2006
Subject: need a good sample of spam.lists.config file
Message-ID:

Hi,

How can I try the combined XBL+SBL list from spamhaus.org ?
Can I see an example from spam.lists.conf ?
None of DNS can't resolve sbl.spamhaus.org, I've tried different servers
for a sake.

>From the list below only relays.ordb.org can be resolved by DNS. Are other
definitely closed?

What is the experience with NJABL dnsbl.njabl.org?

Thanks,
Magda

ORDB-RBL                relays.ordb.org.
#spamhaus.org           sbl.spamhaus.org.
#spamcop.net            bl.spamcop.net.
#Infinite-Monkeys       proxies.relays.monkeys.com.

----------------------------------------------------------------------------
----

From raymond at PROLOCATION.NET Mon Feb 16 22:41:01 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:32 2006
Subject: spam.lists.conf and SORBS
In-Reply-To:
Message-ID:

Hi

> >SBL+XBL (Spamhaus), DSBL and/or AHBL.
>
> Spamhaus can't be resolved (sbl.spamhaus.org) so why you are using spamhaus?
> Maybe I have a wrong FQDN ...?
>
> Can you list your spam.lists.config for RBLs, please.
> Here is my list:

What do you mean can't resolve? It is used to lookup hosts. And works fine.
You won't get an A record for sbl.spamhaus.org if that's what you mean.

But:

Non-authoritative answer:
Name: 210.62.208.206.sbl.spamhaus.org
Address: 127.0.0.2

So that works just fine, what's your problem with it ?

> ORDB-RBL                relays.ordb.org.
> #spamhaus.org           sbl.spamhaus.org.
> #spamcop.net            bl.spamcop.net.
> #Infinite-Monkeys       proxies.relays.monkeys.com.
> #osirusoft.com          relays.osirusoft.com.

That's fine, you can just take a fresh one from the last beta anyway, lists
all active ones.

Bye,
Raymond.

From raymond at PROLOCATION.NET Mon Feb 16 22:41:56 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:32 2006
Subject: need a good sample of spam.lists.config file
In-Reply-To:
Message-ID:

Hi!

> How can I try the combined XBL+SBL list from spamhaus.org ?
> Can I see an example from spam.lists.conf ?
> None of DNS can't resolve sbl.spamhaus.org, I've tried different servers
> for a sake.

They will, see my previous posting. For the XBL, update MS, it's in there by
default.

> What is the experience with NJABL dnsbl.njabl.org?

Ok list.

Bye,
Raymond.

From ka at PACIFIC.NET Mon Feb 16 22:50:29 2004
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:22:32 2006
Subject: Solved: MailScanner + Sendmail and User Unknown not bounced at once...(this does NOT use LDAP routing)
In-Reply-To: <403142E7.6080008@uptime.at>
References: <403142E7.6080008@uptime.at>
Message-ID: <40314935.7070909@pacific.net>

If it's sendmail, one simple way is to use the access map and reject it.

TO:user1@domain.com     RELAY
TO:user2@domain.com     RELAY
# Default entry to reject
TO:domain.com           ERROR:5.1.1:550 User unknown

How are you doing this?

Ken A
Pacific.Net

David H. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Hello Community.
>
> All of us Sendmail + Mailscanner user might know the case where
> MailScanner queues up a message for a User that is Unknown. The Message
> gets scanned, then bounced by the local delivery agent.
> For all of us that use Cyrus as their local Mail Store I found a nice
> solution to prevent this behaviour without having to implement LDAP
> routing, be it real or via a faked map.
> > With some very great tutoring from Andrzej Filip, along with Claus A?man > one of the best sendmail hackers imho it is quite easy to implement. > I just wanted to gauge reactions, if there is a need for this, I will > gladly try and write a howto. However if just two or three are > interested in this, I think they should contact me off list and I will > explain the steps to them. > > Thank you > > - -d > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.3 (Darwin) > > iD8DBQFAMULrPMoaMn4kKR4RAyiEAJ0YN8ikWr/BPW29VFA6Ro/JCvNZLgCfbe8Q > /YW44JHWmn5+Om9X05tAeZA= > =zz/n > -----END PGP SIGNATURE----- > > From esandquist at IHMS.NET Mon Feb 16 22:45:01 2004 From: esandquist at IHMS.NET (Eric Sandquist) Date: Thu Jan 12 21:22:32 2006 Subject: Solved: MailScanner + Sendmail and User Unknown not bounced at once...(this does NOT use LDAP routing) In-Reply-To: <403142E7.6080008@uptime.at> Message-ID: Being that you didn't give your email for off-list reply... I am definately interested... Eric : esandquist@ihms.net -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of David H. Sent: Monday, February 16, 2004 4:24 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Solved: MailScanner + Sendmail and User Unknown not bounced at once...(this does NOT use LDAP routing) -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello Community. All of us Sendmail + Mailscanner user might know the case where MailScanner queues up a message for a User that is Unknown. THe Message gets scanned, then bounced by the local delivery agent. For all of us that use Cyrus as their local Mail Store I found a nice solution to prevent this behaviour without having to implement LDAP routing, be it real or via a faked map. With some very great tutoring from Andrzej Filip, along with Claus A?man one of the best sendmail hackers imho it is quite easy to implement. 
I just wanted to gauge reactions, if there is a need for this, I will gladly try and write a howto. However if just two or three are interested in this, I think they should contact me off list and I will explain the steps to them. Thank you - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAMULrPMoaMn4kKR4RAyiEAJ0YN8ikWr/BPW29VFA6Ro/JCvNZLgCfbe8Q /YW44JHWmn5+Om9X05tAeZA= =zz/n -----END PGP SIGNATURE----- From dh at UPTIME.AT Mon Feb 16 22:55:01 2004 From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:22:32 2006 Subject: Solved: MailScanner + Sendmail and User Unknown not bounced at once...(this does NOT use LDAP routing) In-Reply-To: <40314935.7070909@pacific.net> References: <403142E7.6080008@uptime.at> <40314935.7070909@pacific.net> Message-ID: <40314A45.6020608@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Ken Anderson wrote: > If it's sendmail, one simple way is to use the access map and reject it. > > TO:user1@domain.com RELAY > TO:user2@domain.com RELAY > # Default entry to reject > TO:domain.com ERROR:5.1.1:550 User unknown > > How are you doing this? It utilises a few patches made by Andrzej Filip, namely http://www.polbox.com/a/anfi/sendmail/rtcyrus.html http://www.polbox.com/a/anfi/sendmail/_FFR_MAP_FSTAT.html and if you want it http://www.polbox.com/a/anfi/sendmail/localNalias.html Basically it assumes that the IMAP server is present on the same machine. Then it executes a fstat on /var/spool/yourimap/users/ After ALL expansion has been finished and all virtual look ups finished. 
As I said, if you want details and I see some feedback, I am willing to write a howto - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAMUpJPMoaMn4kKR4RA6vwAKCVRQZK9iRsQK2IxrIup1PeDw9pZACggD/N 6NNqIjOOV1WoAOPESYhASKA= =OIon -----END PGP SIGNATURE----- From mlm at LOANPROCESSING.NET Mon Feb 16 23:00:03 2004 From: mlm at LOANPROCESSING.NET (Mike McMullen) Date: Thu Jan 12 21:22:32 2006 Subject: SpamAssassin Bayes filter and MailScanner Message-ID: <026701c3f4e0$9d1bc3c0$3e01a8c0@express.loanprocessing.net> Hi All, I fed about 1000 spam emails today to sa-learn. Watching the mail logs for MailScanner entries, I never see the Bayes Score show up. Should I see this for mail that is scanned for spam? If so, am I missing something in configuring this to be used? Thanks, Mike From david at PLATFORMHOSTING.COM Mon Feb 16 23:19:22 2004 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:22:32 2006 Subject: Footers In-Reply-To: <6.0.1.1.2.20040216135928.03933d70@imap.ecs.soton.ac.uk> Message-ID: <200402162319.i1GNJKf08913@mx1.mailsecurity.net.au> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Julian Field > Sent: Tuesday, 17 February 2004 1:02 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Footers > > Ah, yes, I misunderstood. I thought it was a problem with a single message > going through more than 1 MailScanner on its way to its recipient. What > you > actually mean is a conversation between 2 people winding up with multiple > signatures on it. > > If you want to stop them, then the easiest way is a ruleset that stops it > signing messages if the message comes from you and goes to you. Use a > "FromAndTo: yourdomain.com no" ruleset entry to do this. Thanks Julian, This really only works when sending to and from your own domain, doesn't work with multiple domains. 

We use MailScanner as a gateway solution for DSL customers, when they are
emailing their own domain this isn't a problem because it's delivered
locally on their own mail server. The real problem is when they are having
long conversations via email with external domains.

I know I'm being a pain, I will try the other suggestion of using -- before
the footer to see if that helps. Finding a way to make this work cleanly
would very much assist the uneducated joe average user which we seem to
encounter.

Cheers!

Dave

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From mkettler at EVI-INC.COM Mon Feb 16 23:38:12 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:32 2006
Subject: SpamAssassin Bayes filter and MailScanner
In-Reply-To: <026701c3f4e0$9d1bc3c0$3e01a8c0@express.loanprocessing.net>
References: <026701c3f4e0$9d1bc3c0$3e01a8c0@express.loanprocessing.net>
Message-ID: <6.0.0.22.0.20040216183500.028d7248@xanadu.evi-inc.com>

At 06:00 PM 2/16/2004, Mike McMullen wrote:

>I fed about 1000 spam emails today to sa-learn. Watching the
>mail logs for MailScanner entries, I never see the Bayes Score
>show up.

How many ham emails did you feed to sa-learn?

Bayes will NOT activate without 500 spam and 500 ham messages, minimum.

Also, beware that spam.assassin.prefs.conf makes mailscanner's
bayes_path different

bayes_path /var/spool/spamassassin/bayes

Thus, when you train, you need to train with an account that has that same
bayes path in its user_prefs (ie: I do this with root).

Also make sure that /var/spool/spamassassin exists as a directory.

DO NOT make a subdirectory named "bayes" in there.
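
Added example, not part of the original post and not MailScanner or SpamAssassin code: a Python check of the two conditions described in the message above, namely that the training account and MailScanner use the same bayes_path, and that the path is a filename prefix (SpamAssassin appends _toks, _seen and so on) inside an existing directory. The function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# bayes_path takes one argument; "#" starts a comment in SpamAssassin config.
_BAYES_PATH = re.compile(r"^\s*bayes_path\s+(\S+)")


def read_bayes_path(conf_file):
    """Return the bayes_path set in a SpamAssassin config file, or None.

    Assumption: if the directive appears more than once, the last one wins.
    """
    value = None
    with open(conf_file, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            match = _BAYES_PATH.match(raw.split("#", 1)[0])
            if match:
                value = match.group(1)
    return value


def check_bayes_setup(scanner_conf, trainer_conf):
    """List the problems that keep trained data away from the scanner.

    scanner_conf: the prefs file MailScanner hands to SpamAssassin.
    trainer_conf: the user_prefs of the account that runs sa-learn.
    """
    scanner = read_bayes_path(scanner_conf)
    trainer = read_bayes_path(trainer_conf)
    if scanner is None:
        # Without the directive each account uses its own ~/.spamassassin/bayes.
        return ["scanner config sets no bayes_path (per-account default applies)"]
    problems = []
    if trainer != scanner:
        problems.append(
            "trainer bayes_path %r differs from the scanner's %r" % (trainer, scanner)
        )
    parent = os.path.dirname(scanner)
    if not os.path.isdir(parent):
        problems.append("%s does not exist as a directory" % parent)
    if os.path.isdir(scanner):
        problems.append(
            "%s is a directory, but bayes_path is a filename prefix" % scanner
        )
    return problems


def constructed_demo():
    """Check a correct and a broken layout, both built in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        spool = os.path.join(root, "spool", "spamassassin")
        os.makedirs(spool)
        scanner_conf = os.path.join(root, "spam.assassin.prefs.conf")
        good_prefs = os.path.join(root, "good_user_prefs")
        bad_prefs = os.path.join(root, "bad_user_prefs")
        with open(scanner_conf, "w") as fh:
            fh.write("# constructed sample\nbayes_path %s/bayes\n" % spool)
        with open(good_prefs, "w") as fh:
            fh.write("bayes_path %s/bayes\n" % spool)
        with open(bad_prefs, "w") as fh:
            fh.write("#bayes_path %s/bayes\n" % spool)  # directive commented out
        good = check_bayes_setup(scanner_conf, good_prefs)
        os.mkdir(os.path.join(spool, "bayes"))  # the layout the post warns about
        bad = check_bayes_setup(scanner_conf, bad_prefs)
    return good, bad


if __name__ == "__main__":
    good, bad = constructed_demo()
    print("correct layout:", good or "no problems")
    for problem in bad:
        print("broken layout:", problem)
```
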
From mlm at LOANPROCESSING.NET Mon Feb 16 23:50:50 2004 From: mlm at LOANPROCESSING.NET (Mike McMullen) Date: Thu Jan 12 21:22:32 2006 Subject: SpamAssassin Bayes filter and MailScanner References: <026701c3f4e0$9d1bc3c0$3e01a8c0@express.loanprocessing.net> <6.0.0.22.0.20040216183500.028d7248@xanadu.evi-inc.com> Message-ID: <031601c3f4e7$b510b6a0$3e01a8c0@express.loanprocessing.net> > At 06:00 PM 2/16/2004, Mike McMullen wrote: > > >I fed about 1000 spam emails today to sa-learn. Watching the > >mail logs for MailScanner entries, I never see the Bayes Score > >show up. > > How many ham emails did you feed to sa-learn? > > Bayes will NOT activate without 500 spam and 500 ham messages, minimum. > > Also, beware that spam.assassin.prefs.conf makes mailscanner's > bayes_path different > > bayes_path /var/spool/spamassassin/bayes > > Thus, when you train, you need to train with an account that has that same > bayes path in it's user_prefs (ie: I do this with root). > > Also make sure that /var/spool/spamassassin exists as a directory. > > DO NOT make a subdirectory named "bayes" in there. > Matt, this is all good info. I have not fed it any ham mail. Now I see I'll have to do that. In my MailScanner.conf, the bayes_path is commented out. It is using /root/.spamassassin which is fine by me. I use root to do the training. I'm assuming that all the results are getting stored there and not just mail to root. Is this true? So if I feed about 500 - 1000 ham messages to sa-learn, bayes will kick in? If I have a large number of ham messages in mail folder created by Outlook Express, can I copy that to the server and then just feed it to sa-learn? I did that with sa-learn for the spam messages. sa-learn kicked back that it had read one message. Is that an appropriate respones? The bayes_toks database grew to about 2.75M so I assumed it did the right thing. 

Thanks for all your help on this,

Mike

From mja at FAMILYRADIO.ORG Mon Feb 16 23:58:20 2004
From: mja at FAMILYRADIO.ORG (Michael J. Allen)
Date: Thu Jan 12 21:22:32 2006
Subject: Solved: MailScanner + Sendmail and User Unknown not bounced at once...(this does NOT use LDAP routing)
In-Reply-To: <403142E7.6080008@uptime.at>
References: <403142E7.6080008@uptime.at>
Message-ID: <4031591C.3060109@familyradio.org>

David H. wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Hello Community.
>
> All of us Sendmail + Mailscanner user might know the case where
> MailScanner queues up a message for a User that is Unknown. The
> Message gets scanned, then bounced by the local delivery agent.
> For all of us that use Cyrus as their local Mail Store I found a nice
> solution to prevent this behaviour without having to implement LDAP
> routing, be it real or via a faked map.
>
> With some very great tutoring from Andrzej Filip, along with Claus
> Aßman one of the best sendmail hackers imho it is quite easy to
> implement.
> I just wanted to gauge reactions, if there is a need for this, I will
> gladly try and write a howto. However if just two or three are
> interested in this, I think they should contact me off list and I will
> explain the steps to them.
>
> Thank you
>
> - -d
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (Darwin)
>
> iD8DBQFAMULrPMoaMn4kKR4RAyiEAJ0YN8ikWr/BPW29VFA6Ro/JCvNZLgCfbe8Q
> /YW44JHWmn5+Om9X05tAeZA=
> =zz/n
> -----END PGP SIGNATURE----
> -

I am definitely interested.

Mike

From pete at eatathome.com.au Tue Feb 17 00:02:02 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:32 2006
Subject: Sendmail Question (OT)
Message-ID: <403159FA.9080702@eatathome.com.au>

I have some inherited Hylafax machines here and they use sendmail to
route mail. Everything lives on Private subnet, no DNS services only
WINS NT4 server.
Hylafax does regular real world MX lookups and all mail
then routes to our main SMTP gateway (public IP).

I want to change this to point it at another mail server on the
private subnet, to save poking holes in the firewalls for users we are
diverting all outbound SMTP traffic to internal mail servers.

To force the sendmail (hylafax machines) to send all outbound mail to
the local mail server i tried the following.

I changed the mailertable and added the 10.1.10.4 IP of the local mail
server using the following format
xxx.com.au SMTP:10.1.10.4 (i used a tab to space it)
then did # /usr/sbin/makemap hash /etc/mail/mailertable.db <
/etc/mail/mailertable

I also tried to add the mail server host name of "tardis" to /etc/hosts
10.1.10.4 tardis

But this didn't work, i get the following in the maillog
Feb 16 09:47:44 HylaFAX sendmail[5605]: i1FMlh3D005604:
to=mfax@xxx.com.au , ctladdr=
(10/14), delay=00:00:01, xdelay=00:00:01, mailer=smtp, pri=36118,
relay=tardis, dsn=5.1.2, stat=Host unknown (Name server: tardis: host
not found)

What do i need to do to sendmail to specify the server for all outbound
mail?

Appreciate any help or suggestions i can get.
Thanks

From steve.swaney at FSL.COM Mon Feb 16 23:59:55 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:32 2006
Subject: SpamAssassin Bayes filter and MailScanner
In-Reply-To: <031601c3f4e7$b510b6a0$3e01a8c0@express.loanprocessing.net>
Message-ID: <20040216235954.B7CD821C14C@mail.fsl.com>

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Mike McMullen
> Sent: Monday, February 16, 2004 6:51 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SpamAssassin Bayes filter and MailScanner
>
> > At 06:00 PM 2/16/2004, Mike McMullen wrote:
> >
> > >I fed about 1000 spam emails today to sa-learn.
Watching the > > >mail logs for MailScanner entries, I never see the Bayes Score > > >show up. > > > > How many ham emails did you feed to sa-learn? > > > > Bayes will NOT activate without 500 spam and 500 ham messages, minimum. > > > > Also, beware that spam.assassin.prefs.conf makes mailscanner's > > bayes_path different > > > > bayes_path /var/spool/spamassassin/bayes > > > > Thus, when you train, you need to train with an account that has that > same > > bayes path in it's user_prefs (ie: I do this with root). > > > > Also make sure that /var/spool/spamassassin exists as a directory. > > > > DO NOT make a subdirectory named "bayes" in there. > > > > Matt, this is all good info. I have not fed it any ham mail. Now I see > I'll have to do that. > > In my MailScanner.conf, the bayes_path is commented out. It is using > /root/.spamassassin which is fine by me. I use root to do the training. > I'm assuming that all the results are getting stored there and not just > mail to root. Is this true? > > So if I feed about 500 - 1000 ham messages to sa-learn, bayes will kick > in? Actually this is configurable. From http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html bayes_min_ham_num (Default: 200) bayes_min_spam_num (Default: 200) You can configure these settings by adding the to your spam.assassin.prefs.conf file Steve The score threshold above which a mail has to score, to be fed into SpamAssassin's learning systems automatically as a spam message. > > If I have a large number of ham messages in mail folder created by > Outlook Express, can I copy that to the server and then just feed it > to sa-learn? > > I did that with sa-learn for the spam messages. sa-learn kicked back > that it had read one message. Is that an appropriate respones? The > bayes_toks database grew to about 2.75M so I assumed it did the > right thing. 
> > Thanks for all your help on this, > > Mike > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From ugob at CAMO-ROUTE.COM Tue Feb 17 01:05:57 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:32 2006 Subject: Sendmail Question (OT) Message-ID: <54C38A0B814C8E438EF73FC76F362927410900@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Pete [mailto:pete@eatathome.com.au] > Envoy? : Monday, February 16, 2004 7:02 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Sendmail Question (OT) > > > I have some in herited Hylafax machines here and they use sendmail to > route mail. Everything lives on Private subnet, no DNS services only > WINS NT4 server. Hylafax does regular real world MX lookups > and all mail > then routes to our main SMTP gateway (public IP). > > I want to change this to point it at a another mail server on the > private subnet, to save poking holes in the firewalls for users we are > diverting all outbound SMTP traffic to internal mail servers. > > To force the sendmail (hylafax machines) to send all outdound mail to > the local mail server i tried the following. > > I changed the mailertable and added the 10.1.10.4 IP of the local mail > server using the following format > xxx.com.au SMTP:10.1.10.4 (i used a tab to space it) Did you try: xxx.com.au SMTP:[10.1.10.4] ? 
> then did # /usr/sbin/makemap hash /etc/mail/mailertable.db < > /etc/mail/mailertable > > I also tried to add the mail server host name of "tardis" to > /etc/hosts > 10.1.10.4 tardis > > But this didnt work, i get the following in the maillog > Feb 16 09:47:44 HylaFAX sendmail[5605]: i1FMlh3D005604: > to=mfax@xxx.com.au , ctladdr= > (10/14), delay=00:00:01, xdelay=00:00:01, mailer=smtp, pri=36118, > relay=tardis, dsn=5.1.2, stat=Host unknown (Name server: tardis: host > not found) > > What do i need to do to sendmail to specify the server for > all outbound > mail? > > Appreciate any heklp or suggestions i can get. > Thanks > From pete at eatathome.com.au Tue Feb 17 01:32:08 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:32 2006 Subject: Sendmail Question (OT) In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410900@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F362927410900@mtlnt501fs.CAMOROUTE.COM> Message-ID: <40316F18.6080907@eatathome.com.au> Ugo Bellavance wrote: >>-----Message d'origine----- >>De : Pete [mailto:pete@eatathome.com.au] >>Envoy? : Monday, February 16, 2004 7:02 PM >>? : MAILSCANNER@JISCMAIL.AC.UK >>Objet : Sendmail Question (OT) >> >> >>I have some in herited Hylafax machines here and they use sendmail to >>route mail. Everything lives on Private subnet, no DNS services only >>WINS NT4 server. Hylafax does regular real world MX lookups >>and all mail >>then routes to our main SMTP gateway (public IP). >> >>I want to change this to point it at a another mail server on the >>private subnet, to save poking holes in the firewalls for users we are >>diverting all outbound SMTP traffic to internal mail servers. >> >>To force the sendmail (hylafax machines) to send all outdound mail to >>the local mail server i tried the following. 
>>
>>I changed the mailertable and added the 10.1.10.4 IP of the local mail
>>server using the following format
>>xxx.com.au SMTP:10.1.10.4 (I used a tab to space it)
>>
>>
>
>Did you try: xxx.com.au SMTP:[10.1.10.4]
>
>?
>
>
>
>>then did # /usr/sbin/makemap hash /etc/mail/mailertable.db <
>>/etc/mail/mailertable
>>
>>I also tried to add the mail server host name of "tardis" to
>>/etc/hosts
>>10.1.10.4 tardis
>>
>>But this didn't work, I get the following in the maillog
>>Feb 16 09:47:44 HylaFAX sendmail[5605]: i1FMlh3D005604:
>>to=mfax@xxx.com.au , ctladdr=
>>(10/14), delay=00:00:01, xdelay=00:00:01, mailer=smtp, pri=36118,
>>relay=tardis, dsn=5.1.2, stat=Host unknown (Name server: tardis: host
>>not found)
>>
>>What do I need to do to sendmail to specify the server for
>>all outbound
>>mail?
>>
>>Appreciate any help or suggestions I can get.
>>Thanks
>>
>>
>

Yeah I restarted the service after making the changes, I haven't used a FQDN cos we don't have any DNS service inside the network, nor do I want to use them, just send all outbound mail from sendmail to the ip or wins name of the mail server, both on same subnet, I would have thought this would be pretty easy...sendmail is too hard for me :(

Should the IP in the mailertable be in square brackets like in your example? I didn't have that.

From campbell at CNPAPERS.COM Tue Feb 17 02:38:10 2004
From: campbell at CNPAPERS.COM (Steve Campbell)
Date: Thu Jan 12 21:22:32 2006
Subject: Sendmail question, multiple recipients
Message-ID: <1076985490.40317e92951ad@kanawha.cnpapers.net>

To the list,

I realize this is not the Sendmail list, but I will ask here, if you please, a question that keeps perplexing me. This sort of is a followup of a prior post I sent, one which I thought I had this all figured out (with a lot of patient help from this list).

I have finally turned off my fail-over (catch-all) mailbox, and it seems to work most of the time (meaning it rejects mail to invalid users right away).
But it seems that when an email has a valid recipient and multiple invalid CC recipients, Sendmail will accept the email due to the valid recipient, and then send out NDR replies for all of the invalid recipients.

Is there a way I am missing to avoid this or is this just the way it has to be? Is there a way to scrub my outgoing queue of these without manually deleting these?

A long while back, there was discussion of configuring sendmail to break these up into separate emails, but would this fix this problem?

Thanks loads,

Steve Campbell
Charleston Newspapers
campbell@cnpapers.com

From david at PLATFORMHOSTING.COM Tue Feb 17 02:47:54 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:32 2006
Subject: Single process taking over?
In-Reply-To: <1076985490.40317e92951ad@kanawha.cnpapers.net>
Message-ID: <200402170247.i1H2lpf01897@mx1.mailsecurity.net.au>

Hi,

I've just upgraded to 4.26.8 and have noticed that on one of our linux boxes running Sendmail MailScanner seems to have spawned all the processes, but one process always uses 99-100% CPU and the box is killing itself to keep up regardless of whether mail is waiting to be processed or not.

If I kill that individual MailScanner process the box begins to run normally.

Has anyone else seen this? It's a pretty big issue as this box is one of our core message routing boxes.

Regards,

David Hooton

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From michele at BLACKNIGHTSOLUTIONS.COM Tue Feb 17 02:51:58 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:32 2006
Subject: Single process taking over?
In-Reply-To: <200402170247.i1H2lpf01897@mx1.mailsecurity.net.au> Message-ID: We had a *similar* situation a few weeks ago. Upgrading DCC, SA and a couple of other bits and pieces seemed to resolve the problem Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of David Hooton > Sent: 17 February 2004 02:48 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] Single process taking over? > > > Hi, > > I've just upgraded to 4.26.8 and have noticed that on one of our > linux boxes > running Sendmail MailScanner seems to have spawned all the processes, but > one process always uses 99-100% CPU and the box is killing itself > to keep up > regardless of weather mail is waiting to be processed or not. > > If I kill that individual MailScanner process the box begins to run > normally. > > Has anyone else seen this? It's a pretty big issue as this box is one of > our core message routing boxes. > > Regards, > > David Hooton > > > ======================================================================== > Pain free spam & virus protection by: www.mailsecurity.net.au > Forward undetected SPAM to: spam@mailsecurity.net.au > ======================================================================== > From pete at eatathome.com.au Tue Feb 17 02:54:28 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:32 2006 Subject: Sendmail Question (OT) In-Reply-To: <210DF55DED65B547896F728FB057F3B202E30139@seaver.ussco.com> References: <210DF55DED65B547896F728FB057F3B202E30139@seaver.ussco.com> Message-ID: <40318264.7080300@eatathome.com.au> Shortt, Kevin wrote: > >Try putting your 10.1.10.4 IP address in the DS variable (SMART_HOST in .mc >file) of sendmail.cf. > >Let me know if that works for you. 
>
>-k
>
>-----Original Message-----
>From: Pete
>To: MAILSCANNER@JISCMAIL.AC.UK
>Sent: 2/16/2004 6:02 PM
>Subject: Sendmail Question (OT)
>
>I have some inherited Hylafax machines here and they use sendmail to
>route mail. Everything lives on Private subnet, no DNS services only
>WINS NT4 server. Hylafax does regular real world MX lookups and all mail
>then routes to our main SMTP gateway (public IP).
>
>I want to change this to point it at another mail server on the
>private subnet, to save poking holes in the firewalls for users we are
>diverting all outbound SMTP traffic to internal mail servers.
>
>To force the sendmail (hylafax machines) to send all outbound mail to
>the local mail server I tried the following.
>
>I changed the mailertable and added the 10.1.10.4 IP of the local mail
>server using the following format
>xxx.com.au SMTP:10.1.10.4 (I used a tab to space it)
>then did # /usr/sbin/makemap hash /etc/mail/mailertable.db <
>/etc/mail/mailertable
>
>I also tried to add the mail server host name of "tardis" to /etc/hosts
>10.1.10.4 tardis
>
>But this didn't work, I get the following in the maillog
>Feb 16 09:47:44 HylaFAX sendmail[5605]: i1FMlh3D005604:
>to=mfax@xxx.com.au , ctladdr=
>(10/14), delay=00:00:01, xdelay=00:00:01, mailer=smtp, pri=36118,
>relay=tardis, dsn=5.1.2, stat=Host unknown (Name server: tardis: host
>not found)
>
>What do I need to do to sendmail to specify the server for all outbound
>mail?
>
>Appreciate any help or suggestions I can get.
>Thanks
>
>

I tried that using the webmin UI, but I am not so sure if it worked. Webmin doesn't make the sendmail configs any easier to nav, well not for me.

From david at PLATFORMHOSTING.COM Tue Feb 17 03:06:01 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:32 2006
Subject: Single process taking over?
In-Reply-To:
Message-ID: <200402170306.i1H364C08027@mx1.mailsecurity.net.au>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Michele Neylon :: Blacknight Solutions
> Sent: Tuesday, 17 February 2004 1:52 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Single process taking over?
>
> We had a *similar* situation a few weeks ago. Upgrading DCC, SA and a
> couple
> of other bits and pieces seemed to resolve the problem
>

We've just had to back off to 4.25-14 and have found it is back to performing as per usual.

Has anyone found a specific reason for this? It's a bit of a concern that the current stable release can have this effect!

Also: Julian - any possibility that the website can list previous versions? We had to guess the url to get the older version :)

Regards,

David Hooton

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From stefanzman at yahoo.com Tue Feb 17 04:39:33 2004
From: stefanzman at yahoo.com (Stefan Zauchenberger)
Date: Thu Jan 12 21:22:32 2006
Subject: Multiple Perl instances
Message-ID: <20040217043933.30121.qmail@web41302.mail.yahoo.com>

Does anyone have any experience installing Mailscanner and SpamAssassin in a separate instance of Perl?

Is compiling/making the product with the correct preceding perl path sufficient for correct setup?

Lastly, will the appropriate SpamAssassin perl module be created and be accessible for other applications?

Please advise...anyone?

From Uwe.Krause at FEP.FRAUNHOFER.DE Tue Feb 17 08:31:24 2004
From: Uwe.Krause at FEP.FRAUNHOFER.DE (Krause, Uwe)
Date: Thu Jan 12 21:22:32 2006
Subject: SpamAssassin Bayes filter and MailScanner
Message-ID: <8DDE8CA53DC5F24DA4B7D074DDE8109F43803C@midgard.fep.fhg.de>

> Should I see this for mail that is scanned for spam? If so, am I
> missing something in configuring this to be used?

watch the output of "spamassassin --lint -D"

...
debug: bayes corpus size: nspam = xxxx, nham = xxxx

Uwe

From mailscanner at ecs.soton.ac.uk Tue Feb 17 08:42:05 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:32 2006
Subject: Single process taking over?
In-Reply-To: <200402170247.i1H2lpf01897@mx1.mailsecurity.net.au>
References: <1076985490.40317e92951ad@kanawha.cnpapers.net> <200402170247.i1H2lpf01897@mx1.mailsecurity.net.au>
Message-ID: <6.0.1.1.2.20040217084103.03ac4080@imap.ecs.soton.ac.uk>

Is there a particular message in your incoming queue that causes this?
Is anything being logged?
What is the last log entry from the rogue process?
What OS/distribution/version are you running?

At 02:47 17/02/2004, you wrote:
>Hi,
>
>I've just upgraded to 4.26.8 and have noticed that on one of our linux boxes
>running Sendmail MailScanner seems to have spawned all the processes, but
>one process always uses 99-100% CPU and the box is killing itself to keep up
>regardless of whether mail is waiting to be processed or not.
>
>If I kill that individual MailScanner process the box begins to run
>normally.
>
>Has anyone else seen this? It's a pretty big issue as this box is one of
>our core message routing boxes.
> >Regards, > >David Hooton > > >======================================================================== > Pain free spam & virus protection by: www.mailsecurity.net.au > Forward undetected SPAM to: spam@mailsecurity.net.au >======================================================================== -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From david at PLATFORMHOSTING.COM Tue Feb 17 09:28:31 2004 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:22:32 2006 Subject: Single process taking over? In-Reply-To: <6.0.1.1.2.20040217084103.03ac4080@imap.ecs.soton.ac.uk> Message-ID: <200402170928.i1H9STC07304@mx1.mailsecurity.net.au> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Julian Field > Sent: Tuesday, 17 February 2004 7:42 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Single process taking over? > > Is there a particular message in your incoming queue that causes this? > Is anything being logged? > What is the last log entry from the rogue process? > What OS/distribution/version are you running? > Hi Julian, No, this happens the moment we start MailScanner with that code release. The box is running RedHat 9, has 1 gig of RAM, hardware mirrored 80GB SATA drives and dual 2.8Ghz processors. At one stage yesterday the box was running at a load average of 16 from this one process, mqueue.in only had 2kb in it! We've had to back off to an older code version because of the load. 
Regards, David Hooton ======================================================================== Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== From mailscanner at ecs.soton.ac.uk Tue Feb 17 09:36:29 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:32 2006 Subject: Single process taking over? In-Reply-To: <200402170928.i1H9STC07304@mx1.mailsecurity.net.au> References: <6.0.1.1.2.20040217084103.03ac4080@imap.ecs.soton.ac.uk> <200402170928.i1H9STC07304@mx1.mailsecurity.net.au> Message-ID: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> At 09:28 17/02/2004, you wrote: > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Julian Field > > Sent: Tuesday, 17 February 2004 7:42 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Single process taking over? > > > > Is there a particular message in your incoming queue that causes this? > > Is anything being logged? > > What is the last log entry from the rogue process? > > What OS/distribution/version are you running? > > > >Hi Julian, > >No, this happens the moment we start MailScanner with that code release. > >The box is running RedHat 9, has 1 gig of RAM, hardware mirrored 80GB SATA >drives and dual 2.8Ghz processors. > >At one stage yesterday the box was running at a load average of 16 from this >one process, mqueue.in only had 2kb in it! > >We've had to back off to an older code version because of the load. Ah, a reproducible fault! I like those :-) What does your MailScanner.conf look like? (just the interesting bits, don't care what all the filenames of your reports are and stuff like that). What virus scanner(s), SpamAssassin, etc? What is the last thing the runaway process logs before CPU hogging? 
Does the CPU hogging start the instant you start MailScanner, or the instant the first child process runs, or when? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 17 10:05:47 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:32 2006 Subject: Single process taking over? In-Reply-To: <200402170928.i1H9STC07304@mx1.mailsecurity.net.au> References: <6.0.1.1.2.20040217084103.03ac4080@imap.ecs.soton.ac.uk> <200402170928.i1H9STC07304@mx1.mailsecurity.net.au> Message-ID: <6.0.1.1.2.20040217100447.03a604a8@imap.ecs.soton.ac.uk> At 09:28 17/02/2004, you wrote: > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Julian Field > > Sent: Tuesday, 17 February 2004 7:42 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Single process taking over? > > > > Is there a particular message in your incoming queue that causes this? > > Is anything being logged? > > What is the last log entry from the rogue process? > > What OS/distribution/version are you running? > > > >Hi Julian, > >No, this happens the moment we start MailScanner with that code release. > >The box is running RedHat 9, has 1 gig of RAM, hardware mirrored 80GB SATA >drives and dual 2.8Ghz processors. > >At one stage yesterday the box was running at a load average of 16 from this >one process, mqueue.in only had 2kb in it! Had you put in any of my patches to 4.26.8 that I published here? If so, that might be the problem (have since fixed). 
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From viers at UNILIM.FR Tue Feb 17 11:26:06 2004
From: viers at UNILIM.FR (Nicolas Viers - SCI)
Date: Thu Jan 12 21:22:32 2006
Subject: Spamassassin and Bayes files
Message-ID: <5.0.2.1.2.20040217122203.01200498@127.0.0.1>

Hello,

if I change the bayes_path in the /etc/MailScanner/spam.assassin.prefs.conf file it's OK. The db files are now in the new directory.

But when I run sa-learn manually, how do I tell spamassassin to write rules in this directory and no longer in /root/.spamassassin?

Thanks

____________________________________________________________
Nicolas Viers | Service Commun Informatique
Email: viers@unilim.fr | 123, avenue Albert Thomas
| 87060 Limoges cedex
Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95
http://www.unilim.fr/sci
____________________________________________________________

From david at PLATFORMHOSTING.COM Tue Feb 17 11:29:11 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:32 2006
Subject: Single process taking over?
In-Reply-To: <6.0.1.1.2.20040217100447.03a604a8@imap.ecs.soton.ac.uk>
Message-ID: <200402171129.i1HBT8C03983@mx1.mailsecurity.net.au>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Julian Field
> Sent: Tuesday, 17 February 2004 9:06 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Single process taking over?
>
> Had you put in any of my patches to 4.26.8 that I published here? If so,
> that might be the problem (have since fixed).

Yes,

Wouldn't the upgrade to the new code overwrite that though?
Regards, David Hooton ======================================================================== Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== From david at PLATFORMHOSTING.COM Tue Feb 17 11:38:11 2004 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:22:32 2006 Subject: Single process taking over? In-Reply-To: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> Message-ID: <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Julian Field > Sent: Tuesday, 17 February 2004 8:36 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Single process taking over? > > Ah, a reproducible fault! I like those :-) I don't!! :) > What does your MailScanner.conf look like? (just the interesting bits, > don't care what all the filenames of your reports are and stuff like > that). See below.. > What virus scanner(s), SpamAssassin, etc? ClamAV, McAfee, Spamassassin 2.6.3, DCC, Razor > What is the last thing the runaway process logs before CPU hogging? Nothing abnormal, just the process starting and mail being processed, even in verbose logging, it just appears to be a normal process that won't let the other threads have any resources. If I kill it, the other threads spawn and run as per normal. > Does the CPU hogging start the instant you start MailScanner, or the > instant the first child process runs, or when? As soon as mail begins to be processed. If no mail is in the queue, not hogging, but the second any mail is in queue it's hogging. 
MailScanner.conf
============================================
Max Children = 4
Queue Scan Interval = 1
MTA = sendmail
Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 15
Max Unsafe Messages Per Scan = 15
Virus Scanning = yes
Virus Scanners = mcafee clamav
Virus Scanner Timeout = 300
Spam Checks = yes
Spam List =
Use SpamAssassin = yes
Max SpamAssassin Size = 90000
Deliver In Background = yes
Delivery Method = batch

Let me know if you want any more detail..

Cheers!

Dave

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From mailscanner at ecs.soton.ac.uk Tue Feb 17 12:24:42 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:32 2006
Subject: Single process taking over?
In-Reply-To: <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au>
References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au>
Message-ID: <6.0.1.1.2.20040217122321.04062008@imap.ecs.soton.ac.uk>

At 11:38 17/02/2004, you wrote:
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Julian Field
> > Sent: Tuesday, 17 February 2004 8:36 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Single process taking over?
> >
> > Ah, a reproducible fault! I like those :-)
>
>I don't!! :)
>
> > What does your MailScanner.conf look like? (just the interesting bits,
> > don't care what all the filenames of your reports are and stuff like
> > that).
>
>See below..
>
> > What virus scanner(s), SpamAssassin, etc?
>
>ClamAV, McAfee, Spamassassin 2.6.3, DCC, Razor
>
> > What is the last thing the runaway process logs before CPU hogging?
> >Nothing abnormal, just the process starting and mail being processed, even >in verbose logging, it just appears to be a normal process that won't let >the other threads have any resources. If I kill it, the other threads spawn >and run as per normal. > > > Does the CPU hogging start the instant you start MailScanner, or the > > instant the first child process runs, or when? > >As soon as mail begins to be processed. If no mail is in the queue, not >hogging, but the second any mail is in queue it's hogging. > >MailScanner.conf >============================================ >Max Children = 4 >Queue Scan Interval = 1 >MTA = sendmail >Max Unscanned Bytes Per Scan = 100000000 >Max Unsafe Bytes Per Scan = 50000000 >Max Unscanned Messages Per Scan = 15 >Max Unsafe Messages Per Scan = 15 >Virus Scanning = yes >Virus Scanners = mcafee clamav >Virus Scanner Timeout = 300 >Spam Checks = yes >Spam List = >Use SpamAssassin = yes >Max SpamAssassin Size = 90000 >Deliver In Background = yes >Delivery Method = batch Do you reckon you could reproduce the problem on a box to which you could give me login access? I suspect it's something very simple, but I have never witnessed it here and it's apparently not a common problem. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 17 12:32:12 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:32 2006 Subject: Single process taking over? 
In-Reply-To: <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> Message-ID: <6.0.1.1.2.20040217123121.03fb60d8@imap.ecs.soton.ac.uk> At 11:38 17/02/2004, you wrote: > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Julian Field > > Sent: Tuesday, 17 February 2004 8:36 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Single process taking over? > > > > Ah, a reproducible fault! I like those :-) > >I don't!! :) > > > What does your MailScanner.conf look like? (just the interesting bits, > > don't care what all the filenames of your reports are and stuff like > > that). > >See below.. > > > What virus scanner(s), SpamAssassin, etc? > >ClamAV, McAfee, Spamassassin 2.6.3, DCC, Razor > > > What is the last thing the runaway process logs before CPU hogging? > >Nothing abnormal, just the process starting and mail being processed, even >in verbose logging, it just appears to be a normal process that won't let >the other threads have any resources. If I kill it, the other threads spawn >and run as per normal. > > > Does the CPU hogging start the instant you start MailScanner, or the > > instant the first child process runs, or when? > >As soon as mail begins to be processed. If no mail is in the queue, not >hogging, but the second any mail is in queue it's hogging. 
> >MailScanner.conf >============================================ >Max Children = 4 >Queue Scan Interval = 1 >MTA = sendmail >Max Unscanned Bytes Per Scan = 100000000 >Max Unsafe Bytes Per Scan = 50000000 >Max Unscanned Messages Per Scan = 15 >Max Unsafe Messages Per Scan = 15 >Virus Scanning = yes >Virus Scanners = mcafee clamav >Virus Scanner Timeout = 300 >Spam Checks = yes >Spam List = >Use SpamAssassin = yes >Max SpamAssassin Size = 90000 >Deliver In Background = yes >Delivery Method = batch > > >Let me know if you want any more detail.. One more thing. If you set "Debug = yes" and then kill the MailScanner processes and run check_mailscanner once, what happens? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Ulysees at ULYSEES.COM Tue Feb 17 13:01:19 2004 From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:22:32 2006 Subject: [OT ish] converting charsets References: <000701c3ea73$5f951410$3201010a@nimitz> Message-ID: > The mails that cause this always come from the same group of sites. > I've also found that it happens if I turn on full headers in the virus > reports. > This doesn't happen on a 4.23-11 on rh7.2 box that I'm retiring. > > Uly > Turns out it was the MTA using a funny charset, O DefaultCharSet=iso-8859-1 in the sendmail.cf sorted it. 
From prandal at HEREFORDSHIRE.GOV.UK Tue Feb 17 13:35:50 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:32 2006 Subject: Mcafee Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C52C@jessica.herefordshire.gov.uk> Yes, it's at http://groups.yahoo.com/group/tvdug/ Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: Ryan Finnesey [mailto:ryan.finnesey@corpdsg.com] > Sent: 15 February 2004 23:27 > To: MailScanner mailing list > Cc: Randal, Phil > Subject: RE: Mcafee > > > Can anyone join this list? I have been trying to get in > contact with someone at Mcafee's XSP OEM group for some time now. > > > > > > > Ryan > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Randal, Phil > Sent: Wednesday, February 11, 2004 4:43 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mcafee > > > No, it has recently been updated, runs like a charm here. > > I've just asked on the (McAfee) Total Virus Defense User > Group mailinglist, > so hopefully one of the NAI support guys will get back to me. > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Remco Barendse > > Sent: 11 February 2004 12:04 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Mcafee > > > > > > My ISP used to provide it for free with the account but they > > stopped it > > because mcafee supposedly ceased development / support on the > > virusscan > > for linux?? > > > > Have not been able to find any info about it though > > > > On Mon, 9 Feb 2004, Steve Churcher wrote: > > > > > Hi All > > > > > > Does anyone know where I can purchase a license for McAfee > > Command line > > > for unix in the UK? 
Or indeed anywhere really! > > > > > > Seems a hard one to track down or maybe its just me.. > > > > > > Thanks > > > Steve > > > > > > From maillists at CONACTIVE.COM Tue Feb 17 14:31:34 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:32 2006 Subject: Solved: MailScanner + Sendmail and User Unknown not bounced at once...(this does NOT use LDAP routing) In-Reply-To: <403142E7.6080008@uptime.at> References: <403142E7.6080008@uptime.at> Message-ID: David H. wrote on Mon, 16 Feb 2004 23:23:35 +0100: > All of us Sendmail + Mailscanner user might know the case where > MailScanner queues up a message for a User that is Unknown. > I'm trying to repro that. When does this occur? I suppose only in those setups where the MTA accepts every message because it doesn't know if the user exists or not? I tried sending a mail to an unknown user and our sendmail just bounced it and nothing is in the MailScanner logs (seen via Mailwatch). Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From dh at UPTIME.AT Tue Feb 17 14:37:14 2004 From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:22:32 2006 Subject: Solved: MailScanner + Sendmail and User Unknown not bounced at once...(this does NOT use LDAP routing) In-Reply-To: References: <403142E7.6080008@uptime.at> Message-ID: <4032271A.2060306@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Kai Schaetzl wrote: > David H. wrote on Mon, 16 Feb 2004 23:23:35 +0100: > > >>All of us Sendmail + Mailscanner user might know the case where >>MailScanner queues up a message for a User that is Unknown. >> > > > I'm trying to repro that. When does this occur? I suppose only in those > setups where the MTA accepts every message because it doesn't know if the > user exists or not? 
I tried sending a mail to an unknown user and our
> sendmail just bounced it and nothing is in the MailScanner logs (seen via
> Mailwatch).
>
>

When you set the Local Mailer to CyrusV2 because you wish to deliver all mail to the Cyrus store, the border Sendmail will accept any message since it does not know which Cyrus User is actually existent. The second sendmail process then actually talks to the lmtp socket of the Cyrus Mailserver and learns if the user exists or not.

- -d

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAMicaPMoaMn4kKR4RA/r/AJ9IJ/uHxV4cOVfx1PSwHzSPYgGPswCePoeb
5ajrvLugR9FcK271Epo8IaM=
=dyUy
-----END PGP SIGNATURE-----

From dustin.baer at IHS.COM Tue Feb 17 14:45:20 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:32 2006
Subject: Some conf settings not honored?
References: <6.0.1.1.2.20040216085116.03bd2c80@imap.ecs.soton.ac.uk>
Message-ID: <40322900.3404AADB@ihs.com>

Kai Schaetzl wrote:
>
>
> No, no links involved at all. oops, I misinterpreted this. I'm talking of the
> quarantine path, not of the incoming work dir. It's shown in full:
> /var/spool/MailScanner/quarantine/20040215 (NachrichtenID i1FLfPS7006353)
>
> Is there an option to remove the path?

The full path you see in the reports is translated from "$quarantinedir/$datenumber" in the reports. You should just need to modify those lines:

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From gthagard at ENG.FSU.EDU Tue Feb 17 15:13:11 2004
From: gthagard at ENG.FSU.EDU (Gordon Thagard)
Date: Thu Jan 12 21:22:32 2006
Subject: Wrong elf class: ELFCLASS64
Message-ID:

Solaris 9
perl-5.8.3-sol9-sparc-local from SunFreeware.com
gcc 3.3.2

I've been trying, unsuccessfully, to install some perl modules so that, ultimately, I can get MailScanner running for our environment.
There are three perl modules that give troubles and the problem is clearly seen when running 'make test'. The three perl modules are: Digest-MD5 HTML-Parser Net-DNS Here's the output from 'make test' for 'Digest-MD5': ------------------- Running Mkbootstrap for Digest::MD5 () chmod 644 MD5.bs rm -f blib/arch/auto/Digest/MD5/MD5.so LD_RUN_PATH="" gcc -B/usr/ccs/bin/ -G -L/usr/local/lib MD5.o -o blib/arch/auto/Digest/MD5/MD5.so chmod 755 blib/arch/auto/Digest/MD5/MD5.so cp MD5.bs blib/arch/auto/Digest/MD5/MD5.bs chmod 644 blib/arch/auto/Digest/MD5/MD5.bs PERL_DL_NONLAZY=1 /usr/local/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/align......Can't load '/root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so' for module Digest::MD5: ld.so.1: /usr/local/bin/perl: fatal: /root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so: wrong ELF class: ELFCLASS64 at /usr/local/lib/perl5/5.8.3/sun4-solaris/DynaLoader.pm line 229. at t/align.t line 13 Compilation failed in require at t/align.t line 13. BEGIN failed--compilation aborted at t/align.t line 13. t/align......dubious Test returned status 2 (wstat 512, 0x200) t/badfile....Can't load '/root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so' for module Digest::MD5: ld.so.1: /usr/local/bin/perl: fatal: /root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so: wrong ELF class: ELFCLASS64 at /usr/local/lib/perl5/5.8.3/sun4-solaris/DynaLoader.pm line 229. at t/badfile.t line 3 Compilation failed in require at t/badfile.t line 3. BEGIN failed--compilation aborted at t/badfile.t line 3. t/badfile....dubious Test returned status 2 (wstat 512, 0x200) t/bits.......Can't load '/root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so' for module Digest::MD5: ld.so.1: /usr/local/bin/perl: fatal: /root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so: wrong ELF class: ELFCLASS64 at /usr/local/lib/perl5/5.8.3/sun4-solaris/DynaLoader.pm line 229. 
at t/bits.t line 6 Compilation failed in require at t/bits.t line 6. BEGIN failed--compilation aborted at t/bits.t line 6. t/bits.......dubious Test returned status 2 (wstat 512, 0x200) t/clone......Can't load '/root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so' for module Digest::MD5: ld.so.1: /usr/local/bin/perl: fatal: /root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so: wrong ELF class: ELFCLASS64 at /usr/local/lib/perl5/5.8.3/sun4-solaris/DynaLoader.pm line 229. at t/clone.t line 6 Compilation failed in require at t/clone.t line 6. BEGIN failed--compilation aborted at t/clone.t line 6. t/clone......dubious Test returned status 2 (wstat 512, 0x200) t/files......Can't load '/root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so' for module Digest::MD5: ld.so.1: /usr/local/bin/perl: fatal: /root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so: wrong ELF class: ELFCLASS64 at /usr/local/lib/perl5/5.8.3/sun4-solaris/DynaLoader.pm line 229. at t/files.t line 11 Compilation failed in require at t/files.t line 11. BEGIN failed--compilation aborted at t/files.t line 11. t/files......dubious Test returned status 2 (wstat 512, 0x200) t/md5-aaa....Can't load '/root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so' for module Digest::MD5: ld.so.1: /usr/local/bin/perl: fatal: /root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so: wrong ELF class: ELFCLASS64 at /usr/local/lib/perl5/5.8.3/sun4-solaris/DynaLoader.pm line 229. at t/md5-aaa.t line 11 Compilation failed in require at t/md5-aaa.t line 11. BEGIN failed--compilation aborted at t/md5-aaa.t line 11. 
t/md5-aaa....dubious Test returned status 2 (wstat 512, 0x200) t/utf8.......Can't load '/root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so' for module Digest::MD5: ld.so.1: /usr/local/bin/perl: fatal: /root/src/perl/Digest-MD5-2.33/blib/arch/auto/Digest/MD5/MD5.so: wrong ELF class: ELFCLASS64 at /usr/local/lib/perl5/5.8.3/sun4-solaris/DynaLoader.pm line 229. at t/utf8.t line 13 Compilation failed in require at t/utf8.t line 13. BEGIN failed--compilation aborted at t/utf8.t line 13. t/utf8.......dubious Test returned status 2 (wstat 512, 0x200) FAILED--7 test scripts could be run, alas--no output ever seen make: *** [test_dynamic] Error 2 -------------------------- As such, my MailScanner fails with the same sort of error: [root@testbed bin]# ./check_mailscanner.solaris Starting MailScanner... Can't load '/usr/local/lib/perl5/site_perl/5.8.3/sun4-solaris/auto/HTML/Parser/Parser.so' for module HTML::Parser: ld.so.1: /usr/local/bin/perl: fatal: /usr/local/lib/perl5/site_perl/5.8.3/sun4-solaris/auto/HTML/Parser/Parser.so: wrong ELF class: ELFCLASS64 at /usr/local/lib/perl5/5.8.3/sun4-solaris/DynaLoader.pm line 229. at /usr/local/lib/perl5/site_perl/5.8.3/sun4-solaris/HTML/Entities.pm line 113 Compilation failed in require at /usr/local/lib/perl5/site_perl/5.8.3/sun4-solaris/HTML/Entities.pm line 113. Compilation failed in require at /usr/local/lib/perl5/site_perl/5.8.3/sun4-solaris/HTML/TokeParser.pm line 11. BEGIN failed--compilation aborted at /usr/local/lib/perl5/site_perl/5.8.3/sun4-solaris/HTML/TokeParser.pm line 11. Compilation failed in require at /opt/MailScanner/lib/MailScanner/MCPMessage.pm line 44. BEGIN failed--compilation aborted at /opt/MailScanner/lib/MailScanner/MCPMessage.pm line 44. Compilation failed in require at /opt/MailScanner/bin/MailScanner line 51. BEGIN failed--compilation aborted at /opt/MailScanner/bin/MailScanner line 51. 
I've seen many references to this sort of problem doing Google searches but the only thing I found that might be relevant was a suggestion to build my own perl and make sure that it is compiled 64bit. Is the SunFreeware package my problem or is there some modification I could make to the makefile after running a 'perl Makefile.PL' that might fix this? Any assistance would be greatly appreciated. G From mailscanner at THEBUC.COM Tue Feb 17 15:34:20 2004 From: mailscanner at THEBUC.COM (Bryan Jones) Date: Thu Jan 12 21:22:32 2006 Subject: Sophos Information Message-ID: Can someone please tell me where I can find a download of Sophos, also is this free for linux. I am looking for a good free virus scanning software. Thanks From jwilliam at KCR.UKY.EDU Tue Feb 17 15:48:29 2004 From: jwilliam at KCR.UKY.EDU (John Williams) Date: Thu Jan 12 21:22:32 2006 Subject: Sophos Information In-Reply-To: References: Message-ID: <6.0.0.22.2.20040217104613.01b7ef60@mail.kcr.uky.edu> At 10:34 AM 2/17/2004, you wrote: >Can someone please tell me where I can find a download of Sophos, also is >this free for linux. I am looking for a good free virus scanning software. > >Thanks Sophos will give you a trial but they typically use an annual agreement. The cost depends on how many users, servers, etc... --Statement of Confidentiality-- This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Thank you. From prandal at HEREFORDSHIRE.GOV.UK Tue Feb 17 15:47:56 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:32 2006 Subject: Sophos Information Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C533@jessica.herefordshire.gov.uk> The only free one is ClamAV (http://www.clamav.net). Once again it has caught W32/Bagle.b@MM (which it calls Worm.YoursID) well in advance of the commercial virus scanners. 
Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Bryan Jones > Sent: 17 February 2004 15:34 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Sophos Information > > > Can someone please tell me where I can find a download of > Sophos, also is > this free for linux. I am looking for a good free virus > scanning software. > > Thanks > From cstamas at digitus.itk.ppke.hu Tue Feb 17 15:48:42 2004 From: cstamas at digitus.itk.ppke.hu (Csillag Tamás) Date: Thu Jan 12 21:22:32 2006 Subject: SpamAssassin Bayes filter and MailScanner In-Reply-To: <026701c3f4e0$9d1bc3c0$3e01a8c0@express.loanprocessing.net> References: <026701c3f4e0$9d1bc3c0$3e01a8c0@express.loanprocessing.net> Message-ID: <20040217154842.GP26319@digitus> On 02/16, Mike McMullen wrote: > Hi All, > > I fed about 1000 spam emails today to sa-learn. Watching the > mail logs for MailScanner entries, I never see the Bayes Score > show up. > > Should I see this for mail that is scanned for spam? If so, am I > missing something in configuring this to be used? It is also important to do this (sa-learn) as the right user. (If user runs as user foo you have to chown foo bayes...) > > Thanks, > > Mike -- cstamas From campbell at CNPAPERS.COM Tue Feb 17 15:31:16 2004 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:22:32 2006 Subject: Single process taking over? References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> <6.0.1.1.2.20040217122321.04062008@imap.ecs.soton.ac.uk> Message-ID: <019601c3f56b$155b0be0$a801a8c0@cnpapers.net> Mr. Field, I have been going through pretty much the same situation as described with this post. The exception is that my machine does not show a domineering process and load average drops to near nothing. 
I have been trying to change sendmail to remedy this problem, but I may be looking at the wrong part of the puzzle. I have still not determined what is going on, but I do see a lot of Bayes lock files and one main bayes.lock file. It peaks once I see the bayes_toks.new file which seems to stay around forever. I offer this only to maybe point things toward a solution. I am running MS 4.26.8-1 SA 2.61-1 ClamAV 0.65 MailWatch 0.5.1 Sendmail 8.11.6-27.73 RH 7.3 I upgraded MS on a Monday and MailWatch on a Wednesday. That week problems started happening. The problems seemed to be resolved by my removing my Bayes files (you suggested poisoning, and this appeared to have been the case), but since I must stop MS, remove all of the bayes lock files, the bayes_tok.new file, restart MS and all appears fine. Load average climbs to normal to normal-high limits, my incoming backlog clears quickly and everything is fine. I replaced my Message.pm file with the one you posted to the list, and that is the only other change I have made to the above installed programs. I hope some common thread may appear from my configuration and what others describe to shed some light on this. Most people don't complain about load averages this low, but to me it signals a slow down in my mail system, creating backlogs in the incoming queue. Thank you for your efforts, sir. Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- From: "Julian Field" To: Sent: Tuesday, February 17, 2004 7:24 AM Subject: Re: Single process taking over? > At 11:38 17/02/2004, you wrote: > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > Behalf Of Julian Field > > > Sent: Tuesday, 17 February 2004 8:36 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Single process taking over? > > > > > > Ah, a reproducible fault! I like those :-) > > > >I don't!! :) > > > > > What does your MailScanner.conf look like? 
(just the interesting bits, > > > don't care what all the filenames of your reports are and stuff like > > > that). > > > >See below.. > > > > > What virus scanner(s), SpamAssassin, etc? > > > >ClamAV, McAfee, Spamassassin 2.6.3, DCC, Razor > > > > > What is the last thing the runaway process logs before CPU hogging? > > > >Nothing abnormal, just the process starting and mail being processed, even > >in verbose logging, it just appears to be a normal process that won't let > >the other threads have any resources. If I kill it, the other threads spawn > >and run as per normal. > > > > > Does the CPU hogging start the instant you start MailScanner, or the > > > instant the first child process runs, or when? > > > >As soon as mail begins to be processed. If no mail is in the queue, not > >hogging, but the second any mail is in queue it's hogging. > > > >MailScanner.conf > >============================================ > >Max Children = 4 > >Queue Scan Interval = 1 > >MTA = sendmail > >Max Unscanned Bytes Per Scan = 100000000 > >Max Unsafe Bytes Per Scan = 50000000 > >Max Unscanned Messages Per Scan = 15 > >Max Unsafe Messages Per Scan = 15 > >Virus Scanning = yes > >Virus Scanners = mcafee clamav > >Virus Scanner Timeout = 300 > >Spam Checks = yes > >Spam List = > >Use SpamAssassin = yes > >Max SpamAssassin Size = 90000 > >Deliver In Background = yes > >Delivery Method = batch > > Do you reckon you could reproduce the problem on a box to which you could > give me login access? I suspect it's something very simple, but I have > never witnessed it here and it's apparently not a common problem. 
> -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Tue Feb 17 15:54:10 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:32 2006 Subject: Sophos Information In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C533@jessica.herefordshire.gov.uk> Message-ID: Hi! > The only free one is ClamAV (http://www.clamav.net). > > Once again it has caught W32/Bagle.b@MM (which it calls Worm.YoursID) well > in advance of the commercial virus scanners. I am scanning with both clam and f-prot on one of my boxes, f-prot trapped them around 1.5 before clam did. But can naturally vary on other systems. Bye, Raymond. From prandal at HEREFORDSHIRE.GOV.UK Tue Feb 17 15:55:38 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:32 2006 Subject: Sophos Information Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C534@jessica.herefordshire.gov.uk> I stand corrected. phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Raymond Dijkxhoorn > Sent: 17 February 2004 15:54 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos Information > > > Hi! > > > The only free one is ClamAV (http://www.clamav.net). > > > > Once again it has caught W32/Bagle.b@MM (which it calls > Worm.YoursID) well > > in advance of the commercial virus scanners. > > I am scanning with both clam and f-prot on one of my boxes, > f-prot trapped > them around 1.5 before clam did. But can naturally vary on > other systems. > > Bye, > Raymond. > From maillists at CONACTIVE.COM Tue Feb 17 16:05:12 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:32 2006 Subject: Some conf settings not honored? 
In-Reply-To: <40322900.3404AADB@ihs.com> References: <6.0.1.1.2.20040216085116.03bd2c80@imap.ecs.soton.ac.uk> <40322900.3404AADB@ihs.com> Message-ID: Dustin Baer wrote on Tue, 17 Feb 2004 07:45:20 -0700: > The full path you see in the reports is translated from > "$quarantinedir/$datenumber" in the reports. You should just need to > modify those lines: > Oh, stupid me, yes, thanks! Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Tue Feb 17 16:31:39 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:32 2006 Subject: Sophos Information In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C533@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C533@jessica.herefordshire.gov.uk> Message-ID: Phil Randal wrote on Tue, 17 Feb 2004 15:47:56 -0000: > W32/Bagle.b@MM (which it calls Worm.YoursID) > Ah, that's it :-) I was looking around for a description, but couldn't find one. 
I really wished all vendors would use the same name :-( Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From Denis.Beauchemin at USHERBROOKE.CA Tue Feb 17 16:35:40 2004 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:22:32 2006 Subject: MS config suggestions Message-ID: <1077035740.25666.176.camel@dbeauchemin.sti.usherbrooke.ca> Hi Julian, I am installing the newest MS (mailscanner-4.26.8-1) on a brand new server and I noticed the following configuration directives in MailScanner.conf: Clean Header Value = Found to be clean Infected Header Value = Found to be infected Disinfected Header Value = Disinfected Information Header Value = Please contact the ISP for more information Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details Scanned Subject Text = {Scanned} Virus Subject Text = {Virus?} Filename Subject Text = {Filename?} Content Subject Text = {Blocked Content} Spam Subject Text = {Spam?} High Scoring Spam Subject Text = {Spam?} Attachment Warning Filename = %org-name%-Attachment-Warning.txt Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info Shouldn't these be moved to %report-dir%/languages.conf with the other stuff that gets localized by people? I translate all of them to French on my systems... Would it be worth the efforts? How about file(name|type).rules.conf? Would you like to get our localized versions? You also indicate the following default value has been changed to no but it is still yes... # Do you want to notify the people who sent you messages containing # viruses or badly-named filenames? # The default value has been changed to "no" as most viruses now fake # sender addresses and therefore should be on the "Silent Viruses" list. # This can also be the filename of a ruleset. 
Notify Senders = yes As always, many thanks for this great software! Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From richard.lush at NTLWORLD.COM Tue Feb 17 16:36:48 2004 From: richard.lush at NTLWORLD.COM (Richard Lush) Date: Thu Jan 12 21:22:32 2006 Subject: MailScanner reports FATAL Code error and sendmail stops. Message-ID: <8C4A83966C27354C928048C4A1620EF8C216@lando.rebel.com> Hi All, I have a situation where one of the MailScanner servers has about 40 email messages on it and has stopped processing. I'm getting some strange error messages as can be seen below and has only started today. I've checked the MailScanner.conf and the code is supported. Anyone have any ideas why I am seeing this FATAL error and why sendmail would be rejecting the emails. Feb 17 16:30:46 obiwan MailScanner[2002]: Using locktype = flock Feb 17 16:31:06 obiwan MailScanner[1780]: Virus and Content Scanning: Starting Feb 17 16:31:06 obiwan MailScanner[1780]: FATAL: Encountered code that does not meet configured acceptable stability Feb 17 16:31:06 obiwan MailScanner[1780]: FATAL: *Please go and READ* http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml as it will tell you what to do. Feb 17 16:31:10 obiwan MailScanner[1791]: Virus and Content Scanning: Starting Feb 17 16:31:11 obiwan MailScanner[1791]: FATAL: Encountered code that does not meet configured acceptable stability Feb 17 16:31:49 obiwan MailScanner[2064]: Read whitelist for 4 emails Feb 17 16:31:50 obiwan sendmail[1741]: rejecting connections on daemon MTA: load average: 12 Feb 17 16:31:50 obiwan sendmail[1741]: rejecting connections on daemon MTA: load average: 12 Feb 17 16:32:01 obiwan dccproc[2074]: DCC servers dcc1.dcc-servers.net dcc2.dcc-servers.net dcc3.dcc-servers.net ... 
at 208.201.249.232 209.157.153.22 212.20 Feb 17 16:32:05 obiwan sendmail[1741]: rejecting connections on daemon MTA: load average: 12 Feb 17 16:32:05 obiwan sendmail[1741]: rejecting connections on daemon MTA: load average: 12 Feb 17 16:32:06 obiwan MailScanner[2062]: Using locktype = flock Feb 17 16:32:20 obiwan sendmail[1741]: rejecting connections on daemon MTA: load average: 12 Feb 17 16:32:20 obiwan sendmail[1741]: rejecting connections on daemon MTA: load average: 12 Feb 17 16:32:30 obiwan dccproc[2085]: DCC servers dcc1.dcc-servers.net dcc2.dcc-servers.net dcc3.dcc-servers.net ... at 208.201.249.232 209.157.153.22 212.20 Feb 17 16:32:32 obiwan MailScanner[2064]: Using locktype = flock Feb 17 16:32:35 obiwan sendmail[1741]: rejecting connections on daemon MTA: load average: 12 I've tried rebooting and stopped the SMTP connection to this box. Any ideas? Thanks Richard ==================================== In Security there are no victims....only volunteers! From raymond at PROLOCATION.NET Tue Feb 17 16:41:47 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:32 2006 Subject: MailScanner reports FATAL Code error and sendmail stops. In-Reply-To: <8C4A83966C27354C928048C4A1620EF8C216@lando.rebel.com> Message-ID: Hi! > Feb 17 16:31:06 obiwan MailScanner[1780]: FATAL: *Please go and READ* > http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml as > it will tell you what to do. Did you actually take time to look at that url ? Most likely you are using a virus scanner that's not fully supported yet. Bye, raymond. From chris at FRACTALWEB.COM Tue Feb 17 16:43:06 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:32 2006 Subject: implications of bogus-virus-warnings.cf Message-ID: <4032449A.4010007@fractalweb.com> Hi everyone, I just read the updates to the original article over at www.attrition.org slamming a number of anti-virus vendors for spamming people with virus warnings. 
One of the updates has a link to a spamassassin rule file that filters all of these (bogus) virus warnings out of email. It's at http://www.timj.co.uk/linux/bogus-virus-warnings.cf I'm sitting on the fence with this one. Is filtering out all virus warnings a good idea? Perhaps it is. I'm still a bit hesitant about putting this on the mail server though. What does the "collective" think? Cheers, Chris From mailscanner at ecs.soton.ac.uk Tue Feb 17 16:31:10 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:32 2006 Subject: Single process taking over? In-Reply-To: <019601c3f56b$155b0be0$a801a8c0@cnpapers.net> References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> <6.0.1.1.2.20040217122321.04062008@imap.ecs.soton.ac.uk> <019601c3f56b$155b0be0$a801a8c0@cnpapers.net> Message-ID: <6.0.1.1.2.20040217163027.03a1bd48@imap.ecs.soton.ac.uk> Can you try switching off Bayes (use_bayes 0 in spam.assassin.prefs.conf). Then let me know if the problem recurs. Also, upgrade your SA to 2.63 in case you are seeing a bug in SA. At 15:31 17/02/2004, you wrote: >Mr. Field, > >I have been going through pretty much the same situation as described with >this post. The exception is that my machine does not show a domineering >process and load average drops to near nothing. I have been trying to change >sendmail to remedy this problem, but I may be looking at the wrong part of >the puzzle. I have still not determined what is going on, but I do see a lot >of Bayes lock files and one main bayes.lock file. It peaks once I see the >bayes_toks.new file which seems to stay around forever. I offer this only to >maybe point things toward a solution. > >I am running > MS 4.26.8-1 > SA 2.61-1 > ClamAV 0.65 > MailWatch 0.5.1 > Sendmail 8.11.6-27.73 > RH 7.3 > >I upgraded MS on a Monday and MailWatch on a Wednesday. That week problems >started happening. 
The problems seemed to be resolved by my removing my >Bayes files (you suggested poisoning, and this appeared to have been the >case), but since I must stop MS, remove all of the bayes lock files, the >bayes_tok.new file, restart MS and all appears fine. Load average climbs to >normal to normal-high limits, my incoming backlog clears quickly and >everything is fine. I replaced my Message.pm file with the the one you >posted to the list, and that is the only other change I have made to the >above installed programs. > >I hope some common thread may appear from my configuration and what others >describe to shed some light on this. Most people don't complain about load >averages this low, but to me it signals a slow down in my mail system, >creating backlogs in the incoming queue. > >Thank you for your efforts, sir. > >Steve Campbell >campbell@cnpapers.com >Charleston Newspapers > >----- Original Message ----- >From: "Julian Field" >To: >Sent: Tuesday, February 17, 2004 7:24 AM >Subject: Re: Single process taking over? > > > > At 11:38 17/02/2004, you wrote: > > > > -----Original Message----- > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > > Behalf Of Julian Field > > > > Sent: Tuesday, 17 February 2004 8:36 PM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Single process taking over? > > > > > > > > Ah, a reproducible fault! I like those :-) > > > > > >I don't!! :) > > > > > > > What does your MailScanner.conf look like? (just the interesting bits, > > > > don't care what all the filenames of your reports are and stuff like > > > > that). > > > > > >See below.. > > > > > > > What virus scanner(s), SpamAssassin, etc? > > > > > >ClamAV, McAfee, Spamassassin 2.6.3, DCC, Razor > > > > > > > What is the last thing the runaway process logs before CPU hogging? 
> > > > > >Nothing abnormal, just the process starting and mail being processed, >even > > >in verbose logging, it just appears to be a normal process that won't let > > >the other threads have any resources. If I kill it, the other threads >spawn > > >and run as per normal. > > > > > > > Does the CPU hogging start the instant you start MailScanner, or the > > > > instant the first child process runs, or when? > > > > > >As soon as mail begins to be processed. If no mail is in the queue, not > > >hogging, but the second any mail is in queue it's hogging. > > > > > >MailScanner.conf > > >============================================ > > >Max Children = 4 > > >Queue Scan Interval = 1 > > >MTA = sendmail > > >Max Unscanned Bytes Per Scan = 100000000 > > >Max Unsafe Bytes Per Scan = 50000000 > > >Max Unscanned Messages Per Scan = 15 > > >Max Unsafe Messages Per Scan = 15 > > >Virus Scanning = yes > > >Virus Scanners = mcafee clamav > > >Virus Scanner Timeout = 300 > > >Spam Checks = yes > > >Spam List = > > >Use SpamAssassin = yes > > >Max SpamAssassin Size = 90000 > > >Deliver In Background = yes > > >Delivery Method = batch > > > > Do you reckon you could reproduce the problem on a box to which you could > > give me login access? I suspect it's something very simple, but I have > > never witnessed it here and it's apparently not a common problem. 
> > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 17 16:46:49 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:32 2006 Subject: MS config suggestions In-Reply-To: <1077035740.25666.176.camel@dbeauchemin.sti.usherbrooke.ca> References: <1077035740.25666.176.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <6.0.1.1.2.20040217164527.0406a528@imap.ecs.soton.ac.uk> At 16:35 17/02/2004, you wrote: >Hi Julian, > >I am installing the newest MS (mailscanner-4.26.8-1) on a brand new >server and I noticed the following configuration directives in >MailScanner.conf: > Clean Header Value = Found to be clean > Infected Header Value = Found to be infected > Disinfected Header Value = Disinfected > Information Header Value = Please contact the ISP for more information > Unscanned Header Value = Not scanned: please contact your Internet > E-Mail Service Provider for details > Scanned Subject Text = {Scanned} > Virus Subject Text = {Virus?} > Filename Subject Text = {Filename?} > Content Subject Text = {Blocked Content} > Spam Subject Text = {Spam?} > High Scoring Spam Subject Text = {Spam?} > Attachment Warning Filename = %org-name%-Attachment-Warning.txt > Notice Signature = -- \nMailScanner\nEmail Virus > Scanner\nwww.mailscanner.info > >Shouldn't these be moved to %report-dir%/languages.conf with the other >stuff that gets localized by people? I translate all of them to French >on my systems... Would it be worth the efforts? It's a matter of how to manage that without breaking anyone's existing configurations. >How about file(name|type).rules.conf? Would you like to get our >localized versions? 
That's easier to move, will think about that. >You also indicate the following default value has been changed to no but >it is still yes... > # Do you want to notify the people who sent you messages containing > # viruses or badly-named filenames? > # The default value has been changed to "no" as most viruses now fake > # sender addresses and therefore should be on the "Silent Viruses" list. > # This can also be the filename of a ruleset. > Notify Senders = yes Actually, the default is what I intended but I put the comment in the wrong place. >As always, many thanks for this great software! My pleasure :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dahlberg at BUCKNELL.EDU Tue Feb 17 16:55:24 2004 From: dahlberg at BUCKNELL.EDU (Michael Dahlberg) Date: Thu Jan 12 21:22:32 2006 Subject: Performance and accuracy issues In-Reply-To: <6.0.1.1.2.20040215083700.03da7ec0@imap.ecs.soton.ac.uk> References: <20040213153559.GA1477@bucknell.edu> <20040213184201.GD1477@bucknell.edu> <6.0.1.1.2.20040215083700.03da7ec0@imap.ecs.soton.ac.uk> Message-ID: <20040217165523.GA1466@bucknell.edu> Julian Field [mailscanner@ECS.SOTON.AC.UK] wrote: > At 18:42 13/02/2004, you wrote: > >Michael Dahlberg [dahlberg@bucknell.edu] wrote: > >> Fanatastic piece of software...I can't imagine running a mail server > >> without it. However, the latest upgrade (from 4.13-3 to 4.26.8) has > >> uncovered a few issues. > >> > >> A little about our config: MailScanner (4.26.8) runs with Sophos > >> (3.78d) on a dual processor Sun 220R with 2GB RAM. The > >> MailScanner.conf file is set to start 10 child processes which will > >> scan a max of 30 messages. MailScanner also runs in queue mode rather > >> than batch. We do no spam analysis, just virus scanning. I've also > >> installed the first Message.pm perl mod that Julian Fields released a > >> couple of days ago. 
> >> > >> I've noticed that when running the SAVI engine (Virus Scanner = > >> sophossavi), rather than `sweep` (Virus Scanner = sophos) it > >> takes about 3x as long with the SAVI engine (approx. 3 min to scan 100 > >> messages using SAVI versus 1 min with sweep). Also when I use the > >> SAVI engine, more MyDoom-infected email messages are found and > >> removed. > >> > >> Is this the experience of other readers of this list? Does anyone > >> have an explanation or advice on which virus scanner (Sophos or SAVI) > >> to use? > >> > > > > Unfortunately, we had to downgrade MailScanner back to 4.13-3. > > The rate at which messages were being scanned and moved to an > > outbound mail queue was so slow that mail delivery times had > > increased to half an hour and the inbound queue size was steadily > > increasing. > > Switch on the speed logging with "Log Speed = true" and see if it sheds any > light on the subject. Take a careful look at the "Allow Form Tags" and the > other related HTML tag checks. If you switch off detection and logging of > all of them, it optimises the code out completely. > > Have you added any large rulesets since your 4.13 installation? > Julian: Thanks for the suggestions. These are the way I have set the HTML tag checks: Allow IFrame Tags = yes Log IFrame Tags = no Allow Form Tags = yes Allow Object Codebase Tags = yes Convert Dangerous HTML To Text = no Convert HTML To Text = no I tried logging the speed. The speed of the spam and MCP checks is very high and identical, because I'm not doing spam or MCP checks. I've also turned off filetype checks. The virus scan check usually runs between 1 - 3 kB/sec. Any other suggestions? 
Thanks, Mike From maillists at CONACTIVE.COM Tue Feb 17 12:31:29 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:33 2006 Subject: Spamassassin and Bayes files In-Reply-To: <5.0.2.1.2.20040217122203.01200498@127.0.0.1> References: <5.0.2.1.2.20040217122203.01200498@127.0.0.1> Message-ID: Nicolas Viers - SCI wrote on Tue, 17 Feb 2004 12:26:06 +0100: > if i change the bayes_path on /etc/MailScanner/spam.assassin.prefs.conf > file it 's ok. The db files are now in the new directory. But when i do > sa-learn manually how tell to spamassassin to write rules in this directory > and no more in /root/.spamassassin ? > Make the same change in the /etc/mail/spamassassin/local.cf I did it the other way. I left it where it was for SA and used /etc/mail/spamassassin/local.cf for MailScanner.conf. No need to change. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Tue Feb 17 17:31:47 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:33 2006 Subject: size of mailscanner processes? In-Reply-To: <40313911.8050701@ucgbook.com> References: <40313911.8050701@ucgbook.com> Message-ID: Peter Bonivart wrote on Mon, 16 Feb 2004 22:41:37 +0100: > Mine currently run at 14 MB for the first and 30 MB for the rest. > Hm, I wonder why you have 10 MB less than we for the worker processes. What's your Perl version? Or it's because of your older version of MailScanner? Looking in your sig: what's GMP 4.1.2 ? 
Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Tue Feb 17 17:31:47 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:33 2006
Subject: Solved: MailScanner + Sendmail and User Unknown not bounced at once...(this does NOT use LDAP routing)
In-Reply-To: <4032271A.2060306@uptime.at>
References: <403142E7.6080008@uptime.at> <4032271A.2060306@uptime.at>
Message-ID:

Thanks!

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Tue Feb 17 17:31:47 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:33 2006
Subject: size of mailscanner processes?
In-Reply-To: <6.0.1.1.2.20040216213750.037c6f98@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040216213750.037c6f98@imap.ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Mon, 16 Feb 2004 21:38:26 +0000:

> MailScanner likes RAM.
>

What a pity. Not suitable to have it grab 150 or 200 MB on our older machines :-(

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From mailscanner at ecs.soton.ac.uk Tue Feb 17 17:55:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:33 2006
Subject: size of mailscanner processes?
In-Reply-To:
References: <6.0.1.1.2.20040216213750.037c6f98@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040217175508.03ccb978@imap.ecs.soton.ac.uk>

At 17:31 17/02/2004, you wrote:
>Julian Field wrote on Mon, 16 Feb 2004 21:38:26 +0000:
>
> > MailScanner likes RAM.
> >
>What a pity. Not suitable to have it grab 150 or 200 MB on our older
>machines :-(

RAM is very cheap these days, that's why I don't worry about it.
$50 buys a lot of memory.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From robert at HARPHAM.ECLIPSE.CO.UK Tue Feb 17 17:54:47 2004
From: robert at HARPHAM.ECLIPSE.CO.UK (Robert Harpham)
Date: Thu Jan 12 21:22:33 2006
Subject: auto updating sophos IDEs
Message-ID: <002c01c3f57f$25932d80$2101a8c0@robert>

Hi

i know some people on here use sophos and i was wondering how you keep it up to date? i have it installed on my linux box but right now i have to download the IDEs myself from their site. i read the docs to find an auto update command for sophos but no joy.!

i found one here
http://lists.q-linux.com/pipermail/plug/2001-August/008104.html
but does anyone have a better one?

thanks
robert

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for
their support.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040217/daa95b18/attachment.html

From mailscanner at ecs.soton.ac.uk Tue Feb 17 18:09:47 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:33 2006
Subject: auto updating sophos IDEs
In-Reply-To: <002c01c3f57f$25932d80$2101a8c0@robert>
References: <002c01c3f57f$25932d80$2101a8c0@robert>
Message-ID: <6.0.1.1.2.20040217180820.03a7fdb0@imap.ecs.soton.ac.uk>

MailScanner includes a sophos-autoupdate script which will do what you want. If you installed MailScanner from the MS distribution for Linux (either of the RPM distributions) then you already have a cron job running hourly updating your IDE files by calling sophos-autoupdate.

At 17:54 17/02/2004, you wrote:
>Hi
>
>i know some people on here use sophos and i was wondering how you keep it
>up to date? i have it installed on my linux box but right now i have to
>download the IDEs myself from their site. i read the docs to find an auto
>update command for sophos but no joy.!
>
>i found one here
>http://lists.q-linux.com/pipermail/plug/2001-August/008104.html
>but does anyone have a better one?
>
>thanks
>robert
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>MailScanner thanks transtec Computers for
>their support.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From craig at WESTPRESS.COM Tue Feb 17 18:13:22 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:33 2006
Subject: Trend Micro
In-Reply-To: <6.0.1.1.2.20040217163027.03a1bd48@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> <6.0.1.1.2.20040217122321.04062008@imap.ecs.soton.ac.uk> <019601c3f56b$155b0be0$a801a8c0@cnpapers.net> <6.0.1.1.2.20040217163027.03a1bd48@imap.ecs.soton.ac.uk>
Message-ID:

Does Trend Micro no longer have a free for personal use Linux AV scanner? I can find nothing on their website but 'buy me' links?

--
--
Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433
Tel: 520-624-4939
Fax: 520-624-2715
www.westpress.com
--

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Feb 17 18:21:55 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:33 2006
Subject: auto updating sophos IDEs
In-Reply-To: <002c01c3f57f$25932d80$2101a8c0@robert>
Message-ID: <014101c3f582$ec2cf9f0$0501a8c0@darkside>

>i know some people on here use sophos and i was wondering how you keep it up to date? i have it
>installed on my linux box but right now i have to download the IDEs myself from their site. i read
>the docs to find an auto update command for sophos but no joy.!
>i found one here http://lists.q-linux.com/pipermail/plug/2001-August/008104.html
>but does anyone have a better one?

Robert,

If you're using Sophos with MailScanner, MailScanner will automatically update the IDE files for you. You can invoke this manually by running:

[MailScannerRoot]/bin/update_virus_scanners

If you're not using MailScanner (for whatever reason) you can now use Enterprise Manager Library to automatically download any version of Sophos to a central installation directory (CID). The EM Library requires a Win2K or better client to function.

You can also use the excellent utility "MajorSophos.sh" to download the Linux version. It's available at:

http://www.tippingmar.com/majorsophos/

HTH,
--J(K)

From maillists at CONACTIVE.COM Tue Feb 17 18:31:39 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:33 2006
Subject: small bug in all reports
Message-ID:

It seems the sig separator is wrong in all reports over all languages. I didn't check them all, but some across, and they all had the same small mistake.

The sig separator is "-- ", not "--".

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From peter at UCGBOOK.COM Tue Feb 17 18:32:25 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:33 2006
Subject: size of mailscanner processes?
In-Reply-To:
References: <40313911.8050701@ucgbook.com>
Message-ID: <40325E39.7000600@ucgbook.com>

Kai Schaetzl wrote:
> Hm, I wonder why you have 10 MB less than we for the worker processes.
> What's your Perl version? Or it's because of your older version of
> MailScanner?

I think it's because of Solaris being so good... ;-)

> Looking in your sig: what's GMP 4.1.2 ?

GNU Multiple Precision Arithmetic Library. You need it to verify the digital signatures of the Clam databases when you download them.

http://www.swox.com/gmp

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From lists at STHOMAS.NET Tue Feb 17 18:32:57 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:33 2006
Subject: auto updating sophos IDEs
In-Reply-To: <002c01c3f57f$25932d80$2101a8c0@robert>; from robert@HARPHAM.ECLIPSE.CO.UK on Tue, Feb 17, 2004 at 05:54:47PM -0000
References: <002c01c3f57f$25932d80$2101a8c0@robert>
Message-ID: <20040217103257.B9725@sthomas.net>

On Tue, Feb 17, 2004 at 05:54:47PM -0000, Robert Harpham is rumored to have said:
>
> i know some people on here use sophos and i was wondering how you keep it up to date? i have it installed on my linux box but right now i have to download the IDEs myself from their site. i read the docs to find an auto update command for sophos but no joy.!
>
> i found one here http://lists.q-linux.com/pipermail/plug/2001-August/008104.html
> but does anyone have a better one?

I wrote one that processes the e-mails that Sophos sends when a new IDE file is released. The only advantages of using it over the others mentioned are that it doesn't hit the Sophos website unnecessarily (only when there's an update, as opposed to every hour or whatever) and you typically get protected against new bugs a little faster.

http://www.sthomas.net/perl/scripts/sidefire.php

--
"I think there is a world market for maybe five computers."
- Thomas Watson (1874-1956), Chairman of IBM, 1943

From lists at STHOMAS.NET Tue Feb 17 18:46:16 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:33 2006
Subject: Trend Micro
In-Reply-To: ; from craig@WESTPRESS.COM on Tue, Feb 17, 2004 at 11:13:22AM -0700
References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> <6.0.1.1.2.20040217122321.04062008@imap.ecs.soton.ac.uk> <019601c3f56b$155b0be0$a801a8c0@cnpapers.net> <6.0.1.1.2.20040217163027.03a1bd48@imap.ecs.soton.ac.uk>
Message-ID: <20040217104616.A11352@sthomas.net>

On Tue, Feb 17, 2004 at 11:13:22AM -0700, Craig Daters is rumored to have said:
>
> Does Trend Micro no longer have a free for personal use Linux AV
> scanner? I can find nothing on their website but 'buy me' links?

This is an e-mail that I got on the amavis list a while ago and held onto. I believe that the info provided in it is still good, but I make no guarantees.

-----------------------------------------

Hi,

Here is an email I wrote ages ago and posted to this list about trend filescan, how to get it, how to update the engine, and how to update the patterns,,, I have yet to find a virus that this didn't find.... anyway, here is the email...

======================================================

I thought I'd mention all the links and stuff, so that people can search the archives here if they want to know how it is done.

Here is the url to download it,
ftp://ftp.antivirus.com/products/freetools/
(the address listed in the "openantivirus" readme didn't work for me, but this one did...
download filescanlinux.tar (when you untar it, it has install instructions and a pdf file)

If the scanner install gives you a message that it won't install because you don't have redhat release 6, (and you do have a modern linux) I got that message with mandrake 7.2, edit /etc/issue (create it if you don't already have one, go into /etc and type 'touch issue') and put the words "release 6" in it somewhere, you can delete it after install. (that's how the install program works out what version of linux you have) pretty lame method thinks me, but it's a good thing that it's lame if you don't have redhat. I have it working flawlessly on Mandrake and I don't think there would be much problem getting it working on other distros.

Here is the link to get the latest engine update, (the version I have now is "Virus Scanner v3.1")
http://www.antivirus.com/download/engines/
Go to the Interscan viruswall table and look in the linux box. download that tarball. open the tarball, and copy the file in it into /etc/iscan, overwrite the file of the same name that's in there. (it might not be a bad idea to backup the old one in case there are problems.) that's your engine updated to their latest version.

If for some reason the web manager pattern update feature doesn't work, (it didn't for me, think it's an isp problem, we have a strange proxy.,) go here:
http://www.antivirus.com/download/pattern.asp
choose the linux tarball and you have the latest pattern file.

That's it,, This is a very comprehensive scanner for a freebie... much better than the network associates vscan I was using before,,, (admittedly an old version). the web interface is an exceptional feature...

That's it, I have yet to test this with all the viruses that I have on file for that purpose, and I will post the results when I do, but I am quietly confident.

-----Original Message-----
From: amavis-user-admin@lists.sourceforge.net [mailto:amavis-user-admin@lists.sourceforge.net] On Behalf Of Carlos Santos
Sent: Friday, 14 September 2001 1:20 AM
To: amavis-user@lists.sourceforge.net
Subject: [AMaViS-user] Free virus scanner ?

Hi,

Does anybody know of a good free virus scanner i can use along with Amavis ?

Thanks,
Carlos Santos.

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3

--
"Democracy does not guarantee equality of conditions - it only guarantees equality of opportunity."
- Irving Kristol

From m.sapsed at BANGOR.AC.UK Tue Feb 17 18:52:10 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:33 2006
Subject: Silent Viruses update
Message-ID: <403262DA.6090209@bangor.ac.uk>

Anyone still maintaining a Silent Viruses list should add Tanx to it if they use Sophos. I think Symantec have put it in the Beagle family. Don't know about the others.

Anyone who's given up on notifying senders about Viruses, please ignore this message!

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From peter at UCGBOOK.COM Tue Feb 17 19:02:50 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:33 2006
Subject: Spamassassin and Bayes files
In-Reply-To:
References: <5.0.2.1.2.20040217122203.01200498@127.0.0.1>
Message-ID: <4032655A.8070207@ucgbook.com>

Kai Schaetzl wrote:

>>if i change the bayes_path on /etc/MailScanner/spam.assassin.prefs.conf
>>file it 's ok. The db files are now in the new directory. But when i do
>>sa-learn manually how tell to spamassassin to write rules in this directory
>>and no more in /root/.spamassassin ?
>
> Make the same change in the /etc/mail/spamassassin/local.cf
> I did it the other way. I left it where it was for SA and used
> /etc/mail/spamassassin/local.cf for MailScanner.conf. No need to change.

I think it's best to rename /etc/mail/spamassassin/local.cf and then create a symlink pointing to spam.assassin.prefs.conf. Then you will always use the same config and you don't have to bother with adding -p to all commands.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From dustin.baer at IHS.COM Tue Feb 17 19:17:51 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:33 2006
Subject: auto updating sophos IDEs
References: <002c01c3f57f$25932d80$2101a8c0@robert> <20040217103257.B9725@sthomas.net>
Message-ID: <403268DF.D98DFBA4@ihs.com>

Steve Thomas wrote:
>
> > i found one here http://lists.q-linux.com/pipermail/plug/2001-August/008104.html
> > but does anyone have a better one?
>
> I wrote one that processes the e-mails that Sophos sends when a
> new IDE file is released. The only advantages of using it over
> the others mentioned are that it doesn't hit the Sophos website
> unnecessarily (only when there's an update, as opposed to every
> hour or whatever) and you typically get protected against new
> bugs a little faster.

I have seen Sophos email notifications of new IDEs arrive LONG after the IDE is actually available.

Dustin

From mailscanner at ecs.soton.ac.uk Tue Feb 17 19:27:53 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:33 2006
Subject: small bug in all reports
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040217192728.03d22488@imap.ecs.soton.ac.uk>

At 18:31 17/02/2004, you wrote:
>It seems the sig separator is wrong in all reports over all languages. I
>didn't check them all, but some across, and they all had the same small
>mistake.
>
>The sig separator is "-- ", not "--".

The sig separator is supposed to be "-- ". It's in an RFC somewhere...

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dh at UPTIME.AT Tue Feb 17 19:43:45 2004
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:22:33 2006
Subject: small bug in all reports
In-Reply-To: <6.0.1.1.2.20040217192728.03d22488@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040217192728.03d22488@imap.ecs.soton.ac.uk>
Message-ID: <40326EF1.8050708@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Julian Field wrote:
> At 18:31 17/02/2004, you wrote:
>
>> It seems the sig separator is wrong in all reports over all languages. I
>> didn't check them all, but some across, and they all had the same small
>> mistake.
>>
>> The sig separator is "-- ", not "--".
>
>
> The sig separator is supposed to be "-- ". It's in an RFC somewhere...

"-- " is the signature separator used in USENET messages this separator
is invalid for Email. Please see:
http://www.ietf.org/rfc/rfc2646.txt --> 4.3

Quote
"4.3. Usenet Signature Convention

   There is a convention in Usenet news of using "-- " as the separator
   line between the body and the signature of a message. When
   generating a Format=Flowed message containing a Usenet-style
   separator before the signature, the separator line is sent as-is.
   This is a special case; an (optionally quoted) line consisting of
   DASH DASH SP is not considered flowed."

Further down section 5 states

Quote
"5. ABNF

   The constructs used in Text/Plain; Format=Flowed body parts are
   described using [ABNF], including the Core Rules:"
[...]
   "sig-sep = [quote] "--" SP CRLF"

I hope this helps

- -d

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAMm71PMoaMn4kKR4RAxvuAKCDAg4ZW3qIVVq51kIFSxmTlBZD4wCeKRsf
WzZLeHv8WmB205x94YrkdjQ=
=chkK
-----END PGP SIGNATURE-----

From mailscanner at ecs.soton.ac.uk Tue Feb 17 19:50:14 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:33 2006
Subject: small bug in all reports
In-Reply-To: <40326EF1.8050708@uptime.at>
References: <6.0.1.1.2.20040217192728.03d22488@imap.ecs.soton.ac.uk> <40326EF1.8050708@uptime.at>
Message-ID: <6.0.1.1.2.20040217194928.03ec1de0@imap.ecs.soton.ac.uk>

Does that mean I can use "-- " (with the space) as I am not setting any "Format=flowed" headers?
Out of context I don't understand what they are saying.

At 19:43 17/02/2004, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>Julian Field wrote:
>
>>At 18:31 17/02/2004, you wrote:
>>
>>>It seems the sig separator is wrong in all reports over all languages. I
>>>didn't check them all, but some across, and they all had the same small
>>>mistake.
>>>
>>>The sig separator is "-- ", not "--".
>>
>>
>>The sig separator is supposed to be "-- ". It's in an RFC somewhere...
>
>"-- " is the signature separator used in USENET messages this separator
>is invalid for Email. Please see:
>http://www.ietf.org/rfc/rfc2646.txt --> 4.3
>
>Quote
>"4.3. Usenet Signature Convention
>
> There is a convention in Usenet news of using "-- " as the separator
> line between the body and the signature of a message. When
> generating a Format=Flowed message containing a Usenet-style
> separator before the signature, the separator line is sent as-is.
> This is a special case; an (optionally quoted) line consisting of
> DASH DASH SP is not considered flowed."
>
>Further down section 5 states
>
>Quote
>"5. ABNF
>
> The constructs used in Text/Plain; Format=Flowed body parts are
> described using [ABNF], including the Core Rules:"
>[...]
> "sig-sep = [quote] "--" SP CRLF"
>
>I hope this helps
>
>- -d
>
>
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.3 (Darwin)
>
>iD8DBQFAMm71PMoaMn4kKR4RAxvuAKCDAg4ZW3qIVVq51kIFSxmTlBZD4wCeKRsf
>WzZLeHv8WmB205x94YrkdjQ=
>=chkK
>-----END PGP SIGNATURE-----

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From chicks at CHICKS.NET Tue Feb 17 20:49:43 2004
From: chicks at CHICKS.NET (Christopher Hicks)
Date: Thu Jan 12 21:22:33 2006
Subject: small bug in all reports
In-Reply-To: <6.0.1.1.2.20040217192728.03d22488@imap.ecs.soton.ac.uk>
Message-ID:

On Tue, 17 Feb 2004, Julian Field wrote:
> The sig separator is supposed to be "-- ". It's in an RFC somewhere...

:-)

RFC 2646 states:

> 4.3. Usenet Signature Convention
>
> There is a convention in Usenet news of using "-- " as the separator
> line between the body and the signature of a message. When
> generating a Format=Flowed message containing a Usenet-style
> separator before the signature, the separator line is sent as-is.
> This is a special case; an (optionally quoted) line consisting of
> DASH DASH SP is not considered flowed.

--
No, no, you're not thinking, you're just being logical.
-Niels Bohr, physicist (1885-1962)

From shrek-m at GMX.DE Tue Feb 17 19:51:42 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:33 2006
Subject: small bug in all reports
In-Reply-To:
References:
Message-ID: <403270CE.7050500@gmx.de>

Kai Schaetzl wrote:

>It seems the sig separator is wrong in all reports over all languages. I
>didn't check them all, but some across, and they all had the same small
>mistake.
>
>The sig separator is "-- ", not "--".
>

indeed, but not in all
in reports/en/* it is ok "-- "
in reports/de/* it is not ok "--"

# grep -r "\-\- " /etc/MailScanner/reports/en/ | wc -l
19
# grep -r "\-\- " /etc/MailScanner/reports/de/ | wc -l
17

# rpm -q mailscanner
mailscanner-4.26.8-1

From bob.jones at USG.EDU Tue Feb 17 19:52:34 2004
From: bob.jones at USG.EDU (Bob Jones)
Date: Thu Jan 12 21:22:33 2006
Subject: clean filename/type, do not deliver virus
Message-ID: <40327102.4090407@usg.edu>

Hey all. Is there a way to do the following. We want to not deliver messages that have been scanned and a virus has been found by one of our virus scanners. However, if a message is found to have a bad (i.e. executable) type or extension, we want to clean it (strip the attachment out) and deliver the message on to the user (preferably with a message stating the attachment was stripped).

Is there an easy way to do this? Am I just blind/stupid? (don't answer that last one).

--
Thanks,
Bob Jones
OIIT
The Board of Regents, USG

From dh at UPTIME.AT Tue Feb 17 19:53:59 2004
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:22:33 2006
Subject: small bug in all reports
In-Reply-To: <6.0.1.1.2.20040217194928.03ec1de0@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040217192728.03d22488@imap.ecs.soton.ac.uk> <40326EF1.8050708@uptime.at> <6.0.1.1.2.20040217194928.03ec1de0@imap.ecs.soton.ac.uk>
Message-ID: <40327157.1080408@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Julian Field wrote:
> Does that mean I can use "-- " (with the space) as I am not setting any
> "Format=flowed" headers?
> Out of context I don't understand what they are saying.
>

It is my interpretation that this is correct. It is simply not a valid Format=Flowed when you have a construct like "-- ", thus as long as you are not using that Header you should be allowed to send "-- " on a single line with the trailing CRLF following immediately

- -d

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD4DBQFAMnFXPMoaMn4kKR4RA+P7AJjaNNO5dO7CMIWfPzX6SkHCCZsRAJ4uWugc
gcM87F4xs1gKf6nqX4p5rg==
=rhDD
-----END PGP SIGNATURE-----

From danielk at AVALONPUB.COM Tue Feb 17 19:50:06 2004
From: danielk at AVALONPUB.COM (Daniel Kleinsinger)
Date: Thu Jan 12 21:22:33 2006
Subject: Trend Micro
In-Reply-To:
References:
Message-ID: <4032706E.9060409@avalonpub.com>

Craig Daters wrote:

>Does Trend Micro no longer have a free for personal use Linux AV
>scanner? I can find nothing on their website but 'buy me' links?
>
>
>

Free for personal use command line antivirus:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=7353

Install instructions for MailScanner (slightly out of date, but mostly correct):
http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/179.html

Daniel

From mhewryk at SYMCOR.COM Tue Feb 17 19:56:36 2004
From: mhewryk at SYMCOR.COM (Magda Hewryk)
Date: Thu Jan 12 21:22:33 2006
Subject: spam.lists.conf and SORBS
Message-ID:

On Mon, 16 Feb 2004 23:41:01 +0100, Raymond Dijkxhoorn wrote:

>Hi
>
>> >SBL+XBL (Spamhaus), DSBL and/or AHBL.
>>
>> Spamhaus can't be resolved (sbl.spamhaus.org) so why you are using spamhaus?
>> Maybe I have a wrong FQDN ...?
>>
>> Can you list your spam.lists.config for RBLs, please.
>> Here is my list:
>
>What do you mean can't resolve? It is used to lookup hosts. And works
>fine. You won't get an A record for sbl.spamhaus.org if that's what you mean.
>

By "I can't resolve" I mean I can't dig or nslookup on it:

# nslookup sbl.spamhaus.org
** server can't find sbl.spamhaus.org: SERVFAIL

However I can resolve relays.ordb.org
Name: relays.ordb.org
Address: 62.242.0.190

I set different servers and still can't resolve my RBLs except ordb.
Any thoughts?

>But:
>
>Non-authoritative answer:
>Name: 210.62.208.206.sbl.spamhaus.org
>Address: 127.0.0.2
>
>So that works just fine, what's your problem with it ?
>
>> ORDB-RBL relays.ordb.org.
>> #spamhaus.org sbl.spamhaus.org.
>> #spamcop.net bl.spamcop.net.
>> #Infinite-Monkeys proxies.relays.monkeys.com.
>> #osirusoft.com relays.osirusoft.com.
>
>That's fine, you can just take a fresh one from the last beta anyway, lists
>all active ones.
>
>Bye,
>Raymond.

From richard.lush at NTLWORLD.COM Tue Feb 17 20:18:06 2004
From: richard.lush at NTLWORLD.COM (Richard Lush)
Date: Thu Jan 12 21:22:33 2006
Subject: MailScanner reports FATAL Code error and sendmail stops.
Message-ID: <8C4A83966C27354C928048C4A1620EF8C219@lando.rebel.com>

I did look at the URL thanks!
I've finally tracked it down to bitdefender which I have running on one of the MailScanners. I thought bitdefender was supported but it would appear not. The sendmail issue was a bit of a red herring. MailScanner was failing the scans, because of bitdefender, and hence not releasing the mail.

====================================
In Security there are no victims....only volunteers!

________________________________

From: MailScanner mailing list on behalf of Raymond Dijkxhoorn
Sent: Tue 17/02/2004 16:41
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner reports FATAL Code error and sendmail stops.

Hi!

> Feb 17 16:31:06 obiwan MailScanner[1780]: FATAL: *Please go and READ*
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml as
> it will tell you what to do.

Did you actually take time to look at that url ? Most likely you are using a virus scanner that's not fully supported yet.

Bye,
raymond.

From mhewryk at SYMCOR.COM Tue Feb 17 20:28:02 2004
From: mhewryk at SYMCOR.COM (Magda Hewryk)
Date: Thu Jan 12 21:22:33 2006
Subject: How to turn off: rbl checks, razor/pyzor/dcc and bayes
Message-ID:

Hi,
How can I turn off the following:

1. RBL checks under MailScanner
I know that I need to skip Spamassassin's RBL (skip_rbl_checks = 1)
but I need to turn off RBL check on MailScanner
SpamList= <= this doesn't work, MailScanner changs when trying to verify an email against spam

2. Pazor,Razor, DCC, Bayes ?
Is it enough if I modify ../MailScanner/spam.assassin.prefs.conf file as listed below and restart daemon.

# Enable the Bayes system
use_bayes 0

# Enable Bayes auto-learning
auto_learn 1

# Enable or disable network checks
skip_rbl_checks 1
use_razor2 0
use_dcc 0
use_pyzor 0

Any hints?
Magda

From dh at UPTIME.AT Tue Feb 17 20:47:48 2004
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:22:33 2006
Subject: Heads up to Julian sendmail 8.13 (upcoming release) Linux 2.4 Series and broken flock()
Message-ID: <40327DF4.3070207@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Please first of all review
http://www.ussg.iu.edu/hypermail/linux/kernel/0207.0/0212.html

It has the original text from sendmail.org and the explanation by some kernel hackers. I just wanted to give an early heads up that yet another lock method might be needed.

Thanks

PS: in short...

Quote
"> NOTE: Linux appears to have broken flock() again. Unless
> the bug is fixed before sendmail 8.13 is shipped,
> 8.13 will change the default locking method to
> fcntl() for Linux kernel 2.4 and later. You may
> want to do this in 8.12 by compiling with
> -DHASFLOCK=0. Be sure to update other sendmail
> related programs to match locking techniques.

> Is it really broken or is sendmail smoking crack like when they said
> that itimers in Linux didn't work?

It really is broken, and sendmail triggers it
"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAMn34PMoaMn4kKR4RA3sRAJ9UEQBN4k5sfCnPQqLgrnP9p6UY6gCfa+cY
mg8zKiFyOorCA3KFR4IGUJY=
=SBug
-----END PGP SIGNATURE-----

From ugob at CAMO-ROUTE.COM Tue Feb 17 20:50:38 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:33 2006
Subject: How to turn off: rbl checks, razor/pyzor/dcc and bayes
Message-ID: <54C38A0B814C8E438EF73FC76F362927410903@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Magda Hewryk [mailto:mhewryk@SYMCOR.COM]
> Sent: Tuesday, February 17, 2004 3:28 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: How to turn off: rbl checks, razor/pyzor/dcc and bayes
>
>
> Hi,
> How can I turn off the following:
>
> 1. RBL checks under MailScanner
> I know that I need to skip Spamassassin's RBL (skip_rbl_checks = 1)
> but I need to turn off RBL check on MailScanner
> SpamList= <= this doesn't work, MailScanner changs when trying to
> verify an email against spam
>
> 2. Pazor,Razor, DCC, Bayes ?
> Is it enough if I modify
> ../MailScanner/spam.assassin.prefs.conf file as
> listed below and restart daemon.

what I would do it http://www.spamassassin.org/tests.html and search for pyzor, razor, dcc

>
> # Enable the Bayes system
> use_bayes 0
>
> # Enable Bayes auto-learning
> auto_learn 1
>
> # Enable or disable network checks
> skip_rbl_checks 1
> use_razor2 0
> use_dcc 0
> use_pyzor 0
>
>
> Any hints?
> Magda
>

From campbell at CNPAPERS.COM Tue Feb 17 20:59:09 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:33 2006
Subject: Single process taking over?
References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> <6.0.1.1.2.20040217122321.04062008@imap.ecs.soton.ac.uk> <019601c3f56b$155b0be0$a801a8c0@cnpapers.net> <6.0.1.1.2.20040217163027.03a1bd48@imap.ecs.soton.ac.uk>
Message-ID: <055601c3f598$e3b30420$a801a8c0@cnpapers.net>

Mr. Field:

Thank you very much.

I have updated clamav to 0.67, and SA to their latest (one at a time, of course for testing purposes). Neither seemed to provide much help, but turning off Bayes, so far has seemed to allow MS to keep up. Again, my load average is back to its normal range of 5.00+ whenever there are emails to scan instead of spiralling down to sub 0.75 levels regardless of what was in incoming. If only I had a machine where the lower range was normal.

I will follow the list in the event something is found with the latest bayes engine.

Thank you very much.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Julian Field"
To:
Sent: Tuesday, February 17, 2004 11:31 AM
Subject: Re: Single process taking over?
> Can you try switching off Bayes (use_bayes 0 in spam.assassin.prefs.conf). > Then let me know if the problem recurs. > > Also, upgrade your SA to 2.63 in case you are seeing a bug in SA. > > At 15:31 17/02/2004, you wrote: > >Mr. Field, > > > >I have been going through pretty much the same situation as described with > >this post. The exception is that my machine does not show a domineering > >process and load average drops to near nothing. I have been trying to change > >sendmail to remedy this problem, but I may be looking at the wrong part of > >the puzzle. I have still not determined what is going on, but I do see a lot > >of Bayes lock files and one main bayes.lock file. It peaks once I see the > >bayes_toks.new file which seems to stay around forever. I offer this only to > >maybe point things toward a solution. > > > >I am running > > MS 4.26.8-1 > > SA 2.61-1 > > ClamAV 0.65 > > MailWatch 0.5.1 > > Sendmail 8.11.6-27.73 > > RH 7.3 > > > >I upgraded MS on a Monday and MailWatch on a Wednesday. That week problems > >started happening. The problems seemed to be resolved by my removing my > >Bayes files (you suggested poisoning, and this appeared to have been the > >case), but since I must stop MS, remove all of the bayes lock files, the > >bayes_tok.new file, restart MS and all appears fine. Load average climbs to > >normal to normal-high limits, my incoming backlog clears quickly and > >everything is fine. I replaced my Message.pm file with the the one you > >posted to the list, and that is the only other change I have made to the > >above installed programs. > > > >I hope some common thread may appear from my configuration and what others > >describe to shed some light on this. Most people don't complain about load > >averages this low, but to me it signals a slow down in my mail system, > >creating backlogs in the incoming queue. > > > >Thank you for your efforts, sir. 
> > > >Steve Campbell > >campbell@cnpapers.com > >Charleston Newspapers > > > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Tuesday, February 17, 2004 7:24 AM > >Subject: Re: Single process taking over? > > > > > > > At 11:38 17/02/2004, you wrote: > > > > > -----Original Message----- > > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > > > Behalf Of Julian Field > > > > > Sent: Tuesday, 17 February 2004 8:36 PM > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > Subject: Re: Single process taking over? > > > > > > > > > > Ah, a reproducible fault! I like those :-) > > > > > > > >I don't!! :) > > > > > > > > > What does your MailScanner.conf look like? (just the interesting bits, > > > > > don't care what all the filenames of your reports are and stuff like > > > > > that). > > > > > > > >See below.. > > > > > > > > > What virus scanner(s), SpamAssassin, etc? > > > > > > > >ClamAV, McAfee, Spamassassin 2.6.3, DCC, Razor > > > > > > > > > What is the last thing the runaway process logs before CPU hogging? > > > > > > > >Nothing abnormal, just the process starting and mail being processed, > >even > > > >in verbose logging, it just appears to be a normal process that won't let > > > >the other threads have any resources. If I kill it, the other threads > >spawn > > > >and run as per normal. > > > > > > > > > Does the CPU hogging start the instant you start MailScanner, or the > > > > > instant the first child process runs, or when? > > > > > > > >As soon as mail begins to be processed. If no mail is in the queue, not > > > >hogging, but the second any mail is in queue it's hogging. 
> > > > > > > >MailScanner.conf > > > >============================================ > > > >Max Children = 4 > > > >Queue Scan Interval = 1 > > > >MTA = sendmail > > > >Max Unscanned Bytes Per Scan = 100000000 > > > >Max Unsafe Bytes Per Scan = 50000000 > > > >Max Unscanned Messages Per Scan = 15 > > > >Max Unsafe Messages Per Scan = 15 > > > >Virus Scanning = yes > > > >Virus Scanners = mcafee clamav > > > >Virus Scanner Timeout = 300 > > > >Spam Checks = yes > > > >Spam List = > > > >Use SpamAssassin = yes > > > >Max SpamAssassin Size = 90000 > > > >Deliver In Background = yes > > > >Delivery Method = batch > > > > > > Do you reckon you could reproduce the problem on a box to which you could > > > give me login access? I suspect it's something very simple, but I have > > > never witnessed it here and it's apparently not a common problem. > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From craig at WESTPRESS.COM Tue Feb 17 21:02:56 2004 From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:33 2006 Subject: Trend Micro In-Reply-To: <20040217104616.A11352@sthomas.net> References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> <6.0.1.1.2.20040217122321.04062008@imap.ecs.soton.ac.uk> <019601c3f56b$155b0be0$a801a8c0@cnpapers.net> <6.0.1.1.2.20040217163027.03a1bd48@imap.ecs.soton.ac.uk> <20040217104616.A11352@sthomas.net> Message-ID: Worked like a champ. And after looking at Daniel's post as well, determined that his is a valid option as well. I now have TrendMicro up and running with MailScanner >This is an e-mail that I got on the amavis list a while ago and held >onto. 
I believe that the info provided in it is still good, but I
>make no guarantees.
>
>-----------------------------------------
>
>Hi,
>
>Here is an email I wrote ages ago and posted to this list about trend
>filescan, how to get it, how to update the engine, and how to update the
>patterns,,, I have yet to find a virus that this didn't find....
>
>anyway, here is the email...
--
--
Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433
Tel: 520-624-4939
Fax: 520-624-2715
www.westpress.com
--

From mailscanner at ecs.soton.ac.uk Tue Feb 17 21:04:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:33 2006
Subject: Heads up to Julian sendmail 8.13 (upcoming release) Linux 2.4 Series and broken flock()
In-Reply-To: <40327DF4.3070207@uptime.at>
References: <40327DF4.3070207@uptime.at>
Message-ID: <6.0.1.1.2.20040217210122.03ea7828@imap.ecs.soton.ac.uk>

Hopefully all that is required is
    Lock Type = posix
in MailScanner.conf for these systems. And I should be able to auto-detect
this from the output of
    sendmail -d0.4 -bt < /dev/null
as hopefully it will show up there.

At 20:47 17/02/2004, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>Please first of all review
>http://www.ussg.iu.edu/hypermail/linux/kernel/0207.0/0212.html
>
>It has the original text from sendmail.org and the explanation by some
>kernel hackers.
>I just wanted to give an early heads up that yet another lock method
>might be needed.
>
>Thanks
>
>PS: in short...
>
>Quote
>
>"> NOTE: Linux appears to have broken flock() again. Unless
> > the bug is fixed before sendmail 8.13 is shipped,
> > 8.13 will change the default locking method to
> > fcntl() for Linux kernel 2.4 and later. You may
> > want to do this in 8.12 by compiling with
> > -DHASFLOCK=0. Be sure to update other sendmail
> > related programs to match locking techniques.
>
> > Is it really broken or is sendmail smoking crack like when they said
> > that itimers in Linux didn't work?
> >
>It really is broken, and sendmail triggers it
>"
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.3 (Darwin)
>
>iD8DBQFAMn34PMoaMn4kKR4RA3sRAJ9UEQBN4k5sfCnPQqLgrnP9p6UY6gCfa+cY
>mg8zKiFyOorCA3KFR4IGUJY=
>=SBug
>-----END PGP SIGNATURE-----

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 17 20:31:11 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:33 2006
Subject: clean filename/type, do not deliver virus
In-Reply-To: <40327102.4090407@usg.edu>
References: <40327102.4090407@usg.edu>
Message-ID: <6.0.1.1.2.20040217203028.03f1a938@imap.ecs.soton.ac.uk>

At 19:52 17/02/2004, you wrote:
>Hey all. Is there a way to do the following. We want to not deliver
>messages that have been scanned and a virus has been found by one of our
>virus scanners. However, if a message is found to have a bad (i.e.
>executable) type or extension, we want to clean it (strip the attachment
>out) and deliver the message on to the user (preferably with a message
>stating the attachment was stripped).
>
>Is there an easy way to do this? Am I just blind/stupid? (don't answer
>that last one).

    Silent Viruses = All-Viruses
    Still Deliver Silent Viruses = no
    Deliver Cleaned Messages = yes

(you better check I have the config names correct).

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 17 21:08:12 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:33 2006
Subject: Single process taking over?
In-Reply-To: <055601c3f598$e3b30420$a801a8c0@cnpapers.net>
References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> <6.0.1.1.2.20040217122321.04062008@imap.ecs.soton.ac.uk> <019601c3f56b$155b0be0$a801a8c0@cnpapers.net> <6.0.1.1.2.20040217163027.03a1bd48@imap.ecs.soton.ac.uk> <055601c3f598$e3b30420$a801a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20040217210631.03cc1490@imap.ecs.soton.ac.uk>

As a rather off-the-wall test, can you check to ensure there are no stray
locks outstanding.
    cd ~root/.spamassassin
    mkdir temp
    cp * temp
    rm *
    mv temp/* .
then restart MailScanner with the bayes engine turned back on.
It theoretically shouldn't help, but have seen this improve things in the
past in other applications.

At 20:59 17/02/2004, you wrote:
>Mr. Field:
>
>Thank you very much. I have updated clamav to 0.67, and SA to their latest
>(one at a time, of course for testing purposes). Neither seemed to provide
>much help, but turning off Bayes, so far has seemed to allow MS to keep up.
>
>Again, my load average is back to it's normal range of 5.00+ whenever there
>are emails to scan instead of spiralling down to sub 0.75 levels regardless
>of what was in incoming. If only I had a machine where the lower range was
>normal.
>
>I will follow the list in the event something is found with the latest bayes
>engine.
>
>Thank you very much.
>
>Steve Campbell
>campbell@cnpapers.com
>Charleston Newspapers
>
>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: Tuesday, February 17, 2004 11:31 AM
>Subject: Re: Single process taking over?
>
>
> > Can you try switching off Bayes (use_bayes 0 in spam.assassin.prefs.conf).
> > Then let me know if the problem recurs.
> >
> > Also, upgrade your SA to 2.63 in case you are seeing a bug in SA.
> >
> > At 15:31 17/02/2004, you wrote:
> > >Mr. Field,
> > >
> > >I have been going through pretty much the same situation as described
>with
> > >this post.
The exception is that my machine does not show a domineering > > >process and load average drops to near nothing. I have been trying to >change > > >sendmail to remedy this problem, but I may be looking at the wrong part >of > > >the puzzle. I have still not determined what is going on, but I do see a >lot > > >of Bayes lock files and one main bayes.lock file. It peaks once I see the > > >bayes_toks.new file which seems to stay around forever. I offer this only >to > > >maybe point things toward a solution. > > > > > >I am running > > > MS 4.26.8-1 > > > SA 2.61-1 > > > ClamAV 0.65 > > > MailWatch 0.5.1 > > > Sendmail 8.11.6-27.73 > > > RH 7.3 > > > > > >I upgraded MS on a Monday and MailWatch on a Wednesday. That week >problems > > >started happening. The problems seemed to be resolved by my removing my > > >Bayes files (you suggested poisoning, and this appeared to have been the > > >case), but since I must stop MS, remove all of the bayes lock files, the > > >bayes_tok.new file, restart MS and all appears fine. Load average climbs >to > > >normal to normal-high limits, my incoming backlog clears quickly and > > >everything is fine. I replaced my Message.pm file with the the one you > > >posted to the list, and that is the only other change I have made to the > > >above installed programs. > > > > > >I hope some common thread may appear from my configuration and what >others > > >describe to shed some light on this. Most people don't complain about >load > > >averages this low, but to me it signals a slow down in my mail system, > > >creating backlogs in the incoming queue. > > > > > >Thank you for your efforts, sir. > > > > > >Steve Campbell > > >campbell@cnpapers.com > > >Charleston Newspapers > > > > > >----- Original Message ----- > > >From: "Julian Field" > > >To: > > >Sent: Tuesday, February 17, 2004 7:24 AM > > >Subject: Re: Single process taking over? 
> > > > > > > > > > At 11:38 17/02/2004, you wrote: > > > > > > -----Original Message----- > > > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] >On > > > > > > Behalf Of Julian Field > > > > > > Sent: Tuesday, 17 February 2004 8:36 PM > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > Subject: Re: Single process taking over? > > > > > > > > > > > > Ah, a reproducible fault! I like those :-) > > > > > > > > > >I don't!! :) > > > > > > > > > > > What does your MailScanner.conf look like? (just the interesting >bits, > > > > > > don't care what all the filenames of your reports are and stuff >like > > > > > > that). > > > > > > > > > >See below.. > > > > > > > > > > > What virus scanner(s), SpamAssassin, etc? > > > > > > > > > >ClamAV, McAfee, Spamassassin 2.6.3, DCC, Razor > > > > > > > > > > > What is the last thing the runaway process logs before CPU >hogging? > > > > > > > > > >Nothing abnormal, just the process starting and mail being processed, > > >even > > > > >in verbose logging, it just appears to be a normal process that won't >let > > > > >the other threads have any resources. If I kill it, the other >threads > > >spawn > > > > >and run as per normal. > > > > > > > > > > > Does the CPU hogging start the instant you start MailScanner, or >the > > > > > > instant the first child process runs, or when? > > > > > > > > > >As soon as mail begins to be processed. If no mail is in the queue, >not > > > > >hogging, but the second any mail is in queue it's hogging. 
> > > > > > > > > >MailScanner.conf > > > > >============================================ > > > > >Max Children = 4 > > > > >Queue Scan Interval = 1 > > > > >MTA = sendmail > > > > >Max Unscanned Bytes Per Scan = 100000000 > > > > >Max Unsafe Bytes Per Scan = 50000000 > > > > >Max Unscanned Messages Per Scan = 15 > > > > >Max Unsafe Messages Per Scan = 15 > > > > >Virus Scanning = yes > > > > >Virus Scanners = mcafee clamav > > > > >Virus Scanner Timeout = 300 > > > > >Spam Checks = yes > > > > >Spam List = > > > > >Use SpamAssassin = yes > > > > >Max SpamAssassin Size = 90000 > > > > >Deliver In Background = yes > > > > >Delivery Method = batch > > > > > > > > Do you reckon you could reproduce the problem on a box to which you >could > > > > give me login access? I suspect it's something very simple, but I have > > > > never witnessed it here and it's apparently not a common problem. > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From james at grayonline.id.au Tue Feb 17 21:26:27 2004 From: james at grayonline.id.au (James Gray) Date: Thu Jan 12 21:22:33 2006 Subject: should we kill incoming virus notifications In-Reply-To: <4032821E.7090806@fractalweb.com> References: <4032821E.7090806@fractalweb.com> Message-ID: <200402180826.27186.james@grayonline.id.au> On Wed, 18 Feb 2004 08:05 am, Chris Yuzik wrote: > I have my mail server configured to not bounce virus notifications, as > I'm sure most of us do. 
> > Would it be a good idea to kill incoming virus notifications from other > mail servers that DO bounce (or is it spam?) virus messages? Most, if > not all, viruses these days forge the sender email anyways. > > Cheers, > Chris Personally I'd like to educate admins NOT to send virus alerts at all - even for viruses that are known to have real sender addresses. If the user of the infected machine is naive enough not to use a virus scanner and keep it up to date, they are not going to care if they get an alert. Secondly, sending these alerts to spoofed senders has caused an exponential rise in my workload from concerned clients. I almost got to the stage where I was going to record an explanation about spoofed/faked sender addresses, Mydoom and bad admins on my voice mail! ;) If admins start accepting these virus alerts to faked senders, and filtering them etc, then we simply re-enforce the actions of the admins who have poorly configured machines. Just my $0.02 worth. James -- Fortune cookies says: BOFH excuse #141: disks spinning backwards - toggle the hemisphere jumper. From maillists at CONACTIVE.COM Tue Feb 17 21:30:18 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:33 2006 Subject: small bug in all reports In-Reply-To: <6.0.1.1.2.20040217192728.03d22488@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040217192728.03d22488@imap.ecs.soton.ac.uk> Message-ID: Julian Field wrote on Tue, 17 Feb 2004 19:27:53 +0000: > The sig separator is supposed to be "-- ". > Yes, I know, but it shows up here on my Windows workstation as "--". This is weird. I checked on the machine with pico and it's indeed "-- ". And when I copy it back it's still "-- ". But in Notetab Pro it shows as "--". Hm, it shows like this in other programs on Windows as well. Is this really the standard whitespace character? I've not seen this before, when there is a whitespace I usually see it, at the end of a line or not. 
And this Notetab is set to save in Unix linebreak format, anyway.

Sorry for the false alarm, must be something Windows-specific! Anyone else seeing this?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From mike at ZANKER.ORG Tue Feb 17 21:30:40 2004
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:22:33 2006
Subject: spam.lists.conf and SORBS
In-Reply-To:
References:
Message-ID: <297308281.1077053440@jemima.zanker.org>

On 17 February 2004 19:56 +0000 Magda Hewryk wrote:

> By "I can't resolve" I mean I can't dig or nslookup on it:
># nslookup sbl.spamhaus.org
> ** server can't find sbl.spamhaus.org: SERVFAIL
>
> However I can resolve relays.ordb.org
> Name: relays.ordb.org
> Address: 62.242.0.190
>
> I set different servers and still can't resolve my RBLs except ordb.
> Any thoughts?

Yes - don't worry about it, it doesn't matter. You don't need to be able to
resolve sbl.spamhaus.org because that's not how blacklist DNS lookups work.

If you want to check the IP address 1.2.3.4 against sbl.spamhaus.org you
need to check

    4.3.2.1.sbl.spamhaus.org

If it doesn't resolve then 1.2.3.4 is not in that list - if it resolves (to
127.0.0.x) then it is in the list.

Don't worry that you can't resolve sbl.spamhaus.org by itself - it's
irrelevant.

Mike.

From campbell at CNPAPERS.COM Tue Feb 17 21:34:32 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:33 2006
Subject: Single process taking over?
References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> <6.0.1.1.2.20040217122321.04062008@imap.ecs.soton.ac.uk> <019601c3f56b$155b0be0$a801a8c0@cnpapers.net> <6.0.1.1.2.20040217163027.03a1bd48@imap.ecs.soton.ac.uk> <055601c3f598$e3b30420$a801a8c0@cnpapers.net> <6.0.1.1.2.20040217210631.03cc1490@imap.ecs.soton.ac.uk>
Message-ID: <057201c3f59d$d4dc8c00$a801a8c0@cnpapers.net>

Mr. Field:

Done. There were 4 files in the /root/.spamassassin folder, the 3 bayes files
along with user prefs. I assume you wanted bayes turned back on, so it is
running that way. I will try to let it run overnight and see how it does,
unless it starts crapping sooner.

By the way, I don't have in either MailScanner.conf or
spam.assassin.prefs.conf a configuration line such as:

    auto_learn 0

Could this have helped in any way? I was auto learning on most of my mail
before I turned it off. I have also disabled the auto_expire, which was
running and maybe causing the .new files.

Thanks again.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Julian Field"
To:
Sent: Tuesday, February 17, 2004 4:08 PM
Subject: Re: Single process taking over?

> As a rather off-the-wall test, can you check to ensure there are no stray
> locks outstanding.
> cd ~root/.spamassassin
> mkdir temp
> cp * temp
> rm *
> mv temp/* .
> then restart MailScanner with the bayes engine turned back on.
> It theoretically shouldn't help, but have seen this improve things in the
> past in other applications.
>
> At 20:59 17/02/2004, you wrote:
> >Mr. Field:
> >
> >Thank you very much. I have updated clamav to 0.67, and SA to their latest
> >(one at a time, of course for testing purposes). Neither seemed to provide
> >much help, but turning off Bayes, so far has seemed to allow MS to keep up.
> >
> >Again, my load average is back to it's normal range of 5.00+ whenever there
> >are emails to scan instead of spiralling down to sub 0.75 levels regardless
> >of what was in incoming. If only I had a machine where the lower range was
> >normal.
> >
> >I will follow the list in the event something is found with the latest bayes
> >engine.
> >
> >Thank you very much.
> > > >Steve Campbell > >campbell@cnpapers.com > >Charleston Newspapers > > > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Tuesday, February 17, 2004 11:31 AM > >Subject: Re: Single process taking over? > > > > > > > Can you try switching off Bayes (use_bayes 0 in spam.assassin.prefs.conf). > > > Then let me know if the problem recurs. > > > > > > Also, upgrade your SA to 2.63 in case you are seeing a bug in SA. > > > > > > At 15:31 17/02/2004, you wrote: > > > >Mr. Field, > > > > > > > >I have been going through pretty much the same situation as described > >with > > > >this post. The exception is that my machine does not show a domineering > > > >process and load average drops to near nothing. I have been trying to > >change > > > >sendmail to remedy this problem, but I may be looking at the wrong part > >of > > > >the puzzle. I have still not determined what is going on, but I do see a > >lot > > > >of Bayes lock files and one main bayes.lock file. It peaks once I see the > > > >bayes_toks.new file which seems to stay around forever. I offer this only > >to > > > >maybe point things toward a solution. > > > > > > > >I am running > > > > MS 4.26.8-1 > > > > SA 2.61-1 > > > > ClamAV 0.65 > > > > MailWatch 0.5.1 > > > > Sendmail 8.11.6-27.73 > > > > RH 7.3 > > > > > > > >I upgraded MS on a Monday and MailWatch on a Wednesday. That week > >problems > > > >started happening. The problems seemed to be resolved by my removing my > > > >Bayes files (you suggested poisoning, and this appeared to have been the > > > >case), but since I must stop MS, remove all of the bayes lock files, the > > > >bayes_tok.new file, restart MS and all appears fine. Load average climbs > >to > > > >normal to normal-high limits, my incoming backlog clears quickly and > > > >everything is fine. I replaced my Message.pm file with the the one you > > > >posted to the list, and that is the only other change I have made to the > > > >above installed programs. 
> > > > > > > >I hope some common thread may appear from my configuration and what > >others > > > >describe to shed some light on this. Most people don't complain about > >load > > > >averages this low, but to me it signals a slow down in my mail system, > > > >creating backlogs in the incoming queue. > > > > > > > >Thank you for your efforts, sir. > > > > > > > >Steve Campbell > > > >campbell@cnpapers.com > > > >Charleston Newspapers > > > > > > > >----- Original Message ----- > > > >From: "Julian Field" > > > >To: > > > >Sent: Tuesday, February 17, 2004 7:24 AM > > > >Subject: Re: Single process taking over? > > > > > > > > > > > > > At 11:38 17/02/2004, you wrote: > > > > > > > -----Original Message----- > > > > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] > >On > > > > > > > Behalf Of Julian Field > > > > > > > Sent: Tuesday, 17 February 2004 8:36 PM > > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > > Subject: Re: Single process taking over? > > > > > > > > > > > > > > Ah, a reproducible fault! I like those :-) > > > > > > > > > > > >I don't!! :) > > > > > > > > > > > > > What does your MailScanner.conf look like? (just the interesting > >bits, > > > > > > > don't care what all the filenames of your reports are and stuff > >like > > > > > > > that). > > > > > > > > > > > >See below.. > > > > > > > > > > > > > What virus scanner(s), SpamAssassin, etc? > > > > > > > > > > > >ClamAV, McAfee, Spamassassin 2.6.3, DCC, Razor > > > > > > > > > > > > > What is the last thing the runaway process logs before CPU > >hogging? > > > > > > > > > > > >Nothing abnormal, just the process starting and mail being processed, > > > >even > > > > > >in verbose logging, it just appears to be a normal process that won't > >let > > > > > >the other threads have any resources. If I kill it, the other > >threads > > > >spawn > > > > > >and run as per normal. 
> > > > > > > > > > > > > Does the CPU hogging start the instant you start MailScanner, or > >the > > > > > > > instant the first child process runs, or when? > > > > > > > > > > > >As soon as mail begins to be processed. If no mail is in the queue, > >not > > > > > >hogging, but the second any mail is in queue it's hogging. > > > > > > > > > > > >MailScanner.conf > > > > > >============================================ > > > > > >Max Children = 4 > > > > > >Queue Scan Interval = 1 > > > > > >MTA = sendmail > > > > > >Max Unscanned Bytes Per Scan = 100000000 > > > > > >Max Unsafe Bytes Per Scan = 50000000 > > > > > >Max Unscanned Messages Per Scan = 15 > > > > > >Max Unsafe Messages Per Scan = 15 > > > > > >Virus Scanning = yes > > > > > >Virus Scanners = mcafee clamav > > > > > >Virus Scanner Timeout = 300 > > > > > >Spam Checks = yes > > > > > >Spam List = > > > > > >Use SpamAssassin = yes > > > > > >Max SpamAssassin Size = 90000 > > > > > >Deliver In Background = yes > > > > > >Delivery Method = batch > > > > > > > > > > Do you reckon you could reproduce the problem on a box to which you > >could > > > > > give me login access? I suspect it's something very simple, but I have > > > > > never witnessed it here and it's apparently not a common problem. 
> > > > > -- > > > > > Julian Field > > > > > www.MailScanner.info > > > > > MailScanner thanks transtec Computers for their support > > > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From chris at FRACTALWEB.COM Tue Feb 17 21:05:34 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:33 2006 Subject: should we kill incoming virus notifications Message-ID: <4032821E.7090806@fractalweb.com> I have my mail server configured to not bounce virus notifications, as I'm sure most of us do. Would it be a good idea to kill incoming virus notifications from other mail servers that DO bounce (or is it spam?) virus messages? Most, if not all, viruses these days forge the sender email anyways. 
Cheers,
Chris

From mailscanner at ecs.soton.ac.uk Tue Feb 17 23:55:06 2004
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:22:33 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200402172355.i1HNt6dV007716@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Abner Smyser

The movie http://members.fortunecity.com/aboutthematrix/ is one of all time blockbastards, on this Site we''re reviewing the phenomenon of how could such a ****** movie Turn out so Popular,

From mike at CAMAROSS.NET Tue Feb 17 22:23:36 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:33 2006
Subject: blocking read and delivery receipts
In-Reply-To: <73F0CEC63C14FC41ACBE35A3E23DB9B303664E@dianna.thehill.org>
Message-ID: <200402172221.i1HMLWjR021736@avwall.bladeware.com>

Was this question ever answered? I'd be interested to know if someone has a sendmail solution for this.

Mike

________________________________

From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Stein, Mr. Fred
Sent: Monday, December 22, 2003 8:30 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: blocking read and delivery receipts

Is there a way to block read and delivery receipts in MailScanner?

RH9
Postfix
MailScanner 4.25-14
SA 2.61
Razor 2.0

Fred Stein
Network Administrator
The Hill School
717 High Street
Pottstown, PA 19464
610-326-1000 ext. 7356
fstein@thehill.org
www.thehill.org

From richard.lush at NTLWORLD.COM Tue Feb 17 22:49:46 2004
From: richard.lush at NTLWORLD.COM (Richard Lush)
Date: Thu Jan 12 21:22:33 2006
Subject: [annoucement] Webmin module 0.9 release
Message-ID: <8C4A83966C27354C928048C4A1620EF8C21C@lando.rebel.com>

Hi All,

Just to let you know I've put an updated version of the webmin module up which includes all the options of MailScanner 4.26.8.

I'm still investigating reports that the module does not restart MailScanner correctly but have been unable to recreate it.
I've added all the options for MailScanner 4.26.8 and it now has the ability to just stop MailScanner without restarting.

It is available for download at http://lushsoft.dyndns.org/mailscanner-webmin or http://sourceforge.net/projects/msfrontend .

Richard

====================================
In Security there are no victims....only volunteers!

From jrudd at UCSC.EDU Tue Feb 17 23:05:05 2004
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:22:33 2006
Subject: Adding Envelope Headers?
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> <402D4E48.1A8709B1@ucsc.edu>
Message-ID: <40329E21.7D82BCA5@ucsc.edu>

John Rudd wrote:
>
> Julian Field wrote:
> >
> > At 14:00 13/02/2004, you wrote:
> > > >X-Envelope-To:
>
> > I am of the opinion that ...
> > putting in the envelope recipient is a bad idea.
> [snip]
> When you know that the MTA will do the right thing, it's not "a bad
> idea". And for some MTA's, it's definitely "the right idea".

So, does the lack of response to my two messages indicate they fell on deaf ears? Are my arguments unconvincing?

From ka at PACIFIC.NET Wed Feb 18 01:04:34 2004
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:22:33 2006
Subject: spam handling rules with +detail email addresses?
Message-ID: <4032BA22.7090507@pacific.net>

How does MailScanner/SA handle incoming email addressed to
user+detail@domain.com in rules?

Sendmail will strip everything after/including the + sign, and deliver
to the 'user', but rules in MailScanner for both user+detail@domain.com
AND user@domain.com seem to be bypassed when using this syntax in an
email.

I've only tested with rules/spam.actions.rules like this:

To: user+detail@domain.com store notify
To: user@domain.com store notify

Both are bypassed and mail gets the default action applied to it if it's
addressed to user+detail@domain.com

Any ideas?
Thanks,
Ken Anderson
Pacific.Net

From support at EAGLE-ACCESS.NET Wed Feb 18 01:13:04 2004
From: support at EAGLE-ACCESS.NET (Eagle Net Support)
Date: Thu Jan 12 21:22:33 2006
Subject: stop MS for single user {Scanned}
Message-ID: <4032BC20.26AD97F9@eagle-access.net>

Here's a good one. Got a client that wants his spam, ("every once in awhile there's good stuff in there"), ALL of it.

How do I not scan a single users account?

thanks
joe

--
This message has been scanned for viruses and dangerous content, and is believed to be clean.

From dahlberg at bucknell.edu Wed Feb 18 01:25:07 2004
From: dahlberg at bucknell.edu (Michael Dahlberg)
Date: Thu Jan 12 21:22:33 2006
Subject: Upgrade to 4.26.8 and performance bottlenecks
Message-ID: <20040218012507.GA13566@bucknell.edu>

I recently upgraded our mail system from MailScanner 4.13 to 4.26.8 in order to correct a problem scanning messages with MyDoom-infected attachments. Certain messages would contain data that some MUAs would not interpret as an attachment, while others would. This data contained an encoded version of the MyDoom virus. MailScanner 4.13 would not detect the virus-infected attachment while 4.26.8 would.

I am using Sophos 3.78(d) as the virus scanner (virus scanner = sophossavi). I do no spam analysis through MailScanner, I don't have MailScanner look analyze attachments for file type, and I don't block messages based on HTML tags. I am running MailScanner on a Sun Solaris dual SPARC II system with 2GB RAM.

My problem is that MailScanner 4.26.8 is SO SLOW that it can't keep up with our mail flow (virus scanning speeds are between 1 - 3 kB/sec). The problem is with MailScanner, since a downgrade (which retains the same Sophos installation) to 4.13 returns virus scanning back to its normal speed. When we're not hit with a virus outbreak we process 200,000 - 400,000 emails per day.

Has anyone observed this behavior? Can anyone offer a suggestion on what I might try tuning to recover adequate performance?
Thanks,
Mike

From rich at MAIL.WVNET.EDU Wed Feb 18 01:34:26 2004
From: rich at MAIL.WVNET.EDU (Richard Lynch)
Date: Thu Jan 12 21:22:33 2006
Subject: stop MS for single user {Scanned}
In-Reply-To: <4032BC20.26AD97F9@eagle-access.net>
References: <4032BC20.26AD97F9@eagle-access.net>
Message-ID: <4032C122.1020501@mail.wvnet.edu>

Eagle Net Support wrote:

>Here's a good one. Got a client that wants his spam, ("every once in
>awhile there's good stuff in there"), ALL of it.
>
>How do I not scan a single users account?
>
>
>

First, check the FAQ and search the mailing list archives. Then, learn about rulesets and check out "Spam Actions =" in MailScanner.conf.

--
Richard E. Lynch
West Virginia Network (WVNET)
837 Chestnut Ridge Road
Morgantown, WV 26505
(304) 293-5192 x243

From Denis.Beauchemin at USHERBROOKE.CA Wed Feb 18 02:18:14 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:33 2006
Subject: spam handling rules with +detail email addresses?
In-Reply-To: <4032BA22.7090507@pacific.net>
References: <4032BA22.7090507@pacific.net>
Message-ID: <4032CB66.7080303@USherbrooke.ca>

Ken Anderson wrote:

> How does MailScanner/SA handle incoming email addressed to
> user+detail@domain.com in rules?
>
> Sendmail will strip everything after/including the + sign, and deliver
> to the 'user', but rules in MailScanner for both user+detail@domain.com
> AND user@domain.com seem to be bypassed when using this syntax in an
> email.
>
> I've only tested with rules/spam.actions.rules like this:
>
> To: user+detail@domain.com store notify

Could it be that your address is interpreted as a regular expression (I didn't check)? If so try:

user\+detail@domain.com

> To: user@domain.com store notify
>
> Both are bypassed and mail gets the default action applied to it if it's
> addressed to user+detail@domain.com
>
> Any ideas?
>
> Thanks,
> Ken Anderson
> Pacific.Net
>

From jonathan.arcand at CEGEPTR.QC.CA Wed Feb 18 04:06:27 2004
From: jonathan.arcand at CEGEPTR.QC.CA (Jonathan Arcand)
Date: Thu Jan 12 21:22:33 2006
Subject: Web interface to manage black/whitelist
Message-ID: <20040218040627.M31389@cegeptr.qc.ca>

Hi,

I'm searching a little web interface for add/remove an ip quickly to the spam.blacklist.rules or the spam.whitelist.rules

I want to give the possibility at some trusted users to add an ip but i don't want give an access to the server.

Someone already saw that somewhere?

Thanks

Jonathan

From chris at FRACTALWEB.COM Wed Feb 18 04:46:26 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:22:33 2006
Subject: paypal virus notices annoying my users
Message-ID: <4032EE22.5080002@fractalweb.com>

Hi,

I've got a request from above requesting that I stop the notifications to the intended recipients of the paypal virus (Mimail.J in this case).

Would creating a custom spam rule looking for a key phrase in the message with a high spam score work? What's the best way of doing this?

Cheers,
Chris

From raymond at PROLOCATION.NET Wed Feb 18 07:55:26 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:33 2006
Subject: paypal virus notices annoying my users
In-Reply-To: <4032EE22.5080002@fractalweb.com>
Message-ID:

Hi!

> I've got a request from above requesting that I stop the notifications
> to the intended recipients of the paypal virus (Mimail.J in this case).
>
> Would creating a custom spam rule looking for a key phrase in the
> message with a high spam score work? What's the best way of doing this?

Why not put Mimail in your silent virus list ?

Bye,
Raymond.

From dean.plant at ROKE.CO.UK Wed Feb 18 08:54:10 2004
From: dean.plant at ROKE.CO.UK (Plant, Dean)
Date: Thu Jan 12 21:22:33 2006
Subject: Possible extra feature to Send Notices?
Message-ID:

I find the Send Notices feature doesn't quite work for me.
When we have a major virus outbreak I have to turn it off due to the amount of messages produced and I end up ignoring the mails when we have the constant dribble of virus notices throughout a normal working day.

It would be great to have some configurable settings like,

Send Notices = outbreak
Outbreak Window = 10mins
No of Identical Virus For Trigger = 20

So that if you get 20 or more Identical Virus detected in 10 mins, alert me.

Any thoughts?

Dean Plant

--
Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ

The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship.

From raymond at PROLOCATION.NET Wed Feb 18 09:00:02 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:33 2006
Subject: Possible extra feature to Send Notices?
In-Reply-To:
Message-ID:

Hi Dean,

> It would be great to have some configurable settings like,
>
> Send Notices = outbreak
> Outbreak Window = 10mins
> No of Identical Virus For Trigger = 20
>
>
> So that if you get 20 or more Identical Virus detected in 10 mins, alert me.
>
> Any thoughts?

Just analyze your logs, this is something that can be perfectly done with a log analyzer.

Bye,
Raymond.

From JLM939 at hotmail.com Wed Feb 18 08:50:04 2004
From: JLM939 at hotmail.com (JLM)
Date: Thu Jan 12 21:22:33 2006
Subject: MailScanner on Mac OS X
Message-ID:

Hi folks,

I'm trying to get MailScanner (4.26.8-1) functioning properly on Mac OS X Server (10.3.2), and I'm running into a few trouble spots. I'm using MailScanner along with XAMS 0.0.15-RC4, which is a flexible and intuitive email management system that is designed to work along with Exim, Courier-IMAP, and MySQL.
http://www.xams.org/

The trouble spots I'm running into are:

[1] At launch, MailScanner complains: "ps: illegal option -- f" This seems to be related to check_mailscanner, but other than that I don't know anything about this error, how important it is, and whether there's anything we can do to fix it on Mac OS X. Any thoughts or suggestions would be much appreciated.

[2] I can't seem to get MailScanner to run as mail:mail (GID=6, UID=6). This occurred on both the Jaguar (10.2.6) and Panther (10.3.2) versions of Mac OS X that I have installed MailScanner on. I have to comment out the "Run as user = " and "Run as Group = " lines in order to get MailScanner to run. Does anyone have any suggestions as to how we might fix this? We'd rather not have MailScanner running as root if we can avoid it.

[3] Other than the above, MailScanner appears to function normally. However, after a few hours of normal operation, the following error began repeatedly appearing in the mail log:

Feb 17 12:44:31 localhost MailScanner[2965]: File containing list of incoming queue dirs (/var/spool/exim-incoming/input) does not exist

There is indeed a /var/spool/exim-incoming/input directory. I'm a bit puzzled as to why MailScanner thinks there is a file containing a list of incoming queue dirs at that location. Both the incoming and outgoing queue directories are specified in the mailscanner.conf file. MailScanner appears to continue functioning normally, so once again it's not clear how important this error is. Nonetheless, can anyone shed any light on what's causing this and how I might fix it?

[4] After mail has been scanned for viruses and run through SpamAssassin, it may then be fed to TMDA if the spam/ham analysis is inconclusive. [I fully realize that many people are not big fans of challenge/response systems such as TMDA.
Please keep in mind that messages with low spam scores are delivered unchallenged, and messages with high spam scores are discarded outright (again, without being challenged). The only messages that will be challenged are the very rare messages that SpamAssassin can't convincingly classify as either spam or ham. It is our hope that this method will address many of the objections against challenge/response systems.]

I'm working with the other folks on the XAMS team to put together a few routines to pass mail from MailScanner to TMDA. The following test routines were added to the CustomConfig.pm component of MailScanner:

### Begin: Test routines added to CustomConfig.pm ###

use Data::Dumper;

sub InitXAMSTMDAMailer {}

sub XAMSTMDAMailer {
    my ($message) = @_;
    $|++;
    open XAMS_TMDA_FH, '>>/tmp/xams_tmda_mailer.log';
    print XAMS_TMDA_FH Dumper($message) . '=' x 80 . "\n";
    print XAMS_TMDA_FH "XAMSTMDAMailer was here\n";
    close XAMS_TMDA_FH;
    return '/usr/local/exim/bin/exim -DMAILSCANNER_OUTGOING=On';
}

sub EndXAMSTMDAMailer {}

### End: Test routines added to CustomConfig.pm ###

When a message is received by MailScanner and triggers the above routines, it delivers the mail but does two unexpected things:

1. The output of the first print command is: "$VAR1 = undef;" Can anyone think of why that might be? Any suggestions would be very, very helpful.

2. It repeats the output five times (see below). I realize that MailScanner has five processes running at any given time, but why are all five processing these routines when a message is received?

Output:

$VAR1 = undef;
====================================================================
XAMSTMDAMailer was here

(repeated another four times)

Does anyone have any ideas as to why this is being repeated five times?

I realize this is a lot of questions to throw to the list at once. I and the other members of the XAMS team would be most grateful for any advice you can offer.
On behalf of the XAMS team, thanks in advance for any pointers you might have for us!

Best,
Justin

PS: I'd like to take a moment to recognize the superb support I've received so far from Nick Phillips, who has selflessly devoted his time to help me get MailScanner running on Mac OS X (in at least a basic incarnation). Without his guidance, I would never even have made it this far. Many thanks, Nick!

From mailscanner at ecs.soton.ac.uk Wed Feb 18 09:18:26 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:33 2006
Subject: spam handling rules with +detail email addresses?
In-Reply-To: <4032BA22.7090507@pacific.net>
References: <4032BA22.7090507@pacific.net>
Message-ID: <6.0.1.1.2.20040218091643.03e433c0@imap.ecs.soton.ac.uk>

At 01:04 18/02/2004, you wrote:
>How does MailScanner/SA handle incoming email addressed to
>user+detail@domain.com in rules?
>
>Sendmail will strip everything after/including the + sign, and deliver
>to the 'user', but rules in MailScanner for both user+detail@domain.com
>AND user@domain.com seem to be bypassed when using this syntax in an email.
>
>I've only tested with rules/spam.actions.rules like this:
>
>To: user+detail@domain.com store notify
>To: user@domain.com store notify
>
>Both are bypassed and mail gets the default action applied to it if it's
>addressed to user+detail@domain.com

But what is the envelope recipient address in this case? user or user+detail?
You could do it with

To: user@domain.com store notify
To: user+*@domain.com store notify

or

To: /user(\+.*)?\@domain\.com/ store notify

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Feb 18 09:15:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:33 2006
Subject: blocking read and delivery receipts
In-Reply-To: <200402172221.i1HMLWjR021736@avwall.bladeware.com>
References: <73F0CEC63C14FC41ACBE35A3E23DB9B303664E@dianna.thehill.org> <200402172221.i1HMLWjR021736@avwall.bladeware.com>
Message-ID: <6.0.1.1.2.20040218091500.03e72e90@imap.ecs.soton.ac.uk>

You could do this with a couple of MCP rules. See www.sng.ecs.soton.ac.uk/mailscanner/install/mcp/

At 22:23 17/02/2004, you wrote:
>Was this question ever answered? I'd be interested to know if someone has a
>sendmail solution for this.
>
>Mike
>
>
>
>________________________________
>
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]
>On Behalf Of Stein, Mr. Fred
> Sent: Monday, December 22, 2003 8:30 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: blocking read and delivery receipts
>
>
>
> Is there a way to block read and delivery receipts in MailScanner?
>
> RH9
>
> Postfix
>
> MailScanner 4.25-14
>
> SA 2.61
>
> Razor 2.0
>
>
>
> Fred Stein
>
> Network Administrator
>
> The Hill School
>
> 717 High Street
>
> Pottstown, PA 19464
>
> 610-326-1000 ext.
> 7356
>
> fstein@thehill.org
>
> www.thehill.org

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martinh at SOLID-STATE-LOGIC.COM Wed Feb 18 09:36:47 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:33 2006
Subject: Upgrade to 4.26.8 and performance bottlenecks
In-Reply-To: <20040218012507.GA13566@bucknell.edu>
References: <20040218012507.GA13566@bucknell.edu>
Message-ID: <4033322F.1070908@solid-state-logic.com>

Michael Dahlberg wrote:
> I recently upgraded our mail system from MailScanner 4.13 to 4.26.8
> in order to correct a problem scanning messages with MyDoom-infected
> attachments. Certain messages would contain data that some MUAs would
> not interpret as an attachment, while others would. This data contained
> an encoded version of the MyDoom virus. MailScanner 4.13 would not detect
> the virus-infected attachment while 4.26.8 would.
>
> I am using Sophos 3.78(d) as the virus scanner
> (virus scanner = sophossavi). I do no spam analysis through
> MailScanner, I don't have MailScanner look analyze attachments for
> file type, and I don't block messages based on HTML tags. I am
> running MailScanner on a Sun Solaris dual SPARC II system with
> 2GB RAM.
>
> My problem is that MailScanner 4.26.8 is SO SLOW that it can't keep
> up with our mail flow (virus scanning speeds are between 1 - 3 kB/sec).
> The problem is with MailScanner, since a
> downgrade (which retains the same Sophos installation) to 4.13 returns
> virus scanning back to its normal speed. When we're not hit with
> a virus outbreak we process 200,000 - 400,000 emails per day.
>
> Has anyone observed this behavior? Can anyone offer a suggestion on
> what I might try tuning to recover adequate performance?
>
> Thanks,
> Mike

Mike

I'd make sure that all the required perl Modules are loaded (via CPAN is the best way), and these may have changed for 4.26 from 4.13.

Also is there any indication of problems if you set Debug=yes in the MailScanner.conf and run MailScanner via check_MailScanner.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From martinh at SOLID-STATE-LOGIC.COM Wed Feb 18 09:43:20 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:33 2006
Subject: Spamassassin and Bayes files
In-Reply-To: <5.0.2.1.2.20040217122203.01200498@127.0.0.1>
References: <5.0.2.1.2.20040217122203.01200498@127.0.0.1>
Message-ID: <403333B8.7020203@solid-state-logic.com>

Nicolas Viers - SCI wrote:
> Hello,
> if i change the bayes_path on /etc/MailScanner/spam.assassin.prefs.conf
> file it 's ok. The db files are now in the new directory. But when i do
> sa-learn manually how tell to spamassassin to write rules in this directory
> and no more in /root/.spamassassin ?
>
> Thanks
>
>
> ____________________________________________________________
>
> Nicolas Viers | Service Commun Informatique
> Mél: viers@unilim.fr | 123, avenue Albert Thomas
> | 87060 Limoges cedex
> Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95
> http://www.unilim.fr/sci
> ___________________________________________________________
> _

or use

sa-learn -C /etc/MailScanner/spam.assassin.prefs.conf -spam mboxfile

it will pick up the settings from the MailScanner file..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From michele at BLACKNIGHTSOLUTIONS.COM Wed Feb 18 09:47:30 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:33 2006
Subject: [annoucement] Webmin module 0.9 release
In-Reply-To: <8C4A83966C27354C928048C4A1620EF8C21C@lando.rebel.com>
Message-ID:

I downloaded and installed it - very nice so far :)

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Richard Lush
> Sent: 17 February 2004 22:50
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: [MAILSCANNER] [annoucement] Webmin module 0.9 release
>
>
> Hi All,
>
> Just to let you know I've put an updated version of the webmin
> module up which includes all the options of MailScanner 4.26.8.
>
> I'm still investigating reports that the module does not
> restart MailScanner correctly but have been unable to recreate it.
>
> I've added all the options for MailScanner 4.26.8 and it now has
> the ability to just stop MailScanner without restarting.
>
> It is available for download at
> http://lushsoft.dyndns.org/mailscanner-webmin or
> http://sourceforge.net/projects/msfrontend .
>
> Richard
>
> ====================================
> In Security there are no victims....only volunteers!
>

From P.G.M.Peters at utwente.nl Wed Feb 18 10:55:25 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:33 2006
Subject: MailScanner reload not honoring all MailScanner changes
Message-ID:

Normally when I change something in MailScanner it gets read the next time a child dies of old age or (when I need it fast) after a reload. But I noticed only the childs reread the config because configuration parameters used by the parent isn't read.

The parameter I changed was the number of childs. Because of some diskproblems we had to decrease the number of childs and it didn't work. ;-(

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Wed Feb 18 10:57:16 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:33 2006
Subject: MailScanner reload not honoring all MailScanner changes
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040218105634.037e35a0@imap.ecs.soton.ac.uk>

It's just the children that re-read their config (basically they commit suicide and get restarted). Config options that affect the parent need a restart to take effect.

At 10:55 18/02/2004, you wrote:
>Normally when I change something in MailScanner it gets read the next
>time a child dies of old age or (when I need it fast) after a reload.
>But I noticed only the childs reread the config because configuration
>parameters used by the parent isn't read.
>
>The parameter I changed was the number of childs. Because of some
>diskproblems we had to decrease the number of childs and it didn't work.
>;-(
>
>--
>Peter Peters, senior netwerkbeheerder
>Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
>Universiteit Twente, Postbus 217, 7500 AE Enschede
>telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From john at TRADOC.FR Wed Feb 18 12:29:13 2004
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:22:33 2006
Subject: Subject not changed when "__MailScanner_found_Cyrus_boundary_substring_problem__"
Message-ID: <2rl630tm6v5pm9lg0pb68fkfrihemmftc2@tradoc.fr>

I've noticed that the {Spam?} (or whatever) flag isn't prepended to the subject for messages where MailScanner alters the MIME boundary strings.

John.

--
-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From ugob at CAMO-ROUTE.COM Wed Feb 18 13:39:32 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:33 2006
Subject: Web interface to manage black/whitelist
In-Reply-To: <20040218040627.M31389@cegeptr.qc.ca>
References: <20040218040627.M31389@cegeptr.qc.ca>
Message-ID: <40336B14.4050008@camo-route.com>

Jonathan Arcand wrote:

>Hi,
>
>I'm searching a little web interface for add/remove an ip quickly to the
>spam.blacklist.rules or the spam.whitelist.rules
>
>I want to give the possibility at some trusted users to add an ip but i don't
>want give an access to the server.
>
>Someone already saw that somewhere?
>
>

http://sourceforge.net/projects/phplistadmin/

>Thanks
>
>Jonathan
>
>

From jrudd at UCSC.EDU Wed Feb 18 09:19:59 2004
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:22:33 2006
Subject: MailScanner on Mac OS X
In-Reply-To:
References:
Message-ID: <9FF2226C-61F3-11D8-9C36-003065F939FE@ucsc.edu>

On Feb 18, 2004, at 12:50 AM, JLM wrote:

> Hi folks,
>
> I'm trying to get MailScanner (4.26.8-1) functioning properly on Mac OS X
> Server (10.3.2),
> The trouble spots I'm running into are:
>
> [1] At launch, MailScanner complains: "ps: illegal option -- f" This seems
> to be related to check_mailscanner, but other than that I don't know anything
> about this error, how important it is, and whether there's anything we can
> do to fix it on Mac OS X. Any thoughts or suggestions would be much
> appreciated.

f sounds like you're using the HPUX stanza instead of the BSD stanza in the check_mailscanner script. Make sure the BSD stanza is the one you're using (make sure the conditions work out, etc.).

From mailscanner at ecs.soton.ac.uk Wed Feb 18 13:58:41 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:34 2006
Subject: Subject not changed when "__MailScanner_found_Cyrus_boundary_substring_problem__"
In-Reply-To: <2rl630tm6v5pm9lg0pb68fkfrihemmftc2@tradoc.fr>
References: <2rl630tm6v5pm9lg0pb68fkfrihemmftc2@tradoc.fr>
Message-ID: <6.0.1.1.2.20040218135821.040c9090@imap.ecs.soton.ac.uk>

The aim was that it just quietly fixed the problem and no-one ever noticed the mail had been modified.

At 12:29 18/02/2004, you wrote:
>I've noticed that the {Spam?} (or whatever) flag isn't prepended to the
>subject for messages where MailScanner alters the MIME boundary strings.
>
>
>John.
>
>--
>-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
>-- Translate your technical documents and web pages - www.tradoc.fr

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From john at TRADOC.FR Wed Feb 18 14:13:25 2004
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:22:34 2006
Subject: Subject not changed when "__MailScanner_found_Cyrus_boundary_substring_problem__"
In-Reply-To: <6.0.1.1.2.20040218135821.040c9090@imap.ecs.soton.ac.uk>
References: <2rl630tm6v5pm9lg0pb68fkfrihemmftc2@tradoc.fr> <6.0.1.1.2.20040218135821.040c9090@imap.ecs.soton.ac.uk>
Message-ID: <8bs630tj5dtt2uva23ihoi7eevqi1hlhd6@tradoc.fr>

On Wed, 18 Feb 2004 13:58:41 +0000, Julian Field wrote:

> The aim was that it just quietly fixed the problem and no-one ever noticed
> the mail had been modified.

I certainly wouldn't have noticed myself that it had fixed anything, had the problem not occurred on (quite a number of) spam messages. All the other MailScanner-added headers are there, showing that the messages got a spam score from SA, but the spam subject text isn't added.

John.

--
-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From campbell at CNPAPERS.COM Wed Feb 18 14:22:10 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:34 2006
Subject: Single process taking over?
References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> <6.0.1.1.2.20040217122321.04062008@imap.ecs.soton.ac.uk> <019601c3f56b$155b0be0$a801a8c0@cnpapers.net> <6.0.1.1.2.20040217163027.03a1bd48@imap.ecs.soton.ac.uk> <055601c3f598$e3b30420$a801a8c0@cnpapers.net> <6.0.1.1.2.20040217210631.03cc1490@imap.ecs.soton.ac.uk> <057201c3f59d$d4dc8c00$a801a8c0@cnpapers.net>
Message-ID: <008401c3f62a$9915ade0$2501a8c0@cnpapers.net>

Mr. Field,

All seems resolved now. I still have auto_expire off, and will test this later in the week.

By the way, should I have seen any other files in the root/.spamassassin directory other than the 3 bayes files and the user prefs file? If not, should your procedure of moving/rewriting these files be done on a regular basis?

Thank you ever so much.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Stephe Campbell"
To:
Sent: Tuesday, February 17, 2004 4:34 PM
Subject: Re: Single process taking over?

> Mr. Field:
>
> Done. There were 4 files in the /root/.spamassassin folder, the 3 bayes
> files along with user prefs. I assume you wanted bayes turned back on, so it
> is running that way. I will try to let it run overnight and see how it does,
> unless it starts crapping sooner.
>
> By the way, I don't have in either MailScanner.conf or
> spam.assassin.prefs.conf a configuration line such as:
>
> auto_learn 0
>
> Could this have helped in any way? I was auto learning on most of my mail
> before I turned it off. I have also disabled the auto_expire, which was
> running and maybe causing the .new files.
>
> Thanks again.
>
> Steve Campbell
> campbell@cnpapers.com
> Charleston Newspapers
>
> ----- Original Message -----
> From: "Julian Field"
> To:
> Sent: Tuesday, February 17, 2004 4:08 PM
> Subject: Re: Single process taking over?
>
>
> > As a rather off-the-wall test, can you check to ensure there are no stray
> > locks outstanding.
> > cd ~root/.spamassassin
> > mkdir temp
> > cp * temp
> > rm *
> > mv temp/* .
> > then restart MailScanner with the bayes engine turned back on.
> > It theoretically shouldn't help, but have seen this improve things in the
> > past in other applications.
> >
> > At 20:59 17/02/2004, you wrote:
> > >Mr. Field:
> > >
> > >Thank you very much. I have updated clamav to 0.67, and SA to their latest
> > >(one at a time, of course for testing purposes). Neither seemed to provide
> > >much help, but turning off Bayes, so far has seemed to allow MS to keep up.
> > >
> > >Again, my load average is back to it's normal range of 5.00+ whenever there
> > >are emails to scan instead of spiralling down to sub 0.75 levels regardless
> > >of what was in incoming. If only I had a machine where the lower range was
> > >normal.
> > >
> > >I will follow the list in the event something is found with the latest bayes
> > >engine.
> > >
> > >Thank you very much.
> > >
> > >Steve Campbell
> > >campbell@cnpapers.com
> > >Charleston Newspapers
> > >
> > >----- Original Message -----
> > >From: "Julian Field"
> > >To:
> > >Sent: Tuesday, February 17, 2004 11:31 AM
> > >Subject: Re: Single process taking over?
> > >
> > >
> > > > Can you try switching off Bayes (use_bayes 0 in spam.assassin.prefs.conf).
> > > > Then let me know if the problem recurs.
> > > >
> > > > Also, upgrade your SA to 2.63 in case you are seeing a bug in SA.
> > > >
> > > > At 15:31 17/02/2004, you wrote:
> > > > >Mr. Field,
> > > > >
> > > > >I have been going through pretty much the same situation as described with
> > > > >this post. The exception is that my machine does not show a domineering
> > > > >process and load average drops to near nothing. I have been trying to change
> > > > >sendmail to remedy this problem, but I may be looking at the wrong part of
> > > > >the puzzle.
> > > > >I have still not determined what is going on, but I do see a lot
> > > > >of Bayes lock files and one main bayes.lock file. It peaks once I see the
> > > > >bayes_toks.new file which seems to stay around forever. I offer this only to
> > > > >maybe point things toward a solution.
> > > > >
> > > > >I am running
> > > > > MS 4.26.8-1
> > > > > SA 2.61-1
> > > > > ClamAV 0.65
> > > > > MailWatch 0.5.1
> > > > > Sendmail 8.11.6-27.73
> > > > > RH 7.3
> > > > >
> > > > >I upgraded MS on a Monday and MailWatch on a Wednesday. That week problems
> > > > >started happening. The problems seemed to be resolved by my removing my
> > > > >Bayes files (you suggested poisoning, and this appeared to have been the
> > > > >case), but since I must stop MS, remove all of the bayes lock files, the
> > > > >bayes_tok.new file, restart MS and all appears fine. Load average climbs to
> > > > >normal to normal-high limits, my incoming backlog clears quickly and
> > > > >everything is fine. I replaced my Message.pm file with the one you
> > > > >posted to the list, and that is the only other change I have made to the
> > > > >above installed programs.
> > > > >
> > > > >I hope some common thread may appear from my configuration and what others
> > > > >describe to shed some light on this. Most people don't complain about load
> > > > >averages this low, but to me it signals a slow down in my mail system,
> > > > >creating backlogs in the incoming queue.
> > > > >
> > > > >Thank you for your efforts, sir.
> > > > >
> > > > >Steve Campbell
> > > > >campbell@cnpapers.com
> > > > >Charleston Newspapers
> > > > >
> > > > >----- Original Message -----
> > > > >From: "Julian Field"
> > > > >To:
> > > > >Sent: Tuesday, February 17, 2004 7:24 AM
> > > > >Subject: Re: Single process taking over?
> > > > > > > > > > > > > > > > At 11:38 17/02/2004, you wrote: > > > > > > > > -----Original Message----- > > > > > > > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] > > >On > > > > > > > > Behalf Of Julian Field > > > > > > > > Sent: Tuesday, 17 February 2004 8:36 PM > > > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > > > Subject: Re: Single process taking over? > > > > > > > > > > > > > > > > Ah, a reproducible fault! I like those :-) > > > > > > > > > > > > > >I don't!! :) > > > > > > > > > > > > > > > What does your MailScanner.conf look like? (just the > interesting > > >bits, > > > > > > > > don't care what all the filenames of your reports are and > stuff > > >like > > > > > > > > that). > > > > > > > > > > > > > >See below.. > > > > > > > > > > > > > > > What virus scanner(s), SpamAssassin, etc? > > > > > > > > > > > > > >ClamAV, McAfee, Spamassassin 2.6.3, DCC, Razor > > > > > > > > > > > > > > > What is the last thing the runaway process logs before CPU > > >hogging? > > > > > > > > > > > > > >Nothing abnormal, just the process starting and mail being > processed, > > > > >even > > > > > > >in verbose logging, it just appears to be a normal process that > won't > > >let > > > > > > >the other threads have any resources. If I kill it, the other > > >threads > > > > >spawn > > > > > > >and run as per normal. > > > > > > > > > > > > > > > Does the CPU hogging start the instant you start MailScanner, > or > > >the > > > > > > > > instant the first child process runs, or when? > > > > > > > > > > > > > >As soon as mail begins to be processed. If no mail is in the > queue, > > >not > > > > > > >hogging, but the second any mail is in queue it's hogging. 
> > > > > > > > > > > > > >MailScanner.conf > > > > > > >============================================ > > > > > > >Max Children = 4 > > > > > > >Queue Scan Interval = 1 > > > > > > >MTA = sendmail > > > > > > >Max Unscanned Bytes Per Scan = 100000000 > > > > > > >Max Unsafe Bytes Per Scan = 50000000 > > > > > > >Max Unscanned Messages Per Scan = 15 > > > > > > >Max Unsafe Messages Per Scan = 15 > > > > > > >Virus Scanning = yes > > > > > > >Virus Scanners = mcafee clamav > > > > > > >Virus Scanner Timeout = 300 > > > > > > >Spam Checks = yes > > > > > > >Spam List = > > > > > > >Use SpamAssassin = yes > > > > > > >Max SpamAssassin Size = 90000 > > > > > > >Deliver In Background = yes > > > > > > >Delivery Method = batch > > > > > > > > > > > > Do you reckon you could reproduce the problem on a box to which > you > > >could > > > > > > give me login access? I suspect it's something very simple, but I > have > > > > > > never witnessed it here and it's apparently not a common problem. > > > > > > -- > > > > > > Julian Field > > > > > > www.MailScanner.info > > > > > > MailScanner thanks transtec Computers for their support > > > > > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From slwatts at WINCKWORTHS.CO.UK Wed Feb 18 14:47:23 2004 From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:22:34 2006 Subject: Silent Viruses update Message-ID: Also need to add Netsky-B to the silent viruses list if you run Sophos (viruses or virii?!). 
Sam -----Original Message----- From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK] Sent: 17 February 2004 18:52 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Silent Viruses update Anyone still maintaining a Silent Viruses list should add Tanx to it if they use Sophos. I think Symantec have put it in the Beagle family. Don't know about the others. Anyone who's given up on notifying senders about Viruses, please ignore this message! Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth -------------- Winckworth Sherwood Solicitors and Parliamentary Agents DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR Telephone 020 7593 5000 Fax 020 7593 5099 -Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system. -Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email. -Regulation- The firm is regulated by the Law Society. 
-Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at http://www.winckworths.co.uk From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 18 14:52:20 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:34 2006 Subject: Silent Viruses update Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C539@jessica.herefordshire.gov.uk> We've just got our first copy of this - ClamAv reports it as Worm.SomeFool Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Samuel Luxford-Watts > Sent: 18 February 2004 14:47 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Silent Viruses update > > > Also need to add Netsky-B to the silent viruses list if you run Sophos > (viruses or virii?!). > > Sam > > -----Original Message----- > From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK] > Sent: 17 February 2004 18:52 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Silent Viruses update > > > Anyone still maintaining a Silent Viruses list should add > Tanx to it if they > use Sophos. I think Symantec have put it in the Beagle > family. Don't know > about the others. > > Anyone who's given up on notifying senders about Viruses, > please ignore this > message! > > Cheers, > > Martin > > -- > Martin Sapsed > Information Services "Who do you say I am?" > University of Wales, Bangor Jesus of Nazareth > > -------------- > Winckworth Sherwood Solicitors and Parliamentary Agents > DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR > Telephone 020 7593 5000 Fax 020 7593 5099 > > -Confidentiality- > This email message and any attachments are confidential; they > may be subject to legal professional privilege and are > intended for the named recipient only. 
If you are not the
> named recipient, please return the message and enclosures
> immediately and delete them from your system.
>
> -Caution-
> Before advice received only by email (whether by attachment
> or otherwise) may be relied on, the authenticity of the
> communication must be verified by means independent of email.
>
> -Regulation-
> The firm is regulated by the Law Society.
>
> -Partners-
> A list of partners is available for inspection at each office
> of the firm and on the firm's website at http://www.winckworths.co.uk
>

From chris at TRUDEAU.ORG Wed Feb 18 14:02:52 2004
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:22:34 2006
Subject: Performance
References: <6.0.1.1.2.20040218105634.037e35a0@imap.ecs.soton.ac.uk>
Message-ID: <003601c3f627$e68eedf0$4919000a@ATLCPW13671>

All,

I have tried in the past to generate traffic that would provide me a decent
idea of capacity.

My production system is a dual 550 P4 with 512Mb RAM and SCSI Raid 0+1.

I'm using tempfs and have made a number of tuning changes thanks to this
list. I am running a full contingent of MailWatch (on another machine) and
my production MTA is running MySQL logging into the second server's db for
MailWatch.

I added a new domain the day before yesterday and ran my message volume up
over 10X what it was processing.

I ran almost 20K messages through the system yesterday...is that inline with
what you guys have seen am I on the high side or the low side. My machine
took a beating, but kept on trucking.

I did have a small bayes db corruption issue late last night...I ended up
rebuilding from scratch and performance seems better today....

Any feedback?
THX CT From slwatts at WINCKWORTHS.CO.UK Wed Feb 18 15:01:04 2004 From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:22:34 2006 Subject: Silent Viruses update Message-ID: Its just started getting it here about an hour ago and its increasing rapidly -----Original Message----- From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] Sent: 18 February 2004 14:52 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Silent Viruses update We've just got our first copy of this - ClamAv reports it as Worm.SomeFool Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Samuel Luxford-Watts > Sent: 18 February 2004 14:47 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Silent Viruses update > > > Also need to add Netsky-B to the silent viruses list if you run Sophos > (viruses or virii?!). > > Sam > > -----Original Message----- > From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK] > Sent: 17 February 2004 18:52 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Silent Viruses update > > > Anyone still maintaining a Silent Viruses list should add Tanx to it > if they use Sophos. I think Symantec have put it in the Beagle > family. Don't know > about the others. > > Anyone who's given up on notifying senders about Viruses, please > ignore this message! > > Cheers, > > Martin > > -- > Martin Sapsed > Information Services "Who do you say I am?" > University of Wales, Bangor Jesus of Nazareth > > -------------- > Winckworth Sherwood Solicitors and Parliamentary Agents > DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR > Telephone 020 7593 5000 Fax 020 7593 5099 > > -Confidentiality- > This email message and any attachments are confidential; they may be > subject to legal professional privilege and are intended for the named > recipient only. 
If you are not the named recipient, please return the > message and enclosures immediately and delete them from your system. > > -Caution- > Before advice received only by email (whether by attachment or > otherwise) may be relied on, the authenticity of the communication > must be verified by means independent of email. > > -Regulation- > The firm is regulated by the Law Society. > > -Partners- > A list of partners is available for inspection at each office of the > firm and on the firm's website at http://www.winckworths.co.uk > -------------- Winckworth Sherwood Solicitors and Parliamentary Agents DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR Telephone 020 7593 5000 Fax 020 7593 5099 -Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system. -Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email. -Regulation- The firm is regulated by the Law Society. -Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at http://www.winckworths.co.uk From kodak at FRONTIERHOMEMORTGAGE.COM Wed Feb 18 15:02:36 2004 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:34 2006 Subject: OT: Viruses or Virii Answered (Was: RE: Silent Viruses update) In-Reply-To: Message-ID: <004f01c3f630$3e8ac210$0501a8c0@darkside> >(viruses or virii?!). Viruses. There is a paper here: http://www.perl.com/language/misc/virus.html That explains why. If anyone disagrees, mail that author, not me. 
:)

HTH,
--J(K)

From raymond at PROLOCATION.NET Wed Feb 18 15:07:15 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:34 2006
Subject: Silent Viruses update
In-Reply-To:
Message-ID:

Hi!

> Its just started getting it here about an hour ago and its increasing
> rapidly

Spreading rapidly:

   3790 W32/Netsky.B@mm
   1783 W32/Mydoom.A@mm
   1615 W32/Sober.C@mm
    798 W32/Swen.A@mm
    175 W32/Bagle.B@mm
    157 W32/Lentin.F@mm
     60 W32/Dumaru.Y@mm
     48 W32/Mydoom.B@mm.unp
     38 W32/Klez.H@mm
     33 W32/Lentin.H@mm
     28 W32/Mimail.J@mm
     26 W32/Magistr.28672@mm
     25 W32/Bugbear.B@mm
     25 W32/Mimail.I@mm
     21 W32/Dumaru.Z@mm
     17 W32/Mimail.C@mm
     11 W32/Ganda.A@mm
     10 W32/Sobig.F@mm
      9 W32/Swen.B@mm
      7 W32/Mydoom.B@mm
      6 UNKNOWN
      6 W32/Lentin.J@mm
      4 W32/Mimail.Q@mm
      4 W32/Ska.10000.worm@m
      4 W32/Lentin.D@mm

Already today's #1 in a few hours.

Bye,
Raymond.

From dbird at SGHMS.AC.UK Wed Feb 18 15:09:26 2004
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:22:34 2006
Subject: Silent Viruses update
In-Reply-To: <403262DA.6090209@bangor.ac.uk>
References: <403262DA.6090209@bangor.ac.uk>
Message-ID: <40338026.4030408@sghms.ac.uk>

Martin Sapsed wrote:

> Anyone still maintaining a Silent Viruses list should add Tanx to it if
> they use Sophos. I think Symantec have put it in the Beagle family.
> Don't know about the others.

Mcafee have it listed as W32/Netsky.b@MM. We just have added '@MM' to our
list of silent viruses which I believe should do the trick for all the mass
mailing worms from now on..

Dan

>
> Anyone who's given up on notifying senders about Viruses, please ignore
> this message!
>
> Cheers,
>
> Martin
>
> --
> Martin Sapsed
> Information Services "Who do you say I am?"
> University of Wales, Bangor Jesus of Nazareth
>

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
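An added example, not part of any poster's message and not MailScanner's own code: a coverage check for a silent-viruses list against the report names posted in this thread. It assumes an entry matches when it is a plain substring of the scanner's report name, and treats case sensitivity as a switch because the thread shows both `@MM` and `@mm`; the function names are hypothetical.

```python
"""Coverage check for a "silent viruses" list (added illustration).

Report names and counts are copied from messages in this thread. The
matching rule (plain substring of the report name) is an assumption made
for this example, not a statement of how MailScanner matches.
"""

# Report names as posted, keyed by the scanner the poster named.
REPORT_NAMES = {
    "Sophos": ["Netsky-B", "Tanx"],
    "ClamAV": ["Worm.SomeFool"],
    "McAfee": ["W32/Netsky.b@MM"],
    "tally posts": ["W32/Netsky.B@mm"],  # scanner not named alongside the tally
}

# One server's tally for the day, as posted (leading "|" kept from the mail).
TALLY = """
| 267 W32/Sober.C@mm
| 185 W32/Mydoom.A@mm
| 170 W32/Dumaru.A@mm
| 152 W32/Netsky.B@mm
|  68 W32/Swen.A@mm
"""


def is_silent(name, silent_list, ignore_case):
    """True if any silent-list entry occurs inside the report name."""
    if ignore_case:
        name = name.lower()
        silent_list = [entry.lower() for entry in silent_list]
    return any(entry in name for entry in silent_list)


def uncovered(silent_list, ignore_case):
    """Return {scanner: [names]} for report names no entry matches."""
    gaps = {}
    for scanner, names in REPORT_NAMES.items():
        missed = [n for n in names if not is_silent(n, silent_list, ignore_case)]
        if missed:
            gaps[scanner] = missed
    return gaps


def parse_tally(text):
    """Parse 'count name' lines, tolerating a leading '|' and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip().lstrip("|").strip()
        if not line:
            continue
        count, name = line.split(None, 1)
        rows.append((int(count), name))
    return rows


def silenced_share(silent_list, ignore_case, tally=TALLY):
    """Return (detections silenced, total detections) for the tally."""
    rows = parse_tally(tally)
    total = sum(count for count, _ in rows)
    hit = sum(count for count, name in rows
              if is_silent(name, silent_list, ignore_case))
    return hit, total


if __name__ == "__main__":
    for ignore_case in (False, True):
        print("ignore_case =", ignore_case)
        print("  silenced:", silenced_share(["@MM"], ignore_case))
        print("  gaps:    ", uncovered(["@MM"], ignore_case))
    print("combined list gaps:",
          uncovered(["@MM", "Netsky", "Tanx", "SomeFool"], False))
```

Under these assumptions a lone `@MM` entry only helps for scanners that append that suffix, and only if the comparison ignores case or the entry is written the way the scanner writes it; the Sophos and ClamAV names still need their own entries.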
From mailscanner at ecs.soton.ac.uk Wed Feb 18 15:02:25 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:34 2006 Subject: Single process taking over? In-Reply-To: <008401c3f62a$9915ade0$2501a8c0@cnpapers.net> References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk> <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au> <6.0.1.1.2.20040217122321.04062008@imap.ecs.soton.ac.uk> <019601c3f56b$155b0be0$a801a8c0@cnpapers.net> <6.0.1.1.2.20040217163027.03a1bd48@imap.ecs.soton.ac.uk> <055601c3f598$e3b30420$a801a8c0@cnpapers.net> <6.0.1.1.2.20040217210631.03cc1490@imap.ecs.soton.ac.uk> <057201c3f59d$d4dc8c00$a801a8c0@cnpapers.net> <008401c3f62a$9915ade0$2501a8c0@cnpapers.net> Message-ID: <6.0.1.1.2.20040218150212.040d21b0@imap.ecs.soton.ac.uk> At 14:22 18/02/2004, you wrote: >Mr. Field, > >All seems resolved now. I still have auto_expire off, and will test this >later in the week. > >By the way, should I have seen any other files in the root/.spamassassin >directory other than the 3 bayes files and the user prefs file? If not, >should your procedure of moving/rewriting these files be done on a regular >basis? What else have you got in there. Show us an "ls -al". >Thank you ever so much. > >Steve Campbell >campbell@cnpapers.com >Charleston Newspapers > > >----- Original Message ----- >From: "Stephe Campbell" >To: >Sent: Tuesday, February 17, 2004 4:34 PM >Subject: Re: Single process taking over? > > > > Mr. Field: > > > > Done. There were 4 files in the /root/.spamassassin folder, the 3 bayes > > files along with user prefs. I assume you wanted bayes turned back on, so >it > > is running that way. I will try to let it run overnight and see how it >does, > > unless it starts crapping sooner. > > > > By the way, I don't have in either MailScanner.conf or > > spam.assassin.prefs.conf a configuration line such as: > > > > auto_learn 0 > > > > Could this have helped in any way? 
I was auto learning on most of my mail > > before I turned it off. I have also disabled the auto_expire, which was > > running and maybe causing the .new files. > > > > Thanks again. > > > > Steve Campbell > > campbell@cnpapers.com > > Charleston Newspapers > > > > ----- Original Message ----- > > From: "Julian Field" > > To: > > Sent: Tuesday, February 17, 2004 4:08 PM > > Subject: Re: Single process taking over? > > > > > > > As a rather off-the-wall test, can you check to ensure there are no >stray > > > locks outstanding. > > > cd ~root/.spamassassin > > > mkdir temp > > > cp * temp > > > rm * > > > mv temp/* . > > > then restart MailScanner with the bayes engine turned back on. > > > It theoretically shouldn't help, but have seen this improve things in >the > > > past in other applications. > > > > > > At 20:59 17/02/2004, you wrote: > > > >Mr. Field: > > > > > > > >Thank you very much. I have updated clamav to 0.67, and SA to their > > latest > > > >(one at a time, of course for testing purposes). Neither seemed to > > provide > > > >much help, but turning off Bayes, so far has seemed to allow MS to keep > > up. > > > > > > > >Again, my load average is back to it's normal range of 5.00+ whenever > > there > > > >are emails to scan instead of spiralling down to sub 0.75 levels > > regardless > > > >of what was in incoming. If only I had a machine where the lower range > > was > > > >normal. > > > > > > > >I will follow the list in the event something is found with the latest > > bayes > > > >engine. > > > > > > > >Thank you very much. > > > > > > > >Steve Campbell > > > >campbell@cnpapers.com > > > >Charleston Newspapers > > > > > > > >----- Original Message ----- > > > >From: "Julian Field" > > > >To: > > > >Sent: Tuesday, February 17, 2004 11:31 AM > > > >Subject: Re: Single process taking over? > > > > > > > > > > > > > Can you try switching off Bayes (use_bayes 0 in > > spam.assassin.prefs.conf). > > > > > Then let me know if the problem recurs. 
> > > > > > > > > > Also, upgrade your SA to 2.63 in case you are seeing a bug in SA. > > > > > > > > > > At 15:31 17/02/2004, you wrote: > > > > > >Mr. Field, > > > > > > > > > > > >I have been going through pretty much the same situation as >described > > > >with > > > > > >this post. The exception is that my machine does not show a > > domineering > > > > > >process and load average drops to near nothing. I have been trying >to > > > >change > > > > > >sendmail to remedy this problem, but I may be looking at the wrong > > part > > > >of > > > > > >the puzzle. I have still not determined what is going on, but I do > > see a > > > >lot > > > > > >of Bayes lock files and one main bayes.lock file. It peaks once I >see > > the > > > > > >bayes_toks.new file which seems to stay around forever. I offer >this > > only > > > >to > > > > > >maybe point things toward a solution. > > > > > > > > > > > >I am running > > > > > > MS 4.26.8-1 > > > > > > SA 2.61-1 > > > > > > ClamAV 0.65 > > > > > > MailWatch 0.5.1 > > > > > > Sendmail 8.11.6-27.73 > > > > > > RH 7.3 > > > > > > > > > > > >I upgraded MS on a Monday and MailWatch on a Wednesday. That week > > > >problems > > > > > >started happening. The problems seemed to be resolved by my >removing > > my > > > > > >Bayes files (you suggested poisoning, and this appeared to have >been > > the > > > > > >case), but since I must stop MS, remove all of the bayes lock >files, > > the > > > > > >bayes_tok.new file, restart MS and all appears fine. Load average > > climbs > > > >to > > > > > >normal to normal-high limits, my incoming backlog clears quickly >and > > > > > >everything is fine. I replaced my Message.pm file with the the one > > you > > > > > >posted to the list, and that is the only other change I have made >to > > the > > > > > >above installed programs. > > > > > > > > > > > >I hope some common thread may appear from my configuration and what > > > >others > > > > > >describe to shed some light on this. 
Most people don't complain >about > > > >load > > > > > >averages this low, but to me it signals a slow down in my mail > > system, > > > > > >creating backlogs in the incoming queue. > > > > > > > > > > > >Thank you for your efforts, sir. > > > > > > > > > > > >Steve Campbell > > > > > >campbell@cnpapers.com > > > > > >Charleston Newspapers > > > > > > > > > > > >----- Original Message ----- > > > > > >From: "Julian Field" > > > > > >To: > > > > > >Sent: Tuesday, February 17, 2004 7:24 AM > > > > > >Subject: Re: Single process taking over? > > > > > > > > > > > > > > > > > > > At 11:38 17/02/2004, you wrote: > > > > > > > > > -----Original Message----- > > > > > > > > > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] > > > >On > > > > > > > > > Behalf Of Julian Field > > > > > > > > > Sent: Tuesday, 17 February 2004 8:36 PM > > > > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > > > > Subject: Re: Single process taking over? > > > > > > > > > > > > > > > > > > Ah, a reproducible fault! I like those :-) > > > > > > > > > > > > > > > >I don't!! :) > > > > > > > > > > > > > > > > > What does your MailScanner.conf look like? (just the > > interesting > > > >bits, > > > > > > > > > don't care what all the filenames of your reports are and > > stuff > > > >like > > > > > > > > > that). > > > > > > > > > > > > > > > >See below.. > > > > > > > > > > > > > > > > > What virus scanner(s), SpamAssassin, etc? > > > > > > > > > > > > > > > >ClamAV, McAfee, Spamassassin 2.6.3, DCC, Razor > > > > > > > > > > > > > > > > > What is the last thing the runaway process logs before CPU > > > >hogging? > > > > > > > > > > > > > > > >Nothing abnormal, just the process starting and mail being > > processed, > > > > > >even > > > > > > > >in verbose logging, it just appears to be a normal process that > > won't > > > >let > > > > > > > >the other threads have any resources. 
If I kill it, the other > > > >threads > > > > > >spawn > > > > > > > >and run as per normal. > > > > > > > > > > > > > > > > > Does the CPU hogging start the instant you start >MailScanner, > > or > > > >the > > > > > > > > > instant the first child process runs, or when? > > > > > > > > > > > > > > > >As soon as mail begins to be processed. If no mail is in the > > queue, > > > >not > > > > > > > >hogging, but the second any mail is in queue it's hogging. > > > > > > > > > > > > > > > >MailScanner.conf > > > > > > > >============================================ > > > > > > > >Max Children = 4 > > > > > > > >Queue Scan Interval = 1 > > > > > > > >MTA = sendmail > > > > > > > >Max Unscanned Bytes Per Scan = 100000000 > > > > > > > >Max Unsafe Bytes Per Scan = 50000000 > > > > > > > >Max Unscanned Messages Per Scan = 15 > > > > > > > >Max Unsafe Messages Per Scan = 15 > > > > > > > >Virus Scanning = yes > > > > > > > >Virus Scanners = mcafee clamav > > > > > > > >Virus Scanner Timeout = 300 > > > > > > > >Spam Checks = yes > > > > > > > >Spam List = > > > > > > > >Use SpamAssassin = yes > > > > > > > >Max SpamAssassin Size = 90000 > > > > > > > >Deliver In Background = yes > > > > > > > >Delivery Method = batch > > > > > > > > > > > > > > Do you reckon you could reproduce the problem on a box to which > > you > > > >could > > > > > > > give me login access? I suspect it's something very simple, but >I > > have > > > > > > > never witnessed it here and it's apparently not a common >problem. 
> > > > > > > -- > > > > > > > Julian Field > > > > > > > www.MailScanner.info > > > > > > > MailScanner thanks transtec Computers for their support > > > > > > > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > -- > > > > > Julian Field > > > > > www.MailScanner.info > > > > > MailScanner thanks transtec Computers for their support > > > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Feb 18 15:04:26 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:34 2006 Subject: Performance In-Reply-To: <003601c3f627$e68eedf0$4919000a@ATLCPW13671> References: <6.0.1.1.2.20040218105634.037e35a0@imap.ecs.soton.ac.uk> <003601c3f627$e68eedf0$4919000a@ATLCPW13671> Message-ID: <6.0.1.1.2.20040218150329.0411f720@imap.ecs.soton.ac.uk> At 14:02 18/02/2004, you wrote: >All, > >I have tried in the past to generate traffic that would provide me a decen >idea of capacity. > >My production system is a dual 550 P4 with 512Mb RAM and SCSI Raid 0+1. > >I'm using tempfs and have made a number of tuning changes thanks to this >list. I am running a full contingent of MailWatch (on another machine) and >my production MTA is running MySQL logging into the second server's db for >MailWatch. > >I added a new domain the day before yesterday and ran my message volume up >over 10X what it was processing. > >I ran almost 20K messages through the system yesterday...is that inline with >what you guys have seen am I on the high side or the low side. 
My machine
>took a beating, but kept on trucking.
>
>I did have a small bayes db corruption issue late last night...I ended up
>rebuilding from scratch and performance seems better today....
>
>Any feedback?

Give it some more RAM and increase the Max Children to about 10. It will
need at least 1Gb in total. That should improve throughput.
The database logging is quite an overhead.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From stefanzman at yahoo.com Wed Feb 18 15:32:23 2004
From: stefanzman at yahoo.com (Stefan Zauchenberger)
Date: Thu Jan 12 21:22:34 2006
Subject: Perl version
Message-ID: <20040218153223.60156.qmail@web41310.mail.yahoo.com>

Can anyone advise me on this?

The customer's machine has two instances of Perl, one "real" one (for system
purposes) and an updated version (5.8) in /home/spam-filter - along with SA.

perl -e 'print @INC;' shows the following output:

/usr/lib/perl5/5.00503/i386-linux/usr/lib/perl5/5.00503/usr/lib/perl5/site_perl/5.005/i386-linux/usr/lib/perl5/site_perl/5.005.

Yet, MailScanner is using the SA and Perl in /home/spam-filter.

How is this done and how can I be sure not to break it when upgrading SA?

TIA,

Stefan

From P.G.M.Peters at utwente.nl Wed Feb 18 15:44:40 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:34 2006
Subject: Silent Viruses update
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C539@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C539@jessica.herefordshire.gov.uk>
Message-ID:

On Wed, 18 Feb 2004 14:52:20 -0000, you wrote:

>We've just got our first copy of this - ClamAv reports it as Worm.SomeFool

I've got a load of them. Bot all of 0 size.
--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at utwente.nl Wed Feb 18 15:57:22 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:34 2006
Subject: Silent Viruses update
In-Reply-To:
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C539@jessica.herefordshire.gov.uk>
Message-ID:

On Wed, 18 Feb 2004 16:44:40 +0100, I wrote:

>>We've just got our first copy of this - ClamAv reports it as Worm.SomeFool
>
>I've got a load of them. Bot all of 0 size.

That's my mailbox. For our mailservers:

| 267 W32/Sober.C@mm
| 185 W32/Mydoom.A@mm
| 170 W32/Dumaru.A@mm
| 152 W32/Netsky.B@mm
|  68 W32/Swen.A@mm

For today on one of three. F-prot got update 15:00 GMT +0100. For the
whole month it is still not in the top 10.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From campbell at CNPAPERS.COM Wed Feb 18 16:02:49 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:34 2006
Subject: Single process taking over?
References: <6.0.1.1.2.20040217093414.03a46ab0@imap.ecs.soton.ac.uk>
 <200402171138.i1HBc8C06677@mx1.mailsecurity.net.au>
 <6.0.1.1.2.20040217122321.04062008@imap.ecs.soton.ac.uk>
 <019601c3f56b$155b0be0$a801a8c0@cnpapers.net>
 <6.0.1.1.2.20040217163027.03a1bd48@imap.ecs.soton.ac.uk>
 <055601c3f598$e3b30420$a801a8c0@cnpapers.net>
 <6.0.1.1.2.20040217210631.03cc1490@imap.ecs.soton.ac.uk>
 <057201c3f59d$d4dc8c00$a801a8c0@cnpapers.net>
 <008401c3f62a$9915ade0$2501a8c0@cnpapers.net>
 <6.0.1.1.2.20040218150212.040d21b0@imap.ecs.soton.ac.uk>
Message-ID: <00ba01c3f638$a8267540$2501a8c0@cnpapers.net>

Mr. Field,

That was it.
3 bayes files and the user_prefs:

drwx------    3 root     root         4096 Feb 17 16:26 .
drwxr-xr-x   17 root     root         4096 Feb 18 09:16 ..
-rw-------    1 root     root       141509 Feb 17 16:25 bayes_journal
-rw-------    1 root     root      2506752 Feb 17 16:25 bayes_seen
-rw-------    1 root     root      8818688 Feb 17 16:25 bayes_toks
drwxr-xr-x    2 root     root         4096 Feb 17 16:26 temp
-rw-r--r--    1 root     root         1178 Feb 17 16:25 user_prefs

I'm not real sure, though, what caused the fix. As I indicated, I upgraded
ClamAV and SpamAssassin, and tested each before proceeding to the next step.
Neither seemed to fix the problem on a short-term basis. Maybe letting them
run longer would have fixed something or showed a different result.

I then did your suggestion for the bayes locks in the root home directory.
This was all that was there before and after the move. I did turn bayes off
and back on after the move of these files to temp.

I also have auto_expire off now. So I ventured from good problem solving and
did two things at once - the mv of all the files into temp directory and
turning off auto_expiry. That's why I thought I might turn this back on later
since SA was updated. I never did see a "completion" in my maillogs for the
expiry.

My personal feelings about all of this has always been the Auto_expire stuff,
but I'm no expert, as you may be able to tell from my sometimes sporadic
posts, and was going to attempt the switching off of this prior to your
replies.

Thanks

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Julian Field"
To:
Sent: Wednesday, February 18, 2004 10:02 AM
Subject: Re: Single process taking over?

> At 14:22 18/02/2004, you wrote:
> >Mr. Field,
> >
> >All seems resolved now. I still have auto_expire off, and will test this
> >later in the week.
> >
> >By the way, should I have seen any other files in the root/.spamassassin
> >directory other than the 3 bayes files and the user prefs file?
If not, > >should your procedure of moving/rewriting these files be done on a regular > >basis? > > What else have you got in there. Show us an "ls -al". > > > > >Thank you ever so much. > > > >Steve Campbell > >campbell@cnpapers.com > >Charleston Newspapers > > > > > >----- Original Message ----- > >From: "Stephe Campbell" > >To: > >Sent: Tuesday, February 17, 2004 4:34 PM > >Subject: Re: Single process taking over? > > > > > > > Mr. Field: > > > > > > Done. There were 4 files in the /root/.spamassassin folder, the 3 bayes > > > files along with user prefs. I assume you wanted bayes turned back on, so > >it > > > is running that way. I will try to let it run overnight and see how it > >does, > > > unless it starts crapping sooner. > > > > > > By the way, I don't have in either MailScanner.conf or > > > spam.assassin.prefs.conf a configuration line such as: > > > > > > auto_learn 0 > > > > > > Could this have helped in any way? I was auto learning on most of my mail > > > before I turned it off. I have also disabled the auto_expire, which was > > > running and maybe causing the .new files. > > > > > > Thanks again. > > > > > > Steve Campbell > > > campbell@cnpapers.com > > > Charleston Newspapers > > > > > > ----- Original Message ----- > > > From: "Julian Field" > > > To: > > > Sent: Tuesday, February 17, 2004 4:08 PM > > > Subject: Re: Single process taking over? > > > > > > > > > > As a rather off-the-wall test, can you check to ensure there are no > >stray > > > > locks outstanding. > > > > cd ~root/.spamassassin > > > > mkdir temp > > > > cp * temp > > > > rm * > > > > mv temp/* . > > > > then restart MailScanner with the bayes engine turned back on. > > > > It theoretically shouldn't help, but have seen this improve things in > >the > > > > past in other applications. > > > > > > > > At 20:59 17/02/2004, you wrote: > > > > >Mr. Field: > > > > > > > > > >Thank you very much. 
I have updated clamav to 0.67, and SA to their > > > latest > > > > >(one at a time, of course for testing purposes). Neither seemed to > > > provide > > > > >much help, but turning off Bayes, so far has seemed to allow MS to keep > > > up. > > > > > > > > > >Again, my load average is back to it's normal range of 5.00+ whenever > > > there > > > > >are emails to scan instead of spiralling down to sub 0.75 levels > > > regardless > > > > >of what was in incoming. If only I had a machine where the lower range > > > was > > > > >normal. > > > > > > > > > >I will follow the list in the event something is found with the latest > > > bayes > > > > >engine. > > > > > > > > > >Thank you very much. > > > > > > > > > >Steve Campbell > > > > >campbell@cnpapers.com > > > > >Charleston Newspapers > > > > > > > > > >----- Original Message ----- > > > > >From: "Julian Field" > > > > >To: > > > > >Sent: Tuesday, February 17, 2004 11:31 AM > > > > >Subject: Re: Single process taking over? > > > > > > > > > > > > > > > > Can you try switching off Bayes (use_bayes 0 in > > > spam.assassin.prefs.conf). > > > > > > Then let me know if the problem recurs. > > > > > > > > > > > > Also, upgrade your SA to 2.63 in case you are seeing a bug in SA. > > > > > > > > > > > > At 15:31 17/02/2004, you wrote: > > > > > > >Mr. Field, > > > > > > > > > > > > > >I have been going through pretty much the same situation as > >described > > > > >with > > > > > > >this post. The exception is that my machine does not show a > > > domineering > > > > > > >process and load average drops to near nothing. I have been trying > >to > > > > >change > > > > > > >sendmail to remedy this problem, but I may be looking at the wrong > > > part > > > > >of > > > > > > >the puzzle. I have still not determined what is going on, but I do > > > see a > > > > >lot > > > > > > >of Bayes lock files and one main bayes.lock file. 
It peaks once I > >see > > > the > > > > > > >bayes_toks.new file which seems to stay around forever. I offer > >this > > > only > > > > >to > > > > > > >maybe point things toward a solution. > > > > > > > > > > > > > >I am running > > > > > > > MS 4.26.8-1 > > > > > > > SA 2.61-1 > > > > > > > ClamAV 0.65 > > > > > > > MailWatch 0.5.1 > > > > > > > Sendmail 8.11.6-27.73 > > > > > > > RH 7.3 > > > > > > > > > > > > > >I upgraded MS on a Monday and MailWatch on a Wednesday. That week > > > > >problems > > > > > > >started happening. The problems seemed to be resolved by my > >removing > > > my > > > > > > >Bayes files (you suggested poisoning, and this appeared to have > >been > > > the > > > > > > >case), but since I must stop MS, remove all of the bayes lock > >files, > > > the > > > > > > >bayes_tok.new file, restart MS and all appears fine. Load average > > > climbs > > > > >to > > > > > > >normal to normal-high limits, my incoming backlog clears quickly > >and > > > > > > >everything is fine. I replaced my Message.pm file with the the one > > > you > > > > > > >posted to the list, and that is the only other change I have made > >to > > > the > > > > > > >above installed programs. > > > > > > > > > > > > > >I hope some common thread may appear from my configuration and what > > > > >others > > > > > > >describe to shed some light on this. Most people don't complain > >about > > > > >load > > > > > > >averages this low, but to me it signals a slow down in my mail > > > system, > > > > > > >creating backlogs in the incoming queue. > > > > > > > > > > > > > >Thank you for your efforts, sir. > > > > > > > > > > > > > >Steve Campbell > > > > > > >campbell@cnpapers.com > > > > > > >Charleston Newspapers > > > > > > > > > > > > > >----- Original Message ----- > > > > > > >From: "Julian Field" > > > > > > >To: > > > > > > >Sent: Tuesday, February 17, 2004 7:24 AM > > > > > > >Subject: Re: Single process taking over? 
> > > > > > > > > > > > > > > > > > > > > > At 11:38 17/02/2004, you wrote: > > > > > > > > > > -----Original Message----- > > > > > > > > > > From: MailScanner mailing list > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] > > > > >On > > > > > > > > > > Behalf Of Julian Field > > > > > > > > > > Sent: Tuesday, 17 February 2004 8:36 PM > > > > > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > > > > > Subject: Re: Single process taking over? > > > > > > > > > > > > > > > > > > > > Ah, a reproducible fault! I like those :-) > > > > > > > > > > > > > > > > > >I don't!! :) > > > > > > > > > > > > > > > > > > > What does your MailScanner.conf look like? (just the > > > interesting > > > > >bits, > > > > > > > > > > don't care what all the filenames of your reports are and > > > stuff > > > > >like > > > > > > > > > > that). > > > > > > > > > > > > > > > > > >See below.. > > > > > > > > > > > > > > > > > > > What virus scanner(s), SpamAssassin, etc? > > > > > > > > > > > > > > > > > >ClamAV, McAfee, Spamassassin 2.6.3, DCC, Razor > > > > > > > > > > > > > > > > > > > What is the last thing the runaway process logs before CPU > > > > >hogging? > > > > > > > > > > > > > > > > > >Nothing abnormal, just the process starting and mail being > > > processed, > > > > > > >even > > > > > > > > >in verbose logging, it just appears to be a normal process that > > > won't > > > > >let > > > > > > > > >the other threads have any resources. If I kill it, the other > > > > >threads > > > > > > >spawn > > > > > > > > >and run as per normal. > > > > > > > > > > > > > > > > > > > Does the CPU hogging start the instant you start > >MailScanner, > > > or > > > > >the > > > > > > > > > > instant the first child process runs, or when? > > > > > > > > > > > > > > > > > >As soon as mail begins to be processed. If no mail is in the > > > queue, > > > > >not > > > > > > > > >hogging, but the second any mail is in queue it's hogging. 
> > > > > > > > > > > > > > > > > >MailScanner.conf > > > > > > > > >============================================ > > > > > > > > >Max Children = 4 > > > > > > > > >Queue Scan Interval = 1 > > > > > > > > >MTA = sendmail > > > > > > > > >Max Unscanned Bytes Per Scan = 100000000 > > > > > > > > >Max Unsafe Bytes Per Scan = 50000000 > > > > > > > > >Max Unscanned Messages Per Scan = 15 > > > > > > > > >Max Unsafe Messages Per Scan = 15 > > > > > > > > >Virus Scanning = yes > > > > > > > > >Virus Scanners = mcafee clamav > > > > > > > > >Virus Scanner Timeout = 300 > > > > > > > > >Spam Checks = yes > > > > > > > > >Spam List = > > > > > > > > >Use SpamAssassin = yes > > > > > > > > >Max SpamAssassin Size = 90000 > > > > > > > > >Deliver In Background = yes > > > > > > > > >Delivery Method = batch > > > > > > > > > > > > > > > > Do you reckon you could reproduce the problem on a box to which > > > you > > > > >could > > > > > > > > give me login access? I suspect it's something very simple, but > >I > > > have > > > > > > > > never witnessed it here and it's apparently not a common > >problem. 
> > > > > > > > --
> > > > > > > > Julian Field
> > > > > > > > www.MailScanner.info
> > > > > > > > MailScanner thanks transtec Computers for their support
> > > > > > > >
> > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > > > > >
> > > > > > --
> > > > > > Julian Field
> > > > > > www.MailScanner.info
> > > > > > MailScanner thanks transtec Computers for their support
> > > > > >
> > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > > >
> > > > --
> > > > Julian Field
> > > > www.MailScanner.info
> > > > Professional Support Services at www.MailScanner.biz
> > > > MailScanner thanks transtec Computers for their support
> > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 18 16:08:07 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:34 2006
Subject: Silent Viruses update
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C53F@jessica.herefordshire.gov.uk>

(ED) stands for "Early Detection" - McAfee's 4325 DAT files are out now and call it W32/Netsky.b@MM

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Tony Finch
> Sent: 18 February 2004 15:16
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Silent Viruses update
>
>
> Daniel Bird wrote:
> >
> >Mcafee have it listed as W32/Netsky.b@MM.
> >We just have added '@MM' to our list of silent viruses which I believe
> >should do the trick for all the mass mailing worms from now on..
>
> Note that the extra.dat that I'm currently using to filter Netsky
> calls it W32/Netsky (ED) which is not as helpful as would be nice.
>
> Tony.
> --
> f.a.n.finch http://dotat.at/
> LANDS END TO ST DAVIDS HEAD INCLUDING THE BRISTOL CHANNEL:
> NORTHEAST 2 TO 4,
> INCREASING 4 OR 5 OVERNIGHT. FAIR. GOOD. SLIGHT TO MODERATE,
> BUT SMOOTH IN
> SHELTER.
>

From mkettler at EVI-INC.COM Wed Feb 18 16:24:59 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:34 2006
Subject: Feature concept... "noisy viruses"?
Message-ID: <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com>

The debates on the merits of virus notifications go back and forth all the time, but that aside, I'm curious if an inversion of MailScanner's current "silent viruses" feature has ever been considered.

Right now, I've got MailScanner set to never notify senders of viruses. I do this to save myself from the hassle of having to rush and update the "silent viruses" list every time a new worm hits the net.

However, there are a few (albeit somewhat rare here) viruses which don't forge senders, or are pure file infectors without mass-mail capacity. Some question the merits of notifying senders of these as well, but at least in these cases one can argue that the notification is at least correct and could prove useful.

I propose it would be useful to have a feature in which I can declare which viruses should have a notification sent, instead of declaring a list of which ones should not. This gives me the benefit of not puking on other networks when new viruses come out, as new viruses wouldn't be on the notify list until I manually added it. Yet it does offer the ability to notify senders of viruses of a specific list of viruses which are known to not use forgery.

I've not seen a discussion of this before, but I could have missed it in my scan of my archives. Any comments, considerations that I may have overlooked?

From bob.jones at USG.EDU Wed Feb 18 16:45:29 2004
From: bob.jones at USG.EDU (Bob Jones)
Date: Thu Jan 12 21:22:34 2006
Subject: A problem.
Message-ID: <403396A9.1060908@usg.edu>

Hey...
From bob.jones at USG.EDU Wed Feb 18 16:48:46 2004
From: bob.jones at USG.EDU (Bob Jones)
Date: Thu Jan 12 21:22:34 2006
Subject: Apology.
Message-ID: <4033976E.3010109@usg.edu>

I apologize for the previous message fragment... it was sent to mailscanner by mistake.

Sorry,
Bob

From jonc at nc.rr.com Wed Feb 18 16:52:48 2004
From: jonc at nc.rr.com (Jon Carnes)
Date: Thu Jan 12 21:22:34 2006
Subject: A problem.
In-Reply-To: <403396A9.1060908@usg.edu>
References: <403396A9.1060908@usg.edu>
Message-ID: <1077123168.3182.12.camel@localhost.localdomain>

On Wed, 2004-02-18 at 11:45, Bob Jones wrote:
> Hey...

Ho...

From ka at PACIFIC.NET Wed Feb 18 16:52:48 2004
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:22:34 2006
Subject: spam handling rules with +detail email addresses?
In-Reply-To: <6.0.1.1.2.20040218091643.03e433c0@imap.ecs.soton.ac.uk>
References: <4032BA22.7090507@pacific.net> <6.0.1.1.2.20040218091643.03e433c0@imap.ecs.soton.ac.uk>
Message-ID: <40339860.7020309@pacific.net>

Julian Field wrote:
> At 01:04 18/02/2004, you wrote:
>
>> How does MailScanner/SA handle incoming email addressed to
>> user+detail@domain.com in rules?
>>
>> Sendmail will strip everything after/including the + sign, and deliver
>> to the 'user', but rules in MailScanner for both user+detail@domain.com
>> AND user@domain.com seem to be bypassed when using this syntax in an
>> email.
>>
>> I've only tested with rules/spam.actions.rules like this:
>>
>> To: user+detail@domain.com store notify
>> To: user@domain.com store notify
>>
>> Both are bypassed and mail gets the default action applied to it if it's
>> addressed to user+detail@domain.com
>
>
> But what is the envelope recipient address in this case? user or
> user+detail?

user+detail@domain.com is the envelope recipient reported in the sendmail log. The entry below doesn't seem to work. The message gets the default rule applied instead of the 'store notify' rule.
To: user+detail@domain.com store notify

I tried both the suggestions below, and they do properly apply the action "store notify", but for some reason, sendmail then tries to deliver the message back to 127.0.0.1 instead of the mail hub!
This creates a problem with the same message being scanned, then redelivered to the incoming sendmail and looping. Other 'store notify' rules that are defined for normal email addresses work fine.

We forward mail from the MailScanner box to the mailhub using the virtusertable feature. No other rule or config issue has broken this before, so I'm not sure what's happening. I'll turn up logging in sendmail and see if it will tell me what it's doing with this mail.

Any ideas what is going on?

Thanks,
Ken Anderson
Pacific.Net

> You could do it with
> To: user@domain.com store notify
> To: user+*@domain.com store notify
> or
> To: /user(\+.*)?\@domain\.com/ store notify
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>

From lists at STHOMAS.NET Wed Feb 18 17:08:08 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:34 2006
Subject: A problem.
In-Reply-To: <1077123168.3182.12.camel@localhost.localdomain>; from jonc@nc.rr.com on Wed, Feb 18, 2004 at 11:52:48AM -0500
References: <403396A9.1060908@usg.edu> <1077123168.3182.12.camel@localhost.localdomain>
Message-ID: <20040218090808.B16520@sthomas.net>

On Wed, Feb 18, 2004 at 11:52:48AM -0500, Jon Carnes is rumored to have said:
>
> On Wed, 2004-02-18 at 11:45, Bob Jones wrote:
> > Hey...
>
> Ho...

Let's go...
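The rule patterns from the "spam handling rules with +detail email addresses?" thread above, run through a small first-match-wins model. This is an added example, not MailScanner's own code: `naive` is a hypothetical translation in which `+` stays a regex quantifier, which reproduces the three outcomes reported in the thread but is not confirmed by the page, and treating `/.../` rules as unanchored searches is likewise an assumption. The lookalike addresses are constructed.

```python
import re

STORE = "store notify"

# Rules exactly as written in the thread.
KEN_RULES = [("user+detail@domain.com", STORE), ("user@domain.com", STORE)]
WILDCARD_RULES = [("user@domain.com", STORE), ("user+*@domain.com", STORE)]
REGEX_RULES = [(r"/user(\+.*)?\@domain\.com/", STORE)]
# Added variant (not from the thread): the same regex with explicit anchors.
ANCHORED_RULES = [(r"/^user(\+.*)?\@domain\.com$/", STORE)]


def naive(pattern):
    """Hypothetical translation: '.' is escaped and '*' becomes '.*',
    but '+' is left alone and therefore acts as a regex quantifier."""
    body = pattern.replace(".", r"\.").replace("*", ".*")
    return re.compile("^" + body + "$", re.IGNORECASE)


def literal(pattern):
    """Translation that escapes every character; only '*' is a wildcard."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def compile_rule(pattern, translate):
    # A /.../ rule is used as written and searched anywhere in the
    # address (assumption); anything else goes through `translate`.
    if len(pattern) > 2 and pattern[0] == "/" and pattern[-1] == "/":
        return re.compile(pattern[1:-1], re.IGNORECASE)
    return translate(pattern)


def action_for(recipient, rules, translate=naive, default="default"):
    """Return the action of the first rule that matches the recipient."""
    for pattern, action in rules:
        if compile_rule(pattern, translate).search(recipient):
            return action
    return default


def report():
    """Evaluate each ruleset against the thread's recipient and lookalikes."""
    rcpt = "user+detail@domain.com"          # envelope recipient in the thread
    lookalikes = ["userdetail@domain.com",    # constructed
                  "superuser@domain.com",     # constructed
                  "user@domain.com.example.net"]  # constructed
    rows = [
        ("literal rule, naive", rcpt, action_for(rcpt, KEN_RULES)),
        ("literal rule, escaped", rcpt, action_for(rcpt, KEN_RULES, literal)),
        ("wildcard rule, naive", rcpt, action_for(rcpt, WILDCARD_RULES)),
        ("regex rule", rcpt, action_for(rcpt, REGEX_RULES)),
    ]
    for addr in lookalikes:
        rows.append(("literal rule, naive", addr, action_for(addr, KEN_RULES)))
        rows.append(("regex rule", addr, action_for(addr, REGEX_RULES)))
        rows.append(("anchored regex", addr, action_for(addr, ANCHORED_RULES)))
    return rows


if __name__ == "__main__":
    for label, addr, action in report():
        print(f"{label:24} {addr:30} -> {action}")
```

Under these assumptions the unanchored regex also applies `store notify` to addresses that merely contain the pattern, while the anchored variant limits it to `user@domain.com` and `user+<anything>@domain.com`.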
From dahlberg at BUCKNELL.EDU Wed Feb 18 17:06:06 2004
From: dahlberg at BUCKNELL.EDU (Michael Dahlberg)
Date: Thu Jan 12 21:22:34 2006
Subject: Upgrade to 4.26.8 and performance bottlenecks
In-Reply-To: <20040218022717.1FE7E21C151@mail.fsl.com>
References: <20040218012507.GA13566@bucknell.edu> <20040218022717.1FE7E21C151@mail.fsl.com>
Message-ID: <20040218170604.GA1462@bucknell.edu>

Stephen Swaney [steve.swaney@fsl.com] wrote:
> > > >
> The bottleneck will probably go away if you use sophos not sophossvai.
> Check the list archives. Various versions of the SAVI module have caused
> problems.
>
> Steve
>

Steve:

Thanks for the suggestion. It did alleviate the problem to some degree. I've got MailScanner set to spawn 10 child processes, each scanning a max of 30 messages. Switching to sophos did increase mail scanning speed, but within ~1 hr the inbound queue had just about max'd out and the load on the system had peaked.

I downgraded to 4.13 (switched the sym link) and the entire inbound queue was scanned within 20 min, while still accepting new messages for the queue.

Any other suggestions?

Thanks,
Mike

From dot at DOTAT.AT Wed Feb 18 15:16:21 2004
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:22:34 2006
Subject: Silent Viruses update
In-Reply-To:
References: <403262DA.6090209@bangor.ac.uk> <403262DA.6090209@bangor.ac.uk>
Message-ID:

Daniel Bird wrote:
>
>Mcafee have it listed as W32/Netsky.b@MM.
>We just have added '@MM' to our list of silent viruses which I believe
>should do the trick for all the mass mailing worms from now on..

Note that the extra.dat that I'm currently using to filter Netsky calls it W32/Netsky (ED) which is not as helpful as would be nice.

Tony.
--
f.a.n.finch http://dotat.at/
LANDS END TO ST DAVIDS HEAD INCLUDING THE BRISTOL CHANNEL: NORTHEAST 2 TO 4,
INCREASING 4 OR 5 OVERNIGHT. FAIR. GOOD. SLIGHT TO MODERATE, BUT SMOOTH IN
SHELTER.
From maillists at CONACTIVE.COM Wed Feb 18 17:31:37 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:34 2006
Subject: Spamassassin and Bayes files
In-Reply-To: <4032655A.8070207@ucgbook.com>
References: <5.0.2.1.2.20040217122203.01200498@127.0.0.1> <4032655A.8070207@ucgbook.com>
Message-ID:

Peter Bonivart wrote on Tue, 17 Feb 2004 20:02:50 +0100:

> I think it's best to rename /etc/mail/spamassassin/local.cf and then
> create a symlink pointing to spam.assassin.prefs.conf. Then you will
> always use the same config and you don't have to bother with adding -p
> to all commands.
>

Well, this means, this customized file would get overwritten each time I upgrade MailScanner, or not? We have been using SA much longer than MailScanner, so I prefer to configure and maintain SA at the location it used to be all the time. This way I can also easily switch to the other anti-spam solution we have. I simply changed the path to that file in MailScanner.conf and there aren't any problems. I checked the spam.assassin.prefs.conf file whether we need anything from it and decided we only need the Ignore-Header stuff, nothing else.

I don't know what you mean with the -p switch.

Of course, this still means we have to change the path each time we upgrade MailScanner or does it leave its config directory untouched when upgrading? (This is our very first MailScanner installation.)
Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From dahlberg at BUCKNELL.EDU Wed Feb 18 17:32:14 2004
From: dahlberg at BUCKNELL.EDU (Michael Dahlberg)
Date: Thu Jan 12 21:22:34 2006
Subject: Upgrade to 4.26.8 and performance bottlenecks
In-Reply-To: <4033322F.1070908@solid-state-logic.com>
References: <20040218012507.GA13566@bucknell.edu> <4033322F.1070908@solid-state-logic.com>
Message-ID: <20040218173213.GB1462@bucknell.edu>

Martin Hepworth [martinh@solid-state-logic.com] wrote:
> Mike
>
> I'd make sure that all the required perl Modules are loaded (via CPAN is
> the best way), and these may have changed for 4.26 from 4.13.
>
> Also is there any indication of problems if you set Debug=yes in the
> MailScanner.conf and run MailScanner via check_MailScanner.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>

Martin:

Thanks for the suggestions. I think the only new perl module requirement is Net-CIDR. I did add this via CPAN (MailScanner won't start without it).

I just tried setting Debug=yes and logging the speed. I get the output that follows this message. It looks as if it spends the greatest amount of time creating attachment dirs for the 30 messages. Would you agree that this might be a place to look in the code for potential bottlenecks?

Thanks,
Mike

Feb 18 10:17:58 antigen MailScanner[16912]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 18 10:18:02 antigen MailScanner[16912]: SophosSAVI 3.78 (engine 2.18) recognizing 87516 viruses
Feb 18 10:18:02 antigen MailScanner[16912]: SophosSAVI using 41 IDE files
Feb 18 10:18:04 antigen MailScanner[16912]: lock.pl sees Config LockType = flock
Feb 18 10:18:04 antigen MailScanner[16912]: lock.pl sees have_module= 0
Feb 18 10:18:04 antigen MailScanner[16912]: Using locktype = flock
Feb 18 10:18:05 antigen MailScanner[16912]: New Batch: Found 155 messages waiting
Feb 18 10:18:05 antigen MailScanner[16912]: New Batch: Scanning 30 messages, 350656 bytes
Feb 18 10:18:05 antigen MailScanner[16912]: MCP Checks completed at 350656 bytes per second
Feb 18 10:18:05 antigen MailScanner[16912]: Spam Checks completed at 350656 bytes per second
Feb 18 10:18:05 antigen MailScanner[16912]: Created attachment dirs for 30 messages
Feb 18 10:18:39 antigen MailScanner[16912]: Virus and Content Scanning: Starting
Feb 18 10:18:39 antigen MailScanner[16912]: Commencing scanning by sophossavi...
Feb 18 10:18:39 antigen MailScanner[16912]: INFECTED:: W32/Sircam-A:: ./i1IFGKCR016673/stephs.doc.lnk
Feb 18 10:18:40 antigen MailScanner[16912]: Completed scanning by sophossavi
Feb 18 10:18:40 antigen MailScanner[16912]: Virus Scanning: SophosSAVI found 1 infections
Feb 18 10:18:40 antigen MailScanner[16912]: Infected message i1IFGKCR016673 came from 65.172.143.253
Feb 18 10:18:40 antigen MailScanner[16912]: Virus Scanning: Found 1 viruses
Feb 18 10:18:40 antigen MailScanner[16912]: Filename Checks: Possible Eudora *.lnk security hole attack (i1IFGKCR016673 steph's.doc.lnk)
Feb 18 10:18:40 antigen MailScanner[16912]: Other Checks: Found 1 problems
Feb 18 10:18:40 antigen MailScanner[16912]: Virus Scanning completed at 10018 bytes per second
Feb 18 10:18:41 antigen MailScanner[16912]: About to deliver 29 messages
Feb 18 10:18:41 antigen MailScanner[16912]: Uninfected: Delivered 29 messages
Feb 18 10:18:41 antigen MailScanner[16912]: About to deliver 1 messages
Feb 18 10:18:41 antigen MailScanner[16912]: Cleaned: Delivered 1 cleaned messages
Feb 18 10:18:41 antigen MailScanner[16912]: Virus Processing completed at 350656 bytes per second
Feb 18 10:18:41 antigen MailScanner[16912]: Disinfection completed at 350656 bytes per second
Feb 18 10:18:41 antigen MailScanner[16912]: Batch completed at 9740 bytes per second (350656 / 36)
Feb 18 10:18:41 antigen MailScanner[16912]: MailScanner child dying of old age

From martinh at SOLID-STATE-LOGIC.COM Wed Feb 18 17:43:48 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:34 2006
Subject: Upgrade to 4.26.8 and performance bottlenecks
In-Reply-To: <20040218173213.GB1462@bucknell.edu>
References: <20040218012507.GA13566@bucknell.edu> <4033322F.1070908@solid-state-logic.com> <20040218173213.GB1462@bucknell.edu>
Message-ID: <4033A454.102@solid-state-logic.com>

Mike

I can't remember what O/S you use, but most people have the tmp area as a ramdisk of sorts (tmpfs in Linux), or at least a journalled filesystem of some sort (ext3 or better in Linux, softupdates in FreeBSD) to reduce wait for I/O.

I've done to basic testing on FreeBSD on ramdisk vs softupdates, it made little or no difference for either, but Linux is much better set with a tmpfs for this area.

You might want to make sure that is done.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Michael Dahlberg wrote:
> Martin Hepworth [martinh@solid-state-logic.com] wrote:
>
>
>>Mike
>>
>>I'd make sure that all the required perl Modules are loaded (via CPAN is
>>the best way), and these may have changed for 4.26 from 4.13.
>>
>>Also is there any indication of problems if you set Debug=yes in the
>>MailScanner.conf and run MailScanner via check_MailScanner.
>>
>>--
>>Martin Hepworth
>>Snr Systems Administrator
>>Solid State Logic
>>Tel: +44 (0)1865 842300
>>
>
>
> Martin:
>
> Thanks for the suggestions. I think the only new perl module
> requirement is Net-CIDR.
I did add this via CPAN (MailScanner won't > start without it). > > I just tried setting Debug=yes and logging the speed. I get the > output that follows this message. It looks as if it spends the > greatest amount of time creating attachment dirs for the 30 > messages. Would you agree that this might be a place to look in the > code for potential bottlenecks? > > Thanks, > Mike > > Feb 18 10:17:58 antigen MailScanner[16912]: MailScanner E-Mail Virus Scanner version 4.26.8 starting... > Feb 18 10:18:02 antigen MailScanner[16912]: SophosSAVI 3.78 (engine 2.18) recognizing 87516 viruses > Feb 18 10:18:02 antigen MailScanner[16912]: SophosSAVI using 41 IDE files > Feb 18 10:18:04 antigen MailScanner[16912]: lock.pl sees Config LockType = flock > Feb 18 10:18:04 antigen MailScanner[16912]: lock.pl sees have_module= 0 > Feb 18 10:18:04 antigen MailScanner[16912]: Using locktype = flock > Feb 18 10:18:05 antigen MailScanner[16912]: New Batch: Found 155 messages waiting > Feb 18 10:18:05 antigen MailScanner[16912]: New Batch: Scanning 30 messages, 350656 bytes > Feb 18 10:18:05 antigen MailScanner[16912]: MCP Checks completed at 350656 bytes per second > Feb 18 10:18:05 antigen MailScanner[16912]: Spam Checks completed at 350656 bytes per second > Feb 18 10:18:05 antigen MailScanner[16912]: Created attachment dirs for 30 messages > Feb 18 10:18:39 antigen MailScanner[16912]: Virus and Content Scanning: Starting > Feb 18 10:18:39 antigen MailScanner[16912]: Commencing scanning by sophossavi... 
> Feb 18 10:18:39 antigen MailScanner[16912]: INFECTED:: W32/Sircam-A:: ./i1IFGKCR016673/stephs.doc.lnk > Feb 18 10:18:40 antigen MailScanner[16912]: Completed scanning by sophossavi > Feb 18 10:18:40 antigen MailScanner[16912]: Virus Scanning: SophosSAVI found 1 infections > Feb 18 10:18:40 antigen MailScanner[16912]: Infected message i1IFGKCR016673 came from 65.172.143.253 > Feb 18 10:18:40 antigen MailScanner[16912]: Virus Scanning: Found 1 viruses > Feb 18 10:18:40 antigen MailScanner[16912]: Filename Checks: Possible Eudora *.lnk security hole attack (i1IFGKCR016673 steph's.doc.lnk) > Feb 18 10:18:40 antigen MailScanner[16912]: Other Checks: Found 1 problems > Feb 18 10:18:40 antigen MailScanner[16912]: Virus Scanning completed at 10018 bytes per second > Feb 18 10:18:41 antigen MailScanner[16912]: About to deliver 29 messages > Feb 18 10:18:41 antigen MailScanner[16912]: Uninfected: Delivered 29 messages > Feb 18 10:18:41 antigen MailScanner[16912]: About to deliver 1 messages > Feb 18 10:18:41 antigen MailScanner[16912]: Cleaned: Delivered 1 cleaned messages > Feb 18 10:18:41 antigen MailScanner[16912]: Virus Processing completed at 350656 bytes per second > Feb 18 10:18:41 antigen MailScanner[16912]: Disinfection completed at 350656 bytes per second > Feb 18 10:18:41 antigen MailScanner[16912]: Batch completed at 9740 bytes per second (350656 / 36) > Feb 18 10:18:41 antigen MailScanner[16912]: MailScanner child dying of old age ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
**********************************************************************

From brose at MED.WAYNE.EDU Wed Feb 18 18:12:38 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:34 2006
Subject: Feature concept... "noisy viruses"?
Message-ID:

How many viruses are out there? Isn't it in the thousands and aren't most of the non-forgers dead or rarely pass thru email? I only see the forgers hitting our mail router.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Matt Kettler
Sent: Wednesday, February 18, 2004 11:25 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Feature concept... "noisy viruses"?

The debates on the merits of virus notifications go back and forth all the time, but that aside, I'm curious if an inversion of MailScanner's current "silent viruses" feature has ever been considered.

Right now, I've got MailScanner set to never notify senders of viruses. I do this to save myself from the hassle of having to rush and update the "silent viruses" list every time a new worm hits the net.

However, there are a few (albeit somewhat rare here) viruses which don't forge senders, or are pure file infectors without mass-mail capacity. Some question the merits of notifying senders of these as well, but at least in these cases one can argue that the notification is at least correct and could prove useful.

I propose it would be useful to have a feature in which I can declare which viruses should have a notification sent, instead of declaring a list of which ones should not. This gives me the benefit of not puking on other networks when new viruses come out, as new viruses wouldn't be on the notify list until I manually added it. Yet it does offer the ability to notify senders of viruses of a specific list of viruses which are known to not use forgery.

I've not seen a discussion of this before, but I could have missed it in my scan of my archives. Any comments, considerations that I may have overlooked?
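The debug log posted in the "Upgrade to 4.26.8 and performance bottlenecks" thread above can be read mechanically: group syslog lines per MailScanner child, and report the widest silent gap inside each batch. This is an added example, not part of any post or of MailScanner; the sample is a subset of the lines from that log, and the year passed to the parser is an assumption because classic syslog timestamps carry none.

```python
import re
from datetime import datetime

# Subset of the batch lines from the log posted in the thread (child PID 16912).
SAMPLE_LOG = """\
Feb 18 10:18:05 antigen MailScanner[16912]: New Batch: Found 155 messages waiting
Feb 18 10:18:05 antigen MailScanner[16912]: New Batch: Scanning 30 messages, 350656 bytes
Feb 18 10:18:05 antigen MailScanner[16912]: MCP Checks completed at 350656 bytes per second
Feb 18 10:18:05 antigen MailScanner[16912]: Spam Checks completed at 350656 bytes per second
Feb 18 10:18:05 antigen MailScanner[16912]: Created attachment dirs for 30 messages
Feb 18 10:18:39 antigen MailScanner[16912]: Virus and Content Scanning: Starting
Feb 18 10:18:39 antigen MailScanner[16912]: Commencing scanning by sophossavi...
Feb 18 10:18:40 antigen MailScanner[16912]: Completed scanning by sophossavi
Feb 18 10:18:40 antigen MailScanner[16912]: Virus Scanning completed at 10018 bytes per second
Feb 18 10:18:41 antigen MailScanner[16912]: About to deliver 29 messages
Feb 18 10:18:41 antigen MailScanner[16912]: Batch completed at 9740 bytes per second (350656 / 36)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
BATCH_START = re.compile(r"^New Batch: Scanning \d+ messages, \d+ bytes")
BATCH_END = re.compile(r"^Batch completed at \d+ bytes per second \(\d+ / (\d+)\)")


def parse_events(text, year=2004):
    """Yield (pid, timestamp, message) for every MailScanner syslog line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other daemons, wrapped or blank lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield int(m["pid"]), ts, m["msg"]


def summarise(pid, events, logged_seconds):
    """Find the longest interval between two consecutive lines of one batch."""
    gaps = [
        ((later[0] - earlier[0]).total_seconds(), earlier[1], later[1])
        for earlier, later in zip(events, events[1:])
    ]
    seconds, before, after = max(gaps, key=lambda g: g[0])
    wall = (events[-1][0] - events[0][0]).total_seconds()
    return {
        "pid": pid,
        "wall_seconds": wall,               # first to last line of the batch
        "logged_seconds": logged_seconds,   # divisor MailScanner itself logged
        "gap_seconds": seconds,
        "last_line_before_gap": before,
        "first_line_after_gap": after,
        "gap_share": round(seconds / wall, 2) if wall else 0.0,
    }


def batch_reports(text, year=2004):
    """Return one summary per completed batch; children may interleave."""
    open_batches = {}  # pid -> [(timestamp, message), ...] for the running batch
    reports = []
    for pid, ts, msg in parse_events(text, year):
        if BATCH_START.match(msg):
            open_batches[pid] = [(ts, msg)]
            continue
        events = open_batches.get(pid)
        if events is None:
            continue  # startup or shutdown line outside any batch
        events.append((ts, msg))
        end = BATCH_END.match(msg)
        if end:
            reports.append(summarise(pid, events, int(end.group(1))))
            del open_batches[pid]
    return reports


if __name__ == "__main__":
    for r in batch_reports(SAMPLE_LOG):
        print(f"pid {r['pid']}: {r['gap_seconds']:.0f}s of {r['wall_seconds']:.0f}s "
              f"({r['gap_share']:.0%}) between\n  {r['last_line_before_gap']}\n"
              f"  {r['first_line_after_gap']}")
```

The report only locates the interval in which nothing was logged; it does not say which step inside that interval consumed the time.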
From kodak at FRONTIERHOMEMORTGAGE.COM Wed Feb 18 18:22:21 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:34 2006
Subject: Feature concept... "noisy viruses"?
In-Reply-To:
Message-ID: <008601c3f64c$25fc1250$0501a8c0@darkside>

>How many viruses are out there? Isn't it in the thousands and aren't most
>of the non-forgers dead or rarely pass thru email? I only see the
>forgers hitting our mail router.

Gibe doesn't forge (well, it's more complicated than that, but it's easy to spot when it's not forged -- which is most of the time in my experience), and I get a boat load of those every time I post to the Samba mailing list. Try it, it's fun.

Speaking of which, the Samba list has HUGE problems with Spam, viruses, bounces TO the list, etc. Is the MailScanner list set up to scan, or is it left to the endpoints to do that?

I'm in back-channel conversations with a few other Samba list members and we're trying to come up with a solution to the deafening noise problem there. Please follow-up to me, not the list (unless you think it's a good topic for the list.)

--J(K)

From mailscanner at ecs.soton.ac.uk Wed Feb 18 18:38:16 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:34 2006
Subject: Feature concept... "noisy viruses"?
In-Reply-To: <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com>
References: <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com>
Message-ID: <6.0.1.1.2.20040218183708.03dbb0a0@imap.ecs.soton.ac.uk>

At 16:24 18/02/2004, you wrote:
>However, there are a few (albeit somewhat rare here) viruses which don't
>forge senders, or are pure file infectors without mass-mail capacity. Some

I think the phrase "somewhat rare" hits the nail on the head. I think they are so rare now that they are not worth bothering about. They probably form 0.1% or less of your viruses in an average (recent) month.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MyBSD at COMCAST.NET Wed Feb 18 18:42:09 2004
From: MyBSD at COMCAST.NET (My BSD)
Date: Thu Jan 12 21:22:34 2006
Subject: DENY+DELETE NOT WORKING
Message-ID:

Happily running MS v. 4.25-14 under Gentoo Linux. It is really a great and wonderful application.

Read the MS 4.24-5 Release Notes which assert:

"Filename and Filetype allow/deny rules files now have a third option in addition to 'deny' and 'allow', you can now do 'deny+delete' (or any word containing 'deny' and 'delete'). This will stop the denied attachment from being quarantined."

Created a "filename.rules" file with a single entry:

deny+delete winmail.dat$ "Outlook RTF file" "Outlook RTF file."

With a corresponding MS.conf entry:

Filename Rules = /opt/MailScanner/etc/filename.rules

Unfortunately, winmail.dat files are not deleted with this setting. Is this setting not supposed to "delete" (strip) the attachment from the message? What am I missing?

Thank you!

From mkettler at EVI-INC.COM Wed Feb 18 19:02:47 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:34 2006
Subject: Feature concept... "noisy viruses"?
In-Reply-To: <6.0.1.1.2.20040218183708.03dbb0a0@imap.ecs.soton.ac.uk>
References: <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com> <6.0.1.1.2.20040218183708.03dbb0a0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.0.22.0.20040218135448.023fdc00@xanadu.evi-inc.com>

At 01:38 PM 2/18/2004, Julian Field wrote:
>I think the phrase "somewhat rare" hits the nail on the head. I think they
>are so rare now that they are not worth bothering about. They probably form
>0.1% or less of your viruses in an average (recent) month.

Agreed, they are extraordinarily rare.. Ordinarily I'd just say "Well then remove virus replies entirely"...
However, there are those that continue to use Virus notifies and manually maintain their silent virus list.. This would offer those administrators a "reduced headache" alternative while still reaching their goals of notifying senders where it's practical. I'm mostly proposing it from a concept of "If people are going to use it, at least offer them an option which defaults to the most-safe behavior if they fall behind in maintenance" I myself might even consider using the feature on occasion, despite my opposition to general virus notifications. However, I won't push strongly for you to implement it or not. Thanks for considering it Julian.. From mailscanner at ecs.soton.ac.uk Wed Feb 18 19:00:51 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:34 2006 Subject: spam handling rules with +detail email addresses? In-Reply-To: <40339860.7020309@pacific.net> References: <4032BA22.7090507@pacific.net> <6.0.1.1.2.20040218091643.03e433c0@imap.ecs.soton.ac.uk> <40339860.7020309@pacific.net> Message-ID: <6.0.1.1.2.20040218190001.039b0488@imap.ecs.soton.ac.uk> At 16:52 18/02/2004, you wrote: >Julian Field wrote: >>At 01:04 18/02/2004, you wrote: >> >>>How does MailScanner/SA handle incoming email addressed to >>>user+detail@domain.com in rules? >>> >>>Sendmail will strip everything after/including the + sign, and deliver >>>to the 'user', but rules in MailScanner for both user+detail@domain.com >>>AND user@domain.com seem to be bypassed when using this syntax in an >>>email. >>> >>>I've only tested with rules/spam.actions.rules like this: >>> >>>To: user+detail@domain.com store notify >>>To: user@domain.com store notify >>> >>>Both are bypassed and mail gets the default action applied to it if it's >>>addressed to user+detail@domain.com >> >> >>But what is the envelope recipient address in this case? user or >>user+detail? > >user+detail@domain.com is the envelope recipient reported in the >sendmail log. The entry below doesn't seem to work. 
The message gets the >default rule applied instead of the 'store notify' rule. >To: user+detail@domain.com store notify > >I tried both the suggestions below, and they do properly apply the >action "store notify", but for some reason, sendmail then tries to >deliver the message back to 127.0.0.1 instead of the mail hub! >This creates a problem with the same message being scanned, then >redelivered to the incoming sendmail and looping. Other 'store notify' >rules that are defined for normal email addresses work fine. > >We forward mail from the MailScanner box to the mailhub using the >virtusertable feature. No other rule or config issue has broken this >before, so I'm not sure what's happening. I'll turn up logging in >sendmail and see if it will tell me what it's doing with this mail. MailScanner doesn't get involved with message delivery at all, so I fail to see how it could have caused this delivery problem. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Feb 18 19:05:16 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:34 2006 Subject: Spamassassin and Bayes files In-Reply-To: References: <5.0.2.1.2.20040217122203.01200498@127.0.0.1> <4032655A.8070207@ucgbook.com> Message-ID: <6.0.1.1.2.20040218190453.0398c8e0@imap.ecs.soton.ac.uk> At 17:31 18/02/2004, you wrote: >Peter Bonivart wrote on Tue, 17 Feb 2004 20:02:50 +0100: > > > I think it's best to rename /etc/mail/spamassassin/local.cf and then > > create a symlink pointing to spam.assassin.prefs.conf. Then you will > > always use the same config and you don't have to bother with adding -p > > to all commands. > > > >Well, this means, this customized file would get overwritten each time I >upgrade MailScanner, or not? 
We have been using SA much longer than >MailScanner, so I prefer to configure and maintain SA at the location it >used to be all the time. This way I can also easily switch to the other >anti-spam solution we have. >I simply changed the path to that file in MailScanner.conf and there >aren't any problems. I checked the spam.assassin.prefs.conf file whether >we need anything from it and decided we only need the Ignore-Header stuff, >nothing else. I don't know what you mean with the -p switch. >Of course, this still means we have to change the path each time we >upgrade MailScanner or does it leave it's config directory untouched when >upgrading? (This is our very first MailScanner installation.) It won't touch a modified config file (or CustomConfig.pm). -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dot at DOTAT.AT Wed Feb 18 19:37:13 2004 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:34 2006 Subject: Feature concept... "noisy viruses"? In-Reply-To: References: <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com> <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com> Message-ID: Julian Field wrote: > >I think the phrase "somewhat rare" hits the nail on the head. I think they >are so rare now that they are not worth bothering about. The probably form >0.1% or less or your viruses in an average (recent) month. My virus counts for the last month follow. Yes, non-@MM viruses are rare, but there are quite a few trojans going around (especially of the phishing URL kind), malware spammings, and viruses spreading parasitically inside other viruses. 1 " Found the JS/Exploit-ActXComp trojan !!!" 1 " Found the W32/Aliz@MM virus !!!" 1 " Found the W32/Dumaru.h@MM virus !!!" 1 " Found the W32/Kriz.3863 virus !!!" 1 " Found the W32/Mimail.t@MM virus !!!" 1 " Found the W32/Nimda.s@MM virus !!!" 
1 " Found the W32/Sober.dam virus !!!" 1 " Found the W32/Yaha.e@MM virus !!!" 1 " Found the W95/CIH.remnants virus !!!" 1 " Found the W95/MTX@M virus !!!" 1 " Found the W97M/Sat.dam.b virus !!!" 1 " Found the W97M/Titch.d.gen virus !!!" 1 " Found the W97M/Turn virus !!!" 1 " Found virus or variant W32/Bagle@MM !!!" 1 " Found virus or variant W32/Swen@MM !!!" 2 " Found the virus !!!" 2 " Found the BackDoor-AZV trojan !!!" 2 " Found the BackDoor-Sub7.svr trojan !!!" 2 " Found the Exploit-CodeBase trojan !!!" 2 " Found the W32/BadTrans@MM virus !!!" 2 " Found the W32/GOP@MM virus !!!" 2 " Found the W32/Ganda virus !!!" 2 " Found the W32/Gibe.dam virus !!!" 2 " Found the W32/Hybris.gen@MM virus !!!" 2 " Found the W32/Ska@M virus !!!" 2 " Found the W97M/Murke.gen virus !!!" 2 " Found the W97M/Myna.gen virus !!!" 2 " Found the WM/Showoff virus !!!" 2 " Found trojan or variant Exploit-URLSpoof.gen !!!" 2 " Found trojan or variant Keylog-Sklog !!!" 2 " Found virus or variant New Malware.b !!!" 3 " Found the W32/Darby.f@MM virus !!!" 3 " Found the W32/Klez.e@MM virus !!!" 3 " Found the W32/Sobig.c@MM virus !!!" 3 " Found virus or variant W32/Netsky !!!" 4 " Found the Keylog-Stawin trojan !!!" 4 " Found the Linux/Rst.b virus !!!" 4 " Found the W32/Holar.r@MM virus !!!" 4 " Found the W32/Yaha.q@MM virus !!!" 5 " Found the Exploit-MIME.gen.exe virus !!!" 5 " Found the JS/Kak@M virus !!!" 5 " Found the PWS-QQPass trojan !!!" 5 " Found the W32/Spybot.worm.gen virus !!!" 5 " Found the W95/Marburg.a virus !!!" 5 " Found the W97M/Thus.gen virus !!!" 6 " Found the W32/Cervivec@MM virus !!!" 6 " Found trojan or variant JS/Exploit-FileProxy !!!" 7 " Found the JS/Fortnight.gen@M virus !!!" 7 " Found the VBS/Psyme trojan !!!" 7 " Found the W32/Klez.gen@MM virus !!!" 7 " Found the W32/Mimail@MM virus !!!" 7 " Found the W32/Sobig.e@MM virus !!!" 8 " Found the W32/Sobig.b@MM virus !!!" 8 " Found virus or variant W32/Sober !!!" 9 " Found the W32/Holar.gen@MM virus !!!" 
10 " Found the Exploit-URLSpoof trojan !!!" 10 " Found the W32/Pate.a virus !!!" 12 " Found the W32/Magistr.a@MM virus !!!" 13 " Found the W32/SirCam@MM virus !!!" 15 " Found the W95/CIH.1003a virus !!!" 15 " Found the W97M/Marker.gen virus !!!" 16 " Found the W32/Magistr.b@MM virus !!!" 18 " Found the W32/Klez.gen.b@MM virus !!!" 19 " Found the W32/Dumaru.gen@MM virus !!!" 19 " Found the W32/Nofear.c@MM virus !!!" 20 " Found virus or variant W32/Mimail !!!" 21 " Found the W32/Bugbear.b!data virus !!!" 25 " Found the W32/Mimail.dam virus !!!" 28 " Found the W32/Mimail.e@MM virus !!!" 29 " Found the W32/Mimail.gen@MM virus !!!" 29 " Found the W32/Yaha.y@MM virus !!!" 30 " Found the W32/Lovelorn.dr virus !!!" 34 " Found the W32/Holar.l@MM virus !!!" 36 " Found the W32/Sober!data trojan !!!" 41 " Found the W32/Dupator virus !!!" 43 " Found the MultiDropper-GP.a trojan !!!" 43 " Found the W32/Gibe.gen@MM virus !!!" 44 " Found the Exploit-CodeBase virus !!!" 50 " Found virus or variant W32/Mydoom@MM !!!" 56 " Found the VBS/Redlof@M virus !!!" 61 " Found the W32/Ganda@MM virus !!!" 64 " Found the W32/Fizzer.gen@MM virus !!!" 70 " Found the W32/Mydoom.eml!exe virus !!!" 74 " Found the W32/Mimail.f@MM virus !!!" 77 " Found the W32/Pate.b virus !!!" 78 " Found the W32/Mimail.h@MM virus !!!" 79 " Found the W32/Lovelorn@MM virus !!!" 93 " Found virus or variant W32/Mydoom !!!" 100 " Found the W32/Mydoom.a.eml!zip virus !!!" 101 " Found the W32/Yaha.l@MM virus !!!" 103 " Found the W32/Mimail.q@MM virus !!!" 113 " Found the W32/Mydoom.dam virus !!!" 121 " Found the W32/Lovgate.f@M virus !!!" 124 " Found the W32/Mimail.s@MM virus !!!" 130 " Found the W32/Yaha.g@MM virus !!!" 171 " Found the W32/Bugbear@MM virus !!!" 208 " Found the W95/Spaces.gen virus !!!" 279 " Found the W32/Elkern.cav.c virus !!!" 292 " Found the VBS/Inor trojan !!!" 292 " Found the W32/Yaha.k@MM virus !!!" 303 " Found the W32/Yaha.p@MM virus !!!" 332 " Found the W32/Bugbear.b.dam virus !!!" 
332 " Found the W32/Mimail.g@MM virus !!!" 338 " Found the W32/Bugbear.b@MM virus !!!" 342 " Found the W32/Torvil@MM virus !!!" 469 " Found the W32/Dumaru.z@MM virus !!!" 589 " Found the W32/Dumaru.a@MM virus !!!" 728 " Found the W32/FunLove.gen virus !!!" 772 " Found the W32/Mydoom.b@MM virus !!!" 899 " Found the W32/Mimail.c@MM virus !!!" 1033 " Found the W32/Netsky.b@MM virus !!!" 1097 " Found the W32/Netsky@MM!zip virus !!!" 1212 " Found the W32/Valla.a virus !!!" 1240 " Found the W32/Netsky (ED) virus !!!" 1604 " Found the W32/Mimail.a@MM virus !!!" 1811 " Found the W32/Bagle.b@MM (ED) virus !!!" 2134 " Found the W32/Bagle@MM virus !!!" 2138 " Found the W32/Bagle.b@MM virus !!!" 2650 " Found the W32/Mimail.i@MM virus !!!" 2770 " Found the W32/Dumaru.y@MM virus !!!" 3054 " Found the W32/Sobig.f@MM virus !!!" 3328 " Found the W32/Mimail.j@MM virus !!!" 3461 " Found the W32/Klez.h@MM virus !!!" 4874 " Found the Exploit-URLSpoof.gen trojan !!!" 5259 " Found the W32/Sober.c@MM virus !!!" 37426 " Found the W32/Swen@MM virus !!!" 244581 " Found the W32/Mydoom@MM virus !!!" 1108947 " Found the W32/Mydoom.a@MM virus !!!" Tony. -- f.a.n.finch http://dotat.at/ SELSEY BILL TO LYME REGIS: NORTH OR NORTHEAST 4 OR 5, OCCASIONALLY 3 IN SHELTER, BECOMING 6 IN OPEN WATER OVERNIGHT. MAINLY FAIR. GOOD. SLIGHT TO MODERATE. From craig at WESTPRESS.COM Wed Feb 18 19:59:01 2004 From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:34 2006 Subject: Feature concept... "noisy viruses"? In-Reply-To: References: <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com> <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com> Message-ID: How are you guys generating these lists, where is the info coming from? >Julian Field wrote: >> >>I think the phrase "somewhat rare" hits the nail on the head. I think they >>are so rare now that they are not worth bothering about. The probably form >>0.1% or less or your viruses in an average (recent) month. 
>
>My virus counts for the last month follow. Yes, non-@MM viruses are rare,
>but there are quite a few trojans going around (especially of the phishing
>URL kind), malware spammings, and viruses spreading parasitically inside
>other viruses.
>
>Tony.
>--
>f.a.n.finch http://dotat.at/
>SELSEY BILL TO LYME REGIS: NORTH OR NORTHEAST 4 OR 5, OCCASIONALLY 3 IN
>SHELTER, BECOMING 6 IN OPEN WATER OVERNIGHT. MAINLY FAIR. GOOD. SLIGHT TO
>MODERATE.

--
--
Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433
Tel: 520-624-4939
Fax: 520-624-2715
www.westpress.com
--

From dot at DOTAT.AT Wed Feb 18 20:04:23 2004
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:22:34 2006
Subject: Feature concept... "noisy viruses"?
In-Reply-To:
References: <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com> <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com>
Message-ID:

Craig Daters wrote:
>How are you guys generating these lists, where is the info coming from?

for host in a b c d e f
do
    ssh $host zgrep "'McAfee said.*!!!'" /spool/MailScanner/log/maillog*
done |
sed 's/[^"]*//' | sort | uniq -c | sort -n

Tony.
--
f.a.n.finch http://dotat.at/
LUNDY FASTNET: EAST BACKING NORTHEAST 3 OR 4, OCCASIONALLY 5. FAIR. GOOD.

From jester at SPYDERINTERNET.COM Wed Feb 18 20:27:01 2004
From: jester at SPYDERINTERNET.COM (Michael)
Date: Thu Jan 12 21:22:34 2006
Subject: queue.in clog
Message-ID: <6.0.0.22.2.20040218142637.020d05a8@spyderinternet.com>

Sorry if this is an old question...

I'm running MailScanner v4.25.14
Sophos Version 3.78
Redhat 7.3

I'm seeing tons of mail getting into the scanner queue, but I'm seeing very little going out. The queue.in is constantly growing (right now shows approx 2K messages waiting to scan). Right now there is approx a 40 min delay between receiving and actually sending the message. Any help would be much appreciated in speeding this up. This just started a few days ago. We have 8 children running, the delay is about 20 min from each "MailScanner" log. It seems to scan about 50 messages, wait 20-25 min, then scans another 50 messages. We've increased the children, the file scan size, etc., etc.

Thanks in Advance.
Michael -- Outgoing mail is certified Virus Free. Checked by AVG Anti-Virus (http://www.grisoft.com). Version: 7.0.211 / Virus Database: 261.9.6 - Release Date: 2/18/2004 From maillists at CONACTIVE.COM Wed Feb 18 20:31:36 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:34 2006 Subject: Stop scanning of outgoing mails? Message-ID: It seems MailScanner also scans all mail which is outgoing (f.i. relayed by SMTP authenticated clients). Is there a way to stop this? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From listonly at WEBPRESENCEGROUP.NET Wed Feb 18 20:44:10 2004 From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:34 2006 Subject: MailScanner>SpamAssassin>Debian>Webmin Oddity Message-ID: I asked on Debian-ISP but no answer so far, hoping someone may have an answer here. We are setting up a Mailhub for our hosting clients, want to send all inbound mail to our Debian box, Woody with BF4, and then redirect mail to the hosting/email servers for user pickups (we use Cobalt Raq's for the clients.) We installed sendmail from stable Debian, and Mailscanner from stable per instructions on the FAQ at Mailscanner. We then uninstalled MailScanner and installed MailScanner and SpamAssassin from Testing Debian using the instructions from the MailScanner website. We felt we did everything correct except now we see 2 directories for MailScanner /etc/MailScanner /etc/mailscanner I am thinking we want the /etc/MailScanner as the true dir. Is this some left over items from doing the MailScanner install from stable first, then removing with apt and doing a testing install?? This was the method they recommended at MailScanner. Webmin seems to be picking up the lower case mail scanner. 
But when we go in to make modifications it kills MailScanner with the following error Cannot open config file /opt/MailScanner/etc/MailScanner.conf, no such file or directory at /usr/share/MailScanner/MailScanner/Config.pm line 535. The Debian apt-get install doesn't place files into /opt. Anyone have any hints or help to aid us?? -- Thanks!! David Thurman List Only at Web Presence Group Net From mike at TC3NET.COM Wed Feb 18 20:55:29 2004 From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:22:34 2006 Subject: queue.in clog In-Reply-To: <6.0.0.22.2.20040218142637.020d05a8@spyderinternet.com> References: <6.0.0.22.2.20040218142637.020d05a8@spyderinternet.com> Message-ID: <1077137729.7108.13.camel@mike-new2.tc3net.com> Run through a debug, (change some a couple of config options in MailScanner.conf, Debug=yes, Spamassassin Debug = Yes). Stop MailScanner, and restart it, then it will run through a batch in a verbose mode, by observing it, you can see where the hang up is. Usually it's one of the spamassassin test (Razor2, DCC, RBL checks), which you can turn off/on in the spam_prefs for MailScanner, or reduce the timeouts or whatever, after you determine which one is delaying your queue.in processing. Regards MIKE > Sorry if this is an old question... > > Im running MailScanner v4.25.14 > Sophos Version 3.78 > Redhat 7.3 > > > im seeing tons of mail getting into the scanner queue, but im seeing very > little going out. The queue.in is constanly growing (right now shows approx > 2K messages waiting to scan). Right now there is approx a 40 min delay > between receiving and actually sending the message. Any help would be much > appreciated in speeding this up.This just started a few days ago. We have 8 > children running, the delay is about 20 min from each "MailScanner" log. It > seems to scan about 50 messages wait 20-25 min then scans another 50 > messages. We've increased the children, the file scan size, etc,etc. > > > Thanks in Advance. 
> Michael > > > -- > Outgoing mail is certified Virus Free. > Checked by AVG Anti-Virus (http://www.grisoft.com). > Version: 7.0.211 / Virus Database: 261.9.6 - Release Date: 2/18/2004 > From ka at PACIFIC.NET Wed Feb 18 21:07:21 2004 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:34 2006 Subject: spam handling rules with +detail email addresses? In-Reply-To: <6.0.1.1.2.20040218190001.039b0488@imap.ecs.soton.ac.uk> References: <4032BA22.7090507@pacific.net> <6.0.1.1.2.20040218091643.03e433c0@imap.ecs.soton.ac.uk> <40339860.7020309@pacific.net> <6.0.1.1.2.20040218190001.039b0488@imap.ecs.soton.ac.uk> Message-ID: <4033D409.5020109@pacific.net> Julian Field wrote: > At 16:52 18/02/2004, you wrote: > >> Julian Field wrote: >> >>> At 01:04 18/02/2004, you wrote: >>> >>>> How does MailScanner/SA handle incoming email addressed to >>>> user+detail@domain.com in rules? >>>> >>>> Sendmail will strip everything after/including the + sign, and deliver >>>> to the 'user', but rules in MailScanner for both user+detail@domain.com >>>> AND user@domain.com seem to be bypassed when using this syntax in an >>>> email. >>>> >>>> I've only tested with rules/spam.actions.rules like this: >>>> >>>> To: user+detail@domain.com store notify >>>> To: user@domain.com store notify >>>> >>>> Both are bypassed and mail gets the default action applied to it if >>>> it's >>>> addressed to user+detail@domain.com >>> >>> >>> >>> But what is the envelope recipient address in this case? user or >>> user+detail? >> >> >> user+detail@domain.com is the envelope recipient reported in the >> sendmail log. The entry below doesn't seem to work. The message gets the >> default rule applied instead of the 'store notify' rule. >> To: user+detail@domain.com store notify >> >> I tried both the suggestions below, and they do properly apply the >> action "store notify", but for some reason, sendmail then tries to >> deliver the message back to 127.0.0.1 instead of the mail hub! 
>> This creates a problem with the same message being scanned, then >> redelivered to the incoming sendmail and looping. Other 'store notify' >> rules that are defined for normal email addresses work fine. >> >> We forward mail from the MailScanner box to the mailhub using the >> virtusertable feature. No other rule or config issue has broken this >> before, so I'm not sure what's happening. I'll turn up logging in >> sendmail and see if it will tell me what it's doing with this mail. > > > MailScanner doesn't get involved with message delivery at all, so I fail to > see how it could have caused this delivery problem. Yes, it seems like it has to be something with sendmail config, but then again, the notify action is the only action that triggers it. I changed the action to 'deliver', and the mail for user+detail is delivered properly. But with action 'store notify', it loops back to localhost (the incoming sendmail receives it again from notify?). One odd thing I notice in the log - with the notify function, mail is delivered to "to=user+detail@domain.com" (this loops back to localhost) With 'deliver' action, mail is delivered to "" (this gets correctly delivered to the mailhub) Note the missing <> in the looping email. I'm not a sendmail guru, so I'm not sure where this envelope TO is getting generated, but it may be a clue? Thanks for any ideas, Ken Anderson Pacific.Net > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From mailscanner at MINDWARESYSTEMS.COM Thu Feb 19 01:08:42 2004 From: mailscanner at MINDWARESYSTEMS.COM (Kourosh) Date: Thu Jan 12 21:22:34 2006 Subject: Send Spam to Folder? 
In-Reply-To: <05cd01c3f67e$fef3ab40$3e01a8c0@express.loanprocessing.net>
References: <05cd01c3f67e$fef3ab40$3e01a8c0@express.loanprocessing.net>
Message-ID: <1077152922.17281.56.camel@onizuka.mindwaresystems.com>

On Wed, 2004-02-18 at 16:26, Mike McMullen wrote:
> Hi All,
>
> Is there an easy way to get mail marked as spam automatically
> moved to a folder (mbox format) in a user's IMAP mail folders?
>
> I'm new at trying to do this stuff so any easy examples or
> pointers would be of great help.
>
> Thanks,
>
> Mike

Mike,

Depends on your MTA and how you're delivering mail. You can use procmail or maildrop to filter the mail and deliver spam to the spam folder. That's how I have it set up on my system. I even have a default maildrop script set in the /etc/skel directory so that new users have it automagically.

--
Kourosh

From maillists at CONACTIVE.COM Wed Feb 18 21:31:28 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:34 2006
Subject: Spamassassin and Bayes files
In-Reply-To: <6.0.1.1.2.20040218190453.0398c8e0@imap.ecs.soton.ac.uk>
References: <5.0.2.1.2.20040217122203.01200498@127.0.0.1> <4032655A.8070207@ucgbook.com> <6.0.1.1.2.20040218190453.0398c8e0@imap.ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Wed, 18 Feb 2004 19:05:16 +0000:

> It won't touch a modified config file (or CustomConfig.pm).
>

Good to know, thanks!

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From ugob at CAMO-ROUTE.COM Wed Feb 18 21:49:17 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:34 2006
Subject: Stop scanning of outgoing mails?
Message-ID: <54C38A0B814C8E438EF73FC76F362927410909@mtlnt501fs.CAMOROUTE.COM>

-----Original Message-----
From: Kai Schaetzl [mailto:maillists@CONACTIVE.COM]
Sent: 18 February, 2004 15:32
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Stop scanning of outgoing mails?
It seems MailScanner also scans all mail which is outgoing (f.i. relayed by SMTP authenticated clients). Is there a way to stop this?

Stop virus scanning? Bad idea... for the rest, use rules. See examples in the rules folder or a tutorial I wrote in the faqs.

Faqs on rules: http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/207.html
Tutorial: http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/230.html

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From jrudd at UCSC.EDU Wed Feb 18 21:41:59 2004
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:22:34 2006
Subject: Hello? (was Re: Adding Envelope Headers?)
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> <402D4E48.1A8709B1@ucsc.edu> <40329E21.7D82BCA5@ucsc.edu>
Message-ID: <4033DC27.34BB2DA7@ucsc.edu>

John Rudd wrote:
>
> John Rudd wrote:
> >
> > Julian Field wrote:
> > >
> > > At 14:00 13/02/2004, you wrote:
> >
> > > >X-Envelope-To:
> >
> > > I am of the opinion that ...
> > > putting in the envelope recipient is a bad idea.
> > > [snip]
> > When you know that the MTA will do the right thing, it's not "a bad
> > idea". And for some MTA's, it's definitely "the right idea".
>
> So, does the lack of response to my two messages indicate they fell on
> deaf ears? Are my arguments unconvincing?

*tap*tap*tap*

Is this thing on?

Beuller? Beuller?
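
Tony Finch's pipeline earlier in this thread ends in "uniq -c | sort -n", giving one "count, report text" line per McAfee detection name. As an added example (not code from any poster on the list), the two functions below read such a tally and report how much of it is non-@MM, so an estimate like the 0.1% figure discussed above can be checked against local logs. The function names and the sample tally are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise a "uniq -c" tally of McAfee report lines, in the
# shape produced by the zgrep | sed | sort | uniq -c pipeline in the thread.
# mm_share and non_mm_names are hypothetical names, not MailScanner tools.

# Constructed sample tally (counts invented, line format as in the thread).
SAMPLE='      1 " Found the W32/Kriz.3863 virus !!!"
      2 " Found the  virus !!!"
      3 " Found virus or variant W32/Netsky !!!"
      4 " Found the Keylog-Stawin trojan !!!"
     50 " Found virus or variant W32/Mydoom@MM !!!"
   1097 " Found the W32/Netsky@MM!zip virus !!!"
   1811 " Found the W32/Bagle.b@MM (ED) virus !!!"'

# mm_share: read a tally on stdin; print total detections, the @MM count,
# the remainder, and the remainder as a percentage of the total.
mm_share() {
    awk '
        $1 ~ /^[0-9]+$/ {
            total += $1
            if (index($0, "@MM") > 0) mm += $1; else other += $1
        }
        END {
            # An empty or unparsable tally must not divide by zero.
            if (total == 0) { print "total=0 mm=0 other=0 other_pct=0.00"; exit }
            printf "total=%d mm=%d other=%d other_pct=%.2f\n", total, mm, other, 100 * other / total
        }
    '
}

# non_mm_names: list "count name" for every non-@MM entry, largest first.
# Handles both report shapes seen in the thread ("Found the X virus|trojan"
# and "Found virus|trojan or variant X") and reports with an empty name.
non_mm_names() {
    awk '
        $1 ~ /^[0-9]+$/ && index($0, "@MM") == 0 {
            name = $0
            sub(/^[ \t]*[0-9]+[ \t]+"[ \t]*Found /, "", name)  # count, quote, "Found "
            sub(/[ \t]*!!!"?[ \t]*$/, "", name)                # trailing !!! and quote
            sub(/^the[ \t]+/, "", name)
            sub(/^(virus|trojan) or variant /, "", name)
            sub(/[ \t]*(virus|trojan)$/, "", name)
            if (name == "") name = "(unnamed)"
            print $1, name
        }
    ' | sort -k1,1nr
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | mm_share        # total=2968 mm=2958 other=10 other_pct=0.34
printf '%s\n' "$SAMPLE" | non_mm_names
```

To use it on real data, pipe the output of the thread's pipeline into either function in place of the sample.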
From jester at SPYDERINTERNET.COM Wed Feb 18 22:08:49 2004
From: jester at SPYDERINTERNET.COM (Michael)
Date: Thu Jan 12 21:22:34 2006
Subject: queue.in clog
In-Reply-To: <1077137729.7108.13.camel@mike-new2.tc3net.com>
References: <6.0.0.22.2.20040218142637.020d05a8@spyderinternet.com> <1077137729.7108.13.camel@mike-new2.tc3net.com>
Message-ID: <6.0.0.22.2.20040218154118.02045318@spyderinternet.com>

Well, thanks to the debug from below, it's looking like it's not able to use the spamassassin autowhite list, it's saying it's there, but unable to open file. In looking at the permissions, it was set to 600 so changed to 777 and no change, same error. Backed up the files that were there, removed all, including the auto-whitelist and restarted mailscanner, it created the auto-whitelist and remade the users_pref. Restarted mailscanner in debug and it goes on through now, but it's still queuing incoming mail.

It's apparently using some kind of .lock file and locking the autowhitelist, when the next scanner runs, it's not allowing the file to be read, so it's queuing and basically halting the send part.

Feb 18 16:00:58 web2 MailScanner[14564]: Using locktype = flock
Feb 18 16:00:59 web2 MailScanner[14564]: New Batch: Found 453 messages waiting
Feb 18 16:00:59 web2 MailScanner[14564]: New Batch: Forwarding 9 unscanned messages, 11695 bytes
Feb 18 16:00:59 web2 MailScanner[14564]: New Batch: Scanning 200 messages, 6212350 bytes

next time mailscanner runs

Feb 18 16:01:19 web2 MailScanner[14946]: New Batch: Found 456 messages waiting
Feb 18 16:01:19 web2 MailScanner[14946]: New Batch: Forwarding 9 unscanned messages, 11695 bytes
Feb 18 16:01:19 web2 MailScanner[14946]: New Batch: Scanning 200 messages, 6212350 bytes

It does this and the queue just grows and nothing seems to send except a small few.

thanks
Michael

At 02:55 PM 2/18/2004, you wrote:
>Run through a debug, (change some a couple of config options in
>MailScanner.conf, Debug=yes, Spamassassin Debug = Yes).
Stop >MailScanner, and restart it, then it will run through a batch in a >verbose mode, by observing it, you can see where the hang up is. Usually >it's one of the spamassassin test (Razor2, DCC, RBL checks), which you >can turn off/on in the spam_prefs for MailScanner, or reduce the >timeouts or whatever, after you determine which one is delaying your >queue.in processing. > >Regards >MIKE > > > Sorry if this is an old question... > > > > Im running MailScanner v4.25.14 > > Sophos Version 3.78 > > Redhat 7.3 > > > > > > im seeing tons of mail getting into the scanner queue, but im seeing very > > little going out. The queue.in is constanly growing (right now shows approx > > 2K messages waiting to scan). Right now there is approx a 40 min delay > > between receiving and actually sending the message. Any help would be much > > appreciated in speeding this up.This just started a few days ago. We have 8 > > children running, the delay is about 20 min from each "MailScanner" log. It > > seems to scan about 50 messages wait 20-25 min then scans another 50 > > messages. We've increased the children, the file scan size, etc,etc. > > > > > > Thanks in Advance. > > Michael > > > > > > -- > > Outgoing mail is certified Virus Free. > > Checked by AVG Anti-Virus (http://www.grisoft.com). > > Version: 7.0.211 / Virus Database: 261.9.6 - Release Date: 2/18/2004 > > > >-- >This message has been scanned for viruses and >dangerous content by our MailScanner, and is >believed to be clean. > > > > >-- >Incoming mail is certified Virus Free. >Checked by AVG Anti-Virus (http://www.grisoft.com). >Version: 7.0.211 / Virus Database: 261.9.6 - Release Date: 2/18/2004 -- Outgoing mail is certified Virus Free. Checked by AVG Anti-Virus (http://www.grisoft.com). 
Version: 7.0.211 / Virus Database: 261.9.6 - Release Date: 2/18/2004 From david at PLATFORMHOSTING.COM Wed Feb 18 22:48:16 2004 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:22:34 2006 Subject: Upgrade to 4.26.8 and performance bottlenecks In-Reply-To: <4033A454.102@solid-state-logic.com> Message-ID: <200402182248.i1IMm9C28883@mx1.mailsecurity.net.au> > Michael Dahlberg wrote: > > Martin Hepworth [martinh@solid-state-logic.com] wrote: > > > > > >>Mike > >> > >>I'd make sure that all the required perl Modules are loaded (via CPAN is > >>the best way), and these may have changed for 4.26 from 4.13. > >> > >>Also is there any indication of problems if you set Debug=yes in the > >>MailScanner.conf and run MailScanner via check_MailScanner. > >> Is it just me or is there more than a few people having issues with 4.26.8 and performance? Cheers, Dave ======================================================================== Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== From mark at TIPPINGMAR.COM Wed Feb 18 23:18:04 2004 From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:22:34 2006 Subject: queue.in clog In-Reply-To: <6.0.0.22.2.20040218154118.02045318@spyderinternet.com> References: <1077137729.7108.13.camel@mike-new2.tc3net.com> Message-ID: <4033822C.23754.A13BA20@localhost> The auto whitelist is problematic when using SpamAssassin with mailscanner (at least I've seen lots of questions on this list about it). I've never tried it myself. I think most people set the following in MailScanner.conf: SpamAssassin Auto Whitelist = no Mark On 18 Feb 2004 at 16:08, Michael wrote: > well, thanks to the debug from below, its looking like its not able to use > the spamassassin autowhite list, its saying its there, but unable to open > file. 
In looking at the permissions, it was set to 600 so changed to 777 > and no change, same error. Backed up the files that were there, removed > all, including the auto-whitelist and restarted mailscanner, it created the > auto-whitelist and remade the users_pref. Restarted mailscanner in debug > and it goes on through now, but its still queuing incoming mail its > apparently using some kind of .lock file and locking the autowhitelist, > when the next scanner runs, its not allowing the file to be read, so its > queuing and basically halting the send part. > > > Feb 18 16:00:58 web2 MailScanner[14564]: Using locktype = flock > Feb 18 16:00:59 web2 MailScanner[14564]: New Batch: Found 453 messages waiting > Feb 18 16:00:59 web2 MailScanner[14564]: New Batch: Forwarding 9 unscanned > messages, 11695 bytes > Feb 18 16:00:59 web2 MailScanner[14564]: New Batch: Scanning 200 messages, > 6212350 bytes > > next time mailscanner runs > > Feb 18 16:01:19 web2 MailScanner[14946]: New Batch: Found 456 messages waiting > Feb 18 16:01:19 web2 MailScanner[14946]: New Batch: Forwarding 9 unscanned > messages, 11695 bytes > Feb 18 16:01:19 web2 MailScanner[14946]: New Batch: Scanning 200 messages, > 6212350 bytes > > it does this and the queue just grows and nothing seems to send except a > small few. > > > thanks > Michael > > > At 02:55 PM 2/18/2004, you wrote: > > >Run through a debug, (change some a couple of config options in > >MailScanner.conf, Debug=yes, Spamassassin Debug = Yes). Stop > >MailScanner, and restart it, then it will run through a batch in a > >verbose mode, by observing it, you can see where the hang up is. Usually > >it's one of the spamassassin test (Razor2, DCC, RBL checks), which you > >can turn off/on in the spam_prefs for MailScanner, or reduce the > >timeouts or whatever, after you determine which one is delaying your > >queue.in processing. > > > >Regards > >MIKE > > > > > Sorry if this is an old question... 
> > > > > > Im running MailScanner v4.25.14 > > > Sophos Version 3.78 > > > Redhat 7.3 > > > > > > > > > im seeing tons of mail getting into the scanner queue, but im seeing very > > > little going out. The queue.in is constanly growing (right now shows approx > > > 2K messages waiting to scan). Right now there is approx a 40 min delay > > > between receiving and actually sending the message. Any help would be much > > > appreciated in speeding this up.This just started a few days ago. We have 8 > > > children running, the delay is about 20 min from each "MailScanner" log. It > > > seems to scan about 50 messages wait 20-25 min then scans another 50 > > > messages. We've increased the children, the file scan size, etc,etc. > > > > > > > > > Thanks in Advance. > > > Michael > > > > > > From maillists at CONACTIVE.COM Wed Feb 18 23:31:39 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:34 2006 Subject: Stop scanning of outgoing mails? In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410909@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F362927410909@mtlnt501fs.CAMOROUTE.COM> Message-ID: Ugo Bellavance wrote on Wed, 18 Feb 2004 16:49:17 -0500: > Stop virus scanning? Bad idea... No. There are good reasons for us. > > for the rest, use rules. See examples in the rules folder or a > tutorial I wrote in the faqs. > That's why I ask, there are no rules I could apply here. I cannot simply stop scanning for "From: *@domain yes" because that also stops scanning of incoming messages with spoofed senders. So, is there a way to do this? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From pete at eatathome.com.au Thu Feb 19 00:01:25 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:34 2006 Subject: Stop scanning of outgoing mails? 
In-Reply-To: References: <54C38A0B814C8E438EF73FC76F362927410909@mtlnt501fs.CAMOROUTE.COM> Message-ID: <4033FCD5.1060606@eatathome.com.au> Kai Schaetzl wrote: >Ugo Bellavance wrote on Wed, 18 Feb 2004 16:49:17 -0500: > > > >>Stop virus scanning? Bad idea... >> >> > >No. There are good reasons for us. > > > >>for the rest, use rules. See examples in the rules folder or a >>tutorial I wrote in the faqs. >> >> >> > >That's why I ask, there are no rules I could apply here. I cannot simply >stop scanning for "From: *@domain yes" because that also stops scanning of >incoming messages with spoofed senders. So, is there a way to do this? > > >Kai > >-- > >Kai Schätzl, Berlin, Germany >Get your web at Conactive Internet Services: http://www.conactive.com >IE-Center: http://ie5.de & http://msie.winware.org > > > > > Whitelist the IPs of your mail servers that send outbound mail? From stefanzman at yahoo.com Thu Feb 19 00:16:13 2004 From: stefanzman at yahoo.com (Stefan Zauchenberger) Date: Thu Jan 12 21:22:34 2006 Subject: Fwd: Perl version Message-ID: <20040219001613.95255.qmail@web41313.mail.yahoo.com> Am I practicing bad list-iquette? Or does *no one* have any input/assistance on this scenario? Someone please enlighten/validate...? > Can anyone advise me on this? > > The customer's machine has two instances of Perl, one > "real" one (for system purposes) and an updated > version (5.8) in /home/spam-filter - along with SA. > > perl -e 'print @INC;' shows the following output: > > /usr/lib/perl5/5.00503/i386-linux/usr/lib/perl5/5.00503/usr/lib/perl5/site_perl/5.005/i386-linux/usr/lib/perl5/site_perl/5.005. > > Yet, MailScanner is using the SA and Perl in > /home/spam-filter. How is this done and how can I be > sure not to break it when upgrading SA? > > TIA, > > Stefan > __________________________________ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. 
http://antispam.yahoo.com/tools From jrudd at UCSC.EDU Thu Feb 19 00:07:54 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:34 2006 Subject: Stop scanning of outgoing mails? References: <54C38A0B814C8E438EF73FC76F362927410909@mtlnt501fs.CAMOROUTE.COM> Message-ID: <4033FE5A.A4556AF6@ucsc.edu> Kai Schaetzl wrote: > > Ugo Bellavance wrote on Wed, 18 Feb 2004 16:49:17 -0500: > > > Stop virus scanning? Bad idea... > > No. There are good reasons for us. > > > > > for the rest, use rules. See examples in the rules folder or a > > tutorial I wrote in the faqs. > > > > That's why I ask, there are no rules I could apply here. I cannot simply > stop scanning for "From: *@domain yes" because that also stops scanning of > incoming messages with spoofed senders. So, is there a way to do this? > > How about doing it by IP address? Doesn't "From:", when presented with an IP address, use the relay's IP addr and not the email address of the sender? (otherwise, why does MailScanner care so much about the relay addr? if the qf file doesn't have one, it says the qf file is malformed) If I'm right, then you'd have "From: X.Y.Z.* no" and then a default rule of yes. From mlm at LOANPROCESSING.NET Thu Feb 19 00:26:19 2004 From: mlm at LOANPROCESSING.NET (Mike McMullen) Date: Thu Jan 12 21:22:34 2006 Subject: Send Spam to Folder? Message-ID: <05cd01c3f67e$fef3ab40$3e01a8c0@express.loanprocessing.net> Hi All, Is there an easy way to get mail marked as spam automatically moved to a folder (mbox format) in a user's IMAP mail folders? I'm new at trying to do this stuff so any easy examples or pointers would be of great help. Thanks, Mike From mlm at LOANPROCESSING.NET Thu Feb 19 01:23:32 2004 From: mlm at LOANPROCESSING.NET (Mike McMullen) Date: Thu Jan 12 21:22:34 2006 Subject: Send Spam to Folder? 
References: <05cd01c3f67e$fef3ab40$3e01a8c0@express.loanprocessing.net> <1077152922.17281.56.camel@onizuka.mindwaresystems.com> Message-ID: <066001c3f686$fd2f6c60$3e01a8c0@express.loanprocessing.net> ----- Original Message ----- From: "Kourosh" > On Wed, 2004-02-18 at 16:26, Mike McMullen wrote: > > Hi All, > > > > Is there an easy way to get mail marked as spam automatically > > moved to a folder (mbox format) in a user's IMAP mail folders? > > > > I'm new at trying to do this stuff so any easy examples or > > pointers would be of great help. > > > > Thanks, > > > > Mike > > Mike, > > Depends on your MTA and how you're delivering mail. You can use procmail > or maildrop to filter the mail and deliver spam to the spam folder. > That's how I have it set up on my system. I even have a default > maildrop script set in the /etc/skel directory so that new users have it > automagically. > -- Hi Kourosh, I am using sendmail. Clients access IMAP folders using predominately Outlook Express. Thanks, Mike From maillists at CONACTIVE.COM Thu Feb 19 01:31:35 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:34 2006 Subject: Stop scanning of outgoing mails? In-Reply-To: <4033FE5A.A4556AF6@ucsc.edu> References: <54C38A0B814C8E438EF73FC76F362927410909@mtlnt501fs.CAMOROUTE.COM> <4033FE5A.A4556AF6@ucsc.edu> Message-ID: John Rudd wrote on Wed, 18 Feb 2004 16:07:54 -0800: > How about doing it by IP address? Doesn't "From:", when presented with > an IP address, use the relay's IP addr and not the email address of the > sender? > Yes, but the sender is not the machine but an SMTP authenticated client. I cannot whitelist the whole world there. 
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Thu Feb 19 01:31:35 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:34 2006 Subject: Stop scanning of outgoing mails? In-Reply-To: <4033FCD5.1060606@eatathome.com.au> References: <54C38A0B814C8E438EF73FC76F362927410909@mtlnt501fs.CAMOROUTE.COM> <4033FCD5.1060606@eatathome.com.au> Message-ID: Pete wrote on Thu, 19 Feb 2004 11:01:25 +1100: > Whitelist the IPs of your mail servers that send outbound mail? > I use whitelisting for some of our servers to whitelist traffic between the machines, but this is different: whitelisting IPs works on the client IP which is NOT the machine's IP. So, I would have to whitelist the connecting clients which basically means the whole world. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From mark at TIPPINGMAR.COM Thu Feb 19 01:34:48 2004 From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:22:34 2006 Subject: Send Spam to Folder? In-Reply-To: <05cd01c3f67e$fef3ab40$3e01a8c0@express.loanprocessing.net> Message-ID: <4033A238.24443.A90E6D6@localhost> On 18 Feb 2004 at 16:26, Mike McMullen wrote: > Is there an easy way to get mail marked as spam automatically > moved to a folder (mbox format) in a user's IMAP mail folders? If a user has a folder named "spam", and your system uses procmail for local delivery, then a rule like the following in the user's ".procmailrc" file will do it.
# Move Mailscanner marked spam to Spam folder
:0:
* ^Subject:.\{Spam\?
spam
Mark From mlm at LOANPROCESSING.NET Thu Feb 19 02:10:33 2004 From: mlm at LOANPROCESSING.NET (Mike McMullen) Date: Thu Jan 12 21:22:35 2006 Subject: Send Spam to Folder? 
References: <4033A238.24443.A90E6D6@localhost> Message-ID: <0c7801c3f68d$8e930fd0$0300a8c0@Spike> From: "Mark Nienberg" > On 18 Feb 2004 at 16:26, Mike McMullen wrote: > > Is there an easy way to get mail marked as spam automatically > > moved to a folder (mbox format) in a user's IMAP mail folders? > > If a user has a folder named "spam", and your system uses procmail for local > delivery, then a rule like the following in the user's ".procmailrc" file will do it. > > # Move Mailscanner marked spam to Spam folder > :0: > * ^Subject:.\{Spam\? > spam > > Mark > Mark, Thanks! This worked like a champ! Mike From ryan.finnesey at CORPDSG.COM Thu Feb 19 02:39:49 2004 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:22:35 2006 Subject: MailScanner on Mac OS X Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C401EA69@dc012.corpdsg.com> Can I ask why OS X? Ryan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of JLM Sent: Wednesday, February 18, 2004 12:50 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner on Mac OS X Hi folks, I'm trying to get MailScanner (4.26.8-1) functioning properly on Mac OS X Server (10.3.2), and I'm running into a few trouble spots. I'm using MailScanner along with XAMS 0.0.15-RC4, which is a flexible and intuitive email management system that is designed to work along with Exim, Courier-IMAP, and MySQL. http://www.xams.org/ The trouble spots I'm running into are: [1] At launch, MailScanner complains: "ps: illegal option -- f" This seems to be related to check_mailscanner, but other than that I don't anything about this error, how important it is, and whether there's anything we can do to fix it on Mac OS X. Any thoughts or suggestions would be much appreciated. [2] I can't seem to get MailScanner to run as mail:mail (GID=6, UID=6). This occurred on both the Jaguar (10.2.6) and Panther (10.3.2) versions of Mac OS X that I have installed MailScanner on. 
I have to comment out the "Run as user = " and "Run as Group = " lines in order to get MailScanner to run. Does anyone have any suggestions as to how we might fix this? We'd rather not have MailScanner running as root if we can avoid it. [3] Other than the above, MailScanner appears to function normally. However, after a few hours of normal operation, the following error began repeatedly appearing in the mail log: Feb 17 12:44:31 localhost MailScanner[2965]: File containing list of incoming queue dirs (/var/spool/exim-incoming/input) does not exist There is indeed a /var/spool/exim-incoming/input directory. I'm a bit puzzled as to why MailScanner thinks there is a file containing a list of incoming queue dirs at that location. Both the incoming and outgoing queue directories are specified in the mailscanner.conf file. MailScanner appears to continue functioning normally, so once again it's not clear how important this error is. Nonetheless, can anyone shed any light on what's causing this and how I might fix it? [4] After mail has been scanned for viruses and run through SpamAssassin, it may then be fed to TMDA if the spam/ham analysis is inconclusive. [I fully realize that many people are not big fans of challenge/response systems such as TMDA. Please keep in mind that messages with low spam scores are delivered unchallenged, and messages with high spam scores are discarded outright (again, without being challenged). The only messages that will be challenged are the very rare messages that SpamAssassin can't convincingly classify as either spam or ham. It is our hope that this method will address many of the objections against challenge/response systems.] I'm working with the other folks on the XAMS team to put together a few routines to pass mail from MailScanner to TMDA. 
The following test routines were added to the CustomConfig.pm component of MailScanner: ### Begin: Test routines added to CustomConfig.pm ### use Data::Dumper; sub InitXAMSTMDAMailer {} sub XAMSTMDAMailer { my ($message) = @_; $|++; open XAMS_TMDA_FH, '>>/tmp/xams_tmda_mailer.log'; print XAMS_TMDA_FH Dumper($message) . '=' x 80 . "\n"; print XAMS_TMDA_FH "XAMSTMDAMailer was here\n"; close XAMS_TMDA_FH; return '/usr/local/exim/bin/exim -DMAILSCANNER_OUTGOING=On'; } sub EndXAMSTMDAMailer {} ### End: Test routines added to CustomConfig.pm ### When a message is received by MailScanner and triggers the above routines, it delivers the mail but does two unexpected things: 1. The output of the first print command is: "$VAR1 = undef;" Can anyone think of why that might be? Any suggestions would be very, very helpful. 2. It repeats the output five times (see below). I realize that MailScanner has five processes running at any given time, but why are all five processing these routines when a message is received? Output: $VAR1 = undef; ==================================================================== XAMSTMDAMailer was here (repeated another four times) Does anyone have any ideas as to why this is being repeated five times? I realize this is a lot of questions to throw to the list at once. I and the other members of the XAMS team would be most grateful for any advice you can offer. On behalf of the XAMS team, thanks in advance for any pointers you might have for us! Best, Justin PS: I'd like to take a moment to recognize the superb support I've received so far from Nick Phillips, who has selflessly devoted his time to help me get MailScanner running on Mac OS X (in at least a basic incarnation). Without his guidance, I would never even made it this far. Many thanks, Nick! 
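The test routine quoted in the message above appends to a fixed file name under /tmp while MailScanner is running as root (item [2]), and several children write to it at once. The following is an added example, not code from the original post or from MailScanner: the same routine with the log moved to a private directory, opened without following symlinks, locked per write, and each entry tagged with the PID and call site so that the repeated entries and the undef argument can be attributed. The directory path and the helper name xams_debug_log are assumptions.

```perl
#!/usr/bin/perl
# Added example: hardened debug logging for the custom routine in the post.
# Hypothetical names (not from the post): $XAMS_LOG_DIR, $XAMS_LOG_FILE,
# xams_debug_log().
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock :mode);   # O_* flags, LOCK_EX, S_ISDIR
use POSIX qw(strftime);
use Data::Dumper;

# Assumed private directory. Create it once as the account MailScanner runs
# as, with mode 0700, e.g.: install -d -m 0700 /var/log/xams-debug
my $XAMS_LOG_DIR  = '/var/log/xams-debug';
my $XAMS_LOG_FILE = "$XAMS_LOG_DIR/xams_tmda_mailer.log";

# Append one entry to the debug log. Returns 1 on success, 0 if the log
# location is unsafe or the write fails. Never dies, so a logging problem
# cannot stop mail delivery.
sub xams_debug_log {
    my ($text) = @_;

    # lstat() describes the path itself, so a symlink planted in place of
    # the directory is rejected by the S_ISDIR test.
    my @st = lstat($XAMS_LOG_DIR) or return 0;
    return 0 unless S_ISDIR($st[2]);
    return 0 if $st[2] & 022;           # writable by group or other
    return 0 unless $st[4] == $>;       # not owned by our effective UID

    # O_NOFOLLOW refuses a symlink as the final path component; O_APPEND
    # keeps each write at the end of the file; 0600 keeps the dump private.
    # (O_NOFOLLOW must exist on the platform; Linux and the BSDs have it.)
    sysopen(my $fh, $XAMS_LOG_FILE,
            O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600) or return 0;

    # Several MailScanner children may log at once: take an exclusive lock
    # so entries are not interleaved.
    unless (flock($fh, LOCK_EX)) { close $fh; return 0; }
    print {$fh} $text;
    return close($fh) ? 1 : 0;          # close also releases the lock
}

sub InitXAMSTMDAMailer {}

sub XAMSTMDAMailer {
    my ($message) = @_;

    # Record which child ran the routine, where it was called from, and how
    # many arguments it received.
    my (undef, $file, $line) = caller(0);
    my $entry = sprintf("%s pid=%d called from %s:%d argc=%d\n",
                        strftime('%Y-%m-%d %H:%M:%S', localtime),
                        $$, $file, $line, scalar @_);

    if (defined $message) {
        # Limit how much of the object is written to the log.
        local $Data::Dumper::Maxdepth = 2;
        local $Data::Dumper::Sortkeys = 1;
        $entry .= Dumper($message);
    } else {
        $entry .= "no message object was passed to this call\n";
    }
    xams_debug_log($entry . ('=' x 80) . "\n");

    # Same return value as the routine in the post.
    return '/usr/local/exim/bin/exim -DMAILSCANNER_OUTGOING=On';
}

sub EndXAMSTMDAMailer {}

# Stand-alone check: when this file is run directly, call the routine once
# with no message object. When it is loaded by another program, caller() is
# true and this line is skipped.
print XAMSTMDAMailer(), "\n" unless caller;

1;
```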
From JLM939 at HOTMAIL.COM Thu Feb 19 03:15:52 2004 From: JLM939 at HOTMAIL.COM (JLM) Date: Thu Jan 12 21:22:35 2006 Subject: MailScanner on Mac OS X In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C401EA69@dc012.corpdsg.com> Message-ID: Ryan Finnesey asked: > Can I ask why OS X? Because my particular production environment is using Xserve hardware, and because that's the OS I'm most familiar with. Nearly all the other XAMS team members use some flavor of Linux. John Rudd helpfully suggested: > f sounds like you're using the HPUX stanza instead of the BSD stanza in > the check_mailscanner script. Make sure the BSD stanza is the one > you're using (make sure the conditions work out, etc.). Thanks for the suggestion, John. I'll take a look at that and see what I can figure out. Regarding item [4] below... After looking through the MailScanner code, it appears that the CustomConfig.pm routines are called from several different places. It seems that in some cases the ($message) is passed to the custom routines, and in some cases it is not. So when our custom routine is called from sendmail2... sendmail2 = &XAMSTMDAMailer ..for some reason MailScanner isn't passing the ($message) to the XAMSTMDAMailer custom routine. We can't seem to determine why. Does anyone have any thoughts on this? Also, as I mentioned before, it would be great if we could figure out a way to get MailScanner to successfully run as the "mail" user on OS X. I've searched the archives, and it seems people on other platforms have experienced the same problem in the past. I seem to gather that it's been fixed for most environments, but perhaps not for OS X. Any suggestions for troubleshooting this would be *most* appreciated. 
Sincere thanks, Justin > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of JLM > Sent: Wednesday, February 18, 2004 12:50 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MailScanner on Mac OS X > > > Hi folks, > > I'm trying to get MailScanner (4.26.8-1) functioning properly on Mac OS X > Server (10.3.2), and I'm running into a few trouble spots. I'm using > MailScanner along with XAMS 0.0.15-RC4, which is a flexible and intuitive > email management system that is designed to work along with Exim, > Courier-IMAP, and MySQL. > > http://www.xams.org/ > > The trouble spots I'm running into are: > > [1] At launch, MailScanner complains: "ps: illegal option -- f" This seems > to be related to check_mailscanner, but other than that I don't anything > about this error, how important it is, and whether there's anything we can > do to fix it on Mac OS X. Any thoughts or suggestions would be much > appreciated. > > [2] I can't seem to get MailScanner to run as mail:mail (GID=6, UID=6). This > occurred on both the Jaguar (10.2.6) and Panther (10.3.2) versions of Mac OS > X that I have installed MailScanner on. I have to comment out the "Run as > user = " and "Run as Group = " lines in order to get MailScanner to run. > Does anyone have any suggestions as to how we might fix this? We'd rather > not have MailScanner running as root if we can avoid it. > > [3] Other than the above, MailScanner appears to function normally. However, > after a few hours of normal operation, the following error began repeatedly > appearing in the mail log: > > Feb 17 12:44:31 localhost MailScanner[2965]: File containing list of > incoming queue dirs (/var/spool/exim-incoming/input) does not exist > > There is indeed a /var/spool/exim-incoming/input directory. I'm a bit > puzzled as to why MailScanner thinks there is a file containing a list of > incoming queue dirs at that location. 
Both the incoming and outgoing queue > directories are specified in the mailscanner.conf file. > > MailScanner appears to continue functioning normally, so once again it's not > clear how important this error is. Nonetheless, can anyone shed any light on > what's causing this and how I might fix it? > > [4] After mail has been scanned for viruses and run through SpamAssassin, it > may then be fed to TMDA if the spam/ham analysis is inconclusive. > > [I fully realize that many people are not big fans of challenge/response > systems such as TMDA. Please keep in mind that messages with low spam scores > are delivered unchallenged, and messages with high spam scores are discarded > outright (again, without being challenged). The only messages that will be > challenged are the very rare messages that SpamAssassin can't convincingly > classify as either spam or ham. It is our hope that this method will address > many of the objections against challenge/response systems.] > > I'm working with the other folks on the XAMS team to put together a few > routines to pass mail from MailScanner to TMDA. The following test routines > were added to the CustomConfig.pm component of MailScanner: > > ### Begin: Test routines added to CustomConfig.pm ### > > use Data::Dumper; > sub InitXAMSTMDAMailer {} > > sub XAMSTMDAMailer > { > my ($message) = @_; > $|++; > open XAMS_TMDA_FH, '>>/tmp/xams_tmda_mailer.log'; > print XAMS_TMDA_FH Dumper($message) . '=' x 80 . "\n"; > print XAMS_TMDA_FH "XAMSTMDAMailer was here\n"; > close XAMS_TMDA_FH; > return '/usr/local/exim/bin/exim -DMAILSCANNER_OUTGOING=On'; > } > > sub EndXAMSTMDAMailer {} > > ### End: Test routines added to CustomConfig.pm ### > > When a message is received by MailScanner and triggers the above routines, > it delivers the mail but does two unexpected things: > > 1. The output of the first print command is: "$VAR1 = undef;" > Can anyone think of why that might be? Any suggestions would be very, > very helpful. > > 2. 
It repeats the output five times (see below). I realize that MailScanner > has five processes running at any given time, but why are all five > processing these routines when a message is received? > > Output: > > $VAR1 = undef; > ==================================================================== > XAMSTMDAMailer was here > > (repeated another four times) > > Does anyone have any ideas as to why this is being repeated five times? > > > I realize this is a lot of questions to throw to the list at once. I and the > other members of the XAMS team would be most grateful for any advice you can > offer. > > On behalf of the XAMS team, thanks in advance for any pointers you might > have for us! > > Best, > > Justin > > PS: > > I'd like to take a moment to recognize the superb support I've received so > far from Nick Phillips, who has selflessly devoted his time to help me get > MailScanner running on Mac OS X (in at least a basic incarnation). Without > his guidance, I would never even made it this far. Many thanks, Nick! > From jburzenski at AMERICANHM.COM Thu Feb 19 03:35:24 2004 From: jburzenski at AMERICANHM.COM (Jason Burzenski) Date: Thu Jan 12 21:22:35 2006 Subject: Send Spam to Folder? Message-ID: <9BDD6D4AD0795C46974D7D46C17883B8090DFD42@ahm_exchange2.americanhm.com> Can you do the same for an Exchange rule? ;) -----Original Message----- From: Mike McMullen [mailto:mlm@LOANPROCESSING.NET] Sent: Wednesday, February 18, 2004 9:11 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Send Spam to Folder? From: "Mark Nienberg" > On 18 Feb 2004 at 16:26, Mike McMullen wrote: > > Is there an easy way to get mail marked as spam automatically moved > > to a folder (mbox format) in a user's IMAP mail folders? > > If a user has a folder named "spam", and your system uses procmail for local > delivery, then a rule like the following in the user's ".procmailrc" > file will do it. > > # Move Mailscanner marked spam to Spam folder > :0: > * ^Subject:.\{Spam\? 
> spam > > Mark > Mark, Thanks! This worked like a champ! Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040218/689ac6fc/attachment.html From ugob at CAMO-ROUTE.COM Thu Feb 19 05:31:28 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:35 2006 Subject: Stop scanning of outgoing mails? Message-ID: <54C38A0B814C8E438EF73FC76F36292741090A@mtlnt501fs.CAMOROUTE.COM> >-----Original Message----- >From: Kai Schaetzl [mailto:maillists@CONACTIVE.COM] >Sent: February 18, 2004 20:32 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Stop scanning of outgoing mails? > > >John Rudd wrote on Wed, 18 Feb 2004 16:07:54 -0800: > >> How about doing it by IP address? Doesn't "From:", when >presented with >> an IP address, use the relay's IP addr and not the email >address of the >> sender? >> > >Yes, but the sender is not the machine but an SMTP >authenticated client. I >cannot whitelist the whole world there. Ok, I see rules won't work for you. Since I never encounter this topic on the list since September, I see two solutions: -Scan everything. -Ask Julian. hth Ugo > > > > >Kai > >-- > >Kai Schätzl, Berlin, Germany >Get your web at Conactive Internet Services: http://www.conactive.com >IE-Center: http://ie5.de & http://msie.winware.org > From ryan.finnesey at CORPDSG.COM Thu Feb 19 07:18:54 2004 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:22:35 2006 Subject: MailScanner on Mac OS X Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C401EA6F@dc012.corpdsg.com> How do you like the Xserve? We have found it very hard to get in contact with an account manager at Apple. I would like to get a few to play with. I have called them and they tell us to go down to a local CompUSA. Do you know if they offer 4 hour hardware support like HP does? 
Ryan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of JLM Sent: Wednesday, February 18, 2004 7:16 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner on Mac OS X Ryan Finnesey asked: > Can I ask why OS X? Because my particular production environment is using Xserve hardware, and because that's the OS I'm most familiar with. Nearly all the other XAMS team members use some flavor of Linux. John Rudd helpfully suggested: > f sounds like you're using the HPUX stanza instead of the BSD stanza in > the check_mailscanner script. Make sure the BSD stanza is the one > you're using (make sure the conditions work out, etc.). Thanks for the suggestion, John. I'll take a look at that and see what I can figure out. Regarding item [4] below... After looking through the MailScanner code, it appears that the CustomConfig.pm routines are called from several different places. It seems that in some cases the ($message) is passed to the custom routines, and in some cases it is not. So when our custom routine is called from sendmail2... sendmail2 = &XAMSTMDAMailer ..for some reason MailScanner isn't passing the ($message) to the XAMSTMDAMailer custom routine. We can't seem to determine why. Does anyone have any thoughts on this? Also, as I mentioned before, it would be great if we could figure out a way to get MailScanner to successfully run as the "mail" user on OS X. I've searched the archives, and it seems people on other platforms have experienced the same problem in the past. I seem to gather that it's been fixed for most environments, but perhaps not for OS X. Any suggestions for troubleshooting this would be *most* appreciated. 
Sincere thanks, Justin > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of JLM > Sent: Wednesday, February 18, 2004 12:50 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MailScanner on Mac OS X > > > Hi folks, > > I'm trying to get MailScanner (4.26.8-1) functioning properly on Mac OS X > Server (10.3.2), and I'm running into a few trouble spots. I'm using > MailScanner along with XAMS 0.0.15-RC4, which is a flexible and intuitive > email management system that is designed to work along with Exim, > Courier-IMAP, and MySQL. > > http://www.xams.org/ > > The trouble spots I'm running into are: > > [1] At launch, MailScanner complains: "ps: illegal option -- f" This seems > to be related to check_mailscanner, but other than that I don't anything > about this error, how important it is, and whether there's anything we can > do to fix it on Mac OS X. Any thoughts or suggestions would be much > appreciated. > > [2] I can't seem to get MailScanner to run as mail:mail (GID=6, UID=6). This > occurred on both the Jaguar (10.2.6) and Panther (10.3.2) versions of Mac OS > X that I have installed MailScanner on. I have to comment out the "Run as > user = " and "Run as Group = " lines in order to get MailScanner to run. > Does anyone have any suggestions as to how we might fix this? We'd rather > not have MailScanner running as root if we can avoid it. > > [3] Other than the above, MailScanner appears to function normally. However, > after a few hours of normal operation, the following error began repeatedly > appearing in the mail log: > > Feb 17 12:44:31 localhost MailScanner[2965]: File containing list of > incoming queue dirs (/var/spool/exim-incoming/input) does not exist > > There is indeed a /var/spool/exim-incoming/input directory. I'm a bit > puzzled as to why MailScanner thinks there is a file containing a list of > incoming queue dirs at that location. 
Both the incoming and outgoing queue > directories are specified in the mailscanner.conf file. > > MailScanner appears to continue functioning normally, so once again it's not > clear how important this error is. Nonetheless, can anyone shed any light on > what's causing this and how I might fix it? > > [4] After mail has been scanned for viruses and run through SpamAssassin, it > may then be fed to TMDA if the spam/ham analysis is inconclusive. > > [I fully realize that many people are not big fans of challenge/response > systems such as TMDA. Please keep in mind that messages with low spam scores > are delivered unchallenged, and messages with high spam scores are discarded > outright (again, without being challenged). The only messages that will be > challenged are the very rare messages that SpamAssassin can't convincingly > classify as either spam or ham. It is our hope that this method will address > many of the objections against challenge/response systems.] > > I'm working with the other folks on the XAMS team to put together a few > routines to pass mail from MailScanner to TMDA. The following test routines > were added to the CustomConfig.pm component of MailScanner: > > ### Begin: Test routines added to CustomConfig.pm ### > > use Data::Dumper; > sub InitXAMSTMDAMailer {} > > sub XAMSTMDAMailer > { > my ($message) = @_; > $|++; > open XAMS_TMDA_FH, '>>/tmp/xams_tmda_mailer.log'; > print XAMS_TMDA_FH Dumper($message) . '=' x 80 . "\n"; > print XAMS_TMDA_FH "XAMSTMDAMailer was here\n"; > close XAMS_TMDA_FH; > return '/usr/local/exim/bin/exim -DMAILSCANNER_OUTGOING=On'; > } > > sub EndXAMSTMDAMailer {} > > ### End: Test routines added to CustomConfig.pm ### > > When a message is received by MailScanner and triggers the above routines, > it delivers the mail but does two unexpected things: > > 1. The output of the first print command is: "$VAR1 = undef;" > Can anyone think of why that might be? Any suggestions would be very, > very helpful. > > 2. 
It repeats the output five times (see below). I realize that MailScanner > has five processes running at any given time, but why are all five > processing these routines when a message is received? > > Output: > > $VAR1 = undef; > ==================================================================== > XAMSTMDAMailer was here > > (repeated another four times) > > Does anyone have any ideas as to why this is being repeated five times? > > > I realize this is a lot of questions to throw to the list at once. I and the > other members of the XAMS team would be most grateful for any advice you can > offer. > > On behalf of the XAMS team, thanks in advance for any pointers you might > have for us! > > Best, > > Justin > > PS: > > I'd like to take a moment to recognize the superb support I've received so > far from Nick Phillips, who has selflessly devoted his time to help me get > MailScanner running on Mac OS X (in at least a basic incarnation). Without > his guidance, I would never even made it this far. Many thanks, Nick! > From chris at FRACTALWEB.COM Thu Feb 19 07:46:10 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:35 2006 Subject: how to troubleshoot timeouts Message-ID: <403469C2.3050006@fractalweb.com> Hi everyone, After enjoying the last couple of months with only the occasional spamassassin timeout (about 1 a week), I'm now getting a few dozen a day. Yesterday I had 84--today 24. Last night I ran "sa-learn --force-expire" and "sa-learn --rebuild" to see if that might fix the problem, but I guess not. Is there any way of turning on extra-verbose logging in spamassassin or mailscanner to see where exactly it's timing out? Could it be one of my blackhole lists? What are the steps to troubleshoot spamassassin timeouts? 
Cheers,
Chris

From ugob at CAMO-ROUTE.COM Thu Feb 19 07:51:18 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:35 2006
Subject: how to troubleshoot timeouts
Message-ID: <54C38A0B814C8E438EF73FC76F36292741090C@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Chris Yuzik [mailto:chris@FRACTALWEB.COM]
>Sent: 19 February, 2004 02:46
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: how to troubleshoot timeouts
>
>
>Hi everyone,
>
>After enjoying the last couple of months with only the occasional
>spamassassin timeout (about 1 a week), I'm now getting a few dozen a
>day. Yesterday I had 84--today 24.
>
>Last night I ran "sa-learn --force-expire" and "sa-learn --rebuild" to
>see if that might fix the problem, but I guess not.
>
>Is there any way of turning on extra-verbose logging in spamassassin or
>mailscanner to see where exactly it's timing out? Could it be one of my
>blackhole lists?
>
>What are the steps to troubleshoot spamassassin timeouts?

That is what I can think of at 2.48 AM :)

1- run mailscanner in debug mode
2- disable sequentially razor, pyzor, dcc and see if the timeouts stop.

Other tips
- Update your dcc, pyzor, razor server lists
- make sure you run a local caching dns server
- if you have a lot of special rules, that might be a cause
- check your network and system load when it happens
- stay tuned, I'm sure you'll have other feedback.

hth

Ugo

>
>Cheers,
>Chris
>

From rggarcia at IMGAME.NET Thu Feb 19 07:48:08 2004
From: rggarcia at IMGAME.NET (Rosaldo Garcia)
Date: Thu Jan 12 21:22:35 2006
Subject: Redhat 7.3 + Postfix 1.1.7-2 + MailScanner-4.26.7-1
Message-ID:

Hello,

Currently I have a running Redhat 7.3, postfix-1.1.7-2, and recently I just downloaded and installed MailScanner-4.26.7-1.tar.gz, and here are the things I've done.

How to Set Up Postfix for MailScanner Use

Install Postfix (version 1 or 2) and get it all working.
Stop Postfix using a command

    postfix stop

Make sure you have the chroot jail set up in /var/spool/postfix. You should be able to see "etc", "usr" and "lib" directories inside /var/spool/postfix. If you haven't got the chroot jail setup already, then look in the "examples" directory of the Postfix documentation and you will find a script in there to set it up for your operating system. If you can't find that, then see the "Problems or Errors" section further down this page.

Copy the postfix configuration files for the incoming Postfix:

    cp -rp /etc/postfix /etc/postfix.in

Tell the incoming Postfix not to deliver mail: Edit /etc/postfix.in/main.cf and add a line at the top that says this:

    defer_transports = smtp local virtual relay

In the same file, look for the definition

    queue_directory = /var/spool/postfix

and change it to

    queue_directory = /var/spool/postfix.in

If you have a chroot jail setup in /var/spool/postfix, copy the postfix spool area to the incoming setup using a command

    cp -rp /var/spool/postfix /var/spool/postfix.in

Otherwise, just create the new spool directory for the incoming Postfix using a command

    mkdir /var/spool/postfix.in

When the incoming Postfix starts up, it will create any missing files and directories it needs in there.

Tell the outgoing Postfix not to provide an SMTP service: Edit /etc/postfix/master.cf and comment out the following line by inserting a "#" at the start of the line:

    smtp inet n - y - - smtpd

How to Set up MailScanner for Use with Postfix

In your MailScanner.conf file (probably in /etc/MailScanner or /opt/MailScanner/etc), there are 5 settings you need to change. They are all really near the top of the file. The settings are

    Run As User = postfix
    Run As Group = postfix
    Incoming Queue Dir = /var/spool/postfix.in/deferred
    Outgoing Queue Dir = /var/spool/postfix/incoming
    MTA = postfix

If you are using the RedHat RPM distribution, one change will enable all the Postfix support in the init.d script.
Edit /etc/sysconfig/MailScanner and set

    MTA=postfix

You will need to ensure that the user "postfix" can write to /var/spool/MailScanner/incoming and /var/spool/MailScanner/quarantine:

    chown postfix.postfix /var/spool/MailScanner/incoming
    chown postfix.postfix /var/spool/MailScanner/quarantine

If you upgrade your copy of MailScanner, unfortunately these directories will be changed back to being owned by root, so you will have to do those 2 commands again.

Starting It All Running

If on a system installed using the RedHat RPM distribution, please edit /etc/sysconfig/MailScanner and set it up for your mail system. Then just use the init.d script to do it all for you:

    /etc/rc.d/init.d/MailScanner start

(or on RedHat systems just service MailScanner start)

If not using the RedHat RPM distribution, then

Start the incoming Postfix

    postfix -c /etc/postfix.in start

Start the outgoing Postfix

    postfix -c /etc/postfix start

Start MailScanner

    check_MailScanner

The thing is, when I put a # on:

    smtp inet n - y - - smtpd

I get this error message on my mail client:

"The TCP/IP connection was unexpectedly terminated by the server. (Account:192.168.0.2, SMTP Server:192.168.0.2, Error Number 0x800ccc0f)"

Has this error message ever happened to anyone? Pls help.

Thanks

Rosaldo G. Garcia
Systems Administrator
Intermedia Solutions Inc. (http://www.imgame.net)

From ugob at CAMO-ROUTE.COM Thu Feb 19 08:02:04 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:35 2006
Subject: Redhat 7.3 + Postfix 1.1.7-2 + MailScanner-4.26.7-1
Message-ID: <54C38A0B814C8E438EF73FC76F36292741090D@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Rosaldo Garcia [mailto:rggarcia@IMGAME.NET]
>Sent: 19 February, 2004 02:48
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Redhat 7.3 + Postfix 1.1.7-2 + MailScanner-4.26.7-1
>
>
>Hello,
>
> Currently I have a running Redhat 7.3, postfix-1.1.7-2,
>and recently I just downloaded and installed
>MailScanner-4.26.7-1.tar.gz, and here are the things I've done.
>
>
> I get this error message on my mail client:
>
> "The TCP/IP connection was unexpectedly terminated by the server.
> (Account:192.168.0.2, SMTP Server:192.168.0.2, Error Number
>0x800ccc0f)"
>
>
>Has this error message ever happened to anyone? Pls help.

Have you checked your server logs? They are your primary source of information.

--

By the way, your linux distro is very old, and unsupported by redhat. I recommend switching to a supported distribution, for many reasons.

hth

Ugo.

>
>Thanks
>
>Rosaldo G. Garcia
>Systems Administrator
>Intermedia Solutions Inc. (http://www.imgame.net)
>

From rggarcia at IMGAME.NET Thu Feb 19 08:05:58 2004
From: rggarcia at IMGAME.NET (Rosaldo Garcia)
Date: Thu Jan 12 21:22:35 2006
Subject: Redhat 7.3 + Postfix-1.1.7-2 + MailScanner-4.26.7-1.tar.gz
Message-ID:

Hi,

Just to clarify my previous mail: I'm running redhat 7.3, postfix-1.1.7-2 and MailScanner-4.26.7-1.tar.gz. When I try to send/receive mail I get this error message:

" The TCP/IP connection was unexpectedly terminated by the server. (Account:192.168.0.2, SMTP Server:192.168.0.2, Error Number 0x800ccc0f)"

Any help is much appreciated.

Thanks in advance

Rosaldo G. Garcia
Systems Administrator
Intermedia Solutions Inc.
(http://www.imgame.net) From drew at THEMARSHALLS.CO.UK Thu Feb 19 08:20:19 2004 From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:35 2006 Subject: Silent Viruses update In-Reply-To: <40338026.4030408@sghms.ac.uk> References: <403262DA.6090209@bangor.ac.uk> <40338026.4030408@sghms.ac.uk> Message-ID: <30792.194.70.180.170.1077178819.squirrel@net.themarshalls.co.uk> Daniel Bird said: > Martin Sapsed wrote: > >> Anyone still maintaining a Silent Viruses list should add Tanx to it if >> they use Sophos. I think Symantec have put it in the Beagle family. >> Don't know about the others. > > Mcafee have it listed as W32/Netsky.b@MM. > > We just have added '@MM' to our list of silent viruses which I belive > should do the trick for all the mass mailing worms from now on.. > I run 2 antivirus products, just for my own peace of mind, if I list, for example, @MM as a silent viruses, will MailScanner accept the virus as a silent one even if the second antivirus product doesn't use the same virus name (And therefore may not be listed as silent)? Drew > Dan > >> >> Anyone who's given up on notifying senders about Viruses, please ignore >> this message! >> >> Cheers, >> >> Martin >> >> -- >> Martin Sapsed >> Information Services "Who do you say I am?" >> University of Wales, Bangor Jesus of Nazareth >> > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From mailscanner at ecs.soton.ac.uk Thu Feb 19 09:16:28 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:35 2006 Subject: Silent Viruses update In-Reply-To: <30792.194.70.180.170.1077178819.squirrel@net.themarshalls. 
co.uk> References: <403262DA.6090209@bangor.ac.uk> <40338026.4030408@sghms.ac.uk> <30792.194.70.180.170.1077178819.squirrel@net.themarshalls.co.uk> Message-ID: <6.0.1.1.2.20040219091549.03d086f8@imap.ecs.soton.ac.uk> At 08:20 19/02/2004, you wrote: >Daniel Bird said: > > Martin Sapsed wrote: > > > >> Anyone still maintaining a Silent Viruses list should add Tanx to it if > >> they use Sophos. I think Symantec have put it in the Beagle family. > >> Don't know about the others. > > > > Mcafee have it listed as W32/Netsky.b@MM. > > > > We just have added '@MM' to our list of silent viruses which I belive > > should do the trick for all the mass mailing worms from now on.. > > >I run 2 antivirus products, just for my own peace of mind, if I list, for >example, @MM as a silent viruses, will MailScanner accept the virus as a >silent one even if the second antivirus product doesn't use the same virus >name (And therefore may not be listed as silent)? It should treat it as silent if one of the "Silent Viruses" names appears anywhere in the virus report. So the answer to your question is "yes". -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 19 09:10:04 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:35 2006 Subject: Fwd: Perl version In-Reply-To: <20040219001613.95255.qmail@web41313.mail.yahoo.com> References: <20040219001613.95255.qmail@web41313.mail.yahoo.com> Message-ID: <6.0.1.1.2.20040219090952.038cae48@imap.ecs.soton.ac.uk> It should just be using /usr/bin/perl. At 00:16 19/02/2004, you wrote: >Am I practicing bad list-iquette? Or does *no one* >have any input/assistance on this scenario? Somone >please enlighten/validate...? > > > > Can anyone advise me on this? 
> >
> > The customer's machine has two instances of Perl, one
> > "real" one (for system purposes) and an updated
> > version (5.8) in /home/spam-filter - along with SA.
> >
> > perl -e 'print @INC;' shows the following output:
> >
> > >/usr/lib/perl5/5.00503/i386-linux/usr/lib/perl5/5.00503/usr/lib/perl5/site_perl/5.005/i386-linux/usr/lib/perl5/site_perl/5.005.
> >
> > Yet, MailScanner is using the SA and Perl in
> > /home/spam-filter. How is this done and how can I be
> > sure not to break it when upgrading SA?
> >
> > TIA,
> >
> > Stefan
> >
>
>__________________________________
>Do you Yahoo!?
>Yahoo! Mail SpamGuard - Read only the mail you want.
>http://antispam.yahoo.com/tools

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 19 09:15:15 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:35 2006
Subject: how to troubleshoot timeouts
In-Reply-To: <403469C2.3050006@fractalweb.com>
References: <403469C2.3050006@fractalweb.com>
Message-ID: <6.0.1.1.2.20040219091319.038cb0d8@imap.ecs.soton.ac.uk>

At 07:46 19/02/2004, you wrote:
>Hi everyone,
>
>After enjoying the last couple of months with only the occasional
>spamassassin timeout (about 1 a week), I'm now getting a few dozen a
>day. Yesterday I had 84--today 24.
>
>Last night I ran "sa-learn --force-expire" and "sa-learn --rebuild" to
>see if that might fix the problem, but I guess not.
>
>Is there any way of turning on extra-verbose logging in spamassassin or
>mailscanner to see where exactly it's timing out? Could it be one of my
>blackhole lists?
>
>What are the steps to troubleshoot spamassassin timeouts?

In MailScanner.conf, set

    Debug = yes
    Debug SpamAssassin = yes

then kill all your MailScanner processes. Wait for a few emails (4 or 5 will do) to appear in mqueue.in, then run check_mailscanner.
When the SpamAssassin output pauses (it will spew up the screen very fast normally), thump Ctrl-S to pause it. (Ctrl-Q starts it again). Read the last few lines of output and you should get an idea what is holding it up. If it mentions cloudmark.com just before you stopped it, that's Razor. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 19 09:08:14 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:35 2006 Subject: queue.in clog In-Reply-To: <6.0.0.22.2.20040218154118.02045318@spyderinternet.com> References: <6.0.0.22.2.20040218142637.020d05a8@spyderinternet.com> <1077137729.7108.13.camel@mike-new2.tc3net.com> <6.0.0.22.2.20040218154118.02045318@spyderinternet.com> Message-ID: <6.0.1.1.2.20040219090802.038cabb8@imap.ecs.soton.ac.uk> In which case you might just have to not use the auto-whitelist. At 22:08 18/02/2004, you wrote: >well, thanks to the debug from below, its looking like its not able to use >the spamassassin autowhite list, its saying its there, but unable to open >file. In looking at the permissions, it was set to 600 so changed to 777 >and no change, same error. Backed up the files that were there, removed >all, including the auto-whitelist and restarted mailscanner, it created the >auto-whitelist and remade the users_pref. Restarted mailscanner in debug >and it goes on through now, but its still queuing incoming mail its >apparently using some kind of .lock file and locking the autowhitelist, >when the next scanner runs, its not allowing the file to be read, so its >queuing and basically halting the send part. 
> > >Feb 18 16:00:58 web2 MailScanner[14564]: Using locktype = flock >Feb 18 16:00:59 web2 MailScanner[14564]: New Batch: Found 453 messages waiting >Feb 18 16:00:59 web2 MailScanner[14564]: New Batch: Forwarding 9 unscanned >messages, 11695 bytes >Feb 18 16:00:59 web2 MailScanner[14564]: New Batch: Scanning 200 messages, >6212350 bytes > >next time mailscanner runs > >Feb 18 16:01:19 web2 MailScanner[14946]: New Batch: Found 456 messages waiting >Feb 18 16:01:19 web2 MailScanner[14946]: New Batch: Forwarding 9 unscanned >messages, 11695 bytes >Feb 18 16:01:19 web2 MailScanner[14946]: New Batch: Scanning 200 messages, >6212350 bytes > >it does this and the queue just grows and nothing seems to send except a >small few. > > >thanks >Michael > > >At 02:55 PM 2/18/2004, you wrote: > >>Run through a debug, (change some a couple of config options in >>MailScanner.conf, Debug=yes, Spamassassin Debug = Yes). Stop >>MailScanner, and restart it, then it will run through a batch in a >>verbose mode, by observing it, you can see where the hang up is. Usually >>it's one of the spamassassin test (Razor2, DCC, RBL checks), which you >>can turn off/on in the spam_prefs for MailScanner, or reduce the >>timeouts or whatever, after you determine which one is delaying your >>queue.in processing. >> >>Regards >>MIKE >> >> > Sorry if this is an old question... >> > >> > Im running MailScanner v4.25.14 >> > Sophos Version 3.78 >> > Redhat 7.3 >> > >> > >> > im seeing tons of mail getting into the scanner queue, but im seeing very >> > little going out. The queue.in is constanly growing (right now shows >> approx >> > 2K messages waiting to scan). Right now there is approx a 40 min delay >> > between receiving and actually sending the message. Any help would be much >> > appreciated in speeding this up.This just started a few days ago. We >> have 8 >> > children running, the delay is about 20 min from each "MailScanner" >> log. 
It >> > seems to scan about 50 messages wait 20-25 min then scans another 50 >> > messages. We've increased the children, the file scan size, etc,etc. >> > >> > >> > Thanks in Advance. >> > Michael >> > >> > >> > -- >> > Outgoing mail is certified Virus Free. >> > Checked by AVG Anti-Virus (http://www.grisoft.com). >> > Version: 7.0.211 / Virus Database: 261.9.6 - Release Date: 2/18/2004 >> > >> >>-- >>This message has been scanned for viruses and >>dangerous content by our MailScanner, and is >>believed to be clean. >> >> >> >> >>-- >>Incoming mail is certified Virus Free. >>Checked by AVG Anti-Virus (http://www.grisoft.com). >>Version: 7.0.211 / Virus Database: 261.9.6 - Release Date: 2/18/2004 > > >-- >Outgoing mail is certified Virus Free. >Checked by AVG Anti-Virus (http://www.grisoft.com). >Version: 7.0.211 / Virus Database: 261.9.6 - Release Date: 2/18/2004 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 19 09:11:01 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:35 2006 Subject: Hello? (was Re: Adding Envelope Headers?) In-Reply-To: <4033DC27.34BB2DA7@ucsc.edu> References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> <402D4E48.1A8709B1@ucsc.edu> <40329E21.7D82BCA5@ucsc.edu> <4033DC27.34BB2DA7@ucsc.edu> Message-ID: <6.0.1.1.2.20040219091017.03d08320@imap.ecs.soton.ac.uk> Sorry, haven't got time to respond to everyone. I suggest the silence means no-one else either a) has enough info from you to work out what the problem is, or b) doesn't know. At 21:41 18/02/2004, you wrote: >John Rudd wrote: > > > > John Rudd wrote: > > > > > > Julian Field wrote: > > > > > > > > At 14:00 13/02/2004, you wrote: > > > > > > > >X-Envelope-To: > > > > > > > I am of the opinion that ... 
> > > > putting in the envelope recipient is a bad idea. > > > > > [snip] > > > When you know that the MTA will do the right thing, it's not "a bad > > > idea". And for some MTA's, it's definitely "the right idea". > > > > So, does the lack of response to my two messages indicate they fell on > > deaf ears? Are my arguments unconvincing? > > > >*tap*tap*tap* Is this thing on? > >Beuller? Beuller? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From P.G.M.Peters at utwente.nl Thu Feb 19 09:36:23 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:35 2006 Subject: Stop scanning of outgoing mails? In-Reply-To: References: <54C38A0B814C8E438EF73FC76F362927410909@mtlnt501fs.CAMOROUTE.COM> <4033FE5A.A4556AF6@ucsc.edu> Message-ID: <0r0930tq6nhf1nj8akmrq6uj993k3poa8d@4ax.com> On Thu, 19 Feb 2004 02:31:35 +0100, you wrote: >> How about doing it by IP address? Doesn't "From:", when presented with >> an IP address, use the relay's IP addr and not the email address of the >> sender? > >Yes, but the sender is not the machine but an SMTP authenticated client. I >cannot whitelist the whole world there. I am not experienced with authenticated SMTP use but wouldn't it be possible to get the IP-address of the authenticated client somewhere and use a custom function to whitelist? -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From slwatts at WINCKWORTHS.CO.UK Thu Feb 19 10:33:21 2004 From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:22:35 2006 Subject: Feature concept... "noisy viruses"? 
Message-ID:

Or if you just have one host and run sophos this works (it ain't pretty tho!):

    zgrep "Virus '.*' found" /var/log/mail* | sed "s/[^']*//" | sed "s/found .*//" | sort | uniq -c | sort -n

-----Original Message-----
From: Tony Finch [mailto:dot@DOTAT.AT]
Sent: 18 February 2004 20:04
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Feature concept... "noisy viruses"?

Craig Daters wrote:
>How are you guys generating these lists, where is the info coming from?

    for host in a b c d e f
    do
        ssh $host zgrep "'McAfee said.*!!!'" /spool/MailScanner/log/maillog*
    done | sed 's/[^"]*//' | sort | uniq -c | sort -n

Tony.
--
f.a.n.finch http://dotat.at/
LUNDY FASTNET: EAST BACKING NORTHEAST 3 OR 4, OCCASIONALLY 5. FAIR. GOOD.

--------------

Winckworth Sherwood
Solicitors and Parliamentary Agents
DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR
Telephone 020 7593 5000 Fax 020 7593 5099

-Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system.

-Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email.

-Regulation- The firm is regulated by the Law Society.

-Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at http://www.winckworths.co.uk

From martyn at INVICTAWIZ.COM Thu Feb 19 11:45:30 2004
From: martyn at INVICTAWIZ.COM (Martyn Routley)
Date: Thu Jan 12 21:22:35 2006
Subject: Silent Viruses update
In-Reply-To: <30792.194.70.180.170.1077178819.squirrel@net.themarshalls.co.uk>
Message-ID:

As a wishlist item is there a possibility of a Silent Viruses List that could be fetched (from the MailScanner web site?) by a cron job?
Martyn Routley > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Drew Marshall > Sent: Thursday, February 19, 2004 8:20 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] Silent Viruses update > > > Daniel Bird said: > > Martin Sapsed wrote: > > > >> Anyone still maintaining a Silent Viruses list should add Tanx to it if > >> they use Sophos. I think Symantec have put it in the Beagle family. > >> Don't know about the others. > > > > Mcafee have it listed as W32/Netsky.b@MM. > > > > We just have added '@MM' to our list of silent viruses which I belive > > should do the trick for all the mass mailing worms from now on.. > > > I run 2 antivirus products, just for my own peace of mind, if I list, for > example, @MM as a silent viruses, will MailScanner accept the virus as a > silent one even if the second antivirus product doesn't use the same virus > name (And therefore may not be listed as silent)? > > Drew > > Dan > > > >> > >> Anyone who's given up on notifying senders about Viruses, please ignore > >> this message! > >> > >> Cheers, > >> > >> Martin > >> > >> -- > >> Martin Sapsed > >> Information Services "Who do you say I am?" > >> University of Wales, Bangor Jesus of Nazareth > >> > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > > -- > In line with our policy, this message has > been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > www.themarshalls.co.uk/policy > > > ----------------------------------------------------------------------------- > This message has been scanned for viruses and > dangerous content by the http://www.anti84787.com > MailScanner, and is believed to be clean. 
> ----------------------------------------------------------------------------- > > ----------------------------------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. ----------------------------------------------------------------------------- From Kevin.Spicer at BMRB.CO.UK Thu Feb 19 11:54:12 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:35 2006 Subject: Silent Viruses update Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AA3@pascal.priv.bmrb.co.uk> >As a wishlist item is there a possibility of a Silent Viruses List that could be >fetched >(from the MailScanner web site?) by a cron job? If someone were to maintain such a list as a ruleset, it would be easy to script automatically fetching it via cron. I haven't checked but I presume that Silent viruses can be a ruleset? The complication is that different scanners give differrent names to the same viruses. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Thu Feb 19 12:21:32 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:35 2006 Subject: Silent Viruses update In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649AA3@pascal.priv.bmrb. 
co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649AA3@pascal.priv.bmrb.co.uk> Message-ID: <6.0.1.1.2.20040219122014.04144a88@imap.ecs.soton.ac.uk> I have considered this before. So few new viruses use real sender addresses that the whole exercise really isn't worth the bother. I would just waste someone's time looking up every different name for every new virus that appeared. Far easier to put "All-Viruses" in there and forget about it. At 11:54 19/02/2004, you wrote: > >As a wishlist item is there a possibility of a Silent Viruses List that > could be > >fetched > >(from the MailScanner web site?) by a cron job? > >If someone were to maintain such a list as a ruleset, it would be easy to >script automatically fetching it via cron. I haven't checked but I >presume that Silent viruses can be a ruleset? > >The complication is that different scanners give differrent names to the >same viruses. > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From JLM939 at HOTMAIL.COM Thu Feb 19 03:15:52 2004 From: JLM939 at HOTMAIL.COM (JLM) Date: Thu Jan 12 21:22:35 2006 Subject: MailScanner on Mac OS X In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C401EA69@dc012.corpdsg.com> Message-ID: Ryan Finnesey asked: > Can I ask why OS X? 
Because my particular production environment is using Xserve hardware, and because that's the OS I'm most familiar with. Nearly all the other XAMS team members use some flavor of Linux. John Rudd helpfully suggested: > f sounds like you're using the HPUX stanza instead of the BSD stanza in > the check_mailscanner script. Make sure the BSD stanza is the one > you're using (make sure the conditions work out, etc.). Thanks for the suggestion, John. I'll take a look at that and see what I can figure out. Regarding item [4] below... After looking through the MailScanner code, it appears that the CustomConfig.pm routines are called from several different places. It seems that in some cases the ($message) is passed to the custom routines, and in some cases it is not. So when our custom routine is called from sendmail2... sendmail2 = &XAMSTMDAMailer .for some reason MailScanner isn't passing the ($message) to the XAMSTMDAMailer custom routine. We can't seem to determine why. Does anyone have any thoughts on this? Also, as I mentioned before, it would be great if we could figure out a way to get MailScanner to successfully run as the "mail" user on OS X. I've searched the archives, and it seems people on other platforms have experienced the same problem in the past. I seem to gather that it's been fixed for most environments, but perhaps not for OS X. Any suggestions for troubleshooting this would be *most* appreciated. Sincere thanks, Justin > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of JLM > Sent: Wednesday, February 18, 2004 12:50 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MailScanner on Mac OS X > > > Hi folks, > > I'm trying to get MailScanner (4.26.8-1) functioning properly on Mac OS X > Server (10.3.2), and I'm running into a few trouble spots. 
I'm using > MailScanner along with XAMS 0.0.15-RC4, which is a flexible and intuitive > email management system that is designed to work along with Exim, > Courier-IMAP, and MySQL. > > http://www.xams.org/ > > The trouble spots I'm running into are: > > [1] At launch, MailScanner complains: "ps: illegal option -- f" This seems > to be related to check_mailscanner, but other than that I don't anything > about this error, how important it is, and whether there's anything we can > do to fix it on Mac OS X. Any thoughts or suggestions would be much > appreciated. > > [2] I can't seem to get MailScanner to run as mail:mail (GID=6, UID=6). This > occurred on both the Jaguar (10.2.6) and Panther (10.3.2) versions of Mac OS > X that I have installed MailScanner on. I have to comment out the "Run as > user = " and "Run as Group = " lines in order to get MailScanner to run. > Does anyone have any suggestions as to how we might fix this? We'd rather > not have MailScanner running as root if we can avoid it. > > [3] Other than the above, MailScanner appears to function normally. However, > after a few hours of normal operation, the following error began repeatedly > appearing in the mail log: > > Feb 17 12:44:31 localhost MailScanner[2965]: File containing list of > incoming queue dirs (/var/spool/exim-incoming/input) does not exist > > There is indeed a /var/spool/exim-incoming/input directory. I'm a bit > puzzled as to why MailScanner thinks there is a file containing a list of > incoming queue dirs at that location. Both the incoming and outgoing queue > directories are specified in the mailscanner.conf file. > > MailScanner appears to continue functioning normally, so once again it's not > clear how important this error is. Nonetheless, can anyone shed any light on > what's causing this and how I might fix it? > > [4] After mail has been scanned for viruses and run through SpamAssassin, it > may then be fed to TMDA if the spam/ham analysis is inconclusive. 
> > [I fully realize that many people are not big fans of challenge/response > systems such as TMDA. Please keep in mind that messages with low spam scores > are delivered unchallenged, and messages with high spam scores are discarded > outright (again, without being challenged). The only messages that will be > challenged are the very rare messages that SpamAssassin can't convincingly > classify as either spam or ham. It is our hope that this method will address > many of the objections against challenge/response systems.] > > I'm working with the other folks on the XAMS team to put together a few > routines to pass mail from MailScanner to TMDA. The following test routines > were added to the CustomConfig.pm component of MailScanner: > > ### Begin: Test routines added to CustomConfig.pm ### > > use Data::Dumper; > sub InitXAMSTMDAMailer {} > > sub XAMSTMDAMailer > { > my ($message) = @_; > $|++; > open XAMS_TMDA_FH, '>>/tmp/xams_tmda_mailer.log'; > print XAMS_TMDA_FH Dumper($message) . '=' x 80 . "\n"; > print XAMS_TMDA_FH "XAMSTMDAMailer was here\n"; > close XAMS_TMDA_FH; > return '/usr/local/exim/bin/exim -DMAILSCANNER_OUTGOING=On'; > } > > sub EndXAMSTMDAMailer {} > > ### End: Test routines added to CustomConfig.pm ### > > When a message is received by MailScanner and triggers the above routines, > it delivers the mail but does two unexpected things: > > 1. The output of the first print command is: "$VAR1 = undef;" > Can anyone think of why that might be? Any suggestions would be very, > very helpful. > > 2. It repeats the output five times (see below). I realize that MailScanner > has five processes running at any given time, but why are all five > processing these routines when a message is received? > > Output: > > $VAR1 = undef; > ==================================================================== > XAMSTMDAMailer was here > > (repeated another four times) > > Does anyone have any ideas as to why this is being repeated five times? 
>
>
> I realize this is a lot of questions to throw to the list at once. I and the
> other members of the XAMS team would be most grateful for any advice you can
> offer.
>
> On behalf of the XAMS team, thanks in advance for any pointers you might
> have for us!
>
> Best,
>
> Justin
>
> PS:
>
> I'd like to take a moment to recognize the superb support I've received so
> far from Nick Phillips, who has selflessly devoted his time to help me get
> MailScanner running on Mac OS X (in at least a basic incarnation). Without
> his guidance, I would never have even made it this far. Many thanks, Nick!
>

From martinh at SOLID-STATE-LOGIC.COM Thu Feb 19 12:55:49 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:35 2006
Subject: repeated messages
Message-ID: <4034B255.7030003@solid-state-logic.com>

is it just me or is jiscmail repeating, I said repeating, itself

(oh dear too much telly, Coronation Street in my email :-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From christo at IT4AFRICA.CO.ZA Thu Feb 19 12:57:44 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:35 2006
Subject: Message attached as attachment to Email
Message-ID: <017801c3f6e7$f7bbbca0$660210ac@christoxp>

All of a sudden all messages on my server are attached as text messages to
the existing email message. Did I miss something somewhere.

My config.
RH9 mailscanner-4.26.8-1

Thanx
Christo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040219/d4778eb4/attachment.html

From ugob at CAMO-ROUTE.COM Thu Feb 19 13:41:02 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:35 2006
Subject: repeated messages
Message-ID: <54C38A0B814C8E438EF73FC76F36292741090F@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]
>Sent: 19 February, 2004 07:56
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: repeated messages
>
>
>is it just me or is jiscmail repeating, I said repeating, itself

same here, hope it is not my mistake...

>
>(oh dear too much telly, Coronation Street in my email :-)
>
>--
>Martin Hepworth
>Snr Systems Administrator
>Solid State Logic
>Tel: +44 (0)1865 842300
>
>**********************************************************************
>
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the system manager.
>
>This footnote confirms that this email message has been swept
>for the presence of computer viruses and is believed to be clean.
>
>**********************************************************************
>

From drew at THEMARSHALLS.CO.UK Thu Feb 19 13:44:48 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:35 2006
Subject: repeated messages
In-Reply-To: <54C38A0B814C8E438EF73FC76F36292741090F@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F36292741090F@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <11867.194.70.180.170.1077198288.squirrel@net.themarshalls.co.uk>

Ugo Bellavance said:
>>-----Original Message-----
>>From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]
>>Sent: 19 February, 2004 07:56
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: repeated messages
>>
>>
>>is it just me or is jiscmail repeating, I said repeating, itself
>
> same here, hope it is not my mistake...

and here, so I don't think so. It goes with some earlier messages which
spend 2 hours plus on one of the jiscmail servers on its way to the
listserver. Nice to know it's not just me that can have technical 'issues'.

>>
>>(oh dear too much telly, Coronation Street in my email :-)
>>
>>--
>>Martin Hepworth
>>Snr Systems Administrator
>>Solid State Logic
>>Tel: +44 (0)1865 842300
>>
>>**********************************************************************
>>
>>This email and any files transmitted with it are confidential and
>>intended solely for the use of the individual or entity to whom they
>>are addressed. If you have received this email in error please notify
>>the system manager.
>>
>>This footnote confirms that this email message has been swept
>>for the presence of computer viruses and is believed to be clean.
>>
>>**********************************************************************
>>
>

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From dot at DOTAT.AT Thu Feb 19 14:00:11 2004
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:22:35 2006
Subject: repeated messages
In-Reply-To:
Message-ID:

Martin Hepworth wrote:
>is it just me or is jiscmail repeating, I said repeating, itself

There's an idiot with a broken Microsoft system that's re-injecting
messages. The culprit is somewhere in the vicinity of 213.53.128.28
which whois tells me is tommy-europe.com.
Received: from nldams0122 ([213.53.128.28])
        by kili.jiscmail.ac.uk (8.12.8/8.12.8) with ESMTP id i1JDrYfn003561
        for ; Thu, 19 Feb 2004 13:53:47 GMT
Received: from mail pickup service by nldams0122 with Microsoft SMTPSVC;
        Thu, 19 Feb 2004 14:49:11 +0100
Received: from smtp.jiscmail.ac.uk ([130.246.192.48]) by nldams0122 with Microsoft SMTPSVC(5.0.2195.6713);
        Wed, 18 Feb 2004 21:14:08 +0100
Received: from LISTSERV.JISCMAIL.AC.UK (jiscmail.ac.uk) by smtp.jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id <0.003F1C0C@smtp.jiscmail.ac.uk>; Wed, 18 Feb 2004 20:14:26 +0000
Received: from JISCMAIL.AC.UK by JISCMAIL.AC.UK (LISTSERV-TCP/IP release 1.8e)
        with spool id 33072418 for MAILSCANNER@JISCMAIL.AC.UK; Wed, 18 Feb
        2004 20:14:26 +0000
Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0i) with TCP;
        Wed, 18 Feb 2004 20:04:25 GMT

Tony.
--
f.a.n.finch http://dotat.at/
SHETLAND ISLES: WEST 2 OR 3 BECOMING SOUTHWEST 3 OR 4. FAIR AT FIRST, SOME
MIST OR FOG PATCHES LATER. GOOD OR MODERATE BECOMING POOR AT TIMES IN MIST OR
FOG PATCHES. SLIGHT.

From bpumphrey at WOODMACLAW.COM Thu Feb 19 14:11:51 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:22:35 2006
Subject: Send Spam to Folder?
Message-ID:

This may not be exactly what you're looking for but in the MailScanner.conf
file on the options of what to do with spam, there is a forward
option. You will see this option for the low and high scoring spam.

Be something like this:
forward spam@domain.com

-----Original Message-----
From: Mike McMullen [mailto:mlm@LOANPROCESSING.NET]
Sent: Wednesday, February 18, 2004 6:26 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Send Spam to Folder?


Hi All,

Is there an easy way to get mail marked as spam automatically
moved to a folder (mbox format) in a user's IMAP mail folders?

I'm new at trying to do this stuff so any easy examples or
pointers would be of great help.
Thanks,

Mike

From mailscanner at ecs.soton.ac.uk Thu Feb 19 13:59:09 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:35 2006
Subject: Message attached as attachment to Email
In-Reply-To: <017801c3f6e7$f7bbbca0$660210ac@christoxp>
References: <017801c3f6e7$f7bbbca0$660210ac@christoxp>
Message-ID: <6.0.1.1.2.20040219135819.041612a8@imap.ecs.soton.ac.uk>

At 12:57 19/02/2004, you wrote:
>All of a sudden all messages on my server are attached as text messages to
>the existing email message. Did I miss something somewhere.
>
>My config. RH9 mailscanner-4.26.8-1

Sounds like one of the following:
a) your non-spam actions are set to "deliver attachment" rather than just
"deliver"
or
b) all your mail is being marked as spam, and you have your spam actions
set to "deliver attachment".
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 19 14:20:12 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:35 2006
Subject: Fwd: Re: repeated messages
Message-ID: <6.0.1.1.2.20040219141845.04166eb0@imap.ecs.soton.ac.uk>

Wilfred,

Your mailing list membership has been suspended until you get a chance to
fix your mail system, which is reinjecting messages you have received back
into the MailScanner mailing list.

>Date: Thu, 19 Feb 2004 14:00:11 +0000
>Reply-To: MailScanner mailing list
>Sender: MailScanner mailing list
>From: Tony Finch
>Subject: Re: repeated messages
>To: MAILSCANNER@JISCMAIL.AC.UK
>
>Martin Hepworth wrote:
> >is it just me or is jiscmail repeating, I said repeating, itself
>
>There's a person with a broken Microsoft system that's re-injecting
>messages. The culprit is somewhere in the vicinity of 213.53.128.28
>which whois tells me is tommy-europe.com.
> >Received: from nldams0122 ([213.53.128.28]) > by kili.jiscmail.ac.uk (8.12.8/8.12.8) with ESMTP id i1JDrYfn003561 > for ; Thu, 19 Feb 2004 13:53:47 GMT >Received: from mail pickup service by nldams0122 with Microsoft SMTPSVC; > Thu, 19 Feb 2004 14:49:11 +0100 >Received: from smtp.jiscmail.ac.uk ([130.246.192.48]) by nldams0122 with >Microsoft SMTPSVC(5.0.2195.6713); > Wed, 18 Feb 2004 21:14:08 +0100 >Received: from LISTSERV.JISCMAIL.AC.UK (jiscmail.ac.uk) by >smtp.jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id ><0.003F1C0C@smtp.jiscmail.ac.uk>; Wed, 18 Feb 2004 20:14:26 +0000 >Received: from JISCMAIL.AC.UK by JISCMAIL.AC.UK (LISTSERV-TCP/IP release 1.8e) > with spool id 33072418 for MAILSCANNER@JISCMAIL.AC.UK; Wed, 18 Feb > 2004 20:14:26 +0000 >Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0i) with TCP; > Wed, 18 Feb 2004 20:04:25 GMT > >Tony. >-- >f.a.n.finch http://dotat.at/ >SHETLAND ISLES: WEST 2 OR 3 BECOMING SOUTHWEST 3 OR 4. FAIR AT FIRST, SOME >MIST OR FOG PATCHES LATER. GOOD OR MODERATE BECOMING POOR AT TIMES IN MIST OR >FOG PATCHES. SLIGHT. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 19 14:27:11 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:35 2006 Subject: Send Spam to Folder? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040219142039.04020828@imap.ecs.soton.ac.uk> The standard way of achieving this with POP users is to have a second username for every user, that has a name like username+spam for which mail is delivered into a separate mailbox. Using a procmail setup, you could achieve the same thing for their IMAP spam folder. You then write a trivial little Custom Function which for a user "username" returns "forward username+spam" as the "Spam Actions" setting. 
Procmail then picks up the new username+spam in the envelope recipient and delivers it into their spam mailbox. Does anyone else agree that will work? At 14:11 19/02/2004, you wrote: >This may not be exacly what your looking for but in the MailScannere.conf >file on the options of what to do with spam, there is a forward >option. You will see this option for the low and high scoring spam. > >Be something like this: >forward spam@domain.com > >-----Original Message----- >From: Mike McMullen [mailto:mlm@LOANPROCESSING.NET] >Sent: Wednesday, February 18, 2004 6:26 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Send Spam to Folder? > > >Hi All, > >Is there an easy way to get mail marked as spam automatically >moved to a folder (mbox format) in a user's IMAP mail folders? > >I'm new at trying to do this stuff so any easy examples or >pointers would be of great help. > >Thanks, > >Mike -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From christo at IT4AFRICA.CO.ZA Thu Feb 19 14:37:35 2004 From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:35 2006 Subject: Message attached as attachment to Email {Virus Scanned} In-Reply-To: <6.0.1.1.2.20040219135819.041612a8@imap.ecs.soton.ac.uk> Message-ID: <019501c3f6f5$ea4c5f80$660210ac@christoxp> Both settings is set to store and store only. This started from yesterday at round about 5pm. > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field > Sent: 19 February 2004 03:59 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Message attached as attachment to Email {Virus Scanned} > > > At 12:57 19/02/2004, you wrote: > >All of a sudden all messages on my server are attached as > text messages > >to the existing email message. Did I mis something somewhere. > > > >My config. 
RH9 mailscanner-4.26.8-1 > > Sounds like one of the following: > a) you non-spam actions are set to "deliver attachment" > rather than just "deliver" or > b) all your mail is being marked as spam, and you have your > spam actions set to "deliver attachment". > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Mailscanner thanks IT For Africa for their support. > From rggarcia at IMGAME.NET Thu Feb 19 14:42:40 2004 From: rggarcia at IMGAME.NET (Rosaldo Garcia) Date: Thu Jan 12 21:22:35 2006 Subject: Postfix + MailScanner HELP! Message-ID: Hello, Why is it when i try to put an # on ( smtp inet n - y - - smtpd ) under /etc/postfix/master.cf, i get this error The TCP/IP connection was unexpectedly terminated by the server. (Account:192.168.0.2, SMTP Server:192.168.0.2, Error Number 0x800ccc0f I successfully installed MailScanner and my postfix runs without error message when i put the # back. Any help is much appreciated. Rosaldo G. Garcia Systems Administrator Intermedia Solutions Inc. (http://www.imgame.net) From mlm at LOANPROCESSING.NET Thu Feb 19 14:43:05 2004 From: mlm at LOANPROCESSING.NET (Mike McMullen) Date: Thu Jan 12 21:22:35 2006 Subject: Send Spam to Folder? References: <6.0.1.1.2.20040219142039.04020828@imap.ecs.soton.ac.uk> Message-ID: <0fd701c3f6f6$af96f700$0300a8c0@Spike> From: "Julian Field" > The standard way of achieving this with POP users is to have a second > username for every user, that has a name like > username+spam > for which mail is delivered into a separate mailbox. Using a procmail > setup, you could achieve the same thing for their IMAP spam folder. > > You then write a trivial little Custom Function which for a user "username" > returns "forward username+spam" as the "Spam Actions" setting. 
Procmail > then picks up the new username+spam in the envelope recipient and delivers > it into their spam mailbox. > > Does anyone else agree that will work? > > At 14:11 19/02/2004, you wrote: > >This may not be exacly what your looking for but in the MailScannere.conf > >file on the options of what to do with spam, there is a forward > >option. You will see this option for the low and high scoring spam. > > > >Be something like this: > >forward spam@domain.com > > > >From: Mike McMullen [mailto:mlm@LOANPROCESSING.NET] > >Is there an easy way to get mail marked as spam automatically > >moved to a folder (mbox format) in a user's IMAP mail folders? > > > >I'm new at trying to do this stuff so any easy examples or > >pointers would be of great help. > > > >Thanks, > > > >Mike > Hi Julian, A sample procmail rule was posted yesterday. It looks for {Spam in the Subject and if found puts it in a Spam folder. I tried it yesterday and it has worked great for my IMAP mail account. I'm going to roll it out to my people today. I'd never done any procmail stuff but since getting this rule I've done a lot of looking at the examples and I've learned a lot. Thanks to everyone who replied. Mike From LISTSERV at JISCMAIL.AC.UK Thu Feb 19 14:44:21 2004 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:22:35 2006 Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK Message-ID: Your message is being returned to you unprocessed because it appears to have already been distributed to the MAILSCANNER list. That is, a message with identical text (but possibly with different mail headers) has been posted to the list recently, either by you or by someone else. If you have a good reason to resend this message to the list (for instance because you have been notified of a hardware failure with loss of data), please alter the text of the message in some way and resend it to the list. 
Note that altering the "Subject:" line or adding blank lines at the top or
bottom of the message is not sufficient; you should instead add a sentence
or two at the top explaining why you are resending the message, so that the
other subscribers understand why they are getting two copies of the same
message.
-------------- next part --------------
An embedded message was scrubbed...
From: Julian Field
Subject: Fwd: Re: repeated messages
Date: Thu, 19 Feb 2004 14:20:12 +0000
Size: 3818
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040219/612328b6/attachment.mht

From JFalgout at CO.JEFFERSON.CO.US Thu Feb 19 15:37:29 2004
From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout)
Date: Thu Jan 12 21:22:35 2006
Subject: Need some help stopping this spam . . .
Message-ID:

I need some help stopping this spam - It's driving me nuts!!

Here is the header:

Return-path:
Received: from ww11.co.jefferson.co.us [206.247.49.30]
        by gc6.jefferson.co.us; Thu, 19 Feb 2004 07:17:58 -0700
Received: from mail214.autocontactor.com (mail214.autocontactor.com [66.70.75.214])
        by ww11.co.jefferson.co.us (8.12.8/8.12.8) with SMTP id i1JEHrxB005133
        for ; Thu, 19 Feb 2004 07:17:54 -0700
XMailer: StrongMail 1.13.37
XMailing-Id: 00000::00000::00000::00000::0::356005
X-Destination-ID: postmaster@co.jefferson.co.us
X-VirtualServer: Default,mail214.autocontactor.com, 66.70.75.214
Message-ID: <1077199880.356006@sendtheinfo.com>
To: "Jane Doe"
Message-ID: <136090-220042419142721687@mail80.autocontactor.com>
Reply-To: ws@myhandwriting.com
From: "Bart"
x-1scdbg: mc:brt:15639:165598:1512600
X-SentTo: "Jane Doe"
Subject: LIVE from Sydney, your VIP invite to tomorrow's tele-class
Date: Thu, 19 Feb 2004 09:27:21 -0500
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
X-JeffCo-MailScanner-Information: Please contact the Help Desk for more information
X-JeffCo-MailScanner: Found to be clean
X-JeffCo-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.993,
        required 4, CLICK_BELOW 0.00, EXCUSE_14 0.15, LINES_OF_YELLING 0.01,
        ONE_TIME 0.53, ONE_TIME_MAILING 2.30)
X-JeffCo-MailScanner-SpamScore: 2

I've got autocontactor.com blacklisted in the spam.blacklist.rules file:

From: /autocontactor.com/ yes
From: /ws@myhandwriting.com/ yes
From: /myhandwriting.com/ yes

And I've got spam.assassin.prefs.conf configured to stop it also:

header HANDWRITING_SPAM From =~ /Bart Baggett, Handwriting University/
score HANDWRITING_SPAM 5.0
header HANDWRITING_SPAM From =~ /Bart, Handwriting University.com/
score HANDWRITING_SPAM 5.0
header HANDWRITING_SPAM From =~ /Handwriting University/
score HANDWRITING_SPAM 5.0
header HANDWRITING_SPAM From =~ /ws@myhandwriting.com/
score HANDWRITING_SPAM 5.0
header HANDWRITING_SPAM To =~ /"Jane Doe" \/
score HANDWRITING_SPAM 5.0
header HANDWRITING_SPAM X-SentTo =~ /"Jane Doe" \/
score HANDWRITING_SPAM 5.0
header HANDWRITING_SPAM X-VirtualServer =~ /autocontactor.com/
score HANDWRITING_SPAM 5.0

Why is this not working?

Thanks for any help

Jeff

From dwinkler at ALGORITHMICS.COM Thu Feb 19 15:39:10 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:35 2006
Subject: Need some help stopping this spam . . .
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1D0@tormail2.algorithmics.com>

You may want to give each of your SpamAssassin tests a different name, only
the last one gets used if you re-use the name.

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Jeff Falgout
> Sent: Thursday, February 19, 2004 10:37 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Need some help stopping this spam . . .
>
>
> I need some help stopping this spam - It's driving me nuts!!
> > Here is the header: > > Return-path: > Received: from ww11.co.jefferson.co.us [206.247.49.30] > by gc6.jefferson.co.us; Thu, 19 Feb 2004 07:17:58 -0700 > Received: from mail214.autocontactor.com (mail214.autocontactor.com > [66.70.75.214]) > by ww11.co.jefferson.co.us (8.12.8/8.12.8) with SMTP id > i1JEHrxB005133 > for ; Thu, 19 Feb 2004 07:17:54 > -0700 > XMailer: StrongMail 1.13.37 > XMailing-Id: 00000::00000::00000::00000::0::356005 > X-Destination-ID: postmaster@co.jefferson.co.us > X-VirtualServer: Default,mail214.autocontactor.com, 66.70.75.214 > Message-ID: <1077199880.356006@sendtheinfo.com> > To: "Jane Doe" > Message-ID: <136090-220042419142721687@mail80.autocontactor.com> > Reply-To: ws@myhandwriting.com > From: "Bart" > x-1scdbg: mc:brt:15639:165598:1512600 > X-SentTo: "Jane Doe" > Subject: LIVE from Sydney, your VIP invite to tomorrow's tele-class > Date: Thu, 19 Feb 2004 09:27:21 -0500 > MIME-Version: 1.0 > Content-type: text/plain; charset=iso-8859-1 > X-JeffCo-MailScanner-Information: Please contact the Help > Desk for more > information > X-JeffCo-MailScanner: Found to be clean > X-JeffCo-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.993, > required 4, CLICK_BELOW 0.00, EXCUSE_14 0.15, LINES_OF_YELLING > 0.01, > ONE_TIME 0.53, ONE_TIME_MAILING 2.30) > X-JeffCo-MailScanner-SpamScore: 2 > > > > I've got autocontactor.com blacklisted in the spam.blacklist.rules > file: > > From: /autocontactor.com/ yes > From: /ws@myhandwriting.com/ yes > From: /myhandwriting.com/ yes > > > And I've got spam.assassin.prefs.conf configured to stop it also: > > header HANDWRITING_SPAM From =~ /Bart Baggett, Handwriting > University/ > score HANDWRITING_SPAM 5.0 > header HANDWRITING_SPAM From =~ /Bart, Handwriting > University.com/ > score HANDWRITING_SPAM 5.0 > header HANDWRITING_SPAM From =~ /Handwriting University/ > score HANDWRITING_SPAM 5.0 > header HANDWRITING_SPAM From =~ /ws@myhandwriting.com/ > score HANDWRITING_SPAM 5.0 > header HANDWRITING_SPAM To 
=~ /"Jane Doe" > \/ > score HANDWRITING_SPAM 5.0 > header HANDWRITING_SPAM X-SentTo =~ /"Jane Doe" > \/ > score HANDWRITING_SPAM 5.0 > header HANDWRITING_SPAM X-VirtualServer =~ /autocontactor.com/ > score HANDWRITING_SPAM 5.0 > > > Why is this not working? > > Thanks for any help > > Jeff > From JFalgout at CO.JEFFERSON.CO.US Thu Feb 19 15:54:05 2004 From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout) Date: Thu Jan 12 21:22:35 2006 Subject: Need some help stopping this spam . . . Message-ID: >>> dwinkler@ALGORITHMICS.COM 2/19/2004 8:39:10 AM >>> >You may want to give each of your SpamAssassin tests a different name, only >the last one gets used if you re-use the name. > -----Original Message----- > > > header HANDWRITING_SPAM X-VirtualServer =~ /autocontactor.com/ > score HANDWRITING_SPAM 5.0 > > Ok - changed the rule names, but that still doesn't explain why it didn't get blacklisted or why the last rule didn't stick. From james at PCXPERIENCE.COM Thu Feb 19 16:14:14 2004 From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:22:35 2006 Subject: Send Spam to Folder? In-Reply-To: <05cd01c3f67e$fef3ab40$3e01a8c0@express.loanprocessing.net> References: <05cd01c3f67e$fef3ab40$3e01a8c0@express.loanprocessing.net> Message-ID: <4034E0D6.2070902@pcxperience.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mike McMullen wrote: | Hi All, | | Is there an easy way to get mail marked as spam automatically | moved to a folder (mbox format) in a user's IMAP mail folders? | | I'm new at trying to do this stuff so any easy examples or | pointers would be of great help. | | Thanks, | | Mike | If using cyrus imap, you can use sieve filtering to do this. - -- James A. Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. 
http://www.pcxperience.com/ http://www.xperienceinc.com/ http://www.pcxperience.org/ GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFANODWtUXjwPIRLVERAneKAJ9FFbb1AVWGseHs03kYz0NGDOJlDACfaD7t W6p8/GEFc3KvI/mkN4ryhVw= =IoHA -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mailscanner at ecs.soton.ac.uk Thu Feb 19 16:15:08 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:35 2006 Subject: Need some help stopping this spam . . . In-Reply-To: References: Message-ID: <6.0.1.1.2.20040219161345.0415fc18@imap.ecs.soton.ac.uk> MailScanner doesn't use the addresses that happen to be in the From: or To: headers, so blacklisting myhandwriting.com won't have any effect. MailScanner uses the envelope addresses. Fortunately your mail system is configured to put the envelope sender address in the "Return-path:" header so you have it readily available. What you want to do is From: sendtheinfo.com yes At 15:37 19/02/2004, you wrote: >I need some help stopping this spam - It's driving me nuts!! 
> >Here is the header: > >Return-path: >Received: from ww11.co.jefferson.co.us [206.247.49.30] > by gc6.jefferson.co.us; Thu, 19 Feb 2004 07:17:58 -0700 >Received: from mail214.autocontactor.com (mail214.autocontactor.com >[66.70.75.214]) > by ww11.co.jefferson.co.us (8.12.8/8.12.8) with SMTP id >i1JEHrxB005133 > for ; Thu, 19 Feb 2004 07:17:54 >-0700 >XMailer: StrongMail 1.13.37 >XMailing-Id: 00000::00000::00000::00000::0::356005 >X-Destination-ID: postmaster@co.jefferson.co.us >X-VirtualServer: Default,mail214.autocontactor.com, 66.70.75.214 >Message-ID: <1077199880.356006@sendtheinfo.com> >To: "Jane Doe" >Message-ID: <136090-220042419142721687@mail80.autocontactor.com> >Reply-To: ws@myhandwriting.com >From: "Bart" >x-1scdbg: mc:brt:15639:165598:1512600 >X-SentTo: "Jane Doe" >Subject: LIVE from Sydney, your VIP invite to tomorrow's tele-class >Date: Thu, 19 Feb 2004 09:27:21 -0500 >MIME-Version: 1.0 >Content-type: text/plain; charset=iso-8859-1 >X-JeffCo-MailScanner-Information: Please contact the Help Desk for more >information >X-JeffCo-MailScanner: Found to be clean >X-JeffCo-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.993, > required 4, CLICK_BELOW 0.00, EXCUSE_14 0.15, LINES_OF_YELLING >0.01, > ONE_TIME 0.53, ONE_TIME_MAILING 2.30) >X-JeffCo-MailScanner-SpamScore: 2 > > > >I've got autocontactor.com blacklisted in the spam.blacklist.rules >file: > >From: /autocontactor.com/ yes >From: /ws@myhandwriting.com/ yes >From: /myhandwriting.com/ yes > > >And I've got spam.assassin.prefs.conf configured to stop it also: > >header HANDWRITING_SPAM From =~ /Bart Baggett, Handwriting >University/ >score HANDWRITING_SPAM 5.0 >header HANDWRITING_SPAM From =~ /Bart, Handwriting >University.com/ >score HANDWRITING_SPAM 5.0 >header HANDWRITING_SPAM From =~ /Handwriting University/ >score HANDWRITING_SPAM 5.0 >header HANDWRITING_SPAM From =~ /ws@myhandwriting.com/ >score HANDWRITING_SPAM 5.0 >header HANDWRITING_SPAM To =~ /"Jane Doe" >\/ >score HANDWRITING_SPAM 5.0 
>header HANDWRITING_SPAM X-SentTo =~ /"Jane Doe"
>\/
>score HANDWRITING_SPAM 5.0
>header HANDWRITING_SPAM X-VirtualServer =~ /autocontactor.com/
>score HANDWRITING_SPAM 5.0
>
>
>Why is this not working?
>
>Thanks for any help
>
>Jeff

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From erik at AVONDEL.COM Thu Feb 19 16:26:56 2004
From: erik at AVONDEL.COM (Erik van der Meulen (by way of Erik van der Meulen ))
Date: Thu Jan 12 21:22:35 2006
Subject: Mailscanner on Debian Woody
Message-ID: <6.0.1.1.1.20040219172621.01bb28e8@192.168.1.2>

Dear all -

I am trying to set up Mailscanner on my Debian Woody mail server. On the
Mailscanner site I have found a document that seems to explain exactly
how to accomplish this:

 http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?_highlightWords=debian&file=226

However, the mailscanner package that is currently found in the unstable
tree is not the same version as mentioned in the document (4.26.7-2
instead of 4.24.5-1) and it does not install well at all.

If I do: dpkg --install mailscanner*.deb, I get:

Selecting previously deselected package mailscanner.
(Reading database ... 17953 files and directories currently installed.)
Unpacking mailscanner (from mailscanner_4.26.7-2_all.deb) ...
dpkg: dependency problems prevent configuration of mailscanner:
 mailscanner depends on libnet-cidr-perl; however:
  Package libnet-cidr-perl is not installed.
dpkg: error processing mailscanner (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 mailscanner

And if I try to start mailscanner later, I get:

Starting MailScanner...
Can't locate Net/CIDR.pm in @INC (@INC contains: /usr/share/MailScanner
/usr/local/lib/perl/5.6.1 /usr/local/share/perl/5.6.1 /usr/lib/perl5
/usr/share/perl5 /usr/lib/perl/5.6.1 /usr/share/perl/5.6.1
/usr/local/lib/site_perl/i386-linux /usr/local/lib/site_perl .
/usr/share/MailScanner) at /usr/share/MailScanner/MailScanner/Config.pm line 34.
BEGIN failed--compilation aborted at /usr/share/MailScanner/MailScanner/Config.pm line 34.
Compilation failed in require at /usr/sbin/MailScanner line 42.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 42

Now I am wondering if it would be possible to get this new mailscanner running on Woody at all, or if I should try to find the old package (4.24.5-1)?

Any suggestions much appreciated!

--
Erik van der Meulen

From mailscanner at ecs.soton.ac.uk Thu Feb 19 16:19:23 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:35 2006
Subject: Mailscanner on Debian Woody
In-Reply-To: <6.0.1.1.1.20040219172621.01bb28e8@192.168.1.2>
References: <6.0.1.1.1.20040219172621.01bb28e8@192.168.1.2>
Message-ID: <6.0.1.1.2.20040219161829.03e7cc98@imap.ecs.soton.ac.uk>

At 16:26 19/02/2004, you wrote:
>Dear all -
>
>I am trying to set up Mailscanner on my Debian Woody mail server. On the
>Mailscanner site I have found a document that seems to explain exactly
>how to accomplish this:
>
> http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?_highlightWords=debian&file=226
>
>However, the mailscanner package that is currently found in the unstable
>tree is not the same version as mentioned in the document (4.26.7-2
>instead of 4.24.5-1) and it does not install well at all.
>
>If I do: dpkg --install mailscanner*.deb, I get:
>
>Selecting previously deselected package mailscanner.
>(Reading database ... 17953 files and directories currently installed.)
>Unpacking mailscanner (from mailscanner_4.26.7-2_all.deb) ...
>dpkg: dependency problems prevent configuration of mailscanner:
> mailscanner depends on libnet-cidr-perl; however:
> Package libnet-cidr-perl is not installed.
>dpkg: error processing mailscanner (--install):
> dependency problems - leaving unconfigured
>Errors were encountered while processing:
> mailscanner
>
>And if I try to start mailscanner later, I get:
>
>Starting MailScanner...
>Can't locate Net/CIDR.pm in @INC (@INC contains: /usr/share/MailScanner
>/usr/local/lib/perl/5.6.1 /usr/local/share/perl/5.6.1 /usr/lib/perl5
>/usr/share/perl5 /usr/lib/perl/5.6.1 /usr/share/perl/5.6.1
>/usr/local/lib/site_perl/i386-linux /usr/local/lib/site_perl .
>/usr/share/MailScanner) at /usr/share/MailScanner/MailScanner/Config.pm
>line 34.
>BEGIN failed--compilation aborted at
>/usr/share/MailScanner/MailScanner/Config.pm line 34.
>Compilation failed in require at /usr/sbin/MailScanner line 42.
>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 42
>
>Now I am wondering if it would be possible to get this new mailscanner
>running on Woody at all, or if I should try to find the old package
>(4.24.5-1)?
>
>Any suggestions much appreciated!

You can install the Net::CIDR perl module, it's a tiny perl module.

perl -MCPAN -e shell
install Net::CIDR
quit

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Anjana.Patel at CRANFIELD.AC.UK Thu Feb 19 16:21:25 2004
From: Anjana.Patel at CRANFIELD.AC.UK (Patel, Anjana)
Date: Thu Jan 12 21:22:35 2006
Subject: messages not being scanned by uvscan -solved
Message-ID:

>
> I'm running MailScanner 4.26.8-1 on RedHat 7.3 and McAfee engine v4.2.40
>
> I recently upgraded our three mail gateways to the latest version of
> MailScanner and two are working ok but for some reason the third is not
> scanning for viruses (spam checking is working ok). The configuration
> on all three is the same apart from spamassassin. The other two are
> running 2.60 and the problem system is running 2.61.
>
> I've not used symbolic links in MailScanner.conf or in
> virus.scanners.conf
>
> uvscan --version reports the following:
>
> Virus Scan for Linux v4.24.0
> Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights
> reserved.
> (408) 988-3832 LICENSED COPY - Jan 27 2003
>
> Scan engine v4.2.40 for Linux.
> Virus data file v4326 created Feb 18 2004
> Scanning for 86216 viruses, trojans and variants.
>
> If I manually scan an infected file using the wrapper command it finds
> the virus.
>
> There are no errors in the maillog file to indicate any problems but
> I've sent viruses through and they pass undetected. Is there some
> debugging I can set up to try and find the problem?

After a whole day of testing - the problem turned out to be that /tmp which is part of the / file system was full so empty files were being created by exim and mailscanner was unable to write to these files. An error message by mailscanner (or should it be uvscan?) would have been handy. As this was a backup mx, it is not monitored as well as the other systems.

Anjana

From martinh at SOLID-STATE-LOGIC.COM Thu Feb 19 16:22:50 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:35 2006
Subject: Mailscanner on Debian Woody
In-Reply-To: <6.0.1.1.1.20040219172621.01bb28e8@192.168.1.2>
References: <6.0.1.1.1.20040219172621.01bb28e8@192.168.1.2>
Message-ID: <4034E2DA.10104@solid-state-logic.com>

Erik

use CPAN to install the CIDR perl module...???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Erik van der Meulen (by way of Erik van der Meulen ) wrote:
> Dear all -
>
> I am trying to set up Mailscanner on my Debian Woody mail server.
On the
> Mailscanner site I have found a document that seems to explain exactly
> how to accomplish this:
>
>
> http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?_highlightWords=debian&file=226
>
> However, the mailscanner package that is currently found in the unstable
> tree is not the same version as mentioned in the document (4.26.7-2
> instead of 4.24.5-1) and it does not install well at all.
>
> If I do: dpkg --install mailscanner*.deb, I get:
>
> Selecting previously deselected package mailscanner.
> (Reading database ... 17953 files and directories currently installed.)
> Unpacking mailscanner (from mailscanner_4.26.7-2_all.deb) ...
> dpkg: dependency problems prevent configuration of mailscanner:
> mailscanner depends on libnet-cidr-perl; however:
> Package libnet-cidr-perl is not installed.
> dpkg: error processing mailscanner (--install):
> dependency problems - leaving unconfigured
> Errors were encountered while processing:
> mailscanner
>
> And if I try to start mailscanner later, I get:
>
> Starting MailScanner...
> Can't locate Net/CIDR.pm in @INC (@INC contains: /usr/share/MailScanner
> /usr/local/lib/perl/5.6.1 /usr/local/share/perl/5.6.1 /usr/lib/perl5
> /usr/share/perl5 /usr/lib/perl/5.6.1 /usr/share/perl/5.6.1
> /usr/local/lib/site_perl/i386-linux /usr/local/lib/site_perl .
> /usr/share/MailScanner) at /usr/share/MailScanner/MailScanner/Config.pm
> line 34.
> BEGIN failed--compilation aborted at
> /usr/share/MailScanner/MailScanner/Config.pm line 34.
> Compilation failed in require at /usr/sbin/MailScanner line 42.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 42
>
> Now I am wondering if it would be possible to get this new mailscanner
> running on Woody at all, or if I should try to find the old package
> (4.24.5-1)?
>
> Any suggestions much appreciated!
>
> --
> Erik van der Meulen

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From ugob at CAMO-ROUTE.COM Thu Feb 19 16:22:11 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:35 2006
Subject: Mailscanner on Debian Woody
Message-ID: <54C38A0B814C8E438EF73FC76F362927410911@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Erik van der Meulen (by way of Erik van der Meulen
> ) [mailto:erik@AVONDEL.COM]
> Sent: Thursday, February 19, 2004 11:27 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Mailscanner on Debian Woody
>
>
> Dear all -
>
> I am trying to set up Mailscanner on my Debian Woody mail
> server. On the
> Mailscanner site I have found a document that seems to explain exactly
> how to accomplish this:
>
>
> http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?_highlightWords=deb
> ian&file=226
>
> However, the mailscanner package that is currently found in
> the unstable
> tree is not the same version as mentioned in the document (4.26.7-2
> instead of 4.24.5-1) and it does not install well at all.
>
> If I do: dpkg --install mailscanner*.deb, I get:
>
> Selecting previously deselected package mailscanner.
> (Reading database ... 17953 files and directories currently
> installed.)
> Unpacking mailscanner (from mailscanner_4.26.7-2_all.deb) ...
> dpkg: dependency problems prevent configuration of mailscanner:
> mailscanner depends on libnet-cidr-perl; however:
> Package libnet-cidr-perl is not installed.
> dpkg: error processing mailscanner (--install):
> dependency problems - leaving unconfigured
> Errors were encountered while processing:
> mailscanner
>

Have you tried resolving the dependencies?

hth

Ugo

> And if I try to start mailscanner later, I get:
>
> Starting MailScanner...
> Can't locate Net/CIDR.pm in @INC (@INC contains:
> /usr/share/MailScanner
> /usr/local/lib/perl/5.6.1 /usr/local/share/perl/5.6.1 /usr/lib/perl5
> /usr/share/perl5 /usr/lib/perl/5.6.1 /usr/share/perl/5.6.1
> /usr/local/lib/site_perl/i386-linux /usr/local/lib/site_perl .
> /usr/share/MailScanner) at
> /usr/share/MailScanner/MailScanner/Config.pm
> line 34.
> BEGIN failed--compilation aborted at
> /usr/share/MailScanner/MailScanner/Config.pm line 34.
> Compilation failed in require at /usr/sbin/MailScanner line 42.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 42
>
> Now I am wondering if it would be possible to get this new mailscanner
> running on Woody at all, or if I should try to find the old package
> (4.24.5-1)?
>
> Any suggestions much appreciated!
>
> --
> Erik van der Meulen
>

From jester at SPYDERINTERNET.COM Thu Feb 19 16:48:20 2004
From: jester at SPYDERINTERNET.COM (Michael)
Date: Thu Jan 12 21:22:35 2006
Subject: queue.in clog
Message-ID: <6.0.0.22.2.20040219104437.020d4d98@spyderinternet.com>

Finally got this solved, wasn't a mailscanner problem at all, was spamassassin and razor, seems that when we upgraded spamassassin and mailscanner, razor apparently didn't do its "discovery" process. Ran the following command, tested on debug and razor completed its checks. Turned back on MailScanner and all is well :)

razor-admin -d -discover

That did the trick, no more queueing. Thank you for all the input, excellent list :)

Michael
Spyderinternet

At 02:55 PM 2/18/2004, you wrote:
>Run through a debug, (change a couple of config options in
>MailScanner.conf, Debug=yes, Spamassassin Debug = Yes).
Stop
>MailScanner, and restart it, then it will run through a batch in a
>verbose mode, by observing it, you can see where the hang up is. Usually
>it's one of the spamassassin test (Razor2, DCC, RBL checks), which you
>can turn off/on in the spam_prefs for MailScanner, or reduce the
>timeouts or whatever, after you determine which one is delaying your
>queue.in processing.
>
>Regards
>MIKE
>
> > Sorry if this is an old question...
> >
> > I'm running MailScanner v4.25.14
> > Sophos Version 3.78
> > Redhat 7.3
> >
> >
> > I'm seeing tons of mail getting into the scanner queue, but I'm seeing very
> > little going out. The queue.in is constantly growing (right now shows approx
> > 2K messages waiting to scan). Right now there is approx a 40 min delay
> > between receiving and actually sending the message. Any help would be much
> > appreciated in speeding this up. This just started a few days ago. We have 8
> > children running, the delay is about 20 min from each "MailScanner" log. It
> > seems to scan about 50 messages wait 20-25 min then scans another 50
> > messages. We've increased the children, the file scan size, etc,etc.
> >
> >
> > Thanks in Advance.
> > Michael
> >
> >
> > --
> > Outgoing mail is certified Virus Free.
> > Checked by AVG Anti-Virus (http://www.grisoft.com).
> > Version: 7.0.211 / Virus Database: 261.9.6 - Release Date: 2/18/2004
> >
>
>--
>This message has been scanned for viruses and
>dangerous content by our MailScanner, and is
>believed to be clean.
>
>
>
>
>--
>Incoming mail is certified Virus Free.
>Checked by AVG Anti-Virus (http://www.grisoft.com).
>Version: 7.0.211 / Virus Database: 261.9.6 - Release Date: 2/18/2004

--
Outgoing mail is certified Virus Free.
Checked by AVG Anti-Virus (http://www.grisoft.com).
Version: 7.0.211 / Virus Database: 261.9.6 - Release Date: 2/18/2004

From mailscanner at SMITS.CO.UK Thu Feb 19 17:05:17 2004
From: mailscanner at SMITS.CO.UK (Bart J.
Smit)
Date: Thu Jan 12 21:22:35 2006
Subject: Stop scanning of outgoing mails?
Message-ID: <000501c3f70a$8c755820$8f14a8c0@clumpton.homeip.net>

Why not set up a separate relay host for your external users and authenticate them there? Then route everything over to the MS machine with a smarthost directive, and whitelist on the IP of the authentication host.

Bart...

-----Original Message-----
From: Peter Peters [mailto:P.G.M.Peters@utwente.nl]
Posted At: 19 February 2004 09:36
Posted To: MailScanner
Conversation: Stop scanning of outgoing mails?
Subject: Re: Stop scanning of outgoing mails?

On Thu, 19 Feb 2004 02:31:35 +0100, you wrote:

>> How about doing it by IP address? Doesn't "From:", when presented
>> with an IP address, use the relay's IP addr and not the email address
>> of the sender?
>
>Yes, but the sender is not the machine but an SMTP authenticated
>client. I cannot whitelist the whole world there.

I am not experienced with authenticated SMTP use but wouldn't it be possible to get the IP-address of the authenticated client somewhere and use a custom function to whitelist?

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From Anjana.Patel at CRANFIELD.AC.UK Thu Feb 19 14:25:44 2004
From: Anjana.Patel at CRANFIELD.AC.UK (Patel, Anjana)
Date: Thu Jan 12 21:22:35 2006
Subject: messages not being scanned by uvscan
Message-ID:

I'm running MailScanner 4.26.8-1 on RedHat 7.3 and McAfee engine v4.2.40

I recently upgraded our three mail gateways to the latest version of MailScanner and two are working ok but for some reason the third is not scanning for viruses (spam checking is working ok). The configuration on all three is the same apart from spamassassin. The other two are running 2.60 and the problem system is running 2.61.
I've not used symbolic links in MailScanner.conf or in virus.scanners.conf

uvscan --version reports the following:

Virus Scan for Linux v4.24.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Jan 27 2003

Scan engine v4.2.40 for Linux.
Virus data file v4326 created Feb 18 2004
Scanning for 86216 viruses, trojans and variants.

If I manually scan an infected file using the wrapper command it finds the virus.

There are no errors in the maillog file to indicate any problems but I've sent viruses through and they pass undetected. Is there some debugging I can set up to try and find the problem?

Thanks
Anjana

From mkettler at EVI-INC.COM Thu Feb 19 16:57:41 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:35 2006
Subject: Need some help stopping this spam . . .
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20040219113844.024a8850@xanadu.evi-inc.com>

At 10:37 AM 2/19/2004, Jeff Falgout wrote:
>And I've got spam.assassin.prefs.conf configured to stop it also:

I can't help you with the MailScanner white/blacklist problem, but I can help you with the SA rules problem.

First, SpamAssassin rulenames MUST be unique. The above lines clobber each other repeatedly, leaving you with a single HANDWRITING_SPAM rule.. the last one. All the others have been obliterated and will be ignored by SA... Re-name them

Next, you've forgotten to properly escape some things... all the @'s and .'s need to be \@ and \. I suspect that the , and " characters also need escaping with backslashes as well. Most punctuation does.

These mistakes won't break things per-se, but will change the meaning of your regex... "." is a wildcard for example, so /te.net/ will match "telnet" "te net" or "te;net".

Lastly, I suspect that this isn't the only set of errors in your spam.assassin.prefs.conf. Using the above config lines I at least get the Virtual server check to fire off.
I'd suggest copying spam.assassin.prefs.conf to a user's ~/.spamassassin/user_prefs and running spamassassin --lint over it.

From chris at FRACTALWEB.COM Thu Feb 19 16:57:50 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:22:35 2006
Subject: how to troubleshoot timeouts
In-Reply-To: <6.0.1.1.2.20040219091319.038cb0d8@imap.ecs.soton.ac.uk>
References: <403469C2.3050006@fractalweb.com> <6.0.1.1.2.20040219091319.038cb0d8@imap.ecs.soton.ac.uk>
Message-ID: <4034EB0E.8020804@fractalweb.com>

Julian Field wrote:

> In MailScanner.conf, set
> Debug = yes
> Debug SpamAssassin = yes
> then kill all your MailScanner processes. Wait for a few emails (4 or 5
> will do) to appear in mqueue.in, then run check_mailscanner.
> When the SpamAssassin output pauses (it will spew up the screen very fast
> normally), thump Ctrl-S to pause it. (Ctrl-Q starts it again). Read the
> last few lines of output and you should get an idea what is holding it
> up.
> If it mentions cloudmark.com just before you stopped it, that's Razor.

Thank you for the troubleshooting tips.

I am seeing the following that makes me somewhat suspicious.

debug: forged-HELO: from=cgmails.com helo=cgmails.com by=fractalweb.com
debug: DNS MX records found: 2
debug: RBL: success for 16 of 18 queries
debug: RBL: timeout for easynet after 2 seconds
debug: RBL: timeout for dsbl after 2 seconds

So, I see that easynet is timing out. I also see that dsbl is timing out, but only sometimes. Perhaps I should remove them from the checks?

There was also a bit of a pause when it did the DNS lookup, so perhaps a caching dns server would be a good idea too. I'm on Red Hat 7.3...what do you guys recommend?

Cheers,
Chris

From ugob at CAMO-ROUTE.COM Thu Feb 19 17:02:16 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:35 2006
Subject: how to troubleshoot timeouts
Message-ID: <54C38A0B814C8E438EF73FC76F362927410912@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Chris Yuzik [mailto:chris@FRACTALWEB.COM]
> Sent: Thursday, February 19, 2004 11:58 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: how to troubleshoot timeouts
>
>
> Julian Field wrote:
>
> > In MailScanner.conf, set
> > Debug = yes
> > Debug SpamAssassin = yes
> > then kill all your MailScanner processes. Wait for a few
> emails (4 or 5
> > will do) to appear in mqueue.in, then run check_mailscanner.
> > When the SpamAssassin output pauses (it will spew up the
> screen very fast
> > normally), thump Ctrl-S to pause it. (Ctrl-Q starts it
> again). Read the
> > last few lines of output and you should get an idea what is
> holding it
> > up.
> > If it mentions cloudmark.com just before you stopped it,
> that's Razor.
>
> Thank you for the troubleshooting tips.
>
> I am seeing the following that makes me somewhat suspicious.
>
> debug: forged-HELO: from=cgmails.com helo=cgmails.com
> by=fractalweb.com
> debug: DNS MX records found: 2
> debug: RBL: success for 16 of 18 queries
> debug: RBL: timeout for easynet after 2 seconds
> debug: RBL: timeout for dsbl after 2 seconds
>
> So, I see that easynet is timing out. I also see that dsbl is timing
> out, but only sometimes. Perhaps I should remove them from the checks?
>
> There was also a bit of a pause when it did the DNS lookup,
> so perhaps a
> caching dns server would be a good idea too. I'm on Red Hat 7.3...what
> do you guys recommend?

Begin with a caching dns server, for sure. If you have apt installed, do a

apt-get install caching-nameserver

If it is not there you can search with

apt-cache search caching...
>
> Cheers,
> Chris
>

From maillists at CONACTIVE.COM Thu Feb 19 17:31:31 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:35 2006
Subject: Stop scanning of outgoing mails?
In-Reply-To: <0r0930tq6nhf1nj8akmrq6uj993k3poa8d@4ax.com>
References: <54C38A0B814C8E438EF73FC76F362927410909@mtlnt501fs.CAMOROUTE.COM> <4033FE5A.A4556AF6@ucsc.edu> <0r0930tq6nhf1nj8akmrq6uj993k3poa8d@4ax.com>
Message-ID:

Peter Peters wrote on Thu, 19 Feb 2004 10:36:23 +0100:

> I am not experienced with authenticated SMTP use but wouldn't it be
> possible to get the IP-address of the authenticated client somewhere and
> use a custom function to whitelist?
>

sendmail adds an "authenticated" to the Received line which obviously must be a variable available at this time, so I could possibly grab it in the sendmail.cf and put it in a custom header. Not tested yet. But then MailScanner would have to take action based on that header. I don't feel like adding a custom function myself, I fear that's too complex for my Perl skills. Last time I added a custom function our MailScanner just died (see recent thread about adding X-Envelope headers).

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Thu Feb 19 17:31:31 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:35 2006
Subject: Stop scanning of outgoing mails?
In-Reply-To: <54C38A0B814C8E438EF73FC76F36292741090A@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F36292741090A@mtlnt501fs.CAMOROUTE.COM>
Message-ID:

Ugo Bellavance wrote on Thu, 19 Feb 2004 00:31:28 -0500:

> -Scan everything.
> -Ask Julian.
>

I agree :-) And since Julian hasn't answered yet I assume he doesn't know a solution or if there is one he won't put it in. Isn't there anyone else who wants to skip scanning of outgoing mail?
Nobody who has problems with clients because their mail is mistakenly tagged as spam f.i.?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From ugob at CAMO-ROUTE.COM Thu Feb 19 17:44:22 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:35 2006
Subject: Stop scanning of outgoing mails?
Message-ID: <54C38A0B814C8E438EF73FC76F362927410913@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Kai Schaetzl [mailto:maillists@CONACTIVE.COM]
> Sent: Thursday, February 19, 2004 12:32 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Stop scanning of outgoing mails?
>
>
> Ugo Bellavance wrote on Thu, 19 Feb 2004 00:31:28 -0500:
>
> > -Scan everything.
> > -Ask Julian.
> >
>
> I agree :-) And since Julian hasn't answered yet I assume he
> doesn't know
> a solution or if there is one he won't put it in. Isn't there
> anyone else
> who wants to skip scanning of outgoing mail? Nobody who has
> problems with
> clients because their mail is mistakenly tagged as spam f.i.?

We were talking about virus scanning, weren't we?

Ugo

>
>
> Kai
>
> --
>
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
> IE-Center: http://ie5.de & http://msie.winware.org
>

From mailscanner at ecs.soton.ac.uk Thu Feb 19 17:54:11 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:35 2006
Subject: Stop scanning of outgoing mails?
In-Reply-To:
References: <54C38A0B814C8E438EF73FC76F36292741090A@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <6.0.1.1.2.20040219175325.03e26458@imap.ecs.soton.ac.uk>

At 17:31 19/02/2004, you wrote:
>Ugo Bellavance wrote on Thu, 19 Feb 2004 00:31:28 -0500:
>
> > -Scan everything.
> > -Ask Julian.
> >
>
>I agree :-) And since Julian hasn't answered yet I assume he doesn't know
>a solution or if there is one he won't put it in.
Isn't there anyone else
>who wants to skip scanning of outgoing mail? Nobody who has problems with
>clients because their mail is mistakenly tagged as spam f.i.?

I have only been partially following this thread. I tend to work around problems like this by having a separate outgoing mail relay from incoming. But we are a rather larger site I suspect.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 19 17:50:30 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:35 2006
Subject: messages not being scanned by uvscan
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040219174856.03e1bfc8@imap.ecs.soton.ac.uk>

What MTA are you using? What are the "Run as user = " and "Run as group = " set to?

Check that whatever user is running MailScanner has permissions to read and execute uvscan, that it can read all the virus pattern files and associated libraries, and that it can read the licence key file (if there is one for uvscan).

At 14:25 19/02/2004, you wrote:
>I'm running MailScanner 4.26.8-1 on RedHat 7.3 and McAfee engine v4.2.40
>
>I recently upgraded our three mail gateways to the latest version of
>MailScanner and two are working ok but for some reason the third is not
>scanning for viruses (spam checking is working ok). The configuration
>on all three is the same apart from spamassassin. The other two are
>running 2.60 and the problem system is running 2.61.
>
>I've not used symbolic links in MailScanner.conf or in
>virus.scanners.conf
>
>uvscan --version reports the following:
>
>Virus Scan for Linux v4.24.0
>Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights
>reserved.
>(408) 988-3832 LICENSED COPY - Jan 27 2003
>
>Scan engine v4.2.40 for Linux.
>Virus data file v4326 created Feb 18 2004
>Scanning for 86216 viruses, trojans and variants.
>
>If I manually scan an infected file using the wrapper command it finds
>the virus.
>
>There are no errors in the maillog file to indicate any problems but
>I've sent viruses through and they pass undetected. Is there some
>debugging I can set up to try and find the problem?
>
>Thanks
>Anjana

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martinh at SOLID-STATE-LOGIC.COM Thu Feb 19 18:01:36 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:36 2006
Subject: Stop scanning of outgoing mails?
In-Reply-To: <6.0.1.1.2.20040219175325.03e26458@imap.ecs.soton.ac.uk>
References: <54C38A0B814C8E438EF73FC76F36292741090A@mtlnt501fs.CAMOROUTE.COM> <6.0.1.1.2.20040219175325.03e26458@imap.ecs.soton.ac.uk>
Message-ID: <4034FA00.3030606@solid-state-logic.com>

or have a separate email gate for external traffic, with all initial outbound email handled by a separate machine from the MS box - as someone else said..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Julian Field wrote:
> At 17:31 19/02/2004, you wrote:
>
>> Ugo Bellavance wrote on Thu, 19 Feb 2004 00:31:28 -0500:
>>
>> > -Scan everything.
>> > -Ask Julian.
>> >
>>
>> I agree :-) And since Julian hasn't answered yet I assume he doesn't know
>> a solution or if there is one he won't put it in. Isn't there anyone else
>> who wants to skip scanning of outgoing mail? Nobody who has problems with
>> clients because their mail is mistakenly tagged as spam f.i.?
>
>
> I have only been partially following this thread. I tend to work around
> problems like this by having a separate outgoing mail relay from incoming.
> But we are a rather larger site I suspect.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From ryan.finnesey at CORPDSG.COM Thu Feb 19 07:18:54 2004
From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey)
Date: Thu Jan 12 21:22:36 2006
Subject: MailScanner on Mac OS X
Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C401EA6F@dc012.corpdsg.com>

How do you like the Xserve? We have found it very hard to get in contact with an account manager at Apple. I would like to get a few to play with. I have called them and they tell us to go down to a local CompUSA. Do you know if they offer 4 hour hardware support like HP does?

Ryan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of JLM
Sent: Wednesday, February 18, 2004 7:16 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner on Mac OS X

Ryan Finnesey asked:

> Can I ask why OS X?

Because my particular production environment is using Xserve hardware, and because that's the OS I'm most familiar with. Nearly all the other XAMS team members use some flavor of Linux.

John Rudd helpfully suggested:

> f sounds like you're using the HPUX stanza instead of the BSD stanza in
> the check_mailscanner script. Make sure the BSD stanza is the one
> you're using (make sure the conditions work out, etc.).

Thanks for the suggestion, John.
I'll take a look at that and see what I can figure out.

Regarding item [4] below... After looking through the MailScanner code, it appears that the CustomConfig.pm routines are called from several different places. It seems that in some cases the ($message) is passed to the custom routines, and in some cases it is not. So when our custom routine is called from sendmail2...

sendmail2 = &XAMSTMDAMailer

.for some reason MailScanner isn't passing the ($message) to the XAMSTMDAMailer custom routine. We can't seem to determine why. Does anyone have any thoughts on this?

Also, as I mentioned before, it would be great if we could figure out a way to get MailScanner to successfully run as the "mail" user on OS X. I've searched the archives, and it seems people on other platforms have experienced the same problem in the past. I seem to gather that it's been fixed for most environments, but perhaps not for OS X. Any suggestions for troubleshooting this would be *most* appreciated.

Sincere thanks,

Justin

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of JLM
> Sent: Wednesday, February 18, 2004 12:50 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner on Mac OS X
>
>
> Hi folks,
>
> I'm trying to get MailScanner (4.26.8-1) functioning properly on Mac OS X
> Server (10.3.2), and I'm running into a few trouble spots. I'm using
> MailScanner along with XAMS 0.0.15-RC4, which is a flexible and intuitive
> email management system that is designed to work along with Exim,
> Courier-IMAP, and MySQL.
>
> http://www.xams.org/
>
> The trouble spots I'm running into are:
>
> [1] At launch, MailScanner complains: "ps: illegal option -- f" This seems
> to be related to check_mailscanner, but other than that I don't know anything
> about this error, how important it is, and whether there's anything we can
> do to fix it on Mac OS X. Any thoughts or suggestions would be much
> appreciated.
> > [2] I can't seem to get MailScanner to run as mail:mail (GID=6, UID=6). This > occurred on both the Jaguar (10.2.6) and Panther (10.3.2) versions of Mac OS > X that I have installed MailScanner on. I have to comment out the "Run as > user = " and "Run as Group = " lines in order to get MailScanner to run. > Does anyone have any suggestions as to how we might fix this? We'd rather > not have MailScanner running as root if we can avoid it. > > [3] Other than the above, MailScanner appears to function normally. However, > after a few hours of normal operation, the following error began repeatedly > appearing in the mail log: > > Feb 17 12:44:31 localhost MailScanner[2965]: File containing list of > incoming queue dirs (/var/spool/exim-incoming/input) does not exist > > There is indeed a /var/spool/exim-incoming/input directory. I'm a bit > puzzled as to why MailScanner thinks there is a file containing a list of > incoming queue dirs at that location. Both the incoming and outgoing queue > directories are specified in the mailscanner.conf file. > > MailScanner appears to continue functioning normally, so once again it's not > clear how important this error is. Nonetheless, can anyone shed any light on > what's causing this and how I might fix it? > > [4] After mail has been scanned for viruses and run through SpamAssassin, it > may then be fed to TMDA if the spam/ham analysis is inconclusive. > > [I fully realize that many people are not big fans of challenge/response > systems such as TMDA. Please keep in mind that messages with low spam scores > are delivered unchallenged, and messages with high spam scores are discarded > outright (again, without being challenged). The only messages that will be > challenged are the very rare messages that SpamAssassin can't convincingly > classify as either spam or ham. It is our hope that this method will address > many of the objections against challenge/response systems.] 
> > I'm working with the other folks on the XAMS team to put together a few > routines to pass mail from MailScanner to TMDA. The following test routines > were added to the CustomConfig.pm component of MailScanner: > > ### Begin: Test routines added to CustomConfig.pm ### > > use Data::Dumper; > sub InitXAMSTMDAMailer {} > > sub XAMSTMDAMailer > { > my ($message) = @_; > $|++; > open XAMS_TMDA_FH, '>>/tmp/xams_tmda_mailer.log'; > print XAMS_TMDA_FH Dumper($message) . '=' x 80 . "\n"; > print XAMS_TMDA_FH "XAMSTMDAMailer was here\n"; > close XAMS_TMDA_FH; > return '/usr/local/exim/bin/exim -DMAILSCANNER_OUTGOING=On'; > } > > sub EndXAMSTMDAMailer {} > > ### End: Test routines added to CustomConfig.pm ### > > When a message is received by MailScanner and triggers the above routines, > it delivers the mail but does two unexpected things: > > 1. The output of the first print command is: "$VAR1 = undef;" > Can anyone think of why that might be? Any suggestions would be very, > very helpful. > > 2. It repeats the output five times (see below). I realize that MailScanner > has five processes running at any given time, but why are all five > processing these routines when a message is received? > > Output: > > $VAR1 = undef; > ==================================================================== > XAMSTMDAMailer was here > > (repeated another four times) > > Does anyone have any ideas as to why this is being repeated five times? > > > I realize this is a lot of questions to throw to the list at once. I and the > other members of the XAMS team would be most grateful for any advice you can > offer. > > On behalf of the XAMS team, thanks in advance for any pointers you might > have for us! > > Best, > > Justin > > PS: > > I'd like to take a moment to recognize the superb support I've received so > far from Nick Phillips, who has selflessly devoted his time to help me get > MailScanner running on Mac OS X (in at least a basic incarnation). 
Without
> his guidance, I would never have even made it this far. Many thanks, Nick!
>

From maillists at CONACTIVE.COM Thu Feb 19 18:31:34 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:36 2006
Subject: Stop scanning of outgoing mails?
In-Reply-To: <000501c3f70a$8c755820$8f14a8c0@clumpton.homeip.net>
References: <000501c3f70a$8c755820$8f14a8c0@clumpton.homeip.net>
Message-ID:

Bart J. Smit wrote on Thu, 19 Feb 2004 17:05:17 -0000:

> Why not set up a separate relay host for your external users and
> authenticate them there?
> Then route everything over to the MS machine with a smarthost directive, and
> whitelist on the IP of the authentication host.
>

Wow, that's overkill ;-) If I set up a different machine for outgoing mail I don't need to route to the MS machine at all, I can just send out right away. This is indeed a possible solution and I already thought about it. But we like to distribute load and it also means adding all the users which would be allowed to authenticate to that machine as well and telling all of them to change the mail-out server. But it's a possible solution, I agree :-)

Kai

--

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Thu Feb 19 18:31:34 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:36 2006
Subject: how to troubleshoot timeouts
In-Reply-To: <4034EB0E.8020804@fractalweb.com>
References: <403469C2.3050006@fractalweb.com> <6.0.1.1.2.20040219091319.038cb0d8@imap.ecs.soton.ac.uk> <4034EB0E.8020804@fractalweb.com>
Message-ID:

Chris Yuzik wrote on Thu, 19 Feb 2004 08:57:50 -0800:

> debug: RBL: success for 16 of 18 queries
>

That's overkill! Pick two or three, not all!

> debug: RBL: timeout for easynet after 2 seconds
>

That's been discontinued months ago!

Kai

--

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Thu Feb 19 18:31:34 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:36 2006
Subject: Stop scanning of outgoing mails?
In-Reply-To:
References: <54C38A0B814C8E438EF73FC76F362927410909@mtlnt501fs.CAMOROUTE.COM> <4033FE5A.A4556AF6@ucsc.edu> <0r0930tq6nhf1nj8akmrq6uj993k3poa8d@4ax.com>
Message-ID:

Kai Schaetzl wrote on Thu, 19 Feb 2004 18:31:31 +0100:

> Not tested yet
>

Indeed works, just don't know what to do with it ;-) If anyone ever wants to have this in the headers add this to your sendmail.cf in the "Format of headers" section:

HX-Authenticated: ${auth_type} ${client_addr}

and restart MailScanner.

Kai

--

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Thu Feb 19 18:53:24 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:36 2006
Subject: Stop scanning of outgoing mails?
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410913@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410913@mtlnt501fs.CAMOROUTE.COM>
Message-ID:

Ugo Bellavance wrote on Thu, 19 Feb 2004 12:44:22 -0500:

> We were talking about virus scanning, weren't we?
>

I'm talking of outgoing mail in general. Rules apply to all mail. I don't know of a rule which would stop *only* outgoing mail to be scanned for whatever. Did I overlook something?

Kai

--

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From dwinkler at ALGORITHMICS.COM Thu Feb 19 18:55:33 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:36 2006
Subject: Stop scanning of outgoing mails?
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1D4@tormail2.algorithmics.com> I'd look into setting up a second ip with another instance of sendmail for authenticated SMTP only which uses /var/spool/mqueue directly, no MailScanner. > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Kai Schaetzl > Sent: Thursday, February 19, 2004 1:53 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Stop scanning of outgoing mails? > > > Ugo Bellavance wrote on Thu, 19 Feb 2004 12:44:22 -0500: > > > We were talking about virus scanning, weren't we? > > > > I'm talking of outgoing mail in general. Rules apply to all > mail. I don't > know of a rule which would stop *only* outgoing mail to be > scanned for > whatever. Did I overlook something? > > > Kai > > -- > > Kai Sch?tzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > IE-Center: http://ie5.de & http://msie.winware.org > From ugob at CAMO-ROUTE.COM Thu Feb 19 19:07:35 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:36 2006 Subject: Stop scanning of outgoing mails? Message-ID: <54C38A0B814C8E438EF73FC76F3629273132FE@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Kai Schaetzl [mailto:maillists@CONACTIVE.COM] > Envoy? : Thursday, February 19, 2004 1:53 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Re: Stop scanning of outgoing mails? > > > Ugo Bellavance wrote on Thu, 19 Feb 2004 12:44:22 -0500: > > > We were talking about virus scanning, weren't we? > > > > I'm talking of outgoing mail in general. Rules apply to all > mail. I don't > know of a rule which would stop *only* outgoing mail to be > scanned for > whatever. Did I overlook something? 
>

I might be missing something in the conversation (didn't get enough sleep this week), but you can use whitelists to disable spam checks for outgoing messages only (whitelist your internal servers by IP), and you can use rules to disable filename/type checks for outgoing messages only.

See http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/207.html

hth

Ugo

>
> Kai
>
> --
>
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
> IE-Center: http://ie5.de & http://msie.winware.org
>

From maillists at CONACTIVE.COM Thu Feb 19 19:08:36 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:36 2006
Subject: Spam whitelist rules
Message-ID:

While researching rules I got the impression that all the stuff below should have the same result (no spam check done), am I correct?

Spam Checks = %rules-dir%/spam.1.rules
From: *@domain no

Is Definitely Not Spam = %rules-dir%/spam.2.rules
From: *@domain yes

Is Definitely Spam = %rules-dir%/spam.3.rules
From: *@domain no

Kai

--

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From chris at FRACTALWEB.COM Thu Feb 19 19:15:42 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:22:36 2006
Subject: how to troubleshoot timeouts
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410912@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410912@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <40350B5E.4060700@fractalweb.com>

Ugo Bellavance wrote:

>Begin with a caching dns server, for sure.
>
>If you have apt installed, do a apt-get install caching-nameserver
>
>If it is not there you can search with apt-cache search caching...
>
>

Ugo,

Thanks. I tried this and apparently I already have the caching-nameserver installed and at the latest version. I'll cross that one off my list.
:-) Cheers, Chris From ugob at CAMO-ROUTE.COM Thu Feb 19 19:22:55 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:36 2006 Subject: how to troubleshoot timeouts Message-ID: <54C38A0B814C8E438EF73FC76F36292741091B@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Chris Yuzik [mailto:chris@FRACTALWEB.COM] > Envoy? : Thursday, February 19, 2004 2:16 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Re: how to troubleshoot timeouts > > > Ugo Bellavance wrote: > > >Begin with a caching dns server, for sure. > > > >If you have apt installed, do a apt-get install caching-nameserver > > > >If it is not there you can search with apt-cache search caching... > > > > > Ugo, > > Thanks. I tried this and apparently I already have the > caching-nameserver installed and at the latest version. I'll > cross that > one off my list. :-) Don't forget to change your /etc/resolv.conf :) > > Cheers, > Chris > From JFalgout at CO.JEFFERSON.CO.US Thu Feb 19 20:34:00 2004 From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout) Date: Thu Jan 12 21:22:36 2006 Subject: Need some help stopping this spam . . . Message-ID: >>> mkettler@EVI-INC.COM 2/19/2004 9:57:41 AM >>> At 10:37 AM 2/19/2004, Jeff Falgout wrote: >And I've got spam.assassin.prefs.conf configured to stop it also: Lastly, I suspect that this isn't the only set of errors in your spam.assassin.prefs.conf. Using the above config lines I at least get the Virtual server check to fire off. I'd suggest copying spam.assassin.prefs.conf to a user's ~/.spamassassin/user_prefs and running spamassassin --lint over it. >>>>>>>>>> Thank you for pointing out the syntax errors in my regex. Regular Expressions can make my eyes cross. running spamassassin --lint on the spam.assassin.prefs.con file did expose another syntax error - a "-" when it should have been a "_". 
Jeff From pete at ELBNET.COM Thu Feb 19 20:47:52 2004 From: pete at ELBNET.COM (Peter Billson) Date: Thu Jan 12 21:22:36 2006 Subject: Outbound mail not scanned Message-ID: <1077223672.403520f8a64a8@secure.elbnet.com> Hello *, I'm hoping someone can help me with an odd problem. I have Mailscanner running on a host between the world and my "real" mail server. All inbound and outbound mail pass through the mailscanner machine: MAIL TO ME >>>> Mailscanner >>>> ME MAIL FROM ME >>>> Mailscanner >>>> THE WORLD I have Mailscanner successfully scanning mail that is coming in but I can not get mail going out to be scanned. According to the Email headers mail; 1) is received by MailscannerHost from my mail server 2) is then sent from MailscannerHost to Destination According to the headers it seems that the mail is being processed, but nothing "bad" gets stripped off - i.e. I can send an EXE file or a virus without problems. As I said above, for inbound mail, EXEs or a virus are stopped as they should be. Any suggestions where to look? Thanks! Pete Billson -- http://www.elbnet.com ELB Internet Service, Inc. Web Design, Computer Consulting, Internet Hosting From ugob at CAMO-ROUTE.COM Thu Feb 19 21:03:07 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:36 2006 Subject: Outbound mail not scanned Message-ID: <54C38A0B814C8E438EF73FC76F36292741091E@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Peter Billson [mailto:pete@ELBNET.COM] > Envoy? : Thursday, February 19, 2004 3:48 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Outbound mail not scanned > > > Hello *, > I'm hoping someone can help me with an odd problem. > > I have Mailscanner running on a host between the world and my > "real" mail > server. 
All inbound and outbound mail pass through the > mailscanner machine: > > MAIL TO ME >>>> Mailscanner >>>> ME > MAIL FROM ME >>>> Mailscanner >>>> THE WORLD > > I have Mailscanner successfully scanning mail that is coming > in but I can not > get mail going out to be scanned. According to the Email headers mail; > 1) is received by MailscannerHost from my mail server > 2) is then sent from MailscannerHost to Destination > > According to the headers it seems that the mail is being > processed, but > nothing "bad" gets stripped off - i.e. I can send an EXE file > or a virus > without problems. Do you have any special rules ? Ugo > > As I said above, for inbound mail, EXEs or a virus are > stopped as they should > be. > > Any suggestions where to look? > > Thanks! > > Pete Billson > -- > http://www.elbnet.com > ELB Internet Service, Inc. > Web Design, Computer Consulting, Internet Hosting > From pete at ELBNET.COM Thu Feb 19 21:07:10 2004 From: pete at ELBNET.COM (Peter Billson) Date: Thu Jan 12 21:22:36 2006 Subject: Outbound mail not scanned In-Reply-To: <54C38A0B814C8E438EF73FC76F36292741091E@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F36292741091E@mtlnt501fs.CAMOROUTE.COM> Message-ID: <1077224830.4035257ee4bd7@secure.elbnet.com> Quoting Ugo Bellavance : > Do you have any special rules ? Ugo, I am not sure what you mean by special. I do have rules for stripping .EXE attachemnts and they are stripped from inbound mail. Do I need special rules for outbound mail? Pete -- http://www.elbnet.com ELB Internet Service, Inc. 
Web Design, Computer Consulting, Internet Hosting From james at grayonline.id.au Thu Feb 19 21:08:33 2004 From: james at grayonline.id.au (James Gray) Date: Thu Jan 12 21:22:36 2006 Subject: Mailscanner on Debian Woody In-Reply-To: <6.0.1.1.1.20040219172621.01bb28e8@192.168.1.2> References: <6.0.1.1.1.20040219172621.01bb28e8@192.168.1.2> Message-ID: <200402200808.50563.james@grayonline.id.au> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 20 Feb 2004 03:26 am, Erik van der Meulen (by way of Erik van der Meulen ) wrote: > Dear all - > > I am trying to set up Mailscanner on my Debian Woody mail server. On the > Mailscanner site I have found a document that seems to explain exactly > how to accomplish this: > > > http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?_highlightWords=debian&file=22 >6 > > However, the mailscanner package that is currently found in the unstable > tree is not the same version as mentionned in the document (4.26.7-2 > instead of 4.24.5-1) and it does not install well at all. > > If I do: dpkg --install mailscanner*.deb, I get: > > Selecting previously deselected package mailscanner. > (Reading database ... 17953 files and directories currently installed.) > Unpacking mailscanner (from mailscanner_4.26.7-2_all.deb) ... > dpkg: dependency problems prevent configuration of mailscanner: > mailscanner depends on libnet-cidr-perl; however: > Package libnet-cidr-perl is not installed. *snipped* > Erik van der Meulen Erik, I also run a Debian (Woody) server with MailScanner and did exactly as Julian and Martin suggested: install the CIDR package from CPAN. However, I like to try-out the new versions of MailScanner long before they get massaged into a Debian package. There's really no harm in downloading the tar-ball and dropping it into /opt or somewhere relevant. 
Then I simply create symlinks to the version I want and use the symlink in my scripts for locating MailScanner, ie, > ls -l /opt lrwxrwxrwx 1 root root 18 Feb 9 16:24 MailScanner -> MailScanner-4.2x.y drwxr-xr-x 8 root root 376 Jan 12 10:32 MailScanner-4.2x.w drwxr-xr-x 8 root root 376 Feb 3 01:14 MailScanner-4.2x.y ...etc. So /opt/MailScanner is always the version I am running. I also have some miscellaneous links around to make the administration a little easier like: /etc/MailScanner -> /opt/MailScanner/etc The other thing I did was modify the init script (from the Debian package) so it waits for MailScanner to stop before finishing. I was running MailScanner on a rather slow machine for a while and the "restart" function would always fail because the "stop" part didn't wait for all the child processes to finish. When the "start" phase kicked off, it would fail with "MailScanner running on PIDS 123 124 125" etc. If you're interested in my init script (or anyone else for that matter) please contact me off-list. If enough people are interested, I'll add it to the http://files.grayonline.id.au/ page. Regards, James - -- Fortune cookies says: The amount of time between slipping on the peel and landing on the pavement is precisely 1 bananosecond. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFANSXUwBHpdJO7b9ERAu5gAJ4owi/puYnU04fFYKIjzpM/+9vVRQCfXML1 MswX3k/Pif18pqhksOlS+QA= =WmBr -----END PGP SIGNATURE----- From ugob at CAMO-ROUTE.COM Thu Feb 19 21:10:08 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:36 2006 Subject: Outbound mail not scanned Message-ID: <54C38A0B814C8E438EF73FC76F36292741091F@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Peter Billson [mailto:pete@ELBNET.COM] > Envoy? : Thursday, February 19, 2004 4:07 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Re: Outbound mail not scanned > > > Quoting Ugo Bellavance : > > Do you have any special rules ? 
>
> Ugo,
> I am not sure what you mean by special.
>
> I do have rules for stripping .EXE attachments and they are
> stripped from
> inbound mail.
>
> Do I need special rules for outbound mail?

The default is to filter everything. You were not supposed to do anything to filter .exe attachments. I guess the rules you created conflict.

>
>
> Pete
> --
> http://www.elbnet.com
> ELB Internet Service, Inc.
> Web Design, Computer Consulting, Internet Hosting
>

From mailscanner at ecs.soton.ac.uk Fri Feb 20 07:34:12 2004
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:22:36 2006
Subject: {Dangerous Filename?} Returned due to virus; was:something for you
Message-ID: <200402200732.i1K7WuGC015989@xenia4.mc2.renault.fr>

Warning: This message has had one or more attachments removed
Warning: (website.zip.htm).
Warning: Please read the "ECS-Attachment-Warning.txt" attachment(s) for more information.

my hero

-------------- next part --------------
This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "website.zip.htm" is on the list of unacceptable attachments for this site and has been replaced by this warning message.

If you wish to receive a copy of the original attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call.

At Fri Feb 20 07:34:06 2004 the virus scanner said:
MailScanner: Attempt to hide real filename extension (website.zip.htm)

Note to Help Desk: Look on crow in /var/spool/MailScanner/quarantine/20040220 (message i1K7Y1mF016091).
--
Postmaster
MailScanner thanks transtec Computers for their support

From tristanr at CI.GRANDJCT.CO.US Thu Feb 19 22:27:30 2004
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes)
Date: Thu Jan 12 21:22:36 2006
Subject: Keystroke logger being installed from a link in an email (Subject: Police Investigation )
Message-ID:

We have received copies of a malicious email, with the subject "Police Investigation".

It looks like an innocent spam email. There are no attachments, just text and some obfuscated links to websites (discussed on this list before). If you go to them (I don't recommend it) you will see a "SERVER ERROR 550" message, and you might think that the website is down. What actually happens is the error message is from the website, and they use an exploit in Internet Explorer to install a keystroke logger on your PC. This information is then mailed to an email address pentasatan@mail.ru with the trojan using its own inbuilt SMTP engine to do so. Hopefully your firewall blocks any internal host trying to use port 25 (smtp) except for your email server.

Information about this exploit can be found here.
http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=55

What is the best way to block an exploit like this?

Create a custom Spamassassin rule?
Feed it to Bayes a bunch of times as SPAM?
Use MCP?

Thanks,

Tristan Rhodes

From ka at PACIFIC.NET Thu Feb 19 22:44:33 2004
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:22:36 2006
Subject: Keystroke logger being installed from a link in an email (Subject: Police Investigation )
In-Reply-To:
References:
Message-ID: <40353C51.3020405@pacific.net>

Tristan Rhodes wrote:

> We have received copies of a malicious email, with the subject "Police Investigation".
>
> It looks like an innocent spam email. There are no attachments, just text and some obfuscated links to websites (discussed on this list before).
If you go to them (I don't recommend it) you will see a "SERVER ERROR 550" message, and you might think that the website is down. What actually happens is the error message is from the website, and they use an exploit in Internet Explorer to install a keystroke logger on your PC. This information is then mailed to an email address pentasatan@mail.ru with the trojan using its own inbuilt SMTP engine to do so. Hopefully your firewall blocks any internal host trying to use port 25 (smtp) except for your email server.
>
> Information about this exploit can be found here.
> http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=55
>
> What is the best way to block an exploit like this?

The best way is to not use IE. Or, you can just create a rule based on the subject in spam.assassin.prefs.conf.

Ken A.

> Create a custom Spamassassin rule?
> Feed it to Bayes a bunch of times as SPAM?
> Use MCP?
>
> Thanks,
>
> Tristan Rhodes
>
>

From mkettler at EVI-INC.COM Thu Feb 19 22:49:11 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:36 2006
Subject: Keystroke logger being installed from a link in an email (Subject: Police Investigation )
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20040219173857.02a77dc0@xanadu.evi-inc.com>

At 05:27 PM 2/19/2004, Tristan Rhodes wrote:

>What is the best way to block an exploit like this?
>
>Create a custom Spamassassin rule?
>Feed it to Bayes a bunch of times as SPAM?
>Use MCP?

Quite frankly, all you can do at the email level is block this particular version of the exploit. Bayes, custom rules, etc will be effective at tagging this message as spam.

However, the only way to properly prevent this general class of problem is to fix it on the workstation itself. After all, the email itself doesn't contain an attack. It's the web site that contains the attack.

Patch maintenance, workstation-resident virus scanner with regular update, etc.
You can also use a firewall with extensive application layer inspection tools like a netscreen to block some of these kinds of things at the network layer. However, such things are hardly 100% comprehensive, but they do inspect http transactions for some kinds of attacks etc. From chris at FRACTALWEB.COM Thu Feb 19 22:56:24 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:36 2006 Subject: McAfee virusscan Message-ID: <40353F18.8050800@fractalweb.com> OMG! I'm ready to pull what's left of my hair out. NAI and McAfee are virtually impossible to deal with. I have wasted no less than 3 hours on the phone over the past couple of days trying to get pricing for McAfee Virusscan commandline for Unix (or Linux). I managed to download an evaluation version and it seems fine. I have talked with 3 resellers that are all "not familiar with that product" and all promise to get back to me after talking to McAfee...and, of course, they never do. I've called McAfee and talked with almost a dozen people. I finally talked to one person who told me that the commandline version of Virusscan is no longer sold on its own and is only available as part of the Virusscan Suite for the Desktop 5-user version. Cost on that is apparently US$200 for the first year, then $82 per year thereafter. According to the MailScanner FAQ, it should be more like $12 for a perpetual license. One person I talked with suggested that the Command Line version MIGHT be included in the boxed retail package of McAfee Virusscan Professional, but all the literature just says Windows. According to someone at NAI, it's only the Windows version. It looks like there is something called the "McAfee Active VirusScan Suite Small Business Edition" that allegedly includes the command line scanner for unix/linux. Minimum purchase is 2 nodes, so cost is about US$80...but I cannot purchase this product because I am in Canada...and apparently, it's not available in Canada unless I purchase 11 nodes. 
Did I mention I only have 1 machine? Argh! Am I missing something here? Is purchasing software supposed to be this difficult? Perhaps I'm used to the way good shareware works...I download it, install it, and if I like it, pay for it. Then, they send me some sort of key file that I put on the machine and it keeps working. Can anyone shed any light here? Any McAfee users out there know the secret? Cheers, Chris From james at grayonline.id.au Thu Feb 19 23:08:26 2004 From: james at grayonline.id.au (James Gray) Date: Thu Jan 12 21:22:36 2006 Subject: McAfee virusscan In-Reply-To: <40353F18.8050800@fractalweb.com> References: <40353F18.8050800@fractalweb.com> Message-ID: <200402201008.27005.james@grayonline.id.au> On Fri, 20 Feb 2004 09:56 am, Chris Yuzik wrote: > OMG! I'm ready to pull what's left of my hair out. > > NAI and McAfee are virtually impossible to deal with. I have wasted no > less than 3 hours on the phone over the past couple of days trying to > get pricing for McAfee Virusscan commandline for Unix (or Linux). I > managed to download an evaluation version and it seems fine. I have > talked with 3 resellers that are all "not familiar with that product" > and all promise to get back to me after talking to McAfee...and, of > course, they never do. *SNIPPED* > Can anyone shed any light here? Any McAfee users out there know the > secret? > > Cheers, > Chris Chris, We use NAI VirusScan for Linux and FreeBSD on our MailScanner gateways. The command line stuff all came with "NAI Total Virus Defence (TVD) Enterprise 7.0". OK so we have the "enterprise" version, but apparently any TVD version includes the command-line scanners - AFAIK the only difference between TVD packages is the number of licenses etc. Maybe you need to mention the TVD package?? James -- Fortune cookies says: Take heart amid the deepening gloom that your dog is finally getting enough cheese. 
-- National Lampoon, "Deteriorata" From jrudd at UCSC.EDU Thu Feb 19 23:12:25 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:36 2006 Subject: Hello? (was Re: Adding Envelope Headers?) References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> <402D4E48.1A8709B1@ucsc.edu> <40329E21.7D82BCA5@ucsc.edu> <4033DC27.34BB2DA7@ucsc.edu> <6.0.1.1.2.20040219091017.03d08320@imap.ecs.soton.ac.uk> Message-ID: <403542D9.B30C436F@ucsc.edu> Julian, The message isn't answerable by anyone but you -- it's a reply to your message about how putting "Envelope-To" headers into a message would be a bad idea (my response says that it's bad in the general cause, but not in some specific cases, which would be based upon the MTA, and should therefore be selectable by the sysadmin running mailscanner). a) doesn't apply because I'm not reporting a problem, I'm refuting an assertion of yours, and b) doesn't apply because you're the only one being addressed, really. That "other's can't answer because they don't know" isn't relevant. John Julian Field wrote: > > Sorry, haven't got time to respond to everyone. I suggest the silence means > no-one else either > a) has enough info from you to work out what the problem is, > or > b) doesn't know. > > At 21:41 18/02/2004, you wrote: > >John Rudd wrote: > > > > > > John Rudd wrote: > > > > > > > > Julian Field wrote: > > > > > > > > > > At 14:00 13/02/2004, you wrote: > > > > > > > > > >X-Envelope-To: > > > > > > > > > I am of the opinion that ... > > > > > putting in the envelope recipient is a bad idea. > > > > > > > [snip] > > > > When you know that the MTA will do the right thing, it's not "a bad > > > > idea". And for some MTA's, it's definitely "the right idea". > > > > > > So, does the lack of response to my two messages indicate they fell on > > > deaf ears? Are my arguments unconvincing? > > > > > > > >*tap*tap*tap* Is this thing on? > > > >Beuller? 
Beuller? From michele at BLACKNIGHTSOLUTIONS.COM Thu Feb 19 23:52:02 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:36 2006 Subject: Spam whitelist rules In-Reply-To: Message-ID: We're using: From: domain.tld yes From: domain.tld no Which is the way it is set in the example - and it works Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Kai Schaetzl > Sent: 19 February 2004 19:09 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] Spam whitelist rules > > > While researching rules I got the impression that all the stuff below > should have the same result (no spam check done), am I correct? > > Spam Checks = %rules-dir%/spam.1.rules > From: *@domain no > > Is Definitely Not Spam = %rules-dir%/spam.2.rules > From: *@domain yes > > Is Definitely Spam = %rules-dir%/spam.3.rules > From: *@domain no > > > Kai > > -- > > Kai Sch?tzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > IE-Center: http://ie5.de & http://msie.winware.org > From michele at BLACKNIGHTSOLUTIONS.COM Thu Feb 19 23:57:12 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:36 2006 Subject: MS SA autolearn oddness Message-ID: I've noticed a couple of worrying entries in our mail logs on one server and was wondering if anybody else had any ideas. I have *not* set SA to "learn", although I experimented with that setting a couple of weeks ago. 
However, I am still seeing:

Feb 19 00:16:53 camelot MailScanner[28987]: Message i1J0GhYG029364 from 64.70.43.5 (adv@sheck-buy.com) to somedomain.com is spam, spamhaus-xbl-sbl, spamcop.net, SpamAssassin (score=23.959, required 8.5, autolearn=spam, ADVERT_CODE 1.82, BAYES_99 5.40, DCC_CHECK 2.91, EMAIL_ROT13 4.10, HTML_70_80 0.10, HTML_FONT_BIG 0.27, HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10, HTML_MIME_NO_HTML_TAG 1.18, MAILTO_SUBJ_REMOVE 0.89, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32, OBSCURED_EMAIL 2.70, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_SBL 1.11)

This is a little worrying, as we have had to disable spamcop on one server
due to an increasing number of false positives (which I cannot explain
either - but that's another issue)

Does anybody have any Perls of wisdom? (excuse the pun :) )

Michele

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

From steve.swaney at FSL.COM Fri Feb 20 00:06:25 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:36 2006
Subject: MS SA autolearn oddness
In-Reply-To:
Message-ID: <20040220000621.2DE8821C13A@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Michele Neylon :: Blacknight Solutions
> Sent: Thursday, February 19, 2004 6:57 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MS SA autolearn oddness
>
> I've noticed a couple of worrying entries in our mail logs on one server and
> was wondering if anybody else had any ideas.
>
> I have *not* set SA to "learn", although I experimented with that setting a
> couple of weeks ago. However, I am still seeing:
>

The default SpamAssassin setting is

bayes_auto_learn ( 0 | 1 ) (default: 1)

If you don't explicitly turn it off, it will learn.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From michele at BLACKNIGHTSOLUTIONS.COM Fri Feb 20 00:16:12 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:36 2006 Subject: MS SA autolearn oddness In-Reply-To: <20040220000621.2DE8821C13A@mail.fsl.com> Message-ID: Thanks - I thought I was losing my mind! Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Stephen Swaney > Sent: 20 February 2004 00:06 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] MS SA autolearn oddness > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Michele Neylon :: Blacknight Solutions > > Sent: Thursday, February 19, 2004 6:57 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: MS SA autolearn oddness > > > > I've noticed a couple of worrying entries in our mail logs on one server > > and > > was wondering if anybody else had any ideas. > > > > I have *not* set SA to "learn", although I experimented with > that setting > > a > > couple of weeks ago. However, I am still seeing: > > > > The default SpamAssassin setting is > > bayes_auto_learn ( 0 | 1 ) (default: 1) > > If you don't explicitly turn it off, it will learn. > > Steve > Stephen Swaney > President > Fortress Systems Ltd. > Steve.Swaney@FSL.com > > > > > -- > This message has been scanned for viruses and > dangerous content by Fortress Secure Mail Gateway > and was found to be clean. > > Fortress Systems Ltd. 
- http://www.fsl.com > From christo at IT4AFRICA.CO.ZA Fri Feb 20 07:11:26 2004 From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:36 2006 Subject: Message attached as attachment to Email {Virus Scanned} In-Reply-To: <019501c3f6f5$ea4c5f80$660210ac@christoxp> Message-ID: <01b401c3f780$c11354d0$660210ac@christoxp> Please help for each message I get double the traffic because of the message attached as attachment to the mail. Sorry But not both are set to store. Non spam are set to deliver and spam and high score spam is set to store. This only happened for some messages from the outside. Indise was not affected. But now all messages are affected. Have a look if I could see anything in the log but nothing, even with debug mode. I'm running the following with mailscanner. Spamassassin wich I installed from RPM perl-Mail-SpamAssassin-2.61-1.i386.rpm Running F-Secure and Clamav Fsav --version F-Secure Anti-Virus Command line client version: F-Secure Anti-Virus for Linux version 4.52 build 2461 F-Secure Anti-Virus Daemon version: F-Secure Anti-Virus for Linux version 4.52 build 2461 clamscan --version clamscan / ClamAV version 0.60 > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Christo Bezuidenhout > Sent: 19 February 2004 04:38 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Message attached as attachment to Email {Virus Scanned} > > > Both settings is set to store and store only. This started > from yesterday at round about 5pm. > > > > > -----Original Message----- > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Julian > Field > > Sent: 19 February 2004 03:59 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Message attached as attachment to Email {Virus Scanned} > > > > > > At 12:57 19/02/2004, you wrote: > > >All of a sudden all messages on my server are attached as > > text messages > > >to the existing email message. 
Did I mis something somewhere. > > > > > >My config. RH9 mailscanner-4.26.8-1 > > > > Sounds like one of the following: > > a) you non-spam actions are set to "deliver attachment" rather than > > just "deliver" or > > b) all your mail is being marked as spam, and you have your spam > > actions set to "deliver attachment". > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > Mailscanner thanks IT For Africa for their support. > > > From mailscanner at ecs.soton.ac.uk Fri Feb 20 08:19:22 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:36 2006 Subject: Outbound mail not scanned In-Reply-To: <1077223672.403520f8a64a8@secure.elbnet.com> References: <1077223672.403520f8a64a8@secure.elbnet.com> Message-ID: <6.0.1.1.2.20040220081758.03f40150@imap.ecs.soton.ac.uk> MailScanner will scan all mail passing into the mail server by SMTP. I suspect you are running an old sendmail and have a mail system (e.g. a webmail interface) which is delivered by invoking the sendmail binary directly. You need to configure your webmail system or whatever to send mail by talking to an SMTP server called "localhost". That way it will use SMTP and MailScanner will get to see it. At 20:47 19/02/2004, you wrote: >Hello *, > I'm hoping someone can help me with an odd problem. > >I have Mailscanner running on a host between the world and my "real" mail >server. All inbound and outbound mail pass through the mailscanner machine: > >MAIL TO ME >>>> Mailscanner >>>> ME >MAIL FROM ME >>>> Mailscanner >>>> THE WORLD > >I have Mailscanner successfully scanning mail that is coming in but I can not >get mail going out to be scanned. 
According to the Email headers mail; > 1) is received by MailscannerHost from my mail server > 2) is then sent from MailscannerHost to Destination > >According to the headers it seems that the mail is being processed, but >nothing "bad" gets stripped off - i.e. I can send an EXE file or a virus >without problems. > > As I said above, for inbound mail, EXEs or a virus are stopped as they > should >be. > > Any suggestions where to look? > > Thanks! > >Pete Billson >-- >http://www.elbnet.com >ELB Internet Service, Inc. >Web Design, Computer Consulting, Internet Hosting -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Feb 20 08:25:48 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:36 2006 Subject: Keystroke logger being installed from a link in an email (Subject: Police Investigation ) In-Reply-To: References: Message-ID: <6.0.1.1.2.20040220082513.03c85850@imap.ecs.soton.ac.uk> This is apparently quite an old one. There is a good report from AusCERT here: http://www.auscert.org.au/render.html?it=3858 Sophos, for example, has detected it since May 2003. At 22:27 19/02/2004, you wrote: >We have received copies of a malicious email, with the subject "Police >Investigation". > >It looks like an innocent spam email. There are no attachments, just text >and some obfuscated links to websites (discussed on this list before). If >you go to them (I don't recommend it) you will see a "SERVER ERROR 550" >message, and you might think that the website is down. What actually >happens is the error message is from the website, and they use an exploit >in Internet Explorer to install a keystroke logger on your PC. This >information is then mailed to an email address pentasatan@mail.ru with the >trojan using its own inbuilt SMTP engine to do so. 
Hopefully your >firewall blocks any internal host trying to use port 25 (smtp) except for >your email server. > >Information about this expoit can be found here. >http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=55 > >What is the best way to block an exploit like this? > >Create a custom Spamassassin rule? >Feed it to Bayes a bunch of times as SPAM? >Use MCP? > >Thanks, > >Tristan Rhodes -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Feb 20 08:29:18 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:36 2006 Subject: Hello? (was Re: Adding Envelope Headers?) In-Reply-To: <403542D9.B30C436F@ucsc.edu> References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> <402D4E48.1A8709B1@ucsc.edu> <40329E21.7D82BCA5@ucsc.edu> <4033DC27.34BB2DA7@ucsc.edu> <6.0.1.1.2.20040219091017.03d08320@imap.ecs.soton.ac.uk> <403542D9.B30C436F@ucsc.edu> Message-ID: <6.0.1.1.2.20040220082658.03f3c698@imap.ecs.soton.ac.uk> If you send a message to someone on the same mail server as you, and you Bcc another person on the same mail server, then both recipients would appear in the "Envelope-To" header, revealing to the first person that the message was also sent to the second person. Which rather ruins the point of being able to Bcc in the first place. At 23:12 19/02/2004, you wrote: >Julian, > >The message isn't answerable by anyone but you -- it's a reply to your >message about how putting "Envelope-To" headers into a message would be >a bad idea (my response says that it's bad in the general cause, but not >in some specific cases, which would be based upon the MTA, and should >therefore be selectable by the sysadmin running mailscanner). 
> >a) doesn't apply because I'm not reporting a problem, I'm refuting an >assertion of yours, > >and > >b) doesn't apply because you're the only one being addressed, really. >That "other's can't answer because they don't know" isn't relevant. > > >John > > >Julian Field wrote: > > > > Sorry, haven't got time to respond to everyone. I suggest the silence means > > no-one else either > > a) has enough info from you to work out what the problem is, > > or > > b) doesn't know. > > > > At 21:41 18/02/2004, you wrote: > > >John Rudd wrote: > > > > > > > > John Rudd wrote: > > > > > > > > > > Julian Field wrote: > > > > > > > > > > > > At 14:00 13/02/2004, you wrote: > > > > > > > > > > > >X-Envelope-To: > > > > > > > > > > > I am of the opinion that ... > > > > > > putting in the envelope recipient is a bad idea. > > > > > > > > > [snip] > > > > > When you know that the MTA will do the right thing, it's not "a bad > > > > > idea". And for some MTA's, it's definitely "the right idea". > > > > > > > > So, does the lack of response to my two messages indicate they fell on > > > > deaf ears? Are my arguments unconvincing? > > > > > > > > > > > >*tap*tap*tap* Is this thing on? > > > > > >Beuller? Beuller? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Fri Feb 20 08:54:07 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:36 2006 Subject: Spam whitelist rules In-Reply-To: References: Message-ID: <4035CB2F.9010800@solid-state-logic.com> Kai as long as the spammer/virus doesn't fake your domain as the 'from' then yes it will. This is why I have a separate gateway machine, I can then select not to spam scan based on the ip of where the email came from. 
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Kai Schaetzl wrote: > While researching rules I got the impression that all the stuff below > should have the same result (no spam check done), am I correct? > > Spam Checks = %rules-dir%/spam.1.rules > From: *@domain no > > Is Definitely Not Spam = %rules-dir%/spam.2.rules > From: *@domain yes > > Is Definitely Spam = %rules-dir%/spam.3.rules > From: *@domain no > > > Kai > ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From davidj at IMPOL.NET Fri Feb 20 09:39:36 2004 From: davidj at IMPOL.NET (David Jacobson) Date: Thu Jan 12 21:22:36 2006 Subject: Regexp for spam mailbox Message-ID: Hi Guys, Quick question, not sure if anyone can help me but its worth a shot. I have an agreement with some of our customers that if a mail is not tagged as spam they forward it to a particular blacklist address to get banned, now I was planning on making this a semi automated process however due to the fact that its a forwarded message I can't make it automated since it will tag the From address as spam and not the spammers from address.. Now for a long time I've been adding these blacklists manually is there perhaps some sort of regexp I can use against the mbox to just get the spammer addresses? as this manual process is becoming an absolute nightmare! Any help welcome... Thanks. 
Kind regards, David Jacobson Network Security Administrator RHCE Imperial Online - The Imperial Connection Switchboard (+27) 11 723-8000 Helpdesk (+27) 11 723-8181 Mobile (+27) 83 235-0760 Facsimile (+27) 11 454 1236 Email davidj@impol.net www.imperialonline.co.za / www.imperialtoday.co.za Confidentiality Notice: This communication and the information it contains are intended for the person(s) or organisation(s) named above and for no other person(s) or organisation(s). The content of this communication may be confidential, legally privileged and protected. Unauthorised use, copying or disclosure of any part of this communication may be unlawful. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040220/629d3c96/attachment.html From davidj at IMPOL.NET Fri Feb 20 09:46:14 2004 From: davidj at IMPOL.NET (David Jacobson) Date: Thu Jan 12 21:22:36 2006 Subject: Wierd words for spam filter Message-ID: Hi Again, I've got customers complaining that spam is coming through and when analyzing the e-mails I notice they're using words as follows: <> <> <> <> = <>=20 which are not getting tagged, now everytime I try add special words like that with pipes colons pluses etc it seems to break stuff and tag everything as spam, can someone give me an example of how to add such words? Thanks Kind regards, David Jacobson Network Security Administrator RHCE Imperial Online - The Imperial Connection Switchboard (+27) 11 723-8000 Helpdesk (+27) 11 723-8181 Mobile (+27) 83 235-0760 Facsimile (+27) 11 454 1236 Email davidj@impol.net www.imperialonline.co.za / www.imperialtoday.co.za Confidentiality Notice: This communication and the information it contains are intended for the person(s) or organisation(s) named above and for no other person(s) or organisation(s). The content of this communication may be confidential, legally privileged and protected. 
Unauthorised use, copying or disclosure of any part of this communication may be unlawful.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040220/5be51b37/attachment.html

From martinh at SOLID-STATE-LOGIC.COM Fri Feb 20 09:57:32 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:36 2006
Subject: Wierd words for spam filter
In-Reply-To:
References:
Message-ID: <4035DA0C.8010806@solid-state-logic.com>

david

try the antidrug ruleset at
http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

having said that I'm running it and it didn't trigger it, but this rule did...

# Created using Chris's Mediocre Obfuscation Script Version 0.00.0.0001h
# http://sandgnat.com/cmos/
#
header LOCAL_OBFU_VGR_SUBJ Subject =~ /(?:\b[vu]|\B(?:\\\/|\xCE\xBD))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[g6]|\xC4[\x9C-\xA3]])[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4]\b|(?:[\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)\B)/i
score LOCAL_OBFU_VGR_SUBJ 2.6
describe LOCAL_OBFU_VGR_SUBJ Obfuscated 'viagra' in subject
body LOCAL_OBFU_VGR /(?:\b[vu]|\B(?:\\\/|\xCE\xBD))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[g6]|\xC4[\x9C-\xA3]])[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4]\b|(?:[\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)\B)/i
score LOCAL_OBFU_VGR 1.8
describe LOCAL_OBFU_VGR Obfuscated 'viagra' in body

If you also add in the xanax and others as well (generated using Chris's CGI
scripts on his home page above) you should be able to trigger a spam action.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

David Jacobson wrote:
>
> Hi Again,
>
> I've got customers complaining that spam is coming through and when
> analyzing the e-mails
> I notice they're using words as follows:
>
> < Som+a+ gJe3w>> < +Soma+ < Pn.t.ermin fmRdI>> < v|@gRa ) A:t|v@n + .S.oma _ Pnter:m:in Q6bgh>> <> =
> <>=20
>
> which are not getting tagged, now everytime I try add special words like
> that with pipes colons pluses etc
> it seems to break stuff and tag everything as spam, can someone give me
> an example of how to add such
> words?
> > Thanks > > Kind regards, > > David Jacobson > Network Security Administrator > RHCE > > Imperial Online - The Imperial Connection > > Switchboard (+27) 11 723-8000 > Helpdesk (+27) 11 723-8181 > Mobile (+27) 83 235-0760 > Facsimile (+27) 11 454 1236 > Email davidj@impol.net > > www.imperialonline.co.za / www.imperialtoday.co.za > > Confidentiality Notice: > This communication and the information it contains are intended for the > person(s) or organisation(s) named above and for no other person(s) or > organisation(s). > The content of this communication may be confidential, legally > privileged and protected. Unauthorised use, copying or disclosure of any > part of this communication may be unlawful. ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From michele at BLACKNIGHTSOLUTIONS.COM Fri Feb 20 09:58:31 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:36 2006 Subject: Wierd words for spam filter In-Reply-To: Message-ID: David Welcome to the big bad world of Bayes poisoning :) You would be best advised to look into custom rules for SA, such as Big Evil : http://mailscanner.prolocation.net (very handy scripts) http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm - home of the custom rules HTH Michele Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. 
+ 353 (0)59 9137101 Lowest price domains in Ireland -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of David Jacobson Sent: 20 February 2004 09:46 To: MAILSCANNER@JISCMAIL.AC.UK Subject: [MAILSCANNER] Wierd words for spam filter Hi Again, I've got customers complaining that spam is coming through and when analyzing the e-mails I notice they're using words as follows: <> <> <> <> = <>=20 which are not getting tagged, now everytime I try add special words like that with pipes colons pluses etc it seems to break stuff and tag everything as spam, can someone give me an example of how to add such words? Thanks Kind regards, David Jacobson Network Security Administrator RHCE Imperial Online - The Imperial Connection Switchboard (+27) 11 723-8000 Helpdesk (+27) 11 723-8181 Mobile (+27) 83 235-0760 Facsimile (+27) 11 454 1236 Email davidj@impol.net www.imperialonline.co.za / www.imperialtoday.co.za Confidentiality Notice: This communication and the information it contains are intended for the person(s) or organisation(s) named above and for no other person(s) or organisation(s). The content of this communication may be confidential, legally privileged and protected. Unauthorised use, copying or disclosure of any part of this communication may be unlawful. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040220/fe8d5cda/attachment.html From jrudd at UCSC.EDU Fri Feb 20 10:05:48 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:36 2006 Subject: Hello? (was Re: Adding Envelope Headers?) 
In-Reply-To: <6.0.1.1.2.20040220082658.03f3c698@imap.ecs.soton.ac.uk>
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> <402D4E48.1A8709B1@ucsc.edu> <40329E21.7D82BCA5@ucsc.edu> <4033DC27.34BB2DA7@ucsc.edu> <6.0.1.1.2.20040219091017.03d08320@imap.ecs.soton.ac.uk> <403542D9.B30C436F@ucsc.edu> <6.0.1.1.2.20040220082658.03f3c698@imap.ecs.soton.ac.uk>
Message-ID: <5B0E73F8-638C-11D8-8D33-003065F939FE@ucsc.edu>

Julian,

Unless the MTA uses and removes the Envelope-To headers. In that case,
your "ruins the point of BCC" argument is completely wrong. (I get the
feeling you didn't read the original message I wrote in this thread)

Think of it like this: combine the sendmail qf file and df file into one
file. What you're essentially saying is that "you shouldn't put RPFD
lines into the qf file, because the user might see them". No, sendmail
uses those lines, and removes them, before putting the qf data (headers,
etc.) into the final message. Your worry is unwarranted.

Some MTAs, such as CommuniGate Pro, put it all into one queue file. If
the file format is (and it is important that all of the Envelope-To's
precede any other headers):

(one or more Envelope-To: lines)
(one Return-Path: line, which is the Envelope From)
(rest of RFC-822 message)

then that file can be directly submitted to CommuniGate Pro's "Submitted"
directory (if the file's name is *.sub), and it will do the right thing.
It will read the Envelope-To's and use them for the recipients, remove
them from the message, and then use the Return-Path as the Envelope From
(keeping it in the message).

If MailScanner would accept and generate that format as a "plain" or
"CGP" MTA setting, then it could be used for scanning RFC-822 messages
and for supporting CommuniGate Pro.
(the relay could be taken from the first Received line)

Then you'd just tell MailScanner to name its result something.sub, use
(non-batch mode) to put the files into the regular queue directory (which
you'd set to be CGP's "Submitted" directory).

Users will NOT see the "Envelope-To" headers. Your argument does not
hold. Some MTA's will "do the right thing" with it.

(as a side note)

The CGP queue file is in a slightly different format, but it will accept
the above format for the "Submitted" directory. The actual CGP queue
file format is:

(multiple queue info lines)
(blank line)
(RFC-822 message)

the queue info is lines of the following format:

P ? (date) (time) (number) (flags1) (flags2)
R ? (date) (time) (number) (flags1) (flags2)
S (SMTP|PIPE|etc) [W.X.Y.Z]   # module that received mesg, and the relay
O L                           # I'm not actually sure what the OL line is

(the only parts that are important to MailScanner are the last fields of
the P, R, and S lines, the rest can pretty much be thrown out ... I do
that with my cgp2ms perl script, though I don't use the S line, I use the
first Received header ... and I use it to fake a sendmail qf/df file
pair; the ms2cgp perl script (which is used for MailScanner's "Sendmail2"
variable) takes the sendmail qf/df pair and creates an Envelope-To
formatted file, and puts that into the CGP submitted directory ... so
far, no one has mentioned seeing the Envelope-To lines, by the way)

This could be munged by another process into the Envelope-To format, so
that MS only has to support 1 format for both reading and sending ... or
it could read the queue format and generate the Envelope-To format.
Either way.

(or, a "plain" MTA might read and write Envelope-To format, while a "CGP"
MTA might read the CGP queue format and write the Envelope-To format ...
that would probably be ideal)

Anyways, the point is, Envelope-To is not the problem you think it is.
It's actually very useful, once you realize that some MTA's will "do the
right thing" with it.
On Feb 20, 2004, at 12:29 AM, Julian Field wrote: > If you send a message to someone on the same mail server as you, and > you > Bcc another person on the same mail server, then both recipients would > appear in the "Envelope-To" header, revealing to the first person that > the > message was also sent to the second person. Which rather ruins the > point of > being able to Bcc in the first place. > > At 23:12 19/02/2004, you wrote: >> Julian, >> >> The message isn't answerable by anyone but you -- it's a reply to your >> message about how putting "Envelope-To" headers into a message would >> be >> a bad idea (my response says that it's bad in the general cause, but >> not >> in some specific cases, which would be based upon the MTA, and should >> therefore be selectable by the sysadmin running mailscanner). >> >> a) doesn't apply because I'm not reporting a problem, I'm refuting an >> assertion of yours, >> >> and >> >> b) doesn't apply because you're the only one being addressed, really. >> That "other's can't answer because they don't know" isn't relevant. >> >> >> John >> >> >> Julian Field wrote: >> > >> > Sorry, haven't got time to respond to everyone. I suggest the >> silence means >> > no-one else either >> > a) has enough info from you to work out what the problem is, >> > or >> > b) doesn't know. >> > >> > At 21:41 18/02/2004, you wrote: >> > >John Rudd wrote: >> > > > >> > > > John Rudd wrote: >> > > > > >> > > > > Julian Field wrote: >> > > > > > >> > > > > > At 14:00 13/02/2004, you wrote: >> > > > > >> > > > > > >X-Envelope-To: >> > > > > >> > > > > > I am of the opinion that ... >> > > > > > putting in the envelope recipient is a bad idea. >> > > > > >> > > > [snip] >> > > > > When you know that the MTA will do the right thing, it's not >> "a bad >> > > > > idea". And for some MTA's, it's definitely "the right idea". >> > > > >> > > > So, does the lack of response to my two messages indicate they >> fell on >> > > > deaf ears? 
Are my arguments unconvincing?
>> > >
>> > >
>> > >
>> > >*tap*tap*tap* Is this thing on?
>> > >
>> > >Beuller? Beuller?
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Jan-Peter.Koopmann at SECEIDOS.DE Fri Feb 20 11:12:36 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:36 2006
Subject: Hello? (was Re: Adding Envelope Headers?)
Message-ID:

> Users will NOT see the "Envelope-To" headers. Your argument
> does not hold. Some MTA's will "do the right thing" with it.

And some won't do the right thing. If you teach Exim (e.g.) to put in
those headers they will simply stick in the message. And they are supposed
to. Therefore the User will be able to see them in his MUA.

Possibly your setup will get rid of those headers at a later point. But
speak for yourself only. :-)

Where is the problem to put in those header fields at your setup? Why
should MailScanner do anything with it? I fail to see the positive side effect.

Regards,
JP

From jacques at MONACO.NET Fri Feb 20 11:32:59 2004
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:22:36 2006
Subject: Stop scanning of outgoing mails?
In-Reply-To:
References:
Message-ID: <200402201232.07811.jacques@monaco.net>

On Wednesday 18 February 2004 21:31, Kai Schaetzl wrote:
> It seems MailScanner also scans all mail which is outgoing (f.i.
> relayed by SMTP authenticated clients). Is there a way to stop this?

With Postfix, change this line in /etc/postfix.in/main.cf:

defer_transports = local, smtp, relay, virtual

to

defer_transports = local, virtual

Done. Outgoing/relayed e-mail is no more scanned (as a nice side effect,
this also stops customers using your mail exchanger as secondary MX
wondering why some of their e-mail gets scanned).
I don't know about other MTAs, but I'm sure there are solutions, too (there is *always* a solution :-)

Cheers,
--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From jacques at MONACO.NET Fri Feb 20 11:39:38 2004
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:22:36 2006
Subject: Postfix + MailScanner HELP!
In-Reply-To:
References:
Message-ID: <200402201239.16214.jacques@monaco.net>

On Thursday 19 February 2004 15:42, Rosaldo Garcia wrote:
> Why is it when i try to put an # on ( smtp inet n -
> y - - smtpd ) under /etc/postfix/master.cf, i get
> this error

Did you read ?

You need to make sure the *incoming* instance of Postfix (the one controlled by the files in /etc/postfix.in) has started, otherwise there will be no one to listen to SMTP connections...

Cheers,
--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From jacques at MONACO.NET Fri Feb 20 11:57:30 2004
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:22:36 2006
Subject: Mailscanner on Debian Woody
In-Reply-To: <6.0.1.1.1.20040219172621.01bb28e8@192.168.1.2>
References: <6.0.1.1.1.20040219172621.01bb28e8@192.168.1.2>
Message-ID: <200402201257.30789.jacques@monaco.net>

On Thursday 19 February 2004 17:26, Erik van der Meulen (by way of Erik van der Meulen ) wrote:
> If I do: dpkg --install mailscanner*.deb, I get:
>
> Selecting previously deselected package mailscanner.
> (Reading database ... 17953 files and directories currently
> installed.) Unpacking mailscanner (from mailscanner_4.26.7-2_all.deb)
> ... dpkg: dependency problems prevent configuration of mailscanner:
> mailscanner depends on libnet-cidr-perl; however:
> Package libnet-cidr-perl is not installed.
A «clean» solution would be to install the Net::CIDR package from the Testing version. As you can see from , it only requires perl (>= 5.6.0-16), which you happen to already have:

> /usr/share/MailScanner /usr/local/lib/perl/5.6.1
                                             ^^^^^
Seems good enough...

You can install this package, either by downloading it directly from a debian mirror (it will be in .../pool/main/libn/libnet-cidr-perl/), or by using the «pinning» APT feature to download it from the Testing repository (you can find more info on pinning at -- that's the Google Cache, since the original page seems to be AWOL at this moment).

At any rate, I would discourage using the CPAN perl module to get it, since it wouldn't then be entered into the Debian package management system...

HTH

Cheers,
--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From mailscanner at ecs.soton.ac.uk Fri Feb 20 12:34:46 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:36 2006
Subject: Hello? (was Re: Adding Envelope Headers?)
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040220123359.0400f990@imap.ecs.soton.ac.uk>

At 11:12 20/02/2004, you wrote:
> > Users will NOT see the "Envelope-To" headers. Your argument
> > does not hold. Some MTA's will "do the right thing" with it.
>
>And some won't do the right thing. If you teach Exim (e.g.) to put in
>those headers they will simply stick in the message. And they are supposed
>to. Therefore the User will be able to see them in his MUA.
>
>Possibly your setup will get rid of those headers at a later point. But
>speak for yourself only. :-)
>
>Where is the problem to put in those header fields at your setup? Why
>should MailScanner do anything with it? I fail to see the positive side effect.

Right, it is in as an option. Envelope-From turned on by default, Envelope-To turned off by default.
These will be in 4.27.

# Do you want to add the Envelope-From: header?
# This is very useful for tracking where spam came from as it
# contains the envelope sender address.
# This can also be the filename of a ruleset.
Add Envelope From Header = yes

# Do you want to add the Envelope-To: header?
# This can be useful for tracking spam destinations, but should be
# used with care due to possible privacy concerns with the use of
# Bcc: headers by users.
# This can also be the filename of a ruleset.
Add Envelope To Header = no

# This is the name of the Envelope From header
# controlled by the option above.
# This can also be the filename of a ruleset.
Envelope From Header = X-%org-name%-MailScanner-From:

# This is the name of the Envelope To header
# controlled by the option above.
# This can also be the filename of a ruleset.
Envelope To Header = X-%org-name%-MailScanner-To:

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From davidj at IMPOL.NET Fri Feb 20 13:12:23 2004
From: davidj at IMPOL.NET (David Jacobson)
Date: Thu Jan 12 21:22:36 2006
Subject: Wierd words for spam filter
In-Reply-To: <4035DA0C.8010806@solid-state-logic.com>
Message-ID:

Hi,

Thanks to all who helped me with the obfuscated spam words - implementing my own rules now works like a charm.

Kind regards,

David Jacobson
Network Security Administrator
RHCE

Imperial Online - The Imperial Connection

Switchboard (+27) 11 723-8000
Helpdesk (+27) 11 723-8181
Mobile (+27) 83 235-0760
Facsimile (+27) 11 454 1236
Email davidj@impol.net

www.imperialonline.co.za / www.imperialtoday.co.za

Confidentiality Notice:
This communication and the information it contains are intended for the person(s) or organisation(s) named above and for no other person(s) or organisation(s). The content of this communication may be confidential, legally privileged and protected.
Unauthorised use, copying or disclosure of any part of this communication may be unlawful. Martin Hepworth Sent by: MailScanner mailing list 02/20/2004 11:57 AM Please respond to MailScanner mailing list To MAILSCANNER@JISCMAIL.AC.UK cc Subject Re: Wierd words for spam filter david try the antidrug ruleset at http://mywebpages.comcast.net/mkettler/sa/antidrug.cf having said that I'm running it and it didn't trigger it, but this rule did... # Created using Chris's Mediocre Obfuscation Script Version 0.00.0.0001h # http://sandgnat.com/cmos/ # header LOCAL_OBFU_VGR_SUBJ Subject =~ /(?:\b[vu]|\B(?:\\\/|\xCE\xBD))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[g6]|\xC4[\x9C-\xA3]])[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4]\b|(?:[\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\x B1|\xD0\x90|\xD0\xB0)\B)/i score LOCAL_OBFU_VGR_SUBJ 2.6 describe LOCAL_OBFU_VGR_SUBJ Obfuscated 'viagra' in subject body LOCAL_OBFU_VGR 
/(?:\b[vu]|\B(?:\\\/|\xCE\xBD))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[g6]|\xC4[\x9C-\xA3]])[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4]\b|(?:[\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\x B1|\xD0\x90|\xD0\xB0)\B)/i score LOCAL_OBFU_VGR 1.8 describe LOCAL_OBFU_VGR Obfuscated 'viagra' in body If you also add in the xanax and others as well (generated using Chris's CGI scripts on his home page above) you should be able to trigger a spam action. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 David Jacobson wrote: > > Hi Again, > > I've got customers complaining that spam is coming through and when > analyzing the e-mails > I notice they're using words as follows: > > < Som+a+ gJe3w>> < +Soma+ < Pn.t.ermin fmRdI>> < v|@gRa ) A:t|v@n + .S.oma _ Pnter:m:in Q6bgh>> <> = > <>=20 > > which are not getting tagged, now everytime I try add special words like > that with pipes colons pluses etc > it seems to break stuff and tag everything as spam, can someone give me > an example of how to add such > words? 
> > Thanks > > Kind regards, > > David Jacobson > Network Security Administrator > RHCE > > Imperial Online - The Imperial Connection > > Switchboard (+27) 11 723-8000 > Helpdesk (+27) 11 723-8181 > Mobile (+27) 83 235-0760 > Facsimile (+27) 11 454 1236 > Email davidj@impol.net > > www.imperialonline.co.za / www.imperialtoday.co.za > > Confidentiality Notice: > This communication and the information it contains are intended for the > person(s) or organisation(s) named above and for no other person(s) or > organisation(s). > The content of this communication may be confidential, legally > privileged and protected. Unauthorised use, copying or disclosure of any > part of this communication may be unlawful. ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040220/712b38e9/attachment.html From maillists at CONACTIVE.COM Fri Feb 20 13:31:38 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:36 2006 Subject: Outbound mail not scanned In-Reply-To: <1077223672.403520f8a64a8@secure.elbnet.com> References: <1077223672.403520f8a64a8@secure.elbnet.com> Message-ID: Peter Billson wrote on Thu, 19 Feb 2004 20:47:52 +0000: > According to the headers it seems that the mail is being processed, but > nothing "bad" gets stripped off - i.e. I can send an EXE file or a virus > without problems. > Great, if you find out what your problem is/was, let us now. 
I think I will just want to set it up like that :-) Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Fri Feb 20 13:31:38 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:36 2006 Subject: Spam whitelist rules In-Reply-To: References: Message-ID: Michele Neylon :: Blacknight Solutions wrote on Thu, 19 Feb 2004 23:52:02 -0000: > Which is the way it is set in the example - and it works > I was talking about the obvious redundancy with the three rule sets. As I understand one would only need one of them. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Fri Feb 20 13:31:38 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:36 2006 Subject: Spam whitelist rules In-Reply-To: <4035CB2F.9010800@solid-state-logic.com> References: <4035CB2F.9010800@solid-state-logic.com> Message-ID: Martin Hepworth wrote on Fri, 20 Feb 2004 08:54:07 +0000: > as long as the spammer/virus doesn't fake your domain as the 'from' then > yes it will. > > This is why I have a separate gateway machine, I can then select not to > spam scan based on the ip of where the email came from. > Hi Martin, my question wasn't directly related to my "avoid outgoing mail being scanned" if that is what you are referring to with the gateway machine ;-) It just struck me that rules for Spam Checks Is Definitely Not Spam Is Definitely Spam basically do the same thing, so are quite redundant. If I understand correctly just using rules for "Spam Checks" would be sufficient? The other two are just for "convenience". 
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Fri Feb 20 13:31:38 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:36 2006 Subject: Hello? (was Adding Envelope Headers?) In-Reply-To: References: Message-ID: Jan-Peter Koopmann wrote on Fri, 20 Feb 2004 12:12:36 +0100: > And some won't do the right thing. If you teach Exim (e.g.) to put in > those headers they will simply stick in the message. And they are > supposed to. Therefore the User will be able to see them in his MUA. sendmail doesn't insert the Envelope-To if there is more than one recipient. > > Possibly your setup will get rid of those headers at a later point. But > speak for yourself only. :-) > > Where is the problem to put in those header fields at your setup? Why > should MailScanner do anything with it? I fail to see the positive side > effect. > If I understand correctly Communigate doesn't currently support MailScanner, but he's working on an application which will gateway to it, but he needs to have the Envelope headers available. There's no harm in adding those headers by MailScanner on an *optional* basis. As it seems you can add them with most mail daemons, anyway, but not with all. So, if there was harm adding them, most people can already do now. I suppose it would be a trivial change to the code, someone already posted a custom function for this some days ago, but I tried it out and it didn't work for me (I use sendmail now to do it). The main problem remains what to do with multiple recipients on that domain. Do it like sendmail and not add them or enumerate thru and add all of them? I guess only the latter would help John. 
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From martinh at SOLID-STATE-LOGIC.COM Fri Feb 20 13:45:02 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:36 2006 Subject: Spam whitelist rules In-Reply-To: References: <4035CB2F.9010800@solid-state-logic.com> Message-ID: <40360F5E.8020504@solid-state-logic.com> Kai oh ok the is definitely and definetly not, do things slightly differently - have a look at the rules that use them.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Kai Schaetzl wrote: > Martin Hepworth wrote on Fri, 20 Feb 2004 08:54:07 +0000: > > >>as long as the spammer/virus doesn't fake your domain as the 'from' then >>yes it will. >> >>This is why I have a separate gateway machine, I can then select not to >>spam scan based on the ip of where the email came from. >> > > > Hi Martin, my question wasn't directly related to my "avoid outgoing mail > being scanned" if that is what you are referring to with the gateway > machine ;-) It just struck me that rules for > > Spam Checks > Is Definitely Not Spam > Is Definitely Spam > > basically do the same thing, so are quite redundant. If I understand > correctly just using rules for "Spam Checks" would be sufficient? The > other two are just for "convenience". > > > Kai > > -- > > Kai Sch?tzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > IE-Center: http://ie5.de & http://msie.winware.org ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. 
This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mailscanner at ecs.soton.ac.uk Fri Feb 20 13:51:23 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:36 2006 Subject: Hello? (was Adding Envelope Headers?) In-Reply-To: References: Message-ID: <6.0.1.1.2.20040220134156.08cbb888@imap.ecs.soton.ac.uk> At 13:31 20/02/2004, you wrote: >Jan-Peter Koopmann wrote on Fri, 20 Feb 2004 12:12:36 +0100: > > > And some won't do the right thing. If you teach Exim (e.g.) to put in > > those headers they will simply stick in the message. And they are > > supposed to. Therefore the User will be able to see them in his MUA. > >sendmail doesn't insert the Envelope-To if there is more than one >recipient. > > > > > Possibly your setup will get rid of those headers at a later point. But > > speak for yourself only. :-) > > > > Where is the problem to put in those header fields at your setup? Why > > should MailScanner do anything with it? I fail to see the positive side > > effect. > > > >If I understand correctly Communigate doesn't currently support >MailScanner, but he's working on an application which will gateway to it, >but he needs to have the Envelope headers available. >There's no harm in adding those headers by MailScanner on an *optional* >basis. As it seems you can add them with most mail daemons, anyway, but >not with all. So, if there was harm adding them, most people can already >do now. I suppose it would be a trivial change to the code, someone >already posted a custom function for this some days ago, but I tried it >out and it didn't work for me (I use sendmail now to do it). The main >problem remains what to do with multiple recipients on that domain. Do it >like sendmail and not add them or enumerate thru and add all of them? I >guess only the latter would help John. 
Well it's not trivial, but I've done it. If you want the Envelope-To header, it will add all the recipients. In the event that you use a ruleset to work out whether to add the headers or not, they will only be added if the rules for all the recipients agree to have the header added. If any matching rule says to not add either of the headers, that header will not be added. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Feb 20 13:56:28 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:36 2006 Subject: Hello? (was Re: Adding Envelope Headers?) In-Reply-To: <5B0E73F8-638C-11D8-8D33-003065F939FE@ucsc.edu> References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> <402D4E48.1A8709B1@ucsc.edu> <40329E21.7D82BCA5@ucsc.edu> <4033DC27.34BB2DA7@ucsc.edu> <6.0.1.1.2.20040219091017.03d08320@imap.ecs.soton.ac.uk> <403542D9.B30C436F@ucsc.edu> <6.0.1.1.2.20040220082658.03f3c698@imap.ecs.soton.ac.uk> <5B0E73F8-638C-11D8-8D33-003065F939FE@ucsc.edu> Message-ID: <6.0.1.1.2.20040220135222.040a76f0@imap.ecs.soton.ac.uk> At 10:05 20/02/2004, you wrote: >(I get the feeling you didn't read the original message I wrote in this >thread) Quite right. You don't have to deal with the volume of mail I do. And there's then the minor of doing my day job as well. If you want to see all the stuff I am responsible for at work, look here: http://www.ecs.soton.ac.uk/~jkf/myjob.html I have to squeeze MailScanner into the odd minutes here and there when I don't have more pressing things to do. We are a department of 1800 people and 1000 computers, in which everything computer-related (and all purchasing) is run by a team of 9 of us. We all have very busy lives. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From maillists at CONACTIVE.COM Fri Feb 20 14:31:31 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:36 2006 Subject: Stop scanning of outgoing mails? In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273132FE@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F3629273132FE@mtlnt501fs.CAMOROUTE.COM> Message-ID: Ugo Bellavance wrote on Thu, 19 Feb 2004 14:07:35 -0500: > I might be missing something in the conversation (didn't get enough > sleep this week), but you can use whitelists to disable spam checks for > outgoing messages only (whitelist your internal servers by IP), and you > can use rules to disable filename/type checks for outgoing messages > only. > You can if you have a gateway thru which all your mail traffic relays. That is not the case here. We have a distributed infrastructure with lots of machines and each having its own mail servers. Some of them operated by us with multiple customers and some of them operated by the customers themselves. There are advantages and disadvantages centralizing all the mail for the machines we operate and every time we were about to do it something struck which made us realize that a distributed mail system isn't that bad ... So we are going to keep it that way. Customers authenticate via SMTP AUTH if they want to relay and we don't want to scan these messages, only the incoming traffic. I hoped that I had overlooked a certain special rule which would allow this, but there apparently isn't. There is no way of whitelisting their IP because that usually gets dynamically assigned. It should be possible to know within MailScanner that they have authenticated, though. But it seems I'm the only one who needs this solution, everyone else seems to split in and outgoing to different machines if they don't want to have one of them scanned. 
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Fri Feb 20 14:31:32 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:36 2006 Subject: Stop scanning of outgoing mails? In-Reply-To: <200402201232.07811.jacques@monaco.net> References: <200402201232.07811.jacques@monaco.net> Message-ID: Jacques Caruso wrote on Fri, 20 Feb 2004 12:32:59 +0100: > defer_transports = local, virtual Thanks, I'll keep that for the case we start using Postfix as well which might be the case real soon. Wouldn't that also stop any traffic *not* ending on the machine, f.i. mail which is forwarded? > I don't know about other MTAs, but I'm sure there are solutions, too > Hm, maybe I can configure sendmail to put all authenticated mail directly in mqueue instead of mqueue.in. I'll ask in a sendmail newsgroup, thanks for the hint. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Fri Feb 20 14:31:31 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:36 2006 Subject: Stop scanning of outgoing mails? In-Reply-To: <6.0.1.1.2.20040219175325.03e26458@imap.ecs.soton.ac.uk> References: <54C38A0B814C8E438EF73FC76F36292741090A@mtlnt501fs.CAMOROUTE.COM> <6.0.1.1.2.20040219175325.03e26458@imap.ecs.soton.ac.uk> Message-ID: Julian Field wrote on Thu, 19 Feb 2004 17:54:11 +0000: > I have only been partially following this thread. I tend to work around > problems like this by having a separate outgoing mail relay from incoming. > We have a lot of distributed systems and clients just connect to "mail.client.domain" which is the same as "client.domain" for pop, imap or smtp, so in- and outgoing is usually on the same machine. 
We currently use a milter for spam scanning which can be configured to skip any authenticated mail and I was of the naive presumption that every mail scanning tool would need to have such a switch. I was looking for it in MailScanner and couldn't find it. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Fri Feb 20 14:31:31 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:36 2006 Subject: Stop scanning of outgoing mails? In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1D4@tormail2.algorithmics.com> References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1D4@tormail2.algorithmics.com> Message-ID: Derek Winkler wrote on Thu, 19 Feb 2004 13:55:33 -0500: > I'd look into setting up a second ip with another instance of sendmail for > authenticated SMTP only which uses /var/spool/mqueue directly, no > MailScanner. > Thanks. I had already thought about running another sendmail on a different port but running it on a different IP is better in terms of usability for the client. Still need to tell him a different outgoing mail domain, though. ;-) Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From nathan at TCPNETWORKS.NET Fri Feb 20 14:48:35 2004 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:22:36 2006 Subject: McAfee virusscan Message-ID: No, you're right. It is a lesson in futility. I did a full review of all currently support virus scanners several months ago (in fact, I think someone posted this review to the FAQ). After I posted my review, I received several conflicting pieces of feedback. Everyone was told a different story by McAfee. No one seems to know where or how to buy it or how it's licensed. 
I've been told by several people that NAI licenses this product by user--not by machine. This quickly put it out of our price range. I found the smaller vendors were often the most helpful (which can be expected). The NOD32 folks were the most responsive but still too pricey. I settled on CAI eTrust at a little over $100.00 for 5 nodes (licensed per machine). My only issue with them is their somewhat lagging OS/distribution support. They still haven't release a version that's compatible with Red Hat 9 or later, or Red Hat Enterprise Linux 2.1 or later. They're also RedHat/SUSE centric. No mention of Debian on their compatibility list. I haven't tried it yet. Nathan > -----Original Message----- > From: Chris Yuzik [mailto:chris@FRACTALWEB.COM] > Sent: Thursday, February 19, 2004 2:56 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: McAfee virusscan > > OMG! I'm ready to pull what's left of my hair out. > > NAI and McAfee are virtually impossible to deal with. I have wasted no > less than 3 hours on the phone over the past couple of days trying to > get pricing for McAfee Virusscan commandline for Unix (or Linux). I > managed to download an evaluation version and it seems fine. I have > talked with 3 resellers that are all "not familiar with that product" > and all promise to get back to me after talking to McAfee...and, of > course, they never do. > > I've called McAfee and talked with almost a dozen people. I finally > talked to one person who told me that the commandline version of > Virusscan is no longer sold on its own and is only available > as part of > the Virusscan Suite for the Desktop 5-user version. Cost on that is > apparently US$200 for the first year, then $82 per year thereafter. > According to the MailScanner FAQ, it should be more like $12 for a > perpetual license. 
> > One person I talked with suggested that the Command Line version MIGHT > be included in the boxed retail package of McAfee Virusscan > Professional, but all the literature just says Windows. According to > someone at NAI, it's only the Windows version. > > It looks like there is something called the "McAfee Active VirusScan > Suite Small Business Edition" that allegedly includes the command line > scanner for unix/linux. Minimum purchase is 2 nodes, so cost is about > US$80...but I cannot purchase this product because I am in > Canada...and > apparently, it's not available in Canada unless I purchase 11 > nodes. Did > I mention I only have 1 machine? Argh! > > Am I missing something here? Is purchasing software supposed > to be this > difficult? > > Perhaps I'm used to the way good shareware works...I download it, > install it, and if I like it, pay for it. Then, they send me some sort > of key file that I put on the machine and it keeps working. > > Can anyone shed any light here? Any McAfee users out there > know the secret? > > Cheers, > Chris > From dustin.baer at IHS.COM Fri Feb 20 14:53:02 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:36 2006 Subject: Spam whitelist rules References: Message-ID: <40361F4E.6576F319@ihs.com> Kai Schaetzl wrote: > > While researching rules I got the impression that all the stuff below > should have the same result (no spam check done), am I correct? > > Spam Checks = %rules-dir%/spam.1.rules > From: *@domain no > > = %rules-dir%/spam.2.rules > From: *@domain yes > > Is Definitely Spam = %rules-dir%/spam.3.rules > From: *@domain no > > Kai You can whitelist, or blacklist an address, but still do spam checks in order to see what the score is. 
In other words, you can have SpamAssassin give a score of 500, and show the hits/scores for each test, and if the address is in "Is Definitely Not Spam," the email is still going through...with the scores displayed.

On our server when people request quarantined spam, I change the $_ header to an "Is Definitely Not Spam" IP, but I allow Spam Checks. That way, people can see why it was stopped in the first place.

If you had an address that was "no" for "Spam Checks", then you wouldn't see the SpamAssassin tests.

Hope that helps.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From mkettler at EVI-INC.COM Fri Feb 20 15:13:11 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:36 2006
Subject: Wierd words for spam filter
In-Reply-To: <4035DA0C.8010806@solid-state-logic.com>
References: <4035DA0C.8010806@solid-state-logic.com>
Message-ID: <6.0.0.22.0.20040220100443.025cb920@xanadu.evi-inc.com>

At 04:57 AM 2/20/2004, Martin Hepworth wrote:
>try the antidrug ruleset at
>http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
>
>having said that I'm running it and it didn't trigger it, but this rule
>did...

What version of antidrug are you using Martin? 0.43?

Using 0.52 David's post triggered a lot of rules:

LOCAL_DRUGS_ANXIETY 0.01,
LOCAL_DRUGS_ANXIETY_MALEDYS 1.00
LOCAL_DRUGS_MALEDYSFUNCTION 1.00,
LOCAL_DRUGS_MALEDYSFUNCTION_OBFU 0.50
LOCAL_DRUGS_MANYKINDS 1.00,
LOCAL_DRUGS_MUSCLE 0.01
LOCAL_DRUGS_SLEEP 0.01,

0.5x is a very significant improvement in hit-rate over 0.43. I've added the ability to deal with irregular gapping patterns like the ones used in Daniel's message.

body LOCAL_OBFU_VGR looks painfully slow to execute.

[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?

Why not just use \W? here... It would be easier to read. Why exclude so many individual characters over \x7F?
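The gap-class question in the message above, and the earlier report that adding words with pipes and pluses "tags everything as spam", worked through as an added example (not code from the thread, from the antidrug ruleset or from the obfuscation script). Assumptions: the look-alike sets are an ASCII subset of the quoted rule, the word boundaries are simplified, every sample except `v|@gRa` is constructed, and Python's `re` stands in for the Perl regexes SpamAssassin uses.

```python
import re

# Gap class from the rule quoted in the thread, ASCII part only (the high-byte
# ranges such as \x7F-\xA1 are left out of this sketch), and the simpler
# alternative raised in the reply.
EXPLICIT_GAP = r"[\x01-\x2F\\\^_`\|]?"
NONWORD_GAP = r"\W?"

# ASCII subset of the per-letter look-alike sets in the quoted rule.
LOOKALIKES = {
    "v": r"[vu]|\\/",
    "i": r"[il1:|*]",
    "a": r"[a4*@]|/\\",
    "g": r"[g6]",
    "r": r"r",
}


def build_rule(word, gap):
    """Compile an obfuscation-tolerant pattern for `word`, with `gap` between letters."""
    letters = ["(?:" + LOOKALIKES.get(ch, re.escape(ch)) + ")" for ch in word]
    # Simplified boundaries: no letter or digit directly before or after the
    # match (the quoted rule uses \b and \B variants instead).
    return re.compile(
        r"(?<![a-z0-9])" + gap.join(letters) + r"(?![a-z0-9])", re.IGNORECASE
    )


# "v|@gRa" is taken from the post in the thread; the rest are constructed.
SAMPLES = ["v|@gRa", "v.i.a.g.r.a", "v_i_a_g_r_a", "v:i:a:g:r:a", "Travel via Granada"]


def compare_gaps(word="viagra", samples=SAMPLES):
    """Return {sample: (hit with the explicit gap class, hit with \\W?)}."""
    explicit = build_rule(word, EXPLICIT_GAP)
    nonword = build_rule(word, NONWORD_GAP)
    return {s: (bool(explicit.search(s)), bool(nonword.search(s))) for s in samples}


def literal_as_rule(word, texts):
    """Use an obfuscated word as a rule pattern, first pasted raw, then escaped.

    Returns (raw_hits, escaped_hits); raw_hits is None when the raw text is
    not a valid regex at all.
    """
    try:
        raw = re.compile(word, re.IGNORECASE)
        raw_hits = [t for t in texts if raw.search(t)]
    except re.error:
        raw_hits = None
    escaped = re.compile(re.escape(word), re.IGNORECASE)
    return raw_hits, [t for t in texts if escaped.search(t)]


# Constructed message bodies.
TEXTS = [
    "Please review the attached invoice",
    "Cheap v|@gRa and +Soma+ here",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for sample, (explicit_hit, nonword_hit) in compare_gaps().items():
        print(f"{sample!r:24} explicit={explicit_hit!s:5} \\W?={nonword_hit}")
    for word in ("v|@gRa", "+Soma+"):
        print(word, literal_as_rule(word, TEXTS))
```

The underscore and colon samples show that the two gap classes are not interchangeable: `\W` does not match `_`, while the explicit class leaves out characters such as `:` that the rule also uses as letter look-alikes. Pasted raw, `v|@gRa` is an alternation that hits any text containing a "v", and `+Soma+` does not compile at all.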
From martinh at SOLID-STATE-LOGIC.COM Fri Feb 20 15:18:02 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:36 2006 Subject: Wierd words for spam filter In-Reply-To: <6.0.0.22.0.20040220100443.025cb920@xanadu.evi-inc.com> References: <4035DA0C.8010806@solid-state-logic.com> <6.0.0.22.0.20040220100443.025cb920@xanadu.evi-inc.com> Message-ID: <4036252A.5080707@solid-state-logic.com> Matt should be something recent.. 'ls' says Feb 18....comments say 0.52 hmm hang on, it's root only readable - d'oh.. something else to check - bayes DB AND custom rule sets need to be read-able by the MailScanner user....;-) -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Matt Kettler wrote: > At 04:57 AM 2/20/2004, Martin Hepworth wrote: > >> try the antidrug ruleset at >> http://mywebpages.comcast.net/mkettler/sa/antidrug.cf >> >> having said that I'm running it and it didn't trigger it, but this rule >> did... > > > What version of antidrug are you using Martin? 0.43? > > Using 0.52 David's post triggered a lot of rules: > > LOCAL_DRUGS_ANXIETY 0.01, > LOCAL_DRUGS_ANXIETY_MALEDYS 1.00 > LOCAL_DRUGS_MALEDYSFUNCTION 1.00, > LOCAL_DRUGS_MALEDYSFUNCTION_OBFU 0.50 > LOCAL_DRUGS_MANYKINDS 1.00, > LOCAL_DRUGS_MUSCLE 0.01 > LOCAL_DRUGS_SLEEP 0.01, > > 0.5x is a very significant improvement in hit-rate over 0.43. I've added > the ability to deal with irregular gapping patterns like the ones used > Daniel's message. > > body LOCAL_OBFU_VGR looks painfully slow to execute. > > [\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]? > > > Why not just use \W? here... It would be easier to read. Why exclude so > many individual characters over \x7F? ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From MWeiner at AG.COM Fri Feb 20 15:38:12 2004 From: MWeiner at AG.COM (MW Mike Weiner (5028)) Date: Thu Jan 12 21:22:37 2006 Subject: Building an MS-SA box Message-ID: <4FD2C985D5E2A642AE25823DFD61C2B01A812A@orca.agcom.amgreetings.com> Julian - I am back at it again, trying to build a decent spambox to throw in front of our exchange server to help "save" it (LOL). Anyway, here is my basic layout: Red Hat Linux release 9 (Shrike) Linux spambox 2.4.20-28.9smp #1 SMP Thu Dec 18 13:37:36 EST 2003 i686 i686 i386 GNU/Linux Running the following: Spamassassin-2.63-1 Mailscanner-4.26.8-1 Dcc-dccd 1.3.1 Razor (Clients and SDK) 2.36 Pyzor-0.4 Spammiliter-0.2 Milter-regex-0.2 And it appears that SA and MS are playing quite nicely together, but I see a lot of errors in the /var/log/maillog when this box gets busy. Is anyone else running their system like this? This box does over 50k emails aday for multiple domains and as such, the Load Average never goes below 4-5 on a good day. My plan is to use LDAP to do the user authentication against the Exchange server, thus making delivery rules and such easier to maintain and verify real users and trash everything else. Looking for any suggestions on improvement of performance and load, in particular, from admins that are using a system as described above. Any ideas would be greatly appreciated. 
Thanks in advance Michael Weiner Senior Systems Administator, WebOps AmericanGreetings.com From martinh at SOLID-STATE-LOGIC.COM Fri Feb 20 15:54:00 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:37 2006 Subject: Building an MS-SA box In-Reply-To: <4FD2C985D5E2A642AE25823DFD61C2B01A812A@orca.agcom.amgreetings.com> References: <4FD2C985D5E2A642AE25823DFD61C2B01A812A@orca.agcom.amgreetings.com> Message-ID: <40362D98.10204@solid-state-logic.com> Mike the the order I'd do it... 1) make sure the MailScanner working area, "Incoming Work Dir" defined in MailScanner.conf, is on a tmpfs not a disk. 2) configure a caching nameserver on the MS box. 3) have a look at the "Max Children" ,"Max Unscanned Messages Per Scan" and "Max Unsafe Messages Per Scan". Altering these, esp the Max Children can have a big effect. Given you load average I'd consider lowing the Max Children - after 1 and 2 have been done. Mine's at 5, but I'm only running an single 600mhz, 8-9k messages a day. 4) RAM RAM and plenty of RAM..1-2GB is not unheard of in this list for your sort of message load. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 MW Mike Weiner (5028) wrote: > Julian - > > I am back at it again, trying to build a decent spambox to throw in front of > our exchange server to help "save" it (LOL). Anyway, here is my basic > layout: > > Red Hat Linux release 9 (Shrike) > Linux spambox 2.4.20-28.9smp #1 SMP Thu Dec 18 13:37:36 EST 2003 i686 i686 > i386 GNU/Linux > Running the following: > > Spamassassin-2.63-1 > Mailscanner-4.26.8-1 > Dcc-dccd 1.3.1 > Razor (Clients and SDK) 2.36 > Pyzor-0.4 > Spammiliter-0.2 > Milter-regex-0.2 > > And it appears that SA and MS are playing quite nicely together, but I see a > lot of errors in the /var/log/maillog when this box gets busy. Is anyone > else running their system like this? 
This box does over 50k emails a day for
> multiple domains and as such, the Load Average never goes below 4-5 on a
> good day.
>
> My plan is to use LDAP to do the user authentication against the Exchange
> server, thus making delivery rules and such easier to maintain and verify
> real users and trash everything else.
>
> Looking for any suggestions on improvement of performance and load, in
> particular, from admins that are using a system as described above. Any
> ideas would be greatly appreciated.
>
> Thanks in advance
> Michael Weiner
> Senior Systems Administrator, WebOps
> AmericanGreetings.com

From sysadmins at ENHTECH.COM Fri Feb 20 16:01:48 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:37 2006
Subject: Bayes Engine not being used?
Message-ID: <6.0.2.0.0.20040220110145.026a58c8@mail.enhtech.com>

Hi folks,

I have two MailScanners - one running on RH 7.3 and other running on RH ES 3.0. The one on RH ES was just deployed and its configuration is identical to the 7.3 box.

THE PROBLEM:

The bayes engine on the ES 3.0 box does not seem like it's being used and it is not apparent to me why it is not being used. I can tell it's not being used because of the increase of SPAM I am receiving through this box and the fact that there is not one BAYES_** hit in the maillogs on this box since it was deployed. The bayes path is /var/spool/spamassassin. There I see bayes_toks and bayes_seen but I do not see bayes_journal. Is that the problem?

I am running MailScanner 4.25 14 and SpamAssassin version 2.63. If anyone could shed some light on my problem I would appreciate much. Best Regards, Errol Neal From nathan at TCPNETWORKS.NET Fri Feb 20 16:03:40 2004 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:22:37 2006 Subject: Feature: Block Persistent Virus Senders? Message-ID: I was told that MailScanner supports the blocking of persistent virus senders. I've sifted through the documentation and the changelog, but can't seem to find any reference to this. Can someone tell me which version this was introduced in and where I may find the corresponding options or functions. Is it a custom function? Funny I missed this addition as I'm a avid reader of this list. Thanks. Nathan From kodak at FRONTIERHOMEMORTGAGE.COM Fri Feb 20 16:10:25 2004 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:37 2006 Subject: Feature: Block Persistent Virus Senders? In-Reply-To: Message-ID: <008901c3f7cc$0cdc0240$0501a8c0@darkside> >I was told that MailScanner supports the blocking of persistent virus >senders. I've sifted through the documentation and the changelog, but >can't seem to find any reference to this. Can someone tell me which >version this was introduced in and where I may find the corresponding >options or functions. Is it a custom function? I haven't heard of this option (which is _not_ an indication that it does not exist.) but this seems like it may be something better handled by the MTA. Reject by IP in whatever your equilivent of an access table is. That way you're not wasting any cycles on something you're going to reject anyway. (Reject early and often, something the girls I was interested in always did. :) --J(K) From nathan at TCPNETWORKS.NET Fri Feb 20 16:15:55 2004 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:22:37 2006 Subject: Feature: Block Persistent Virus Senders? 
Message-ID: > >I was told that MailScanner supports the blocking of persistent virus > >senders. I've sifted through the documentation and the changelog, but > >can't seem to find any reference to this. Can someone tell me which > >version this was introduced in and where I may find the corresponding > >options or functions. Is it a custom function? > > I haven't heard of this option (which is _not_ an indication that > it does not exist.) but this seems like it may be something > better handled by the MTA. Reject by IP in whatever your equilivent > of an access table is. That way you're not wasting any cycles > on something you're going to reject anyway. (Reject early and > often, something the girls I was interested in always did. :) > Looks like it might be the IPBlock custom function, which allows you to throttle the number of messages received from a given sender within an hour. However, the description says that this pertains to all types of senders (spam, virus, annoyances, and even mail from Mom). I'll hold out and see if anyone else can clarify. Vispan's author (formerly mailstats) used to automatically add persistent virus senders to the access.db as part of the stats collection cron job. He told me he didn't include this feature in the latest build because Julian had included the same functionality in MailScanner. From martinh at SOLID-STATE-LOGIC.COM Fri Feb 20 16:16:31 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:37 2006 Subject: Bayes Engine not being used? In-Reply-To: <6.0.2.0.0.20040220110145.026a58c8@mail.enhtech.com> References: <6.0.2.0.0.20040220110145.026a58c8@mail.enhtech.com> Message-ID: <403632DF.2060307@solid-state-logic.com> Errol make sure the bayes DB files and directory containing it are *writable* by the user defined in the MailScanner.conf file.. 
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Admin Team wrote:
> Hi folks,
>
> I have two MailScanners - one running on RH 7.3 and other running on RH ES
> 3.0. The one on RH ES was just deployed and its configuration is identical
> to the 7.3 box.
>
> THE PROBLEM:
>
> The bayes engine on the ES 3.0 box does not seem like it's being used and it
> is not apparent to me why it is not being used. I can tell it's not being
> used because of the increase of SPAM I am receiving through this box and
> the fact that there is not one BAYES_** hit in the maillogs on this box
> since it was deployed. The bayes path is /var/spool/spamassassin. There I
> see bayes_toks and bayes_seen but I do not see bayes_journal. Is that the
> problem?
>
> I am running MailScanner 4.25 14 and SpamAssassin version 2.63. If anyone
> could shed some light on my problem I would appreciate much.
>
>
> Best Regards,
>
> Errol Neal

From prandal at HEREFORDSHIRE.GOV.UK Fri Feb 20 16:18:26 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:37 2006
Subject: Building an MS-SA box
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C555@jessica.herefordshire.gov.uk>

And mount your volumes with "noatime" set too.

Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Martin Hepworth > Sent: 20 February 2004 15:54 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Building an MS-SA box > > > Mike > > the the order I'd do it... > > 1) make sure the MailScanner working area, "Incoming Work Dir" defined > in MailScanner.conf, is on a tmpfs not a disk. > > 2) configure a caching nameserver on the MS box. > > 3) have a look at the "Max Children" ,"Max Unscanned Messages > Per Scan" > and "Max Unsafe Messages Per Scan". Altering these, esp the > Max Children > can have a big effect. Given you load average I'd consider lowing the > Max Children - after 1 and 2 have been done. Mine's at 5, but I'm only > running an single 600mhz, 8-9k messages a day. > > 4) RAM RAM and plenty of RAM..1-2GB is not unheard of in this list for > your sort of message load. > > > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > MW Mike Weiner (5028) wrote: > > Julian - > > > > I am back at it again, trying to build a decent spambox to > throw in front of > > our exchange server to help "save" it (LOL). Anyway, here > is my basic > > layout: > > > > Red Hat Linux release 9 (Shrike) > > Linux spambox 2.4.20-28.9smp #1 SMP Thu Dec 18 13:37:36 EST > 2003 i686 i686 > > i386 GNU/Linux > > Running the following: > > > > Spamassassin-2.63-1 > > Mailscanner-4.26.8-1 > > Dcc-dccd 1.3.1 > > Razor (Clients and SDK) 2.36 > > Pyzor-0.4 > > Spammiliter-0.2 > > Milter-regex-0.2 > > > > And it appears that SA and MS are playing quite nicely > together, but I see a > > lot of errors in the /var/log/maillog when this box gets > busy. Is anyone > > else running their system like this? 
This box does over 50k > emails aday for > > multiple domains and as such, the Load Average never goes > below 4-5 on a > > good day. > > > > My plan is to use LDAP to do the user authentication > against the Exchange > > server, thus making delivery rules and such easier to > maintain and verify > > real users and trash everything else. > > > > Looking for any suggestions on improvement of performance > and load, in > > particular, from admins that are using a system as > described above. Any > > ideas would be greatly appreciated. > > > > Thanks in advance > > Michael Weiner > > Senior Systems Administator, WebOps > > AmericanGreetings.com > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > From jrudd at UCSC.EDU Fri Feb 20 16:28:01 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:37 2006 Subject: Hello? (was Re: Adding Envelope Headers?) In-Reply-To: References: Message-ID: On Feb 20, 2004, at 3:12 AM, Jan-Peter Koopmann wrote: >> Users will NOT see the "Envelope-To" headers. Your argument >> does not hold. Some MTA's will "do the right thing" with it. > > And some won't do the right thing. If you teach Exim (e.g.) to put in > those headers they will simply stick in the message. And they are > supposed to. Therefore the User will be able to see them in his MUA. Then don't do it for all MTAs, perhaps just for new MTA's named "plain" and "CGP" (or perhaps as a setting in the conf file). 
I never said it should be done for all cases, just that it would be useful in some cases, and that it is not dangerous in all cases. > Where is the problem to put in those header fields at your setup? Why > should MailScanner do anything with it? I fail to see the positive > side effect. It will make supporting more MTAs (and those people who have wanted to support RFC-822 type messages directly) easier. CommuniGate Pro could go from "use my wrapper scripts" to "supported directly by MailScanner", for example. Another bullet item on the list of "supported MTA's". From sysadmins at ENHTECH.COM Fri Feb 20 16:31:33 2004 From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:37 2006 Subject: Bayes Engine not being used? In-Reply-To: <403632DF.2060307@solid-state-logic.com> References: <6.0.2.0.0.20040220110145.026a58c8@mail.enhtech.com> <403632DF.2060307@solid-state-logic.com> Message-ID: <6.0.2.0.0.20040220113051.026b2ce0@mail.enhtech.com> At 11:16 AM 2/20/2004, you wrote: >Errol > >make sure the bayes DB files and directory containing it are *writable* >by the user defined in the MailScanner.conf file.. > >-- >Martin Hepworth >Snr Systems Administrator >Solid State Logic >Tel: +44 (0)1865 842300 > Yes that is the case. The time stamps on the bayes_** files are being updated. Errol Neal From maillists at CONACTIVE.COM Fri Feb 20 16:31:38 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:37 2006 Subject: Spam whitelist rules In-Reply-To: <40361F4E.6576F319@ihs.com> References: <40361F4E.6576F319@ihs.com> Message-ID: Dustin Baer wrote on Fri, 20 Feb 2004 07:53:02 -0700: > You can whitelist, or blacklist an address, but still do spam checks in > order to see what the score is. 
In other words, you can have > SpamAssassin give a score of 500, and show the hits/scores for each > test, and if the address is in "Is Definitely Not Spam," the email is > still going through...with the scores displayed Ah, so Spam Checks = no does no spam check at all while the other two do but I can change the default action for the result, did I get that right? Hm, looking at the headers I think I didn't get it right, because there's no spam score (0.0) shown on all whitelisted mail. ;-) (using Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules) If I understand you correctly they should go through (since the default action is store) and they *do* go thru but they are all flagged as W/L and score of 0.0 in Mailwatch. > > On our server when people request quarantined spam, I change the $_ > header to a "Is Definitely Not Spam" IP, but I allow Spam Checks. I don't understand, sorry. $_ is the "validated sender address" in sendmail, how, where do you change what? That > way, people can see why it was stopped in the first place. If you had > an address that was "no" for "Spam Checks", then you wouldn't see the > SpamAssassin tests. > Yes, that's clear now, but not so much of the stuff above, sorry :-( Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Fri Feb 20 16:31:38 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:37 2006 Subject: Hello? (was Adding Envelope Headers?) In-Reply-To: <6.0.1.1.2.20040220134156.08cbb888@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040220134156.08cbb888@imap.ecs.soton.ac.uk> Message-ID: Julian Field wrote on Fri, 20 Feb 2004 13:51:23 +0000: > Well it's not trivial, but I've done it. If you want the Envelope-To > header, it will add all the recipients. 
> Looks quite promising from your description, I may go with removing it now from sendmail and put it in via MailScanner. Thanks! Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From jrudd at UCSC.EDU Fri Feb 20 16:35:39 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:37 2006 Subject: Hello? (was Re: Adding Envelope Headers?) In-Reply-To: <6.0.1.1.2.20040220123359.0400f990@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040220123359.0400f990@imap.ecs.soton.ac.uk> Message-ID: On Feb 20, 2004, at 4:34 AM, Julian Field wrote: > At 11:12 20/02/2004, you wrote: >> > Users will NOT see the "Envelope-To" headers. Your argument >> > does not hold. Some MTA's will "do the right thing" with it. >> >> And some won't do the right thing. If you teach Exim (e.g.) to put in >> those headers they will simply stick in the message. And they are >> supposed >> to. Therefore the User will be able to see them in his MUA. >> >> Possibly your setup will get rid of those headers at a later point. >> But >> speak for yourself only. :-) >> >> Where is the problem to put in those header fields at your setup? Why >> should MailScanner do anything with it? I fail to see the positive >> side effect. > > Right, it is in as an option. Envelope-From turned on by default, > Envelope-To turned off by default. > These will be in 4.27. > Great! Thank you :-) Just a couple questions: 1) Will MailScanner use them as the source of information? or just write them on output? 2) Is there any way to guarantee the ordering of the headers? For example, if they're in the source in a particular order (as I put the other messages, for CommuniGate Pro, Envelope-To has to be first, and then Return-Path), is it guaranteed that MailScanner will keep them in that order? 
Or, if MailScanner is only generating them, and not reading them from the input, is there a way to make sure MailScanner puts them at the top of the message?

From mailscanner at ecs.soton.ac.uk Fri Feb 20 16:39:36 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:37 2006
Subject: Hello? (was Re: Adding Envelope Headers?)
In-Reply-To:
References: <6.0.1.1.2.20040220123359.0400f990@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040220163636.03e4c2b8@imap.ecs.soton.ac.uk>

At 16:35 20/02/2004, you wrote:
>On Feb 20, 2004, at 4:34 AM, Julian Field wrote:
>
>>At 11:12 20/02/2004, you wrote:
>>> > Users will NOT see the "Envelope-To" headers. Your argument
>>> > does not hold. Some MTA's will "do the right thing" with it.
>>>
>>>And some won't do the right thing. If you teach Exim (e.g.) to put in
>>>those headers they will simply stick in the message. And they are supposed
>>>to. Therefore the User will be able to see them in his MUA.
>>>
>>>Possibly your setup will get rid of those headers at a later point. But
>>>speak for yourself only. :-)
>>>
>>>Where is the problem to put in those header fields at your setup? Why
>>>should MailScanner do anything with it? I fail to see the positive
>>>side effect.
>>
>>Right, it is in as an option. Envelope-From turned on by default,
>>Envelope-To turned off by default.
>>These will be in 4.27.
>
>Great! Thank you :-)
>
>Just a couple questions:
>
>1) Will MailScanner use them as the source of information? or just
>write them on output?

With one very minor exception, MailScanner never uses the headers for anything. It uses the envelope addresses.

>2) Is there any way to guarantee the ordering of the headers?

No. They will come at the end.

>For example, if they're in the source in a particular order (as I put
>the other messages, for CommuniGate Pro, Envelope-To has to be first,
>and then Return-Path), is it guaranteed that MailScanner will keep them
>in that order?

No.

>Or, if MailScanner is only generating them, and not reading them from >the input, is there a way to make sure MailScanner puts them at the top >of the message? No. MailScanner always adds headers on the end of the list. Adding them at the top is very messy as that is where the Received headers build a pretty chain of information. You don't want to go inserting headers in the middle of that, it will make a right mess :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dustin.baer at IHS.COM Fri Feb 20 17:05:56 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:37 2006 Subject: Spam whitelist rules References: <40361F4E.6576F319@ihs.com> Message-ID: <40363E74.6C6D5B7F@ihs.com> Kai Schaetzl wrote: > > Dustin Baer wrote on Fri, 20 Feb 2004 07:53:02 -0700: > > > You can whitelist, or blacklist an address, but still do spam checks in > > order to see what the score is. In other words, you can have > > SpamAssassin give a score of 500, and show the hits/scores for each > > test, and if the address is in "Is Definitely Not Spam," the email is > > still going through...with the scores displayed > > Ah, so Spam Checks = no does no spam check at all while the other two do > but I can change the default action for the result, did I get that right? Yes. > Hm, looking at the headers I think I didn't get it right, because there's > no spam score (0.0) shown on all whitelisted mail. ;-) > (using Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules) Do you still have "Spam Checks = no" (or a ruleset for the particular address you are testing)? > If I understand you correctly they should go through (since the default > action is store) and they *do* go thru but they are all flagged as W/L and > score of 0.0 in Mailwatch. You have a default action of store for spam.whitelist.rules? Now, I am confused. 
:-)

> > On our server when people request quarantined spam, I change the $_
> > header to a "Is Definitely Not Spam" IP, but I allow Spam Checks.
>
> I don't understand, sorry. $_ is the "validated sender address" in
> sendmail, how, where do you change what?

I have a script that does it. When people request email, the script changes $_ to an IP that is whitelisted, therefore goes through, no matter what SpamAssassin says. The reason I want it this way, is that it will go back through MailScanner (mqueue.in), pass through spam checking, but get tested for viruses.

> > That
> > way, people can see why it was stopped in the first place. If you had
> > an address that was "no" for "Spam Checks", then you wouldn't see the
> > SpamAssassin tests.
> >
>
> Yes, that's clear now, but not so much of the stuff above, sorry :-(

Here are some examples:

Sender = spammer@spam.com

1. Spam Checks = yes
   spam.whitelist.rules - From: spammer@spam.com yes
   Result - email will include SpamAssassin score, no matter what score SpamAssassin gave it.

2. Spam Checks = no
   spam.whitelist.rules - From: spammer@spam.com yes
   Result - email will NOT include SpamAssassin score, because there are no Spam Checks

Does that make more sense?

Dustin

From martinh at SOLID-STATE-LOGIC.COM Fri Feb 20 17:08:00 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:37 2006
Subject: Bayes Engine not being used?
In-Reply-To: <6.0.2.0.0.20040220113051.026b2ce0@mail.enhtech.com>
References: <6.0.2.0.0.20040220110145.026a58c8@mail.enhtech.com>
 <403632DF.2060307@solid-state-logic.com>
 <6.0.2.0.0.20040220113051.026b2ce0@mail.enhtech.com>
Message-ID: <40363EF0.2020208@solid-state-logic.com>

Ok then - I had the situation where my sa-learn scripts were running as root and resetting the perms on the DB files every so often. I think there's now an option on MS 4.25 (or later) to force the umask in this case.

anyway to debug the problem...

stop MailScanner
change the Debug and Spamassassin Debug options to 'yes' in MailScanner.conf

run check_MailScanner

this will run a single instance of MS and you should be able to see any errors relating to the Bayes DB pop up on the screen. NB CTRL-S and CTRL-Q can suspend/restart the text scrolling past, and CTRL-C will stop MS.

Once you want to restart MS in the normal way, change the Debug settings back to 'no' and restart MS in the normal way.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Admin Team wrote:
> At 11:16 AM 2/20/2004, you wrote:
>
>> Errol
>>
>> make sure the bayes DB files and directory containing it are *writable*
>> by the user defined in the MailScanner.conf file..
>>
>> --
>> Martin Hepworth
>> Snr Systems Administrator
>> Solid State Logic
>> Tel: +44 (0)1865 842300
>>
>
> Yes that is the case. The time stamps on the bayes_** files are being
> updated.
>
>
> Errol Neal

From m.sapsed at BANGOR.AC.UK Fri Feb 20 17:26:30 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:37 2006
Subject: Feature concept... "noisy viruses"?
References: <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com>
 <6.0.1.1.2.20040218183708.03dbb0a0@imap.ecs.soton.ac.uk>
 <6.0.0.22.0.20040218135448.023fdc00@xanadu.evi-inc.com>
Message-ID: <40364346.7000807@bangor.ac.uk>

Matt Kettler wrote:
> However, there are those that continue to use Virus notifies and manually
> maintain their silent virus list..
This would offer those administrators a > "reduced headache" alternative while still reaching their goals of > notifying senders where it's practical. > > I'm mostly proposing it from a concept of "If people are going to use it, > at least offer them an option which defaults to the most-safe behavior if > they fall behind in maintenance" > > I myself might even consider using the feature on occasion, despite my > opposition to general virus notifications. However, I won't push strongly > for you to implement it or not. I'd be in favour of this as an alternative to removing the feature altogether, especially if (as now) it matched on substrings. You could "whitelist" WM97 for example and then someone would get a wake up if they didn't know they had a macro virus, "Joke" or "Troj" would also show that those types weren't welcome. Specific things like Gibe-F can be added if they're high volume and known not to spoof. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From Jan-Peter.Koopmann at SECEIDOS.DE Fri Feb 20 17:31:25 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:37 2006 Subject: Building an MS-SA box Message-ID: > My plan is to use LDAP to do the user authentication against > the Exchange server, thus making delivery rules and such > easier to maintain and verify real users and trash everything else. My suggestion: Don't. Do it the other way around. Push all valid e-mail adresses to the MailScanner box (I posted a script to do this earlier. Have a look at the FAQ). If you need auth, consider RADIUS instead of LDAP. LDAP will work of course but it is quite messy and from my point of view opens up too many possible security holes on an Exchange box. 
Regards, JP From lists at STHOMAS.NET Fri Feb 20 17:31:25 2004 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:22:37 2006 Subject: Keystroke logger being installed from a link in an email (Subject: Police Investigation ) In-Reply-To: <6.0.1.1.2.20040220082513.03c85850@imap.ecs.soton.ac.uk>; from mailscanner@ECS.SOTON.AC.UK on Fri, Feb 20, 2004 at 08:25:48AM +0000 References: <6.0.1.1.2.20040220082513.03c85850@imap.ecs.soton.ac.uk> Message-ID: <20040220093125.A4027@sthomas.net> On Fri, Feb 20, 2004 at 08:25:48AM +0000, Julian Field is rumored to have said: > > This is apparently quite an old one. There is a good report from AusCERT here: > http://www.auscert.org.au/render.html?it=3858 > > Sophos, for example, has detected it since May 2003. > Interesting - I scanned it multiple times with Sophos (latest and greatest w/all current IDEs) and came up with zilch. I sent them a copy of it so they could check it out. -- "This isn't right, this isn't even wrong." - Wolfgang Pauli (1900-1958), upon reading a young physicist's paper From sysadmins at ENHTECH.COM Fri Feb 20 17:39:03 2004 From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:37 2006 Subject: Bayes Engine not being used? In-Reply-To: <40363EF0.2020208@solid-state-logic.com> References: <6.0.2.0.0.20040220110145.026a58c8@mail.enhtech.com> <403632DF.2060307@solid-state-logic.com> <6.0.2.0.0.20040220113051.026b2ce0@mail.enhtech.com> <40363EF0.2020208@solid-state-logic.com> Message-ID: <6.0.2.0.0.20040220123729.026d7e78@mail.enhtech.com> At 12:08 PM 2/20/2004, you wrote: >Ok then - I had the situation where my sa-learn scripts were runnign a >root and resetting the perms on the DB files every so often. I think >theres now an option on MS 4.25 (or later) to force the umask in this case. > >anyway to debug the problem... 
> >stop MailScanner >change the Debug and Spamassassin Debug options to 'yes' in MailScanner.conf > >run check_MailScanner > >this will run a single instance of MS and you should be able to see any >errors relating to the Bayes DB pop up on the screen. NB CTRL-S and >CTRL-Q can suspend/restart the text scrolling past, and CTRL-C will stop > MS. > >Once you want to restart MS in the normal way, change the Debug settings >back to 'no' and restart MS in the normal way. > >-- >Martin Hepworth >Snr Systems Administrator >Solid State Logic >Tel: +44 (0)1865 842300 > I had done all this already. The only thing that got it working was to import the bayes data from the other MailScanner system. This got bayes working again. Anybody know why? I mean, this was a plain vanilla install of SA so I am curious to learn why the bayes engine was not being used. Errol Neal From mailscanner at ecs.soton.ac.uk Fri Feb 20 17:46:39 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:37 2006 Subject: Feature concept... "noisy viruses"? In-Reply-To: <40364346.7000807@bangor.ac.uk> References: <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com> <6.0.1.1.2.20040218183708.03dbb0a0@imap.ecs.soton.ac.uk> <6.0.0.22.0.20040218135448.023fdc00@xanadu.evi-inc.com> <40364346.7000807@bangor.ac.uk> Message-ID: <6.0.1.1.2.20040220174304.03803c20@imap.ecs.soton.ac.uk> At 17:26 20/02/2004, you wrote: >Matt Kettler wrote: >>However, there are those that continue to use Virus notifies and manually >>maintain their silent virus list.. This would offer those administrators a >>"reduced headache" alternative while still reaching their goals of >>notifying senders where it's practical. 
>> >>I'm mostly proposing it from a concept of "If people are going to use it, >>at least offer them an option which defaults to the most-safe behavior if >>they fall behind in maintenance" >> >>I myself might even consider using the feature on occasion, despite my >>opposition to general virus notifications. However, I won't push strongly >>for you to implement it or not. > >I'd be in favour of this as an alternative to removing the feature >altogether, especially if (as now) it matched on substrings. You could >"whitelist" WM97 for example and then someone would get a wake up if >they didn't know they had a macro virus, "Joke" or "Troj" would also >show that those types weren't welcome. Specific things like Gibe-F can >be added if they're high volume and known not to spoof. So the only extra configuration option would be "Noisy Viruses =". If a message report matched the "noisy" substring list, then the message would be delivered and a warning sent to the sender (assuming other options allow it). If a message report matched both the "noisy" and "silent" substring lists, then the "noisy" status would win. Then you could put "All-Viruses" in the silent list and "WM97" in the noisy list, and the WM97 status would cause the warnings to be sent, despite the silent list. Does this sound right to you? It looks quite possible to implement. Do lots of people want this feature? Or is it only going to be used by a couple of you? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mlm at LOANPROCESSING.NET Fri Feb 20 17:50:20 2004 From: mlm at LOANPROCESSING.NET (Mike McMullen) Date: Thu Jan 12 21:22:37 2006 Subject: Bayes Engine not being used? 
References: <6.0.2.0.0.20040220110145.026a58c8@mail.enhtech.com> <403632DF.2060307@solid-state-logic.com> <6.0.2.0.0.20040220113051.026b2ce0@mail.enhtech.com> <40363EF0.2020208@solid-state-logic.com> <6.0.2.0.0.20040220123729.026d7e78@mail.enhtech.com> Message-ID: <003e01c3f7da$02665d20$3e01a8c0@express.loanprocessing.net> From: "Admin Team" > At 12:08 PM 2/20/2004, you wrote: > >Ok then - I had the situation where my sa-learn scripts were runnign a > >root and resetting the perms on the DB files every so often. I think > >theres now an option on MS 4.25 (or later) to force the umask in this case. > > > >anyway to debug the problem... > > > >stop MailScanner > >change the Debug and Spamassassin Debug options to 'yes' in MailScanner.conf > > > >run check_MailScanner > > > >this will run a single instance of MS and you should be able to see any > >errors relating to the Bayes DB pop up on the screen. NB CTRL-S and > >CTRL-Q can suspend/restart the text scrolling past, and CTRL-C will stop > > MS. > > > >Once you want to restart MS in the normal way, change the Debug settings > >back to 'no' and restart MS in the normal way. > > > >-- > >Martin Hepworth > >Snr Systems Administrator > >Solid State Logic > >Tel: +44 (0)1865 842300 > > > > I had done all this already. The only thing that got it working was to > import the bayes data from the other MailScanner system. This got bayes > working again. Anybody know why? I mean, this was a plain vanilla install > of SA so I am curious to learn why the bayes engine was not being used. > > > Errol Neal > Errol, After the install did you train SA with at least 200 ham and spam messages? I just ran into this a week ago on my first installation of SA. After there were enough sample ham and spam messages, bayes kicked in. When you imported the bayes data from the other system, that probably created enough samples for bayes to take effect. 
HTH, Mike From mailscanner at ecs.soton.ac.uk Fri Feb 20 17:47:57 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:37 2006 Subject: Bayes Engine not being used? In-Reply-To: <6.0.2.0.0.20040220123729.026d7e78@mail.enhtech.com> References: <6.0.2.0.0.20040220110145.026a58c8@mail.enhtech.com> <403632DF.2060307@solid-state-logic.com> <6.0.2.0.0.20040220113051.026b2ce0@mail.enhtech.com> <40363EF0.2020208@solid-state-logic.com> <6.0.2.0.0.20040220123729.026d7e78@mail.enhtech.com> Message-ID: <6.0.1.1.2.20040220174715.03d3ce70@imap.ecs.soton.ac.uk> At 17:39 20/02/2004, you wrote: >At 12:08 PM 2/20/2004, you wrote: >>Ok then - I had the situation where my sa-learn scripts were runnign a >>root and resetting the perms on the DB files every so often. I think >>theres now an option on MS 4.25 (or later) to force the umask in this case. >> >>anyway to debug the problem... >> >>stop MailScanner >>change the Debug and Spamassassin Debug options to 'yes' in MailScanner.conf >> >>run check_MailScanner >> >>this will run a single instance of MS and you should be able to see any >>errors relating to the Bayes DB pop up on the screen. NB CTRL-S and >>CTRL-Q can suspend/restart the text scrolling past, and CTRL-C will stop >> MS. >> >>Once you want to restart MS in the normal way, change the Debug settings >>back to 'no' and restart MS in the normal way. >> >>-- >>Martin Hepworth >>Snr Systems Administrator >>Solid State Logic >>Tel: +44 (0)1865 842300 > >I had done all this already. The only thing that got it working was to >import the bayes data from the other MailScanner system. This got bayes >working again. Anybody know why? I mean, this was a plain vanilla install >of SA so I am curious to learn why the bayes engine was not being used. The Bayes engine won't be used until it has learnt a few hundred spam and a few hundred non-spam messages. 
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From support at EPAXSYS.NET Fri Feb 20 17:38:29 2004
From: support at EPAXSYS.NET (Support ePaxsys/FRWS)
Date: Thu Jan 12 21:22:37 2006
Subject: filetype.rules.conf question...
Message-ID: <5.1.0.14.2.20040220103129.0236dd50@mail.frws.com>

Got a quick question regarding the filetype.rules.conf file.

Currently we block MPG and MPE files outright using MailScanner. Seems to me a rule or sub-rule allowing these in if they were larger than 'X' amount would be a useful addition to that ruleset. As an ISP with quite a few clients, seems that this would allow 'legitimate' MPGs and MPEs into the system while potentially blocking those that could harbor viruses/trojans and the like. (The reason they are blocked is not because we do not want them sending them around, it's to preclude viruses and other malicious content from getting onto the system before the virus scanners catch up)

Our procmail rules block them only if they are under a set size. But that is only effective for users that have local mail boxes. Not all of our clients do.

If there is a way to do this now, I missed it in the documentation.

Thank you in advance for the responses.

JPP
ePaxsys/FRWS Technical Staff
ePaxsys, Inc. http://www.epaxsys.net
FRWS: http://www.frws.com
Live Text Support: http://www.epaxsys.net/live-help

From prandal at HEREFORDSHIRE.GOV.UK Fri Feb 20 17:48:56 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:37 2006
Subject: Feature concept... "noisy viruses"?
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C557@jessica.herefordshire.gov.uk>

If somebody came up with a list of "noisy" viruses and their names according to ClamAV, McAfee, Sophos, etc, I could imagine quite a few of us using it.
Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 20 February 2004 17:47 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Feature concept... "noisy viruses"? > > > At 17:26 20/02/2004, you wrote: > >Matt Kettler wrote: > >>However, there are those that continue to use Virus > notifies and manually > >>maintain their silent virus list.. This would offer those > administrators a > >>"reduced headache" alternative while still reaching their goals of > >>notifying senders where it's practical. > >> > >>I'm mostly proposing it from a concept of "If people are > going to use it, > >>at least offer them an option which defaults to the > most-safe behavior if > >>they fall behind in maintenance" > >> > >>I myself might even consider using the feature on occasion, > despite my > >>opposition to general virus notifications. However, I won't > push strongly > >>for you to implement it or not. > > > >I'd be in favour of this as an alternative to removing the feature > >altogether, especially if (as now) it matched on substrings. > You could > >"whitelist" WM97 for example and then someone would get a wake up if > >they didn't know they had a macro virus, "Joke" or "Troj" would also > >show that those types weren't welcome. Specific things like > Gibe-F can > >be added if they're high volume and known not to spoof. > > So the only extra configuration option would be "Noisy Viruses =". > > If a message report matched the "noisy" substring list, then > the message > would be delivered and a warning sent to the sender (assuming > other options > allow it). > > If a message report matched both the "noisy" and "silent" > substring lists, > then the "noisy" status would win. 
Then you could put > "All-Viruses" in the > silent list and "WM97" in the noisy list, and the WM97 status > would cause > the warnings to be sent, despite the silent list. > > Does this sound right to you? > It looks quite possible to implement. > > Do lots of people want this feature? Or is it only going to > be used by a > couple of you? > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mailscanner at ecs.soton.ac.uk Fri Feb 20 18:06:22 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:37 2006 Subject: Feature concept... "noisy viruses"? In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C557@jessica.herefords hire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C557@jessica.herefordshire.gov.uk> Message-ID: <6.0.1.1.2.20040220180531.03954bf0@imap.ecs.soton.ac.uk> I think people would use virus types as opposed to virus names. So things like "WM97" would be put in the list, rather than names of specific viruses. At 17:48 20/02/2004, you wrote: >If somebody came up with a list of "noisy" viruses and their names according >to ClamAV, McAfee, Sophos, etc, I could imagine quite a few of us using it. > >Phil > >--------------------------------------------- >Phil Randal >Network Engineer >Herefordshire Council >Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: 20 February 2004 17:47 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Feature concept... "noisy viruses"? > > > > > > At 17:26 20/02/2004, you wrote: > > >Matt Kettler wrote: > > >>However, there are those that continue to use Virus > > notifies and manually > > >>maintain their silent virus list.. 
This would offer those > > administrators a > > >>"reduced headache" alternative while still reaching their goals of > > >>notifying senders where it's practical. > > >> > > >>I'm mostly proposing it from a concept of "If people are > > going to use it, > > >>at least offer them an option which defaults to the > > most-safe behavior if > > >>they fall behind in maintenance" > > >> > > >>I myself might even consider using the feature on occasion, > > despite my > > >>opposition to general virus notifications. However, I won't > > push strongly > > >>for you to implement it or not. > > > > > >I'd be in favour of this as an alternative to removing the feature > > >altogether, especially if (as now) it matched on substrings. > > You could > > >"whitelist" WM97 for example and then someone would get a wake up if > > >they didn't know they had a macro virus, "Joke" or "Troj" would also > > >show that those types weren't welcome. Specific things like > > Gibe-F can > > >be added if they're high volume and known not to spoof. > > > > So the only extra configuration option would be "Noisy Viruses =". > > > > If a message report matched the "noisy" substring list, then > > the message > > would be delivered and a warning sent to the sender (assuming > > other options > > allow it). > > > > If a message report matched both the "noisy" and "silent" > > substring lists, > > then the "noisy" status would win. Then you could put > > "All-Viruses" in the > > silent list and "WM97" in the noisy list, and the WM97 status > > would cause > > the warnings to be sent, despite the silent list. > > > > Does this sound right to you? > > It looks quite possible to implement. > > > > Do lots of people want this feature? Or is it only going to > > be used by a > > couple of you? 
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MWeiner at AG.COM Fri Feb 20 18:06:23 2004
From: MWeiner at AG.COM (MW Mike Weiner (5028))
Date: Thu Jan 12 21:22:37 2006
Subject: Building an MS-SA box
Message-ID: <4FD2C985D5E2A642AE25823DFD61C2B01A8145@orca.agcom.amgreetings.com>

JP -

I appreciate the timely response, and appreciate your opinion. I was not at all sure I wanted to use LDAP but it's now "embedded" in exchange for w2k3 which is a nice means of authenticating. I will have to check into the radius idea, I haven't done it this way but will look into the suggestion. You say you have a script for the pushes?? Mind sharing to my private address? Also, what else are you running in addition to MS-SA??

Thanks in advance.

-----Original Message-----
From: Jan-Peter Koopmann [mailto:Jan-Peter.Koopmann@SECEIDOS.DE]
Sent: Friday, February 20, 2004 12:31 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Building an MS-SA box

> My plan is to use LDAP to do the user authentication against the
> Exchange server, thus making delivery rules and such easier to
> maintain and verify real users and trash everything else.

My suggestion: Don't. Do it the other way around. Push all valid e-mail addresses to the MailScanner box (I posted a script to do this earlier. Have a look at the FAQ). If you need auth, consider RADIUS instead of LDAP. LDAP will work of course but it is quite messy and from my point of view opens up too many possible security holes on an Exchange box.
Regards,
JP

From MWeiner at AG.COM Fri Feb 20 18:08:56 2004
From: MWeiner at AG.COM (MW Mike Weiner (5028))
Date: Thu Jan 12 21:22:37 2006
Subject: Building an MS-SA box
Message-ID: <4FD2C985D5E2A642AE25823DFD61C2B01A8146@orca.agcom.amgreetings.com>

Getting a slew of these tho, any idea if these are critical warnings or fatal ones?

Feb 20 13:50:38 spambox sendmail[26676]: i1KInvZV026676: from=, size=7721, class=0, nrcpts=6, msgid=<2347997469571336.00782061484280958165737@commute>, proto=SMTP, daemon=MTA, relay=modemcable106.28-203-24.mc.videotron.ca [24.203.28.106]
Feb 20 13:50:39 spambox spamd[27028]: info: setuid to spamd succeeded
Feb 20 13:50:39 spambox spamd[1965]: hit max-children limit (5): waiting for some to exit
Feb 20 13:50:36 spambox sendmail[26901]: i1KIoNZV026901: Milter (spamassassin): to error state
Feb 20 13:50:39 spambox MailScanner[2156]: Spam Actions: message i1KIgAZV022325 actions are store,delete
Feb 20 13:50:36 spambox sendmail[24459]: i1KIjsZV024459: to=, delay=00:04:21, mailer=relay, pri=210559, stat=queued
Feb 20 13:50:39 spambox MailScanner[1931]: Config Error: Cannot match against destination IP address when resolving configuration option "spamactions"
Feb 20 13:50:36 spambox sendmail[24597]: i1KIk6ZV024597: Milter (spamassassin): to error state
Feb 20 13:50:39 spambox MailScanner[2235]: Spam Actions: message i1KIiSZV023558 actions are store,delete
Feb 20 13:50:40 spambox MailScanner[1964]: Config Error: Cannot match against destination IP address when resolving configuration option "highscorespamactions"
Feb 20 13:50:36 spambox sendmail[26911]: i1KIoOZV026911: Milter (spamassassin): init failed to open

The Config error messages coming back from MS.

Thanks in advance
Michael Weiner
Senior Systems Administrator, WebOps
AmericanGreetings.com

From prandal at HEREFORDSHIRE.GOV.UK Fri Feb 20 18:09:39 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:37 2006
Subject: Feature concept... "noisy viruses"?
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C558@jessica.herefordshire.gov.uk> Yes, you're right. Silly me, it has been a busy week. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 20 February 2004 18:06 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Feature concept... "noisy viruses"? > > > I think people would use virus types as opposed to virus > names. So things > like "WM97" would be put in the list, rather than names of > specific viruses. > > At 17:48 20/02/2004, you wrote: > >If somebody came up with a list of "noisy" viruses and their > names according > >to ClamAV, McAfee, Sophos, etc, I could imagine quite a few > of us using it. > > > >Phil > > > >--------------------------------------------- > >Phil Randal > >Network Engineer > >Herefordshire Council > >Hereford, UK > > > > > -----Original Message----- > > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Julian Field > > > Sent: 20 February 2004 17:47 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Feature concept... "noisy viruses"? > > > > > > > > > At 17:26 20/02/2004, you wrote: > > > >Matt Kettler wrote: > > > >>However, there are those that continue to use Virus > > > notifies and manually > > > >>maintain their silent virus list.. This would offer those > > > administrators a > > > >>"reduced headache" alternative while still reaching > their goals of > > > >>notifying senders where it's practical. 
> > > >> > > > >>I'm mostly proposing it from a concept of "If people are > > > going to use it, > > > >>at least offer them an option which defaults to the > > > most-safe behavior if > > > >>they fall behind in maintenance" > > > >> > > > >>I myself might even consider using the feature on occasion, > > > despite my > > > >>opposition to general virus notifications. However, I won't > > > push strongly > > > >>for you to implement it or not. > > > > > > > >I'd be in favour of this as an alternative to removing > the feature > > > >altogether, especially if (as now) it matched on substrings. > > > You could > > > >"whitelist" WM97 for example and then someone would get > a wake up if > > > >they didn't know they had a macro virus, "Joke" or > "Troj" would also > > > >show that those types weren't welcome. Specific things like > > > Gibe-F can > > > >be added if they're high volume and known not to spoof. > > > > > > So the only extra configuration option would be "Noisy Viruses =". > > > > > > If a message report matched the "noisy" substring list, then > > > the message > > > would be delivered and a warning sent to the sender (assuming > > > other options > > > allow it). > > > > > > If a message report matched both the "noisy" and "silent" > > > substring lists, > > > then the "noisy" status would win. Then you could put > > > "All-Viruses" in the > > > silent list and "WM97" in the noisy list, and the WM97 status > > > would cause > > > the warnings to be sent, despite the silent list. > > > > > > Does this sound right to you? > > > It looks quite possible to implement. > > > > > > Do lots of people want this feature? Or is it only going to > > > be used by a > > > couple of you? 
> > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From m.sapsed at BANGOR.AC.UK Fri Feb 20 18:25:06 2004 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:22:37 2006 Subject: Feature concept... "noisy viruses"? References: <6.0.0.22.0.20040218111223.02618d98@opal.evi-inc.com> <6.0.1.1.2.20040218183708.03dbb0a0@imap.ecs.soton.ac.uk> <6.0.0.22.0.20040218135448.023fdc00@xanadu.evi-inc.com> <40364346.7000807@bangor.ac.uk> <6.0.1.1.2.20040220174304.03803c20@imap.ecs.soton.ac.uk> Message-ID: <40365102.5050600@bangor.ac.uk> Julian Field wrote: > So the only extra configuration option would be "Noisy Viruses =". If you're actually thinking of implementing this, I'm not sure that "Noisy" is the best description!!! I guess we're talking about "Non-spoofing Viruses" aren't we? "Honest Viruses" perhaps? ;-) > If a message report matched the "noisy" substring list, then the message > would be delivered and a warning sent to the sender (assuming other options > allow it). Sounds about right. > If a message report matched both the "noisy" and "silent" substring lists, > then the "noisy" status would win. Then you could put "All-Viruses" in the > silent list and "WM97" in the noisy list, and the WM97 status would cause > the warnings to be sent, despite the silent list. That suggests you'd have to configure both, although since the default is pretty well no notifications I guess that's not a big deal? > Does this sound right to you? > It looks quite possible to implement. 
Are you sure there isn't a way of doing this with one of your amazing rulesets?? ;-) > Do lots of people want this feature? Or is it only going to be used by a > couple of you? I'd probably go for it if it were available. Since it would appear to be a safer default way of working, how about scrapping Silent Viruses altogether and just having "Notifiable|Honest|Non-spoofing Viruses" which by default is empty? (or does that bring up the problems for people upgrading??) Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From kodak at FRONTIERHOMEMORTGAGE.COM Fri Feb 20 18:28:22 2004 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:37 2006 Subject: Feature concept... "noisy viruses"? In-Reply-To: <6.0.1.1.2.20040220174304.03803c20@imap.ecs.soton.ac.uk> Message-ID: <00a501c3f7df$522db240$0501a8c0@darkside> > >Do lots of people want this feature? Or is it only going to be >used by a >couple of you? I'd use it, for sure. --J(K) From jrudd at UCSC.EDU Fri Feb 20 18:25:59 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:37 2006 Subject: Hello? (was Re: Adding Envelope Headers?) References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> <402D4E48.1A8709B1@ucsc.edu> <40329E21.7D82BCA5@ucsc.edu> <4033DC27.34BB2DA7@ucsc.edu> <6.0.1.1.2.20040219091017.03d08320@imap.ecs.soton.ac.uk> <403542D9.B30C436F@ucsc.edu> <6.0.1.1.2.20040220082658.03f3c698@imap.ecs.soton.ac.uk> <5B0E73F8-638C-11D8-8D33-003065F939FE@ucsc.edu> <6.0.1.1.2.20040220135222.040a76f0@imap.ecs.soton.ac.uk> Message-ID: <40365136.48C3A8EA@ucsc.edu> Julian Field wrote: > > At 10:05 20/02/2004, you wrote: > >(I get the feeling you didn't read the original message I wrote in this > >thread) > > Quite right. You don't have to deal with the volume of mail I do. > > And there's then the minor of doing my day job as well. 
If you want to see
> all the stuff I am responsible for at work, look here:
> http://www.ecs.soton.ac.uk/~jkf/myjob.html
> I have to squeeze MailScanner into the odd minutes here and there when I
> don't have more pressing things to do.
> We are a department of 1800 people and 1000 computers, in which everything
> computer-related (and all purchasing) is run by a team of 9 of us. We all
> have very busy lives.

Actually, looking over that URL, I think I do have a similar amount of email. I'm the primary email administrator for a university with 25000-ish active accounts in my email domain ... and I'm part of the central campus IT group, where I have all of the regular duties in addition to email (but I'm the only one primarily tasked with email, and we're all over-tasked, so most of the others in my small group don't have enough in depth knowledge of our email set-up to do more than the most basic issues with our email service anyway). Thankfully, the helpdesk IS a different group than mine.

I have a similar issue with not always seeing messages, but when I get into a thread I try to make sure I read all of the rest of the messages in that thread (for mailing lists, I tend to delete everything as I read it, and only leave in the messages for a thread I'm participating in, so that I can easily find new messages in that same thread). I confess, there have been times where I have wiped out my entire "MailScanner" or "SpamAssassin" folder without reading the pending messages (or the folder for OpenAFS ... and especially the one for qpopper back when I was on that list). Since I put out my CommuniGatePro<->MailScanner scripts, I try to at least skim the subjects for this list before I do that, though.

And message sorting rules (before CommuniGate Pro, it was procmail, but CGP has a conceptually similar server-side rules mechanism, and I use that now) are a god-send. All of my postmaster mail goes to 1 folder. Mailer-Daemon messages go to another.
When I was doing virus notifications to postmaster, that went to another folder. Anyways, I understand that you don't read every message, I was just expecting that you would read direct replies to messages you wrote, or that you might review a thread that you're about to reply to. I'm not saying you're wrong for not doing so, as I understand the high mail traffic that you're probably dealing with ... I'm just saying that's what I was expecting without having had more information. From jrudd at UCSC.EDU Fri Feb 20 18:40:49 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:37 2006 Subject: Feature concept... "noisy viruses"? References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C557@jessica.herefordshire.gov.uk> Message-ID: <403654B1.1CAB0BA1@ucsc.edu> I agree. If the list of noisy viruses is out there, and easy to get, and covers the sophos names of the viruses, I'll use the feature. John "Randal, Phil" wrote: > > If somebody came up with a list of "noisy" viruses and their names according > to ClamAV, McAfee, Sophos, etc, I could imagine quite a few of us using it. > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: 20 February 2004 17:47 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Feature concept... "noisy viruses"? > > > > > > At 17:26 20/02/2004, you wrote: > > >Matt Kettler wrote: > > >>However, there are those that continue to use Virus > > notifies and manually > > >>maintain their silent virus list.. This would offer those > > administrators a > > >>"reduced headache" alternative while still reaching their goals of > > >>notifying senders where it's practical. 
> > >> > > >>I'm mostly proposing it from a concept of "If people are > > going to use it, > > >>at least offer them an option which defaults to the > > most-safe behavior if > > >>they fall behind in maintenance" > > >> > > >>I myself might even consider using the feature on occasion, > > despite my > > >>opposition to general virus notifications. However, I won't > > push strongly > > >>for you to implement it or not. > > > > > >I'd be in favour of this as an alternative to removing the feature > > >altogether, especially if (as now) it matched on substrings. > > You could > > >"whitelist" WM97 for example and then someone would get a wake up if > > >they didn't know they had a macro virus, "Joke" or "Troj" would also > > >show that those types weren't welcome. Specific things like > > Gibe-F can > > >be added if they're high volume and known not to spoof. > > > > So the only extra configuration option would be "Noisy Viruses =". > > > > If a message report matched the "noisy" substring list, then > > the message > > would be delivered and a warning sent to the sender (assuming > > other options > > allow it). > > > > If a message report matched both the "noisy" and "silent" > > substring lists, > > then the "noisy" status would win. Then you could put > > "All-Viruses" in the > > silent list and "WM97" in the noisy list, and the WM97 status > > would cause > > the warnings to be sent, despite the silent list. > > > > Does this sound right to you? > > It looks quite possible to implement. > > > > Do lots of people want this feature? Or is it only going to > > be used by a > > couple of you? > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From dh at UPTIME.AT Fri Feb 20 18:52:32 2004 From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:22:37 2006 Subject: Feature concept... 
"noisy viruses"? In-Reply-To: <403654B1.1CAB0BA1@ucsc.edu> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C557@jessica.herefordshire.gov.uk> <403654B1.1CAB0BA1@ucsc.edu> Message-ID: <40365770.5040602@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 John Rudd wrote: > I agree. If the list of noisy viruses is out there, and easy to get, > and covers the sophos names of the viruses, I'll use the feature. > > Well, what is needed to implement this on a "makes sense" basis? I am sure I could be convinced to front the ressources :) - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFANld0PMoaMn4kKR4RA9jGAKCPG/TscVu7uHrBlB/dpaLsSxpurQCaAkpZ wdoU9BpTBTC/t1f0luxe4vA= =rzRR -----END PGP SIGNATURE----- From mailscanner at ecs.soton.ac.uk Fri Feb 20 18:58:59 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:37 2006 Subject: Building an MS-SA box In-Reply-To: <4FD2C985D5E2A642AE25823DFD61C2B01A8146@orca.agcom.amgreeti ngs.com> References: <4FD2C985D5E2A642AE25823DFD61C2B01A8146@orca.agcom.amgreetings.com> Message-ID: <6.0.1.1.2.20040220185755.0381aca8@imap.ecs.soton.ac.uk> You can't match against a destination IP address as that is only known once the delivery has been done, which is really a bit late :-) Change your IP address matches to just "From:". You can't match "To:" or "FromOrTo:" with IP addresses. At 18:08 20/02/2004, you wrote: >Getting a slew of these tho, any idea if these are critical warnings or >fatal ones? 
>
>Feb 20 13:50:38 spambox sendmail[26676]: i1KInvZV026676:
>from=, size=7721, class=0, nrcpts=6,
>msgid=<2347997469571336.00782061484280958165737@commute>, proto=SMTP,
>daemon=MTA, relay=modemcable106.28-203-24.mc.videotron.ca [24.203.28.106]
> Feb 20 13:50:39 spambox spamd[27028]: info: setuid to spamd succeeded
> Feb 20 13:50:39 spambox spamd[1965]: hit max-children limit (5): waiting
>for some to exit
> Feb 20 13:50:36 spambox sendmail[26901]: i1KIoNZV026901: Milter
>(spamassassin): to error state
> Feb 20 13:50:39 spambox MailScanner[2156]: Spam Actions: message
>i1KIgAZV022325 actions are store,delete
> Feb 20 13:50:36 spambox sendmail[24459]: i1KIjsZV024459:
>to=, delay=00:04:21, mailer=relay, pri=210559,
>stat=queued
> Feb 20 13:50:39 spambox MailScanner[1931]: Config Error: Cannot match
>against destination IP address when resolving configuration option
>"spamactions"
> Feb 20 13:50:36 spambox sendmail[24597]: i1KIk6ZV024597: Milter
>(spamassassin): to error state
> Feb 20 13:50:39 spambox MailScanner[2235]: Spam Actions: message
>i1KIiSZV023558 actions are store,delete
> Feb 20 13:50:40 spambox MailScanner[1964]: Config Error: Cannot match
>against destination IP address when resolving configuration option
>"highscorespamactions"
> Feb 20 13:50:36 spambox sendmail[26911]: i1KIoOZV026911: Milter
>(spamassassin): init failed to open
>
>The Config error messages coming back from MS.
>
>Thanks in advance
>Michael Weiner
>Senior Systems Administrator, WebOps
>AmericanGreetings.com

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From maillists at CONACTIVE.COM Fri Feb 20 19:31:41 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:37 2006
Subject: Building an MS-SA box
In-Reply-To: <4FD2C985D5E2A642AE25823DFD61C2B01A8146@orca.agcom.amgreetings.com>
References: <4FD2C985D5E2A642AE25823DFD61C2B01A8146@orca.agcom.amgreetings.com>
Message-ID:

MW Mike Weiner (5028) wrote on Fri, 20 Feb 2004 13:08:56 -0500:

> Feb 20 13:50:39 spambox spamd[1965]: hit max-children limit (5): waiting
> for some to exit

spamd is configured to have only 5 children at a time and you get too much mail for this

> Feb 20 13:50:36 spambox sendmail[26901]: i1KIoNZV026901: Milter
> (spamassassin): to error state
>

the milter skips spamd because it didn't respond in a timely fashion because of above

> Feb 20 13:50:39 spambox MailScanner[1931]: Config Error: Cannot match
> against destination IP address when resolving configuration option
> "spamactions"
>

don't know

> Feb 20 13:50:36 spambox sendmail[26911]: i1KIoOZV026911: Milter
> (spamassassin): init failed to open
>

I think this indicates the milter is now completely dead, sendmail is bypassing the milter (if correctly configured).

I think you are doing it the wrong way. You either need to use:
- milter + spamd
- MailScanner + SA
NOT BOTH !
Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Fri Feb 20 19:31:41 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:37 2006
Subject: Spam whitelist rules
In-Reply-To: <40363E74.6C6D5B7F@ihs.com>
References: <40361F4E.6576F319@ihs.com> <40363E74.6C6D5B7F@ihs.com>
Message-ID:

Dustin Baer wrote on Fri, 20 Feb 2004 10:05:56 -0700:

> Do you still have "Spam Checks = no" (or a ruleset for the particular
> address you are testing)?

No, currently set:
Spam Checks = yes
Spam Actions = store notify
High Scoring Spam Actions = store
Non Spam Actions = %rules-dir%/nonspam.actions.rules -> deliver or deliver store
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules -> with some dozen lines for domains and IPs with an action of yes
Is Definitely Spam = no

> You have a default action of store for spam.whitelist.rules? Now, I am
> confused. :-)

sorry :-) action for spam.

>
> > > On our server when people request quarantined spam, I change the $_
> > > header to a "Is Definitely Not Spam" IP, but I allow Spam Checks.
> >
> > I don't understand, sorry. $_ is the "validated sender address" in
> > sendmail, how, where do you change what?
>
> I have a script that does it. When people request email, the script
> changes $_ to an IP that is whitelisted, therefore goes through, no
> matter what SpamAssassin says. The reason I want it this way, is that
> it will go back through MailScanner (mqueue.in), pass through spam
> checking, but get tested for viruses.

Do you mean "connect for relaying" with "request email"? Do you tail the sendmail log or how do you do this? That is fast enough for adding the IP before MailScanner hits the file?

> 1.
> Spam Checks = yes
> spam.whitelist.rules - From: spammer@spam.com yes
>
> Result - email will include SpamAssassin score, no matter what score
> SpamAssassin gave it.
Yes, this is "classic" whitelisting. I have no scores on these. They are scanned and Mailwatch shows them as whitelisted (W/L) with a spam score of 0.0.

>
> 2.
> Spam Checks = no
> spam.whitelist.rules - From: spammer@spam.com yes
>
> Result - email will NOT include SpamAssassin score, because there are no
> Spam Checks
>
> Does that make more sense?
>

Absolutely, just that it doesn't work for me like that. I mean No. 1, haven't tried No. 2 and am confident that you are right.

Ok, I think I have found the problem. Looking in the quarantine I see that I don't get any scores or spam headers in the messages, not even {Spam} in the Subject. Is this a side effect of storing? I know I used to get the Subject changed last week or so, but I don't remember if that was before changing from deliver to store. I do get all the spam scores and rule hits in Mailwatch, so I didn't realize that there isn't anything about spam in the headers.

I didn't knowingly change anything in MailScanner.conf or SA which could have stopped the spam reports. F.i Detailed Spam Report = yes and Include Scores In SpamAssassin Report = yes.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From gregg at GBCOMPUTERS.COM Fri Feb 20 19:34:27 2004
From: gregg at GBCOMPUTERS.COM (Gregg Berkholtz)
Date: Thu Jan 12 21:22:37 2006
Subject: Emailing quarantined emails
Message-ID: <20040220193427.GA30431@gbcomputers.com>

Digging through the listserve archives, online documentation, and source, I don't see an answer to this question;

While it's possible to archive all emails to an email address instead of a folder, is it also possible to quarantine emails to an address? If not, is/was this a desired/considered feature?

Gregg Berkholtz

From craig at WESTPRESS.COM Fri Feb 20 20:02:30 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:37 2006
Subject: What are they thinking?!?
In-Reply-To: References: <40361F4E.6576F319@ihs.com> <40363E74.6C6D5B7F@ihs.com> Message-ID: Honestly, what makes these people believe that we want to read their damn spam! Especially if the text is all obfuscated? What do they get out of it? Surely no one actually buy's into this crap which is so hard to read?? I get email messages now that are nothing more than lists of words! The subject may say something about a 'cable filter', but when I open it, it's like looking at a list of baby names or something.... I see spam as nothing more than a way for someone with nothing but time on their hands, and no wanting for money to do away with email altogether. Why do people put so much time into finding ways to get unreadable mail into our inboxes? -- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From dustin.baer at IHS.COM Fri Feb 20 20:11:31 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:37 2006 Subject: Spam whitelist rules References: <40361F4E.6576F319@ihs.com> <40363E74.6C6D5B7F@ihs.com> Message-ID: <403669F3.49CF7DE7@ihs.com> Kai Schaetzl wrote: > > Dustin Baer wrote on Fri, 20 Feb 2004 10:05:56 -0700: > > > Do you still have "Spam Checks = no" (or a ruleset for the particular > > address you are testing)? > > No, currently set: > Spam Checks = yes > Spam Actions = store notify > High Scoring Spam Actions = store If you store the spam, then you won't see any MailScanner headers. The stored version is untouched by MailScanner. > > > > On our server when people request quarantined spam, I change the $_ > > > > header to a "Is Definitely Not Spam" IP, but I allow Spam Checks. > > > > > > I don't understand, sorry. $_ is the "validated sender address" in > > > sendmail, how, where do you change what? > > > > I have a script that does it. 
When people request email, the script
> > changes $_ to an IP that is whitelisted, therefore goes through, no
> > matter what SpamAssassin says. The reason I want it this way, is that
> > it will go back through MailScanner (mqueue.in), pass through spam
> > checking, but get tested for viruses.
>
> Do you mean "connect for relaying" with "request email"? Do you tail the
> sendmail log or how do you do this? That is fast enough for adding the IP
> before MailScanner hits the file?

I quarantine spam as queue files (qf/df), so when someone requests the quarantined email, my script changes whatever the value for $_ in the qf file is to $_[a.b.c.d]. a.b is already whitelisted by spam.whitelist.rules, and a.b.c.d is set to "yes" in SpamChecks.rules (I didn't make that completely clear).

Example:

a.b is our Class B address

spam.whitelist.rules - From: a.b yes
SpamChecks.rules - From: a.b.c.d yes

quarantined qfi1K9887j016523 - $_APoitiers-104-1-2-182.w81-48.abo.wanadoo.fr [81.48.41.182]

When someone requests the i1K9887j016523 email, $_ is changed to $_[a.b.c.d]

Therefore, it is whitelisted (From: a.b yes) and also checked by SpamAssassin (From: a.b.c.d yes). So, no matter what score SpamAssassin gives the email, it is delivered because it is whitelisted.

> > 1.
> > Spam Checks = yes
> > spam.whitelist.rules - From: spammer@spam.com yes
> >
> > Result - email will include SpamAssassin score, no matter what score
> > SpamAssassin gave it.
>
> Yes, this is "classic" whitelisting. I have no scores on these. They are
> scanned and Mailwatch shows them as whitelisted (W/L) with a spam score of
> 0.0.

Does any of your delivered email have a score other than 0.0? Do you have "Use SpamAssassin = yes" in MailScanner.conf?

> Ok, I think I have found the problem. Looking in the quarantine I see that I
> don't get any scores or spam headers in the messages, not even {Spam} in the
> Subject. Is this a side effect of storing?

Yes. They are untouched.
> I know I used to get the Subject > changed last week or so, but I don't remember if that was before changing from > deliver to store. Most likely when you were delivering them. > I do get all the spam scores and rule hits in Mailwatch, so > I didn't realize that there isn't anything about spam in the headers. I haven't used Mailwatch, so can't comment. > I didn't knowingly change anything in MailScanner.conf or SA which could have > stopped the spam reports. F.i Detailed Spam Report = yes and Include Scores In > SpamAssassin Report = yes. Are there any X-MailScanner headers in your delivered email? Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From acschmitt at BPA.GOV Fri Feb 20 20:19:52 2004 From: acschmitt at BPA.GOV (Schmitt, Andy C - CIDD-2) Date: Thu Jan 12 21:22:37 2006 Subject: What are they thinking?!? Message-ID: <242663BECAD80B4DAAF2E62788F96917044F343E@exhq01.bud.bpa.gov> You'd be surprised. The same kind of people who write emails like: "HI I JSUT GOT MY CHEEP AOL ACOUCNT SO N0W I CNA SRUF TEH ITNENRET 4 PRON AND SNED E-GRETEING CRADS TO POEPLE ALL DAY" are likely to have no trouble deciphering, and wanting to buy merchandise advertised by, a message that says something like: "u wnana v1aagaarA or > References: <40361F4E.6576F319@ihs.com> <40363E74.6C6D5B7F@ihs.com> Message-ID: Case in point... What the hell is the message trying to scam me out of? 
[-- Offending message below --]

Return-Path:
Received: from breaker.dakotacom.net (breaker.dakotacom.net [66.192.152.146])
        by elrond.westpress.com (8.12.8/8.12.8) with ESMTP id i1KK9Vkl007447
        for ; Fri, 20 Feb 2004 13:09:32 -0700
Received: from h24-109-28-55.ed.shawcable.net (h24-109-28-55.ed.shawcable.net [24.109.28.55])
        by breaker.dakotacom.net (8.12.2/x.y.z) with SMTP id i1KK9U8v015814
        for ; Fri, 20 Feb 2004 13:09:30 -0700 (MST)
X-Sent-Via: DakotaCom.NET
Received: from [24.109.28.55] by 139.144.77.24 with HTTP;
        Fri, 20 Feb 2004 12:01:13 +0400
From: "Dolores"
To: craig@westpress.com
Subject: Re: YYJLI, be so good
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: [21.242.47.41]
Date: Fri, 20 Feb 2004 12:02:13 +0400
Reply-To: "Oconnell Dolores"
Content-Type: multipart/alternative;
        boundary="--ALT--PXLU08169359055210"
Message-Id:
X-WestPress-MailScanner: Found to be clean
X-WestPress-MailScanner-SpamScore: sss
X-Spam-DCC: SINECTIS: elrond 1114; Body=2 Fuz1=2 Fuz2=2
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on elrond.westpress.com
X-Spam-Level: ****
X-Spam-Status: No, hits=4.2 required=7.5 tests=HTML_20_30,HTML_IMAGE_ONLY_06,
        HTML_MESSAGE,J_BACKHAIR_22,J_BACKHAIR_23 autolearn=no version=2.63
Status:

Free Cable%RND_SYB TV

repel alone expiration exhortation mastermind throwaway forgery continent attache cowman rubicund conservative incompletion prophylactic nouakchott cryogenic
alundum sinusoidal agglomerate conceive freakish staircase anaheim billow wilkes derive marsupial conscientious chilean groin happy embargoes sank atlantic assyria celestial sister eyed boot within icicle bonnet memphis grosset associate
[-- End of offending message --]

>Honestly, what makes these people believe that we want to read their
>damn spam! Especially if the text is all obfuscated? What do they get
>out of it? Surely no one actually buy's into this crap which is so
>hard to read?? I get email messages now that are nothing more than
>lists of words! The subject may say something about a 'cable filter',
>but when I open it, it's like looking at a list of baby names or
>something....
>
>I see spam as nothing more than a way for someone with nothing but
>time on their hands, and no wanting for money to do away with email
>altogether. Why do people put so much time into finding ways to get
>unreadable mail into our inboxes?

--
--
Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433
Tel: 520-624-4939
Fax: 520-624-2715
www.westpress.com
--

From jacques at MONACO.NET Fri Feb 20 20:30:34 2004
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:22:37 2006
Subject: Stop scanning of outgoing mails?
In-Reply-To:
References: <200402201232.07811.jacques@monaco.net>
Message-ID: <200402202130.34564.jacques@monaco.net>

On Friday 20 February 2004 15:31, Kai Schaetzl wrote:
> which might be the case real soon. Wouldn't that also stop any
> traffic *not* ending on the machine, f.i. mail which is forwarded?

Well, AFAICT, it works by domain. Thus, if a domain is listed in $mydestination (thus with a 'local' transport), the mail will be deferred, regardless of the subsequent forwarding (in /etc/aliases or in a ~/.forward). At least, it worked this way when I made some tests...

Cheers,

--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From mkettler at EVI-INC.COM Fri Feb 20 21:10:51 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:37 2006
Subject: What are they thinking?!?
In-Reply-To:
References: <40361F4E.6576F319@ihs.com> <40363E74.6C6D5B7F@ihs.com>
Message-ID: <6.0.0.22.0.20040220160602.025b3918@xanadu.evi-inc.com>

At 03:02 PM 2/20/2004, Craig Daters wrote:
>Especially if the text is all obfuscated? What do they get
>out of it? Surely no one actually buy's into this crap which is so
>hard to read??

1) never underestimate the capacity for a very large population of people to contain at least one person that will do something which absolutely defies logic.

2) Spam costs nothing to send.

3) The more you send, the larger the statistical population, and thus the larger the probability of finding someone who will absolutely defy logic.

>Why do people put so much time into finding ways to get
>unreadable mail into our inboxes?

Because they can make money this way.. and, despite what you might think, they are actually quite profitable.

The word salads, etc are just a part of their efforts at filter avoidance.. some are experimental... after all, come up with an idea, send a bunch of mail, see how much of it really gets opened by using an embedded image link and count your hits...

That said.. the harder it becomes to get spam through, the more effort spammers have to exert to make a dollar.. Theoretically if we can drive the earnings per hour of spamming down below minimum wage, most spammers should give up..

From kodak at FRONTIERHOMEMORTGAGE.COM Fri Feb 20 21:10:12 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:37 2006
Subject: What are they thinking?!?
In-Reply-To:
Message-ID: <00b901c3f7f5$edb8df30$0501a8c0@darkside>

>Honestly, what makes these people believe that we want to read their
>damn spam! Especially if the text is all obfuscated?
What do they get >out of it? Surely no one actually buy's into this crap which is so >hard to read?? I get email messages now that are nothing more than >lists of words! The subject may say something about a 'cable filter', >but when I open it, it's like looking at a list of baby names or >something.... When it's incomprehensible, it's an attempt at bayesian poisoning. When it's mildly comprehensible, it's an idiot trying to make a quick buck. --J(K) From mkettler at EVI-INC.COM Fri Feb 20 21:15:35 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:37 2006 Subject: What are they thinking?!? In-Reply-To: References: <40361F4E.6576F319@ihs.com> <40363E74.6C6D5B7F@ihs.com> Message-ID: <6.0.0.22.0.20040220161158.02618fa0@xanadu.evi-inc.com> At 03:25 PM 2/20/2004, Craig Daters wrote: >Case in point... What the hell is the message trying to scam me out of? >Content-Type: multipart/alternative; > boundary="--ALT--PXLU08169359055210" >[-- End of offending message --] That's not the entire raw message.. looks like you got the part you weren't supposed to see.. The message was probably coded to be viewable in OE, but you use some kind of webmail which decided to pick the 'wrong' mime section to display... Take a close look at the message in raw mbox form if you've got it.. I bet it's a 2 part message, one text chunk with the words, one html chunk with a spamvertizment. The whole thing is probably horrifically malformed to try to break spam scanner's, but OE seems to read a lot of very broken mime codes just fine (and fails to read some perfectly valid ones) From jrudd at UCSC.EDU Fri Feb 20 21:08:24 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:37 2006 Subject: What are they thinking?!? References: <40361F4E.6576F319@ihs.com> <40363E74.6C6D5B7F@ihs.com> Message-ID: <40367748.3317AB46@ucsc.edu> Craig Daters wrote: > > Case in point... What the hell is the message trying to scam me out of? 
> > X-WestPress-MailScanner-SpamScore: sss > X-Spam-Status: No, hits=4.2 required=7.5 > repel alone expiration exhortation mastermind throwaway forgery > continent attache cowman rubicund conservative incompletion > prophylactic nouakchott cryogenic
> alundum sinusoidal agglomerate conceive freakish staircase anaheim > billow wilkes derive marsupial conscientious chilean groin happy > embargoes sank atlantic assyria celestial sister eyed boot within > icicle bonnet memphis grosset associate
> You're looking at it wrong. It's not trying to scam YOU out of anything. It's trying to scam your bayesian learner (if you have one, which you probably do since you're using a recent version spam assassin (me too)). See, the message is scored as non-spam, so if this message ends up being auto-learned, it will throw off the weights of your bayes ranks for these words ... so if they insert these words into actual spam messages, then it will lower the score of the spam message. That's the logic, anyway. It's a bayes poisoning attack, or attempt. I don't know how well they work ... it certainly doesn't seem to have had a negative impact on my bayes db. From mailscanner at ecs.soton.ac.uk Fri Feb 20 21:32:12 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:37 2006 Subject: Hello? (was Re: Adding Envelope Headers?) In-Reply-To: <40365136.48C3A8EA@ucsc.edu> References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> <402D4E48.1A8709B1@ucsc.edu> <40329E21.7D82BCA5@ucsc.edu> <4033DC27.34BB2DA7@ucsc.edu> <6.0.1.1.2.20040219091017.03d08320@imap.ecs.soton.ac.uk> <403542D9.B30C436F@ucsc.edu> <6.0.1.1.2.20040220082658.03f3c698@imap.ecs.soton.ac.uk> <5B0E73F8-638C-11D8-8D33-003065F939FE@ucsc.edu> <6.0.1.1.2.20040220135222.040a76f0@imap.ecs.soton.ac.uk> <40365136.48C3A8EA@ucsc.edu> Message-ID: <6.0.1.1.2.20040220212930.039602c8@imap.ecs.soton.ac.uk> At 18:25 20/02/2004, you wrote: >Julian Field wrote: > > > > At 10:05 20/02/2004, you wrote: > > >(I get the feeling you didn't read the original message I wrote in this > > >thread) > > > > Quite right. You don't have to deal with the volume of mail I do. > > > > And there's then the minor of doing my day job as well. 
If you want to see > > all the stuff I am responsible for at work, look here: > > http://www.ecs.soton.ac.uk/~jkf/myjob.html > > I have to squeeze MailScanner into the odd minutes here and there when I > > don't have more pressing things to do. > > We are a department of 1800 people and 1000 computers, in which everything > > computer-related (and all purchasing) is run by a team of 9 of us. We all > > have very busy lives. > >Actually, looking over that URL, I think I do have a similar amount of >email. I'm the primary email administrator for a university with >25000-ish active accounts in my email domain ... and I'm part of the >central campus IT group, where I have all of the regular duties in >addition to email (but I'm the only one primarily tasked with email, and >we're all over-tasked, so most of hte others in my small group don't >have enough in depth knowledge of our email set-up to do more than the >most basic issues with our email service anyway). Thankfully, the >helpdesk IS a different group than mine. > >I have a similar issue with not always seeing messages, but when I get >into a thread I try to make sure I read all of the rest of the messages >in that thread (for mailing lists, I tend to delete everything as I read >it, and only leave in the messages for a thread I'm participating in, so >that I can easily find new messages in that same thread). I confess, >there have been times where I have wiped out my entire "MailScanner" or >"SpamAssassin" folder without reading the pending messages (or the >folder for OpenAFS ... and especially the one for qpopper back when I >was on that list). Since I put out my CommuniGatePro<->MailScanner >scripts, I try to at least skim the subjects for this list before I do >that, though. Yes, you're right, I'm a lazy arsed layabout who can't be bothered to read every single one of 1000 messages each day. Remind me to beat myself up over it. Oh yes, and what do I get for doing all this? 
Oh yes, I remember, absolutely nothing. Must try to forget that so I have more time to read every one of your mails. Get off my case. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mkettler at EVI-INC.COM Fri Feb 20 21:40:22 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:37 2006 Subject: FEATURE REQUEST In-Reply-To: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> References: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> Message-ID: <6.0.0.22.0.20040220163942.024315b0@xanadu.evi-inc.com> At 04:32 PM 2/20/2004, Admin Team wrote: >I am not sure if this has been asked before, but is there a way to refresh >the whitelists/blacklists without doing a restart? For example, when I add >a new email address to be whitelisted, I have to restart the MailScanner. >Can we implement a separate script or action to reload/refresh the >whitelist/blacklist entries? you mean like the "reload" parameter to the mailscanner init script? (refreshes all the mailscanners without stopping and starting your MTAs like restart does) From denis at CROOMBS.ORG Fri Feb 20 21:37:08 2004 From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:37 2006 Subject: FEATURE REQUEST References: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> Message-ID: <00e901c3f7f9$b209a600$85b8fea9@Laptop> Just do a "service MailScanner reload" it works for me BFN Denis Croombs www.just-servers.co.uk www.just-hosting.net ----- Original Message ----- From: "Admin Team" To: Sent: Friday, February 20, 2004 9:32 PM Subject: FEATURE REQUEST > Hi Julian, > > I am not sure if this has been asked before, but is there a way to refresh > the whitelists/blacklists without doing a restart? For example, when I add > a new email address to be whitelisted, I have to restart the MailScanner. 
> Can we implement a separate script or action to reload/refresh the > whitelist/blacklist entries? > > > Errol Neal > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Marvin the E-Mail scanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Marvin the E-Mail scanner From ka at PACIFIC.NET Fri Feb 20 21:38:15 2004 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:37 2006 Subject: FEATURE REQUEST In-Reply-To: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> References: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> Message-ID: <40367E47.6060201@pacific.net> reload instead of restart Ken Admin Team wrote: > Hi Julian, > > I am not sure if this has been asked before, but is there a way to refresh > the whitelists/blacklists without doing a restart? For example, when I add > a new email address to be whitelisted, I have to restart the MailScanner. > Can we implement a separate script or action to reload/refresh the > whitelist/blacklist entries? > > > Errol Neal > > From hunter at userfriendly.net Fri Feb 20 21:46:02 2004 From: hunter at userfriendly.net (Michael Weiner) Date: Thu Jan 12 21:22:37 2006 Subject: Building an MS-SA box In-Reply-To: <6.0.1.1.2.20040220185755.0381aca8@imap.ecs.soton.ac.uk> References: <4FD2C985D5E2A642AE25823DFD61C2B01A8146@orca.agcom.amgreetings.com> <6.0.1.1.2.20040220185755.0381aca8@imap.ecs.soton.ac.uk> Message-ID: <1077313401.2463.4.camel@nomad.userfriendly.net> On Fri, 2004-02-20 at 13:58, Julian Field wrote: > You can't match against a destination IP address as that is only known once > the delivery has been done, which is really a bit late :-) > Change your IP address matches to just "From:". You can't match "To:" or > "FromOrTo:" with IP addresses. 
I am using as an example the following:

FromOrTo: default store delete
FromOrTo: mweiner@bmarts.com store deliver
FromOrTo: someotheruser@bmarts.com store deliver

in my spam and notspam.deliver rules. Is this not going to work? I was syphoning off a slipstream of the emails to use for further Bayesian training but I am thinking of discontinuing that and letting spamassassin get smart on its own ;-). But I want that user to get the emails delivered and only users in the lists to get the email delivered. All others can go to trash as far as I am concerned.

--
Michael B. Weiner, Linux+, Linux+ SME
Systems Administrator/Partner
The UserFriendly Network (UFN)
--
Linux Registered User #94900
Have you been counted? http://counter.li.org
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040220/48cc496f/attachment.bin

From craig at WESTPRESS.COM Fri Feb 20 21:46:57 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:37 2006
Subject: What are they thinking?!?
In-Reply-To: <6.0.0.22.0.20040220161158.02618fa0@xanadu.evi-inc.com>
References: <40361F4E.6576F319@ihs.com> <40363E74.6C6D5B7F@ihs.com> <6.0.0.22.0.20040220161158.02618fa0@xanadu.evi-inc.com>
Message-ID:

Hmm,

Well I am using Eudora 6 on a Macintosh OS9.2 system for my email, and then I have HTML turned off, so what you see is what I got. Funny, I do all of my maint., etc. on the PC. Then I use the Mac for everything else. (graphic art, email.)

The Bayesian poisoning that I read in the last few posts seems entirely valid. What would I hone in on with this particular message to develop a SA rule out of it?

>That's not the entire raw message.. looks like you got the part you weren't
>supposed to see..
> >The message was probably coded to be viewable in OE, but you use some kind >of webmail which decided to pick the 'wrong' mime section to display... > >Take a close look at the message in raw mbox form if you've got it.. I bet >it's a 2 part message, one text chunk with the words, one html chunk with a >spamvertizment. > >The whole thing is probably horrifically malformed to try to break spam >scanner's, but OE seems to read a lot of very broken mime codes just fine >(and fails to read some perfectly valid ones) -- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From brent at MIRABITO.COM Fri Feb 20 21:50:10 2004 From: brent at MIRABITO.COM (Brent Strignano) Date: Thu Jan 12 21:22:37 2006 Subject: Stop scanning of outgoing mails? Message-ID: <62E46E0C3CB8024C807447814E1B20A501CD08@granitemail.mirabito.com> Kai, Is your MailScanner Server behind a firewall? If it is you could set it up to forward incoming external email to the second sendmail process on your gateway server (either by a new port or IP address). Then the outgoing would stay the same and your users wouldn't know the difference. Brent Strignano System Administrator Granite Capital Holdings Sidney, NY -----Original Message----- From: Kai Schaetzl [mailto:maillists@CONACTIVE.COM] Sent: Friday, February 20, 2004 9:32 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Stop scanning of outgoing mails? Derek Winkler wrote on Thu, 19 Feb 2004 13:55:33 -0500: > I'd look into setting up a second ip with another instance of sendmail > for authenticated SMTP only which uses /var/spool/mqueue directly, no > MailScanner. > Thanks. I had already thought about running another sendmail on a different port but running it on a different IP is better in terms of usability for the client. Still need to tell him a different outgoing mail domain, though. 
;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From Kevin_Miller at CI.JUNEAU.AK.US Fri Feb 20 21:56:01 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:37 2006
Subject: Hello? (was Re: Adding Envelope Headers?)
Message-ID: <08146035CA49D6119A36009027AC822A0264EE36@CITY-EXCH-NTS>

>-----Original Message-----
>Yes, you're right, I'm a lazy arsed layabout who can't be
>bothered to read
>every single one of 1000 messages each day. Remind me to beat myself up
>over it. Oh yes, and what do I get for doing all this? Oh yes,
>I remember,
>absolutely nothing. Must try to forget that so I have more time to read
>every one of your mails.
>
>Get off my case.

Yikes! You're busier than a one legged man in a butt kicking contest!

Fortunately I'm not that busy, but I still can't follow all the threads either. Small consolation no doubt, but misery loves company as they say.

Regardless, I just want to say that your efforts are *really really* appreciated by more than a few of us Julian. Probably feels like a thankless job a lot of times. We're all swimming upstream against the tide of spam, but you're almost single-handedly keeping us afloat and I'm sure I speak for many others when I say that we're quite thankful for that.

Here's hoping you have a very lazy weekend doing anything but moving electrons around. Remember, in the end, it's all just zeros and ones...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept.
Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From sysadmins at ENHTECH.COM Fri Feb 20 22:03:18 2004 From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:37 2006 Subject: FEATURE REQUEST In-Reply-To: <40367E47.6060201@pacific.net> References: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> <40367E47.6060201@pacific.net> Message-ID: <6.0.2.0.0.20040220170302.026ec7f8@mail.enhtech.com> At 04:38 PM 2/20/2004, you wrote: >reload instead of restart >Ken > Thanks everyone. Totally forgot about that :) Errol From jrudd at UCSC.EDU Fri Feb 20 21:55:26 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:37 2006 Subject: Hello? (was Re: Adding Envelope Headers?) References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> <402D4E48.1A8709B1@ucsc.edu> <40329E21.7D82BCA5@ucsc.edu> <4033DC27.34BB2DA7@ucsc.edu> <6.0.1.1.2.20040219091017.03d08320@imap.ecs.soton.ac.uk> <403542D9.B30C436F@ucsc.edu> <6.0.1.1.2.20040220082658.03f3c698@imap.ecs.soton.ac.uk> <5B0E73F8-638C-11D8-8D33-003065F939FE@ucsc.edu> <6.0.1.1.2.20040220135222.040a76f0@imap.ecs.soton.ac.uk> <40365136.48C3A8EA@ucsc.edu> <6.0.1.1.2.20040220212930.039602c8@imap.ecs.soton.ac.uk> Message-ID: <4036824E.F5A466C8@ucsc.edu> Julian Field wrote: > > At 18:25 20/02/2004, you wrote: > >Julian Field wrote: > > > > > > At 10:05 20/02/2004, you wrote: > > > >(I get the feeling you didn't read the original message I wrote in this > > > >thread) > > > > > > Quite right. You don't have to deal with the volume of mail I do. > > > > > > And there's then the minor of doing my day job as well. If you want to see > > > all the stuff I am responsible for at work, look here: > > > http://www.ecs.soton.ac.uk/~jkf/myjob.html > > > I have to squeeze MailScanner into the odd minutes here and there when I > > > don't have more pressing things to do. 
> > > We are a department of 1800 people and 1000 computers, in which everything > > > computer-related (and all purchasing) is run by a team of 9 of us. We all > > > have very busy lives. > > > >Actually, looking over that URL, I think I do have a similar amount of > >email. I'm the primary email administrator for a university with > >25000-ish active accounts in my email domain ... and I'm part of the > >central campus IT group, where I have all of the regular duties in > >addition to email (but I'm the only one primarily tasked with email, and > >we're all over-tasked, so most of hte others in my small group don't > >have enough in depth knowledge of our email set-up to do more than the > >most basic issues with our email service anyway). Thankfully, the > >helpdesk IS a different group than mine. > > > >I have a similar issue with not always seeing messages, but when I get > >into a thread I try to make sure I read all of the rest of the messages > >in that thread (for mailing lists, I tend to delete everything as I read > >it, and only leave in the messages for a thread I'm participating in, so > >that I can easily find new messages in that same thread). I confess, > >there have been times where I have wiped out my entire "MailScanner" or > >"SpamAssassin" folder without reading the pending messages (or the > >folder for OpenAFS ... and especially the one for qpopper back when I > >was on that list). Since I put out my CommuniGatePro<->MailScanner > >scripts, I try to at least skim the subjects for this list before I do > >that, though. > > Yes, you're right, I'm a lazy arsed layabout who can't be bothered to read > every single one of 1000 messages each day. Remind me to beat myself up > over it. Oh yes, and what do I get for doing all this? Oh yes, I remember, > absolutely nothing. Must try to forget that so I have more time to read > every one of your mails. > > Get off my case. 
To repeat what I sent in reply to the other (private) message you sent along the same lines, I wasn't trying to beat you up in that message. I wasn't saying what you should do, I was just explaining what my expectation had been (and why my expectation was that way), which clearly wasn't an accurate expectation. And to an extent I was trying to commiserate and show an understanding of the amount of email you must be receiving as well as understanding the job load.

I'm sorry if I'm not communicating well. I'll leave you alone now.

From mailscanner at ecs.soton.ac.uk Fri Feb 20 22:12:41 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:37 2006
Subject: Building an MS-SA box
In-Reply-To: <1077313401.2463.4.camel@nomad.userfriendly.net>
References: <4FD2C985D5E2A642AE25823DFD61C2B01A8146@orca.agcom.amgreetings.com>
    <6.0.1.1.2.20040220185755.0381aca8@imap.ecs.soton.ac.uk>
    <1077313401.2463.4.camel@nomad.userfriendly.net>
Message-ID: <6.0.1.1.2.20040220221146.03c88948@imap.ecs.soton.ac.uk>

At 21:46 20/02/2004, you wrote:
>On Fri, 2004-02-20 at 13:58, Julian Field wrote:
> > You can't match against a destination IP address as that is only known once
> > the delivery has been done, which is really a bit late :-)
> > Change your IP address matches to just "From:". You can't match "To:" or
> > "FromOrTo:" with IP addresses.
>
>I am using as an example the following:
>
>FromOrTo: default store delete
>FromOrTo: mweiner@bmarts.com store deliver
>FromOrTo: someotheruser@bmarts.com store deliver
>
>in my spam and notspam.deliver rules. Is this not going to work?

No, that should work. The restriction only applied to numeric IP addresses.

> I was
>syphoning off a slipstream of the emails to use for further Bayesian
>training but i am thinking of discontinuing that and letting
>spamassassin get smart on its own ;-). But I want that user to get the
>emails delivered and only users in the lists to get the email delivered.
>All others can go to trash as far as i am concerned. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Feb 20 22:22:13 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:37 2006 Subject: Hello? (was Re: Adding Envelope Headers?) In-Reply-To: <4036824E.F5A466C8@ucsc.edu> References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B1BA@tormail2.algorithmics.com> <6.0.1.1.2.20040213140639.03ac5908@imap.ecs.soton.ac.uk> <402D4E48.1A8709B1@ucsc.edu> <40329E21.7D82BCA5@ucsc.edu> <4033DC27.34BB2DA7@ucsc.edu> <6.0.1.1.2.20040219091017.03d08320@imap.ecs.soton.ac.uk> <403542D9.B30C436F@ucsc.edu> <6.0.1.1.2.20040220082658.03f3c698@imap.ecs.soton.ac.uk> <5B0E73F8-638C-11D8-8D33-003065F939FE@ucsc.edu> <6.0.1.1.2.20040220135222.040a76f0@imap.ecs.soton.ac.uk> <40365136.48C3A8EA@ucsc.edu> <6.0.1.1.2.20040220212930.039602c8@imap.ecs.soton.ac.uk> <4036824E.F5A466C8@ucsc.edu> Message-ID: <6.0.1.1.2.20040220222144.03d1e5f8@imap.ecs.soton.ac.uk> At 21:55 20/02/2004, you wrote: >Julian Field wrote: > > > > At 18:25 20/02/2004, you wrote: > > >Julian Field wrote: > > > > > > > > At 10:05 20/02/2004, you wrote: > > > > >(I get the feeling you didn't read the original message I wrote in > this > > > > >thread) > > > > > > > > Quite right. You don't have to deal with the volume of mail I do. > > > > > > > > And there's then the minor of doing my day job as well. If you want > to see > > > > all the stuff I am responsible for at work, look here: > > > > http://www.ecs.soton.ac.uk/~jkf/myjob.html > > > > I have to squeeze MailScanner into the odd minutes here and there > when I > > > > don't have more pressing things to do. 
> > > > We are a department of 1800 people and 1000 computers, in which > everything > > > > computer-related (and all purchasing) is run by a team of 9 of us. > We all > > > > have very busy lives. > > > > > >Actually, looking over that URL, I think I do have a similar amount of > > >email. I'm the primary email administrator for a university with > > >25000-ish active accounts in my email domain ... and I'm part of the > > >central campus IT group, where I have all of the regular duties in > > >addition to email (but I'm the only one primarily tasked with email, and > > >we're all over-tasked, so most of hte others in my small group don't > > >have enough in depth knowledge of our email set-up to do more than the > > >most basic issues with our email service anyway). Thankfully, the > > >helpdesk IS a different group than mine. > > > > > >I have a similar issue with not always seeing messages, but when I get > > >into a thread I try to make sure I read all of the rest of the messages > > >in that thread (for mailing lists, I tend to delete everything as I read > > >it, and only leave in the messages for a thread I'm participating in, so > > >that I can easily find new messages in that same thread). I confess, > > >there have been times where I have wiped out my entire "MailScanner" or > > >"SpamAssassin" folder without reading the pending messages (or the > > >folder for OpenAFS ... and especially the one for qpopper back when I > > >was on that list). Since I put out my CommuniGatePro<->MailScanner > > >scripts, I try to at least skim the subjects for this list before I do > > >that, though. > > > > Yes, you're right, I'm a lazy arsed layabout who can't be bothered to read > > every single one of 1000 messages each day. Remind me to beat myself up > > over it. Oh yes, and what do I get for doing all this? Oh yes, I remember, > > absolutely nothing. Must try to forget that so I have more time to read > > every one of your mails. > > > > Get off my case. 
> > > >To repeat what I sent in reply to the other (private) message you sent >along the same lines, I wasn't trying to beat you up in that message. I >wasn't saying what you should do, I was just explaining what my >expectation had been (and why my expectation was that way), which >clearly wasn't an accurate expectation. And to an extent I was trying >to comiserate and show an understanding of the amount of email you must >be receiving as well as understanding the job load. > >I'm sorry if I'm not communicating well. I'll leave you alone now. Thankyou. Let's consider this "water under the bridge". -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From kevins at BMRB.CO.UK Fri Feb 20 22:26:21 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:37 2006 Subject: Hello? (was Re: Adding Envelope Headers?) In-Reply-To: <08146035CA49D6119A36009027AC822A0264EE36@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264EE36@CITY-EXCH-NTS> Message-ID: <1077315985.15039.25.camel@bach.kevinspicer.co.uk> On Fri, 2004-02-20 at 21:56, Kevin Miller wrote: > Regardless, I just want to say that your efforts are *really really* > appreciated by more than a few of us Julian. Probably feels like a > thankless job a lot of times. We're all swimming upstream against the tide > of spam, but you're almost single-handedly keeping us afloat and I'm sure I > speak for many others when I say that we're quite thankful for that. I'll drink to that! I have to say Julian that you are one of the most responsive developers I've come across. So many times I've seen someone post to the list for some advice on a problem, or how to write a custom function etc and within hours you've written them a whole new feature - really above and beyond the call of duty. 
You owe us nothing, but we owe you a debt of gratitude for the many long hours you have spent honing MailScanner into such a fine tool. We all have different ways of thanking you, some will contribute patches, some test, some spend time here helping MailScanner newbies (hopefully reducing the support burden, so you can concentrate on the interesting stuff), some will buy you something from your wishlist. What I'm trying to say is that the vitality of this little community around MailScanner is our thanks (although it doesn't hurt for us to say it explicitly from time to time). (I'm going to stop now, because all this public praise isn't very British!) John, I hope you read this, whilst I don't agree with the way you made your case on this occasion I know that you have contributed to the community in the past (which is more than can be said for many of the folks that turn up here demanding help). I personally hope that you will continue to participate in the future. Kevin BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
From jcorell at IPRUS.NET Fri Feb 20 22:37:25 2004
From: jcorell at IPRUS.NET (James Corell)
Date: Thu Jan 12 21:22:37 2006
Subject: MailScanner not parsing dumaru-y MIME headers
Message-ID:

Julian:

Running MailScanner-4.27.3-1, rpm version
Running sendmail 8 on RedHat 6.2 with latest rpm-build
Running Sophos 3.79

Installed latest version of MailScanner to fix MIME header parsing problem (MyDoom-A viruses not being found). However, I have been seeing dumaru-y viruses pass through MailScanner with "Clean" headers. When the mail ends up in Outlook Express, however, OE finds the attachment and it's up to the client virus scanner to find dumaru-y.

I have several copies of the virus-infected email message with full headers stored on the mail server. If you would like to see them, I can attach the file and send it to you.

I thought the latest version of MailScanner was supposed to fix this? Anybody else having this problem?

James Corell
E-P-C-S
111 West Mitchell, Suite E
Gaylord, MI 49735
(989) 732-1366

From mkettler at EVI-INC.COM Fri Feb 20 23:05:05 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:37 2006
Subject: What are they thinking?!?
In-Reply-To:
References: <40361F4E.6576F319@ihs.com> <40363E74.6C6D5B7F@ihs.com>
    <6.0.0.22.0.20040220161158.02618fa0@xanadu.evi-inc.com>
Message-ID: <6.0.0.22.0.20040220180303.02527b68@xanadu.evi-inc.com>

At 04:46 PM 2/20/2004, Craig Daters wrote:
>Hmm, Well I am using Eudora 6 on a Macintosh OS9.2 system for my
>email, and then I have HTML turned off, so what you see is what I
>got. Funny, I do all of my maint., etc. on the PC. Then I use the Mac
>for everything else. (graphic art, email.)

Yeah, I use eudora 6 for windows, with all the HTML turned off, etc... It's partly why I suggested looking at the raw message... I'm familiar with what Eudora does to messages as it parses MIME :)

Once it's downloaded to Eudora, the raw message is gone..
Eudora strips out some of the mime sections prior to storing the message and discards them. In the case of spam with ill-formatted mime, no major loss.

From hunter at userfriendly.net Fri Feb 20 23:19:21 2004
From: hunter at userfriendly.net (Michael Weiner)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <6.0.1.1.2.20040220221146.03c88948@imap.ecs.soton.ac.uk>
References: <4FD2C985D5E2A642AE25823DFD61C2B01A8146@orca.agcom.amgreetings.com>
    <6.0.1.1.2.20040220185755.0381aca8@imap.ecs.soton.ac.uk>
    <1077313401.2463.4.camel@nomad.userfriendly.net>
    <6.0.1.1.2.20040220221146.03c88948@imap.ecs.soton.ac.uk>
Message-ID: <1077319161.2463.13.camel@nomad.userfriendly.net>

On Fri, 2004-02-20 at 17:12, Julian Field wrote:
> No, that should work. The restriction only applied to numeric IP addresses.

I thought so, you and i had discussed using delivery rules much like these in the past when i first played with MS. I am eager to get this back up and running, it's amazing that the first partial day sucking all email for bluemountain.com and its related brethren (i.e. bmarts.com, bluemt.net) that it pulled over 45k emails. So i am looking forward to taking that burden away from the exchange administrator who is constantly battling the concurrent connections to his exchange box and that breaks most users' ability to do email. So this is an important goal.

The following goal is to bring up a separate box to do additional domains that ag owns and also americangreetings.com itself. We had a successful 24 hour trial awhile back using it, but the sheer volume of email that ag gets in a day was enough to bring the box to its knees. However, after more rigorous testing and some insight to fellow list readers it appears that it was my own fault and i was running additional milters causing the load and sendmail to take out the box. All is better now, keeping it simple and sticking to SA::MS at the moment and loving it.

--
Michael B.
Weiner, Linux+, Linux+ SME
Systems Administrator/Partner
The UserFriendly Network (UFN)
--
Linux Registered User #94900
Have you been counted? http://counter.li.org
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040220/f92def90/attachment.bin

From hunter at userfriendly.net Fri Feb 20 23:41:41 2004
From: hunter at userfriendly.net (Michael Weiner)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <1077319161.2463.13.camel@nomad.userfriendly.net>
References: <4FD2C985D5E2A642AE25823DFD61C2B01A8146@orca.agcom.amgreetings.com>
    <6.0.1.1.2.20040220185755.0381aca8@imap.ecs.soton.ac.uk>
    <1077313401.2463.4.camel@nomad.userfriendly.net>
    <6.0.1.1.2.20040220221146.03c88948@imap.ecs.soton.ac.uk>
    <1077319161.2463.13.camel@nomad.userfriendly.net>
Message-ID: <1077320501.2463.34.camel@nomad.userfriendly.net>

I do seem to be having one small issue and that is getting this to work with ClamAV. I noticed there seems to be a number of list readers using ClamAV, can someone point me to a good doc or have some pointers on getting this setup to work? I currently have the RPMS for 0.67-1 currently installed for clamav-milter and clamav. I even followed the instructions and installed the perl clamav module and modified the MailScanner.conf file appropriately.

Any suggestions? And isn't there a test site out there that can send out a known virus to test a system?

Thanks in advance

--
Michael B. Weiner, Linux+, Linux+ SME
Systems Administrator/Partner
The UserFriendly Network (UFN)
--
Linux Registered User #94900
Have you been counted? http://counter.li.org
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040220/c7e0505c/attachment.bin

From listonly at WEBPRESENCEGROUP.NET Fri Feb 20 23:44:05 2004
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy)
Date: Thu Jan 12 21:22:38 2006
Subject: What are they thinking?!?
In-Reply-To: <40367748.3317AB46@ucsc.edu>
Message-ID:

On 2/20/04 3:08 PM, "John Rudd" wrote:

> You're looking at it wrong. It's not trying to scam YOU out of
> anything. It's trying to scam your bayesian learner (if you have one,
> which you probably do since you're using a recent version spam assassin
> (me too)).
>
> See, the message is scored as non-spam, so if this message ends up being
> auto-learned, it will throw off the weights of your bayes ranks for
> these words ... so if they insert these words into actual spam messages,
> then it will lower the score of the spam message. That's the logic,
> anyway.
>
> It's a bayes poisoning attack, or attempt. I don't know how well they
> work ... it certainly doesn't seem to have had a negative impact on my
> bayes db.

Interesting point. Also is it possible that they are just trying to get the numbers up on sent spam to be able to charge the client out, since it doesn't come back as a bounce? Spammers scamming the Spammers?

--
Thanks!!
David Thurman
List Only at Web Presence Group Net

From mikes at HARTWELLCORP.COM Fri Feb 20 23:37:22 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:38 2006
Subject: Which SA rule set considered "Best Practice"?
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C83@hart-exchange.hartwellcorp.com>

Hello,

I'm new to the MailScanner and Spamassassin world. I've recently set them both up to filter the mail here along with Clamav for additional virus scanning.
We're still getting more spam slipping through than I would like and was wondering which of the additional rule sets are recommended. I've installed the fetch scripts for both the bigevil and backhair rule sets so far.

Suggestions please?

TIA

--
Michael St. Laurent
Hartwell Corporation

From mikes at HARTWELLCORP.COM Fri Feb 20 23:50:47 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C85@hart-exchange.hartwellcorp.com>

Michael Weiner wrote:
> Any suggestions? And isnt there a test site out there that can send
> out a known virus to test a system?

Oh, yeah. I forgot to answer your last question. This is the site you want. I've not found another that is better at testing your email virus protection:

http://www.testvirus.org/

--
Michael St. Laurent
Hartwell Corporation

From mikes at HARTWELLCORP.COM Fri Feb 20 23:51:10 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C86@hart-exchange.hartwellcorp.com>

Michael Weiner wrote:
> I do seem to be having one small issue and that is getting this to
> work with ClamAV. I noticed there seems to be a number of list
> readers using ClamAV, can someone point me to a good doc or have some
> pointers on getting this setup to work? I currently have the RPMS for
> 0.67-1 currently installed for clamav-milter and clamav. I even
> followed the instructions and installed the perl clamav module and
> modified the MailScanner.conf file appropriately.
>
> Any suggestions? And isnt there a test site out there that can send
> out a known virus to test a system?

Okay, first off, you won't be needing the clamav-milter package. MailScanner uses either clamscan or clamd but has no need for clamav-milter.
Second, if you're using the Perl module setup you may want to hunt around for an RPM of the latest CVS version of Clamav. The instability issues with clamd that were present in the 0.67-1 release have been corrected (finally).

If you can't get the perl module setup to work reliably you might want to consider switching to the clamscan wrapper mode instead. The load on your server will be a lot higher; however, it seems to "Just Work" right out of the box.

--
Michael St. Laurent
Hartwell Corporation

From hunter at userfriendly.net Fri Feb 20 23:53:58 2004
From: hunter at userfriendly.net (Michael Weiner)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C86@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56C86@hart-exchange.hartwellcorp.com>
Message-ID: <1077321238.2463.39.camel@nomad.userfriendly.net>

On Fri, 2004-02-20 at 18:51, Michael St. Laurent wrote:
> Second, if you're using the Perl module setup you may want to hunt around
> for an RPM of the latest CVS version of Clamav. The instability issues with
> clamd that were present in the 0.67-1 release have been corrected (finally).
>
> If you can't get the perl module setup to work reliably you might want to
> consider switching to the clamscan wrapper mode instead. The load on your
> server will be a lot higher; however, it seems to "Just Work" right out of
> the box.

and what do you set in the mailscanner config? i had simply changed from Virus Scanners = clamav to clamavmodule and went thru the cpan install.

--
Michael B. Weiner, Linux+, Linux+ SME
Systems Administrator/Partner
The UserFriendly Network (UFN)
--
Linux Registered User #94900
Have you been counted? http://counter.li.org
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040220/4be833ab/attachment.bin

From peter at UCGBOOK.COM Fri Feb 20 23:54:58 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <1077320501.2463.34.camel@nomad.userfriendly.net>
References: <4FD2C985D5E2A642AE25823DFD61C2B01A8146@orca.agcom.amgreetings.com>
    <6.0.1.1.2.20040220185755.0381aca8@imap.ecs.soton.ac.uk>
    <1077313401.2463.4.camel@nomad.userfriendly.net>
    <6.0.1.1.2.20040220221146.03c88948@imap.ecs.soton.ac.uk>
    <1077319161.2463.13.camel@nomad.userfriendly.net>
    <1077320501.2463.34.camel@nomad.userfriendly.net>
Message-ID: <40369E52.1010803@ucgbook.com>

Michael Weiner wrote:
> I do seem to be having one small issue and that is getting this to work
> with ClamAV. I noticed there seems to be a number of list readers using
> ClamAV, can someone point me to a good doc or have some pointers on
> getting this setup to work? I currently have the RPMS for 0.67-1
> currently installed for clamav-milter and clamav. I even followed the
> instructions and installed the perl clamav module and modified the
> MailScanner.conf file appropriately.
>
> Any suggestions? And isnt there a test site out there that can send out
> a known virus to test a system?

Why use milter also? I don't think many here use it, try posting it on the Clam list, there's many on that list that uses milter but none of them seem to be using it with MS and SA, at least that's what I think. The milter part of Clam seems to be quite buggy when you follow their mail list.

That's one of the greatest parts of MS in my opinion, it uses the virus scanners in the absolutely simplest way possible, scanning a file, that's why so many scanners are supported.
Clam tries to do a little bit of everything (daemon, mbox, milter) but the core function, file scanning, is the best part of it.

I think the perl module for Clam has bugs in it making it unusable with MS, Julian has contacted the author. This is about 0.05, some have tried 0.04 and it seems to work better.

Test sites:

http://www.eicar.org/
http://www.gfi.com/emailsecuritytest/
http://www.testvirus.org/

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From rggarcia at IMGAME.NET Fri Feb 20 23:56:10 2004
From: rggarcia at IMGAME.NET (Rosaldo Garcia)
Date: Thu Jan 12 21:22:38 2006
Subject: Postfix + MailScanner HELP!
In-Reply-To: <200402201239.16214.jacques@monaco.net>
Message-ID:

Hi,

Thanks for that reply really appreciate that help, but sad to say i did follow that instruction on the links, i still cannot send nor receive mail when i put a # on that (smtp inet n - > y - - smtpd) under /etc/postfix/master.cf. Any other idea? Any help is much appreciated.

Thanks

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jacques Caruso
Sent: Friday, February 20, 2004 7:40 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Postfix + MailScanner HELP!

On Thursday 19 February 2004 15:42, Rosaldo Garcia wrote:
> Why is it when i try to put an # on ( smtp inet n -
> y - - smtpd ) under /etc/postfix/master.cf, i get
> this error

Did you read ?? You need to make sure the *incoming* instance of Postfix (the one controlled by the files in /etc/postfix.in) has started, otherwise there will be no one to listen to SMTP connections...

Cheers,

--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From mikes at HARTWELLCORP.COM Fri Feb 20 23:59:27 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C88@hart-exchange.hartwellcorp.com>

Michael Weiner wrote:
> On Fri, 2004-02-20 at 18:51, Michael St. Laurent wrote:
>> Second, if you're using the Perl module setup you may want to hunt
>> around for an RPM of the latest CVS version of Clamav. The
>> instability issues with clamd that were present in the 0.67-1
>> release have been corrected (finally).
>>
>> If you can't get the perl module setup to work reliably you might
>> want to consider switching to the clamscan wrapper mode instead.
>> The load on your server will be a lot higher; however, it seems to
>> "Just Work" right out of the box.
>
> and what do you set in the mailscanner config? i had simply changed
> from Virus Scanners = clamav to clamavmodule and went thru the cpan
> install. --

To switch to clamscan mode you mean? I think all you need to do is change the Virus Scanners line to read "Virus Scanners = clamav"

Someone please correct me if I am mistaken.

--
Michael St. Laurent
Hartwell Corporation

From lists at STHOMAS.NET Fri Feb 20 23:58:34 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:38 2006
Subject: Which SA rule set considered "Best Practice"?
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C83@hart-exchange.hartwellcorp.com>;
    from mikes@HARTWELLCORP.COM on Fri, Feb 20, 2004 at 03:37:22PM -0800
References: <91A5926EFF44D3118B1200104B7276EB02C56C83@hart-exchange.hartwellcorp.com>
Message-ID: <20040220155834.A15956@sthomas.net>

On Fri, Feb 20, 2004 at 03:37:22PM -0800, Michael St. Laurent is rumored to have said:
>
> Suggestions please?
>

Others will be able to provide suggestions for rulesets - here's my advice.
Getting bayes up and running and trained with all the ham/spam you have/get is more important than installing additional rulesets, IMHO.

--
"Tragedy is when I cut my finger. Comedy is when you walk into an open sewer and die." - Mel Brooks

From mkettler at EVI-INC.COM Sat Feb 21 00:10:40 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:38 2006
Subject: Which SA rule set considered "Best Practice"?
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C83@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56C83@hart-exchange.hartwellcorp.com>
Message-ID: <6.0.0.22.0.20040220185621.0204e3c8@xanadu.evi-inc.com>

At 06:37 PM 2/20/2004, Michael St. Laurent wrote:
>We're still getting more spam slipping through than I would like and was
>wondering which of the additional rule sets are recommended. I've installed
>the fetch scripts for both the bigevil and backhair rule sets so far.
>
>Suggestions please?

Disclaimer of bias: I'm one of the add-on ruleset writers... I wrote antidrug.cf.

Personally I think your best bet prior to using add on rulesets is to get all of the features of the default SA system working well.

1) Enable DNSBLs by installing Net::DNS.

2) Enable bayes by feeding sa-learn.. Feed it well, and feed it often. Mine gets fed a diet of about 100 fresh spams/day and about 20 nonspams/day. A good regiment of feeding bayes with input from spamtraps and such is very helpful.

3) Consider installing DCC.. DCC works pretty well and is pretty lightweight. Razor is more accurate, but seems prone to more network timeouts.

As for add-on rules, I don't use that many, despite being an add-on set writer. "Best practice" would be to be very cautious when using them, and test them out with very low scores to start.

If you want to know what I'm using:

Obviously I use my own antidrug.cf, but that's mostly done as a giant rude gesture in the direction of the pill spammers who have been so aggressive lately.
I also use a pair of rules which is a collapsed version of Jen's popcorn.cf.

describe LOCAL_POPCORN 1-5 letters - hidden tag - 1-7 letters
rawbody LOCAL_POPCORN /[>\s]\w{1,5}<\![^>]*>\w{1,7}\W/i

describe LOCAL_POPCORN2 1-5 letters - hidden tag - 1-7 letters
rawbody LOCAL_POPCORN2 /[>\s]\w{1,5}<\/\w{2,10}>\w{1,7}\b/i

I also find this useful:

body LOCAL_MEDS /\bmed[sz]\b/i

and this:

body BODY_RND_GENERATOR /\%RND_(?:LC_CHAR|UC_CHAR|SYB|WORD)\b/

And that's about it.. other than a bunch of goofball test rules floating around. I've also been playing with the FVGT_s_OBFU_* rules.

The SA wiki has a pretty comprehensive list of the add-on sets if you need a list of them. Just remember, when in doubt, test with low scores!

http://wiki.spamassassin.org/w/CustomRulesets

From mikes at HARTWELLCORP.COM Sat Feb 21 00:02:10 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:38 2006
Subject: Which SA rule set considered "Best Practice"?
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C89@hart-exchange.hartwellcorp.com>

Steve Thomas wrote:
> On Fri, Feb 20, 2004 at 03:37:22PM -0800, Michael St. Laurent is
> rumored to have said:
>>
>> Suggestions please?
>>
>
> Others will be able to provide suggestions for rulesets - here's my
> advice.
>
> Getting bayes up and running and trained with all the ham/spam you
> have/get is more important than installing additional rulesets, IMHO.

Okay, thanks. I'll concentrate on getting that working. ;-D

--
Michael St. Laurent
Hartwell Corporation

From peter at UCGBOOK.COM Sat Feb 21 00:00:41 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C86@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56C86@hart-exchange.hartwellcorp.com>
Message-ID: <40369FA9.20406@ucgbook.com>

Michael St. Laurent wrote:
> Okay, first off, you won't be needing the clamav-milter package.
> MailScanner uses either clamscan or clamd but has no need for clamav-milter.

MS doesn't use clamd, only clamscan. Some have experimented with replacing clamscan with clamdscan in the wrapper, I'm not sure how it worked out but they have to worry about clamd dying, which has been common at least in the previous releases.

--
/Peter Bonivart
--Unix lovers do it in the Sun
Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From mikes at HARTWELLCORP.COM Sat Feb 21 00:18:55 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C8A@hart-exchange.hartwellcorp.com>

Peter Bonivart wrote:
> Michael St. Laurent wrote:
>> Okay, first off, you won't be needing the clamav-milter package.
>> MailScanner uses either clamscan or clamd but has no need for
>> clamav-milter.
>
> MS doesn't use clamd, only clamscan. Some have experimented with
> replacing clamscan with clamdscan in the wrapper, I'm not sure how it
> worked out but they have to worry about clamd dying, which has been
> common at least in the previous releases.

You're right. MS does NOT use clamd. However, IIRC, the perl module *does* use clamd. So when you configure MailScanner to use "clamavmodule" instead of "clamav" you eventually are using clamd.

--
Michael St. Laurent
Hartwell Corporation

From hunter at userfriendly.net Sat Feb 21 00:20:45 2004
From: hunter at userfriendly.net (Michael Weiner)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C8A@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56C8A@hart-exchange.hartwellcorp.com>
Message-ID: <1077322844.2463.44.camel@nomad.userfriendly.net>

On Fri, 2004-02-20 at 19:18, Michael St. Laurent wrote:
> You're right. MS does NOT use clamd. However, IIRC, the perl module *does*
> use clamd.
So when you configure MailScanner to use "clamavmodule" instead
> of "clamav" you eventually are using clamd.

I don't know, i just finished installing the cvs version of clamav and made sure that ms was configured to use clamav rather than clamavmodule. And restarted ms and send some test messages from testvirus.org and they are all coming back clean.

getting nervous here, can scan for spam but not virii....

--
Michael B. Weiner, Linux+, Linux+ SME
Systems Administrator/Partner
The UserFriendly Network (UFN)
--
Linux Registered User #94900
Have you been counted? http://counter.li.org
--

From peter at UCGBOOK.COM Sat Feb 21 00:29:13 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <1077322844.2463.44.camel@nomad.userfriendly.net>
References: <91A5926EFF44D3118B1200104B7276EB02C56C8A@hart-exchange.hartwellcorp.com> <1077322844.2463.44.camel@nomad.userfriendly.net>
Message-ID: <4036A659.5070900@ucgbook.com>

Michael Weiner wrote:
> On Fri, 2004-02-20 at 19:18, Michael St. Laurent wrote:
>
>>You're right. MS does NOT use clamd. However, IIRC, the perl module *does*
>>use clamd. So when you configure MailScanner to use "clamavmodule" instead
>>of "clamav" you eventually are using clamd.
>
>
> I don't know, i just finished installing the cvs version of clamav and
> made sure that ms was configured to use clamav rather than clamavmodule.
> And restarted ms and send some test messages from testvirus.org and they
> are all coming back clean.
>
> getting nervous here, can scan for spam but not virii....

Using CVS is a lottery at best. Why not use 0.67-1, only a couple of days old?
Do you know that CVS comes without signature databases? Did you run freshclam to get them?

After install, try clamscan in the current directory, at least if you compile from source you get test signatures. Otherwise you can download from www.eicar.com. Just run clamscan in the same directory as eicar.com, it should find it. If that works, send it from Yahoo Mail or similar to your MS server and check your logs.

--
/Peter Bonivart
--Unix lovers do it in the Sun
Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From peter at UCGBOOK.COM Sat Feb 21 00:31:23 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C8A@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56C8A@hart-exchange.hartwellcorp.com>
Message-ID: <4036A6DB.7030804@ucgbook.com>

Michael St. Laurent wrote:
> You're right. MS does NOT use clamd. However, IIRC, the perl module *does*
> use clamd. So when you configure MailScanner to use "clamavmodule" instead
> of "clamav" you eventually are using clamd.

No, the clam module does not use clamd, it uses the clam api, similar to the way MS uses SA.

--
/Peter Bonivart
--Unix lovers do it in the Sun
Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From hunter at userfriendly.net Sat Feb 21 00:46:09 2004
From: hunter at userfriendly.net (Michael Weiner)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <4036A659.5070900@ucgbook.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56C8A@hart-exchange.hartwellcorp.com> <1077322844.2463.44.camel@nomad.userfriendly.net> <4036A659.5070900@ucgbook.com>
Message-ID: <1077324368.2463.47.camel@nomad.userfriendly.net>

On Fri, 2004-02-20 at 19:29, Peter Bonivart wrote:
> Using CVS is a lottery at best.
Why not use 0.67-1, only a couple of
> days old?
>
> Do you know that CVS comes without signature databases? Did you run
> freshclam to get them?

yes

> After install, try clamscan in the current directory, at least if you
> compile from source you get test signatures. Otherwise you can download
> from www.eicar.com. Just run clamscan in the same directory as
> eicar.com, it should find it. If that works, send it from Yahoo Mail or
> similar to your MS server and check your logs.

That all works fine, and i see the mailscanner stamps in the maillog saying that virus and content scanning: Starting but yet no virii found even when i send some.

--
Michael B. Weiner, Linux+, Linux+ SME
Systems Administrator/Partner
The UserFriendly Network (UFN)
--
Linux Registered User #94900
Have you been counted? http://counter.li.org
--

From peter at UCGBOOK.COM Sat Feb 21 01:04:24 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <1077324368.2463.47.camel@nomad.userfriendly.net>
References: <91A5926EFF44D3118B1200104B7276EB02C56C8A@hart-exchange.hartwellcorp.com> <1077322844.2463.44.camel@nomad.userfriendly.net> <4036A659.5070900@ucgbook.com> <1077324368.2463.47.camel@nomad.userfriendly.net>
Message-ID: <4036AE98.4000700@ucgbook.com>

Michael Weiner wrote:
> That all works fine, and i see the mailscanner stamps in the maillog
> saying that virus and content scanning: Starting but yet no virii found
> even when i send some.
The log line about "virus and content scanning: Starting" doesn't necessarily mean that virus scanning (as in Clam) is starting, it's used in a broader context, looking for IFrame, HTML forms and all kinds of nasty stuff so you get this line even if you don't use a virus scanner.

Could you mail the relevant lines from your MailScanner.conf regarding the virus scanning?

You could also look in /tmp for lock files from Clam when used by MS, it should be visible in "top" also. Run two terminals, one "tail -f maillog" and one with "top", then mail yourself from the outside and watch closely.

If you send eicar.com it should trigger Clam, file type and file name.

--
/Peter Bonivart
--Unix lovers do it in the Sun
Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From hunter at userfriendly.net Sat Feb 21 01:12:23 2004
From: hunter at userfriendly.net (Michael Weiner)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <4036AE98.4000700@ucgbook.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56C8A@hart-exchange.hartwellcorp.com> <1077322844.2463.44.camel@nomad.userfriendly.net> <4036A659.5070900@ucgbook.com> <1077324368.2463.47.camel@nomad.userfriendly.net> <4036AE98.4000700@ucgbook.com>
Message-ID: <1077325942.2463.52.camel@nomad.userfriendly.net>

On Fri, 2004-02-20 at 20:04, Peter Bonivart wrote:
> Could you mail the relevant lines from your MailScanner.conf regarding
> the virus scanning?
>
> You could also look in /tmp for lock files from Clam when used by MS, it
> should be visible in "top" also. Run two terminals, one "tail -f
> maillog" and one with "top", then mail yourself from the outside and
> watch closely.
>
> If you send eicar.com it should trigger Clam, file type and file name.
>

Virus Scanning = yes
Virus Scanners = clamav
Virus Scanner Timeout = 300
Silent Viruses = HTML-I Frame All-Viruses
Still Deliver Silent Viruses = no
..
i do see the ClamAVBusy.lock file in /tmp and the timestamp changes as well, so there is something going on. But eicar.com still comes back "clean"

--
Michael B. Weiner, Linux+, Linux+ SME
Systems Administrator/Partner
The UserFriendly Network (UFN)
--
Linux Registered User #94900
Have you been counted? http://counter.li.org
--

From peter at UCGBOOK.COM Sat Feb 21 01:19:50 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <1077325942.2463.52.camel@nomad.userfriendly.net>
References: <91A5926EFF44D3118B1200104B7276EB02C56C8A@hart-exchange.hartwellcorp.com> <1077322844.2463.44.camel@nomad.userfriendly.net> <4036A659.5070900@ucgbook.com> <1077324368.2463.47.camel@nomad.userfriendly.net> <4036AE98.4000700@ucgbook.com> <1077325942.2463.52.camel@nomad.userfriendly.net>
Message-ID: <4036B236.4010007@ucgbook.com>

Michael Weiner wrote:
> Virus Scanning = yes
> Virus Scanners = clamav
> Virus Scanner Timeout = 300
> Silent Viruses = HTML-I
> Frame All-Viruses
> Still Deliver Silent Viruses = no

Looks normal to me (at least at 0200 in the morning here in Sweden sitting rebuilding a server with both root mirrors crashed and trying to save a large RAID5 volume :-).

> i do see the ClamAVBusy.lock file in /tmp and the timestamp changes as
> well, so there is something going on. But eicar.com still comes back
> "clean"

I think I have seen this as well at some point but it should trigger file type and file name though. Try pasting the eicar string into the body of the mail, that is don't attach a file just the contents as regular text on one line. Let me know what happens.
--
/Peter Bonivart
--Unix lovers do it in the Sun
Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From hunter at userfriendly.net Sat Feb 21 01:44:40 2004
From: hunter at userfriendly.net (Michael Weiner)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
In-Reply-To: <4036B236.4010007@ucgbook.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56C8A@hart-exchange.hartwellcorp.com> <1077322844.2463.44.camel@nomad.userfriendly.net> <4036A659.5070900@ucgbook.com> <1077324368.2463.47.camel@nomad.userfriendly.net> <4036AE98.4000700@ucgbook.com> <1077325942.2463.52.camel@nomad.userfriendly.net> <4036B236.4010007@ucgbook.com>
Message-ID: <1077327876.2463.56.camel@nomad.userfriendly.net>

On Fri, 2004-02-20 at 20:19, Peter Bonivart wrote:
> I think I have seen this as well at some point but it should trigger
> file type and file name though. Try pasting the eicar string into the
> body of the mail, that is don't attach a file just the contents as
> regular text on one line. Let me know what happens.

Done and nothing special in the log other than it came in, queued, and was dealt with and found clean. something is definitely not right here.

--
Michael B. Weiner, Linux+, Linux+ SME
Systems Administrator/Partner
The UserFriendly Network (UFN)
--
Linux Registered User #94900
Have you been counted? http://counter.li.org
--

From jonc at nc.rr.com Sat Feb 21 02:48:06 2004
From: jonc at nc.rr.com (Jon Carnes)
Date: Thu Jan 12 21:22:38 2006
Subject: Feature: Block Persistent Virus Senders?
In-Reply-To:
References:
Message-ID: <1077331686.4345.34.camel@localhost.localdomain>

On Fri, 2004-02-20 at 11:15, Nathan Johanson wrote:
> > >I was told that MailScanner supports the blocking of persistent virus
> > >senders. I've sifted through the documentation and the changelog, but
> > >can't seem to find any reference to this. Can someone tell me which
> > >version this was introduced in and where I may find the corresponding
> > >options or functions. Is it a custom function?
> >
> > I haven't heard of this option (which is _not_ an indication that
> > it does not exist.) but this seems like it may be something
> > better handled by the MTA. Reject by IP in whatever your equivalent
> > of an access table is. That way you're not wasting any cycles
> > on something you're going to reject anyway. (Reject early and
> > often, something the girls I was interested in always did. :)
> >
>
> Looks like it might be the IPBlock custom function, which allows you to
> throttle the number of messages received from a given sender within an
> hour. However, the description says that this pertains to all types of
> senders (spam, virus, annoyances, and even mail from Mom). I'll hold out
> and see if anyone else can clarify.
>
> Vispan's author (formerly mailstats) used to automatically add
> persistent virus senders to the access.db as part of the stats
> collection cron job. He told me he didn't include this feature in the
> latest build because Julian had included the same functionality in
> MailScanner.

There are various scripts for blocking (at the firewall) any ip that connects directly with a virus - The script basically pulls the virus information out of the logs (and is only queued to specific viruses that come directly from an infected computer). It then builds a list of ip's that are blocked from having smtp access to your mailserver. I think it was originally written for OpenBSD, but I recently saw one for Linux as well.
You'll have to google for the actual script. Not much help, but you can find a copy in the archives of Trilug from two weeks ago: http:/www.trilug.org/pipermail/trilug

Jon Carnes

From jonc at nc.rr.com Sat Feb 21 02:52:13 2004
From: jonc at nc.rr.com (Jon Carnes)
Date: Thu Jan 12 21:22:38 2006
Subject: Emailing quarantined emails
In-Reply-To: <20040220193427.GA30431@gbcomputers.com>
References: <20040220193427.GA30431@gbcomputers.com>
Message-ID: <1077331933.4345.38.camel@localhost.localdomain>

On Fri, 2004-02-20 at 14:34, Gregg Berkholtz wrote:
> Digging through the listserve archives, online documentation, and
> source, I don't see an answer to this question;
> While it's possible to archive all emails to an email address instead of
> a folder, is it also possible to quarantine emails to an address? If
> not, is/was this a desired/considered feature?
>
> Gregg Berkholtz

I'm confused by your question, but here are a couple of attempts...

If you save the quarantined email in q-format then you can drag and drop the email qfiles directly into the outgoing /var/spool/mqueue directory where they will be sent out to their original destination.

If you want to have all email to an address thrown in quarantine, then blacklist that address.

Jon Carnes

From mikes at HARTWELLCORP.COM Sat Feb 21 02:57:50 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:38 2006
Subject: Building an MS-SA box
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C8B@hart-exchange.hartwellcorp.com>

Peter Bonivart wrote:
> Michael St. Laurent wrote:
>> You're right. MS does NOT use clamd. However, IIRC, the perl
>> module *does* use clamd. So when you configure MailScanner to use
>> "clamavmodule" instead of "clamav" you eventually are using clamd.
>
> No, the clam module does not use clamd, it uses the clam api, similar
> to the way MS uses SA.

Oh, I must have misunderstood how that worked. Okay, thanks for setting me straight. :-)

--
Michael St.
Laurent
Hartwell Corporation

From newsgroup2 at SPACELINK.COM.AU Sat Feb 21 03:22:30 2004
From: newsgroup2 at SPACELINK.COM.AU (Stuart Clark)
Date: Thu Jan 12 21:22:38 2006
Subject: does spamd have to be running?
Message-ID: <004901c3f829$f15d5880$0100a8c0@yogi>

Hi

Does spamd have to be running when using MailScanner?

Stuart Clark
Spacelink Communications Pty Ltd

From lists at STHOMAS.NET Sat Feb 21 03:32:09 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:38 2006
Subject: does spamd have to be running?
In-Reply-To: <004901c3f829$f15d5880$0100a8c0@yogi>; from newsgroup2@SPACELINK.COM.AU on Sat, Feb 21, 2004 at 02:22:30PM +1100
References: <004901c3f829$f15d5880$0100a8c0@yogi>
Message-ID: <20040220193209.A22819@sthomas.net>

On Sat, Feb 21, 2004 at 02:22:30PM +1100, Stuart Clark is rumored to have said:
>
> Does spamd have to be running when using MailScanner?

Nope.

--
"In science one tries to tell people, in such a way as to be understood by everyone, something that no one ever knew before. But in poetry, it's the exact opposite." - Paul Dirac (1902-1984)

From mikes at HARTWELLCORP.COM Sat Feb 21 03:40:48 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:38 2006
Subject: Training SA
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C8D@hart-exchange.hartwellcorp.com>

I'm looking for the best way to set things up for our users to train SA. So far I'm thinking that the best way seems to be to create the spam and notspam mailboxes on the server and run a task each night to process them.

Reading the FAQ section on this topic, I'm a bit confused about which way to proceed. There seem to be several scripts listed. Is the last one, the Perl script, the one that people are using these days or is there another one that is better?

--
Michael St.
Laurent
Hartwell Corporation

From lists at STHOMAS.NET Sat Feb 21 03:51:17 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:38 2006
Subject: Training SA
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C8D@hart-exchange.hartwellcorp.com>; from mikes@HARTWELLCORP.COM on Fri, Feb 20, 2004 at 07:40:48PM -0800
References: <91A5926EFF44D3118B1200104B7276EB02C56C8D@hart-exchange.hartwellcorp.com>
Message-ID: <20040220195117.A23403@sthomas.net>

On Fri, Feb 20, 2004 at 07:40:48PM -0800, Michael St. Laurent is rumored to have said:
>
> I'm looking for the best way to set things up for our users to train SA. So
> far I'm thinking that the best way seems to be to create the spam and
> notspam mailboxes on the server and run a task each night to process them.

If you're talking about creating actual mailboxes that people forward their (non)spam to, don't. You need original, unaltered messages, otherwise you'll be training SA to think that mail from your users is spam..

What I did, and maybe what you're talking about, is create non/spam shared IMAP folders that users could copy/move messages to. I have a shell script that runs sa-learn on the folders once an hour. Works like a champ.

--
"Opportunities multiply as they are seized." - Sun Tzu

From mikes at HARTWELLCORP.COM Sat Feb 21 03:57:52 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:38 2006
Subject: Training SA
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C8F@hart-exchange.hartwellcorp.com>

Steve Thomas wrote:
>> I'm looking for the best way to set things up for our users to train
>> SA. So far I'm thinking that the best way seems to be to create the
>> spam and notspam mailboxes on the server and run a task each night
>> to process them.
>
> If you're talking about creating actual mailboxes that people forward
> their (non)spam to, don't. You need original, unaltered messages,
> otherwise you'll be training SA to think that mail from your users is
> spam..
>
> What I did, and maybe what you're talking about, is create non/spam
> shared IMAP folders that users could copy/move messages to. I have a
> shell script that runs sa-learn on the folders once an hour. Works
> like a champ.

I might be able to fix that up... we are stuck with an Exchange server here for the mail email system. I could create a folder on it for people to move spam and non-spam messages into. What would I then do to access those folders from the MailScanner server in such a way that they could be fed into sa-learn?

--
Michael St. Laurent
Hartwell Corporation

From lists at STHOMAS.NET Sat Feb 21 04:08:31 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:38 2006
Subject: Training SA
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C8F@hart-exchange.hartwellcorp.com>; from mikes@HARTWELLCORP.COM on Fri, Feb 20, 2004 at 07:57:52PM -0800
References: <91A5926EFF44D3118B1200104B7276EB02C56C8F@hart-exchange.hartwellcorp.com>
Message-ID: <20040220200831.A23964@sthomas.net>

On Fri, Feb 20, 2004 at 07:57:52PM -0800, Michael St. Laurent is rumored to have said:
>
> I might be able to fix that up... we are stuck with an Exchange server here
> for the mail email system. I could create a folder on it for people to move
> spam and non-spam messages into. What would I then do to access those
> folders from the MailScanner server in such a way that they could be fed
> into sa-learn?

Never worked with exchange, so I can't say. You could probably do a perl script that logs in via pop3 or imap and downloads/deletes the messages from the exchange box. I know there's a bunch of exchange people on this list, so maybe you'll get a more definitive answer on Monday.

--
"I don't feel good." - The last words of Luther Burbank (1849-1926)

From mikes at HARTWELLCORP.COM Sat Feb 21 04:43:18 2004
From: mikes at HARTWELLCORP.COM (Michael St.
Laurent)
Date: Thu Jan 12 21:22:38 2006
Subject: Training SA
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C90@hart-exchange.hartwellcorp.com>

Steve Thomas wrote:
> On Fri, Feb 20, 2004 at 07:57:52PM -0800, Michael St. Laurent is
> rumored to have said:
>>
>> I might be able to fix that up... we are stuck with an Exchange
>> server here for the mail email system. I could create a folder on
>> it for people to move spam and non-spam messages into. What would I
>> then do to access those folders from the MailScanner server in such
>> a way that they could be fed into sa-learn?
>
> Never worked with exchange, so I can't say. You could probably do a
> perl script that logs in via pop3 or imap and downloads/deletes the
> messages from the exchange box. I know there's a bunch of exchange
> people on this list, so maybe you'll get a more definitive answer on
> Monday.

Okay, I'll wait to see what others have to say then. Thanks. :-D

--
Michael St. Laurent
Hartwell Corporation

From mlm at LOANPROCESSING.NET Sat Feb 21 04:59:40 2004
From: mlm at LOANPROCESSING.NET (Mike McMullen)
Date: Thu Jan 12 21:22:38 2006
Subject: Training SA
References: <91A5926EFF44D3118B1200104B7276EB02C56C8D@hart-exchange.hartwellcorp.com> <20040220195117.A23403@sthomas.net>
Message-ID: <1b6d01c3f837$83e4b740$0300a8c0@Spike>

From: "Steve Thomas"
> On Fri, Feb 20, 2004 at 07:40:48PM -0800, Michael St. Laurent is rumored to have said:
> >
> > I'm looking for the best way to set things up for our users to train SA. So
> > far I'm thinking that the best way seems to be to create the spam and
> > notspam mailboxes on the server and run a task each night to process them.
>
> If you're talking about creating actual mailboxes that people forward their (non)spam to, don't. You need original, unaltered messages, otherwise you'll be training SA to think that mail from your users is spam..
>
> What I did, and maybe what you're talking about, is create non/spam shared IMAP folders that users could copy/move messages to. I have a shell script that runs sa-learn on the folders once an hour. Works like a champ.
>

Do you delete the messages from s/w after running sa-learn on the IMAP folder?

I do the same thing manually now after enough get in there during the day to make it worthwhile.

We are a small office <5 people but we reject over 500 messages a day just from blacklists before they run the gauntlet of SA. I have to say that MailScanner and SA have been a huge success for us. All of us get <2 uncaught each a day. It's almost an event when it happens now.

Mike

From maillists at CONACTIVE.COM Sat Feb 21 09:32:24 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:38 2006
Subject: Which SA rule set considered "Best Practice"?
In-Reply-To: <6.0.0.22.0.20040220185621.0204e3c8@xanadu.evi-inc.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56C83@hart-exchange.hartwellcorp.com> <6.0.0.22.0.20040220185621.0204e3c8@xanadu.evi-inc.com>
Message-ID:

Matt Kettler wrote on Fri, 20 Feb 2004 19:10:40 -0500:
> 1) Enable DNSBLs by installing Net::DNS.
>

or enable right at MTA level, our spam influx has dropped to less than 10% after enabling a few well chosen RBLs (blocking proxy and dynamic IPs is the best) plus bogus HELO plus our own access.db. SA does its job on the remainder and gets more than 99%.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From mhewryk at SYMCOR.COM Sat Feb 21 10:05:05 2004
From: mhewryk at SYMCOR.COM (Magda Hewryk)
Date: Thu Jan 12 21:22:38 2006
Subject: How to turn off: rbl checks, razor/pyzor/dcc and bayes
Message-ID:

Hi,

How can I turn off the RBL check within MailScanner?
Magda

From drew at THEMARSHALLS.CO.UK Sat Feb 21 09:52:45 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:38 2006
Subject: Postfix + MailScanner HELP!
In-Reply-To:
References:
Message-ID: <40372A6D.4030602@themarshalls.co.uk>

Rosaldo

First hit. go #postfix stop to stop any current processes. Then make sure that postfix.in is correct then go #postfix -c /etc/postfix.in start (Or stop then start if it's running already). Try telnetting to your local host #telnet 127.0.0.1 25. If you get a response, then #postfix -c /etc/postfix start and also start MailScanner (if it's not running). Keep checking the logs and post any error messages.

Drew

Rosaldo Garcia wrote:
>Hi,
> Thanks for that reply really appreciate that help, but sad to say i did
>follow that instruction on the links, i still cannot send nor received mail
>when i put and # on that (smtp inet n -
>
>
>> y - - smtpd) under /etc/postfix/master.cf.
>>
>>
>
>Any other idea? Any help is much appreciated. Thanks
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Jacques Caruso
>Sent: Friday, February 20, 2004 7:40 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Postfix + MailScanner HELP!
>
>
>On Thursday 19 February 2004 15:42, Rosaldo Garcia wrote:
>
>
>> Why is it when i try to put an # on ( smtp inet n -
>> y - - smtpd ) under /etc/postfix/master.cf, i get
>>this error
>>
>>
>
>Did you read
> ?
>You need to make sure the *incoming* instance of Postfix (the one
>controlled by the files in /etc/postfix.in) has started, otherwise
>there will be no one to listen to SMTP connections...
>
>Cheers,
>--
>[ Jacques Caruso PHP Developer ]
>[ Monaco Internet http://monaco-internet.mc/ ]
>[ Tel : (+377) 93 10 00 43 Clé
PGP : 0x41F5C63D ]
>[ -*- When the finger points at the moon, the fool looks at the finger -*- ]
>
>

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From sysadmins at ENHTECH.COM Fri Feb 20 21:32:44 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:38 2006
Subject: FEATURE REQUEST
In-Reply-To:
References:
Message-ID: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com>

Hi Julian,

I am not sure if this has been asked before, but is there a way to refresh the whitelists/blacklists without doing a restart? For example, when I add a new email address to be whitelisted, I have to restart the MailScanner. Can we implement a separate script or action to reload/refresh the whitelist/blacklist entries?

Errol Neal

From raymond at PROLOCATION.NET Sat Feb 21 10:16:07 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:38 2006
Subject: How to turn off: rbl checks, razor/pyzor/dcc and bayes
In-Reply-To:
Message-ID:

Hi!

> Hi,
> How can I turn off the RBL check within MailScanner?

Just put:

Spam List =
Spam Domain List =

That's it.

Bye,
Raymond.

From raymond at PROLOCATION.NET Sat Feb 21 10:24:34 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:38 2006
Subject: does spamd have to be running?
In-Reply-To: <004901c3f829$f15d5880$0100a8c0@yogi>
Message-ID:

Hi!

> Does spamd have to be running when using MailScanner?

Not at all.

Bye,
Raymond.
From mailscanner at ecs.soton.ac.uk Sat Feb 21 10:31:16 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:38 2006 Subject: MailScanner not parsing dumaru-y MIME headers In-Reply-To: References: Message-ID: <6.0.1.1.2.20040221103044.04009ec0@imap.ecs.soton.ac.uk> Yes please, send me a copy in a password-protected zip file. Please remember to tell me what the password is! :-) At 22:37 20/02/2004, you wrote: >Julian: > >Running MailScanner-4.27.3-1, rpm version >Running sendmail 8 on RedHat 6.2 with latest rpm-build >Running Sophos 3.79 > >Installed latest version of MailScanner to fix MIME header parsing problem >(MyDoom-A viruses not being found). However, I have been seeing dumaru-y >viruses pass through MailScanner with "Clean" headers. When the mail ends up >in Outlook Express, however, OE finds the attachment and it's up to the >client virus scanner to find dumaru-y. > >I have several copies of the virus-infected email message with full headers >stored on the mail server. If you would like to see them, I can attach the >file and send it to you. > >I thought the latest version of MailScanner was supposed to fix this? >Anybody else having this problem? > >James Corell >E-P-C-S >111 West Mitchell, Suite E >Gaylord, MI 49735 >(989) 732-1366 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Feb 21 12:22:25 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:38 2006 Subject: ANNOUNCE: Beta 4.27.4 released Message-ID: <6.0.1.1.2.20040221121332.03d61008@imap.ecs.soton.ac.uk> G'day all, I have just put 4.27.4 on the website. Note this is a beta release. Download as usual from www.mailscanner.info. 
You can get the full ChangeLog from here: www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog The new changes since 4.27.3 are mostly: * New Stuff * - Added "Non-Forging Viruses" list which works the opposite way around to the "Silent Viruses" list. If a virus report contains any words in this list, then the silent status is over-ridden by this. The net result is that you can put All-Viruses in the silent viruses list, so that by default no warnings are sent to senders. But put markers for joke programs or macro viruses in this list and the senders will still be warned about them, as they are known not to forge the From address. - Added options to add new headers containing the envelope sender and/or envelope recipients addresses. The names of the headers are, of course, configurable. - Much improved clamav-wrapper, courtesy of Kevin Spicer. - Added $subject to Subject: line in sample recipient.spam.report.txt to show it can be used. Should ideally get all other languages translated. * Fixes * - Exim multiple ACLs now supported for SPF compatibility. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From kevins at BMRB.CO.UK Sat Feb 21 12:48:25 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:38 2006 Subject: Training SA In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C8F@hart-exchange.hartwellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56C8F@hart-exchange.hartwellcorp.com> Message-ID: <1077367705.15039.32.camel@bach.kevinspicer.co.uk> On Sat, 2004-02-21 at 03:57, Michael St. Laurent wrote: > I might be able to fix that up... we are stuck with an Exchange server here > for the mail email system. I could create a folder on it for people to move > spam and non-spam messages into. 
What would I then do to access those
> folders from the MailScanner server in such a way that they could be fed
> into sa-learn?

If you are on Exchange 5.5 this might work, but on Exchange 2000 (and later?) the IMAP facility messes with the message (e.g. turns everything into html, suppresses certain headers, changes others etc.) so by the time you have finished your message doesn't much resemble the original. I looked long and hard to find a solution to this - but failed.

I use the attachment option for spam and allow users to forward false positives back to an account on the mailscanner box, which in turn uses a mix of procmail and cron jobs to unpack the attachment and run them through sa-learn. Search the archives for how to do this. I haven't found a way to learn from false negatives.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From pete at eatathome.com.au Sat Feb 21 14:02:41 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:38 2006
Subject: ANNOUNCE: Beta 4.27.4 released
In-Reply-To: <6.0.1.1.2.20040221121332.03d61008@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040221121332.03d61008@imap.ecs.soton.ac.uk>
Message-ID: <40376501.6010609@eatathome.com.au>

Julian Field wrote:

> G'day all,
>
> I have just put 4.27.4 on the website. Note this is a beta release.
> Download as usual from www.mailscanner.info.
> > You can get the full ChangeLog from here: > www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog > > The new changes since 4.27.3 are mostly: > > * New Stuff * > > - Added "Non-Forging Viruses" list which works the opposite way around > to the > "Silent Viruses" list. If a virus report contains any words in this > list, > then the silent status is over-ridden by this. The net result is > that you > can put All-Viruses in the silent viruses list, so that by default no > warnings are sent to senders. But put markers for joke programs or > macro > viruses in this list and the senders will still be warned about > them, as > they are known not to forge the From address. > - Added options to add new headers containing the envelope sender and/or > envelope recipients addresses. The names of the headers are, of course, > configurable. > - Much improved clamav-wrapper, courtesy of Kevin Spicer. > - Added $subject to Subject: line in sample recipient.spam.report.txt > to show > it can be used. Should ideally get all other languages translated. > > * Fixes * > > - Exim multiple ACLs now supported for SPF compatibility. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > Julian, realising this is a beta, once this become a gold release - knowing that i do not use bayes, dcc, razor etc, and currently have ms 4.24-5 and sa 2.60 and clamav, bigevil and backhair - is it likely (assuming almost default settings) that the newer versions of both mailscanner and spam assassin will be far better at catching spam/shitty virus email product, compared to my current versions? I am trying to guess whether its worth upgrading based purely on version comparison alone? 
thanks Pete From pete at eatathome.com.au Sat Feb 21 14:15:07 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:38 2006 Subject: Which SA rule set considered "Best Practice"? In-Reply-To: <6.0.0.22.0.20040220185621.0204e3c8@xanadu.evi-inc.com> References: <91A5926EFF44D3118B1200104B7276EB02C56C83@hart-exchange.hartwellcorp.com> <6.0.0.22.0.20040220185621.0204e3c8@xanadu.evi-inc.com> Message-ID: <403767EB.7030708@eatathome.com.au> Matt Kettler wrote: > At 06:37 PM 2/20/2004, Michael St. Laurent wrote: > >> We're still getting more spam slipping through than I would like and was >> wondering which of the additional rule sets are recommended. I've >> installed >> the fetch scripts for both the bigevil and backhair rule sets so far. >> >> Suggestions please? > > > Disclaimer of bias: I'm one of the add-on ruleset writers... I wrote > antidrug.cf. > > Personally I think your best bet prior to using add on rulesets is to get > all of the features of the default SA system working well. > > 1) Enable DNSBLs by installing Net::DNS. > > 2) Enable bayes by feeding sa-learn.. Feed it well, and feed it > often. Mine gets fed a diet of about 100 fresh spams/day and about 20 > nonspams/day. A good regiment of feeding bayes with input from spamtraps > and such is very helpful. > > 3) Consider installing DCC.. DCC works pretty well and is pretty > lightweight. Razor is more accurate, but seems prone to more network > timeouts. > > > As for add-on rules, I don't use that many, despite being a add-on set > writer. > > "Best practice" would be to be very cautious when using them, and test > them out with very low scores to start. > > If you want to know what I'm using: > > Obviously I use my own antidrug.cf, but that's mostly done as a giant > rude > gesture in the direction of the pill spammers who have been so aggressive > lately. I also use a pair of rules which is a collapsed version of Jen's > popcorn.cf. 
> > describe LOCAL_POPCORN 1-5 letters - hidden tag - 1-7 letters > rawbody LOCAL_POPCORN /[>\s]\w{1,5}<\![^>]*>\w{1,7}\W/i > > describe LOCAL_POPCORN2 1-5 letters - hidden tag - 1-7 letters > rawbody LOCAL_POPCORN2 /[>\s]\w{1,5}<\/\w{2,10}>\w{1,7}\b/i > > I also find this useful: > body LOCAL_MEDS /\bmed[sz]\b/i > > and this: > body BODY_RND_GENERATOR /\%RND_(?:LC_CHAR|UC_CHAR|SYB|WORD)\b/ > > > And that's about it.. other than a bunch of goofball test rules floating > around. I've also been playing with the FVGT_s_OBFU_* rules. > > > The SA wiki has a pretty comprehensive list of the add-on sets if you > need > a list of them. Just remember, when in doubt, test with low scores! > > http://wiki.spamassassin.org/w/CustomRulesets > > > As we dont have the facility to manually feed ham/spam each day, if i did this for a week or 2 and build up 500 odd entries, would it be possible to turn off the updating of bayes and just use the DB as is, or until i find something in the future we really need to add? Auto learn just doesnt work i have found :( sadly. Or is it possible to use downloaded bayes DBs? From hunter at userfriendly.net Sat Feb 21 14:22:53 2004 From: hunter at userfriendly.net (Michael Weiner) Date: Thu Jan 12 21:22:38 2006 Subject: Building an MS-SA box In-Reply-To: <40362D98.10204@solid-state-logic.com> References: <4FD2C985D5E2A642AE25823DFD61C2B01A812A@orca.agcom.amgreetings.com> <40362D98.10204@solid-state-logic.com> Message-ID: <1077373373.2463.94.camel@nomad.userfriendly.net> On Fri, 2004-02-20 at 10:54, Martin Hepworth wrote: > 1) make sure the MailScanner working area, "Incoming Work Dir" defined > in MailScanner.conf, is on a tmpfs not a disk. always an excellent suggestion, once i move this to "production" i will be throwing the Incoming Work Dir onto a Boxhill array. > 2) configure a caching nameserver on the MS box. DEFINITELY!! currently running nscd-2.3.2-27.9.7 (aint redhat's latest versioning crazy?) 
> 3) have a look at the "Max Children" ,"Max Unscanned Messages Per Scan" > and "Max Unsafe Messages Per Scan". Altering these, esp the Max Children > can have a big effect. Given you load average I'd consider lowing the > Max Children - after 1 and 2 have been done. Mine's at 5, but I'm only > running an single 600mhz, 8-9k messages a day. are you talking about within sendmail itself or within MS? Sendmail, tho not running of course, had been configured for an earlier exercise with the following (but still in the cf file): QueueLA=18, RefuseLA=22, DelayLA=0, MaxDaemonChildren=0, ConnectionRateThrottle=0 now withing MS itself i have the following set: Max Children 10 Max Unscanned Messages Per Scan 30 Max Unsafe Messages Per Scan 30 > 4) RAM RAM and plenty of RAM..1-2GB is not unheard of in this list for > your sort of message load. This is an older piece of hardware as well its a dual proc 750MHz PIII with 1G RAM and 1G swap currently. Things have calmed down and the system is running much better albeit at a fairly constant load average of 5-7 throughout the day, once i disabled sendmail's ability to use spamass-milter and regex-milter which i had been using in conjunction with another exercise. But i still run SA with pyzor, razor, and dcc along with MS and the system seems to be stabilizing now over the past 12 hours. Just trying to finish getting ClamAV working. I have 0.67-1 rpm rebuilt and installed, and i can run the wrapper test successfully as follows: /usr/lib/MailScanner/clamav-wrapper /usr /var/spool/MailScanner/quarantine/20040221 and it scans and does find exploits yet MS doesnt mark any nor log any as having been found. I am trying to figure out why, but have had no luck. Any ideas? Thanks in advance. -- Michael B. Weiner, Linux+, Linux+ SME Systems Administrator/Partner The UserFriendly Network (UFN) -- Linux Registered User #94900 Have you been counted? 
http://counter.li.org -- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040221/f2027549/attachment.bin From mailscanner at ecs.soton.ac.uk Sat Feb 21 15:09:48 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:38 2006 Subject: ANNOUNCE: Beta 4.27.4 released In-Reply-To: <40376501.6010609@eatathome.com.au> References: <6.0.1.1.2.20040221121332.03d61008@imap.ecs.soton.ac.uk> <40376501.6010609@eatathome.com.au> Message-ID: <6.0.1.1.2.20040221150647.04156eb0@imap.ecs.soton.ac.uk> At 14:02 21/02/2004, you wrote: >Julian Field wrote: >>G'day all, >> >>I have just put 4.27.4 on the website. Note this is a beta release. >>Download as usual from www.mailscanner.info. >> >>You can get the full ChangeLog from here: >>www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog >> >>The new changes since 4.27.3 are mostly: >> >>* New Stuff * >> >>- Added "Non-Forging Viruses" list which works the opposite way around >>to the >> "Silent Viruses" list. If a virus report contains any words in this >>list, >> then the silent status is over-ridden by this. The net result is >>that you >> can put All-Viruses in the silent viruses list, so that by default no >> warnings are sent to senders. But put markers for joke programs or >>macro >> viruses in this list and the senders will still be warned about >>them, as >> they are known not to forge the From address. >>- Added options to add new headers containing the envelope sender and/or >> envelope recipients addresses. The names of the headers are, of course, >> configurable. >>- Much improved clamav-wrapper, courtesy of Kevin Spicer. >>- Added $subject to Subject: line in sample recipient.spam.report.txt >>to show >> it can be used. Should ideally get all other languages translated. 
>> >>* Fixes * >> >>- Exim multiple ACLs now supported for SPF compatibility. >>-- >>Julian Field >>www.MailScanner.info >>Professional Support Services at www.MailScanner.biz >>MailScanner thanks transtec Computers for their support >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >Julian, realising this is a beta, once this become a gold release - >knowing that i do not use bayes, dcc, razor etc, and currently have ms >4.24-5 and sa 2.60 and clamav, bigevil and backhair - is it likely >(assuming almost default settings) that the newer versions of both >mailscanner and spam assassin will be far better at catching spam/shitty >virus email product, compared to my current versions? > >I am trying to guess whether its worth upgrading based purely on version >comparison alone? I have made some improvements to the attachment-extraction code to make it more robust, and there _may_ yet be another improvement in this code in the next few days. So it is better at spotting viruses than previous versions, but otherwise there are probably not many changes that affect you if you don't want new features. My best advice is to read the ChangeLog at http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog and read all the differences between 4.24 and 4.27 and make your decision based on that. There is no point in upgrading if you don't need to. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Feb 21 15:13:32 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:38 2006 Subject: Building an MS-SA box In-Reply-To: <1077373373.2463.94.camel@nomad.userfriendly.net> References: <4FD2C985D5E2A642AE25823DFD61C2B01A812A@orca.agcom.amgreetings.com> <40362D98.10204@solid-state-logic.com> <1077373373.2463.94.camel@nomad.userfriendly.net> Message-ID: <6.0.1.1.2.20040221151204.0416bf08@imap.ecs.soton.ac.uk> At 14:22 21/02/2004, you wrote: >Just trying to finish getting >ClamAV working. I have 0.67-1 rpm rebuilt and installed, and i can run >the wrapper test successfully as follows: > >/usr/lib/MailScanner/clamav-wrapper /usr >/var/spool/MailScanner/quarantine/20040221 > >and it scans and does find exploits yet MS doesnt mark any nor log any >as having been found. I am trying to figure out why, but have had no >luck. Any ideas? Usual reason for this is links in the /var/spool/MailScanner/incoming path. You need to put the true path in the conf file that doesn't follow any links at all. I have added a note about this to the latest release, as it is a common problem. Also, as you are using clam, make sure that the user clam is running as can actually read the incoming dir and all its subdirs. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From hunter at userfriendly.net Sat Feb 21 15:26:18 2004 From: hunter at userfriendly.net (Michael Weiner) Date: Thu Jan 12 21:22:38 2006 Subject: Building an MS-SA box In-Reply-To: <6.0.1.1.2.20040221151204.0416bf08@imap.ecs.soton.ac.uk> References: <4FD2C985D5E2A642AE25823DFD61C2B01A812A@orca.agcom.amgreetings.com> <40362D98.10204@solid-state-logic.com> <1077373373.2463.94.camel@nomad.userfriendly.net> <6.0.1.1.2.20040221151204.0416bf08@imap.ecs.soton.ac.uk> Message-ID: <1077377178.2463.100.camel@nomad.userfriendly.net> On Sat, 2004-02-21 at 10:13, Julian Field wrote: > Usual reason for this is links in the /var/spool/MailScanner/incoming path. > You need to put the true path in the conf file that doesn't follow any > links at all. > > I have added a note about this to the latest release, as it is a common > problem. > > Also, as you are using clam, make sure that the user clam is running as can > actually read the incoming dir and all its subdirs. I checked and the layout is as follows: /var/spool/MailScanner/incoming is a real directory, no links symlinks or otherwise, and that directory is recursively owned by clamav:clamav and 0600 are the permissions. When i look inside the directory i do see a half-dozen or so directories as in the following: drwx------ 2 clamav clamav 4096 Feb 21 11:02 10792/ drwx------ 2 clamav clamav 4096 Feb 21 11:02 10734/ drwx------ 2 clamav clamav 4096 Feb 21 11:03 13022/ drwx------ 2 clamav clamav 4096 Feb 21 11:03 13413/ and when i look in the most recent one i see some .header files that are owned by clamav and 0400 are the permissions. So that all looks correct, unless someone can tell me otherwise. -- Michael B. 
Weiner, Linux+, Linux+ SME Systems Administrator/Partner The UserFriendly Network (UFN) -- Linux Registered User #94900 Have you been counted? http://counter.li.org -- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040221/36bf1116/attachment.bin From jrudd at UCSC.EDU Sat Feb 21 15:52:15 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:38 2006 Subject: Which SA rule set considered "Best Practice"? In-Reply-To: References: <91A5926EFF44D3118B1200104B7276EB02C56C83@hart-exchange.hartwellcorp.com> <6.0.0.22.0.20040220185621.0204e3c8@xanadu.evi-inc.com> Message-ID: On Feb 21, 2004, at 1:32 AM, Kai Schaetzl wrote: > Matt Kettler wrote on Fri, 20 Feb 2004 19:10:40 -0500: > >> 1) Enable DNSBLs by installing Net::DNS. >> > > or enable right at MTA level, our spam influx has dropped to less than > 10% > after enabling a few well chosen RBLs (blocking proxy and dynamic IPs > is > the best) plus bogus HELO plus our own access.db. SA does its job on > the > remainder and gets more than 99%. > Which ones are you using? From maillists at CONACTIVE.COM Sat Feb 21 17:31:39 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:38 2006 Subject: Stop scanning of outgoing mails? In-Reply-To: <62E46E0C3CB8024C807447814E1B20A501CD08@granitemail.mirabito.com> References: <62E46E0C3CB8024C807447814E1B20A501CD08@granitemail.mirabito.com> Message-ID: Brent Strignano wrote on Fri, 20 Feb 2004 16:50:10 -0500: > If it is you could set it up to forward incoming external email to the > second sendmail process on your gateway server (either by a new port or > IP address). > Then the outgoing would stay the same and your users wouldn't know the > difference. 
> There is no "gateway" and no way of knowing which IP is "external" and which is "internal". I guess the best and simplest way really is to put all outgoing mail on a box which doesn't have MailScanner, add all users there and tell clients to use a different hostname for SMTP. As has been suggested as one of the first solutions. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Sat Feb 21 17:31:39 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:38 2006 Subject: [Mailwatch-users] SpamAssassins config options and sa-learn In-Reply-To: <64753.68.63.190.49.1076200302.squirrel@new.host.name> References: <64753.68.63.190.49.1076200302.squirrel@new.host.name> Message-ID: wrote on Sat, 7 Feb 2004 17:31:42 -0700 (MST): > Does MailScanner honor the SpamAssassin options that are set in > SpamAssassins 'local.cf' file? Or does MailScanner instead only use the > options which are set in /etc/MailScanner/spam.assassin.prefs.conf. > It uses the file which is configured in MailScanner.conf, so if you haven't changed that it's spam.assassin.prefs.conf. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Sat Feb 21 17:31:39 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:38 2006 Subject: Which SA rule set considered "Best Practice"? 
In-Reply-To: <403767EB.7030708@eatathome.com.au> References: <91A5926EFF44D3118B1200104B7276EB02C56C83@hart-exchange.hartwellcorp.com> <6.0.0.22.0.20040220185621.0204e3c8@xanadu.evi-inc.com> <403767EB.7030708@eatathome.com.au> Message-ID: Pete wrote on Sun, 22 Feb 2004 01:15:07 +1100: > As we dont have the facility to manually feed ham/spam each day, if i > did this for a week or 2 and build up 500 odd entries, would it be > possible to turn off the updating of bayes and just use the DB as is, Not recommended. Bayes works only if you learn it continually, either by hand or auto. Then better leave it off. or > until i find something in the future we really need to add? Auto learn > just doesnt work i have found :( > It possibly doesn't work for you, because you have low scoring spam or haven't yet learned enough. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Sat Feb 21 17:31:39 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:38 2006 Subject: Spam whitelist rules In-Reply-To: <403669F3.49CF7DE7@ihs.com> References: <40361F4E.6576F319@ihs.com> <40363E74.6C6D5B7F@ihs.com> <403669F3.49CF7DE7@ihs.com> Message-ID: Dustin Baer wrote on Fri, 20 Feb 2004 13:11:31 -0700: > If you store the spam, then you won't see any MailScanner headers. The > stored version is untouched by MailScanner. Ok, that clears up everything :-) I skip some of your questions below, because this is solved now. Everything works like it should, we just don't get the scores in the mail because they are stored. But MailScanner stores them for us in the MySQL table and I can see them all via Mailwatch, so I didn't notice earlier. Either the documentation doesn't mention it or I overlooked that. I also didn't know that stored mail won't be scanned for viruses before I read this list. 
> I quarantine spam as queue files (qf/df), so when someone requests the > quarantined email, my script changes whatever the value for $_ in the qf > file is to $_[a.b.c.d]. a.b is already in whitelisted by > spam.whitelist.rules, and a.b.c.d is set to "yes" in SpamChecks.rules (I > didn't make that completely clear). Ok, in connection with the above everything's clear now, thanks! You are releasing to mqueue.in and not to mqueue, so the stuff gets scanned for viruses. Interesting solution, I'll try to remember it. We don't quarantine with queue files because Mailwatch needs Mailbox files, so if we wanted it this way we had to change back to queue files. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From faq at mailscanner.info Sun Feb 22 00:28:01 2004 From: faq at mailscanner.info (faq@mailscanner.info) Date: Thu Jan 12 21:22:38 2006 Subject: Faq-O-Matic Error Log Message-ID: <200402220028.i1M0S1Wn025817@seer.ecs.soton.ac.uk> Errors from MailScanner Faq-O-Matic (v. 2.717): 2004-02-20-11-24-48 2.717 error editPart 15493 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 0; in item: 4) 2004-02-20-11-28-26 2.717 error editPart 15890 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.


(Sequence number in form: 6; in item: 9) 2004-02-20-22-25-15 2.717 error editPart 10215 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.


(Sequence number in form: 7; in item: 8) 2004-02-20-22-53-05 2.717 error editPart 13749 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.


(Sequence number in form: 0; in item: 2) 2004-02-20-23-46-07 2.717 error editPart 23880 <(noID)> The file (211) doesn't exist. 2004-02-21-06-28-34 2.717 error editPart 29910 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.


(Sequence number in form: 3; in item: 4)

From mailscanner at SMITS.CO.UK Sun Feb 22 09:00:40 2004
From: mailscanner at SMITS.CO.UK (MailScanner)
Date: Thu Jan 12 21:22:38 2006
Subject: Training SA
Message-ID: <58696C94787F16468267F3509F1150309814@hermes.clumpton.homeip.net>

Try this script; we use it to pull the messages from junkmail and goodmail folders on the Exchange and feed the messages to sa-learn like so:

#!/bin/sh
# Pull the messages users filed in the Exchange public folders and feed
# them to sa-learn.

# Exchange server and the account folderdump logs in with (fill these in).
# Note that the password is passed to folderdump on the command line.
SERVER=
USER=
PASS=

# Public folder names for non-spam and spam.
GOOD=goodmail
JUNK=junkmail

# Local directories the folders are dumped into.
SPAM=/tmp/spam
NOTSPAM=/tmp/notspam

LOGFILE=/var/log/learn.spam.log
PREFS=/etc/MailScanner/spam.assassin.prefs.conf
SALEARN=/usr/bin/sa-learn

# Dump both public folders to the local directories.
/usr/sbin/folderdump --host "$SERVER" --user "$USER" --pass "$PASS" --folder "Public Folders/$JUNK" --dir "$SPAM"
/usr/sbin/folderdump --host "$SERVER" --user "$USER" --pass "$PASS" --folder "Public Folders/$GOOD" --dir "$NOTSPAM"

date >> "$LOGFILE"

# Learn the spam, then empty the directory.
"$SALEARN" --prefs-file="$PREFS" --spam "$SPAM" >> "$LOGFILE" 2>&1
rm -f "$SPAM"/*

# Learn the ham, then empty the directory.
"$SALEARN" --prefs-file="$PREFS" --ham "$NOTSPAM" >> "$LOGFILE" 2>&1
rm -f "$NOTSPAM"/*

Make sure that the spam checking user has read access to the public folders. You may want to restrict its write/delete access to the junkmail folder only, otherwise a user may accidentally drag and drop a valuable message on goodmail, rather than Ctrl+Drag and drop.

Bart...

-----Original Message-----
From: Michael St. Laurent [mailto:mikes@HARTWELLCORP.COM]
Posted At: 21 February 2004 04:43
Posted To: MailScanner
Conversation: Training SA
Subject: Re: Training SA

Steve Thomas wrote:
> On Fri, Feb 20, 2004 at 07:57:52PM -0800, Michael St. Laurent is
> rumored to have said:
>>
>> I might be able to fix that up... we are stuck with an Exchange
>> server here for the mail email system. I could create a folder on
>> it for people to move spam and non-spam messages into. What would I
>> then do to access those folders from the MailScanner server in such
>> a way that they could be fed into sa-learn?
>
> Never worked with exchange, so I can't say.
You could probably do a > perl script that logs in via pop3 or imap and downloads/deletes the > messages from the exchange box. I know there's a bunch of exchange > people on this list, so maybe you'll get a more definitive answer on > Monday. Okay, I'll wait to see what others have to say then. Thanks. :-D -- Michael St. Laurent Hartwell Corporation -------------- next part -------------- A non-text attachment was scrubbed... Name: folderdump.pl Type: application/octet-stream Size: 2760 bytes Desc: folderdump.pl Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040222/e12922c2/folderdump.obj From gregg at GBCOMPUTERS.COM Sat Feb 21 21:11:10 2004 From: gregg at GBCOMPUTERS.COM (Gregg Berkholtz) Date: Thu Jan 12 21:22:38 2006 Subject: Emailing quarantined emails In-Reply-To: <1077331933.4345.38.camel@localhost.localdomain> References: <20040220193427.GA30431@gbcomputers.com> <1077331933.4345.38.camel@localhost.localdomain> Message-ID: <20040221211110.GA7057@gbcomputers.com> On Fri, Feb 20, 2004 at 09:52:13PM -0500, Jon Carnes wrote: > On Fri, 2004-02-20 at 14:34, Gregg Berkholtz wrote: > > Digging through the listserve archives, online documentation, and > > source, I don't see an answer to this question; > > While it's possible to archive all emails to an email address instead of > > a folder, is it also possible to quarantine emails to an address? If > > not, is/was this a desired/considered feature? > > > > Gregg Berkholtz > > I'm confused by your question, but here is a couple of attempts... > > If you save the quarantined email in q-format then you can drag and drop > the email qfiles directly into the outgoing /var/spool/mqueue directory > where they will be sent out to their original destination. > > If you want to have all email to an address thrown in quarantine, then > blacklist that address. 
>
> Jon Carnes
>

Actually, what I want to do is change the original recipient of the infected messages to point to a generic quarantine address, and then deliver the email to that address. Something so that the helpdesk doesn't have to access the SMTP server directly. Then they'll just check that other mailbox (actually it'll be a shared IMAP folder) to look at any quarantined messages. Though 99% of quarantined emails are worthless anyway, that other 1% needs to be easily/quickly accessed by the helpdesk staff.

Basically, I really like what I see in MailScanner, and want to replace our existing AMViS install with it. Currently AMViS redirects infected messages to a quarantine address, and I'm trying to avoid changing the procedure our helpdesk has become accustomed to.

Gregg

From pete at eatathome.com.au Sat Feb 21 21:25:36 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:38 2006
Subject: Which SA rule set considered "Best Practice"?
In-Reply-To:
References: <91A5926EFF44D3118B1200104B7276EB02C56C83@hart-exchange.hartwellcorp.com> <6.0.0.22.0.20040220185621.0204e3c8@xanadu.evi-inc.com> <403767EB.7030708@eatathome.com.au>
Message-ID: <4037CCD0.7060503@eatathome.com.au>

Kai Schaetzl wrote:

>Pete wrote on Sun, 22 Feb 2004 01:15:07 +1100:
>
>>As we don't have the facility to manually feed ham/spam each day, if I
>>did this for a week or 2 and build up 500 odd entries, would it be
>>possible to turn off the updating of bayes and just use the DB as is,
>
>Not recommended. Bayes works only if you learn it continually, either by
>hand or auto. Then better leave it off.
>
>or
>
>>until I find something in the future we really need to add? Auto learn
>>just doesn't work I have found :(
>
>It possibly doesn't work for you, because you have low scoring spam or
>haven't yet learned enough.
>
>Kai
>
>--
>Kai Schätzl, Berlin, Germany
>Get your web at Conactive Internet Services: http://www.conactive.com
>IE-Center: http://ie5.de & http://msie.winware.org
>

Nah, I think from autolearning it learns incorrectly (poisoned?) and then scores mail inappropriately. I think I will use auto learn but re-create the DBs once a month.

From newsgroup2 at SPACELINK.COM.AU Sun Feb 22 01:03:30 2004
From: newsgroup2 at SPACELINK.COM.AU (Stuart Clark)
Date: Thu Jan 12 21:22:39 2006
Subject: Mass Config Comparison
Message-ID: <006701c3f8df$b0b7b210$0100a8c0@yogi>

I thought it might be good to compare important configuration values.

Please enter your values with more details if relevant.

Environment - Small ISP

Virus-----------------------
Virus scanners used - default
Still Deliver Silent Viruses = yes
Allow Form Tags = yes
Allow IFrame Tags = yes
Allow Object Codebase Tags = yes
Deliver Disinfected Files = no

Spam------------------------
Required SpamAssassin Score = 8
High SpamAssassin Score = 15
Spam Actions = deliver
High Scoring Spam Actions = delete
Razor - yes
DCC - yes
Pyzor - yes

Additional rules
Chickenpox.cf
Antidrug.cf

False positives - Almost zero
User complaints - Almost zero

MRTG - http://mailscanner.spacelink.com.au

Regards
Stuart Clark RHCE
Spacelink Communications Pty Ltd

From ugob at CAMO-ROUTE.COM Sun Feb 22 04:35:59 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:39 2006
Subject: Building an MS-SA box
Message-ID: <54C38A0B814C8E438EF73FC76F362927410923@mtlnt501fs.CAMOROUTE.COM>

>
>> 2) configure a caching nameserver on the MS box.
>
>DEFINITELY!! currently running nscd-2.3.2-27.9.7 (aint redhat's latest
>versioning crazy?)
>

nscd?

Is it better than to use the package named "caching nameserver"?

I don't need to cache other services.

Thanks,

From wppiphoto at wppi.com Sun Feb 22 09:31:52 2004
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:22:39 2006
Subject: Some e-mails not being scanned?
 {Scanned}
References: <003a01c3f3da$58331a30$0d01a8c0@Toshiba> <6.0.1.1.2.20040215180600.0323a5a0@imap.ecs.soton.ac.uk>
Message-ID: <001c01c3f926$b7ad0970$0d01a8c0@Toshiba>

Julian,

Sorry, didn't see your reply until tonight. Oops! In regards to your reply, these e-mails that bypass MS/SA don't in any way come from any place which I have whitelisted. We use openwebmail but I'm not sure how this spammer is using that to bypass MS/SA.

The strange thing is that only e-mails with the 'X-AntiAbuse' header seem to bypass MS/SA. Can anyone see a pattern and possibilities of how this spammer is bypassing MS/SA? Here are some more header info. of some recent e-mails all from the same spammer:

Return-Path:
Received: from 1stbulkemail.com (pD9504F54.dip.t-dialin.net [217.80.79.84])
 by wppi.com (8.10.2/8.10.2) with SMTP id i1M7FWf10235
 for ; Sun, 22 Feb 2004 02:15:33 -0500
Received: (from www@localhost)
 by 1stbulkemail.com (8.11.6p2/8.11.3) with ESMTP id J87Gz028030521
 for ; Sun, 22 Feb 2004 07:15:07 +0000 (GMT)
 (envelope-from www)
Message-ID: <697663289192.4DuK9L6i87y3H4@localhost>
From: "Shara Montoya"
To: sales@wppi.com
Subject: Design Your Logo {Scanned}
Date: Sun, 22 Feb 2004 07:15:07 +0000 (GMT)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - 1stbulkemail.com
X-AntiAbuse: Original Domain - 1stbulkemail.com
X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
X-AntiAbuse: Sender Address Domain -
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"

--------------------------------------------------------------------------------

Return-Path:
Received: from eofficemail.com ([218.157.147.241])
 by wash-photo.com (8.10.2/8.10.2) with SMTP id i1M13of25927
 for ; Sat, 21 Feb 2004 20:03:51 -0500
Received: (from www@localhost)
 by eofficemail.com (Vircom SMTPRS 2.1.258) with ESMTP id J87Gz030585292
 for ; Sat, 21 Feb 2004 20:04:42 -0500 (EST)
 (envelope-from www)
Message-ID: <380117213434.PbtrkS09esY7Q8@localhost>
From: "Laquita Ewing"
To: sales@wash-photo.com
Subject: Custom Logo Creation {Scanned}
Date: Sat, 21 Feb 2004 20:04:42 -0500 (EST)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - eofficemail.com
X-AntiAbuse: Original Domain - eofficemail.com
X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
X-AntiAbuse: Sender Address Domain -
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"

--------------------------------------------------------------------------------

Return-Path:
Received: from emailphonebook.net (lsanca2-ar32-4-33-033-229.lsanca2.dsl-verizon.net [4.33.33.229])
 by ultraphotos.com (8.10.2/8.10.2) with SMTP id i1LKDLf12864
 for ; Sat, 21 Feb 2004 15:13:21 -0500
Received: (from www@localhost)
 by emailphonebook.net (8.12.8/8.10.0) with ESMTP id J87Gz028821499
 for ; Sat, 21 Feb 2004 20:07:22 +0000 (GMT)
 (envelope-from www)
Message-ID: <548455242357.f8H0iBG31vW05g@localhost>
From: "Sade Rowe"
To: sales@ultraphotos.com
Subject: Flash Logo Animation {Scanned}
Date: Sat, 21 Feb 2004 20:07:22 +0000 (GMT)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - emailphonebook.net
X-AntiAbuse: Original Domain - emailphonebook.net
X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
X-AntiAbuse: Sender Address Domain -
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"

----- Original Message -----
From: "Julian Field"
To:
Sent: Sunday, February 15, 2004 1:08 PM
Subject: Re: Some e-mails not being scanned? {Scanned}

> I suspect from the headers that you have an email-generating app (a webmail
> system perhaps?) that is sending mail by directly invoking the sendmail
> binary.
> You need to get this app to send mail by talking SMTP to localhost
> instead.
> Either that or you have bypassed the MS host in some way for this mail. As
> you don't say which of the systems involved is the MS host, it is
> impossible to say for definite.
>
> At 15:42 15/02/2004, you wrote:
> >Can someone tell me why some e-mails don't get scanned by MS/SA? I know they
> >are not being scanned because they are missing the mailscanner header info.
> >The only thing I can think of is that there is something in mailscanner
> >which ignores e-mails that contain in the header 'X-AntiAbuse' and flags
> >them as non-spam. Not sure if I'm right but hopefully someone here can help.
> >
> >Here is a sample e-mail header which does not get scanned by mailscanner:
> >
> >Return-Path:
> >Received: from free-web-hosting-and-free-email.com
> >(pcp07722622pcs.nrockv01.md.comcast.net [69.138.239.114])
> > by wppi.net (8.10.2/8.10.2) with SMTP id i1BMkQA01925
> > for ; Wed, 11 Feb 2004 17:46:30 -0500
> >Received: (from www@localhost)
> > by free-web-hosting-and-free-email.com (SMTPD32-7.00) with ESMTP id
> >J87Gz037587771
> > for ; Wed, 11 Feb 2004 17:44:37 -0500 (EST)
> > (envelope-from www)
> >Message-ID: <823244444119.yyr36h3MgwRq8N@localhost>
> >From: "Ruthie Nixon"
> >To: sales@wppi.net
> >Subject: Website Intros and Animated Logos {Scanned}
> >Date: Wed, 11 Feb 2004 17:44:37 -0500 (EST)
> >X-AntiAbuse: This header was added to track abuse, please include it with
> >any abuse report
> >X-AntiAbuse: Primary Hostname - free-web-hosting-and-free-email.com
> >X-AntiAbuse: Original Domain - free-web-hosting-and-free-email.com
> >X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
> >X-AntiAbuse: Sender Address Domain -
> >MIME-Version: 1.0
> >Content-Type: multipart/alternative;
> > boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"
> >
> >Thanks,
> >
> >SW
> >
> >-------------------------------------------------
> > WPPi.com | WPPi.Net
> >-------------------------------------------------
> > http://www.wppi.com | http://www.wppi.net
> >-------------------------------------------------
> >WPPi.com & WPPi.Net MailScanner Signature
> >This message has been scanned for viruses
> >and dangerous content by WPPi MailScanner,
> >and has been found to be clean.
> >-------------------------------------------------
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> -------------------------------------------------
> WPPi.com | WPPi.Net
> -------------------------------------------------
> http://www.wppi.com | http://www.wppi.net
> -------------------------------------------------
> WPPi.com & WPPi.Net MailScanner Signature
> This message has been scanned for viruses
> and dangerous content by WPPi MailScanner,
> and has been found to be clean.
> -------------------------------------------------
>

-------------------------------------------------
WPPi.com | WPPi.Net
-------------------------------------------------
http://www.wppi.com | http://www.wppi.net
-------------------------------------------------
WPPi.com & WPPi.Net MailScanner Signature
This message has been scanned for viruses
and dangerous content by WPPi MailScanner,
and has been found to be clean.
-------------------------------------------------

From newsgroup2 at SPACELINK.COM.AU Sun Feb 22 12:13:01 2004
From: newsgroup2 at SPACELINK.COM.AU (Stuart Clark)
Date: Thu Jan 12 21:22:39 2006
Subject: What is the best High SpamAssassin Score
Message-ID: <001101c3f93d$394a0760$0100a8c0@yogi>

What is the best High SpamAssassin Score?
Without getting complaints from customers

Kind Regards
Stuart Clark
Spacelink Communications Pty Ltd

From raymond at PROLOCATION.NET Sun Feb 22 12:17:44 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:39 2006
Subject: What is the best High SpamAssassin Score
In-Reply-To: <001101c3f93d$394a0760$0100a8c0@yogi>
Message-ID:

Hi!

> What is the best High SpamAssassin Score?
>
> Without getting complaints from customers

Around 18-20 is what we always recommend.

Bye,
Raymond.

From jaearick at COLBY.EDU Sun Feb 22 12:41:28 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:39 2006
Subject: Building an MS-SA box
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410923@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410923@mtlnt501fs.CAMOROUTE.COM>
Message-ID:

IMHO, you are better off running a cache/slave DNS like bind or tinydns. On Solaris we have found that nscd can be a bottleneck, not a help. When we moved our web service (apache) from HP to Solaris, we were getting really poor response until we turned off nscd. I have it turned off on all of my Sun boxes, including my MailScanner box. Others may have different insight on nscd.

Jeff Earickson
Colby College

On Sat, 21 Feb 2004, Ugo Bellavance wrote:

> Date: Sat, 21 Feb 2004 23:35:59 -0500
> From: Ugo Bellavance
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Building an MS-SA box
>
> >
> >> 2) configure a caching nameserver on the MS box.
> >
> >DEFINITELY!! currently running nscd-2.3.2-27.9.7 (aint redhat's latest
> >versioning crazy?)
> >
>
> nscd?
>
> Is it better than to use the package named "caching nameserver"?
>
> I don't need to cache other services.
>
> Thanks,
>

From mailscanner at ecs.soton.ac.uk Sun Feb 22 13:16:59 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:39 2006
Subject: Building an MS-SA box
In-Reply-To:
References: <54C38A0B814C8E438EF73FC76F362927410923@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <6.0.1.1.2.20040222131529.03ebfe18@imap.ecs.soton.ac.uk>

I agree with the comments about Solaris's nscd. It appears to slowly grow without limit. I have had one taking about 800MB of RAM after the box had been up for a few months.

Linux's nscd might be better, but most people only need to cache DNS responses, which is better done with bind as it is more configurable.

At 12:41 22/02/2004, you wrote:
>IMHO, you are better off running a cache/slave DNS like bind or
>tinydns. On Solaris we have found that nscd can be a bottleneck,
>not a help. When we moved our web service (apache) from HP to
>Solaris, we were getting really poor response until we turned off
>nscd. I have it turned off on all of my Sun boxes, including
>my MailScanner box. Others may have different insight on nscd.
>
>Jeff Earickson
>Colby College
>
>On Sat, 21 Feb 2004, Ugo Bellavance wrote:
>
> > Date: Sat, 21 Feb 2004 23:35:59 -0500
> > From: Ugo Bellavance
> > Reply-To: MailScanner mailing list
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Building an MS-SA box
> >
> > >
> > >> 2) configure a caching nameserver on the MS box.
> > >
> > >DEFINITELY!! currently running nscd-2.3.2-27.9.7 (aint redhat's latest
> > >versioning crazy?)
> > >
> >
> > nscd?
> >
> > Is it better than to use the package named "caching nameserver"?
> >
> > I don't need to cache other services.
> >
> > Thanks,
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Feb 22 13:13:21 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:39 2006
Subject: Emailing quarantined emails
In-Reply-To: <20040221211110.GA7057@gbcomputers.com>
References: <20040220193427.GA30431@gbcomputers.com> <1077331933.4345.38.camel@localhost.localdomain> <20040221211110.GA7057@gbcomputers.com>
Message-ID: <6.0.1.1.2.20040222131207.039c3200@imap.ecs.soton.ac.uk>

At 21:11 21/02/2004, you wrote:
>On Fri, Feb 20, 2004 at 09:52:13PM -0500, Jon Carnes wrote:
> > On Fri, 2004-02-20 at 14:34, Gregg Berkholtz wrote:
> > > Digging through the listserve archives, online documentation, and
> > > source, I don't see an answer to this question;
> > > While it's possible to archive all emails to an email address instead of
> > > a folder, is it also possible to quarantine emails to an address? If
> > > not, is/was this a desired/considered feature?
> > >
> > > Gregg Berkholtz
> >
> > I'm confused by your question, but here is a couple of attempts...
> >
> > If you save the quarantined email in q-format then you can drag and drop
> > the email qfiles directly into the outgoing /var/spool/mqueue directory
> > where they will be sent out to their original destination.
> >
> > If you want to have all email to an address thrown in quarantine, then
> > blacklist that address.
> >
> > Jon Carnes
> >
>
>Actually, what I want to do is change the original recipient of the
>infected messages to point to a generic quarantine address, and then
>deliver the email to that address. Something so that the helpdesk doesn't
>have to access the SMTP server directly. Then they'll just check that
>other mailbox (actually it'll be a shared IMAP folder) to look at any
>quarantined messages.
>Though 99% of quarantined emails are worthless
>anyway, that other 1% needs to be easily/quickly accessed by the
>helpdesk staff.
>
>Basically, I really like what I see in MailScanner, and want to replace
>our existing AMViS install with it. Currently AMViS redirects infected
>messages to a quarantine address, and I'm trying to avoid changing the
>procedure our helpdesk has become accustomed to.

I've just taken a look at this, and it's not easy. I will try to come up with a solution but I can't make any promises. You are probably going to have to re-educate your helldesk staff. Sorry about that.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Feb 22 13:20:24 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:39 2006
Subject: Some e-mails not being scanned? {Scanned}
In-Reply-To: <001c01c3f926$b7ad0970$0d01a8c0@Toshiba>
References: <003a01c3f3da$58331a30$0d01a8c0@Toshiba> <6.0.1.1.2.20040215180600.0323a5a0@imap.ecs.soton.ac.uk> <001c01c3f926$b7ad0970$0d01a8c0@Toshiba>
Message-ID: <6.0.1.1.2.20040222131755.03efada0@imap.ecs.soton.ac.uk>

All I can really say at this point is that scanning is not governed by the contents of the headers in any way, so looking at the AntiAbuse headers is a red herring.

I still think it's a webmail configuration interface problem, as the "www@localhost" statements imply. I still think your webmail is not delivering by SMTP to your MailScanner, but is invoking sendmail directly. Take a good look at your webmail configuration.

At 09:31 22/02/2004, you wrote:
>Julian,
>
>Sorry, didn't see your reply until tonight. Oops! In regards to your reply,
>these e-mails that bypass MS/SA don't in any way come from any place which I
>have whitelisted.
>We use openwebmail but I'm not sure how this spammer is
>using that to bypass MS/SA.
>
>The strange thing is that only e-mails with the 'X-AntiAbuse' header seem to
>bypass MS/SA. Can anyone see a pattern and possibilities of how this spammer
>is bypassing MS/SA? Here are some more header info. of some recent e-mails
>all from the same spammer:
>
>Return-Path:
>Received: from 1stbulkemail.com (pD9504F54.dip.t-dialin.net [217.80.79.84])
> by wppi.com (8.10.2/8.10.2) with SMTP id i1M7FWf10235
> for ; Sun, 22 Feb 2004 02:15:33 -0500
>Received: (from www@localhost)
> by 1stbulkemail.com (8.11.6p2/8.11.3) with ESMTP id J87Gz028030521
> for ; Sun, 22 Feb 2004 07:15:07 +0000 (GMT)
> (envelope-from www)
>Message-ID: <697663289192.4DuK9L6i87y3H4@localhost>
>From: "Shara Montoya"
>To: sales@wppi.com
>Subject: Design Your Logo {Scanned}
>Date: Sun, 22 Feb 2004 07:15:07 +0000 (GMT)
>X-AntiAbuse: This header was added to track abuse, please include it with
>any abuse report
>X-AntiAbuse: Primary Hostname - 1stbulkemail.com
>X-AntiAbuse: Original Domain - 1stbulkemail.com
>X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
>X-AntiAbuse: Sender Address Domain -
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"
>
>--------------------------------------------------------------------------------
>
>Return-Path:
>Received: from eofficemail.com ([218.157.147.241])
> by wash-photo.com (8.10.2/8.10.2) with SMTP id i1M13of25927
> for ; Sat, 21 Feb 2004 20:03:51 -0500
>Received: (from www@localhost)
> by eofficemail.com (Vircom SMTPRS 2.1.258) with ESMTP id J87Gz030585292
> for ; Sat, 21 Feb 2004 20:04:42 -0500 (EST)
> (envelope-from www)
>Message-ID: <380117213434.PbtrkS09esY7Q8@localhost>
>From: "Laquita Ewing"
>To: sales@wash-photo.com
>Subject: Custom Logo Creation {Scanned}
>Date: Sat, 21 Feb 2004 20:04:42 -0500 (EST)
>X-AntiAbuse: This header was added to track abuse, please include it with
>any abuse report
>X-AntiAbuse: Primary Hostname - eofficemail.com
>X-AntiAbuse: Original Domain - eofficemail.com
>X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
>X-AntiAbuse: Sender Address Domain -
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"
>
>--------------------------------------------------------------------------------
>
>Return-Path:
>Received: from emailphonebook.net
>(lsanca2-ar32-4-33-033-229.lsanca2.dsl-verizon.net [4.33.33.229])
> by ultraphotos.com (8.10.2/8.10.2) with SMTP id i1LKDLf12864
> for ; Sat, 21 Feb 2004 15:13:21 -0500
>Received: (from www@localhost)
> by emailphonebook.net (8.12.8/8.10.0) with ESMTP id J87Gz028821499
> for ; Sat, 21 Feb 2004 20:07:22 +0000 (GMT)
> (envelope-from www)
>Message-ID: <548455242357.f8H0iBG31vW05g@localhost>
>From: "Sade Rowe"
>To: sales@ultraphotos.com
>Subject: Flash Logo Animation {Scanned}
>Date: Sat, 21 Feb 2004 20:07:22 +0000 (GMT)
>X-AntiAbuse: This header was added to track abuse, please include it with
>any abuse report
>X-AntiAbuse: Primary Hostname - emailphonebook.net
>X-AntiAbuse: Original Domain - emailphonebook.net
>X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
>X-AntiAbuse: Sender Address Domain -
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"
>
>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: Sunday, February 15, 2004 1:08 PM
>Subject: Re: Some e-mails not being scanned? {Scanned}
>
> > I suspect from the headers that you have an email-generating app (a webmail
> > system perhaps?) that is sending mail by directly invoking the sendmail
> > binary. You need to get this app to send mail by talking SMTP to localhost
> > instead.
> > Either that or you have bypassed the MS host in some way for this mail. As
> > you don't say which of the systems involved is the MS host, it is
> > impossible to say for definite.
> >
> > At 15:42 15/02/2004, you wrote:
> > >Can someone tell me why some e-mails don't get scanned by MS/SA? I know they
> > >are not being scanned because they are missing the mailscanner header info.
> > >The only thing I can think of is that there is something in mailscanner
> > >which ignores e-mails that contain in the header 'X-AntiAbuse' and flags
> > >them as non-spam. Not sure if I'm right but hopefully someone here can help.
> > >
> > >Here is a sample e-mail header which does not get scanned by mailscanner:
> > >
> > >Return-Path:
> > >Received: from free-web-hosting-and-free-email.com
> > >(pcp07722622pcs.nrockv01.md.comcast.net [69.138.239.114])
> > > by wppi.net (8.10.2/8.10.2) with SMTP id i1BMkQA01925
> > > for ; Wed, 11 Feb 2004 17:46:30 -0500
> > >Received: (from www@localhost)
> > > by free-web-hosting-and-free-email.com (SMTPD32-7.00) with ESMTP id
> > >J87Gz037587771
> > > for ; Wed, 11 Feb 2004 17:44:37 -0500 (EST)
> > > (envelope-from www)
> > >Message-ID: <823244444119.yyr36h3MgwRq8N@localhost>
> > >From: "Ruthie Nixon"
> > >To: sales@wppi.net
> > >Subject: Website Intros and Animated Logos {Scanned}
> > >Date: Wed, 11 Feb 2004 17:44:37 -0500 (EST)
> > >X-AntiAbuse: This header was added to track abuse, please include it with
> > >any abuse report
> > >X-AntiAbuse: Primary Hostname - free-web-hosting-and-free-email.com
> > >X-AntiAbuse: Original Domain - free-web-hosting-and-free-email.com
> > >X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
> > >X-AntiAbuse: Sender Address Domain -
> > >MIME-Version: 1.0
> > >Content-Type: multipart/alternative;
> > > boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"
> > >
> > >Thanks,
> > >
> > >SW
> > >
> > >-------------------------------------------------
> > > WPPi.com | WPPi.Net
> > >-------------------------------------------------
> > > http://www.wppi.com | http://www.wppi.net
> > >-------------------------------------------------
> > >WPPi.com & WPPi.Net
> > >MailScanner Signature
> > >This message has been scanned for viruses
> > >and dangerous content by WPPi MailScanner,
> > >and has been found to be clean.
> > >-------------------------------------------------
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> > -------------------------------------------------
> > WPPi.com | WPPi.Net
> > -------------------------------------------------
> > http://www.wppi.com | http://www.wppi.net
> > -------------------------------------------------
> > WPPi.com & WPPi.Net MailScanner Signature
> > This message has been scanned for viruses
> > and dangerous content by WPPi MailScanner,
> > and has been found to be clean.
> > -------------------------------------------------
> >
>
>-------------------------------------------------
> WPPi.com | WPPi.Net
>-------------------------------------------------
> http://www.wppi.com | http://www.wppi.net
>-------------------------------------------------
>WPPi.com & WPPi.Net MailScanner Signature
>This message has been scanned for viruses
>and dangerous content by WPPi MailScanner,
>and has been found to be clean.
>-------------------------------------------------

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MWeiner at AG.COM Sun Feb 22 13:25:36 2004
From: MWeiner at AG.COM (MW Mike Weiner (5028))
Date: Thu Jan 12 21:22:39 2006
Subject: Building an MS-SA box
Message-ID: <4FD2C985D5E2A642AE25823DFD61C2B01A8179@orca.agcom.amgreetings.com>

I will keep that in mind, thank you Jeff. I am not a big fan of tinydns, if I am going to have to run dns, then I will just opt for running bind9 and get it over with.
I have not as yet seen too much of a lookup bottleneck, but I understand what you are saying and have seen that in other instances where we've used nscd.

What I really want to get working is pipelining within sendmail, so instead of opening a connection, and doing the work, then closing the connection, why not create a "persistent" connection over which I pipeline the mail to the DS host. Example, tho the current implementation of this spambox would not make for a great candidate for this, but we run mailers in our farm where we send boat loads of emails to a variety of recipients from the web servers using an Ironport mailer device as the focal point before blasting it to the world. Now, being able to pipeline there would be a nice help.

Anyway, thanks to all who have responded. The spambox is working well, other than clamav which still doesn't seem to be working as nothing ever gets "tagged" as containing a virus or exploit. Not sure if this is related to my delivery rules as being "store deliver" or not, cause I can see clamscan doing its work on the temp working directory and signs of life in logs, etc. Can anyone confirm that a delivery option of "store deliver" would essentially BREAK clamav?

Thanks.

-----Original Message-----
From: Jeff A. Earickson [mailto:jaearick@COLBY.EDU]
Sent: Sunday, February 22, 2004 7:41 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Building an MS-SA box

IMHO, you are better off running a cache/slave DNS like bind or tinydns. On Solaris we have found that nscd can be a bottleneck, not a help. When we moved our web service (apache) from HP to Solaris, we were getting really poor response until we turned off nscd. I have it turned off on all of my Sun boxes, including my MailScanner box. Others may have different insight on nscd.

Jeff Earickson
Colby College

On Sat, 21 Feb 2004, Ugo Bellavance wrote:

> Date: Sat, 21 Feb 2004 23:35:59 -0500
> From: Ugo Bellavance
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Building an MS-SA box
>
> >
> >> 2) configure a caching nameserver on the MS box.
> >
> >DEFINITELY!! currently running nscd-2.3.2-27.9.7 (aint redhat's
> >latest versioning crazy?)
> >
>
> nscd?
>
> Is it better than to use the package named "caching nameserver"?
>
> I don't need to cache other services.
>
> Thanks,
>

From MWeiner at AG.COM Sun Feb 22 13:34:13 2004
From: MWeiner at AG.COM (MW Mike Weiner (5028))
Date: Thu Jan 12 21:22:39 2006
Subject: Building an MS-SA box
Message-ID: <4FD2C985D5E2A642AE25823DFD61C2B01A817A@orca.agcom.amgreetings.com>

Nscd = name service caching daemon

We're talking about the same thing ;-)

-----Original Message-----
From: Ugo Bellavance [mailto:ugob@CAMO-ROUTE.COM]
Sent: Saturday, February 21, 2004 11:36 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Building an MS-SA box

>
>> 2) configure a caching nameserver on the MS box.
>
>DEFINITELY!! currently running nscd-2.3.2-27.9.7 (aint redhat's latest
>versioning crazy?)
>

nscd?

Is it better than to use the package named "caching nameserver"?

I don't need to cache other services.

Thanks,

From ugob at CAMO-ROUTE.COM Sun Feb 22 13:54:20 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:39 2006
Subject: Building an MS-SA box
Message-ID: <54C38A0B814C8E438EF73FC76F362927410924@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: MW Mike Weiner (5028) [mailto:MWeiner@AG.COM]
>Sent: 22 February, 2004 08:34
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Building an MS-SA box
>
>
>Nscd = name service caching daemon
>
>We're talking about the same thing ;-)

Not really. The package called "caching nameserver" is a pre-configured Bind.

Thanks,

>
>-----Original Message-----
>From: Ugo Bellavance [mailto:ugob@CAMO-ROUTE.COM]
>Sent: Saturday, February 21, 2004 11:36 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Building an MS-SA box
>
>>
>>> 2) configure a caching nameserver on the MS box.
>>
>>DEFINITELY!! currently running nscd-2.3.2-27.9.7 (aint redhat's latest
>>versioning crazy?)
>>
>
>nscd?
>
>Is it better than to use the package named "caching nameserver"?
>
>I don't need to cache other services.
>
>Thanks,
>

From peter at UCGBOOK.COM Sun Feb 22 13:55:35 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:39 2006
Subject: Building an MS-SA box
In-Reply-To:
References: <54C38A0B814C8E438EF73FC76F362927410923@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <4038B4D7.5060203@ucgbook.com>

Jeff A. Earickson wrote:
> IMHO, you are better off running a cache/slave DNS like bind or
> tinydns. On Solaris we have found that nscd can be a bottleneck,
> not a help. When we moved our web service (apache) from HP to
> Solaris, we were getting really poor response until we turned off
> nscd. I have it turned off on all of my Sun boxes, including
> my MailScanner box. Others may have different insight on nscd.

I think the main target for Sun with nscd was to improve NIS performance, therefore it caches more than just hosts. I haven't heard of any problems with it for years, the last patch released for it was in 2001 for Solaris 8. Are your problems with nscd recent?

I'm using it with no problems. I have a host hit rate of 99.6% and after being up for 129 days it's using 3 MB. That's OK with me.
;-)

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From MWeiner at AG.COM Sun Feb 22 13:48:18 2004
From: MWeiner at AG.COM (MW Mike Weiner (5028))
Date: Thu Jan 12 21:22:39 2006
Subject: Building an MS-SA box
Message-ID: <4FD2C985D5E2A642AE25823DFD61C2B01A817B@orca.agcom.amgreetings.com>

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Sunday, February 22, 2004 8:17 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Building an MS-SA box

I agree with the comments about Solaris's nscd. It appears to slowly grow without limit. I have had one taking about 800MB of RAM after the box had been up for a few months. Linux's nscd might be better, but most people only need to cache DNS responses, which is better done with bind as it is more configurable.

Well, linux doesn't really do any more magic than the others out there, honestly nscd works best for pam and auth related stuff than for dns lookups which is what I am using it for in this instance. It runs ok, and is not that phat actually. But I do agree, that I have seen it bottleneck the box due to cpu consumption.

OK, I have to ask the author this question directly, as the answers from the list seem to range in response. OK, I have delivery rules such as the following (for both spam and notspam.delivery.rules):

FromOrTo: default delete
FromOrTo: mweiner@bmarts.com store deliver

The thought here was to temporarily store the email so I can use later for Bayesian training. However, it has come up in the list a few times that some people think when the options are set as above "store deliver" then that piece of email is not getting processed at all. Meaning when mweiner@bmarts.com gets an email, it gets stored and not processed via sa or even clamav. Is this the case? I could sift through code, but that's not really very valuable to me at this point.
What I need is to figure out what is causing clamav not to run or at least tag or log anything to indicate that its running properly through ms and it was indicated that the delivery options may be the problem. Any additional insights? -- At 12:41 22/02/2004, you wrote: >IMHO, you are better off running a cache/slave DNS like bind or >tinydns. On Solaris we have found that nscd can be a bottleneck, not a >help. When we moved our web service (apache) from HP to Solaris, we >were getting really poor response until we turned off nscd. I have it >turned off on all of my Sun boxes, including my MailScanner box. >Others may have different insight on nscd. > >Jeff Earickson >Colby College > >On Sat, 21 Feb 2004, Ugo Bellavance wrote: > > > Date: Sat, 21 Feb 2004 23:35:59 -0500 > > From: Ugo Bellavance > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Building an MS-SA box > > > > > > > >> 2) configure a caching nameserver on the MS box. > > > > > >DEFINITELY!! currently running nscd-2.3.2-27.9.7 (aint redhat's > > >latest versioning crazy?) > > > > > > > nscd? > > > > Is is better than to use the package named "caching nameserver"? > > > > I don't need to cache other services. 
> > > > Thanks, > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sun Feb 22 14:05:18 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:39 2006 Subject: Building an MS-SA box In-Reply-To: <4FD2C985D5E2A642AE25823DFD61C2B01A817B@orca.agcom.amgreeti ngs.com> References: <4FD2C985D5E2A642AE25823DFD61C2B01A817B@orca.agcom.amgreetings.com> Message-ID: <6.0.1.1.2.20040222140204.03ec6e18@imap.ecs.soton.ac.uk> At 13:48 22/02/2004, you wrote: >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Sunday, February 22, 2004 8:17 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Building an MS-SA box > >>I agree with the comments about Solaris's nscd. It appears to slowly grow >>without limit. I have had one taking about 800MB of RAM after the box had >>been up for a few months. Linux's nscd might be better, but most people only >>need to cache DNS responses, which is better done with bind as it is more >>configurable. > >Well, linux doesn't really do any more magic than the others out there, >honestly nscd works best for pam and auth related stuff than for dns lookups >which is what I am using it for in this instance. It runs ok, and is not >that phat actually. But I do agree, that I have seen it bottleneck the box >due to cpu consumption. > >OK, I have to ask the author this question directly, as the answers from the >list seem to range in response. OK, I have delivery rules such as the >following (for both spam and notspam.delivery.rules): > >FromOrTo: default delete >FromOrTo: mweiner@bmarts.com store deliver > >The thought here was to temporarily store the email so I can use later for >Bayesian training. 
However, it has come up in the list a few times that some >people think when the options are set as above "store deliver" then that >piece of email is not getting processed at all. Meaning when >mweiner@bmarts.com gets an email, it gets stored and not processd via sa or >even clamav. Is this the case? I could sift through code, but that's not >really very valuable to me at this point. What I need is to figure out what >is causing clamav not to run or at least tag or log anything to indicate >that its running properly through ms and it was indicated that the delivery >options may be the problem. > >Any additional insights? There is no reason that "store deliver" should adversely affect the mail processing. What happens if you just set the non-spam action to "deliver" and use the "Archive Mail" setting to archive your mail? >-- >At 12:41 22/02/2004, you wrote: > >IMHO, you are better off running a cache/slave DNS like bind or > >tinydns. On Solaris we have found that nscd can be a bottleneck, not a > >help. When we moved our web service (apache) from HP to Solaris, we > >were getting really poor response until we turned off nscd. I have it > >turned off on all of my Sun boxes, including my MailScanner box. > >Others may have different insight on nscd. > > > >Jeff Earickson > >Colby College > > > >On Sat, 21 Feb 2004, Ugo Bellavance wrote: > > > > > Date: Sat, 21 Feb 2004 23:35:59 -0500 > > > From: Ugo Bellavance > > > Reply-To: MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Building an MS-SA box > > > > > > > > > > >> 2) configure a caching nameserver on the MS box. > > > > > > > >DEFINITELY!! currently running nscd-2.3.2-27.9.7 (aint redhat's > > > >latest versioning crazy?) > > > > > > > > > > nscd? > > > > > > Is is better than to use the package named "caching nameserver"? > > > > > > I don't need to cache other services. 
> > > > > > Thanks, > > > > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz MailScanner thanks >transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC >7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sun Feb 22 14:01:17 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:39 2006 Subject: Building an MS-SA box In-Reply-To: <4038B4D7.5060203@ucgbook.com> References: <54C38A0B814C8E438EF73FC76F362927410923@mtlnt501fs.CAMOROUTE.COM> <4038B4D7.5060203@ucgbook.com> Message-ID: <6.0.1.1.2.20040222140015.03a10ec0@imap.ecs.soton.ac.uk> At 13:55 22/02/2004, you wrote: >Jeff A. Earickson wrote: >>IMHO, you are better off running a cache/slave DNS like bind or >>tinydns. On Solaris we have found that nscd can be a bottleneck, >>not a help. When we moved our web service (apache) from HP to >>Solaris, we were getting really poor response until we turned off >>nscd. I have it turned off on all of my Sun boxes, including >>my MailScanner box. Others may have different insight on nscd. > >I think the main target for Sun with nscd was to improve NIS >performance, therefore it caches more than just hosts. I haven't heard >of any problems with it for years, the last patch released for it was in >2001 for Solaris 8. Are your problems with nscd recent? Yes, with Solaris 9 with all patches. >I'm using it with no problems. I have a host hit rate of 99.6% and after >being up for 129 days it's using 3 MB. That's OK with me. ;-) Thanks for that. I'll take a look to ensure I am fully patched, and see if there are any configuration options to limit its memory use. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From peter at UCGBOOK.COM Sun Feb 22 14:05:06 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:39 2006 Subject: Building an MS-SA box In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410924@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F362927410924@mtlnt501fs.CAMOROUTE.COM> Message-ID: <4038B712.40700@ucgbook.com> Ugo Bellavance wrote: >>Nscd = name service caching daemon >> >>We're talking about the same thing ;-) > > > not really. The package called "caching nameserver" is a pre-configured Bind. It's not the same product but in this case they both do what you want which is what he meant. ;-) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From peter at UCGBOOK.COM Sun Feb 22 14:03:23 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:39 2006 Subject: Building an MS-SA box In-Reply-To: <4FD2C985D5E2A642AE25823DFD61C2B01A817B@orca.agcom.amgreetings.com> References: <4FD2C985D5E2A642AE25823DFD61C2B01A817B@orca.agcom.amgreetings.com> Message-ID: <4038B6AB.6020407@ucgbook.com> MW Mike Weiner (5028) wrote: > FromOrTo: default delete > FromOrTo: mweiner@bmarts.com store deliver > > The thought here was to temporarily store the email so I can use later for > Bayesian training. However, it has come up in the list a few times that some > people think when the options are set as above "store deliver" then that > piece of email is not getting processed at all. Meaning when > mweiner@bmarts.com gets an email, it gets stored and not processd via sa or > even clamav. Is this the case? I could sift through code, but that's not > really very valuable to me at this point. 
What I need is to figure out what > is causing clamav not to run or at least tag or log anything to indicate > that its running properly through ms and it was indicated that the delivery > options may be the problem. The stored copy is in its original form for many reasons such as legal ones. The delivered one on the other hand is of course processed. I agree, there seems to be some confusion about that on the list. By the way, I think the default rule should be last, might not matter here but for good form if nothing else. :-) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From MWeiner at AG.COM Sun Feb 22 14:01:34 2004 From: MWeiner at AG.COM (MW Mike Weiner (5028)) Date: Thu Jan 12 21:22:39 2006 Subject: Building an MS-SA box Message-ID: <4FD2C985D5E2A642AE25823DFD61C2B01A817C@orca.agcom.amgreetings.com> That's beautiful, but then again, you're using a REAL OS, lol. You gotta love sun though, I love the posix/sysv implementation but due to financial reasons, we have opted for linux for our normal working environment and use solaris for our database and datawarehouse functions. -----Original Message----- From: Peter Bonivart [mailto:peter@UCGBOOK.COM] Sent: Sunday, February 22, 2004 8:56 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Building an MS-SA box Jeff A. Earickson wrote: > IMHO, you are better off running a cache/slave DNS like bind or > tinydns. On Solaris we have found that nscd can be a bottleneck, not > a help. When we moved our web service (apache) from HP to Solaris, we > were getting really poor response until we turned off nscd. I have it > turned off on all of my Sun boxes, including my MailScanner box. > Others may have different insight on nscd. I think the main target for Sun with nscd was to improve NIS performance, therefore it caches more than just hosts. 
I haven't heard of any problems with it for years, the last patch released for it was in 2001 for Solaris 8. Are your problems with nscd recent? I'm using it with no problems. I have a host hit rate of 99.6% and after being up for 129 days it's using 3 MB. That's OK with me. ;-) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From dh at UPTIME.AT Sun Feb 22 14:19:44 2004 From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:22:39 2006 Subject: Building an MS-SA box In-Reply-To: <4FD2C985D5E2A642AE25823DFD61C2B01A817C@orca.agcom.amgreetings.com> References: <4FD2C985D5E2A642AE25823DFD61C2B01A817C@orca.agcom.amgreetings.com> Message-ID: <4038BA80.3000509@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 MW Mike Weiner (5028) wrote: > That's beautiful, but then again, you're using a REAL OS, lol. You gotta > love sun though, I love the posix/sysv implementation .....quietly goes to find the strong tape to tape his mouth shut before one hell of a flame war breaks loose... PS: don't take it too serious I dealt with about 90% of teh OS's that are out there :) But still, that was practically begging for a comment :) - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAOLqDPMoaMn4kKR4RA1MkAJ97gOxGoqFMYj6iAlr41YaU8edgYgCffUh+ EcCBtIQWF3wn8fJjoo3mNWE= =tPAL -----END PGP SIGNATURE----- From MWeiner at AG.COM Sun Feb 22 14:29:23 2004 From: MWeiner at AG.COM (MW Mike Weiner (5028)) Date: Thu Jan 12 21:22:39 2006 Subject: Building an MS-SA box Message-ID: <4FD2C985D5E2A642AE25823DFD61C2B01A817D@orca.agcom.amgreetings.com> Same here, I wasn't trying to START anything, just had to comment. Tho I see by your email you're using darwin, are you running MacOSx ?? Now there is an os that I really love where its come from and heading to. Again, I wasn't trying to flame, that's pretty pointless anyway. 
-----Original Message----- From: David H. [mailto:dh@UPTIME.AT] Sent: Sunday, February 22, 2004 9:20 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Building an MS-SA box -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 MW Mike Weiner (5028) wrote: > That's beautiful, but then again, you're using a REAL OS, lol. You > gotta love sun though, I love the posix/sysv implementation .....quietly goes to find the strong tape to tape his mouth shut before one hell of a flame war breaks loose... PS: don't take it too serious I dealt with about 90% of teh OS's that are out there :) But still, that was practically begging for a comment :) - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAOLqDPMoaMn4kKR4RA1MkAJ97gOxGoqFMYj6iAlr41YaU8edgYgCffUh+ EcCBtIQWF3wn8fJjoo3mNWE= =tPAL -----END PGP SIGNATURE----- From MWeiner at AG.COM Sun Feb 22 14:31:22 2004 From: MWeiner at AG.COM (MW Mike Weiner (5028)) Date: Thu Jan 12 21:22:39 2006 Subject: Building an MS-SA box Message-ID: <4FD2C985D5E2A642AE25823DFD61C2B01A817E@orca.agcom.amgreetings.com> Well the more I looked at it, the more I would agree, cause if MS is working with the rule sets like a firewall does, meaning TOP DOWN matching, then you would want your default, most often used rule at the bottom of the list thus being the "catch all" rule that everything not matching the rules above would be treated. Julian, any thoughts? -----Original Message----- From: Peter Bonivart [mailto:peter@UCGBOOK.COM] Sent: Sunday, February 22, 2004 9:03 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Building an MS-SA box MW Mike Weiner (5028) wrote: > FromOrTo: default delete > FromOrTo: mweiner@bmarts.com store deliver > > The thought here was to temporarily store the email so I can use later > for Bayesian training. However, it has come up in the list a few times > that some people think when the options are set as above "store > deliver" then that piece of email is not getting processed at all. 
> Meaning when mweiner@bmarts.com gets an email, it gets stored and not > processd via sa or even clamav. Is this the case? I could sift through > code, but that's not really very valuable to me at this point. What I > need is to figure out what is causing clamav not to run or at least > tag or log anything to indicate that its running properly through ms > and it was indicated that the delivery options may be the problem. The stored copy is in its original form for many reasons such as legal ones. The delivered one on the other hand is of course processed. I agree, there seems to be some confusion about that on the list. By the way, I think the default rule should be last, might not matter here but for good form if nothing else. :-) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From mailscanner at ecs.soton.ac.uk Sun Feb 22 14:10:58 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:39 2006 Subject: Building an MS-SA box In-Reply-To: <4038B6AB.6020407@ucgbook.com> References: <4FD2C985D5E2A642AE25823DFD61C2B01A817B@orca.agcom.amgreetings.com> <4038B6AB.6020407@ucgbook.com> Message-ID: <6.0.1.1.2.20040222141034.03ec1e18@imap.ecs.soton.ac.uk> At 14:03 22/02/2004, you wrote: >MW Mike Weiner (5028) wrote: >>FromOrTo: default delete >>FromOrTo: mweiner@bmarts.com store deliver >> >>The thought here was to temporarily store the email so I can use later for >>Bayesian training. However, it has come up in the list a few times that some >>people think when the options are set as above "store deliver" then that >>piece of email is not getting processed at all. Meaning when >>mweiner@bmarts.com gets an email, it gets stored and not processd via sa or >>even clamav. Is this the case? I could sift through code, but that's not >>really very valuable to me at this point. 
What I need is to figure out what
>>is causing clamav not to run or at least tag or log anything to indicate
>>that it's running properly through ms and it was indicated that the delivery
>>options may be the problem.
>
>The stored copy is in its original form for many reasons such as legal
>ones. The delivered one on the other hand is of course processed. I
>agree, there seems to be some confusion about that on the list.
>
>By the way, I think the default rule should be last, might not matter
>here but for good form if nothing else. :-)

Good practice to put the default rule last, but it doesn't actually matter where it is.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Feb 22 15:09:58 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:39 2006
Subject: Building an MS-SA box
In-Reply-To: <4FD2C985D5E2A642AE25823DFD61C2B01A817E@orca.agcom.amgreetings.com>
References: <4FD2C985D5E2A642AE25823DFD61C2B01A817E@orca.agcom.amgreetings.com>
Message-ID: <6.0.1.1.2.20040222150654.0398c760@imap.ecs.soton.ac.uk>

It does top down matching just like a firewall does. The only exception is the default rule. If I made it all top-to-bottom, and someone accidentally put the default first, none of their rules would be used at all.

In cases where every matching rule is used, rather than the first match, then the default is only used when none of the other rules match. In that case, there is no "right" place for the default. I wanted to make both the all-matches and first-match rulesets have the same semantics for the placing of the default rule.
At 14:31 22/02/2004, you wrote: >Well the more I looked at it, the more I would agree, cause if MS is working >with the rule sets like a firewall does, meaning TOP DOWN matching, then you >would want your default, most often used rule at the bottom of the list thus >being the "catch all" rule that everything not matching the rules above >would be treated. > >Julian, any thoughts? >-----Original Message----- >From: Peter Bonivart [mailto:peter@UCGBOOK.COM] >Sent: Sunday, February 22, 2004 9:03 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Building an MS-SA box > >MW Mike Weiner (5028) wrote: > > FromOrTo: default delete > > FromOrTo: mweiner@bmarts.com store deliver > > > > The thought here was to temporarily store the email so I can use later > > for Bayesian training. However, it has come up in the list a few times > > that some people think when the options are set as above "store > > deliver" then that piece of email is not getting processed at all. > > Meaning when mweiner@bmarts.com gets an email, it gets stored and not > > processd via sa or even clamav. Is this the case? I could sift through > > code, but that's not really very valuable to me at this point. What I > > need is to figure out what is causing clamav not to run or at least > > tag or log anything to indicate that its running properly through ms > > and it was indicated that the delivery options may be the problem. > >The stored copy is in its original form for many reasons such as legal ones. >The delivered one on the other hand is of course processed. I agree, there >seems to be some confusion about that on the list. > >By the way, I think the default rule should be last, might not matter here >but for good form if nothing else. 
:-) > >-- >/Peter Bonivart > >--Unix lovers do it in the Sun > >Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, >SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sun Feb 22 16:09:00 2004 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:22:39 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200402221609.i1MG907k010799@seer.ecs.soton.ac.uk> New Guestbook-Entry from Amias Gardner This website contains chosen information about http://www.geocities.com/history_of_internet/ . You are welcome to browse it and become a bit wiser.Integrated aquiculture and the irrigation are system for planting watering Read more here From chris at FRACTALWEB.COM Sun Feb 22 16:34:51 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:39 2006 Subject: What is the best High SpamAssassin Score In-Reply-To: <001101c3f93d$394a0760$0100a8c0@yogi> References: <001101c3f93d$394a0760$0100a8c0@yogi> Message-ID: <4038DA2B.5020909@fractalweb.com> Stuart Clark wrote: >What is the best High SpamAssassin Score? > >Without getting complaints from customers > Stuart, Unfortunately, the answer is not that simple--the "best" score depends on a number of factors. Spamassassin has quite a few options and can be tweaked like crazy. If you have Bayes running, that can increase the score of spam. Also, DCC and Razor are great too. Perhaps even more significantly, if you have added any additional rule sets, such as BigEvil.cf, you catch more spam and will increase the scores of spam as well. (get it and others from http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm). It also depends on what you're going to do with your high spam--are you just tagging it and delivering it too? 
Or are you deleting it altogether, in which case you would want to be a bit more cautious.

On my server, I have bayes, Razor, and DCC running along with a few custom rulesets. I am also using BigEvil.cf, popcorn.cf, weeds.cf, and a few others that I cannot remember right now. My thresholds are 5 points for spam and 15 points for high spam. I deliver spam as an attachment, but quarantine high spam for a couple of weeks; the user doesn't receive any notification of high-spam.

Cheers,
Chris

From ryan.finnesey at CORPDSG.COM Sun Feb 22 20:06:43 2004
From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey)
Date: Thu Jan 12 21:22:39 2006
Subject: McAfee virusscan
Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C401EAC0@dc012.corpdsg.com>

We talked with CA about eTrust last week and were told if you are using eTrust for e-mail scanning it is licensed per user.

Ryan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson
Sent: Friday, February 20, 2004 6:49 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: McAfee virusscan

No, you're right. It is a lesson in futility.

I did a full review of all currently supported virus scanners several months ago (in fact, I think someone posted this review to the FAQ). After I posted my review, I received several conflicting pieces of feedback. Everyone was told a different story by McAfee. No one seems to know where or how to buy it or how it's licensed. I've been told by several people that NAI licenses this product by user--not by machine. This quickly put it out of our price range.

I found the smaller vendors were often the most helpful (which can be expected). The NOD32 folks were the most responsive but still too pricey. I settled on CAI eTrust at a little over $100.00 for 5 nodes (licensed per machine). My only issue with them is their somewhat lagging OS/distribution support.
They still haven't release a version that's compatible with Red Hat 9 or later, or Red Hat Enterprise Linux 2.1 or later. They're also RedHat/SUSE centric. No mention of Debian on their compatibility list. I haven't tried it yet. Nathan > -----Original Message----- > From: Chris Yuzik [mailto:chris@FRACTALWEB.COM] > Sent: Thursday, February 19, 2004 2:56 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: McAfee virusscan > > OMG! I'm ready to pull what's left of my hair out. > > NAI and McAfee are virtually impossible to deal with. I have wasted no > less than 3 hours on the phone over the past couple of days trying to > get pricing for McAfee Virusscan commandline for Unix (or Linux). I > managed to download an evaluation version and it seems fine. I have > talked with 3 resellers that are all "not familiar with that product" > and all promise to get back to me after talking to McAfee...and, of > course, they never do. > > I've called McAfee and talked with almost a dozen people. I finally > talked to one person who told me that the commandline version of > Virusscan is no longer sold on its own and is only available > as part of > the Virusscan Suite for the Desktop 5-user version. Cost on that is > apparently US$200 for the first year, then $82 per year thereafter. > According to the MailScanner FAQ, it should be more like $12 for a > perpetual license. > > One person I talked with suggested that the Command Line version MIGHT > be included in the boxed retail package of McAfee Virusscan > Professional, but all the literature just says Windows. According to > someone at NAI, it's only the Windows version. > > It looks like there is something called the "McAfee Active VirusScan > Suite Small Business Edition" that allegedly includes the command line > scanner for unix/linux. Minimum purchase is 2 nodes, so cost is about > US$80...but I cannot purchase this product because I am in > Canada...and > apparently, it's not available in Canada unless I purchase 11 > nodes. 
Did > I mention I only have 1 machine? Argh! > > Am I missing something here? Is purchasing software supposed > to be this > difficult? > > Perhaps I'm used to the way good shareware works...I download it, > install it, and if I like it, pay for it. Then, they send me some sort > of key file that I put on the machine and it keeps working. > > Can anyone shed any light here? Any McAfee users out there > know the secret? > > Cheers, > Chris > From maillists at CONACTIVE.COM Sun Feb 22 22:31:35 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:39 2006 Subject: Building an MS-SA box In-Reply-To: References: <54C38A0B814C8E438EF73FC76F362927410923@mtlnt501fs.CAMOROUTE.COM> Message-ID: since everyone's throwing in his favorite variant of caching dns I'd like to mention dnsmasq. If you need a fast, highly configurable, low foot-print dns cache it's the right thing to use. Most Linux distro's come with a package of it, but it also compiles painlessly. It's also in use in a lot of gateway and firewall "appliances". Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From jaearick at COLBY.EDU Mon Feb 23 02:28:44 2004 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:22:39 2006 Subject: sun and nscd, was: Building an MS-SA box In-Reply-To: <4038B4D7.5060203@ucgbook.com> References: <54C38A0B814C8E438EF73FC76F362927410923@mtlnt501fs.CAMOROUTE.COM> <4038B4D7.5060203@ucgbook.com> Message-ID: Y'all, We got badly burned by Sun's nscd in Solaris 8 when we moved Apache. Turned it off then and left it off. We are running Solaris 9 now, and I still leave it off. We don't use NIS (yuck); I have bind where I need it, so why use nscd? In fact I have a whole list of Sun daemons (21 total) that I disable, plus nearly everything in /etc/inetd.conf. If I can't think of a good reason to run a daemon then I disable it. 
And I run ipfilter on all of my boxes. I'm not paranoid, everybody *is* out to get me.

Jeff Earickson
Colby College

On Sun, 22 Feb 2004, Peter Bonivart wrote:

> Date: Sun, 22 Feb 2004 14:55:35 +0100
> From: Peter Bonivart
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Building an MS-SA box
>
> Jeff A. Earickson wrote:
> > IMHO, you are better off running a cache/slave DNS like bind or
> > tinydns. On Solaris we have found that nscd can be a bottleneck,
> > not a help. When we moved our web service (apache) from HP to
> > Solaris, we were getting really poor response until we turned off
> > nscd. I have it turned off on all of my Sun boxes, including
> > my MailScanner box. Others may have different insight on nscd.
>
> I think the main target for Sun with nscd was to improve NIS
> performance, therefore it caches more than just hosts. I haven't heard
> of any problems with it for years, the last patch released for it was in
> 2001 for Solaris 8. Are your problems with nscd recent?
>
> I'm using it with no problems. I have a host hit rate of 99.6% and after
> being up for 129 days it's using 3 MB. That's OK with me. ;-)
>
> --
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2
>

From ugob at CAMO-ROUTE.COM Mon Feb 23 07:06:30 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:39 2006
Subject: Time.
Message-ID: <54C38A0B814C8E438EF73FC76F362927410926@mtlnt501fs.CAMOROUTE.COM>

which one is good? overwrite the wrong one with the good one.

i.e.

cp -f /etc/localtime /var/spool/postfix/etc/localtime

(if /etc/localtime is the right one)

>-----Original Message-----
>From: Erik Jakobsen [mailto:eja@URBAKKEN.DK]
>Sent: February 23, 2004 01:02
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Time.
> > >How is it that I fix this ?: > >/var/spool/postfix/etc/localtime and /etc/localtime differ >-- >Med venlig hilsen - Best regards. >Erik Jakobsen - eja@urbakken.dk. >Licensed radioamateur with the callsign OZ4KK. >SuSE Linux 9.0 Proff. >Registered as user #319488 with the Linux Counter, >http://counter.li.org. > From eja at URBAKKEN.DK Mon Feb 23 06:02:20 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:39 2006 Subject: Time. Message-ID: <4039976C.7070404@urbakken.dk> How is it that I fix this ?: /var/spool/postfix/etc/localtime and /etc/localtime differ -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 9.0 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From Jan-Peter.Koopmann at SECEIDOS.DE Mon Feb 23 09:40:40 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:39 2006 Subject: Building an MS-SA box Message-ID: Hi Mike, > I appreciate the timely response, and appreciate your > opinion. I was not at all sure I wanted to use LDAP but its > now "embedded" in exchange for w2k3 which is a nice means of > authenticating. Of course it is. I still do not trust Microsoft's LDAP implementation. With RADIUS all you can do is ask the server if the username/password combination is valid. I know RADIUS is able to provide a bit more information but nothing compared to LDAP. > I will have to check into the radius idea, I > havent done it this way but will look into the suggestion. Quite simple. What MTA are you using? > You say you have a script for the pushes?? Mind sharing to my > private address? Have a look at the FAQ: http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?_highlightWords=exchange&file =270 > Also, what else are you running in addition > to MS-SA?? 
Exim, Spamassassin, lots of virus scanners, some RBLs, MailWatch, MailScanner-MRTG

Regards,
JP

From prandal at HEREFORDSHIRE.GOV.UK Mon Feb 23 10:35:48 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:39 2006
Subject: Which SA rule set considered "Best Practice"?
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C55A@jessica.herefordshire.gov.uk>

I'd add Chris Santerre's BigEvil rule and Jennifer's Backhair to the list:

http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm

My experience has been that it is worth examining the spam which gets through and finding rules to clobber it. If you have MS Exchange as your backend mail system it's nigh impossible (to train users) to feed stuff back from exchange to spamassassin in a reliable way.

My favourite rule is simple, obvious, but only works in countries where the dollar isn't the local currency:

header WRONGCURRENCY Subject =~ /\$|dollar/i
describe WRONGCURRENCY Wrong currency - dollar in subject
score WRONGCURRENCY 4.0

We had a load of spams a while back which matched this:

header TO_MEET Subject =~ /(wants? to (meet|talk to) you|lets meet up)/i
describe TO_MEET A spammer wants to meet you
score TO_MEET 3.5

If you do RBL lookups within spamassassin, these might be useful:

header RCVD_IN_BNBL eval:check_rbl('bnbl', 'bl.blueshore.net.')
describe RCVD_IN_BNBL Listed by BNBL
tflags RCVD_IN_BNBL net
score RCVD_IN_BNBL 2.0

header RCVD_IN_PSBL eval:check_rbl('psbl', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Listed by PSBL (surriel.com)
tflags RCVD_IN_PSBL net
score RCVD_IN_PSBL 2.0

header RCVD_IN_SXBL eval:check_rbl('sxbl', 'xbl.spamhaus.org.')
describe RCVD_IN_SXBL Listed by SXBL (spamhaus.org)
tflags RCVD_IN_SXBL net
score RCVD_IN_SXBL 2.0

Cheers,

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Matt Kettler
> Sent: 21 February 2004 00:11
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Which SA rule set considered "Best Practice"?
>
>
> At 06:37 PM 2/20/2004, Michael St. Laurent wrote:
> >We're still getting more spam slipping through than I would
> like and was
> >wondering which of the additional rule sets are recommended.
> I've installed
> >the fetch scripts for both the bigevil and backhair rule sets so far.
> >
> >Suggestions please?
>
> Disclaimer of bias: I'm one of the add-on ruleset writers... I wrote
> antidrug.cf.
>
> Personally I think your best bet prior to using add on
> rulesets is to get
> all of the features of the default SA system working well.
>
> 1) Enable DNSBLs by installing Net::DNS.
>
> 2) Enable bayes by feeding sa-learn.. Feed it well,
> and feed it
> often. Mine gets fed a diet of about 100 fresh spams/day and about 20
> nonspams/day. A good regiment of feeding bayes with input
> from spamtraps
> and such is very helpful.
>
> 3) Consider installing DCC.. DCC works pretty well
> and is pretty
> lightweight.
Razor is more accurate, but seems prone to more
> network timeouts.
>
>
> As for add-on rules, I don't use that many, despite being a
> add-on set writer.
>
> "Best practice" would be to be very cautious when using
> them, and test
> them out with very low scores to start.
>
> If you want to know what I'm using:
>
> Obviously I use my own antidrug.cf, but that's mostly done as
> a giant rude
> gesture in the direction of the pill spammers who have been
> so aggressive
> lately. I also use a pair of rules which is a collapsed
> version of Jen's
> popcorn.cf.
>
> describe LOCAL_POPCORN 1-5 letters - hidden tag - 1-7 letters
> rawbody LOCAL_POPCORN /[>\s]\w{1,5}<\![^>]*>\w{1,7}\W/i
>
> describe LOCAL_POPCORN2 1-5 letters - hidden tag - 1-7 letters
> rawbody LOCAL_POPCORN2 /[>\s]\w{1,5}<\/\w{2,10}>\w{1,7}\b/i
>
> I also find this useful:
> body LOCAL_MEDS /\bmed[sz]\b/i
>
> and this:
> body BODY_RND_GENERATOR /\%RND_(?:LC_CHAR|UC_CHAR|SYB|WORD)\b/
>
>
> And that's about it.. other than a bunch of goofball test
> rules floating
> around. I've also been playing with the FVGT_s_OBFU_* rules.
>
>
> The SA wiki has a pretty comprehensive list of the add-on
> sets if you need
> a list of them. Just remember, when in doubt, test with low scores!
>
> http://wiki.spamassassin.org/w/CustomRulesets
>

From eja at URBAKKEN.DK Mon Feb 23 07:26:35 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:22:39 2006
Subject: Time.
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410926@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410926@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <4039AB2B.7030205@urbakken.dk>

Ugo Bellavance wrote:
> which one is good?
>
> overwrite the wrong one with the good one. i.e.
>
> cp -f /etc/localtime /var/spool/postfix/etc/localtime
>
> (if /etc/localtime is the right one)

Thanks Ugo.

>
>>-----Original Message-----
>>From: Erik Jakobsen [mailto:eja@URBAKKEN.DK]
>>Sent: 23 February, 2004 01:02
>>To
: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Time.
>>
>>
>>How is it that I fix this ?:
>>
>>/var/spool/postfix/etc/localtime and /etc/localtime differ
>>--
>>Med venlig hilsen - Best regards.
>>Erik Jakobsen - eja@urbakken.dk.
>>Licensed radioamateur with the callsign OZ4KK.
>>SuSE Linux 9.0 Proff.
>>Registered as user #319488 with the Linux Counter,
>>http://counter.li.org.
>>
>
>
>

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 9.0 Proff.
Registered as user #319488 with the Linux Counter,
http://counter.li.org.

From prandal at HEREFORDSHIRE.GOV.UK Mon Feb 23 10:53:26 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:39 2006
Subject: What is the best High SpamAssassin Score
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C55B@jessica.herefordshire.gov.uk>

My threshold is 4.75 for low, 10.25 for high, autolearning at 9, with loads of rules, razor, pyzor, dcc. Bayes has been well-trained.

A couple of spammers have tried to send us spam in batches of 100+ at a time, so they've been blacklisted.

I found one (disputable) false positive in that high range in the last 3 months.

We still get a few false negatives, but new rules and Bayes usually catch them.

Now, if only we could persuade our users not to subscribe to spammers' mailing lists. You know the ones, special deals and offers lists, nothing to do with work at all, and indistinguishable from the unsolicited stuff :-(
Grrrrr.

Cheers,

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Chris Yuzik
> Sent: 22 February 2004 16:35
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: What is the best High SpamAssassin Score
>
>
> Stuart Clark wrote:
>
> >What is the best High SpamAssassin Score?
> >
> >Without getting complaints from customers
> >
> Stuart,
>
> Unfortunately, the answer is not that simple--the "best" score depends
> on a number of factors. Spamassassin has quite a few options
> and can be
> tweaked like crazy. If you have Bayes running, that can increase the
> score of spam. Also, DCC and Razor are great too. Perhaps even more
> significantly, if you have added any additional rule sets, such as
> BigEvil.cf, you catch more spam and will increase the scores
> of spam as
> well. (get it and others from
> http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm)

. It also depends on what you're going to do with your high spam--are you just tagging it and delivering it too? Or, if are you deleting it altogether, in which case you would want to be a bit more cautious.

On my server, I have bayes, Razor, and DCC running along with a few custom rulesets. I am also using BigEvil.cf, popcorn.cf, weeds.cf, and a few others that I cannot remember right now.

My thresholds are 5 points for spam and 15 points for high spam. I deliver spam as an attachment, but quarantine high spam for a couple of weeks; the user doesn't receive any notification of high-spam.

Cheers,
Chris

From P.G.M.Peters at utwente.nl Mon Feb 23 11:12:45 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:39 2006
Subject: Emailing quarantined emails
In-Reply-To: <6.0.1.1.2.20040222131207.039c3200@imap.ecs.soton.ac.uk>
References: <20040220193427.GA30431@gbcomputers.com> <1077331933.4345.38.camel@localhost.localdomain> <20040221211110.GA7057@gbcomputers.com> <6.0.1.1.2.20040222131207.039c3200@imap.ecs.soton.ac.uk>
Message-ID:

On Sun, 22 Feb 2004 13:13:21 +0000, you wrote:

>>Actually, what I want to do is change the original recipient of the
>>infected messages to point to a generic quarantine address, and then
>>deliver the email to that address. Something so that the helpdesk doesn't
>>have to access the SMTP server directly.
Then they'll just check that
>>other mailbox (actually it'll be a shared IMAP folder) to look at any
>>quarantined messages. Though 99% of quarantined emails are worthless
>>anyway, that other 1% needs to be easily/quickly accessed by the
>>helpdesk staff.
>>
>>Basically, I really like what I see in MailScanner, and want to replace
>>our existing AMViS install with it. Currently AMViS redirects infected
>>messages to a quarantine address, and I'm trying to avoid changing the
>>procedure our helpdesk has become accustomed to.
>
>I've just taken a look at this, and it's not easy. I will try to come up
>with a solution but I can't make any promises. You are probably going to
>have to re-educate your helldesk staff. Sorry about that.

What about saving the message in mbox format and using an IMAP server which understands maildir. You will have every quarantined message in a separate folder, but it should work.

Or just use the forward possibility MS offers. And forward it to the mailbox of the helpdesk. Perhaps you could use a custom function to change the destination to something like helpdesk+@domain.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From drew at THEMARSHALLS.CO.UK Mon Feb 23 11:13:27 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:39 2006
Subject: What is the best High SpamAssassin Score
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C55B@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C55B@jessica.herefordshire.gov.uk>
Message-ID: <27243.194.70.180.170.1077534807.squirrel@net.themarshalls.co.uk>

Having only just realised that by running the latest stable SA I have automatic Bayes, I am just starting to play. So how do I change the autolearn thresholds?
I am very lucky with the amount of spam that hits the server (Postfix does some RBL at SMTP stage) but I have just enabled a couple of addresses that I used to use with Usenet which are being constantly spammed so I can get bayes to autolearn. Off the back of that I read last week that bayes wants 200 messages before it will start 'processing'. Now is that just 200 messages, in my instance autolearnt or do I also have to find it 200 ham messages? If so does it matter what or can I just pick 200 legitimate messages and feed the hungry beast?

Drew (Feeling stupid this morning)

Randal, Phil said:
> My threshold is 4.75 for low, 10.25 for high, autolearning at 9, with
> loads
> of rules, razor, pyzor, dcc. Bayes has been well-trained.
>
> A couple of spammers have tried to send us spam in batches of 100+ at a
> time, so they've been blacklisted.
>
> I found one (disputable) false positive in that high range in the last 3
> months.
>
> We still get a few false negatives, but new rules and Bayes usually catch
> them.
>
> Now, if only we could persuade our users not to subscribe to spammers'
> mailing lists. You know the ones, special deals and offers lists, nothing
> to do with work at all, and indistinguishable from the unsolicited stuff
> :-(
> Grrrrr.
>
> Cheers,
>
> Phil
> ---------------------------------------------
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>> Behalf Of Chris Yuzik
>> Sent: 22 February 2004 16:35
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: What is the best High SpamAssassin Score
>>
>>
>> Stuart Clark wrote:
>>
>> >What is the best High SpamAssassin Score?
>> >
>> >Without getting complaints from customers
>> >
>> Stuart,
>>
>> Unfortunately, the answer is not that simple--the "best" score depends
>> on a number of factors. Spamassassin has quite a few options
>> and can be
>> tweaked like crazy.
If you have Bayes running, that can increase the
>> score of spam. Also, DCC and Razor are great too. Perhaps even more
>> significantly, if you have added any additional rule sets, such as
>> BigEvil.cf, you catch more spam and will increase the scores
>> of spam as
>> well. (get it and others from
>> http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm)
> . It also
> depends on what you're going to do with your high spam--are you just
> tagging it and delivering it too? Or, if are you deleting it altogether,
> in which case you would want to be a bit more cautious.
>
> On my server, I have bayes, Razor, and DCC running along with a few
> custom rulesets. I am also using BigEvil.cf, popcorn.cf, weeds.cf, and a
> few others that I cannot remember right now.
>
> My thresholds are 5 points for spam and 15 points for high spam. I
> deliver spam as an attachment, but quarantine high spam for a couple of
> weeks; the user doesn't receive any notification of high-spam.
>
> Cheers,
> Chris
>

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From prandal at HEREFORDSHIRE.GOV.UK Mon Feb 23 11:22:42 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:39 2006
Subject: What is the best High SpamAssassin Score
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C55C@jessica.herefordshire.gov.uk>

In my /etc/MailScanner/MailScanner.conf:

# This replaces the SpamAssassin configuration value 'required_hits'.
# If a message achieves a SpamAssassin score higher than this value,
# it is spam. See also the High SpamAssassin Score configuration option.
# This can also be the filename of a ruleset, so the SpamAssassin
# required_hits value can be set to different values for different messages.
Required SpamAssassin Score = 4.75

# If a message achieves a SpamAssassin score higher than this value,
# then the "High Scoring Spam Actions" are used. You may want to use
# this to deliver moderate scores, while deleting very high scoring messsages.
# This can also be the filename of a ruleset.
High SpamAssassin Score = 10.25

Spamassassin needs to learn 200 spam before auto-learning kicks in, if I recall correctly.

I used Steve Freegard's MailWatch (http://mailwatch.sf.net) and fed spam to sa-learn from there.

Once Bayes is trained, it makes quite a difference.

Cheers,

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Drew Marshall
> Sent: 23 February 2004 11:13
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: What is the best High SpamAssassin Score
>
>
> Having only just realised that by running the latest stable SA I have
> automatic Bayes, I am just starting to play. So how do I change the
> autolearn thresholds? I am very lucky with the amount of spam
> that hits
> the server (Postfix does some RBL at SMTP stage) but I have
> just enabled a
> couple of addresses that I used to use with Usenet which are being
> contantly spammed so I can get bayes to autolearn. Off the
> back of that I
> read last week that bayes wants 200 messages before it will start
> 'processing'. Now is that just 200 messages, in my instance
> autolearnt or
> do I also have to find it 200 ham messages? If so does it
> matter what or
> can I just pick 200 legitimate messages and feed the hungry beast?
>
> Drew (Feeling stupid this morning)
>
> Randal, Phil said:
> > My threshold is 4.75 for low, 10.25 for high, autolearning
> at 9, with
> > loads
> > of rules, razor, pyzor, dcc. Bayes has been well-trained.
> >
> > A couple of spammers have tried to send us spam in batches
> of 100+ at a
> > time, so they've been blacklisted.
> >
> > I found one (disputable) false positive in that high range
> in the last 3
> > months.
> >
> > We still get a few false negatives, but new rules and Bayes
> usually catch
> > them.
> >
> > Now, if only we could persuade our users not to subscribe
> to spammers'
> > mailing lists. You know the ones, special deals and offers
> lists, nothing
> > to do with work at all, and indistinguishable from the
> unsolicited stuff
> > :-(
> > Grrrrr.
> >
> > Cheers,
> >
> > Phil
> > ---------------------------------------------
> > Phil Randal
> > Network Engineer
> > Herefordshire Council
> > Hereford, UK
> >
> >> -----Original Message-----
> >> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>> Behalf Of Chris Yuzik
>> Sent: 22 February 2004 16:35
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: What is the best High SpamAssassin Score
>>
>>
>> Stuart Clark wrote:
>>
>> >What is the best High SpamAssassin Score?
>> >
>> >Without getting complaints from customers
>> >
>> Stuart,
>>
>> Unfortunately, the answer is not that simple--the "best" score depends
>> on a number of factors. Spamassassin has quite a few options
>> and can be
>> tweaked like crazy. If you have Bayes running, that can increase the
>> score of spam. Also, DCC and Razor are great too. Perhaps even more
>> significantly, if you have added any additional rule sets, such as
>> BigEvil.cf, you catch more spam and will increase the scores
>> of spam as
>> well. (get it and others from
>> http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm)
> . It also
> depends on what you're going to do with your high spam--are you just
> tagging it and delivering it too? Or, if are you deleting it altogether,
> in which case you would want to be a bit more cautious.
>
> On my server, I have bayes, Razor, and DCC running along with a few
> custom rulesets.
I am also using BigEvil.cf, popcorn.cf, weeds.cf, and a
> few others that I cannot remember right now.
>
> My thresholds are 5 points for spam and 15 points for high spam. I
> deliver spam as an attachment, but quarantine high spam for a couple of
> weeks; the user doesn't receive any notification of high-spam.
>
> Cheers,
> Chris
>

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From jcorell at IPRUS.NET Mon Feb 23 00:44:00 2004
From: jcorell at IPRUS.NET (James Corell)
Date: Thu Jan 12 21:22:39 2006
Subject: No subject
Message-ID: <200402230044.i1N0i0fl002147@kili.jiscmail.ac.uk>

I installed the Message.pm patch Julian was so kind enough to send me to fix the dumaru-y problem, but now I'm experiencing a new strangeness in MailScanner. This message:

Feb 22 19:37:32 iprus MailScanner[6517]: MailScanner E-Mail Virus Scanner version 4.27.3 starting...
Feb 22 19:37:32 iprus MailScanner[6517]: Using locktype = flock
Feb 22 19:37:32 iprus MailScanner[6517]: New Batch: Scanning 1 messages, 1414 bytes
Feb 22 19:37:32 iprus MailScanner[6517]: Virus and Content Scanning: Starting
Feb 22 19:37:34 iprus MailScanner[6517]: >>> Virus 'EICAR-AV-Test' found in file ./i1N0aaH06417/eicar.com
Feb 22 19:37:34 iprus MailScanner[6517]: Virus Scanning: Sophos found 1 infections
Feb 22 19:37:34 iprus MailScanner[6517]: Infected message i1N0aaH06417 came from 198.31.178.118
Feb 22 19:37:34 iprus MailScanner[6517]: Virus Scanning: Found 1 viruses
Feb 22 19:37:34 iprus MailScanner[6517]: Filename Checks: Windows/DOS Executable (i1N0aaH06417 eicar.com)
Feb 22 19:37:34 iprus MailScanner[6517]: Other Checks: Found 1 problems
Feb 22 19:37:34 iprus MailScanner[6517]: Saved entire message to /var/spool/MailScanner/quarantine/20040222/i1N0aaH06417
Feb 22 19:37:34 iprus MailScanner[6517]: Saved infected "eicar.com" to /var/spool/MailScanner/quarantine/20040222/i1N0aaH06417

repeats
over and over in the maillog. I tracked a little bit of it down to the mqueue.in directory. Apparently, the message is scanned and quarantined, but not delivered/deleted from the mqueue.in directory.

Anyone know why?

(Also, Julian, are the header features in the Message.pm script you sent me included with the latest beta release of MailScanner?)

---
James Corell
E-P-C-S
111 West Mitchell, Suite E
Gaylord, MI 49735
(989) 732-1366

From mailscanner at ecs.soton.ac.uk Mon Feb 23 12:13:36 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:39 2006
Subject: No subject
In-Reply-To: <200402230044.i1N0i0fl002147@kili.jiscmail.ac.uk>
References: <200402230044.i1N0i0fl002147@kili.jiscmail.ac.uk>
Message-ID: <6.0.1.1.2.20040223121301.07c287f8@imap.ecs.soton.ac.uk>

At 00:44 23/02/2004, you wrote:
>I installed the Message.pm patch Julian was so kind enough to send me to fix
>the dumaru-y problem, but now I'm experiencing a new strangeness in
>MailScanner. This message:
>
>Feb 22 19:37:32 iprus MailScanner[6517]: MailScanner E-Mail Virus Scanner
>version 4.27.3 starting...
>Feb 22 19:37:32 iprus MailScanner[6517]: Using locktype = flock
>Feb 22 19:37:32 iprus MailScanner[6517]: New Batch: Scanning 1 messages,
>1414 bytes
>Feb 22 19:37:32 iprus MailScanner[6517]: Virus and Content Scanning:
>Starting
>Feb 22 19:37:34 iprus MailScanner[6517]: >>> Virus 'EICAR-AV-Test' found in
>file ./i1N0aaH06417/eicar.com
>Feb 22 19:37:34 iprus MailScanner[6517]: Virus Scanning: Sophos found 1
>infections
>Feb 22 19:37:34 iprus MailScanner[6517]: Infected message i1N0aaH06417 came
>from 198.31.178.118
>Feb 22 19:37:34 iprus MailScanner[6517]: Virus Scanning: Found 1 viruses
>Feb 22 19:37:34 iprus MailScanner[6517]: Filename Checks: Windows/DOS
>Executable (i1N0aaH06417 eicar.com)
>Feb 22 19:37:34 iprus MailScanner[6517]: Other Checks: Found 1 problems
>Feb 22 19:37:34 iprus MailScanner[6517]: Saved entire message to
>/var/spool/MailScanner/quarantine/20040222/i1N0aaH06417
>Feb 22 19:37:34 iprus MailScanner[6517]: Saved infected "eicar.com" to
>/var/spool/MailScanner/quarantine/20040222/i1N0aaH06417
>
>repeats over and over in the maillog. I tracked a little bit of it down to
>the mqueue.in directory. Apparently, the message is scanned and quarantined,
>but not delivered/deleted from the mqueue.in directory.
>
>Anyone know why?
>
>(Also, Julian, are the header features in the Message.pm script you sent me
>included with the latest beta release of MailScanner?)

Which header features were they? Can't remember.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Feb 23 12:33:11 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:39 2006
Subject: clamavmodule
Message-ID:

Hi,

I just switched from clamav-wrapper to clamavmodule (after teaching my perl to work with threads of course...). Everything seems to work but now I am wondering about the clamav options.
I had a look at clamav.conf and wanted to recheck with you guys. What are your settings? Is ScanMail and ScanArchives all I need? What archives will be scanned?

Regards,
JP

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Feb 23 12:35:28 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:39 2006
Subject: clamavmodule
Message-ID:

One more question: Do you use clamav-autoupdate or the freshclam-daemon?

From jclark at SKIDMORE.EDU Mon Feb 23 13:55:03 2004
From: jclark at SKIDMORE.EDU (jclark)
Date: Thu Jan 12 21:22:39 2006
Subject: '@' symbol in "stored.xxxxx.message.txt" files
In-Reply-To: <6.0.2.0.0.20040220170302.026ec7f8@mail.enhtech.com>
References: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> <40367E47.6060201@pacific.net> <6.0.2.0.0.20040220170302.026ec7f8@mail.enhtech.com>
Message-ID:

Third request of hopefully a simple question to this list:

We are running sendmail Version 8.11.7+Sun on a Solaris 8 V880, MailScanner-4.25-14. and perl, v5.6.1 built for sun4-solaris.

I am trying to include an e-mail address in the body of the "stored.virus.message.txt" and "stored.filename.message.txt".

When I include the '@' symbol in the text line, the whole line does not print. Any ideas? How do I print the '@' symbol in the files?

Jeff Clark

--
Jeffrey A.
Clark
Associate Director, CITS
Director, Enterprise Systems
Skidmore College
815 North Broadway
Saratoga Springs, NY 12866-1632
(518) 580-5929
E-mail: jclark@skidmore.edu

From mailscanner at ecs.soton.ac.uk Mon Feb 23 14:09:31 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:39 2006
Subject: '@' symbol in "stored.xxxxx.message.txt" files
In-Reply-To:
References: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> <40367E47.6060201@pacific.net> <6.0.2.0.0.20040220170302.026ec7f8@mail.enhtech.com>
Message-ID: <6.0.1.1.2.20040223140901.0388e1a0@imap.ecs.soton.ac.uk>

At 13:55 23/02/2004, you wrote:
>Third request of hopefully a simple question to this list:
>
>We are running sendmail Version 8.11.7+Sun on a Solaris 8 V880,
>MailScanner-4.25-14. and perl, v5.6.1 built for sun4-solaris.
>
>I am trying to include an e-mail address in the body of the
>"stored.virus.message.txt" and "stored.filename.message.txt".
>
>When I include the '@' symbol in the text line, the whole line does not
>print. Any ideas? How do I print the '@' symbol in the files?

The quick workaround is to use
        \@
instead of
        @

But I'm going to take a look at the code as it should already do this substitution for you.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 23 14:14:31 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:39 2006
Subject: '@' symbol in "stored.xxxxx.message.txt" files
In-Reply-To: <6.0.1.1.2.20040223140901.0388e1a0@imap.ecs.soton.ac.uk>
References: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> <40367E47.6060201@pacific.net> <6.0.2.0.0.20040220170302.026ec7f8@mail.enhtech.com> <6.0.1.1.2.20040223140901.0388e1a0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040223141318.03edc5b8@imap.ecs.soton.ac.uk>

At 14:09 23/02/2004, you wrote:
>At 13:55 23/02/2004, you wrote:
>>Third request of hopefully a simple question to this list:
>>
>>We are running sendmail Version 8.11.7+Sun on a Solaris 8 V880,
>>MailScanner-4.25-14. and perl, v5.6.1 built for sun4-solaris.
>>
>>I am trying to include an e-mail address in the body of the
>>"stored.virus.message.txt" and "stored.filename.message.txt".
>>
>>When I include the '@' symbol in the text line, the whole line does not
>>print. Any ideas? How do I print the '@' symbol in the files?
>
>The quick workaround is to use
>        \@
>instead of
>        @
>
>But I'm going to take a look at the code as it should already do this
>substitution for you.

I have just found that a line containing no backslash works fine, while a line with a backslash doesn't print, which is understandable. So if I put in an email address like helpdesk@ecs.soton.ac.uk it works fine.

Are you getting the reverse behaviour?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From simon at ADVANTAGE-INTERACTIVE.COM Mon Feb 23 14:30:19 2004
From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick)
Date: Thu Jan 12 21:22:39 2006
Subject: Email virus getting past MailScanner
Message-ID: <1077546618.4798.10.camel@localhost>

I'm running MailScanner version 4.27.3 along with f-prot virus scanner and for some reason one variation of Dumaru.Y@mm (according to f-prot) is getting through despite f-prot picking it up ok when it scans the full email. I've attached a password protected zipfile containing a copy of the email, to me it looks like very badly encoded MIME which may be getting past, is there any current solution apart from blacklisting based on other parts of the email?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: virus.zip
Type: application/zip
Size: 18057 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040223/c95f4659/virus.zip

From maillists at CONACTIVE.COM Mon Feb 23 14:31:31 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:39 2006
Subject: clamavmodule
In-Reply-To:
References:
Message-ID:

Jan-Peter Koopmann wrote on Mon, 23 Feb 2004 13:33:11 +0100:

> ScanMail and
> ScanArchives
>

I think you don't need anything there, it looks like that file is only used by clamd.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Mon Feb 23 14:31:32 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:39 2006
Subject: clamavmodule
In-Reply-To:
References:
Message-ID:

Jan-Peter Koopmann wrote on Mon, 23 Feb 2004 13:35:28 +0100:

> clamav-autoupdate or the freshclam-daemon
>

None, MS does it.
Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Mon Feb 23 14:31:32 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:39 2006
Subject: Emailing quarantined emails
In-Reply-To: <20040221211110.GA7057@gbcomputers.com>
References: <20040220193427.GA30431@gbcomputers.com> <1077331933.4345.38.camel@localhost.localdomain> <20040221211110.GA7057@gbcomputers.com>
Message-ID:

Gregg Berkholtz wrote on Sat, 21 Feb 2004 13:11:10 -0800:

> I'm trying to avoid changing the
> procedure our helpdesk has become accustomed to.
>

You could start using Mailwatch and tell your Helpdesk to release messages via its web interface.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Mon Feb 23 14:31:32 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:39 2006
Subject: Which SA rule set considered "Best Practice"?
In-Reply-To:
References: <91A5926EFF44D3118B1200104B7276EB02C56C83@hart-exchange.hartwellcorp.com> <6.0.0.22.0.20040220185621.0204e3c8@xanadu.evi-inc.com>
Message-ID:

John Rudd wrote on Sat, 21 Feb 2004 07:52:15 -0800:

> Which ones are you using?
>

We use dnsbl.sorbs.org, dnsbl.njabl.net and list.dsbl.org, in that order. Here's a breakdown from our log since last log rotation. Since Dsbl is called after Njabl and Njabl called after Sorbs it doesn't give an accurate count of the usability of the RBLs. Njabl usually catches almost as much as Sorbs, so in parallel it might be something like 427/400.
DSBL is just used because I couldn't find a better one yet, we could just stop using it, it doesn't matter much, so the figure for it is more accurate ;-)

bogus HELO......: 345
bogus From/ID...: 4
RBL Sorbs.......: 427
RBL Njabl.......: 127
RBL Dsbl........: 11
Access denied...: 1755
mailbox disabled: 353

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From maillists at CONACTIVE.COM Mon Feb 23 14:31:32 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:39 2006
Subject: Which SA rule set considered "Best Practice"?
In-Reply-To: <4037CCD0.7060503@eatathome.com.au>
References: <91A5926EFF44D3118B1200104B7276EB02C56C83@hart-exchange.hartwellcorp.com> <6.0.0.22.0.20040220185621.0204e3c8@xanadu.evi-inc.com> <403767EB.7030708@eatathome.com.au> <4037CCD0.7060503@eatathome.com.au>
Message-ID:

Pete wrote on Sun, 22 Feb 2004 08:25:36 +1100:

> Nah i think from autolearning it learns incorrectly (poisoned?) and then
> score mail inappropriately. I think i will use auto learn but re create
> the DBs once a month.
>

No. I suggest you subscribe to the SA list and just read a while. Will give you a good impression of how the Bayes engine works.
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From simon at ADVANTAGE-INTERACTIVE.COM Mon Feb 23 14:32:20 2004 From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:22:39 2006 Subject: MailScanner not parsing dumaru-y MIME headers In-Reply-To: <6.0.1.1.2.20040221103044.04009ec0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040221103044.04009ec0@imap.ecs.soton.ac.uk> Message-ID: <1077546740.4798.12.camel@localhost> I've just sent a copy of this to the list in a different thread having not seen this one until afterwards :) It's in a password protected zipfile) On Sat, 2004-02-21 at 10:31, Julian Field wrote: > Yes please, send me a copy in a password-protected zip file. Please > remember to tell me what the password is! :-) > > At 22:37 20/02/2004, you wrote: > >Julian: > > > >Running MailScanner-4.27.3-1, rpm version > >Running sendmail 8 on RedHat 6.2 with latest rpm-build > >Running Sophos 3.79 > > > >Installed latest version of MailScanner to fix MIME header parsing problem > >(MyDoom-A viruses not being found). However, I have been seeing dumaru-y > >viruses pass through MailScanner with "Clean" headers. When the mail ends up > >in Outlook Express, however, OE finds the attachment and it's up to the > >client virus scanner to find dumaru-y. > > > >I have several copies of the virus-infected email message with full headers > >stored on the mail server. If you would like to see them, I can attach the > >file and send it to you. > > > >I thought the latest version of MailScanner was supposed to fix this? > >Anybody else having this problem? 
> > > >James Corell > >E-P-C-S > >111 West Mitchell, Suite E > >Gaylord, MI 49735 > >(989) 732-1366 > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Jan-Peter.Koopmann at SECEIDOS.DE Mon Feb 23 14:36:37 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:39 2006 Subject: clamavmodule Message-ID: Hi Kai, > I think you don't need anything there, it looks like that > file is only used by clamd. Correct me if I am wrong but the clamavmodule itself (not MS) uses clamd. And clamd gets its options from clamd.conf... Regards, JP From mailscanner at ecs.soton.ac.uk Mon Feb 23 14:43:53 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:39 2006 Subject: MailScanner not parsing dumaru-y MIME headers In-Reply-To: <1077546740.4798.12.camel@localhost> References: <6.0.1.1.2.20040221103044.04009ec0@imap.ecs.soton.ac.uk> <1077546740.4798.12.camel@localhost> Message-ID: <6.0.1.1.2.20040223144309.03ec31e0@imap.ecs.soton.ac.uk> Please try this patch to Message.pm. I have tried to post a new Message.pm a couple of times already, but it seems to disappear down the toilet :-( At 14:32 23/02/2004, you wrote: >I've just sent a copy of this to the list in a different thread having >not seen this one until afterwards :) It's in a password protected >zipfile) > >On Sat, 2004-02-21 at 10:31, Julian Field wrote: > > Yes please, send me a copy in a password-protected zip file. Please > > remember to tell me what the password is! :-) > > > > At 22:37 20/02/2004, you wrote: > > >Julian: > > > > > >Running MailScanner-4.27.3-1, rpm version > > >Running sendmail 8 on RedHat 6.2 with latest rpm-build > > >Running Sophos 3.79 > > > > > >Installed latest version of MailScanner to fix MIME header parsing problem > > >(MyDoom-A viruses not being found). 
However, I have been seeing dumaru-y > > >viruses pass through MailScanner with "Clean" headers. When the mail > ends up > > >in Outlook Express, however, OE finds the attachment and it's up to the > > >client virus scanner to find dumaru-y. > > > > > >I have several copies of the virus-infected email message with full > headers > > >stored on the mail server. If you would like to see them, I can attach the > > >file and send it to you. > > > > > >I thought the latest version of MailScanner was supposed to fix this? > > >Anybody else having this problem? > > > > > >James Corell > > >E-P-C-S > > >111 West Mitchell, Suite E > > >Gaylord, MI 49735 > > >(989) 732-1366 > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- A non-text attachment was scrubbed... Name: Message.pm.patch Type: application/octet-stream Size: 1158 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040223/316926f4/Message.pm.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Jan-Peter.Koopmann at SECEIDOS.DE Mon Feb 23 14:45:10 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:39 2006 Subject: clamavmodule Message-ID: I take that back. I misread this somewhere. If this does not use clamd however this raises a new question: Why is the module supposed to be faster? 
Regards, JP From mailscanner at ecs.soton.ac.uk Mon Feb 23 14:46:29 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:39 2006 Subject: clamavmodule In-Reply-To: References: Message-ID: <6.0.1.1.2.20040223144600.03ed1c38@imap.ecs.soton.ac.uk> At 14:36 23/02/2004, you wrote: >Hi Kai, > > > I think you don't need anything there, it looks like that > > file is only used by clamd. > >Correct me if I am wrong but the clamavmodule itself (not MS) uses >clamd. And clamd gets its options from clamd.conf... clamavmodule does not use clamd. It calls a library, similar to the way the sophossavi interface works. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Feb 23 14:49:55 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:39 2006 Subject: clamavmodule In-Reply-To: References: Message-ID: <6.0.1.1.2.20040223144742.03f3ce90@imap.ecs.soton.ac.uk> At 14:45 23/02/2004, you wrote: >I take that back. I misread this somewhere. If this does not use clamd >however this raises a new question: Why is the module supposed to be >faster? Don't have to wait for the command-line program to start up for each batch of messages. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From g.pentland at SOTON.AC.UK Mon Feb 23 14:50:47 2004 From: g.pentland at SOTON.AC.UK (Pentland G.) Date: Thu Jan 12 21:22:39 2006 Subject: spam.actions.rules Message-ID: All, Just doing some testing with a few friendly guinea pig users and noticed something not quite as I would expect. 
In Mailscanner.conf Spam Actions = /opt/local/mailscanner/etc/rules/spam.actions.rules In spam.actions.rules To: gp397@soton.ac.uk delete To: g.pentland@soton.ac.uk delete To: jw@soton.ac.uk delete To: J.Watts@soton.ac.uk delete To: eks@soton.ac.uk delete To: E.K.Struzyna@soton.ac.uk delete To: lb3@soton.ac.uk delete To: L.Williams@soton.ac.uk delete FromorTo: default deliver BUT... Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: from=, size=3898, class=0, nrcpts=5, msgid=<000611d7be47$dab24652$21337435@efvfxrq.qdi>, proto=SMTP, daemon=MTA, relay=adsl-065-082-235-059.sip.btr.bellsouth.net [65.82.235.59] Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: to=, delay=00:00:02, mailer=esmtp, pri=153898, stat=queued Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: to=, delay=00:00:02, mailer=esmtp, pri=153898, stat=queued Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: to=, delay=00:00:02, mailer=esmtp, pri=153898, stat=queued Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: to=, delay=00:00:02, mailer=esmtp, pri=153898, stat=queued Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: to=, delay=00:00:02, mailer=esmtp, pri=153898, stat=queued Feb 23 14:01:01 mta2.sucs.soton.ac.uk MailScanner[22254]: Message i1NE0s7s010428 from 65.82.235.59 (acutebabe192kkoy@aol.com) to soton.ac.uk is spam, SpamAssassin (score=46.611, required 5, BIZ_TLD 0.78, CLICK_BELOW_CAPS 0.57, COMPLETELY_FREE 0.74, DATE_IN_FUTURE_03_06 2.83, EXCUSE_14 0.15, EXCUSE_16 0.17, FAKE_HELO_AOL 1.88, FORGED_MUA_EUDORA 1.91, HTML_60_70 0.10, HTML_FONTCOLOR_RED 0.10, HTML_FONT_BIG 0.10, HTML_IMAGE_ONLY_08 0.84, HTML_IMAGE_RATIO_06 0.32, HTML_LINK_CLICK_CAPS 0.50, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, HTML_TAG_EXISTS_TBODY 0.10, MAILTO_TO_REMOVE 0.04, MAILTO_TO_SPAM_ADDR 1.05, MIME_HTML_ONLY 0.10, MSGID_OUTLOOK_INVALID 4.30, MSGID_SPAM_99X9XX99 4.30, NO_REAL_NAME 0.28, 
RATWARE_HASH_DASH 4.30, RCVD_FAKE_HELO_DOTCOM 1.35, RCVD_IN_BL_SPAMCOP_NET 2.25, RCVD_IN_DSBL 1.10, RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_PROXY 1.10, RCVD_IN_OPM 4.30, RCVD_IN_OPM_SOCKS 4.30, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_HTTP 1.10, RCVD_IN_SORBS_SOCKS 1.10, REMOVE_SUBJ 0.05, SUBJ_HAS_SPACES 0.97, SUBJ_HAS_UNIQ_ID 0.21, SUSPICIOUS_RECIPS 3.00) Feb 23 14:01:01 mta2.sucs.soton.ac.uk MailScanner[22254]: Spam Actions: message i1NE0s7s010428 actions are deliver and j.watts@soton.ac.uk received this despite the rule set above, is it as simple as being case sensitive (I hope not). Any ideas/advice would be most useful. Gary From Jan-Peter.Koopmann at SECEIDOS.DE Mon Feb 23 14:52:52 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:39 2006 Subject: MailScanner not parsing dumaru-y MIME headers Message-ID: Hi Julian, > Please try this patch to Message.pm. I have tried to post a > new Message.pm a couple of times already, but it seems to > disappear down the toilet :-( Hmm. Haven't seen this one myself. It is not part of 4.27.4 is it? Is this "stable" enough to be patched into the FreeBSD development port 4.27.4? Regards, JP
From Cleveland at WINNEFOX.ORG Mon Feb 23 15:01:19 2004 From: Cleveland at WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:22:39 2006 Subject: Emailing quarantined emails Message-ID: <7D3DDF19D93C3642931C3EB8803165A959F881@mail.winnefox.org> > You could start using Mailwatch and tell your Helpdesk to > release messages > via it's web interface. I've tried that, but all it does is re-quarantine itself. Jody From JPowers at FERNO.COM Mon Feb 23 14:50:33 2004 From: JPowers at FERNO.COM (Powers, Jason) Date: Thu Jan 12 21:22:40 2006 Subject: MailScanner not parsing dumaru-y MIME headers Message-ID: Can you provide basic instructions on the proper way to patch message.pm? Sorry for the stupid question, I'm a newbie. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, February 23, 2004 9:44 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner not parsing dumaru-y MIME headers Please try this patch to Message.pm. I have tried to post a new Message.pm a couple of times already, but it seems to disappear down the toilet :-( At 14:32 23/02/2004, you wrote: >I've just sent a copy of this to the list in a different thread having >not seen this one until afterwards :) It's in a password protected >zipfile) > >On Sat, 2004-02-21 at 10:31, Julian Field wrote: > > Yes please, send me a copy in a password-protected zip file. Please > > remember to tell me what the password is! :-) > > > > At 22:37 20/02/2004, you wrote: > > >Julian: > > > > > >Running MailScanner-4.27.3-1, rpm version > > >Running sendmail 8 on RedHat 6.2 with latest rpm-build > > >Running Sophos 3.79 > > > > > >Installed latest version of MailScanner to fix MIME header parsing problem > > >(MyDoom-A viruses not being found). 
However, I have been seeing dumaru-y > > >viruses pass through MailScanner with "Clean" headers. When the mail > ends up > > >in Outlook Express, however, OE finds the attachment and it's up to the > > >client virus scanner to find dumaru-y. > > > > > >I have several copies of the virus-infected email message with full > headers > > >stored on the mail server. If you would like to see them, I can attach the > > >file and send it to you. > > > > > >I thought the latest version of MailScanner was supposed to fix this? > > >Anybody else having this problem? > > > > > >James Corell > > >E-P-C-S > > >111 West Mitchell, Suite E > > >Gaylord, MI 49735 > > >(989) 732-1366 > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Declan.Grady at NUVOTEM.COM Mon Feb 23 15:03:38 2004 From: Declan.Grady at NUVOTEM.COM (Declan Grady) Date: Thu Jan 12 21:22:40 2006 Subject: Notifying one domain of virus received from them ? Message-ID: <200402231503.38688.Declan.Grady@nuvotem.com> Hi, After all the recent discussions about not sending virus notifications, I had my Mailscanner (4.23.11) set to 'Notify Senders Of Viruses = no' Now I find I need to set this to ruleset, to notify our sister-company, who keep getting infected with some JS signature virii. I have set the following: 'Notify Senders Of Viruses = %rules-dir%/virus.notify.senders' and in this file virus.notify.senders, I have 2 lines: From: domain.to.notify yes FromOrTo: default no Please tell me I'm right, as I have not yet used the ruleset facility in MailScanner. 
thanks,
Declan

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Feb 23 15:12:44 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:40 2006
Subject: MailScanner not parsing dumaru-y MIME headers
Message-ID:

Save the patch to /tmp/Message.pm.patch
Change to the directory that contains Message.pm.
patch < /tmp/Message.pm.patch

That should (!) do it.

Regards,
JP

From simon at ADVANTAGE-INTERACTIVE.COM Mon Feb 23 15:14:16 2004
From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick)
Date: Thu Jan 12 21:22:40 2006
Subject: MailScanner not parsing dumaru-y MIME headers
In-Reply-To: <6.0.1.1.2.20040223144309.03ec31e0@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040221103044.04009ec0@imap.ecs.soton.ac.uk> <1077546740.4798.12.camel@localhost> <6.0.1.1.2.20040223144309.03ec31e0@imap.ecs.soton.ac.uk>
Message-ID: <1077549256.4798.14.camel@localhost>

That appears to work fine, it detected the re-insertion I did, a genuine one comes through every morning though so I'll have a live test early tomorrow.

Thanks for the excellent help!

On Mon, 2004-02-23 at 14:43, Julian Field wrote:
> Please try this patch to Message.pm. I have tried to post a new Message.pm
> a couple of times already, but it seems to disappear down the toilet :-(
>
>
> At 14:32 23/02/2004, you wrote:
> >I've just sent a copy of this to the list in a different thread having
> >not seen this one until afterwards :) It's in a password protected
> >zipfile)
> >
> >On Sat, 2004-02-21 at 10:31, Julian Field wrote:
> > > Yes please, send me a copy in a password-protected zip file. Please
> > > remember to tell me what the password is! :-)
> > >
> > > At 22:37 20/02/2004, you wrote:
> > > >Julian:
> > > >
> > > >Running MailScanner-4.27.3-1, rpm version
> > > >Running sendmail 8 on RedHat 6.2 with latest rpm-build
> > > >Running Sophos 3.79
> > > >
> > > >Installed latest version of MailScanner to fix MIME header parsing problem
> > > >(MyDoom-A viruses not being found).
> > > >However, I have been seeing dumaru-y
> > > >viruses pass through MailScanner with "Clean" headers. When the mail
> > ends up
> > > >in Outlook Express, however, OE finds the attachment and it's up to the
> > > >client virus scanner to find dumaru-y.
> > > >
> > > >I have several copies of the virus-infected email message with full
> > headers
> > > >stored on the mail server. If you would like to see them, I can attach the
> > > >file and send it to you.
> > > >
> > > >I thought the latest version of MailScanner was supposed to fix this?
> > > >Anybody else having this problem?
> > > >
> > > >James Corell
> > > >E-P-C-S
> > > >111 West Mitchell, Suite E
> > > >Gaylord, MI 49735
> > > >(989) 732-1366
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > Professional Support Services at www.MailScanner.biz
> > > MailScanner thanks transtec Computers for their support
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > ______________________________________________________________________
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Denis.Beauchemin at USHERBROOKE.CA Mon Feb 23 15:15:48 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:40 2006
Subject: Emailing quarantined emails
In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A959F881@mail.winnefox.org>
References: <7D3DDF19D93C3642931C3EB8803165A959F881@mail.winnefox.org>
Message-ID: <1077549348.25666.272.camel@dbeauchemin.sti.usherbrooke.ca>

On Mon 23/02/2004 at 10:01, Jody Cleveland wrote:
> > You could start using Mailwatch and tell your Helpdesk to
> > release messages
> > via it's web interface.
>
> I've tried that, but all it does is re-quarantine itself.
>
> Jody

I've begun seeing the same behaviour on my RH9 server (the others are running 7.3) with "sendmail -t -oi

From g.pentland at soton.ac.uk Mon Feb 23 15:17:23 2004
From: g.pentland at soton.ac.uk (Pentland G.)
Date: Thu Jan 12 21:22:40 2006
Subject: spam.actions.rules DOH!
Message-ID:

Whoops...

In Mailscanner.conf

High SpamAssassin Score = 20
High Scoring Spam Actions = deliver

Our default was still on for high scoring Spam

Sorry to clog the list, thought I had...

High SpamAssassin Score = 100

...but obviously reverted it later as the action is the same.

Gary

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Feb 23 15:18:02 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:40 2006
Subject: Emailing quarantined emails
Message-ID:

> I've tried that, but all it does is re-quarantine itself.

Been there... :-)

Make filename and filetype checks dependent on who is sending the stuff. Instead of

Filename Rules = %etc-dir%/filename.conf
Filetype Rules = %etc-dir%/filetype.conf

do something like

Filename Rules = %etc-dir%/rules/filename.rules
Filetype Rules = %etc-dir%/rules/filetype.rules

Create two sets of filename.conf/filetype.conf files (e.g. filename.rules.release.conf and filetype.rules.release.conf). In the .release.conf files allow all files that you want to be able to release from the Quarantine. Then in filename.rules put something like

From: postmaster@yourdomain.com /usr/local/etc/MailScanner/filename.rules.release.conf
FromOrTo: default /usr/local/etc/MailScanner/filename.rules.conf

In MailWatch conf.php adjust the QUARANTINE_FROM_ADDR to match the one in the rules-file:

define(QUARANTINE_FROM_ADDR, 'postmaster@yourdomain.com');

That should do the trick.
Regards,
JP

From Denis.Beauchemin at USHERBROOKE.CA Mon Feb 23 15:42:13 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:40 2006
Subject: Emailing quarantined emails
In-Reply-To:
References:
Message-ID: <1077550933.25666.277.camel@dbeauchemin.sti.usherbrooke.ca>

On Mon 23/02/2004 at 10:18, Jan-Peter Koopmann wrote:
> > I've tried that, but all it does is re-quarantine itself.
>
> Been there... :-)
>
> Make filename and filetype checks dependent on who is sending the stuff.
> Instead of
>
> Filename Rules = %etc-dir%/filename.conf
> Filetype Rules = %etc-dir%/filetype.conf
>
> do something like
>
> Filename Rules = %etc-dir%/rules/filename.rules
> Filetype Rules = %etc-dir%/rules/filetype.rules
>
> Create two sets of filename.conf/filetype.conf files (e.g.
> filename.rules.release.conf and filetype.rules.release.conf). In the
> .release.conf files allow all files that you want to be able to release
> from the Quarantine. Then in filename.rules put something like
>
> From: postmaster@yourdomain.com
> /usr/local/etc/MailScanner/filename.rules.release.conf
> FromOrTo: default
> /usr/local/etc/MailScanner/filename.rules.conf
>
> In MailWatch conf.php adjust the QUARANTINE_FROM_ADDR to match the one
> in the rules-file:
>
> define(QUARANTINE_FROM_ADDR, 'postmaster@yourdomain.com');
>
> That should do the trick.
>
> Regards,
> JP

Am I right in thinking that any email with an envelope from equal to postmaster@yourdomain.com would then bypass the filename rules? If so I would not want to implement it because it would be too risky to let some viruses through. If I was able to restrict it only from localhost, then maybe... but I don't think this is feasible.

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045 From Anjana.Patel at CRANFIELD.AC.UK Mon Feb 23 15:54:05 2004 From: Anjana.Patel at CRANFIELD.AC.UK (Patel, Anjana) Date: Thu Jan 12 21:22:40 2006 Subject: MailScanner not parsing dumaru-y MIME headers Message-ID: > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 23 February 2004 14:44 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner not parsing dumaru-y MIME headers > > Please try this patch to Message.pm. I have tried to post a new Message.pm > a couple of times already, but it seems to disappear down the toilet :-( > Julian, The 'sample Dumaru.y' virus sent to the list by Simon Dick got past our version of mailscanner (v 4.26-8 ,RedHat 7.3, exim v3). Can the patch you posted to the list be applied to this version as well? Anjana From Matthew.Day at BUCKINGHAM.AC.UK Mon Feb 23 16:02:17 2004 From: Matthew.Day at BUCKINGHAM.AC.UK (Matthew Day) Date: Thu Jan 12 21:22:40 2006 Subject: Spam lists to reach low spam? Message-ID: <0EAE842EEAA4D711A05C00B0D0FED1D57B11@GILA> All I'm aware that the number of RBLs required to mark a message as high spam can be controlled via the MailScanner.conf line: "Spam Lists To Reach High Score = 2" Is it possible to change the number of RBLs required to mark a message as low spam? Best Matthew Day University of Buckingham From mailscanner at ecs.soton.ac.uk Mon Feb 23 14:58:47 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:40 2006 Subject: spam.actions.rules In-Reply-To: References: Message-ID: <6.0.1.1.2.20040223145518.03ed9170@imap.ecs.soton.ac.uk> What you have just witnessed is a problem raised by having messages with multiple recipients. MailScanner doesn't generate mail messages, so if you have 5 recipients with different actions, it has to make some decision. In this case, I believe it uses the result from the 1st recipient. 
Take a look in the Advanced Settings section of MailScanner.conf where you will find this:

# When trying to work out the value of configuration parameters which are
# using a ruleset, this controls the behaviour when a rule is checking the
# "To:" addresses.
# If this option is set to "yes", then the following happens when checking
# the ruleset:
#   a) 1 recipient. Same behaviour as normal.
#   b) Several recipients, but all in the same domain (domain.com for example).
#      The rules are checked for one that matches the string "*@domain.com".
#   c) Several recipients, not all in the same domain.
#      The rules are checked for one that matches the string "*@*".
#
# If this option is set to "no", then some rules will use the result they
# get from the first matching rule for any of the recipients of a message,
# so the exact value cannot be predicted for messages with more than 1
# recipient.
#
# This value *cannot* be the filename of a ruleset.
Use Default Rules With Multiple Recipients = no

Use of this option makes the behaviour predictable, as the order of the recipients doesn't matter.

The other way of solving it is to use sendmail "Queue Groups" to limit the number of recipients per message to a maximum of 1. How to do this has been discussed here in the past, should be in the list archive.

At 14:50 23/02/2004, you wrote:
>All,
>
>Just doing some testing with a few friendly guinea pig users and noticed
>something not quite as I would expect.
>
>In Mailscanner.conf
>
>Spam Actions = /opt/local/mailscanner/etc/rules/spam.actions.rules
>
>In spam.actions.rules
>
>To: gp397@soton.ac.uk delete
>To: g.pentland@soton.ac.uk delete
>To: jw@soton.ac.uk delete
>To: J.Watts@soton.ac.uk delete
>To: eks@soton.ac.uk delete
>To: E.K.Struzyna@soton.ac.uk delete
>To: lb3@soton.ac.uk delete
>To: L.Williams@soton.ac.uk delete
>FromorTo: default deliver
>
>BUT...
> >Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: >from=, size=3898, class=0, nrcpts=5, >msgid=<000611d7be47$dab24652$21337435@efvfxrq.qdi>, proto=SMTP, >daemon=MTA, relay=adsl-065-082-235-059.sip.btr.bellsouth.net >[65.82.235.59] >Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: >to=, delay=00:00:02, mailer=esmtp, pri=153898, >stat=queued >Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: >to=, delay=00:00:02, mailer=esmtp, pri=153898, >stat=queued >Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: >to=, delay=00:00:02, mailer=esmtp, pri=153898, >stat=queued >Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: >to=, delay=00:00:02, mailer=esmtp, pri=153898, >stat=queued >Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: >to=, delay=00:00:02, mailer=esmtp, pri=153898, >stat=queued >Feb 23 14:01:01 mta2.sucs.soton.ac.uk MailScanner[22254]: Message >i1NE0s7s010428 from 65.82.235.59 (acutebabe192kkoy@aol.com) to >soton.ac.uk is spam, SpamAssassin (score=46.611, required 5, BIZ_TLD >0.78, CLICK_BELOW_CAPS 0.57, COMPLETELY_FREE 0.74, DATE_IN_FUTURE_03_06 >2.83, EXCUSE_14 0.15, EXCUSE_16 0.17, FAKE_HELO_AOL 1.88, >FORGED_MUA_EUDORA 1.91, HTML_60_70 0.10, HTML_FONTCOLOR_RED 0.10, >HTML_FONT_BIG 0.10, HTML_IMAGE_ONLY_08 0.84, HTML_IMAGE_RATIO_06 0.32, >HTML_LINK_CLICK_CAPS 0.50, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, >HTML_TAG_EXISTS_TBODY 0.10, MAILTO_TO_REMOVE 0.04, MAILTO_TO_SPAM_ADDR >1.05, MIME_HTML_ONLY 0.10, MSGID_OUTLOOK_INVALID 4.30, >MSGID_SPAM_99X9XX99 4.30, NO_REAL_NAME 0.28, RATWARE_HASH_DASH 4.30, >RCVD_FAKE_HELO_DOTCOM 1.35, RCVD_IN_BL_SPAMCOP_NET 2.25, RCVD_IN_DSBL >1.10, RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_PROXY 1.10, RCVD_IN_OPM 4.30, >RCVD_IN_OPM_SOCKS 4.30, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_HTTP 1.10, >RCVD_IN_SORBS_SOCKS 1.10, REMOVE_SUBJ 0.05, SUBJ_HAS_SPACES 0.97, >SUBJ_HAS_UNIQ_ID 0.21, SUSPICIOUS_RECIPS 3.00) >Feb 23 
14:01:01 mta2.sucs.soton.ac.uk MailScanner[22254]: Spam Actions: >message i1NE0s7s010428 actions are deliver > >and j.watts@soton.ac.uk received this despite the rule set above, is it >as simple as being case sensitive (I hope not). > >Any ideas/advice would be most useful. > >Gary -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Feb 23 14:54:14 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:40 2006 Subject: MailScanner not parsing dumaru-y MIME headers In-Reply-To: References: Message-ID: <6.0.1.1.2.20040223145359.03bcd7d8@imap.ecs.soton.ac.uk> At 14:52 23/02/2004, you wrote: >Hi Julian, > > > Please try this patch to Message.pm. I have tried to post a > > new Message.pm a couple of times already, but it seems to > > disappear down the toilet :-( > >Hmm. Haven't seen this one myself. It is not part of 4.27.4 is it? No, I wrote it yesterday. > Is >this "stable" enough to be patched into the FreeBSD development port >4.27.4? Yes. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From steve.swaney at FSL.COM Mon Feb 23 16:21:28 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:40 2006 Subject: Spam lists to reach low spam? In-Reply-To: <0EAE842EEAA4D711A05C00B0D0FED1D57B11@GILA> Message-ID: <20040223162123.96E0F21C137@mail.fsl.com> Matt, Unfortunately no. Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Matthew Day > Sent: Monday, February 23, 2004 11:02 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Spam lists to reach low spam? 
>
> All
>
> I'm aware that the number of RBLs required to mark a message as high spam
> can be controlled via the MailScanner.conf line:
> "Spam Lists To Reach High Score = 2"
>
> Is it possible to change the number of RBLs required to mark a message as
> low spam?
>
> Best
>
> Matthew Day
> University of Buckingham
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean.
Fortress Systems Ltd. - http://www.fsl.com

From mailscanner at ecs.soton.ac.uk Mon Feb 23 16:22:49 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:40 2006
Subject: Spam lists to reach low spam?
In-Reply-To: <0EAE842EEAA4D711A05C00B0D0FED1D57B11@GILA>
References: <0EAE842EEAA4D711A05C00B0D0FED1D57B11@GILA>
Message-ID: <6.0.1.1.2.20040223162228.0b7dd168@imap.ecs.soton.ac.uk>

At 16:02 23/02/2004, you wrote:
>All
>
>I'm aware that the number of RBLs required to mark a message as high spam
>can be controlled via the MailScanner.conf line:
>"Spam Lists To Reach High Score = 2"
>
>Is it possible to change the number of RBLs required to mark a message as
>low spam?

No. If you want to do more fancy calculations with RBLs then use SpamAssassin rules to do it.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 23 16:21:22 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:40 2006
Subject: Notifying one domain of virus received from them ?
In-Reply-To: <200402231503.38688.Declan.Grady@nuvotem.com>
References: <200402231503.38688.Declan.Grady@nuvotem.com>
Message-ID: <6.0.1.1.2.20040223162030.0b82c6d0@imap.ecs.soton.ac.uk>

That's fine.
The separators don't need to be tabs, any old spaces will do.

The only times that tabs are required are in filename.rules.conf and filetype.rules.conf.

At 15:03 23/02/2004, you wrote:
>Hi,
>After all the recent discussions about not sending virus notifications, I had
>my Mailscanner (4.23.11) set to 'Notify Senders Of Viruses = no'
>
>Now I find I need to set this to ruleset, to notify our sister-company, who
>keep getting infected with some JS signature virii.
>
>I have set the following:
>'Notify Senders Of Viruses = %rules-dir%/virus.notify.senders'
>
>and in this file virus.notify.senders, I have 2 lines:
>
>From: domain.to.notify yes
>FromOrTo: default no
>
>Please tell me I'm right, as I have not yet used the ruleset facility in
>MailScanner.
>
>thanks,
>Declan

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Feb 23 16:22:07 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:40 2006
Subject: MailScanner not parsing dumaru-y MIME headers
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040223162202.0b79d2e8@imap.ecs.soton.ac.uk>

At 15:54 23/02/2004, you wrote:
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: 23 February 2004 14:44
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: MailScanner not parsing dumaru-y MIME headers
> >
> > Please try this patch to Message.pm. I have tried to post a new
>Message.pm
> > a couple of times already, but it seems to disappear down the toilet
>:-(
> >
>
>Julian,
>
>The 'sample Dumaru.y' virus sent to the list by Simon Dick got past our
>version of mailscanner (v 4.26-8 ,RedHat 7.3, exim v3). Can the patch
>you posted to the list be applied to this version as well?

Yes.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mikes at HARTWELLCORP.COM Mon Feb 23 16:49:06 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:40 2006
Subject: Which SA rule set considered "Best Practice"?
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C91@hart-exchange.hartwellcorp.com>

Kai Schaetzl wrote:
>> 1) Enable DNSBLs by installing Net::DNS.
>
> or enable right at MTA level, our spam influx has dropped to less
> than 10% after enabling a few well chosen RBLs (blocking proxy and
> dynamic IPs is the best) plus bogus HELO plus our own access.db. SA
> does its job on the remainder and gets more than 99%.

Actually, our DNS RBL check is done at the firewall. We have FWTK as our SMTP proxy and the RBL patches are installed. We're using .bl.spamcop.net, .sbl.spamhaus.org and .xbl.spamhaus.org.

--
Michael St. Laurent
Hartwell Corporation

From chris at FRACTALWEB.COM Mon Feb 23 17:11:37 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:22:40 2006
Subject: Notifying one domain of virus received from them ?
In-Reply-To: <6.0.1.1.2.20040223162030.0b82c6d0@imap.ecs.soton.ac.uk>
References: <200402231503.38688.Declan.Grady@nuvotem.com> <6.0.1.1.2.20040223162030.0b82c6d0@imap.ecs.soton.ac.uk>
Message-ID: <403A3449.9010901@fractalweb.com>

Julian,

Just curious...CAN they be tabs in the other files? I believe they can, but want to be certain. :-)

Thanks,
Chris

Julian Field wrote:
> That's fine. The separators don't need to be tabs, any old spaces will
> do.
>
> The only times that tabs are required are in filename.rules.conf and
> filetype.rules.conf.
>

From campbell at CNPAPERS.COM Mon Feb 23 17:15:11 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:40 2006
Subject: Emailing quarantined emails
References: <20040220193427.GA30431@gbcomputers.com> <1077331933.4345.38.camel@localhost.localdomain> <20040221211110.GA7057@gbcomputers.com>
Message-ID: <007201c3fa30$98878ba0$e901a8c0@cnpapers.net>

Mr. Freegard replied to me with the following setup for fixing what you describe. It fixes all but when there are forms in the quarantined mail. I haven't set up rules for this yet. You should note that released files are sent from localhost allowing this to work.

********************************************
To release blocked attachments you should use two rulesets to allow bypass of filetype and filename checking - on my systems I do it like this:

MailScanner.conf:
Filename Rules = %etc-dir%/filename.rules
Filetype Rules = %etc-dir%/filetype.rules

filename.rules:
From: 127.0.0.1 /etc/MailScanner/filename.rules.allowall.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf

filename.rules.allowall.conf:
allow .* - -

filename.rules.conf:
As MailScanner supplied default

filetype.rules:
From: 127.0.0.1 /etc/MailScanner/filetype.rules.allowall.conf
FromOrTo: default /etc/MailScanner/filetype.rules.conf

filetype.rules.allowall.conf:
allow .* - -

filetype.rules.conf:
As MailScanner supplied default

Doing it this way means that everything gets virus checked and you have a log of the transaction in the MailWatch database should someone release something they shouldn't - which is why I would recommend doing it this way as you can't be too paranoid.
****************************************

This works very well for me.

Thanks again Mr.
Freegard

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Kai Schaetzl"
To:
Sent: Monday, February 23, 2004 9:31 AM
Subject: Re: Emailing quarantined emails

> Gregg Berkholtz wrote on Sat, 21 Feb 2004 13:11:10 -0800:
>
> > I'm trying to avoid changing the
> > procedure our helpdesk has become accustomed to.
> >
>
> You could start using Mailwatch and tell your Helpdesk to release messages
> via its web interface.
>
>
> Kai
>
> --
>
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
> IE-Center: http://ie5.de & http://msie.winware.org

From MWeiner at AG.COM Mon Feb 23 17:15:41 2004
From: MWeiner at AG.COM (MW Mike Weiner (5028))
Date: Thu Jan 12 21:22:40 2006
Subject: clamavmodule
Message-ID: <4FD2C985D5E2A642AE25823DFD61C2B01A81A3@orca.agcom.amgreetings.com>

I just swapped over to using the clamavmodule after following the instructions on the website and making the appropriate config changes and restarting MailScanner, however I still get test virus emails going through basically unscathed. Anything to look for in particular to help debug?

Thanks in advance

From g.pentland at SOTON.AC.UK Mon Feb 23 17:17:16 2004
From: g.pentland at SOTON.AC.UK (Pentland G.)
Date: Thu Jan 12 21:22:40 2006
Subject: spam.actions.rules
Message-ID:

Julian Field wrote:
> What you have just witnessed is a problem raised by having messages
> with multiple recipients. MailScanner doesn't generate mail messages,
> so if you have 5 recipients with different actions, it has to make
> some decision. In this case, I believe it uses the result from the
> 1st recipient. Take a look in the Advanced Settings section of
> MailScanner.conf where you will find this:

This cannot be right as the ruleset was...
To: gp397@soton.ac.uk delete
To: g.pentland@soton.ac.uk delete
To: jw@soton.ac.uk delete
To: J.Watts@soton.ac.uk delete
To: eks@soton.ac.uk delete
To: E.K.Struzyna@soton.ac.uk delete
To: lb3@soton.ac.uk delete
To: L.Williams@soton.ac.uk delete
FromorTo: default deliver

and j.watts was not the first recipient in that message...

Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: from=, size=3898, class=0, nrcpts=5, msgid=<000611d7be47$dab24652$21337435@efvfxrq.qdi>, proto=SMTP, daemon=MTA, relay=adsl-065-082-235-059.sip.btr.bellsouth.net [65.82.235.59]
Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: to=, delay=00:00:02, mailer=esmtp, pri=153898, stat=queued
Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: to=, delay=00:00:02, mailer=esmtp, pri=153898, stat=queued

...Sendmail thought j.watts was second.

Maybe it's the first matching rule for any recipient... here the default being last so the j.watts rule matched first? Having re-read that extract I think this is the correct description of what happened here.

Obviously Mailscanner doesn't create the mail but Mailscanner could remove a recipient from the mail but leave the rest of it/them in the queue. I realise this is not easy to implement.

> The other way of solving it is to use sendmail "Queue Groups" to
> limit the number of recipients per message to a maximum of 1. How to
> do this has been discussed here in the past, should be in the list
> archive.

This is not good for disk usage or speed in general as MS would have to scan a lot more messages but it would indeed solve the problem.

Gary

From mikes at HARTWELLCORP.COM Mon Feb 23 17:19:11 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:40 2006
Subject: Training SA
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C93@hart-exchange.hartwellcorp.com>

Question: rpm -q --whatprovides /usr/sbin/folderdump ??
;-D

MailScanner wrote:
> Try this script; we use it to pull the messages from junkmail and
> goodmail folders on the Exchange and feed the messages to sa-learn
> like so:
>
> #!/bin/sh
>
> SERVER=
> USER=
> PASS=
>
> GOOD=goodmail
> JUNK=junkmail
>
> SPAM=/tmp/spam
> NOTSPAM=/tmp/notspam
>
> LOGFILE=/var/log/learn.spam.log
> PREFS=/etc/MailScanner/spam.assassin.prefs.conf
> SALEARN=/usr/bin/sa-learn
>
> /usr/sbin/folderdump --host $SERVER --user $USER --pass $PASS --folder Public\ Folders/$JUNK --dir $SPAM
> /usr/sbin/folderdump --host $SERVER --user $USER --pass $PASS --folder Public\ Folders/$GOOD --dir $NOTSPAM
>
> date >> $LOGFILE
>
> $SALEARN --prefs-file=$PREFS --spam $SPAM >> $LOGFILE 2>&1
> rm -f $SPAM/*
>
> $SALEARN --prefs-file=$PREFS --ham $NOTSPAM >> $LOGFILE 2>&1
> rm -f $NOTSPAM/*
>
>
> Make sure that the spam checking user has read access to the public
> folders. You may want to restrict its write/delete access to the
> junkmail folder only, otherwise a user may accidentally drag and drop
> a valuable message on goodmail, rather than Ctrl+Drag and drop.
>
> Bart...
>
> -----Original Message-----
> From: Michael St. Laurent [mailto:mikes@HARTWELLCORP.COM]
> Posted At: 21 February 2004 04:43
> Posted To: MailScanner
> Conversation: Training SA
> Subject: Re: Training SA
>
> Steve Thomas wrote:
>> On Fri, Feb 20, 2004 at 07:57:52PM -0800, Michael St. Laurent is
>> rumored to have said:
>>>
>>> I might be able to fix that up... we are stuck with an Exchange
>>> server here for the mail email system. I could create a folder on
>>> it for people to move spam and non-spam messages into. What would I
>>> then do to access those folders from the MailScanner server in such
>>> a way that they could be fed into sa-learn?
>>
>> Never worked with exchange, so I can't say. You could probably do a
>> perl script that logs in via pop3 or imap and downloads/deletes the
>> messages from the exchange box.
I know there's a bunch of exchange
>> people on this list, so maybe you'll get a more definitive answer on
>> Monday.
>
> Okay, I'll wait to see what others have to say then.
>
> Thanks.

:-D

--
Michael St. Laurent
Hartwell Corporation

From campbell at CNPAPERS.COM Mon Feb 23 17:19:36 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:40 2006
Subject: Emailing quarantined emails
References: <20040220193427.GA30431@gbcomputers.com> <1077331933.4345.38.camel@localhost.localdomain> <20040221211110.GA7057@gbcomputers.com> <007201c3fa30$98878ba0$e901a8c0@cnpapers.net>
Message-ID: <007e01c3fa31$36182780$e901a8c0@cnpapers.net>

Clarification:

Mr. Freegard replied to me with the following setup USING MAILWATCH for fixing what you describe.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Stephe Campbell"
To:
Sent: Monday, February 23, 2004 12:15 PM
Subject: Re: Emailing quarantined emails

Mr. Freegard replied to me with the following setup for fixing what you describe. It fixes all but when there are forms in the quarantined mail. I haven't set up rules for this yet. You should note that released files are sent from localhost allowing this to work.
********************************************
To release blocked attachments you should use two rulesets to allow bypass of filetype and filename checking - on my systems I do it like this:

MailScanner.conf:
Filename Rules = %etc-dir%/filename.rules
Filetype Rules = %etc-dir%/filetype.rules

filename.rules:
From: 127.0.0.1 /etc/MailScanner/filename.rules.allowall.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf

filename.rules.allowall.conf:
allow .* - -

filename.rules.conf:
As MailScanner supplied default

filetype.rules:
From: 127.0.0.1 /etc/MailScanner/filetype.rules.allowall.conf
FromOrTo: default /etc/MailScanner/filetype.rules.conf

filetype.rules.allowall.conf:
allow .* - -

filetype.rules.conf:
As MailScanner supplied default

Doing it this way means that everything gets virus checked and you have a log of the transaction in the MailWatch database should someone release something they shouldn't - which is why I would recommend doing it this way as you can't be too paranoid.
****************************************

This works very well for me.

Thanks again Mr. Freegard

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Kai Schaetzl"
To:
Sent: Monday, February 23, 2004 9:31 AM
Subject: Re: Emailing quarantined emails

> Gregg Berkholtz wrote on Sat, 21 Feb 2004 13:11:10 -0800:
>
> > I'm trying to avoid changing the
> > procedure our helpdesk has become accustomed to.
> >
>
> You could start using Mailwatch and tell your Helpdesk to release messages
> via its web interface.
>
>
> Kai
>
> --
>
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
> IE-Center: http://ie5.de & http://msie.winware.org

From MWeiner at AG.COM Mon Feb 23 17:20:41 2004
From: MWeiner at AG.COM (MW Mike Weiner (5028))
Date: Thu Jan 12 21:22:40 2006
Subject: Training SA
Message-ID: <4FD2C985D5E2A642AE25823DFD61C2B01A81A4@orca.agcom.amgreetings.com>

-----Original Message-----
From: Michael St. Laurent [mailto:mikes@HARTWELLCORP.COM]
Sent: Monday, February 23, 2004 12:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Training SA

Question: rpm -q --whatprovides /usr/sbin/folderdump ?? ;-D

AFAIK, it was attached to the original email. I still have it if you need it.

Michael Weiner

From mikes at HARTWELLCORP.COM Mon Feb 23 17:27:07 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:40 2006
Subject: FW: Training SA
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C94@hart-exchange.hartwellcorp.com>

Michael St. Laurent <> wrote:
> Question: rpm -q --whatprovides /usr/sbin/folderdump ?? ;-D

Whups, never mind. I failed to see the attachment on the first read through. Thanks! ;-D

--
Michael St. Laurent
Hartwell Corporation

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Feb 23 17:28:05 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:40 2006
Subject: Emailing quarantined emails
Message-ID:

Hi,

> I am right in thinking that any email with an envelope from
> equal to postmaster@yourdomain.com would then bypass the
> filename rules?

Yes and no.

> If so I would not want to implement it because it would be
> too risky to let some viruses through. If I was able to
> restrict it only from localhost, then maybe... but I don't
> think this is feasible.

It is bypassing the filename rules only. NOT the virus check!
Depending on your setup you could also change this to

From: 127.0.0.1

Regards,
Jan-Peter

From mikes at HARTWELLCORP.COM Mon Feb 23 17:36:44 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:40 2006
Subject: Training SA
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C95@hart-exchange.hartwellcorp.com>

MW Mike Weiner (5028) wrote:
> -----Original Message-----
> From: Michael St. Laurent [mailto:mikes@HARTWELLCORP.COM]
> Sent: Monday, February 23, 2004 12:19 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Training SA
>
> Question: rpm -q --whatprovides /usr/sbin/folderdump ?? ;-D
>
> AFAIK, it was attached to the original email. I still have it if you
> need it.
> Michael Weiner

Yes, it was. However, I'm having trouble finding the perl modules used (IMAPClient). Are there RPMS available or will I need to get it from CPAN?

--
Michael St. Laurent
Hartwell Corporation

From martinh at SOLID-STATE-LOGIC.COM Mon Feb 23 17:43:03 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:40 2006
Subject: Training SA
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C95@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56C95@hart-exchange.hartwellcorp.com>
Message-ID: <403A3BA7.9060605@solid-state-logic.com>

Michael St. Laurent wrote:
> MW Mike Weiner (5028) wrote:
>
>>-----Original Message-----
>>From: Michael St. Laurent [mailto:mikes@HARTWELLCORP.COM]
>>Sent: Monday, February 23, 2004 12:19 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: Training SA
>>
>>Question: rpm -q --whatprovides /usr/sbin/folderdump ?? ;-D
>>
>>AFAIK, it was attached to the original email. I still have it if you
>>need it.
>>Michael Weiner
>
>
> Yes, it was. However, I'm having trouble finding the perl modules used
> (IMAPClient). Are there RPMS available or will I need to get it from CPAN?
>

Mike

CPAN is always first call for perl modules..
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From MWeiner at AG.COM Mon Feb 23 17:46:39 2004
From: MWeiner at AG.COM (MW Mike Weiner (5028))
Date: Thu Jan 12 21:22:40 2006
Subject: Training SA
Message-ID: <4FD2C985D5E2A642AE25823DFD61C2B01A81A5@orca.agcom.amgreetings.com>

-----Original Message-----
From: Michael St. Laurent [mailto:mikes@HARTWELLCORP.COM]
Sent: Monday, February 23, 2004 12:37 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Training SA

MW Mike Weiner (5028) wrote:
> -----Original Message-----
> From: Michael St. Laurent [mailto:mikes@HARTWELLCORP.COM]
> Sent: Monday, February 23, 2004 12:19 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Training SA
>
> Question: rpm -q --whatprovides /usr/sbin/folderdump ?? ;-D
>
> AFAIK, it was attached to the original email. I still have it if you
> need it.
> Michael Weiner

Yes, it was. However, I'm having trouble finding the perl modules used (IMAPClient). Are there RPMS available or will I need to get it from CPAN?

perl -MCPAN -e shell
install Mail::IMAPClient

From mailscan at PRIS.CA Mon Feb 23 18:11:17 2004
From: mailscan at PRIS.CA (MailScanner Mailbox)
Date: Thu Jan 12 21:22:40 2006
Subject: DOS and Oversized Zip
In-Reply-To: <007e01c3fa31$36182780$e901a8c0@cnpapers.net>
Message-ID:

Hello All

I think that this may be a clamav problem rather than a mailscanner problem but I am not 100% sure. I am running MailScanner 4.22-4 and clamav 0.67.
It seems that recently I am getting many many emails turned away with the message "Denial of Service attack in message!" It seems to be caused by a zipfile that expands many times its zipped size, (isn't this the purpose of zipping a file)? Anyways, there is some info I googled that mentions editing the scanners.c file (specifically "ZIPOSDET") to increase the value. I don't see that option available in clamav 0.67 so perhaps it is something I can set within the mailscanner config file?

I have confirmed that the file being sent is a zip file containing 3 txt files (one of them is 5mb) and it compresses down to 220kb. Any and all help concerning this is most appreciated.

Rick

From mikes at HARTWELLCORP.COM Mon Feb 23 18:28:25 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:40 2006
Subject: Training SA
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C96@hart-exchange.hartwellcorp.com>

MW Mike Weiner (5028) wrote:
> Yes, it was. However, I'm having trouble finding the perl modules
> used (IMAPClient). Are there RPMS available or will I need to get it
> from CPAN?
>
> perl -MCPAN -e shell
> install Mail::IMAPClient

Okay, I've got it installed and (I think) working now. Thanks!!

Does the sa-learn script/program know enough to parse out the original email if MailScanner marked it as possible spam and has put it into an attachment?

--
Michael St. Laurent
Hartwell Corporation

From maillists at CONACTIVE.COM Mon Feb 23 18:31:31 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:40 2006
Subject: Emailing quarantined emails
In-Reply-To:
References:
Message-ID:

Jan-Peter Koopmann wrote on Mon, 23 Feb 2004 16:18:02 +0100:

> > I've tried that, but all it does is re-quarantine itself.
>
> Been there... :-)
>

Hm, makes me wonder why this happens on your systems and not here. Try adding a whitelist rule for your own IP. Those mails are generated on your system, so this should whitelist them.
Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From mikes at HARTWELLCORP.COM Mon Feb 23 18:35:11 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:40 2006
Subject: Training SA
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C97@hart-exchange.hartwellcorp.com>

MW Mike Weiner (5028) wrote:
> Yes, it was. However, I'm having trouble finding the perl modules
> used (IMAPClient). Are there RPMS available or will I need to get it
> from CPAN?
>
> perl -MCPAN -e shell
> install Mail::IMAPClient

Actually, the sa-learn program is returning an error. Below is the debug output:

debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/usr/local/sbin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/sbin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/X11R6/bin', keeping.
debug: PATH included '/root/bin', which doesn't exist, dropping.
debug: Final PATH set to: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
debug: Failed to parse line in SpamAssassin configuration, skipping: auto_report_threshold 30
debug: Failed to parse line in SpamAssassin configuration, skipping: defang_mime 0
debug: bayes: DB_File module not installed, cannot use Bayes
debug: Score set 0 chosen.
debug: Initialising learner
debug: Initialising learner
debug: Syncing Bayes journal and expiring old tokens...
debug: bayes: DB_File module not installed, cannot use Bayes
debug: Syncing complete.
debug: Learning Spam
debug: uri tests: Done uriRE
debug: bayes: DB_File module not installed, cannot use Bayes
Learned from 0 message(s) (1 message(s) examined).
debug: bayes: 5479 untie-ing
ERROR: the Bayes learn function returned an error, please re-run with -D for more information

I've missed something obvious I think.

--
Michael St. Laurent
Hartwell Corporation

--
Michael St. Laurent
Hartwell Corporation

From lists at STHOMAS.NET Mon Feb 23 18:38:22 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:40 2006
Subject: Training SA
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C97@hart-exchange.hartwellcorp.com>; from mikes@HARTWELLCORP.COM on Mon, Feb 23, 2004 at 10:35:11AM -0800
References: <91A5926EFF44D3118B1200104B7276EB02C56C97@hart-exchange.hartwellcorp.com>
Message-ID: <20040223103822.A30570@sthomas.net>

On Mon, Feb 23, 2004 at 10:35:11AM -0800, Michael St. Laurent is rumored to have said:
> ...
> debug: bayes: DB_File module not installed, cannot use Bayes

You need to install the DB_File perl module.

perl -MCPAN -e 'install DB_File'

--
"C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do, it blows away your whole leg." - Bjarne Stroustrup

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Feb 23 18:40:46 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:40 2006
Subject: Emailing quarantined emails
Message-ID:

Kai,

> Hm, makes me wonder why this happens on your systems and not
> here. Try adding a whitelist rule for your own IP. Those
> mails are generated on your system, so this should whitelist them.

My description is exactly doing that: Whitelisting the mails from Mailwatch.... I am not having problem. Others are.
:-)

From mailscanner at ecs.soton.ac.uk Mon Feb 23 18:44:17 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:40 2006
Subject: Training SA
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C97@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56C97@hart-exchange.hartwellcorp.com>
Message-ID: <6.0.1.1.2.20040223184253.0344e9d8@imap.ecs.soton.ac.uk>

At 18:35 23/02/2004, you wrote:
>MW Mike Weiner (5028) wrote:
> > Yes, it was. However, I'm having trouble finding the perl modules
> > used (IMAPClient). Are there RPMS available or will I need to get it
> > from CPAN?
> >
> > perl -MCPAN -e shell
> > install Mail::IMAPClient
>
>Actually, the sa-learn program is returning an error. Below is the debug
>output:
>
>debug: bayes: DB_File module not installed, cannot use Bayes
>debug: bayes: DB_File module not installed, cannot use Bayes
>debug: bayes: DB_File module not installed, cannot use Bayes
>ERROR: the Bayes learn function returned an error, please re-run with -D for
>more information
>
>I've missed something obvious I think.

You are missing the DB_File module.
If I remember correctly the answer is this:
perl -MCPAN -e shell
install DB_File

If that doesn't work then "install DB::File" should work.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jcorell at IPRUS.NET Mon Feb 23 19:08:45 2004
From: jcorell at IPRUS.NET (James Corell)
Date: Thu Jan 12 21:22:40 2006
Subject: MailScanner not parsing dumaru-y MIME headers
In-Reply-To: <6.0.1.1.2.20040223144309.03ec31e0@imap.ecs.soton.ac.uk>
Message-ID:

Rolled MailScanner Message.pm back to 4.27.3-1, then ran the patch. MailScanner runs fine (no more looping scans or missing headers).

I'll know pretty soon if this fixes the dumaru-y problems.
James Corell
E-P-C-S
111 West Mitchell, Suite E
Gaylord, MI 49735
(989) 732-1366

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
Sent: Monday, February 23, 2004 9:44 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: [MAILSCANNER] MailScanner not parsing dumaru-y MIME headers

Please try this patch to Message.pm. I have tried to post a new Message.pm a couple of times already, but it seems to disappear down the toilet :-(

At 14:32 23/02/2004, you wrote:
>I've just sent a copy of this to the list in a different thread having
>not seen this one until afterwards :) It's in a password protected
>zipfile)
>
>On Sat, 2004-02-21 at 10:31, Julian Field wrote:
> > Yes please, send me a copy in a password-protected zip file. Please
> > remember to tell me what the password is! :-)
> >
> > At 22:37 20/02/2004, you wrote:
> > >Julian:
> > >
> > >Running MailScanner-4.27.3-1, rpm version
> > >Running sendmail 8 on RedHat 6.2 with latest rpm-build
> > >Running Sophos 3.79
> > >
> > >Installed latest version of MailScanner to fix MIME header parsing problem
> > >(MyDoom-A viruses not being found). However, I have been seeing dumaru-y
> > >viruses pass through MailScanner with "Clean" headers. When the mail
> ends up
> > >in Outlook Express, however, OE finds the attachment and it's up to the
> > >client virus scanner to find dumaru-y.
> > >
> > >I have several copies of the virus-infected email message with full
> headers
> > >stored on the mail server. If you would like to see them, I can attach the
> > >file and send it to you.
> > >
> > >I thought the latest version of MailScanner was supposed to fix this?
> > >Anybody else having this problem?
> > >
> > >James Corell
> > >E-P-C-S
> > >111 West Mitchell, Suite E
> > >Gaylord, MI 49735
> > >(989) 732-1366
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From campbell at CNPAPERS.COM Mon Feb 23 19:18:00 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:40 2006
Subject: Emailing quarantined emails
References:
Message-ID: <002b01c3fa41$c1ca8880$e901a8c0@cnpapers.net>

One of the problems I had after upgrading MailWatch from Version 0.4 to 0.5 was the releasing of quarantined messages. I found that the 0.4 version was using 'mail' instead of 'smtp' to resend the quarantined file back into sendmail. This resulted in sending mail to the output queue (/var/spool/mqueue) when using 0.4, instead of the input queue (/var/spool/mqueue.in) when using 0.5. This requires the rules I mentioned before in my last post. I am using RH and sendmail. Your mileage may vary.

You could change the line in detail.php in your mailscanner(MailWatch) directory from

$mail =& Mail::factory('smtp');

to

$mail =& Mail::factory('mail');

, but then nothing gets scanned again and an errant release could let something through. Files do get delivered though.

Check your logs and headers and see if a released quarantined message is not sent from 127.0.0.1 (localhost). If it is, you can create any type of rules you want for either the IP or the domain localhost to control quarantine releases.

With the rules Mr. Freegard suggested, you still get scanned for viruses, and as someone else mentioned (Mr. Rose I believe), this will take care of the situation where an email was not flagged as a virus due to virus dictionaries not being up to date during the quarantine process the first time through, but maybe getting flagged the second time after the dictionaries have been updated.
There is usually a considerable time lapse between the actual receipt of email and the time someone wants it released, allowing for the updated dictionary. This would explain some of the "mine works, how come yours doesn't". Or maybe they already had the localhost rules in place. Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- From: "Jan-Peter Koopmann" To: Sent: Monday, February 23, 2004 1:40 PM Subject: Re: Emailing quarantined emails Kai, > Hm, makes me wonder why this happens on your systems and not > here. Try adding a whitelist rule for your own IP. Those > mails are generated on your system, so this should whitelist them. My description is exactly doing that: Whitelisting the mails from Mailwatch.... I am not having a problem. Others are. :-) From mikes at HARTWELLCORP.COM Mon Feb 23 19:25:45 2004 From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:40 2006 Subject: Training SA Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C9A@hart-exchange.hartwellcorp.com> Julian Field wrote: >> debug: bayes: DB_File module not installed, cannot use Bayes > You are missing the DB_File module. > If I remember correctly the answer is this: > perl -MCPAN -e shell > install DB_File > > If that doesn't work then "install DB::File" should work. Yep, that got it working. Thanks Julian and Steve. -- Michael St. Laurent Hartwell Corporation From jcorell at IPRUS.NET Mon Feb 23 19:25:20 2004 From: jcorell at IPRUS.NET (James Corell) Date: Thu Jan 12 21:22:40 2006 Subject: '@' symbol in "stored.xxxxx.message.txt" files In-Reply-To: <6.0.1.1.2.20040223141318.03edc5b8@imap.ecs.soton.ac.uk> Message-ID: I know that I'm using escaped @ and $ symbols in message.txt files. If I don't, the trailing text won't display. 
MailScanner 4.27.3-1 James Corell E-P-C-S 111 West Mitchell, Suite E Gaylord, MI 49735 (989) 732-1366 -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Monday, February 23, 2004 9:15 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [MAILSCANNER] '@' symbol in "stored.xxxxx.message.txt" files At 14:09 23/02/2004, you wrote: >At 13:55 23/02/2004, you wrote: >>Third request of hopefully a simple question to this list: >> >>We are running sendmail Version 8.11.7+Sun on a Solaris 8 V880, >>MailScanner-4.25-14. and perl, v5.6.1 built for sun4-solaris. >> >>I am trying to include an e-mail address in the body of the >>"stored.virus.message.txt" and "stored.filename.message.txt". >> >>When I include the '@' symbol in the text line, the whole line does not >>print. Any ideas? How do I print the '@' symbol in the files? > >The quick workaround is to use > \@ >instead of > @ > >But I'm going to take a look at the code as it should already do this >substitution for you. I have just found that a line containing no backslash works fine, while a line with a backslash doesn't print, which is understandable. So if I put in an email address like helpdesk@ecs.soton.ac.uk it works fine. Are you getting the reverse behaviour? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jcorell at IPRUS.NET Mon Feb 23 19:43:23 2004 From: jcorell at IPRUS.NET (James Corell) Date: Thu Jan 12 21:22:40 2006 Subject: MailScanner not parsing dumaru-y MIME headers In-Reply-To: Message-ID: Nope. dumaru-y still passes through MailScanner unscathed. From: "Elene" To: Subject: Important information for you. Read it immediately ! 
MIME-Version: 1.0 Content-Type: multipart/mixed;boundary="xxxx" X-MailScanner-MailScanner-Information: Please contact the ISP for more information X-MailScanner-MailScanner: Found to be clean Status: James Corell E-P-C-S 111 West Mitchell, Suite E Gaylord, MI 49735 (989) 732-1366 -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of James Corell Sent: Monday, February 23, 2004 2:09 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [MAILSCANNER] MailScanner not parsing dumaru-y MIME headers Rolled MailScanner Message.pm back to 4.27.3-1, then ran the patch. MailScanner runs fine (no more looping scans or missing headers). I'll know pretty soon if this fixes the dumaru-y problems. James Corell E-P-C-S 111 West Mitchell, Suite E Gaylord, MI 49735 (989) 732-1366 -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Monday, February 23, 2004 9:44 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [MAILSCANNER] MailScanner not parsing dumaru-y MIME headers Please try this patch to Message.pm. I have tried to post a new Message.pm a couple of times already, but it seems to disappear down the toilet :-( At 14:32 23/02/2004, you wrote: >I've just sent a copy of this to the list in a different thread having >not seen this one until afterwards :) It's in a password protected >zipfile) > >On Sat, 2004-02-21 at 10:31, Julian Field wrote: > > Yes please, send me a copy in a password-protected zip file. Please > > remember to tell me what the password is! :-) > > > > At 22:37 20/02/2004, you wrote: > > >Julian: > > > > > >Running MailScanner-4.27.3-1, rpm version > > >Running sendmail 8 on RedHat 6.2 with latest rpm-build > > >Running Sophos 3.79 > > > > > >Installed latest version of MailScanner to fix MIME header parsing problem > > >(MyDoom-A viruses not being found). However, I have been seeing dumaru-y > > >viruses pass through MailScanner with "Clean" headers. 
When the mail > ends up > > >in Outlook Express, however, OE finds the attachment and it's up to the > > >client virus scanner to find dumaru-y. > > > > > >I have several copies of the virus-infected email message with full > headers > > >stored on the mail server. If you would like to see them, I can attach the > > >file and send it to you. > > > > > >I thought the latest version of MailScanner was supposed to fix this? > > >Anybody else having this problem? > > > > > >James Corell > > >E-P-C-S > > >111 West Mitchell, Suite E > > >Gaylord, MI 49735 > > >(989) 732-1366 > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rzewnickie at RFA.ORG Mon Feb 23 19:47:50 2004 From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:40 2006 Subject: What is the best High SpamAssassin Score In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C55C@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C55C@jessica.herefordshire.gov.uk> Message-ID: <20040223194750.GB726@rfa.org> On Mon, Feb 23, 2004 at 11:22:42AM -0000, Randal, Phil wrote: > In my /etc/MailScanner/MailScanner.conf: ... > Spamassassin needs to learn 200 spam before auto-learning kicks in, if I > recall correctly. I used Steve Freegard's MailWatch > (http://mailwatch.sf.net) and fed spam to sa-learn from there. Once Bayes > is trained, it makes quite a difference. > > Cheers, > > Phil > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Drew Marshall > > Sent: 23 February 2004 11:13 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: What is the best High SpamAssassin Score > > > > > > Having only just realised that by running the latest stable SA I have > > automatic Bayes, I am just starting to play. 
So how do I change the ... > > matter what or > > can I just pick 200 legitimate messages and feed the hungry beast? > > > > Drew (Feeling stupid this morning) > > > > Randal, Phil said: > > > My threshold is 4.75 for low, 10.25 for high, autolearning > > at 9, with But where do you set the autolearning threshold? I haven't adjusted mine ... it seems to be somewhere around 14 or 15, but I don't know where this is set. -Eric Rz. From mailscanner at ecs.soton.ac.uk Mon Feb 23 19:57:22 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:40 2006 Subject: What is the best High SpamAssassin Score In-Reply-To: <20040223194750.GB726@rfa.org> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C55C@jessica.herefordshire.gov.uk> <20040223194750.GB726@rfa.org> Message-ID: <6.0.1.1.2.20040223195659.03491e88@imap.ecs.soton.ac.uk> At 19:47 23/02/2004, you wrote: >On Mon, Feb 23, 2004 at 11:22:42AM -0000, Randal, Phil wrote: > > In my /etc/MailScanner/MailScanner.conf: >... > > Spamassassin needs to learn 200 spam before auto-learning kicks in, if I > > recall correctly. I used Steve Freegard's MailWatch > > (http://mailwatch.sf.net) and fed spam to sa-learn from there. Once Bayes > > is trained, it makes quite a difference. > > > > Cheers, > > > > Phil > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Drew Marshall > > > Sent: 23 February 2004 11:13 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: What is the best High SpamAssassin Score > > > > > > > > > Having only just realised that by running the latest stable SA I have > > > automatic Bayes, I am just starting to play. So how do I change the >... > > > matter what or > > > can I just pick 200 legitimate messages and feed the hungry beast? 
> > > > > > Drew (Feeling stupid this morning) > > > > > > Randal, Phil said: > > > > My threshold is 4.75 for low, 10.25 for high, autolearning > > > at 9, with > >But where do you set the autolearning threshold? I haven't adjusted mine >... it seems to be somewhere around 14 or 15, but I don't know where >this is set. It's in "man Mail::SpamAssassin::Conf"... bayes_auto_learn_threshold_nonspam n.nn (default: 0.1) The score threshold below which a mail has to score, to be fed into SpamAssassin's learning systems automatically as a non-spam message. bayes_auto_learn_threshold_spam n.nn (default: 12.0) The score threshold above which a mail has to score, to be fed into SpamAssassin's learning systems automatically as a spam message. Note: SpamAssassin requires at least 3 points from the header, and 3 points from the body to auto-learn as spam. Therefore, the minimum working value for this option is 6. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Feb 23 19:54:15 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:40 2006 Subject: MailScanner not parsing dumaru-y MIME headers In-Reply-To: References: Message-ID: <6.0.1.1.2.20040223195345.0343c498@imap.ecs.soton.ac.uk> Did you remember to restart MailScanner after changing the code? I tried it with your message and it was detected just fine. It may need the other changes I have written recently. I'll do another beta release before the weekend if I get time. At 19:43 23/02/2004, you wrote: >Nope. dumaru-y still passes through MailScanner unscathed. > >From: "Elene" >To: >Subject: Important information for you. Read it immediately ! 
>MIME-Version: 1.0 >Content-Type: multipart/mixed;boundary="xxxx" >X-MailScanner-MailScanner-Information: Please contact the ISP for more >information >X-MailScanner-MailScanner: Found to be clean >Status: > > > >James Corell >E-P-C-S >111 West Mitchell, Suite E >Gaylord, MI 49735 >(989) 732-1366 > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of James Corell >Sent: Monday, February 23, 2004 2:09 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: [MAILSCANNER] MailScanner not parsing dumaru-y MIME headers > > >Rolled MailScanner Message.pm back to 4.27.3-1, then ran the patch. >MailScanner runs fine (no more looping scans or missing headers). I'll know >pretty soon if this fixes the dumaru-y problems. > > >James Corell >E-P-C-S >111 West Mitchell, Suite E >Gaylord, MI 49735 >(989) 732-1366 > > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Monday, February 23, 2004 9:44 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: [MAILSCANNER] MailScanner not parsing dumaru-y MIME headers > > >Please try this patch to Message.pm. I have tried to post a new Message.pm >a couple of times already, but it seems to disappear down the toilet :-( > > >At 14:32 23/02/2004, you wrote: > >I've just sent a copy of this to the list in a different thread having > >not seen this one until afterwards :) It's in a password protected > >zipfile) > > > >On Sat, 2004-02-21 at 10:31, Julian Field wrote: > > > Yes please, send me a copy in a password-protected zip file. Please > > > remember to tell me what the password is! 
:-) > > > > > > At 22:37 20/02/2004, you wrote: > > > >Julian: > > > > > > > >Running MailScanner-4.27.3-1, rpm version > > > >Running sendmail 8 on RedHat 6.2 with latest rpm-build > > > >Running Sophos 3.79 > > > > > > > >Installed latest version of MailScanner to fix MIME header parsing >problem > > > >(MyDoom-A viruses not being found). However, I have been seeing >dumaru-y > > > >viruses pass through MailScanner with "Clean" headers. When the mail > > ends up > > > >in Outlook Express, however, OE finds the attachment and it's up to the > > > >client virus scanner to find dumaru-y. > > > > > > > >I have several copies of the virus-infected email message with full > > headers > > > >stored on the mail server. If you would like to see them, I can attach >the > > > >file and send it to you. > > > > > > > >I thought the latest version of MailScanner was supposed to fix this? > > > >Anybody else having this problem? > > > > > > > >James Corell > > > >E-P-C-S > > > >111 West Mitchell, Suite E > > > >Gaylord, MI 49735 > > > >(989) 732-1366 > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From shrek-m at GMX.DE Mon Feb 23 19:54:38 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:40 2006 Subject: MailScanner not parsing dumaru-y MIME headers In-Reply-To: <1077546740.4798.12.camel@localhost> References: <6.0.1.1.2.20040221103044.04009ec0@imap.ecs.soton.ac.uk> <1077546740.4798.12.camel@localhost> Message-ID: <403A5A7E.7030400@gmx.de> Simon Dick wrote: >I've just sent a copy of this to the list in a different thread having >not seen this one 
until afterwards :) It's in a password protected >zipfile) > skipping: ms_virus incorrect password :-( -- shrek-m From rzewnickie at RFA.ORG Mon Feb 23 19:54:28 2004 From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:40 2006 Subject: Notifying one domain of virus received from them ? In-Reply-To: <403A3449.9010901@fractalweb.com> References: <200402231503.38688.Declan.Grady@nuvotem.com> <6.0.1.1.2.20040223162030.0b82c6d0@imap.ecs.soton.ac.uk> <403A3449.9010901@fractalweb.com> Message-ID: <20040223195428.GC726@rfa.org> It doesn't hurt for them to be tabs. All of my .rules files are tab-delimited because I somehow got it in my head that they had to be, until Julian cleared that up for me a while back. They work fine with tabs. But, as Julian said they don't need to be. -Eric Rz. On Mon, Feb 23, 2004 at 09:11:37AM -0800, Chris Yuzik wrote: > Julian, > > Just curious...CAN they be tabs in the other files? I believe they can, > but want to be certain. :-) > > Thanks, > Chris > > Julian Field wrote: > > >That's fine. The separators don't need to be tabs, any old spaces will > >do. > > > >The only times that tabs are required are in filename.rules.conf and > >filetype.rules.conf. > > From mark at TIPPINGMAR.COM Mon Feb 23 20:03:31 2004 From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:22:40 2006 Subject: What is the best High SpamAssassin Score In-Reply-To: <20040223194750.GB726@rfa.org> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C55C@jessica.herefordshire.gov.uk> Message-ID: <4039EC13.24183.1753D953@localhost> On 23 Feb 2004 at 14:47, Eric Dantan Rzewnicki wrote: > But where do you set the autolearning threshold? I haven't adjusted mine > ... it seems to be somewhere around 14 or 15, but I don't know where > this is set. 
You can set it in spam.assassin.prefs.conf as follows: # Defaults for following bayes settings are 12.0 and 0.1 auto_learn_threshold_spam 15.0 auto_learn_threshold_nonspam 0.2 You should be aware that in calculating the score for autolearning, spamassassin uses a different score set than you do. I think it uses set 1, which does not consider bayes or network checks. -- Mark W. Nienberg, SE Tipping Mar + associates 1906 Shattuck Ave, Berkeley, CA 94704 visit our website at http://www.tippingmar.com From mailscanner at ecs.soton.ac.uk Mon Feb 23 17:59:31 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:40 2006 Subject: Notifying one domain of virus received from them ? In-Reply-To: <403A3449.9010901@fractalweb.com> References: <200402231503.38688.Declan.Grady@nuvotem.com> <6.0.1.1.2.20040223162030.0b82c6d0@imap.ecs.soton.ac.uk> <403A3449.9010901@fractalweb.com> Message-ID: <6.0.1.1.2.20040223175907.038856a0@imap.ecs.soton.ac.uk> Yes they can. Any combination of tabs and/or spaces will work. At 17:11 23/02/2004, you wrote: >Julian, > >Just curious...CAN they be tabs in the other files? I believe they can, >but want to be certain. :-) > >Thanks, >Chris > >Julian Field wrote: > >>That's fine. The separators don't need to be tabs, any old spaces will >>do. >> >>The only times that tabs are required are in filename.rules.conf and >>filetype.rules.conf. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Feb 23 18:01:49 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:40 2006 Subject: clamavmodule In-Reply-To: <4FD2C985D5E2A642AE25823DFD61C2B01A81A3@orca.agcom.amgreeti ngs.com> References: <4FD2C985D5E2A642AE25823DFD61C2B01A81A3@orca.agcom.amgreetings.com> Message-ID: <6.0.1.1.2.20040223180010.03762380@imap.ecs.soton.ac.uk> Firstly check you have no rulesets which would cause your scanner to be bypassed for your test messages. Also check the test messages get the X-MailScanner-Information header added to them to prove they are going through MailScanner at all. It's quite common for people to forget they have custom rules that exclude the host they happen to be sending the test messages from. At 17:15 23/02/2004, you wrote: >I just swapped over to using the clamavmodule after following the >instructions on the website and making the appropriate config changes and >restarting MailScanner, however I still get test virus emails going through >basically unscathed. Any thing to look for in particular to help debug? > >Thanks in advance -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Feb 23 18:03:06 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:40 2006 Subject: spam.actions.rules In-Reply-To: References: Message-ID: <6.0.1.1.2.20040223180222.03897ac8@imap.ecs.soton.ac.uk> At 17:17 23/02/2004, you wrote: >Julian Field wrote: > > What you have just witnessed is a problem raised by having messages > > with multiple recipients. 
MailScanner doesn't generate mail messages, > > so if you have 5 recipients with different actions, it has to make > > some decision. In this case, I believe it uses the result from the > > 1st recipient. Take a look in the Advanced Settings section of > > MailScanner.conf where you will find this: > >This cannot be right as the ruleset was... > >To: gp397@soton.ac.uk delete >To: g.pentland@soton.ac.uk delete >To: jw@soton.ac.uk delete >To: J.Watts@soton.ac.uk delete >To: eks@soton.ac.uk delete >To: E.K.Struzyna@soton.ac.uk delete >To: lb3@soton.ac.uk delete >To: L.Williams@soton.ac.uk delete >FromorTo: default deliver > >and j.watts was not the first recipient in that message... > >Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: >from=, size=3898, class=0, nrcpts=5, >msgid=<000611d7be47$dab24652$21337435@efvfxrq.qdi>, proto=SMTP, >daemon=MTA, relay=adsl-065-082-235-059.sip.btr.bellsouth.net >[65.82.235.59] >Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: >to=, delay=00:00:02, mailer=esmtp, pri=153898, >stat=queued >Feb 23 14:00:57 mta2.sucs.soton.ac.uk sendmail[10428]: i1NE0s7s010428: >to=, delay=00:00:02, mailer=esmtp, pri=153898, >stat=queued > >...Sendmail thought j.watts was second. > >Maybe it's the first matching rule for any recipient... here the default >being last so the j.watts rule matched first? > >Having re-read that extract I think this is the correct description of >what happened here. > > >Obviously Mailscanner doesn't create the mail but Mailscanner could >remove a recipient from the mail but leave the rest of it/them in the >queue. I realise this is not easy to implement. This only works for the "delete" spam action. But I agree it is a possible solution to the problem in this case. > > The other way of solving it is to use sendmail "Queue Groups" to > > limit the number of recipients per message to a maximum of 1. 
How to > > do this has been discussed here in the past, should be in the list > > archive. > >This is not good for disk usage or speed in general as MS would have to >scan a lot more messages but it would indeed solve the problem. > >Gary -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at pdscc.com Tue Feb 24 05:00:29 2004 From: mailscanner at pdscc.com (Harondel J. Sibble) Date: Thu Jan 12 21:22:40 2006 Subject: make copies of all emails - not archive Message-ID: <200402240529.VAA06916@sheridan.sibble.net> Have a situation where we need to have a copy of all emails that come in and go out of the MS gateway machine be sent to an address on the internal mailserver. Essentially the boss wants to see all the mail activity for the day, a day log so to speak, which would be deleted each day or so. We have MS running as the mail gateway and use a transport rule to allow incoming mail for the domain to be delivered to the hidden intranet mail server. I know how to do archiving of all in/outbound mail on the MS box, however I want to have it send a copy of all messages (hopefully without mangling the headers) to an address on our Samsung Contact server internally. Is this easy/simple to do? We are running postfix 2.x on the MS box. -- Harondel J. Sibble Sibble Computer Consulting Creating solutions for the small business and home computer user. 
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager) From campbell at CNPAPERS.COM Mon Feb 23 20:20:31 2004 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:22:40 2006 Subject: What is the best High SpamAssassin Score References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C55C@jessica.herefordshire.gov.uk> <20040223194750.GB726@rfa.org> <6.0.1.1.2.20040223195659.03491e88@imap.ecs.soton.ac.uk> Message-ID: <005301c3fa4a$7c9884c0$e901a8c0@cnpapers.net> Can these be put in the spam.assassin.prefs.conf file if I want to modify them for my site? Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- From: "Julian Field" To: Sent: Monday, February 23, 2004 2:57 PM Subject: Re: What is the best High SpamAssassin Score > At 19:47 23/02/2004, you wrote: > >On Mon, Feb 23, 2004 at 11:22:42AM -0000, Randal, Phil wrote: > > > In my /etc/MailScanner/MailScanner.conf: > >... > > > Spamassassin needs to learn 200 spam before auto-learning kicks in, if I > > > recall correctly. I used Steve Freegard's MailWatch > > > (http://mailwatch.sf.net) and fed spam to sa-learn from there. Once Bayes > > > is trained, it makes quite a difference. > > > > > > Cheers, > > > > > > Phil > > > > -----Original Message----- > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > Behalf Of Drew Marshall > > > > Sent: 23 February 2004 11:13 > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: What is the best High SpamAssassin Score > > > > > > > > > > > > Having only just realised that by running the latest stable SA I have > > > > automatic Bayes, I am just starting to play. So how do I change the > >... > > > > matter what or > > > > can I just pick 200 legitimate messages and feed the hungry beast? 
> > > > > > > > Drew (Feeling stupid this morning) > > > > > > > > Randal, Phil said: > > > > > My threshold is 4.75 for low, 10.25 for high, autolearning > > > > at 9, with > > > >But where do you set the autolearning threshold? I haven't adjusted mine > >... it seems to be somewhere around 14 or 15, but I don't know where > >this is set. > > It's in "man Mail::SpamAssassin::Conf"... > bayes_auto_learn_threshold_nonspam n.nn (default: 0.1) > The score threshold below which a mail has to score, to be fed into > SpamAssassin's learning systems automatically as a non-spam mes- > sage. > > bayes_auto_learn_threshold_spam n.nn (default: 12.0) > The score threshold above which a mail has to score, to be fed into > SpamAssassin's learning systems automatically as a spam message. > > Note: SpamAssassin requires at least 3 points from the header, and > 3 points from the body to auto-learn as spam. Therefore, the mini- > mum working value for this option is 6. > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From steve.swaney at FSL.COM Mon Feb 23 20:30:50 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:40 2006 Subject: What is the best High SpamAssassin Score In-Reply-To: <005301c3fa4a$7c9884c0$e901a8c0@cnpapers.net> Message-ID: <20040223203045.B147321C138@mail.fsl.com> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Stephe Campbell > Sent: Monday, February 23, 2004 3:21 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: What is the best High SpamAssassin Score > > Can these be put in the spam.assassin.prefs.conf file if I want to modify > them for my site? > Yes Steve Stephen Swaney President Fortress Systems Ltd. 
Steve.Swaney@FSL.com -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From mikes at HARTWELLCORP.COM Mon Feb 23 20:31:57 2004 From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:40 2006 Subject: Training SA Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56C9D@hart-exchange.hartwellcorp.com> Okay, I've got the feedback mechanism in place for training the Bayes engine. Now for a few procedural questions. ;-D I have MailScanner set to add the {Spam?} tag to the Subject line and to make the original message an attachment. Will either of these throw off the training process? Is the sa-learn program able to extract the original message from the attachment and does it know that it should do so? -- Michael St. Laurent Hartwell Corporation From jclark at SKIDMORE.EDU Mon Feb 23 18:51:44 2004 From: jclark at SKIDMORE.EDU (jclark) Date: Thu Jan 12 21:22:40 2006 Subject: '@' symbol in "stored.xxxxx.message.txt" files In-Reply-To: <6.0.1.1.2.20040223141318.03edc5b8@imap.ecs.soton.ac.uk> References: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> <40367E47.6060201@pacific.net> <6.0.2.0.0.20040220170302.026ec7f8@mail.enhtech.com> <6.0.1.1.2.20040223140901.0388e1a0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040223141318.03edc5b8@imap.ecs.soton.ac.uk> Message-ID: <5392B908-6631-11D8-B941-0003937E94EA@skidmore.edu> I am getting the behaviour regardless of which I do. Whether I escape it or not (this was in my previous submissions to this list) the line does not print. Jeff Clark On Feb 23, 2004, at 9:14 AM, Julian Field wrote: > At 14:09 23/02/2004, you wrote: >> At 13:55 23/02/2004, you wrote: >>> Third request of hopefully a simple question to this list: >>> >>> We are running sendmail Version 8.11.7+Sun on a Solaris 8 V880, >>> MailScanner-4.25-14. and perl, v5.6.1 built for sun4-solaris. 
>>> >>> I am trying to include an e-mail address in the body of the >>> "stored.virus.message.txt" and "stored.filename.message.txt". >>> >>> When I include the '@' symbol in the text line, the whole line does >>> not >>> print. Any ideas? How do I print the '@' symbol in the files? >> >> The quick workaround is to use >> \@ >> instead of >> @ >> >> But I'm going to take a look at the code as it should already do this >> substitution for you. > > I have just found that a line containing no backslash works fine, > while a > line with a backslash doesn't print, which is understandable. So if I > put > in an email address like > helpdesk@ecs.soton.ac.uk > it works fine. > > Are you getting the reverse behaviour? > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -- Jeffrey A. Clark Associate Director, CITS Director, Enterprise Systems Skidmore College 815 North Broadway Saratoga Springs, NY 12866-1632 (518) 580-5929 E-mail: jclark@skidmore.edu From jcorell at IPRUS.NET Mon Feb 23 20:49:08 2004 From: jcorell at IPRUS.NET (James Corell) Date: Thu Jan 12 21:22:40 2006 Subject: MailScanner not parsing dumaru-y MIME headers In-Reply-To: <6.0.1.1.2.20040223195345.0343c498@imap.ecs.soton.ac.uk> Message-ID: "service MailScanner restart" Maybe I need 4.27.4? It's not really an emergency, and if the next beta solves it, I'll be ecstatically happy. James -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Monday, February 23, 2004 2:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [MAILSCANNER] MailScanner not parsing dumaru-y MIME headers Did you remember to restart MailScanner after changing the code? I tried it with your message and it was detected just fine. It may need the other changes I have written recently. I'll do another beta release before the weekend if I get time. 
At 19:43 23/02/2004, you wrote: >Nope. dumaru-y still passes through MailScanner unscathed. > >From: "Elene" >To: >Subject: Important information for you. Read it immediately ! >MIME-Version: 1.0 >Content-Type: multipart/mixed;boundary="xxxx" >X-MailScanner-MailScanner-Information: Please contact the ISP for more >information >X-MailScanner-MailScanner: Found to be clean >Status: > > > >James Corell >E-P-C-S >111 West Mitchell, Suite E >Gaylord, MI 49735 >(989) 732-1366 > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of James Corell >Sent: Monday, February 23, 2004 2:09 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: [MAILSCANNER] MailScanner not parsing dumaru-y MIME headers > > >Rolled MailScanner Message.pm back to 4.27.3-1, then ran the patch. >MailScanner runs fine (no more looping scans or missing headers). I'll know >pretty soon if this fixes the dumaru-y problems. > > >James Corell >E-P-C-S >111 West Mitchell, Suite E >Gaylord, MI 49735 >(989) 732-1366 > > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Monday, February 23, 2004 9:44 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: [MAILSCANNER] MailScanner not parsing dumaru-y MIME headers > > >Please try this patch to Message.pm. I have tried to post a new Message.pm >a couple of times already, but it seems to disappear down the toilet :-( > > >At 14:32 23/02/2004, you wrote: > >I've just sent a copy of this to the list in a different thread having > >not seen this one until afterwards :) It's in a password protected > >zipfile) > > > >On Sat, 2004-02-21 at 10:31, Julian Field wrote: > > > Yes please, send me a copy in a password-protected zip file. Please > > > remember to tell me what the password is! 
:-) > > > > > > At 22:37 20/02/2004, you wrote: > > > >Julian: > > > > > > > >Running MailScanner-4.27.3-1, rpm version > > > >Running sendmail 8 on RedHat 6.2 with latest rpm-build > > > >Running Sophos 3.79 > > > > > > > >Installed latest version of MailScanner to fix MIME header parsing >problem > > > >(MyDoom-A viruses not being found). However, I have been seeing >dumaru-y > > > >viruses pass through MailScanner with "Clean" headers. When the mail > > ends up > > > >in Outlook Express, however, OE finds the attachment and it's up to the > > > >client virus scanner to find dumaru-y. > > > > > > > >I have several copies of the virus-infected email message with full > > headers > > > >stored on the mail server. If you would like to see them, I can attach >the > > > >file and send it to you. > > > > > > > >I thought the latest version of MailScanner was supposed to fix this? > > > >Anybody else having this problem? > > > > > > > >James Corell > > > >E-P-C-S > > > >111 West Mitchell, Suite E > > > >Gaylord, MI 49735 > > > >(989) 732-1366 > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From steve.swaney at FSL.COM Mon Feb 23 21:15:35 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:40 2006 Subject: DOS and Oversized Zip In-Reply-To: Message-ID: <20040223211531.20C8921C14B@mail.fsl.com> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of MailScanner Mailbox > Sent: Monday, February 23, 2004 1:11 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: DOS and Oversized Zip > > Hello 
All > > I think that this may be a clamav problem rather than a mailscanner > problem but I am not 100% sure. I am running MailScanner 4.22-4 and clamav > 0.67. > > It seems that recently I am getting many many emails turned away with the > message "Denial of Service attack in message!" It seems to be caused by a > zipfile that expands many times its zipped size, (isn't this the purpose > of zipping a file)? > > Anyways, there is some info I googled that mentions editing the scanners.c > file (specifically "ZIPOSDET") to increase the value. I don't see that > option available in clamav 0.67 so perhaps it is something I can set > within the mailscanner config file? > There was a problem with the maximum size of a zip file in ClamAV -0.66 but according to the archives this was fixed in ClamAV 0.66 and scanners.c is no longer configurable. Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > I have confirmed that the file being sent is a zip file containing 3 txt > files (one of them is 5mb) and it compresses down to 220kb. > > Any and all help concerning this is most appreciated. > > Rick > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From cconn at ABACOM.COM Mon Feb 23 21:12:27 2004 From: cconn at ABACOM.COM (Chris Conn) Date: Thu Jan 12 21:22:40 2006 Subject: clamav-autoupdate Message-ID: <403A6CBB.8050702@abacom.com> Hello, I am sure this has been asked before, however I have not found the answer in the mailing list archive. Is there a way to change the time at which the clamav-autoupdate is run so that it does not run at the top of the hour but at another interval? 
Thanks in advance, Chris From steve.swaney at FSL.COM Mon Feb 23 21:26:55 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:40 2006 Subject: clamav-autoupdate In-Reply-To: <403A6CBB.8050702@abacom.com> Message-ID: <20040223212651.0959F21C14C@mail.fsl.com> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Chris Conn > Sent: Monday, February 23, 2004 4:12 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: clamav-autoupdate > > Hello, > > I am sure this has been asked before, however I have not found the > answer in the mailing list archive. > > Is there a way to change the time at which the clamav-autoupdate is run > so that it does not run at the top of the hour but at another interval? > > Thanks in advance, > > Chris > You could remove it from cron.hourly and run the same job from cron. As root run: cron -e And add the job there to run whenever you want. Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From maillists at CONACTIVE.COM Mon Feb 23 21:31:36 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:40 2006 Subject: Emailing quarantined emails In-Reply-To: References: Message-ID: Jan-Peter Koopmann wrote on Mon, 23 Feb 2004 19:40:46 +0100: > My description is exactly doing that: Whitelisting the mails from > Mailwatch > which whitelists everything with that email address as someone already pointed out ... 
But I agree I should have replied to the message you replied to ;-) Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From cconn at ABACOM.COM Mon Feb 23 21:42:32 2004 From: cconn at ABACOM.COM (Chris Conn) Date: Thu Jan 12 21:22:40 2006 Subject: clamav-autoupdate In-Reply-To: <20040223212651.0959F21C14C@mail.fsl.com> References: <20040223212651.0959F21C14C@mail.fsl.com> Message-ID: <403A73C8.9020709@abacom.com> =) I completely forgot to check the cron...I don't know why I was under the impression that it was called from the MailScanner process... Thanks, Chris Stephen Swaney wrote: >>-----Original Message----- >> > > > You could remove it from cron.hourly and run the same job from cron. > > As root run: cron -e > > And add the job there to run whenever you want. From bob.jones at USG.EDU Mon Feb 23 22:02:11 2004 From: bob.jones at USG.EDU (Bob Jones) Date: Thu Jan 12 21:22:40 2006 Subject: New variant of MyDoom? Message-ID: <403A7863.5000407@usg.edu> Hey all... we have received a few messages with .zip attachments that aren't caught by the latest McAfee which seem to be a new variant of MyDoom. All the virus companies' websites are very slow right now so I'm assuming this is hitting a lot of people. We have temporarily started blocking .zip attachments until we get definitions that can recognize it. Just a heads up... Bob Jones OIIT The Board of Regents, USG From kevins at BMRB.CO.UK Mon Feb 23 22:47:29 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:40 2006 Subject: DOS and Oversized Zip In-Reply-To: References: Message-ID: <1077576454.23027.0.camel@bach.kevinspicer.co.uk> On Mon, 2004-02-23 at 18:11, MailScanner Mailbox wrote: > Anyways, there is some info I googled that mentions editing the scanners.c > file (specifically "ZIPOSDET") to increase the value. 
I don't see that > option available in clamav 0.67 so perhaps it is something I can set > within the mailscanner config file? > > I have confirmed that the file being sent is a zip file containing 3 txt > files (one of them is 5mb) and it compresses down to 220kb. > I think you'll find this is now configurable in clamav.conf BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mikes at HARTWELLCORP.COM Mon Feb 23 22:53:31 2004 From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:40 2006 Subject: New variant of MyDoom? Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CA9@hart-exchange.hartwellcorp.com> Bob Jones wrote: > Hey all... we have received a few messages with .zip attachments that > aren't caught by the latest McAfee which seem to be a new variant of > MyDoom. All the virus companies' websites are very slow right now so > I'm assuming this is hitting a lot of people. We have temporarily > started blocking .zip attachments until we get definitions that can > recognize it. Just a heads up... Thanks for the heads-up. -- Michael St. Laurent Hartwell Corporation From arringtp at MUSC.EDU Mon Feb 23 23:07:22 2004 From: arringtp at MUSC.EDU (Paul Arrington) Date: Thu Jan 12 21:22:40 2006 Subject: New variant of MyDoom? 
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CA9@hart-exchange.hartwellcorp.com> Message-ID: <200402232307.i1NN7Nha022905@flopsy.musc.edu> #-----Original Message----- #From: MailScanner mailing list #[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Michael St. Laurent #Sent: Monday, February 23, 2004 5:54 PM #To: MAILSCANNER@JISCMAIL.AC.UK #Subject: Re: [MAILSCANNER] New variant of MyDoom? # #Bob Jones wrote: #> Hey all... we have received a few messages with .zip #attachments that #> aren't caught by the latest McAfee which seem to be a new variant of #> MyDoom. All the virus companies' websites are very slow right now so #> I'm assuming this is hitting a lot of people. We have temporarily #> started blocking .zip attachments until we get definitions that can #> recognize it. Just a heads up... # #Thanks for the heads-up. # Thanks from me, too. Thought it might be this: http://vil.nai.com/vil/content/v_101038.htm (I use McAfee) They are not officially releasing a definition for this until next week. I installed their extra.dat file and immediately started seeing hits in the mail log. From pete at eatathome.com.au Mon Feb 23 23:21:09 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:40 2006 Subject: clamav-autoupdate In-Reply-To: <403A73C8.9020709@abacom.com> References: <20040223212651.0959F21C14C@mail.fsl.com> <403A73C8.9020709@abacom.com> Message-ID: <403A8AE5.7010402@eatathome.com.au> Chris Conn wrote: > =) I completely forgot to check the cron...I don't know why I was under > the impression that it was called from the MailScanner process... > > Thanks, > > Chris > > > Stephen Swaney wrote: > >>> -----Original Message----- >> > >>> >> >> >> You could remove it from cron.hourly and run the same job from cron. >> >> As root run: cron -e >> >> And add the job there to run whenever you want. > > > > Could someone tell me how to check what/when the latest signature version is or when it was last updated. 
Additionally I am using clam .60 I have ms 4.24-5 so no support for the perl module, should I be upgrading this version of clamav? From kevins at BMRB.CO.UK Mon Feb 23 23:48:26 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:40 2006 Subject: clamav-autoupdate In-Reply-To: <403A8AE5.7010402@eatathome.com.au> References: <20040223212651.0959F21C14C@mail.fsl.com> <403A73C8.9020709@abacom.com> <403A8AE5.7010402@eatathome.com.au> Message-ID: <1077580107.23027.7.camel@bach.kevinspicer.co.uk> On Mon, 2004-02-23 at 23:21, Pete wrote: > Could someone tell me how to check what/when the latest signature > version is or when it was last updated. Subscribe to the clamav-virusdb list > Additionally I am using clam .60 I have ms 4.24-5 so no support for the > perl module, should I be upgrading this version of clamav? Yes, you don't need to use the perl module, but the latest clam contains several important fixes - including more robust updating. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
From rcooper at DWFORD.COM Tue Feb 24 00:39:47 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:22:41 2006 Subject: DOS and Oversized Zip In-Reply-To: Message-ID: > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of MailScanner Mailbox > Sent: Monday, February 23, 2004 1:11 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: DOS and Oversized Zip > > > Hello All > > I think that this may be a clamav problem rather than > a mailscanner > problem but I am not 100% sure. I am running > MailScanner 4.22-4 and clamav > 0.67. > > It seems that recently I am getting many many emails > turned away with the > message "Denial of Service attack in message!" It > seems to be caused by a > zipfile that expands many times its zipped size, > (isn't this the purpose > of zipping a file)? There are ways to handcraft a zip file so it expands from a few bytes to a couple of terabytes, used to be called "The Zip of death". Clam allows you to restrict the compression ratio to avoid "Zip bombs" of this nature. Imagine the problems if you received a zip bomb that was a few hundred K compressed and a few gig uncompressed? > > Anyways, there is some info I googled that mentions > editing the scanners.c > file (specifically "ZIPOSDET") to increase the value. > I don't see that > option available in clamav 0.67 so perhaps it is > something I can set > within the mailscanner config file? > > I have confirmed that the file being sent is a zip > file containing 3 txt > files (one of them is 5mb) and it compresses down to 220kb. > > Any and all help concerning this is most appreciated. > look in your clamav.conf file for: # Mark potential archive bombs as viruses (0 disables the limit) ArchiveMaxCompressionRatio 200 and set it to what you think appropriate for your system. If it's not there add it. 
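The ratio check discussed in the message above can be reproduced on a gateway without unpacking anything, by reading the sizes a zip declares in its central directory. The following is an added example, not code from ClamAV or MailScanner: the function names, the total-size cap and the in-memory sample archives are constructed for illustration, and only the 200:1 value and the "0 disables the limit" behaviour come from the config line quoted above.

```python
import hashlib
import io
import zipfile

MAX_RATIO = 200                      # value from the ArchiveMaxCompressionRatio line quoted above
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # assumed cap on total unpacked size (not from the thread)


def audit_zip(data, max_ratio=MAX_RATIO, max_total=MAX_TOTAL_BYTES):
    """Check declared sizes in the central directory; nothing is unpacked.

    Returns (verdict, findings); verdict is "ok" or "reject".
    A max_ratio of 0 disables the ratio check, as in the quoted config comment.
    """
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            if info.compress_size == 0:
                # Non-empty output from zero stored bytes: treat as unbounded.
                ratio = float("inf") if info.file_size else 0.0
            else:
                ratio = info.file_size / info.compress_size
            if max_ratio and ratio > max_ratio:
                findings.append((info.filename, "ratio", ratio))
    if total > max_total:
        findings.append(("<archive>", "total", total))
    return ("reject" if findings else "ok"), findings


def bounded_read(data, name, limit):
    """Unpack one member in chunks, stopping once more than `limit` bytes appear.

    Declared sizes can be forged, so the cap is enforced on real output.
    Returns the member's bytes, or None if it exceeds the limit.
    """
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        while True:
            chunk = member.read(64 * 1024)
            if not chunk:
                return bytes(out)
            out += chunk
            if len(out) > limit:
                return None


def build_sample(members):
    """Build a deflate-compressed zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample 1: ordinary log-like text (varied content, modest ratio).
LOG_TEXT = "".join(
    "%06d queue-id %s delivered\n" % (i, hashlib.sha256(str(i).encode()).hexdigest()[:16])
    for i in range(20000)
).encode()
LOG_ZIP = build_sample({"report.txt": LOG_TEXT})

# Constructed sample 2: 5 MB of one repeated byte, which deflate shrinks
# by roughly three orders of magnitude and so exceeds a 200:1 limit.
REPETITIVE_ZIP = build_sample({"padding.txt": b"A" * (5 * 1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("log-like", LOG_ZIP), ("repetitive", REPETITIVE_ZIP)):
        verdict, findings = audit_zip(blob)
        print(label, len(blob), "bytes zipped ->", verdict, findings)
```

The metadata check is cheap enough to run before any scanner touches the file; `bounded_read` is the backstop for archives whose headers understate what they contain.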
From pete at eatathome.com.au Tue Feb 24 01:14:06 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:41 2006 Subject: clamav-autoupdate In-Reply-To: <1077580107.23027.7.camel@bach.kevinspicer.co.uk> References: <20040223212651.0959F21C14C@mail.fsl.com> <403A73C8.9020709@abacom.com> <403A8AE5.7010402@eatathome.com.au> <1077580107.23027.7.camel@bach.kevinspicer.co.uk> Message-ID: <403AA55E.10304@eatathome.com.au> Kevin Spicer wrote: >On Mon, 2004-02-23 at 23:21, Pete wrote: > > > >>Could someone tell me how to check what/when the latest signature >>version is or when it was last updated. >> >> > >Subscribe to the clamav-virusdb list > > > >>Additionally I am using clam .60 I have ms 4.24-5 so no support for the >>perl module, should I be upgrading this version of clamav? >> >> > >Yes, you don't need to use the perl module, but the latest clam contains >several important fixes - including more robust updating. > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. > > > > > Many thanks for the replies, any chance someone could point me towards the upgrade doco? I can't find it in the mailing list, the source or on the clam website. But I do remember someone posting a quickie howto upgrade once, but buggered if I can find it. 
thanks Pete From pete at eatathome.com.au Tue Feb 24 01:45:24 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:41 2006 Subject: clamav-autoupdate In-Reply-To: <20040224012551.M81007@konsultex.com.br> References: <20040223212651.0959F21C14C@mail.fsl.com> <403A73C8.9020709@abacom.com> <403A8AE5.7010402@eatathome.com.au> <1077580107.23027.7.camel@bach.kevinspicer.co.uk> <403AA55E.10304@eatathome.com.au> <20040224012551.M81007@konsultex.com.br> Message-ID: <403AACB4.3030702@eatathome.com.au> Miguel Koren OBrien de Lacy wrote: >Pete; > >I'm not sure there is any upgrade information. You actually don't need much because >the process is simple since you already have the conf file and the clamav user. What I >do is: > >a) uncompress and untar the distribution in a directory of choice (I use /usr/local/src) >b) go into the directory and do a ./configure (setting any options: I use "./configure >--sysconfdir=/etc") >c) make >d) stop MailScanner and any rogue sendmail processes >e) make a backup of my clamav.conf (just in case) >f) stop cron temporarily (just in case) >g) make install >h) restart MailScanner (check to see if it started ok) >i) restart cron >j) after an hour or so see if the pattern updating is working normally > >This has worked fine for 3 upgrades so far. It takes about 5 minutes, maximum. > >MailScanner itself is also very, very easy to upgrade. You just follow the install >instructions and then remember to update the MailScanner.conf file. Of course if you >come from a much older version this may not be the case. I think that MailScanner has >absolutely the best install/upgrade script I have used. But since this is Perl, your >Perl infrastructure may interfere with this great feeling, although I never had >problems. I like seeing the part "Oh good, you seem to ...." during the process; it's >a human touch. 
> >Miguel > >-- >Konsultex Informatica (http://www.konsultex.com.br) > >---------- Original Message ----------- >From: Pete >To: MAILSCANNER@JISCMAIL.AC.UK >Sent: Tue, 24 Feb 2004 12:14:06 +1100 >Subject: Re: clamav-autoupdate > > > >>Kevin Spicer wrote: >> >> >> >>>On Mon, 2004-02-23 at 23:21, Pete wrote: >>> >>> >>> >>> >>> >>>>Could someone tell me how to check what/when the latest signature >>>>version is or when it was last updated. >>>> >>>> >>>> >>>> >>>Subscribe to the clamav-virusdb list >>> >>> >>> >>> >>> >>>>Additionally I am using clam .60 I have ms 4.24-5 so no support for the >>>>perl module, should I be upgrading this version of clamav? >>>> >>>> >>>> >>>> >>>Yes, you don't need to use the perl module, but the latest clam contains >>>several important fixes - including more robust updating. >>> >>> >>> >>> >>>BMRB International >>>http://www.bmrb.co.uk >>>+44 (0)20 8566 5000 >>>_________________________________________________________________ >>>This message (and any attachment) is intended only for the >>>recipient and may contain confidential and/or privileged >>>material. If you have received this in error, please contact the >>>sender and delete this message immediately. Disclosure, copying >>>or other action taken in respect of this email or in >>>reliance on it is prohibited. BMRB International Limited >>>accepts no liability in relation to any personal emails, or >>>content of any email which does not directly relate to our >>>business. >>> >>> >>> >>> >>> >>> >>> >>Many thanks for the replies, any chance someone could point me towards >>the upgrade doco? I can't find it in the mailing list, the source or on the >>clam website. But I do remember someone posting a quickie howto >>upgrade once, but buggered if I can find it. >> >>thanks >>Pete >> >>-- >>This message has been checked by the antivirus system and >> is believed to be free of danger. >> >> >------- End of Original Message ------- > > > > Awesome, thanks very much. 
Am trying the clam upgrade now. I am planning to upgrade MS in March. I am very cautious about this sort of thing, but I do want to use the newer SA and add DCC support. So I will attempt an upgrade of my back up mail filter in place, (2 mailscanners running side by side), with an option in my schedule to allow for a total rebuild, should I break it :) Thanks Pete From JLM939 at HOTMAIL.COM Tue Feb 24 01:50:02 2004 From: JLM939 at HOTMAIL.COM (JLM) Date: Thu Jan 12 21:22:41 2006 Subject: MailScanner on Mac OS X In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C401EA6F@dc012.corpdsg.com> Message-ID: > How do you like the Xserve? We have found it very hard to get in contact with > an account manager at Apple. I would like to get a few to play with. I have > called them and they tell us to go down to a local CompUSA. Do you know if > they offer 4 hour hardware support like HP does? Well, we're getting a bit off-topic here, so I suggest you contact me directly if I can provide any additional information. But to answer your question, we're very happy with the Xserve. They perform very well, are easy to maintain, and are quite secure. http://maccentral.macworld.com/news/2004/02/20/osxserver/index.php I don't know much about their hardware support, since we've never needed it. ;) Justin From pete at eatathome.com.au Tue Feb 24 03:58:17 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:41 2006 Subject: Training SA In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56C9D@hart-exchange.hartwellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56C9D@hart-exchange.hartwellcorp.com> Message-ID: <403ACBD9.6080500@eatathome.com.au> Michael St. Laurent wrote: >Okay, I've got the feedback mechanism in place for training the Bayes >engine. Now for a few procedural questions. ;-D > >I have MailScanner set to add the {Spam?} tag to the Subject line and to >make the original message an attachment. Will either of these throw off the >training process? 
Is the sa-learn program able to extract the original >message from the attachment and does it know that it should do so? > >-- >Michael St. Laurent >Hartwell Corporation > > > > > So what do you do when the silly users put all their spam in the good folder and their ham in the junk folder and you have automatically already run the sa-learn stuff on it? This would certainly be a frequent occurrence if we implemented this...how do you handle it? The whole reason we haven't used any manual bayes already is because we don't want to create extra work, which I think could cause us. From chris at FRACTALWEB.COM Tue Feb 24 05:11:29 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:41 2006 Subject: the "ins" and "outs" of McAfee with MailScanner Message-ID: <403ADD01.7070002@fractalweb.com> Hi everyone, I'm running the 30-day evaluation copy of McAfee antivirus on my linux server with MailScanner. Previously, I was only running ClamAV, but for now, I'm running both. Although I'm quite familiar with ClamAV, I'm somewhat of a noob when it comes to McAfee. I have a few questions: 1) How often does MailScanner check the NAI site for new DAT files? I couldn't seem to find anything on this. 2) Is there a log file anywhere that I can look at to see when the DAT files are updated? 3) I understand that there are DAT files, extra DAT files, and super-extra DAT files? Does MailScanner update these too? Or do I have to do these manually? Thanks everyone. Cheers, Chris From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 24 07:48:47 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:41 2006 Subject: Emailing quarantined emails Message-ID: Hi, > which whitelists everything with that email address as > someone already pointed out ... Just whitelisting some filetypes not the entire messages! But yes. 127.0.0.1 is better. 
Regards, JP From Jan-Peter.Koopmann at SECEIDOS.DE Tue Feb 24 08:01:51 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:41 2006 Subject: Emailing quarantined emails Message-ID: > which whitelists everything with that email address as > someone already pointed out ... But I agree I should have > replied to the message you replied to ;-) BTW: Why not use two rules From: postmaster@yourdomain.com and From: 127.0.0.1 ? That would make it much more secure. 127.0.0.1 alone is not a solution for people using stunnel for SSMTP e.g. :-) Regards, JP From drew at THEMARSHALLS.CO.UK Tue Feb 24 08:15:41 2004 From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:41 2006 Subject: make copies of all emails - not archive In-Reply-To: <200402240529.VAA06916@sheridan.sibble.net> References: <200402240529.VAA06916@sheridan.sibble.net> Message-ID: <9947.194.70.180.170.1077610541.squirrel@net.themarshalls.co.uk> Harondel J. Sibble said: > Have a situation where we need to have a copy of all emails that come in and > go out of the MS gateway machine be sent to an address on the internal mailserver. > > Essentially the boss wants to see all the mail activity for the day, a day > log so to speak, which would be deleted each day or so. > > We have MS running as the mail gateway and use a transport rule to > allow incoming mail for the domain to be delivered to the hidden intranet > mail server. I know how to do archiving of all in/outbound mail on the MS > box, however I want to have it send a copy of all messages (hopefully without > mangling the headers) to an address on our Samsung Contact server internally. > > Is this easy/simple to do? We are running postfix 2.x on the MS box. I would guess the easiest place to do this would be in the spam/ nonspam/ delivery options and set it to forward boss@tld deliver To do it in Postfix would be messier (I think, no coffee yet so brain not quite there ;-) ) Drew > -- > Harondel J. 
Sibble > Sibble Computer Consulting > Creating solutions for the small business and home computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com > (604) 739-3709 (voice/fax) (604) 686-2253 (pager) > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From P.G.M.Peters at utwente.nl Tue Feb 24 08:28:06 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:41 2006 Subject: MailScanner not parsing dumaru-y MIME headers In-Reply-To: References: Message-ID: <8j2m30lnid0dqt6h6h2ri417q5ntpjovin@4ax.com> On Mon, 23 Feb 2004 16:12:44 +0100, you wrote: >patch < /tmp/Message.pm.patch This gave me |patching file Message.pm |Hunk #1 succeeded at 3307 (offset -156 lines). with MailScanner 4.25-14. MS restarted without problems. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at utwente.nl Tue Feb 24 09:11:30 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:41 2006 Subject: New %RND location Message-ID: <175m30hngr1ar7asdl30r2ajqabave8gr5@4ax.com> We all know the spam that has %RND in tags in html-messages and %RND-words in the body. Sometimes we see %RND in Subjects. Today I saw a message with %RND in the domain part of the From header. 
-- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Tue Feb 24 09:46:36 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:41 2006 Subject: DOS and Oversized Zip In-Reply-To: References: Message-ID: <6.0.1.1.2.20040224094609.03d13618@imap.ecs.soton.ac.uk> At 00:39 24/02/2004, you wrote: >There are ways to handcraft a zip file so it expands from a few >bytes to a couple of terabytes, used to be called "The Zip of >death". Clam allows you to restrict the compression ratio to >avoid "Zip bombs" of this nature. Imagine the problems if you >received a zip bomb that was a few hundred K compressed and a few >gig uncompressed? MailScanner is designed to handle this sort of attack, and should survive it. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 24 09:44:19 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:41 2006 Subject: '@' symbol in "stored.xxxxx.message.txt" files In-Reply-To: <5392B908-6631-11D8-B941-0003937E94EA@skidmore.edu> References: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> <40367E47.6060201@pacific.net> <6.0.2.0.0.20040220170302.026ec7f8@mail.enhtech.com> <6.0.1.1.2.20040223140901.0388e1a0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040223141318.03edc5b8@imap.ecs.soton.ac.uk> <5392B908-6631-11D8-B941-0003937E94EA@skidmore.edu> Message-ID: <6.0.1.1.2.20040224093640.03d138a8@imap.ecs.soton.ac.uk> This sounds like a Perl bug if it is producing different results on different platforms, OSs and versions. I'll rewrite the code so it is phrased differently. Please can you try this patch to Message.pm. 
At 18:51 23/02/2004, you wrote: >I am getting the behaviour regardless of which I do. Whether I escape >it or not (this was in my previous submissions to this list) the line >does not print. > >Jeff Clark >On Feb 23, 2004, at 9:14 AM, Julian Field wrote: > >>At 14:09 23/02/2004, you wrote: >>>At 13:55 23/02/2004, you wrote: >>>>Third request of hopefully a simple question to this list: >>>> >>>>We are running sendmail Version 8.11.7+Sun on a Solaris 8 V880, >>>>MailScanner-4.25-14. and perl, v5.6.1 built for sun4-solaris. >>>> >>>>I am trying to include an e-mail address in the body of the >>>>"stored.virus.message.txt" and "stored.filename.message.txt". >>>> >>>>When I include the '@' symbol in the text line, the whole line does >>>>not >>>>print. Any ideas? How do I print the '@' symbol in the files? >>> >>>The quick workaround is to use >>> \@ >>>instead of >>> @ >>> >>>But I'm going to take a look at the code as it should already do this >>>substitution for you. >> >>I have just found that a line containing no backslash works fine, >>while a >>line with a backslash doesn't print, which is understandable. So if I >>put >>in an email address like >> helpdesk@ecs.soton.ac.uk >>it works fine. >> >>Are you getting the reverse behaviour? >>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support >> >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >-- >Jeffrey A. Clark >Associate Director, CITS >Director, Enterprise Systems >Skidmore College >815 North Broadway >Saratoga Springs, NY 12866-1632 >(518) 580-5929 >E-mail: jclark@skidmore.edu -------------- next part -------------- A non-text attachment was scrubbed... 
Name: Message.pm.patch Type: application/octet-stream Size: 749 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040224/2a71a68a/Message.pm.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From simon at ADVANTAGE-INTERACTIVE.COM Tue Feb 24 10:03:19 2004 From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:22:41 2006 Subject: MailScanner not parsing dumaru-y MIME headers In-Reply-To: <1077549256.4798.14.camel@localhost> References: <6.0.1.1.2.20040221103044.04009ec0@imap.ecs.soton.ac.uk> <1077546740.4798.12.camel@localhost> <6.0.1.1.2.20040223144309.03ec31e0@imap.ecs.soton.ac.uk> <1077549256.4798.14.camel@localhost> Message-ID: <1077616999.731.0.camel@localhost> As a confirmation, the patch caught a genuine copy of the Dumaru.Y virus that got sent to us here so I'm very happy with that On Mon, 2004-02-23 at 15:14, Simon Dick wrote: > That appears to work fine, it detected the re-insertion I did, a genuine > one comes through every morning though so I'll have a live test early > tomorrow. > > Thanks for the excellent help! > > On Mon, 2004-02-23 at 14:43, Julian Field wrote: > > Please try this patch to Message.pm. I have tried to post a new Message.pm > > a couple of times already, but it seems to disappear down the toilet :-( > > > > > > At 14:32 23/02/2004, you wrote: > > >I've just sent a copy of this to the list in a different thread having > > >not seen this one until afterwards :) It's in a password protected > > >zipfile) > > > > > >On Sat, 2004-02-21 at 10:31, Julian Field wrote: > > > > Yes please, send me a copy in a password-protected zip file. Please > > > > remember to tell me what the password is! 
:-) > > > > > > > > At 22:37 20/02/2004, you wrote: > > > > >Julian: > > > > > > > > > >Running MailScanner-4.27.3-1, rpm version > > > > >Running sendmail 8 on RedHat 6.2 with latest rpm-build > > > > >Running Sophos 3.79 > > > > > > > > > >Installed latest version of MailScanner to fix MIME header parsing problem > > > > >(MyDoom-A viruses not being found). However, I have been seeing dumaru-y > > > > >viruses pass through MailScanner with "Clean" headers. When the mail > > > ends up > > > > >in Outlook Express, however, OE finds the attachment and it's up to the > > > > >client virus scanner to find dumaru-y. > > > > > > > > > >I have several copies of the virus-infected email message with full > > > headers > > > > >stored on the mail server. If you would like to see them, I can attach the > > > > >file and send it to you. > > > > > > > > > >I thought the latest version of MailScanner was supposed to fix this? > > > > >Anybody else having this problem? > > > > > > > > > >James Corell > > > > >E-P-C-S > > > > >111 West Mitchell, Suite E > > > > >Gaylord, MI 49735 > > > > >(989) 732-1366 > > > > > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > Professional Support Services at www.MailScanner.biz > > > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > ______________________________________________________________________ > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Feb 24 10:17:09 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:41 2006 Subject: '@' symbol in "stored.xxxxx.message.txt" files In-Reply-To: <6.0.1.1.2.20040224093640.03d138a8@imap.ecs.soton.ac.uk> References: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> 
<40367E47.6060201@pacific.net> <6.0.2.0.0.20040220170302.026ec7f8@mail.enhtech.com> <6.0.1.1.2.20040223140901.0388e1a0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040223141318.03edc5b8@imap.ecs.soton.ac.uk> <5392B908-6631-11D8-B941-0003937E94EA@skidmore.edu> <6.0.1.1.2.20040224093640.03d138a8@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040224101644.0361d308@imap.ecs.soton.ac.uk> Oops, screw up in previous version of patch. Try this one instead. At 09:44 24/02/2004, you wrote: >This sounds like a Perl bug if it is producing different results on >different platforms, OSs and versions. >I'll rewrite the code so it is phrased differently. > >Please can you try this patch to Message.pm. > >At 18:51 23/02/2004, you wrote: >>I am getting the behaviour regardless of which I do. Whether I escape >>it or not (this was in my previous submissions to this list) the line >>does not print. >> >>Jeff Clark >>On Feb 23, 2004, at 9:14 AM, Julian Field wrote: >> >>>At 14:09 23/02/2004, you wrote: >>>>At 13:55 23/02/2004, you wrote: >>>>>Third request of hopefully a simple question to this list: >>>>> >>>>>We are running sendmail Version 8.11.7+Sun on a Solaris 8 V880, >>>>>MailScanner-4.25-14. and perl, v5.6.1 built for sun4-solaris. >>>>> >>>>>I am trying to include an e-mail address in the body of the >>>>>"stored.virus.message.txt" and "stored.filename.message.txt". >>>>> >>>>>When I include the '@' symbol in the text line, the whole line does >>>>>not >>>>>print. Any ideas? How do I print the '@' symbol in the files? >>>> >>>>The quick workaround is to use >>>> \@ >>>>instead of >>>> @ >>>> >>>>But I'm going to take a look at the code as it should already do this >>>>substitution for you. >>> >>>I have just found that a line containing no backslash works fine, >>>while a >>>line with a backslash doesn't print, which is understandable. So if I >>>put >>>in an email address like >>> helpdesk@ecs.soton.ac.uk >>>it works fine. >>> >>>Are you getting the reverse behaviour? 
>>>-- >>>Julian Field >>>www.MailScanner.info >>>MailScanner thanks transtec Computers for their support >>> >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>-- >>Jeffrey A. Clark >>Associate Director, CITS >>Director, Enterprise Systems >>Skidmore College >>815 North Broadway >>Saratoga Springs, NY 12866-1632 >>(518) 580-5929 >>E-mail: jclark@skidmore.edu > > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -------------- next part -------------- A non-text attachment was scrubbed... Name: Message.pm.patch Type: application/octet-stream Size: 758 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040224/e7b81c69/Message.pm.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dot at DOTAT.AT Tue Feb 24 10:11:21 2004 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:41 2006 Subject: the "ins" and "outs" of McAfee with MailScanner In-Reply-To: Message-ID: Chris Yuzik wrote: > >Although I'm quite familiar with ClamAV, I'm somewhat of a noob when it >comes to McAfee. I have a few questions: >1) How often does MailScanner check the NAI site for new DAT files? I >couldn't seem to find anything on this. That's up to your crontab. >2) Is there a log file anywhere that I can look at to see when the DAT >files are updated? The autoupdate script by default says nothing when it does nothing, and produces output when it makes an update, so normal cron behaviour means you get an email when there's an update. >3) I understand that there are DAT files, extra DAT files, and >super-extra DAT files? Does MailScanner update these too? Or do I have >to do these manually? The only one of interest to us is the extra.dat files. 
Unfortunately using them automatically doesn't seem to be particularly easy. It might be possible to subscribe to NAI's notification email, pipe that into a script which works out what's going on and if necessary goes to the new virus's web page (whose URL is in the email) to find the link to the extra.dat file. But I haven't written this script. Tony. -- f.a.n.finch http://dotat.at/ SHANNON ROCKALL MALIN: NORTH OR NORTHWEST 5 TO 7. RAIN THEN SHOWERS. MODERATE OR GOOD. From g.pentland at SOTON.AC.UK Tue Feb 24 10:34:52 2004 From: g.pentland at SOTON.AC.UK (Pentland G.) Date: Thu Jan 12 21:22:41 2006 Subject: spam.actions.rules Message-ID: Julian Field wrote: . . . . >> >> >> Obviously Mailscanner doesn't create the mail but Mailscanner could >> remove a recipient from the mail but leave the rest of it/them in the >> queue. I realise this is not easy to implement. > > This only works for the "delete" spam action. But I agree it is a > possible solution to the problem in this case. > Is there any chance of implementing this for the delete action in a future release? Would anyone else out there find this useful? Gary From mailscanner at ecs.soton.ac.uk Tue Feb 24 11:05:00 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:41 2006 Subject: spam.actions.rules In-Reply-To: References: Message-ID: <6.0.1.1.2.20040224110428.03f65ab8@imap.ecs.soton.ac.uk> At 10:34 24/02/2004, you wrote: >Julian Field wrote: > >> Obviously Mailscanner doesn't create the mail but Mailscanner could > >> remove a recipient from the mail but leave the rest of it/them in the > >> queue. I realise this is not easy to implement. > > > > This only works for the "delete" spam action. But I agree it is a > > possible solution to the problem in this case. > > > >Is there any chance of implementing this for the delete action in a >future release? It's not trivial as the current configuration engine doesn't really support me doing this. I'll have a think but no promises. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From tony.johansson at SVENSKAKYRKAN.SE Tue Feb 24 11:36:41 2004 From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:22:41 2006 Subject: Dspam Message-ID: Has anyone had look at DSpam? See http://www.nuclearelephant.com/projects/dspam The author seems to write off SpamAssassin as a filter totally (see http://www.nuclearelephant.com/projects/dspam/faq.html#1.7 ) and perl implementations in general any thoughts on that? Regards, Tony From david at PLATFORMHOSTING.COM Tue Feb 24 11:40:54 2004 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:22:41 2006 Subject: Dspam In-Reply-To: Message-ID: <200402241140.i1OBesP19048@mx1.mailsecurity.net.au> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Tony Johansson > Sent: Tuesday, 24 February 2004 10:37 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Dspam > > Has anyone had look at DSpam? > See http://www.nuclearelephant.com/projects/dspam > > The author seems to write off SpamAssassin as a filter totally (see > http://www.nuclearelephant.com/projects/dspam/faq.html#1.7 ) and perl > implementations in general > > any thoughts on that? Oddly enough I was looking at it today. It certainly looks like a great concept and it's been written up on Slashdot recently which positive comments. For us it wouldn't work because by default it replaces the MDA rather than intercepting the message before delivery (like spamd or mailscanner currently does). Unless someone has already done this? 
I'm sure however we'd use it if it was integrated into MailScanner ;) Regards, David Hooton ======================================================================== Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== From prandal at HEREFORDSHIRE.GOV.UK Tue Feb 24 12:01:34 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:41 2006 Subject: New variant of MyDoom? Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C563@jessica.herefordshire.gov.uk> McAfee patterns updated automatically here at 01:02 GMT today to catch it. They did have an extra.dat out to cover it yesterday afternoon (UK time). And we're yet to see a copy of it. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Paul Arrington > Sent: 23 February 2004 23:07 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: New variant of MyDoom? > > > #-----Original Message----- > #From: MailScanner mailing list > #[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Michael St. Laurent > #Sent: Monday, February 23, 2004 5:54 PM > #To: MAILSCANNER@JISCMAIL.AC.UK > #Subject: Re: [MAILSCANNER] New variant of MyDoom? > # > #Bob Jones wrote: > #> Hey all... we have recieved a few messages with .zip > #attachments that > #> aren't caught by the latest McAfee which seem to be a new > variang of > #> MyDoom. All the virus company's websites are very slow > right now so > #> I'm assuming this is hitting a lot of people. We have temporarily > #> started blocking .zip attachments until we get definitions that can > #> recognize it. Just a heads up... > # > #Thanks for the heads-up. > # > > > Thanks from me, too. 
Thought it might be this: > > http://vil.nai.com/vil/content/v_101038.htm > > (I use McAfee) They are not officially releasing a > definition for this > until next week. I installed their extra.dat file and > immediately started > seeing hits in the mail log. > From mailscanner at ecs.soton.ac.uk Tue Feb 24 12:23:39 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:41 2006 Subject: Dspam In-Reply-To: References: Message-ID: <6.0.1.1.2.20040224120938.03b14240@imap.ecs.soton.ac.uk> At 11:36 24/02/2004, you wrote: >Has anyone had look at DSpam? >See http://www.nuclearelephant.com/projects/dspam > >The author seems to write off SpamAssassin as a filter totally (see >http://www.nuclearelephant.com/projects/dspam/faq.html#1.7 ) and perl >implementations in general > >any thoughts on that? > >Regards, Tony It's very much an aggressive sales pitch. His example of his largest site at 125,000 mailboxes is not very big at all. I have sites with over 100 times that amount. As for his "peaks at 99.984% accuracy", that's just like an advertisement telling you that you can get "up to 30% off in the sale". If he chose his sample right, he should be able to say that it peaks at 100% accuracy. Sounds like a bunch of Bayes-based or similar approaches. If he is relying on 1 tool like this, he is doomed to failure as the spammers work round his filters. The more popular he gets, the faster his approach will die. SpamAssassin succeeds through its use of so many different approaches blended into 1 system. It is easy to fool one or two of them at once, but very hard to fool all of them at the same time. SpamAssassin Myth 2: you just set up a spam and notspam address just as described countless times on this mailing list. SpamAssassin Myth 3: only true if you use the "spamassassin" script, which almost no-one does. MailScanner certainly doesn't suffer this problem. 
Oh, and while we're at it, Perl is not an interpreted language, it's a just-in-time compiled language. It just looks like an interpreted language. This just reads like a bolshy sales talk. "I'm wonderful and everyone else is c**p, and I'm going to keep telling you!". I fully expect there are some good components in there, and I expect the SpamAssassin guys have looked at it and made their own judgement on whether there are useful ideas. Slagging off all the opposition isn't actually a very good way of convincing people of your argument. Some of what he says is true, but certainly not all of it. And since I can quickly see several mistakes in his information, how much else is made up? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From slwatts at WINCKWORTHS.CO.UK Tue Feb 24 12:33:02 2004 From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:22:41 2006 Subject: Dspam Message-ID: Yup - it looks pretty good on the face of it. It would be great to have this work with mailscanner. SpamAssassin seems to work well for me but if there is a better engine out there for filtering spam then I would love to be able to use that with MS. Sam -----Original Message----- From: David Hooton [mailto:david@PLATFORMHOSTING.COM] Sent: 24 February 2004 11:41 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Dspam > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Tony Johansson > Sent: Tuesday, 24 February 2004 10:37 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Dspam > > Has anyone had look at DSpam? > See http://www.nuclearelephant.com/projects/dspam > > The author seems to write off SpamAssassin as a filter totally (see > http://www.nuclearelephant.com/projects/dspam/faq.html#1.7 ) and perl > implementations in general > > any thoughts on that? Oddly enough I was looking at it today. 
It certainly looks like a great concept and it's been written up on Slashdot recently which positive comments. For us it wouldn't work because by default it replaces the MDA rather than intercepting the message before delivery (like spamd or mailscanner currently does). Unless someone has already done this? I'm sure however we'd use it if it was integrated into MailScanner ;) Regards, David Hooton ======================================================================== Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== -------------- Winckworth Sherwood Solicitors and Parliamentary Agents DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR Telephone 020 7593 5000 Fax 020 7593 5099 -Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system. -Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email. -Regulation- The firm is regulated by the Law Society. -Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at http://www.winckworths.co.uk From slwatts at WINCKWORTHS.CO.UK Tue Feb 24 12:35:31 2004 From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:22:41 2006 Subject: Dspam Message-ID: Oh well... Guess if it looks too good to be true.... It usually is! -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 24 February 2004 12:24 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Dspam At 11:36 24/02/2004, you wrote: >Has anyone had look at DSpam? 
>See http://www.nuclearelephant.com/projects/dspam > >The author seems to write off SpamAssassin as a filter totally (see >http://www.nuclearelephant.com/projects/dspam/faq.html#1.7 ) and perl >implementations in general > >any thoughts on that? > >Regards, Tony It's very much an aggressive sales pitch. His example of his largest site at 125,000 mailboxes is not very big at all. I have sites with over 100 times that amount. As for his "peaks at 99.984% accuracy", that's just like an advertisement telling you that you can get "up to 30% off in the sale". If he chose his sample right, he should be able to say that it peaks at 100% accuracy. Sounds like a bunch of Bayes-based or similar approaches. If he is relying on 1 tool like this, he is doomed to failure as the spammers work round his filters. The more popular he gets, the faster his approach will die. SpamAssassin succeeds through its use of so many different approaches blended into 1 system. It is easy to fool one or two of them at once, but very hard to fool all of them at the same time. SpamAssassin Myth 2: you just set up a spam and notspam address just as described countless times on this mailing list. SpamAssassin Myth 3: only true if you use the "spamassassin" script, which almost no-one does. MailScanner certainly doesn't suffer this problem. Oh, and while we're at it, Perl is not an interpreted language, it's a just-in-time compiled language. It just looks like an interpreted language. This just reads like a bolshy sales talk. "I'm wonderful and everyone else is c**p, and I'm going to keep telling you!". I fully expect there are some good components in there, and I expect the SpamAssassin guys have looked at it and made their own judgement on whether there are useful ideas. Slagging off all the opposition isn't actually a very good way of convincing people of your argument. Some of what he says is true, but certainly not all of it. 
And since I can quickly see several mistakes in his information, how much else is made up? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- Winckworth Sherwood Solicitors and Parliamentary Agents DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR Telephone 020 7593 5000 Fax 020 7593 5099 -Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system. -Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email. -Regulation- The firm is regulated by the Law Society. -Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at http://www.winckworths.co.uk From pete at eatathome.com.au Tue Feb 24 12:38:21 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:41 2006 Subject: Dspam In-Reply-To: <6.0.1.1.2.20040224120938.03b14240@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040224120938.03b14240@imap.ecs.soton.ac.uk> Message-ID: <403B45BD.5050307@eatathome.com.au> Julian Field wrote: > At 11:36 24/02/2004, you wrote: > >> Has anyone had look at DSpam? >> See http://www.nuclearelephant.com/projects/dspam >> >> The author seems to write off SpamAssassin as a filter totally (see >> http://www.nuclearelephant.com/projects/dspam/faq.html#1.7 ) and perl >> implementations in general >> >> any thoughts on that? >> >> Regards, Tony > > > It's very much an aggressive sales pitch. His example of his largest site > at 125,000 mailboxes is not very big at all. I have sites with over 100 > times that amount. 
As for his "peaks at 99.984% accuracy", that's just > like > an advertisement telling you that you can get "up to 30% off in the > sale". > If he chose his sample right, he should be able to say that it peaks at > 100% accuracy. > > Sounds like a bunch of Bayes-based or similar approaches. If he is > relying > on 1 tool like this, he is doomed to failure as the spammers work > round his > filters. The more popular he gets, the faster his approach will die. > SpamAssassin succeeds through its use of so many different approaches > blended into 1 system. It is easy to fool one or two of them at once, but > very hard to fool all of them at the same time. > > SpamAssassin Myth 2: you just set up a spam and notspam address just as > described countless times on this mailing list. > SpamAssassin Myth 3: only true if you use the "spamassassin" script, > which > almost no-one does. MailScanner certainly doesn't suffer this problem. > > Oh, and while we're at it, Perl is not an interpreted language, it's a > just-in-time compiled language. It just looks like an interpreted > language. > > This just reads like a bolshy sales talk. "I'm wonderful and everyone > else > is c**p, and I'm going to keep telling you!". I fully expect there are > some > good components in there, and I expect the SpamAssassin guys have > looked at > it and made their own judgement on whether there are useful ideas. > > Slagging off all the opposition isn't actually a very good way of > convincing people of your argument. Some of what he says is true, but > certainly not all of it. And since I can quickly see several mistakes in > his information, how much else is made up? > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > Even though its only 2 zeros i still had to get my calculator out - you have clients with 12500000 - 12.5 million mailboxes? 
Australia only has 18 million people, one environment like this could almost serve our whole country? babies, old folks and all?

I read this mailing list every day, and every day I am amazed!

From graham at CELESTINEWEB.COM Tue Feb 24 12:03:49 2004
From: graham at CELESTINEWEB.COM (Graham Scanlan)
Date: Thu Jan 12 21:22:41 2006
Subject: SNMP server down since installing mailscanner
Message-ID: <20040224120349.M70312@celestineweb.com>

Hi

Below is a copy of mail log:-

[root admin]# ps auxw | grep -i mail
root   796  0.0  0.7  5220  2320 ?     S 09:29 0:00 sendmail: accepting connections
root   802  0.0  0.6  5140  2176 ?     S 09:29 0:00 /usr/sbin/sendmail -q15m -OPidFile /var/run/sendmail.out.pid
root   841  0.0  3.5 12928 11224 ?     S 09:29 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS
root   842  0.0  3.6 13760 11732 ?     S 09:29 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS
root   916  0.0  3.6 13760 11732 ?     S 09:29 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS
root  2163  0.0  0.1  1536   612 pts/0 S 09:45 0:00 grep -i mail

[root admin]# tail -f -n100 /var/log/maillog
Feb 24 09:00:03 www sendmail[3801]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 24 09:00:03 www imapd[3812]: imap service init from 127.0.0.1
Feb 24 09:00:03 www imapd[3812]: Logout user=??? host=localhost [127.0.0.1]
Feb 24 09:01:01 www update.virus.scanners: Found clamav installed
Feb 24 09:01:01 www update.virus.scanners: Running autoupdate for clamav
Feb 24 09:01:02 www ClamAV-autoupdate[4450]: ClamAV updater /usr/local/bin/freshclam cannot be run
Feb 24 09:01:02 www sendmail[4409]: i1O911R04409: from=root, size=1152, class=0, nrcpts=1, msgid=<200402240901.i1O911R04409@www.celestineweb.net>, relay=root@localhost
Feb 24 09:01:02 www sendmail[4409]: i1O911R04409: to=admin, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31152, dsn=2.0.0, stat=Sent
Feb 24 09:12:26 www MailScanner[842]: MailScanner child caught a SIGHUP
Feb 24 09:12:26 www MailScanner[914]: MailScanner child caught a SIGHUP
Feb 24 09:14:10 www sendmail[4990]: alias database /etc/mail/aliases rebuilt by admin
Feb 24 09:14:10 www sendmail[4990]: /etc/mail/aliases: 30 aliases, longest 10 bytes, 308 bytes total
Feb 24 09:14:10 www sendmail[4990]: alias database /etc/mail/aliases.majordomo rebuilt by admin
Feb 24 09:14:10 www sendmail[4990]: /etc/mail/aliases.majordomo: 6 aliases, longest 90 bytes, 257 bytes total
Feb 24 09:14:11 www sendmail[4994]: starting daemon (8.11.6): SMTP
Feb 24 09:14:11 www sendmail[5000]: starting daemon (8.11.6): queueing@00:15:00
Feb 24 09:14:16 www MailScanner[5018]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 24 09:14:16 www MailScanner[5018]: Using locktype = flock
Feb 24 09:14:26 www MailScanner[5037]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 24 09:14:26 www MailScanner[5037]: Using locktype = flock
Feb 24 09:14:56 www MailScanner[5037]: MailScanner child caught a SIGHUP
Feb 24 09:14:56 www MailScanner[5018]: MailScanner child caught a SIGHUP
Feb 24 09:15:12 www sendmail[5098]: alias database /etc/mail/aliases rebuilt by root
Feb 24 09:15:12 www sendmail[5098]: /etc/mail/aliases: 30 aliases, longest 10 bytes, 308 bytes total
Feb 24 09:15:12 www sendmail[5098]: alias database /etc/mail/aliases.majordomo rebuilt by root
Feb 24 09:15:12 www sendmail[5098]: /etc/mail/aliases.majordomo: 6 aliases, longest 90 bytes, 257 bytes total
Feb 24 09:15:12 www sendmail[5102]: starting daemon (8.11.6): SMTP
Feb 24 09:15:12 www sendmail[5108]: starting daemon (8.11.6): queueing@00:15:00
Feb 24 09:15:17 www MailScanner[5126]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 24 09:15:18 www MailScanner[5126]: Using locktype = flock
Feb 24 09:15:22 www sendmail[5132]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 24 09:15:23 www imapd[5143]: imap service init from 127.0.0.1
Feb 24 09:15:23 www imapd[5143]: Logout user=??? host=localhost [127.0.0.1]
Feb 24 09:15:27 www MailScanner[5229]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 24 09:15:28 www MailScanner[5229]: Using locktype = flock
Feb 24 09:17:58 www sendmail[5472]: alias database /etc/mail/aliases rebuilt by admin
Feb 24 09:17:58 www sendmail[5472]: /etc/mail/aliases: 30 aliases, longest 10 bytes, 308 bytes total
Feb 24 09:17:58 www sendmail[5472]: alias database /etc/mail/aliases.majordomo rebuilt by admin
Feb 24 09:17:58 www sendmail[5472]: /etc/mail/aliases.majordomo: 6 aliases, longest 90 bytes, 257 bytes total
Feb 24 09:17:58 www sendmail[5476]: starting daemon (8.11.6): SMTP
Feb 24 09:17:58 www sendmail[5476]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use
Feb 24 09:17:58 www sendmail[5476]: daemon MTA: problem creating SMTP socket
Feb 24 09:17:58 www sendmail[5482]: starting daemon (8.11.6): queueing@00:15:00
Feb 24 09:18:03 www sendmail[5476]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use
Feb 24 09:18:03 www sendmail[5476]: daemon MTA: problem creating SMTP socket
Feb 24 09:18:08 www sendmail[5476]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use
Feb 24 09:18:08 www sendmail[5476]: daemon MTA: problem creating SMTP socket
Feb 24 09:18:13 www sendmail[5476]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use
Feb 24 09:18:13 www sendmail[5476]: daemon MTA: problem creating SMTP

Two errors one finding updates for clamav. two problem creating smtp socket

I followed the install instructions for a Raq550 without any problems. The load on the CPU and memory is light. If you can see anything wrong in the log above and suggest a fix I would appreciate it.

Regards
Graham
graham@celestineweb.com

--
Open WebMail Project (http://openwebmail.org)

From P.G.M.Peters at utwente.nl Tue Feb 24 13:53:28 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:41 2006
Subject: MailScanner not parsing dumaru-y MIME headers
In-Reply-To: <1077616999.731.0.camel@localhost>
References: <6.0.1.1.2.20040221103044.04009ec0@imap.ecs.soton.ac.uk> <1077546740.4798.12.camel@localhost> <6.0.1.1.2.20040223144309.03ec31e0@imap.ecs.soton.ac.uk> <1077549256.4798.14.camel@localhost> <1077616999.731.0.camel@localhost>
Message-ID: <1nlm30dd8qtnkfs4n322fitc6glkkl83c9@4ax.com>

On Tue, 24 Feb 2004 10:03:19 +0000, you wrote:

>As a confirmation, the patch caught a genuine copy of the Dumaru.Y virus
>that got sent to us here so I'm very happy with that

I am seeing the occasional Dumaru.Y in my log since I patched Message.pm. And I am seeing Dumaru.Z also.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at SMITS.CO.UK Tue Feb 24 11:03:51 2004
From: mailscanner at SMITS.CO.UK (MailScanner)
Date: Thu Jan 12 21:22:41 2006
Subject: Training SA
Message-ID: <58696C94787F16468267F3509F115030981B@hermes.clumpton.homeip.net>

You make them clean the dust out of their machine with a straw and then you run sa-learn against the offending messages with the --forget option. ;-)

If this is a likely occurrence, give the spamchecker user only read access (at least for a while) and manually check the folders for obvious mistakes. You could even create a 'Forget me' public folder, folderdump those messages in a separate directory and run sa-learn --forget against them as part of the cron job.

Ultimately the whole point of feedback is that you assume that your users know better than your filter. If this is not the case, then don't give them access to feedback. Bart... -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Pete Posted At: 24 February 2004 03:58 Posted To: MailScanner Conversation: Training SA Subject: Re: Training SA Michael St. Laurent wrote: >Okay, I've got the feedback mechanism in place for training the Bayes >engine. Now for a few proceedural questions. ;-D > >I have MailScanner set to add the {Spam?} tag to the Subject line and >to make the original message an attachment. Will either of these throw >off the training process? Is the sa-learn program able to extract the >original message from the attachment and does it know that it should do so? > >-- >Michael St. Laurent >Hartwell Corporation > > > > > So what do you do when the silly users put all thier spam in the good folder and thier ham in the junk folder an you have automatically already run the sa-leanr stuff on it? This would certainly be a frequent occurance if we implemented this...how do you handle it? The whole reason we havent used any manual bayes already is because we dont want to create extra work, which i think could cause us. From campbell at CNPAPERS.COM Tue Feb 24 14:01:38 2004 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:22:41 2006 Subject: DOS and Oversized Zip References: Message-ID: <008601c3fade$b8b8ac20$e901a8c0@cnpapers.net> I'm curious as to the configuration of clam. I thought, based on the Faq-o-matic, that clam did not require configuration, and that all parameters were passed to it from MS. Is this only used in the manual mode of operation or does there need to be something set up in clamav.conf for MS? 
Thanks

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Rick Cooper"
To:
Sent: Monday, February 23, 2004 7:39 PM
Subject: Re: DOS and Oversized Zip

> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of MailScanner Mailbox
> > Sent: Monday, February 23, 2004 1:11 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: DOS and Oversized Zip
> >
> > Hello All
> >
> > I think that this may be a clamav problem rather than a mailscanner problem but I am not 100% sure. I am running MailScanner 4.22-4 and clamav 0.67.
> >
> > It seems that recently I am getting many many emails turned away with the message "Denial of Service attack in message!" It seems to be caused by a zipfile that expands many times its zipped size, (isn't this the purpose of zipping a file)?
>
> There are ways to handcraft a zip file so it expands from a few bytes to a couple of terabytes, used to be called "The Zip of death". Clam allows you to restrict the compression ratio to avoid "Zip bombs" of this nature. Imagine the problems if you received a zip bomb that was a few hundred K compressed and a few gig uncompressed?
>
> > Anyways, there is some info I googled that mentions editing the scanners.c file (specifically "ZIPOSDET") to increase the value. I don't see that option available in clamav 0.67 so perhaps it is something I can set within the mailscanner config file?
> >
> > I have confirmed that the file being sent is a zip file containing 3 txt files (one of them is 5mb) and it compresses down to 220kb.
> >
> > Any and all help concerning this is most appreciated.
>
> look in your clamav.conf file for:
>
> # Mark potential archive bombs as viruses (0 disables the limit)
> ArchiveMaxCompressionRatio 200
>
> and set it to what you think appropriate for your system. If it's not there add it.
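An added example, not part of the original thread and not ClamAV's or MailScanner's code: one way to apply a per-file compression-ratio limit of the kind ArchiveMaxCompressionRatio describes, first on the sizes the archive declares and then by bounded decompression. The function names, member names and the in-memory sample archive are constructed for the example; a limit of 0 disables the check, as in the quoted comment.

```python
import io
import zipfile

MAX_RATIO = 200  # same value as the ArchiveMaxCompressionRatio line quoted above


def build_sample_zip():
    """Constructed sample: one ordinary text file and one highly compressible file."""
    ordinary = "".join(f"line {i}: status={(i * 7919) % 1000}\n" for i in range(20000))
    padding = b"\0" * (5 * 1024 * 1024)  # 5 MB of zero bytes deflates to a few KB
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", ordinary)
        zf.writestr("padding.bin", padding)
    return buf.getvalue()


def declared_ratio(info):
    """Ratio taken from the sizes recorded in the archive's own directory."""
    return info.file_size / max(info.compress_size, 1)


def measured_ratio(zf, info, max_ratio, chunk=64 * 1024):
    """Decompress in chunks and stop as soon as the output passes the limit.

    Returns (ratio_so_far, exceeded). With max_ratio == 0 the limit is disabled
    and the whole member is read.
    """
    compressed = max(info.compress_size, 1)
    limit = max_ratio * compressed
    produced = 0
    with zf.open(info) as member:
        while True:
            block = member.read(chunk)
            if not block:
                break
            produced += len(block)
            if max_ratio and produced > limit:
                # Stop here: nothing beyond the limit is inflated or kept.
                return produced / compressed, True
    return produced / compressed, False


def scan_archive(zip_bytes, max_ratio=MAX_RATIO):
    """Return {member name: "ok" | "blocked"} for every file in the archive."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Cheap check first: refuse on the declared sizes without inflating anything.
            if max_ratio and declared_ratio(info) > max_ratio:
                verdicts[info.filename] = "blocked"
                continue
            # The declared sizes passed, so confirm them by bounded decompression.
            _, exceeded = measured_ratio(zf, info, max_ratio)
            verdicts[info.filename] = "blocked" if exceeded else "ok"
    return verdicts


SAMPLE = build_sample_zip()

if __name__ == "__main__":
    with zipfile.ZipFile(io.BytesIO(SAMPLE)) as archive:
        for member_info in archive.infolist():
            print(f"{member_info.filename}: declared ratio {declared_ratio(member_info):.0f}:1")
    print(scan_archive(SAMPLE))
    print(scan_archive(SAMPLE, max_ratio=0))
```

Ordinary text stays far below the limit while the zero-filled member is refused, so a legitimate archive tripping the check is a reason to look at the configured ratio rather than to switch the limit off.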
From HancockS at MORGANCO.COM Tue Feb 24 14:02:54 2004 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:22:41 2006 Subject: Would stripping HTML before calling SA help? Message-ID: <3EA1A302A4978A4C970D2C63F327156E02406D57@worc-mail2.int.morganco.com> I received an email with this code.
Subject: chinch gumbo instill fraud
Over 300,000 males in the world used our product for last year!
Amazing, PERMANENT RESULTS! The most popular solution for Pegnis Enlabrgement

  • 10c0% safe hearbal fomrmula and douctor aproved
  • Increase Your Pebnis Width (Girth) By 20%
  • Gain 3+ Full Incohes In Length
  • Stop Prevmature Ejaclulation!
  • Produce Stronger, Rock Hard Erhections

    vmature I am a very small site and have the horsepower for the processing. Any opinions? Or alternate suggestions? Any favorite SA rules site that I should be updating my SA against? My mailscanner is a relay for exchange. Would going through the Bayes / public folder / Spam mailbox implementation find this SPAM? The SPAM is getting deep. MS 4.23 SA 2.63 Thanks Scott Scott Hancock Morgan Construction Co. v. 508-849-6492 f. 508-755-6140 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040224/9e6ce8c7/attachment.html From dh at UPTIME.AT Tue Feb 24 14:06:27 2004 From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:22:41 2006 Subject: Fature Request? (not sure if it is already Possible) Ripping out all Java Script Message-ID: <403B5A63.90200@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello. I have no idea if this is already possible, but I would very much like to see it as a feature. Some pieces of HTML mail, especially newsletters use javascript code in some form to enable tracking of the users behaviour. I know that many MUA have Javascript turned off my default now, yet is there a way to simply rip javascript tags out when the messages traverses through Mailscanner? - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAO1pjPMoaMn4kKR4RAx4WAKCR2jJ6CBhNdAMe4EWI1p24tA5S+wCgjX51 kzT9JxZGqjyL/yv406ZFT5Q= =nWRK -----END PGP SIGNATURE----- From Denis.Beauchemin at USHERBROOKE.CA Tue Feb 24 14:06:04 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:22:41 2006 Subject: the "ins" and "outs" of McAfee with MailScanner In-Reply-To: References: Message-ID: <1077631564.3911.53.camel@dbeauchemin.sti.usherbrooke.ca> On Tue 24/02/2004 at 05:11, Tony Finch wrote: > Chris Yuzik wrote: > > > >Although I'm quite familiar with ClamAV, I'm somewhat of a noob when it > >comes to McAfee. I have a few questions: > >1) How often does MailScanner check the NAI site for new DAT files? I > >couldn't seem to find anything on this. > > That's up to your crontab. > > >2) Is there a log file anywhere that I can look at to see when the DAT > >files are updated? > > The autoupdate script by default says nothing when it does nothing, > and produces output when it makes an update, so normal cron behaviour > means you get an email when there's an update. > > >3) I understand that there are DAT files, extra DAT files, and > >super-extra DAT files? Does MailScanner update these too? Or do I have > >to do these manually? > > The only one of interest to us is the extra.dat files. Unfortunately > using them automatically doesn't seem to be particularly easy. It might > be possible to subscribe to NAI's notification email, pipe that into a > script which works out what's going on and if necessary goes to the > new virus's web page (whose URL is in the email) to find the link to > the extra.dat file. But I haven't written this script. > > Tony. > -- > f.a.n.finch http://dotat.at/ > SHANNON ROCKALL MALIN: NORTH OR NORTHWEST 5 TO 7. RAIN THEN SHOWERS. MODERATE > OR GOOD. Tony, How about the daily DAT file? (see http://vil.nai.com/vil/virus-4d.asp) Do you think it could be automated in /usr/lib/MailScanner/mcafee-autoupdate ? I am beginning to feel quite nervous about permitting ZIP files through since Mydoom has caught us off guard (McAfee left us unprotected for the first 7 hours of the Mydoom strike)... 
Since then I installed manually 2 extra.dat (Netsky and Mydoom.f) but I feel uneasy about this manual process (I have to react quickly to every AVERT notification and I also have to remember to delete those extra.dat when they are no longer needed). Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From prandal at HEREFORDSHIRE.GOV.UK Tue Feb 24 14:08:22 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:41 2006 Subject: the "ins" and "outs" of McAfee with MailScanner Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C564@jessica.herefordshire.gov.uk> I was wondering about the "daily" file too. You'd need to do some datestamp checking to only use the daily file if it was newer than the released .dat file. A good idea, nonetheless. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Denis Beauchemin > Sent: 24 February 2004 14:06 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: the "ins" and "outs" of McAfee with MailScanner > > > Le mar 24/02/2004 ? 05:11, Tony Finch a ?crit : > > Chris Yuzik wrote: > > > > > >Although I'm quite familiar with ClamAV, I'm somewhat of a > noob when it > > >comes to McAfee. I have a few questions: > > >1) How often does MailScanner check the NAI site for new > DAT files? I > > >couldn't seem to find anything on this. > > > > That's up to your crontab. > > > > >2) Is there a log file anywhere that I can look at to see > when the DAT > > >files are updated? > > > > The autoupdate script by default says nothing when it does nothing, > > and produces output when it makes an update, so normal cron > behaviour > > means you get an email when there's an update. > > > > >3) I understand that there are DAT files, extra DAT files, and > > >super-extra DAT files? Does MailScanner update these too? > Or do I have > > >to do these manually? > > > > The only one of interest to us is the extra.dat files. Unfortunately > > using them automatically doesn't seem to be particularly > easy. It might > > be possible to subscribe to NAI's notification email, pipe > that into a > > script which works out what's going on and if necessary goes to the > > new virus's web page (whose URL is in the email) to find the link to > > the extra.dat file. But I haven't written this script. > > > > Tony. > > -- > > f.a.n.finch http://dotat.at/ > > SHANNON ROCKALL MALIN: NORTH OR NORTHWEST 5 TO 7. RAIN THEN > SHOWERS. MODERATE > > OR GOOD. > > Tony, > > How about the daily DAT file? (see > http://vil.nai.com/vil/virus-4d.asp) > > Do you think it could be automated in > /usr/lib/MailScanner/mcafee-autoupdate ? 
> > I am beginning to feel quite nervous about permitting ZIP > files through > since Mydoom has caught us off guard (McAfee left us > unprotected for the > first 7 hours of the Mydoom strike)... Since then I > installed manually > 2 extra.dat (Netsky and Mydoom.f) but I feel uneasy about this manual > process (I have to react quickly to every AVERT notification > and I also > have to remember to delete those extra.dat when they are no longer > needed). > > Denis > -- > Denis Beauchemin, analyste > Universit? de Sherbrooke, S.T.I. > T: 819.821.8000x2252 F: 819.821.8045 > From Kevin.Spicer at BMRB.CO.UK Tue Feb 24 14:09:08 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:41 2006 Subject: Would stripping HTML before calling SA help? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AB8@pascal.priv.bmrb.co.uk> Apologies for top posting - for reasons that will become clear! Stripping HTML probably won't help as some of spamassassins best rules work on the HTML content. However adding some extra rules to pick up this kind of thing will. PLEASE DON'T forward spam or spam content to the list look what happens.... Hancock, Scott wrote: > Our MailScanner believes that the attachment to this message sent to > you 
> > From: owner-mailscanner@jiscmail.ac.uk > Subject: Would stripping HTML before calling SA help? > > is Unsolicited Commercial Email (spam). Unless you are sure that this My score BTW X-BMRB-MailScanner-SpamCheck: spam, SpamAssassin (score=12.1, required 6, HTML_MESSAGE 0.10, J_BACKHAIR_21 1.00, J_BACKHAIR_22 1.00, J_BACKHAIR_31 1.00, J_BACKHAIR_32 1.00, J_BACKHAIR_34 1.00, J_BACKHAIR_35 1.00, J_BACKHAIR_41 1.00, J_BACKHAIR_43 1.00, J_BACKHAIR_45 1.00, J_CHICKENPOX_24 1.00, J_CHICKENPOX_34 1.00, J_CHICKENPOX_44 1.00, UPPERCASE_25_50 0.00) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From steve.swaney at FSL.COM Tue Feb 24 14:28:03 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:41 2006 Subject: SNMP server down since installing mailscanner In-Reply-To: <20040224120349.M70312@celestineweb.com> Message-ID: <20040224143007.F203E21C150@mail.fsl.com> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Graham Scanlan > Sent: Tuesday, February 24, 2004 7:04 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: SNMP server down since installing mailscanner > > Hi > Below is copy of mail log:- > > [root admin]# ps auxw | grep -i mail > root 796 0.0 0.7 5220 2320 ? S 09:29 0:00 sendmail: > accepti > ng connections > root 802 0.0 0.6 5140 2176 ? S 09:29 > 0:00 /usr/sbin/sendmai > l -q15m -OPidFile /var/run/sendmail.out.pid > root 841 0.0 3.5 12928 11224 ? S 09:29 > 0:00 /usr/bin/perl -I/ > usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS > root 842 0.0 3.6 13760 11732 ? S 09:29 > 0:00 /usr/bin/perl -I/ > usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS > root 916 0.0 3.6 13760 11732 ? S 09:29 > 0:00 /usr/bin/perl -I/ > usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS > root 2163 0.0 0.1 1536 612 pts/0 S 09:45 0:00 grep -i > mail > [root admin]# tail -f -n100 /var/log/maillog > Feb 24 09:00:03 www sendmail[3801]: NOQUEUE: localhost [127.0.0.1] did not > issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Feb 24 09:00:03 www imapd[3812]: imap service init from 127.0.0.1 > Feb 24 09:00:03 www imapd[3812]: Logout user=??? 
host=localhost > [127.0.0.1] > Feb 24 09:01:01 www update.virus.scanners: Found clamav installed > Feb 24 09:01:01 www update.virus.scanners: Running autoupdate for clamav > Feb 24 09:01:02 www ClamAV-autoupdate[4450]: ClamAV > updater /usr/local/bin/freshclam cannot be run > Feb 24 09:01:02 www sendmail[4409]: i1O911R04409: from=root, size=1152, > class=0, nrcpts=1, msgid=<200402240901.i1O911R04409@www.celestineweb.net>, > relay=root@localhost > Feb 24 09:01:02 www sendmail[4409]: i1O911R04409: to=admin, ctladdr=root > (0/0), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31152, > dsn=2.0.0, > stat=Sent > Feb 24 09:12:26 www MailScanner[842]: MailScanner child caught a SIGHUP > Feb 24 09:12:26 www MailScanner[914]: MailScanner child caught a SIGHUP > Feb 24 09:14:10 www sendmail[4990]: alias database /etc/mail/aliases > rebuilt > by admin > Feb 24 09:14:10 www sendmail[4990]: /etc/mail/aliases: 30 aliases, longest > 10 bytes, 308 bytes total > Feb 24 09:14:10 www sendmail[4990]: alias > database /etc/mail/aliases.majordomo rebuilt by admin > Feb 24 09:14:10 www sendmail[4990]: /etc/mail/aliases.majordomo: 6 > aliases, > longest 90 bytes, 257 bytes total > Feb 24 09:14:11 www sendmail[4994]: starting daemon (8.11.6): SMTP > Feb 24 09:14:11 www sendmail[5000]: starting daemon (8.11.6): > queueing@00:15:00 > Feb 24 09:14:16 www MailScanner[5018]: MailScanner E-Mail Virus Scanner > version 4.26.8 starting... > Feb 24 09:14:16 www MailScanner[5018]: Using locktype = flock > Feb 24 09:14:26 www MailScanner[5037]: MailScanner E-Mail Virus Scanner > version 4.26.8 starting... 
> Feb 24 09:14:26 www MailScanner[5037]: Using locktype = flock > Feb 24 09:14:56 www MailScanner[5037]: MailScanner child caught a SIGHUP > Feb 24 09:14:56 www MailScanner[5018]: MailScanner child caught a SIGHUP > Feb 24 09:15:12 www sendmail[5098]: alias database /etc/mail/aliases > rebuilt > by root > Feb 24 09:15:12 www sendmail[5098]: /etc/mail/aliases: 30 aliases, longest > 10 bytes, 308 bytes total > Feb 24 09:15:12 www sendmail[5098]: alias > database /etc/mail/aliases.majordomo rebuilt by root > Feb 24 09:15:12 www sendmail[5098]: /etc/mail/aliases.majordomo: 6 > aliases, > longest 90 bytes, 257 bytes total > Feb 24 09:15:12 www sendmail[5102]: starting daemon (8.11.6): SMTP > Feb 24 09:15:12 www sendmail[5108]: starting daemon (8.11.6): > queueing@00:15:00 > Feb 24 09:15:17 www MailScanner[5126]: MailScanner E-Mail Virus Scanner > version 4.26.8 starting... > Feb 24 09:15:18 www MailScanner[5126]: Using locktype = flock > Feb 24 09:15:22 www sendmail[5132]: NOQUEUE: localhost [127.0.0.1] did not > issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Feb 24 09:15:23 www imapd[5143]: imap service init from 127.0.0.1 > Feb 24 09:15:23 www imapd[5143]: Logout user=??? host=localhost > [127.0.0.1] > Feb 24 09:15:27 www MailScanner[5229]: MailScanner E-Mail Virus Scanner > version 4.26.8 starting... 
> Feb 24 09:15:28 www MailScanner[5229]: Using locktype = flock > Feb 24 09:17:58 www sendmail[5472]: alias database /etc/mail/aliases > rebuilt > by admin > Feb 24 09:17:58 www sendmail[5472]: /etc/mail/aliases: 30 aliases, longest > 10 bytes, 308 bytes total > Feb 24 09:17:58 www sendmail[5472]: alias > database /etc/mail/aliases.majordomo rebuilt by admin > Feb 24 09:17:58 www sendmail[5472]: /etc/mail/aliases.majordomo: 6 > aliases, > longest 90 bytes, 257 bytes total > Feb 24 09:17:58 www sendmail[5476]: starting daemon (8.11.6): SMTP > Feb 24 09:17:58 www sendmail[5476]: NOQUEUE: SYSERR(root): > opendaemonsocket: > daemon MTA: cannot bind: Address already in use > Feb 24 09:17:58 www sendmail[5476]: daemon MTA: problem creating SMTP > socket > Feb 24 09:17:58 www sendmail[5482]: starting daemon (8.11.6): > queueing@00:15:00 > Feb 24 09:18:03 www sendmail[5476]: NOQUEUE: SYSERR(root): > opendaemonsocket: > daemon MTA: cannot bind: Address already in use > Feb 24 09:18:03 www sendmail[5476]: daemon MTA: problem creating SMTP > socket > Feb 24 09:18:08 www sendmail[5476]: NOQUEUE: SYSERR(root): > opendaemonsocket: > daemon MTA: cannot bind: Address already in use > Feb 24 09:18:08 www sendmail[5476]: daemon MTA: problem creating SMTP > socket > Feb 24 09:18:13 www sendmail[5476]: NOQUEUE: SYSERR(root): > opendaemonsocket: > daemon MTA: cannot bind: Address already in use > Feb 24 09:18:13 www sendmail[5476]: daemon MTA: problem creating SMTP > > Two errors > > one finding updates for clamav. Check to see if /usr/local/bin/freshclam exists and is executable > > two problem creating smtp socket > This is caused by an instance of sendmail running before you start MailScanner. 
If you're on a Linux System (you don't say what OS you're running)

Stop MailScanner:
    service MailScanner stop
Stop sendmail:
    service sendmail stop
Make sure that sendmail is NOT started on boot:
    chkconfig --del sendmail
Make sure that MailScanner starts on boot:
    chkconfig --level 345 MailScanner on
Start MailScanner:
    service MailScanner start

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> I followed the install instructions for a Raq550 without any problems.
> The load on the CPU and memory is light
>
> If you can see anything wrong in the log above and suggest a fix I would
> appreciate it
>
> Regards
>
> Graham
> graham@celestineweb.com
> --
> Open WebMail Project (http://openwebmail.org)
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com

From dot at DOTAT.AT Tue Feb 24 14:24:16 2004 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:41 2006 Subject: the "ins" and "outs" of McAfee with MailScanner In-Reply-To: References: Message-ID: Denis Beauchemin wrote: > >How about the daily DAT file? (see http://vil.nai.com/vil/virus-4d.asp) I don't use them because there appear to be some QA concerns. >since Mydoom has caught us off guard (McAfee left us unprotected for the >first 7 hours of the Mydoom strike)... Since then I installed manually >2 extra.dat (Netsky and Mydoom.f) but I feel uneasy about this manual >process (I have to react quickly to every AVERT notification and I also >have to remember to delete those extra.dat when they are no longer >needed). My current setup looks like this: lrwxrwxrwx 1 root root 26 Aug 6 2003 clean.dat -> datfiles/current/clean.dat drwxr-xr-x 3 system system 4096 Feb 24 14:10 datfiles/ -rw-r--r-- 1 root root 466306 Aug 6 2003 e4240upg.pdf lrwxrwxrwx 1 root root 26 Feb 17 14:07 extra.dat -> datfiles/current/extra.dat lrwxrwxrwx 1 root root 29 Aug 6 2003 internet.dat -> datfiles/current/internet.dat -rw-r--r-- 1 root root 2645568 May 22 2003 libbsdfv.so.4 -rw-r--r-- 1 root root 2593332 Aug 6 2003 liblnxfv.so.4 -rw-r--r-- 1 root root 1056 Aug 6 2003 license.dat -rw-r--r-- 1 root root 37721 Aug 6 2003 messages.dat -rwxr-xr-x 1 root root 246 May 22 2003 mklinks* lrwxrwxrwx 1 root root 26 Aug 6 2003 names.dat -> datfiles/current/names.dat lrwxrwxrwx 1 root root 25 Aug 6 2003 scan.dat -> datfiles/current/scan.dat -rwxr-xr-x 1 root root 126711 Aug 6 2003 uvscan* -rwxr-xr-x 1 root root 4224 Aug 22 2003 uvscan-update* -rw-r--r-- 1 root root 13385 Aug 6 2003 uvscan.1 The extra.dat symlink usually points to a missing file, which uvscan is quite happy with. I just drop the extra.dat file into /opt/uvscan/datfiles/current/ and it is automatically deleted when the next proper dat file update occurs. 
You can set this up manually, or you can apply the following patch to uvscan-update, stop MailScanner, blow away your datfiles directory, run uvscan-update, and then restart MailScanner. --- uvscan-update 23 Sep 2003 14:52:53 -0000 1.39 +++ uvscan-update 24 Feb 2004 14:21:39 -0000 @@ -221,7 +221,7 @@ # do remaining part of initial setup case $INIT in -yes) for file in *.dat +yes) for file in *.dat extra.dat do run rm -f $PREFIX/$file run ln -s $SUBDIR/$file $PREFIX/$file Tony. -- f.a.n.finch http://dotat.at/ BISCAY: EASTERLY OR NORTHEASTERLY 5 TO 7, BECOMING VARIABLE 4 FOR A TIME IN NORTH. OCCASIONAL RAIN. GOOD OCCASIONALLY MODERATE. From HancockS at MORGANCO.COM Tue Feb 24 14:55:37 2004 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:22:41 2006 Subject: Would stripping HTML before calling SA help? Message-ID: <3EA1A302A4978A4C970D2C63F327156E02406D5A@worc-mail2.int.morganco.com> >However adding some extra rules to pick up this kind of thing will. > >PLEASE DON'T forward spam or spam content to the list look what >happens.... Wow, well that is just what I wanted to happen in the first place. Are such rules shared on a website some where? I'm going to track down the SA list now. Thanks Scott From mailscanner at ecs.soton.ac.uk Tue Feb 24 14:59:27 2004 
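Review bot: in the uvscan-update hunk at line 221 (the yes) branch of case $INIT), the new list "*.dat extra.dat" visits extra.dat twice whenever that file is already present where the glob is expanded, and nothing in the loop says why a name the glob may not match is listed explicitly. The rm -f followed by ln -s makes the second pass harmless, but a one-line comment stating that the explicit name is there so the extra.dat link is created even when no such file exists yet (a deliberately dangling link, which the accompanying message says uvscan tolerates) would save the next reader from working that out.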
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:41 2006 Subject: Custom SpamAssassin rulesets on the FAQ In-Reply-To: <3EA1A302A4978A4C970D2C63F327156E02406D5A@worc-mail2.int.morganco.com> References: <3EA1A302A4978A4C970D2C63F327156E02406D5A@worc-mail2.int.morganco.com> Message-ID: <6.0.1.1.2.20040224145520.03d20088@imap.ecs.soton.ac.uk> If there isn't already a list on the FAQ of where to get extra rules from, please could someone add one? http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm http://mywebpages.comcast.net/mkettler/sa/antidrug.cf I'm sure there are others as well. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Tue Feb 24 15:14:25 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:41 2006 Subject: Custom SpamAssassin rulesets on the FAQ In-Reply-To: <6.0.1.1.2.20040224145520.03d20088@imap.ecs.soton.ac.uk> Message-ID: Hi! > If there isn't already a list on the FAQ of where to get extra rules from, > please could someone add one? > > http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm > http://mywebpages.comcast.net/mkettler/sa/antidrug.cf > > I'm sure there are others as well. The wiki page has been very helpful for me, but that's listed in the gorilla pages also: http://www.exit0.us/index.php bye, Raymond. From mikes at HARTWELLCORP.COM Tue Feb 24 15:20:09 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:41 2006 Subject: Training SA Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CB2@hart-exchange.hartwellcorp.com> >>> Michael St. Laurent wrote: >>> Okay, I've got the feedback mechanism in place for training the Bayes >>> engine. Now for a few proceedural questions. ;-D >>> >>> I have MailScanner set to add the {Spam?} tag to the Subject line and >>> to make the original message an attachment. Will either of these >>> throw >>> >>> off the training process? Is the sa-learn program able to extract >>> the original message from the attachment and does it know that it >>> should do so? >>> >>> >> So what do you do when the silly users put all thier spam in the good >> folder and thier ham in the junk folder an you have automatically >> already run the sa-leanr stuff on it? >> >> This would certainly be a frequent occurance if we implemented >> this...how do you handle it? >> > The whole reason we havent used any manual bayes already is because we > dont want to create extra work, which i think could cause us. > You make them clean the dust out of their machine with a straw and > then you run sa-learn against the offending messages with the --forget > option. ;-) > > If this is a likely occurrence, give the spamchecker user only read > access (at least for a while) and manually check the folders for > obvious mistakes. You could even create a 'Forget me' public folder, > folderdump those messages in a separate directory and run sa-learn > --forget against them as part of the cron job. > > Ultimately the whole point of feedback is that you assume that your > users know better than your filter. If this is not the case, then > don't give them access to feedback. Thank you both. Now, back to the original question please... -- Michael St. Laurent Hartwell Corporation From mailscanner at ecs.soton.ac.uk Tue Feb 24 15:19:47 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:41 2006 Subject: Training SA In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CB2@hart-exchange.har twellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56CB2@hart-exchange.hartwellcorp.com> Message-ID: <6.0.1.1.2.20040224151831.07145e20@imap.ecs.soton.ac.uk> At 15:20 24/02/2004, you wrote: > >>> Michael St. Laurent wrote: > >>> I have MailScanner set to add the {Spam?} tag to the Subject line and > >>> to make the original message an attachment. Will either of these > >>> throw > >>> off the training process? Yes. > Is the sa-learn program able to extract > >>> the original message from the attachment No, > and does it know that it > >>> should do so? No. > >> So what do you do when the silly users put all thier spam in the good > >> folder and thier ham in the junk folder an you have automatically > >> already run the sa-leanr stuff on it? Somehow fire it at sa-learn --forget. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mikes at HARTWELLCORP.COM Tue Feb 24 15:42:05 2004 From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:41 2006 Subject: Training SA Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CB3@hart-exchange.hartwellcorp.com> Julian Field wrote: > At 15:20 24/02/2004, you wrote: >>>>> Michael St. Laurent wrote: >>>>> I have MailScanner set to add the {Spam?} tag to the Subject line >>>>> and to make the original message an attachment. Will either of >>>>> these throw off the training process? > > Yes. > Okay then. I guess I need to turn off the feature that puts the original spam message into an attachment. Is the modification of the Subject line Okay or will that also screw up the engine? -- Michael St. Laurent Hartwell Corporation From Kevin.Spicer at BMRB.CO.UK Tue Feb 24 15:00:58 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:41 2006 Subject: Would stripping HTML before calling SA help? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AB9@pascal.priv.bmrb.co.uk> Hancock, Scott wrote: > >However adding some extra rules to pick up this kind of thing will. > > >PLEASE DON'T forward spam or spam content to the list look what > >happens.... > > Wow, well that is just what I wanted to happen in the first place. > > Are such rules shared on a website some where? > http://www.emtinc.net/spamhammers.htm and http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Denis.Beauchemin at USHERBROOKE.CA Tue Feb 24 13:59:05 2004 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:22:41 2006 Subject: Emailing quarantined emails In-Reply-To: References: Message-ID: <1077631145.3911.45.camel@dbeauchemin.sti.usherbrooke.ca> On Tue 24/02/2004 at 03:01, Jan-Peter Koopmann wrote: > > which whitelists everything with that email address as > > someone already pointed out ... But I agree I should have > > replied to the message you replied to ;-) > > BTW: Why not use two rules > > From: postmaster@yourdomain.com and 
From: 127.0.0.1 ? > > That would make it much more secure. 127.0.0.1 alone is not a solution > for people using stunnel for SSMTP e.g. :-) > > Regards, > JP Thanks a lot! I hadn't thought about this new feature. Guess I will have to upgrade my servers. Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mkettler at EVI-INC.COM Tue Feb 24 15:59:54 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:41 2006 Subject: Custom SpamAssassin rulesets on the FAQ In-Reply-To: <6.0.1.1.2.20040224145520.03d20088@imap.ecs.soton.ac.uk> References: <3EA1A302A4978A4C970D2C63F327156E02406D5A@worc-mail2.int.morganco.com> <6.0.1.1.2.20040224145520.03d20088@imap.ecs.soton.ac.uk> Message-ID: <6.0.0.22.0.20040224105903.025a9ed8@xanadu.evi-inc.com> At 09:59 AM 2/24/2004, Julian Field wrote: >If there isn't already a list on the FAQ of where to get extra rules from, >please could someone add one? > >http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm >http://mywebpages.comcast.net/mkettler/sa/antidrug.cf > >I'm sure there are others as well. >-- >Julian Field The SpamAssassin wiki (which is now the official and permanent replacement for the old FAQ) has a listing: http://wiki.spamassassin.org/w/CustomRulesets From mailscanner at ecs.soton.ac.uk Tue Feb 24 15:50:38 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:41 2006 Subject: Training SA In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CB3@hart-exchange.har twellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56CB3@hart-exchange.hartwellcorp.com> Message-ID: <6.0.1.1.2.20040224155004.07146840@imap.ecs.soton.ac.uk> At 15:42 24/02/2004, you wrote: >Julian Field wrote: > > At 15:20 24/02/2004, you wrote: > >>>>> Michael St. Laurent wrote: > >>>>> I have MailScanner set to add the {Spam?} tag to the Subject line > >>>>> and to make the original message an attachment. Will either of > >>>>> these throw off the training process? > > > > Yes. > > > >Okay then. I guess I need to turn off the feature that puts the original >spam message into an attachment. > >Is the modification of the Subject line Okay or will that also screw up the >engine? There's an option you can put into spam.assassin.prefs.conf that tells SA to ignore particular headers when learning mail. Read "man Mail::SpamAssassin::Conf" to find it. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dh at UPTIME.AT Tue Feb 24 16:14:56 2004 
From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:22:41 2006 Subject: Question about ruleset for Filename and Filetype. Message-ID: <403B7880.7040507@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello all. Currently Filename Rules and Filetype Rules are set to %etc-dir%/filename.rules.conf respectively %etc-dir%/filetype.rules.conf Unfortunately we seem to have a customer that needs to send mpeg using Mail. I do not wish to allow this for the whole of the MailScanner installation. so if I put %rules-dir%/filename.rules instead of the above and %rules-dir%/filetype.rules with something like blah.com no default yes would that work and turn off filetype checks as well as filename checks for that domain ? or is it possible to use something like blah.com %etc-fdir/their.rules default %etc-fir%/main rule ? Thank you, I am more than happy if you simply point me to the right ressources - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAO3iEPMoaMn4kKR4RA+QWAJ9JxqcxEaoZf5GchBalCe55abfXdQCfV+zf AUUVLNZ3z7/k1ksi9egG1Ow= =rgrd -----END PGP SIGNATURE----- From mikes at HARTWELLCORP.COM Tue Feb 24 16:19:57 2004 From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:41 2006 Subject: Training SA Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CB6@hart-exchange.hartwellcorp.com> >> Okay then. I guess I need to turn off the feature that puts the >> original spam message into an attachment. >> >> Is the modification of the Subject line Okay or will that also screw >> up the engine? > > There's an option you can put into spam.assassin.prefs.conf that > tells SA to ignore particular headers when learning mail. Read "man > Mail::SpamAssassin::Conf" to find it. Got it, thanks Julian. :-D -- Michael St. Laurent Hartwell Corporation From anders.andersson at LTKALMAR.SE Tue Feb 24 16:21:35 2004 
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:22:41 2006
Subject: OT: Strange behavior from selfsending mail viruses?
Message-ID: <0B646CB9C2952C46B0E819F6C42DA5DB19E89E@lkl61.ltkalmar.se>

Hi

Either I'm totally wrong or just missed this information if it's been
discussed before.
I've had my primary MX server down for almost 2 weeks and I noticed that the
viruses coming in have gone down by at least 80%. The only reason I can see
is that selfsending viruses only try to deliver their contaminated mail to
the primary MX record and not the second MX.
Has anybody seen this as well or have I just been lucky the last 2 weeks?

/Anders

From craig at WESTPRESS.COM Tue Feb 24 16:30:09 2004
From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:41 2006 Subject: OT: Strange behavior from selfsending mail viruses? In-Reply-To: <0B646CB9C2952C46B0E819F6C42DA5DB19E89E@lkl61.ltkalmar.se> References: <0B646CB9C2952C46B0E819F6C42DA5DB19E89E@lkl61.ltkalmar.se> Message-ID: I cannot really say. I seem to get a lot of spam through our secondary MX which is co-located at the facility who provides our T1. If it comes to our primary which is housed in-house, they hit MailScanner/SpamAssassin/ClamAV etc., and are thus blocked. However, secondary has no such config and somehow spammers know to try this MX first. >Hi >Either Im totally wrong or just missed this information if its been >discussed before. >Ive had my primary MX server down for almost 2 weeks and I noticed that the >viruses coming in has gone down with at least 80%. The only reason I can see >is that selfsending viruses only try to deliver their contaminated mail to >the primary MX record and not the second MX. >Has anybody seen this as well or have I just been lucky the last 2 weeks > >/Anders -- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From arringtp at MUSC.EDU Tue Feb 24 16:36:40 2004 
From: arringtp at MUSC.EDU (Paul Arrington) Date: Thu Jan 12 21:22:41 2006 Subject: the "ins" and "outs" of McAfee with MailScanner In-Reply-To: <403ADD01.7070002@fractalweb.com> Message-ID: <200402241636.i1OGafha013786@flopsy.musc.edu> (On my Red Hat install) #-----Original Message----- #From: MailScanner mailing list #[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Yuzik #Sent: Tuesday, February 24, 2004 12:11 AM #To: MAILSCANNER@JISCMAIL.AC.UK #Subject: [MAILSCANNER] the "ins" and "outs" of McAfee with MailScanner # #Hi everyone, # #I'm running the 30-day evaluation copy of McAfee antivirus on #my linux server with MailScanner. Previously, I was only #running ClamAV, but for now, I'm running both. # #Although I'm quite familiar with ClamAV, I'm somewhat of a #noob when it comes to McAfee. I have a few questions: #1) How often does MailScanner check the NAI site for new DAT #files? I couldn't seem to find anything on this. By default, hourly. (/etc/cron.hourly/update_virus_scanners) The direct mcafee update script is in /usr/lib/MailScanner/mcafee-autoupdate #2) Is there a log file anywhere that I can look at to see when #the DAT files are updated? Not by default, but it would be easy to add to either of the above scripts. #3) I understand that there are DAT files, extra DAT files, and #super-extra DAT files? Does MailScanner update these too? Or #do I have to do these manually? They are manual. I don't usually put them in automatically due to their beta status. From Denis.Beauchemin at USHERBROOKE.CA Tue Feb 24 16:44:33 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:41 2006
Subject: New feature request
Message-ID: <1077641073.3911.79.camel@dbeauchemin.sti.usherbrooke.ca>

Hello again,

I was wondering if it would be possible for MS to look into archives
(mainly ZIP files) to block (remove/quarantine) enclosed files that
would normally be blocked by file(name|type).rules.conf?

I know this would require more processing but the recent viruses all use
ZIP files and I wouldn't want to block them all because I don't believe
my AV will always detect them before they strike.

Maybe there could also be a setting to block password-protected
archives? People are so naive that they will open a password-protected
zip file if they know the sender...

Would there be interest for this?

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mikes at HARTWELLCORP.COM Tue Feb 24 16:54:50 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:41 2006
Subject: How to completely clear the Bayes database
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CB7@hart-exchange.hartwellcorp.com>

Let's say that I've hosed my Bayes database and since I'm just getting
started anyway I would like to dump everything and start fresh. How would I
do that? I've been trying unsuccessfully to locate the database files.

--
Michael St. Laurent
Hartwell Corporation

From mkipness at GENIANT.COM Tue Feb 24 16:54:31 2004
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:22:41 2006
Subject: Queued messages
Message-ID: <399D85F2BB50BC4295F78EAE203D5C222181A1@dalsxc01.geniant.net>

Hope this isn't too off topic. It does have to do with MailScanner.

I'm relaying several email domains to several servers and have extended
the 4 hour and 4 day warning and bounce back times in sendmail to 2 weeks.
This is due to a client that is going through weekend power outages at the
moment.

I now have roughly 2000 emails in the queue, 95% of them have <> as the
sender. This is also due to the fact that I am sending spam warning messages
to senders, and must do this for false-positives.

I was thinking of creating a script that parses the results of mailq and
deletes every email with <> as the sender on a daily basis.

Any thoughts on this? Pros and cons? Has anyone done this? Or is there
anything in MailScanner that helps with this?

Thanks,
Max

From martinh at SOLID-STATE-LOGIC.COM Tue Feb 24 16:59:11 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:41 2006
Subject: How to completely clear the Bayes database
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CB7@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56CB7@hart-exchange.hartwellcorp.com>
Message-ID: <403B82DF.5030605@solid-state-logic.com>

Michael

the bayes DB location should be found in spam.assassin.prefs.conf in the
same directory as MailScanner.conf

A way to check these is to run spamassassin in debug mode and check the
config, this will show you the location of where it's trying to open any
bayes DB...

spamassassin -C /location/to/spam.assassin.prefs.conf -D --lint

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Michael St. Laurent wrote:
> Let's say that I've hosed my Bayes database and since I'm just getting
> started anyway I would like to dump everything and start fresh. How would I
> do that? I've been trying unsuccessfully to locate the database files.
>
> --
> Michael St. Laurent
> Hartwell Corporation

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at ecs.soton.ac.uk Tue Feb 24 17:01:34 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:41 2006
Subject: Question about ruleset for Filename and Filetype.
In-Reply-To: <403B7880.7040507@uptime.at>
References: <403B7880.7040507@uptime.at>
Message-ID: <6.0.1.1.2.20040224170036.03835b38@imap.ecs.soton.ac.uk>

At 16:14 24/02/2004, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>Hello all.
>
>Currently Filename Rules and Filetype Rules are set to
>
>%etc-dir%/filename.rules.conf
>respectively
>%etc-dir%/filetype.rules.conf
>
>Unfortunately we seem to have a customer that needs to send mpeg using
>Mail. I do not wish to allow this for the whole of the MailScanner
>installation.
>
>so if I put
>
> %rules-dir%/filename.rules instead of the above and
>%rules-dir%/filetype.rules with something like
>
>blah.com no
>default yes
>
>would that work and turn off filetype checks as well as filename checks
>for that domain ?

No.

>or is it possible to use something like
>
>blah.com %etc-fdir/their.rules
>default %etc-fir%/main rule ?

You forgot the "From" or "To" or "FromOrTo" off the front of each line, but
otherwise that's right.

>Thank you, I am more than happy if you simply point me to the right
>resources
>
>
>- -d
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.3 (Darwin)
>
>iD8DBQFAO3iEPMoaMn4kKR4RA+QWAJ9JxqcxEaoZf5GchBalCe55abfXdQCfV+zf
>AUUVLNZ3z7/k1ksi9egG1Ow=
>=rgrd
>-----END PGP SIGNATURE-----

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Feb 24 17:04:33 2004
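[Added example, not part of the original posts and not MailScanner's own code: a small checker for the ruleset form the exchange above settles on (direction keyword, address pattern, rules file to use). The function names are hypothetical, and first-match evaluation, the optional colon and a bare domain matching any address at that domain are simplifying assumptions about how MailScanner reads rulesets.]

```python
import fnmatch

# Direction keywords named in the reply; a trailing colon is accepted (assumption).
DIRECTIONS = {"from", "to", "fromorto"}

# Constructed sample: the second form from the question, with a direction added.
WITH_DIRECTION = """\
# customer that needs to mail mpeg files
From:     blah.com   %etc-dir%/their.rules
FromOrTo: default    %etc-dir%/filename.rules.conf
"""

# Constructed sample: the same two lines without a direction keyword.
WITHOUT_DIRECTION = """\
blah.com   %etc-dir%/their.rules
default    %etc-dir%/filename.rules.conf
"""


def parse_ruleset(text):
    """Return (rules, errors); rules are (direction, pattern, value) tuples."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 2)
        direction = fields[0].rstrip(":").lower()
        if direction not in DIRECTIONS:
            errors.append((lineno, "line does not start with From/To/FromOrTo"))
            continue
        if len(fields) < 3:
            errors.append((lineno, "expected: direction pattern value"))
            continue
        rules.append((direction, fields[1].lower(), fields[2].strip()))
    return rules, errors


def _matches(pattern, address):
    """'default' matches everything; a bare domain is treated as *@domain."""
    if pattern == "default":
        return True
    if "@" not in pattern:
        pattern = "*@" + pattern
    return fnmatch.fnmatchcase(address.lower(), pattern)


def rules_file_for(rules, sender, recipient):
    """Walk the rules top-down and return the value of the first match."""
    for direction, pattern, value in rules:
        from_hit = _matches(pattern, sender)
        to_hit = _matches(pattern, recipient)
        hit = {
            "from": from_hit,
            "to": to_hit,
            "fromorto": from_hit or to_hit,
        }[direction]
        if hit:
            return value
    # No rule matched: report it rather than silently picking a rules file.
    return None


if __name__ == "__main__":
    rules, errors = parse_ruleset(WITH_DIRECTION)
    print("errors:", errors)
    print("from customer:", rules_file_for(rules, "customer@blah.com", "user@example.org"))
    print("to customer:  ", rules_file_for(rules, "user@example.org", "customer@blah.com"))
    print("no direction: ", parse_ruleset(WITHOUT_DIRECTION)[1])
```

[With `From:` the exception applies only to mail sent by the customer's domain; mail addressed to that domain still falls through to the default rules file.]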
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:41 2006 Subject: How to completely clear the Bayes database In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CB7@hart-exchange.har twellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56CB7@hart-exchange.hartwellcorp.com> Message-ID: <6.0.1.1.2.20040224170353.03cbd370@imap.ecs.soton.ac.uk> At 16:54 24/02/2004, you wrote: >Let's say that I've hosed my Bayes database and since I'm just getting >started anyway I would like to dump everything and start fresh. How would I >do that? I've been trying unsucessfully to locate the database files. Off the home directory of whatever user MailScanner is running as, look for a .spamassassin directory. Hose the bayes* files in there. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From HancockS at MORGANCO.COM Tue Feb 24 17:11:13 2004 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:22:41 2006 Subject: Custom SpamAssassin rulesets on the FAQ Message-ID: <3EA1A302A4978A4C970D2C63F327156E02406D5B@worc-mail2.int.morganco.com> It's the least I could do for asking the question and getting an answer. If its there already, I will assign myself 30 lashes. Scott > >If there isn't already a list on the FAQ of where to get extra rules from, >please could someone add one? > >http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm >http://mywebpages.comcast.net/mkettler/sa/antidrug.cf > >I'm sure there are others as well. >-- >Julian Field From mkettler at EVI-INC.COM Tue Feb 24 17:15:10 2004 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:41 2006
Subject: How to completely clear the Bayes database
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CB7@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56CB7@hart-exchange.hartwellcorp.com>
Message-ID: <6.0.0.22.0.20040224120535.02599218@xanadu.evi-inc.com>

At 11:54 AM 2/24/2004, Michael St. Laurent wrote:
>Let's say that I've hosed my Bayes database and since I'm just getting
>started anyway I would like to dump everything and start fresh. How would I
>do that? I've been trying unsuccessfully to locate the database files.

There are 3 files you need to locate:

bayes_journal
bayes_seen
bayes_toks

Where they are will depend on your "SpamAssassin User State Dir" setting in
mailscanner.conf. If the setting is blank, it's going to be in the home
directory of whatever user SA runs as.

When you find those files, you can reset the bayes database by deleting
them with

rm -f bayes_*

(rm -f is the method Theo recommends on the SpamAssassin list when people
ask)

From rzewnickie at RFA.ORG Tue Feb 24 17:18:52 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:41 2006 Subject: SNMP server down since installing mailscanner In-Reply-To: <20040224143007.F203E21C150@mail.fsl.com> References: <20040224120349.M70312@celestineweb.com> <20040224143007.F203E21C150@mail.fsl.com> Message-ID: <20040224171852.GA1846@rfa.org> On Tue, Feb 24, 2004 at 09:28:03AM -0500, Stephen Swaney wrote: > > This is caused by an instance of sendmail running before you start > MailScanner. If you're on a Linux System (you don't say what OS you're > running) > > Stop MailScanner: > > service MailScanner stop > > Stop sendmail: > > service sendmail stop > > make sure that sendmail is NOT started on boot: > > chkconfig --del sendmail > > Make sure that MailScanner starts on boot: > > chkconfig --level 345 MailScanner on > > Start MailScanner: > > service MailScanner start I see instructions like this posted here often and just wanted to point out that these are specific to MailScanner when installed via rpm on redhat/fedora (and possibly other rpm based distros.) These are not valid for MailScanner on all Linux installs, i.e. installs done from the tarballs or debian packages. -Eric Rz. From mailscanner at ecs.soton.ac.uk Tue Feb 24 17:31:08 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:41 2006 Subject: SNMP server down since installing mailscanner In-Reply-To: <20040224171852.GA1846@rfa.org> References: <20040224120349.M70312@celestineweb.com> <20040224143007.F203E21C150@mail.fsl.com> <20040224171852.GA1846@rfa.org> Message-ID: <6.0.1.1.2.20040224172953.03ab09a8@imap.ecs.soton.ac.uk> At 17:18 24/02/2004, you wrote: >On Tue, Feb 24, 2004 at 09:28:03AM -0500, Stephen Swaney wrote: > > > > This is caused by an instance of sendmail running before you start > > MailScanner. If you're on a Linux System (you don't say what OS you're > > running) > > > > Stop MailScanner: > > > > service MailScanner stop > > > > Stop sendmail: > > > > service sendmail stop > > > > make sure that sendmail is NOT started on boot: > > > > chkconfig --del sendmail > > > > Make sure that MailScanner starts on boot: > > > > chkconfig --level 345 MailScanner on > > > > Start MailScanner: > > > > service MailScanner start > >I see instructions like this posted here often and just wanted to point >out that these are specific to MailScanner when installed via rpm on >redhat/fedora (and possibly other rpm based distros.) These are not >valid for MailScanner on all Linux installs, i.e. installs done from the >tarballs or debian packages. Correct, however I am sure you can work out how to translate them into the relevant commands for your distribution. You are all system admins, after all. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jclark at SKIDMORE.EDU Tue Feb 24 17:53:33 2004 
From: jclark at SKIDMORE.EDU (jclark) Date: Thu Jan 12 21:22:42 2006 Subject: '@' symbol in "stored.xxxxx.message.txt" files In-Reply-To: <6.0.1.1.2.20040224101644.0361d308@imap.ecs.soton.ac.uk> References: <6.0.2.0.0.20040220162813.026fcc28@mail.enhtech.com> <40367E47.6060201@pacific.net> <6.0.2.0.0.20040220170302.026ec7f8@mail.enhtech.com> <6.0.1.1.2.20040223140901.0388e1a0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040223141318.03edc5b8@imap.ecs.soton.ac.uk> <5392B908-6631-11D8-B941-0003937E94EA@skidmore.edu> <6.0.1.1.2.20040224093640.03d138a8@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040224101644.0361d308@imap.ecs.soton.ac.uk> Message-ID: <5D320346-66F2-11D8-9B31-0003937E94EA@skidmore.edu> I did not apply the first patch, but the second patch provided fixed the problem. The '@' symbol appears. I didn't escape it with the \@, and it displays the whole line perfectly. Thank you, thank you, THANK YOU! Jeff Clark On Feb 24, 2004, at 5:17 AM, Julian Field wrote: > Oops, screw up in previous version of patch. Try this one instead. > > At 09:44 24/02/2004, you wrote: >> This sounds like a Perl bug if it is producing different results on >> different platforms, OSs and versions. >> I'll rewrite the code so it is phrased differently. >> >> Please can you try this patch to Message.pm. >> >> At 18:51 23/02/2004, you wrote: >>> I am getting the behaviour regardless of which I do. Whether I escape >>> it or not (this was in my previous submissions to this list) the line >>> does not print. >>> >>> Jeff Clark >>> On Feb 23, 2004, at 9:14 AM, Julian Field wrote: >>> >>>> At 14:09 23/02/2004, you wrote: >>>>> At 13:55 23/02/2004, you wrote: >>>>>> Third request of hopefully a simple question to this list: >>>>>> >>>>>> We are running sendmail Version 8.11.7+Sun on a Solaris 8 V880, >>>>>> MailScanner-4.25-14. and perl, v5.6.1 built for sun4-solaris. >>>>>> >>>>>> I am trying to include an e-mail address in the body of the >>>>>> "stored.virus.message.txt" and "stored.filename.message.txt". 
>>>>>> >>>>>> When I include the '@' symbol in the text line, the whole line >>>>>> does >>>>>> not >>>>>> print. Any ideas? How do I print the '@' symbol in the files? >>>>> >>>>> The quick workaround is to use >>>>> \@ >>>>> instead of >>>>> @ >>>>> >>>>> But I'm going to take a look at the code as it should already do >>>>> this >>>>> substitution for you. >>>> >>>> I have just found that a line containing no backslash works fine, >>>> while a >>>> line with a backslash doesn't print, which is understandable. So if >>>> I >>>> put >>>> in an email address like >>>> helpdesk@ecs.soton.ac.uk >>>> it works fine. >>>> >>>> Are you getting the reverse behaviour? >>>> -- >>>> Julian Field >>>> www.MailScanner.info >>>> MailScanner thanks transtec Computers for their support >>>> >>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> -- >>> Jeffrey A. Clark >>> Associate Director, CITS >>> Director, Enterprise Systems >>> Skidmore College >>> 815 North Broadway >>> Saratoga Springs, NY 12866-1632 >>> (518) 580-5929 >>> E-mail: jclark@skidmore.edu >> >> >> -- >> Julian Field >> www.MailScanner.info >> MailScanner thanks transtec Computers for their support >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Jeffrey A. Clark Associate Director, CITS Director, Enterprise Systems Skidmore College 815 North Broadway Saratoga Springs, NY 12866-1632 (518) 580-5929 E-mail: jclark@skidmore.edu From graham at CELESTINEWEB.COM Tue Feb 24 17:26:29 2004 
From: graham at CELESTINEWEB.COM (Graham Scanlan) Date: Thu Jan 12 21:22:42 2006 Subject: SNMP server down since installing mailscanner In-Reply-To: <6.0.1.1.2.20040224172953.03ab09a8@imap.ecs.soton.ac.uk> References: <20040224120349.M70312@celestineweb.com> <20040224143007.F203E21C150@mail.fsl.com> <20040224171852.GA1846@rfa.org> <6.0.1.1.2.20040224172953.03ab09a8@imap.ecs.soton.ac.uk> Message-ID: <20040224172629.M58315@celestineweb.com> On Tue, 24 Feb 2004 17:31:08 +0000, Julian Field wrote > At 17:18 24/02/2004, you wrote: > >On Tue, Feb 24, 2004 at 09:28:03AM -0500, Stephen Swaney wrote: > > > > > > This is caused by an instance of sendmail running before you start > > > MailScanner. If you're on a Linux System (you don't say what OS you're > > > running) > > > > > > Stop MailScanner: > > > > > > service MailScanner stop > > > > > > Stop sendmail: > > > > > > service sendmail stop > > > > > > make sure that sendmail is NOT started on boot: > > > > > > chkconfig --del sendmail > > > > > > Make sure that MailScanner starts on boot: > > > > > > chkconfig --level 345 MailScanner on > > > > > > Start MailScanner: > > > > > > service MailScanner start > > > >I see instructions like this posted here often and just wanted to point > >out that these are specific to MailScanner when installed via rpm on > >redhat/fedora (and possibly other rpm based distros.) These are not > >valid for MailScanner on all Linux installs, i.e. installs done from the > >tarballs or debian packages. > > Correct, however I am sure you can work out how to translate them > into the relevant commands for your distribution. You are all system > admins, after all. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Yes you are right Julian, I should have said however that this is a cobalt raq550 that uses a modified redhat dist. 
With info from the raq4 how to I could do the above however the problem I have got is that my system does not recognise 'chkconfig'. I am logged in as root and forgive me if this is obviouse but my experience of linux is based on teaching myself. Regards Graham -- Open WebMail Project (http://openwebmail.org) From ugob at CAMO-ROUTE.COM Tue Feb 24 18:33:48 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:42 2006 Subject: SNMP server down since installing mailscanner Message-ID: <54C38A0B814C8E438EF73FC76F36292741092F@mtlnt501fs.CAMOROUTE.COM> > > Yes you are right Julian, I should have said however that > this is a cobalt > raq550 that uses a modified redhat dist. > With info from the raq4 how to I could do the above however > the problem I > have got is that my system does not recognise 'chkconfig'. chkconfig is simply a command that edits the links in /etc/rcX.d, X being the desired runlevel. If you are comfortable with that you can edit it yourself. What I usually use is ntsysv, but I don't know if it is available on your raq. hth Ugo > I am logged in as root and forgive me if this is obviouse but > my experience > of linux is based on teaching myself. > > Regards > > Graham > > > > -- > Open WebMail Project (http://openwebmail.org) > From brett at PROSOLUTIONSINC.COM Tue Feb 24 18:32:08 2004 
From: brett at PROSOLUTIONSINC.COM (Brett Z)
Date: Thu Jan 12 21:22:42 2006
Subject: queue growing
Message-ID:

hey all:

ok i am new to this forum so if i don't post right let me know. on to the
question well asi stand for nearly a month with no problems well last
Thursday i was messing with snmp and after that the queue started growing
now so far i ran it in debug and it was flying through it so it did not seem
to get hung up on anything the maillog shows no errors however now with the
queue growing the processors run like 100% all the time i shutdown the snmp
service but still did not help does any one have any suggestions.

thanks all
brett

From dnsadmin at 1BIGTHINK.COM Tue Feb 24 18:54:15 2004
From: dnsadmin at 1BIGTHINK.COM (DNSAdmin)
Date: Thu Jan 12 21:22:42 2006
Subject: SNMP server down since installing mailscanner
In-Reply-To: <54C38A0B814C8E438EF73FC76F36292741092F@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <5.2.1.1.0.20040224135333.04aad828@mail.1bigthink.com>

At 01:33 PM 2/24/2004 -0500, you wrote:
> >
> > Yes you are right Julian, I should have said however that
> > this is a cobalt
> > raq550 that uses a modified redhat dist.
> > With info from the raq4 how to I could do the above however
> > the problem I
> > have got is that my system does not recognise 'chkconfig'.
>
>chkconfig is simply a command that edits the links in /etc/rcX.d, X being
>the desired runlevel.
>
>If you are comfortable with that you can edit it yourself.
>
>What I usually use is ntsysv, but I don't know if it is available on your raq.
>
>hth
>Ugo

I have chkconfig on my RaQ3 and RaQ4. /usr/sbin/chkconfig.

Glenn

From robv at DISASTER.COM Tue Feb 24 19:26:08 2004
From: robv at DISASTER.COM (Vicchiullo, Rob)
Date: Thu Jan 12 21:22:42 2006
Subject: Addition?
Message-ID: <8BD06A60242B4341B8919A4AC958C1D018178A@busted.dandd.com>

http://yro.slashdot.org/article.pl?sid=04/02/24/0025219&mode=nested

From klowery at whi.wts.edu Tue Feb 24 19:24:58 2004
From: klowery at whi.wts.edu (Kirk Lowery) Date: Thu Jan 12 21:22:42 2006 Subject: resend quarantined whole message with exim? Message-ID: <403BA50A.20305@whi.wts.edu> I'm running a Debian sarge box with MailScanner and Exim4. If I want to deliver a file that was quarantined by MailScanner as a whole message (header plus message), how would I do this using exim4? TIA! Kirk -- Theorie ist, wenn man alles weiss und nichts klappt. Praxis ist, wenn alles klappt und keiner weiss warum. Bei uns sind Theorie und Praxis vereint: nichts klappt und keiner weiss warum! From michele at BLACKNIGHTSOLUTIONS.COM Tue Feb 24 19:49:20 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:42 2006 Subject: Addition? In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D018178A@busted.dandd.com> Message-ID: It would be nice to cut out more of the junk and still deliver the *real* email Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Vicchiullo, Rob > Sent: 24 February 2004 19:26 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] Addition? > > > http://yro.slashdot.org/article.pl?sid=04/02/24/0025219&mode=nested > From spamtrap71892316634 at ANIME.NET Tue Feb 24 20:04:06 2004 
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:22:42 2006
Subject: Dspam
In-Reply-To:
Message-ID:

On Tue, 24 Feb 2004, Tony Johansson wrote:
> Has anyone had look at DSpam?
> See http://www.nuclearelephant.com/projects/dspam
> The author seems to write off SpamAssassin as a filter totally (see
> http://www.nuclearelephant.com/projects/dspam/faq.html#1.7 ) and perl
> implementations in general
> any thoughts on that?

A bit overly aggressive on the claims. Most of it is 'mostly true', though
exaggerated.

But it looks like 'just another bayes' to me, and lately spammers have
gotten pretty good at defeating statistical filtering. :-(

The most effective single method I can think of at this point is resolving
URLs in the body of spams, and if they resolve to China, Korea, Brazil or
Russia -- bin them. That should be pretty hard to circumvent since doing
so would mean spammers would have to give up their
'offshore-bullet-proof-hosting', and I don't think they want to do that.

-Dan

From spamtrap71892316634 at ANIME.NET Tue Feb 24 20:05:46 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:22:42 2006
Subject: Dspam
In-Reply-To:
Message-ID:

On Tue, 24 Feb 2004, Samuel Luxford-Watts wrote:
> It would be great to have this work with mailscanner. SpamAssassin seems to
> work well for me but if there is a better engine out there for filtering
> spam then I would love to be able to use that with MS.

Looks like 'just another bayes' to me. The usefulness of statistical
filtering is reduced these days due to poisoning attacks by spammers :-(

These attacks affect mailscanner too, when combined with spamassassin and
bayes. dspam certainly would do no better.

-Dan

From HancockS at MORGANCO.COM Tue Feb 24 20:06:13 2004
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:22:42 2006
Subject: Custom SA rule FAQ addition.
Message-ID: <3EA1A302A4978A4C970D2C63F327156E02406D5C@worc-mail2.int.morganco.com>

I hope this helps. I will update per suggestions.

Where to find, contribute, and install custom SA rule sets.

http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?file=275

Thanks again to all who answered.

Scott

From Denis.Beauchemin at USHERBROOKE.CA Tue Feb 24 20:06:41 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:42 2006
Subject: Is this possible?
Message-ID: <1077653201.3911.97.camel@dbeauchemin.sti.usherbrooke.ca>

Hi,

We are about to retire a mail server and would like all messages coming
from there to be modified by MS to display a warning message to the
recipients before the real email (something like: this server will be
shut down on DATE, please migrate to the new server ASAP).

I thought about using "Non Spam Actions" but there is no "attachment"
action available. Besides I would also need a different report for non
spam...

Any ideas on how to do something like this?

Thanks!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From craig at WESTPRESS.COM Tue Feb 24 20:10:07 2004
From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:42 2006 Subject: Dspam In-Reply-To: References: Message-ID: >The most effective single method I can think of at this point is resolving >URLs in the body of spams, and if they resolve to china, korea, brazil or >russia -- bin them. That should be pretty hard to circumvent since doing >so would mean spammers would have to give up their >'offshore-bullet-proof-hosting', and I dont think they want to do that. > >-Dan Is this possible? -- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From michele at BLACKNIGHTSOLUTIONS.COM Tue Feb 24 20:12:06 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:42 2006 Subject: Custom SA rule FAQ addition. In-Reply-To: <3EA1A302A4978A4C970D2C63F327156E02406D5C@worc-mail2.int.morganco.com> Message-ID: I would add http://mailscanner.prolocation.net Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Hancock, Scott > Sent: 24 February 2004 20:06 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] Custom SA rule FAQ addition. > > > I hope this helps. I will update per suggestions. > > > Where to find, contribute, and install custom SA rule sets. > > http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?file=275 > > > Thanks again to all who answered. > > Scott > From raymond at PROLOCATION.NET Tue Feb 24 20:19:12 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:42 2006
Subject: Custom SA rule FAQ addition.
In-Reply-To:
Message-ID:

Hi!

> I would add http://mailscanner.prolocation.net

Thanks :)

I will also add some new rulesets there soon. Have been testing with the
antidrugs rules and they seem to help a lot on my end.

So expect those to pop up in a script there also.

Bye,
Raymond.

From michele at BLACKNIGHTSOLUTIONS.COM Tue Feb 24 20:19:26 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:42 2006
Subject: Dspam
In-Reply-To:
Message-ID:

> > Is this possible?

Resolving hostnames to offshore hosts sounds like a very complex process.

I tested one of the "logo design" spams yesterday. The URL in the email
pointed to site A/somedirectory/?somequerystring

So I tried to access site A without all the "extras" - dead site.

Feeling adventurous I tried the URL - it launches an automatic redirect to
another hostname which is _not_ mentioned anywhere in the SPAM email.

So you have three problems (in my rather simplistic view)

- 1 Source IP - almost impossible to forge, but could be anywhere in the
  world
- 2 Source address/domain/hostname - meaningless
- 3 URLs in the text/body of the email
- 4 The *real* hostnames that 3 refers to

1 - is easy enough to track/block
2 - is meaningless
3 - awkward. Reverse IP lookups on each one???? Sounds painful
4 - unless you follow the URL in 3 you have no way of knowing what it is

From steve.swaney at FSL.COM Tue Feb 24 20:43:01 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:42 2006
Subject: Is this possible?
In-Reply-To: <1077653201.3911.97.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <20040224204504.CDB1621C13D@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Denis Beauchemin
> Sent: Tuesday, February 24, 2004 3:07 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Is this possible?
>
> Hi,
>
> We are about to retire a mail server and would like all messages coming
> from there to be modified by MS to display a warning message to the
> recipients before the real email (something like: this server will be
> shut down on DATE, please migrate to the new server ASAP).
>
> I thought about using "Non Spam Actions" but there is no "attachment"
> action available. Besides I would also need a different report for non
> spam...
>
> Any ideas on how to do something like this?
>

Why don't you modify the "Inline HTML Signature" and "Inline Text Signature"
signatures to contain your message?

Then set:

Sign Clean Messages = yes

Of course this pre-supposes that your outgoing email is processed by the
gateway.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> Thanks!
>
> Denis
> --
> Denis Beauchemin, analyst
> Université de Sherbrooke, S.T.I.
> T: 819.821.8000x2252 F: 819.821.8045
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and
dangerous content by Fortress Secure Mail Gateway and was found to be clean.

Fortress Systems Ltd. - http://www.fsl.com
From craig at WESTPRESS.COM Tue Feb 24 20:51:41 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:42 2006
Subject: Custom SA rule FAQ addition.
In-Reply-To:
References:
Message-ID:

> > I would add http://mailscanner.prolocation.net
>
>Thanks :)
>
>I will also add some new rulesets there soon. Have been testing with the
>antidrugs rules and they seem to help a lot on my end.
>
>So expect those to pop up in a script there also.
>
>Bye,
>Raymond.

Okay, I had been using the update scripts found at
http://mailscanner.prolocation.net for a while, until I found this one,
"Rules Du Jour" at http://www.exit0.us/index.php/RulesDuJour. This is one
script that updates many custom rules, comes configured to grab the latest
of a bunch, and makes it easy to add more. It's worth a look. I'm using it
now. It is very similar to the update scripts above, just been written to
do a little more....
--
--
Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433
Tel: 520-624-4939
Fax: 520-624-2715
www.westpress.com
--
From steve.swaney at FSL.COM Tue Feb 24 20:50:50 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:42 2006
Subject: Custom SA rule FAQ addition.
In-Reply-To:
Message-ID: <20040224205253.4C85321C13D@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Raymond Dijkxhoorn
> Sent: Tuesday, February 24, 2004 3:19 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Custom SA rule FAQ addition.
>
> Hi!
>
> > I would add http://mailscanner.prolocation.net
>
> Thanks :)
>
> I will also add some new rulesets there soon. Have been testing with the
> antidrugs rules and they seem to help a lot on my end.
>
> So expect those to pop up in a script there also.
>

Probably should also add "rules_du_jour"

A very nicely crafted script. It can be run from cron and downloads all or
your choice of:

BIGEVIL TRIPWIRE POPCORN BACKHAIR WEEDS1 WEEDS2 CHICKENPOX ANTIDRUG
EVILNUMBERS

Available at:
http://sandgnat.com/cmos/rules_du_jour

Requires only minor modifications to work perfectly with MailScanner.

Steve
Fortress Systems Ltd.
steve.swaney@fsl.com

> Bye,
> Raymond.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and
dangerous content by Fortress Secure Mail Gateway and was found to be clean.

Fortress Systems Ltd. - http://www.fsl.com
From craig at WESTPRESS.COM Tue Feb 24 20:54:37 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:42 2006
Subject: Custom SA rule FAQ addition.
In-Reply-To:
References:
Message-ID:

Doh! Then I check the FAQ and see it's the second listed site there. And I
thought I had something.... :(
--
--
Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433
Tel: 520-624-4939
Fax: 520-624-2715
www.westpress.com
--
From HancockS at MORGANCO.COM Tue Feb 24 21:10:54 2004
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:22:42 2006
Subject: Custom SA rule FAQ addition.
Message-ID: <3EA1A302A4978A4C970D2C63F327156E02406D5D@worc-mail2.int.morganco.com>

>
>Available at:
>http://sandgnat.com/cmos/rules_du_jour
>
>Requires only minor modifications to work perfectly with MailScanner.
>
>Steve
>Fortress Systems Ltd.
>steve.swaney@fsl.com
>

Care to contribute the minor mods?

I've just used the script. I did get the rule downloaded; however, the
rules are not being called with MailScanner.

I see Julian (in another post) suggests adding custom rules to
spam.assassin.prefs.conf. If I add them here without scoring
adjustments, will the scoring in the cf file be used?

It seems this script is aimed at SA config files only. The addition is
not being made and I don't understand how the rules are supposed to be
incorporated into SA. I expected to see them in a local.cf file but
they are neither in /etc/spamassassin/local.cf nor
/etc/mail/spamassassin/local.cf.

Thanks

Scott
From drew at THEMARSHALLS.CO.UK Tue Feb 24 21:20:11 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:42 2006
Subject: Custom SA rule FAQ addition.
In-Reply-To: <3EA1A302A4978A4C970D2C63F327156E02406D5D@worc-mail2.int.morganco.com>
References: <3EA1A302A4978A4C970D2C63F327156E02406D5D@worc-mail2.int.morganco.com>
Message-ID: <403BC00B.8070205@themarshalls.co.uk>

Skipped content of type multipart/alternative
-------------- next part --------------
#!/usr/local/bin/bash

# Version 1.08a
#   Added an option "SINGLE_EMAIL_ONLY" to send a single email only (instead of one per "event") (Thanks, Andrew Ott!).
#   Fixed SA_RESTART redirect to dev/null.
#   (1.08a: Fixed "line continuation" bug in RDJ update notification)

## This file updates SpamAssassin RuleSet files from the internet.
##
## It is important that you *only* automatically update
## RuleSet files from people that you trust and that you
## *TEST* this.
##
## Note: When running this script interactively, debug mode is enabled to allow you to view the results.

# Usage instructions:
# 1) Choose rulesets to update (TRUSTED_RULESETS below)
# 2) Configure Local SpamAssassin settings (SA_DIR, MAIL_ADDRESS, SA_RESTART below)
# 3) Run this script periodically (manually or crontab)
# 3a) To run manually, first make it executable (chmod +x rules_du_jour) then execute (./rules_du_jour)
# 3b) To run via cron, edit your cron (crontab -e) and add a line such as this:
#        28 1 * * * /root/bin/rules_du_jour
#     The crontab line above runs /root/bin/rules_du_jour at 1:28AM every day. (choose a different time, please)
#     Make sure the user whose crontab you are editing has permission to write files to the SA config dir.

# Choose Rulesets from this list:
# BIGEVIL TRIPWIRE POPCORN BACKHAIR WEEDS1 WEEDS2 CHICKENPOX ANTIDRUG EVILNUMBERS

# IMPORTANT: Edit this line to choose which RuleSets to update
[ "${TRUSTED_RULESETS}" ] || \
    TRUSTED_RULESETS="BIGEVIL TRIPWIRE BACKHAIR WEEDS2 CHICKENPOX ANTIDRUG EVILNUMBERS";

#### Local SpamAssassin/system Settings ####
#### Modify these to match your system. ####
[ "${SA_DIR}" ] || SA_DIR="/etc/mail/spamassassin";    # Change this to your SA local config
                                                       # directory, probably /etc/mail/spamassassin.
                                                       # For amavisd chrooted, this may be:
                                                       # /var/amavisd/etc/mail/spamassassin

[ "${MAIL_ADDRESS}" ] || MAIL_ADDRESS="root";          # Where do Email notifications go

[ "${SINGLE_EMAIL_ONLY}" ] || \
    SINGLE_EMAIL_ONLY="true";                          # Set this to "true" to send only one notification
                                                       # email per RDJ run with "interesting"
                                                       # activity. Set to "" to send a separate email
                                                       # for each interesting activity.

[ "${SA_LINT}" ] || SA_LINT="spamassassin --lint";     # Command used to lint the rules

[ "${SA_RESTART}" ] || \
    SA_RESTART="/usr/local/etc/rc.d/mailscanner.sh restart";    # Command used to restart spamd
                                                       # May be /etc/rc.d/init.d/spamassassin restart
                                                       # For amavisd, may be /etc/init.d/amavisd restart

[ "${PERL}" ] || PERL="perl";                          # Location of the perl program
[ "${GREP}" ] || GREP="grep";                          # Location of the grep program
                                                       # (solaris users may want to point this to gnu grep)

# DEBUG="true";                                        # Uncomment this to force debug mode on (or use -D)

#### End Local SpamAssassin Settings ####

TMPDIR="${SA_DIR}/RulesDuJour";                        # Where we store old rulesets. If you delete
                                                       # this directory, RuleSets may be detected as
                                                       # out of date the next time you run rules_du_jour.

RDJ_URL="http://sandgnat.com/rdj/rules_du_jour";       # URL to update this script

#### CF Files information ####
# These are bash Array Variables ("man bash" for more information)
[ ${CF_URLS} ] || declare -a CF_URLS;                  # Array that contains URLs of the files.
[ ${CF_FILES} ] || declare -a CF_FILES;                # Local name of the CF file; eg: bigevil.cf
[ ${CF_NAMES} ] || declare -a CF_NAMES;                # Happy Name of CF file; eg: "Big Evil"
[ ${PARSE_NEW_VER_SCRIPTS} ] || \
    declare -a PARSE_NEW_VER_SCRIPTS;                  # Command to run on the file to retrieve new version info
[ ${CF_MUNGE_SCRIPTS} ] || declare -a CF_MUNGE_SCRIPTS;    # This (optionally) modifies the file; eg: lower scores

#########################################
#### Begin Rules File Registry       ####
#########################################
# If you add more RuleSets to your own registry, please contribute the settings to the www.exit0.us wiki
# http://www.exit0.us/index.php/RulesDuJourRuleSets

#### Here are settings for Tripwire. ####
TRIPWIRE=0;        # Index of Tripwire data into the arrays is 0
CF_URLS[0]="http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf";
CF_FILES[0]="tripwire.cf";
CF_NAMES[0]="TripWire";
PARSE_NEW_VER_SCRIPTS[0]="${PERL} -ne 'print if /^\s*#.*(vers?|version|rev|revision)[:\.\s]*[0-9]/i;' | sort | tail -1";
# CF_MUNGE_SCRIPTS[0]="nothing necessary for this ruleset.";

#### Here are settings for Big Evil. ####
BIGEVIL=1;         # Index of Big Evil is 1
CF_URLS[1]="http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf";
CF_FILES[1]="bigevil.cf";
CF_NAMES[1]="Big Evil";
PARSE_NEW_VER_SCRIPTS[1]="head -1";
# CF_MUNGE_SCRIPTS[1]="nothing necessary for this ruleset.";

#### Here are settings for Popcorn. ####
# Note that as of 2004/01/21 popcorn is now included in the Backhair ruleset (below)
POPCORN=2;         # Index of Popcorn is 2
CF_URLS[2]="http://www.emtinc.net/includes/popcorn.cf";
CF_FILES[2]="popcorn.cf";
CF_NAMES[2]="Jennifer's Popcorn";
PARSE_NEW_VER_SCRIPTS[2]="${PERL} -ne 'print if /^\s*#.*(vers?|version|rev|revision)[:\.\s]*[0-9]/i;' | sort | tail -1";
# CF_MUNGE_SCRIPTS[2]="nothing for this ruleset.";

#### Here are settings for Backhair. ####
BACKHAIR=3;        # Index of Backhair is 3
CF_URLS[3]="http://www.emtinc.net/includes/backhair.cf";
CF_FILES[3]="backhair.cf";
CF_NAMES[3]="Jennifer's Backhair";    # ;-)
PARSE_NEW_VER_SCRIPTS[3]="${PERL} -ne 'print if /^\s*#.*(vers?|version|rev|revision)[:\.\s]*[0-9]/i;' | sort | tail -1";
# CF_MUNGE_SCRIPTS[3]="nothing for this ruleset.";

#### Here are settings for Weeds 1. Do not install both weeds sets at the same time. ####
WEEDS1=4;          # Index of Weeds Set 1 is 4
CF_URLS[4]="http://www.emtinc.net/includes/weeds.cf";
CF_FILES[4]="weeds.cf";
CF_NAMES[4]="Jennifer's Weeds Set (1)";
PARSE_NEW_VER_SCRIPTS[4]="${PERL} -ne 'print if /^\s*#.*(vers?|version|rev|revision)[:\.\s]*[0-9]/i;' | sort | tail -1";
# CF_MUNGE_SCRIPTS[4]="nothing for this ruleset.";

#### Here are settings for Weeds 2. Do not install both weeds sets at the same time. ####
WEEDS2=5;          # Index of Weeds Set 2 is 5
CF_URLS[5]="http://www.emtinc.net/includes/weeds_2.cf";
CF_FILES[5]="weeds.cf";
CF_NAMES[5]="Jennifer's Weeds Set (2)";
PARSE_NEW_VER_SCRIPTS[5]="${PERL} -ne 'print if /^\s*#.*(vers?|version|rev|revision)[:\.\s]*[0-9]/i;' | sort | tail -1";
# CF_MUNGE_SCRIPTS[5]="nothing for this ruleset.";

#### Here are settings for ChickenPox. ####
CHICKENPOX=6;      # Index of ChickenPox is 6
CF_URLS[6]="http://www.emtinc.net/includes/chickenpox.cf";
CF_FILES[6]="chickenpox.cf";
CF_NAMES[6]="Jennifer's ChickenPox";
PARSE_NEW_VER_SCRIPTS[6]="${PERL} -ne 'print if /^\s*#.*(vers?|version|rev|revision)[:\.\s]*[0-9]/i;' | sort | tail -1";
# CF_MUNGE_SCRIPTS[6]="nothing for this ruleset.";

#### Here are settings for AntiDrug. ####
ANTIDRUG=7;        # Index of antidrug is 7
CF_URLS[7]="http://mywebpages.comcast.net/mkettler/sa/antidrug.cf"
CF_FILES[7]="antidrug.cf";
CF_NAMES[7]="Matt Kettler's AntiDrug";
PARSE_NEW_VER_SCRIPTS[7]="${PERL} -ne 'print if /^\s*#.*(vers?|version|rev|revision)[:\.\s]*[0-9]/i;' | sort | tail -1";
# CF_MUNGE_SCRIPTS[7]="nothing for this ruleset.";

#### Here are settings for evilnumber ####
EVILNUMBERS=8;     # Index of evilnumbers data into the arrays is 8
CF_URLS[8]="http://www.merchantsoverseas.com/wwwroot/gorilla/evilnumbers.cf";
CF_FILES[8]="evilnumbers.cf";
CF_NAMES[8]="EvilNumber";
PARSE_NEW_VER_SCRIPTS[8]="${PERL} -ne 'print if /^\s*#.*(vers?|version|rev|revision)[:\.\s]*[0-9]/i;' | sort | tail -1";
# CF_MUNGE_SCRIPTS[8]="nothing for this ruleset.";

#### Here are settings for sa-blacklist ####
BLACKLIST=9;       # Index of sa-blacklist data into the arrays is 9
CF_URLS[9]="http://www.stearns.org/sa-blacklist/sa-blacklist.current";
CF_FILES[9]="blacklist.cf";
CF_NAMES[9]="William Stearn's sa-blacklist";
PARSE_NEW_VER_SCRIPTS[9]="grep -i '^#.*sa-blacklist: 200' | sort | tail -1";
# CF_MUNGE_SCRIPTS[9]="nothing for this ruleset.";

#### Here are settings for sa-blacklist-uri ####
BLACKLIST_URI=10;  # Index of sa-blacklist-uri data into the arrays is 10
CF_URLS[10]="http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf";
CF_FILES[10]="blacklist-uri.cf";
CF_NAMES[10]="William Stearn's URI blacklist";
PARSE_NEW_VER_SCRIPTS[10]="grep -i '^#.*sa-blacklist.uri: 200' | sort | tail -1";
# CF_MUNGE_SCRIPTS[10]="nothing for this ruleset.";

#########################################
#### End Rules File Registry         ####
#########################################

# Do not update beyond this line unless you know what you are doing.

#########################################
#### Begin rules update code         ####
#########################################

# if invoked with -D, enable DEBUG here.
[ "$1" = "-D" ] && DEBUG="true";

# if running interactively, enable DEBUG here.
[ -t 0 ] && DEBUG="true";

# If we're not running interactively, add a random delay here. This should
# help reduce spikes on the servers hosting the rulesets (Thanks, Bob)
MAXDELAY=3600;
DELAY=0;
[ ! -t 0 ] && [ ${MAXDELAY} -gt 0 ] && let DELAY="${RANDOM} % ${MAXDELAY}";
[ "${DEBUG}" ] && [ ${DELAY} -gt 0 ] && echo "Probably running from cron... sleeping for a random interval (${DELAY} seconds)";
[ ${DELAY} -gt 0 ] && sleep ${DELAY};

# Save old working dir
OLDDIR=`pwd`;

# This variable is used to indicate if we should restart spamd. Currently empty (false).
RESTART_REQUIRED="";

# This variable is used to indicate if we should send an email notification when all is said and done.
# It is toggled on whenever an "interesting" event happens (404, rule updated, etc)
QUEUE_SINGLE_EMAIL="";

# The beginnings of an email and/or debug summary text
MESSAGES="RulesDuJour Run Summary on `hostname`:";

[ ! -e ${TMPDIR} ] && mkdir ${TMPDIR};
cd ${TMPDIR};

[ ! "${DONT_CHECK_FOR_RDJ_UPDATES}" ] && {
    if [ -f ${TMPDIR}/rules_du_jour ] ; then
        wget -N ${RDJ_URL} > ${TMPDIR}/wget.log 2>&1;
        ${GREP} 'saved' ${TMPDIR}/wget.log > /dev/null;
        DOWNLOADED=$?;
        [ ${DOWNLOADED} = 0 ] && {
            NEWVER=`grep "^# Version" ${TMPDIR}/rules_du_jour`;
            MSG_RDJ_UPDATED="Rules Du Jour has an update available. New version is ${NEWVER} and was downloaded to ${TMPDIR}/rules_du_jour";
            [ "${SINGLE_EMAIL_ONLY}" ] && QUEUE_SINGLE_EMAIL="true" || echo "${MSG_RDJ_UPDATED}" | \
                mail -s "RulesDuJour/`hostname`: new Rules Du Jour version available." ${MAIL_ADDRESS};
            MESSAGES="${MESSAGES}\n${MSG_RDJ_UPDATED}";
        }
    else
        wget -N ${RDJ_URL} > ${TMPDIR}/wget.log 2>&1;
    fi
}

for RULESET_NAME in ${TRUSTED_RULESETS} ; do
    # Set up some array variables
    INDEX=${!RULESET_NAME};
    CF_URL=${CF_URLS[${INDEX}]};
    CF_FILE=${CF_FILES[${INDEX}]};
    CF_NAME=${CF_NAMES[${INDEX}]};
    PARSE_NEW_VER_SCRIPT=${PARSE_NEW_VER_SCRIPTS[${INDEX}]};
    CF_MUNGE_SCRIPT=${CF_MUNGE_SCRIPTS[${INDEX}]};

    # Get the filename the author chose.
    CF_BASENAME=`basename ${CF_URL}`;

    DATE=`date +"%Y%m%d-%H%M"`

    if [ "${DEBUG}" ] ; then
        # Dump the variables to stdout
        echo "";
        echo "------ ${RULESET_NAME} ------";
        echo "RULESET_NAME=${RULESET_NAME}";
        echo "INDEX=${INDEX}";
        echo "CF_URL=${CF_URL}";
        echo "CF_FILE=${CF_FILE}";
        echo "CF_NAME=${CF_NAME}";
        echo "PARSE_NEW_VER_SCRIPT=${PARSE_NEW_VER_SCRIPT}";
        echo "CF_MUNGE_SCRIPT=${CF_MUNGE_SCRIPT}";
    fi

    [ "${DEBUG}" ] && [ -f ${TMPDIR}/${CF_BASENAME} ] && echo "Old ${CF_BASENAME} already existed in ${TMPDIR}...";
    [ "${DEBUG}" ] && [ ! -f ${TMPDIR}/${CF_BASENAME} ] && \
        [ ! -f ${SA_DIR}/${CF_FILE} ] && echo "This is the first time downloading ${CF_BASENAME}...";
    [ "${DEBUG}" ] && [ ! -f ${TMPDIR}/${CF_BASENAME} ] && [ -f ${SA_DIR}/${CF_FILE} ] && \
        echo "Copying from ${SA_DIR}/${CF_FILE} to ${TMPDIR}/${CF_BASENAME}...";
    [ ! -f ${TMPDIR}/${CF_BASENAME} ] && [ -f ${SA_DIR}/${CF_FILE} ] && \
        cp ${SA_DIR}/${CF_FILE} ${TMPDIR}/${CF_BASENAME} && \
        touch -r ${SA_DIR}/${CF_FILE} ${TMPDIR}/${CF_BASENAME};

    [ "${DEBUG}" ] && echo "Retrieving file from ${CF_URL}...";

    # send wget output to a temp file for grepping
    wget -N ${CF_URL} > ${TMPDIR}/wget.log 2>&1;
    ${GREP} 'saved' ${TMPDIR}/wget.log > /dev/null;
    DOWNLOADED=$?;
    ${GREP} 'ERROR 4[0-9][0-9]' ${TMPDIR}/wget.log > /dev/null;
    WAS404=$?;
    ${GREP} -i 'failed: ' ${TMPDIR}/wget.log > /dev/null;
    FAILED=$?;

    [ ! ${DOWNLOADED} = 0 ] && DOWNLOADED=;    # Unset DOWNLOADED if the file was already current
    [ ! ${WAS404} = 0 ] && WAS404=;            # Unset WAS404 if the file didn't return 404.
    [ ! ${FAILED} = 0 ] && FAILED=;            # Unset FAILED if wget succeeded

    # Append these errors to a variable to be mailed to the admin (later in script)
    [ "${FAILED}" ] && RULES_THAT_404ED="${RULES_THAT_404ED}\n${CF_NAME} had an unknown error:\n`cat ${TMPDIR}/wget.log`";
    [ "${WAS404}" ] && RULES_THAT_404ED="${RULES_THAT_404ED}\n${CF_NAME} not found (404) at ${CF_URL}";

    [ "${DEBUG}" ] && [ ${WAS404} ] && echo "Got 404 from ${CF_NAME} (${CF_URL})...";
    [ "${DEBUG}" ] && [ ! ${WAS404} ] && ([ "${DOWNLOADED}" ] && \
        echo "New version downloaded..." || \
        echo "${CF_BASENAME} was up to date (skipped downloading of ${CF_URL})...");

    # If we downloaded a new version, or if we have the current version,
    # but it is not installed, copy or munge to CF_FILE.2
    if ([ "${DOWNLOADED}" ] || \
        ( [ ! -f ${SA_DIR}/${CF_FILE} ] && \
          [ -f ${TMPDIR}/${CF_BASENAME} ]) ) ; then
        if [ "${CF_MUNGE_SCRIPT}" ] ; then
            [ "${DEBUG}" ] && echo "Munging output using command: ${CF_MUNGE_SCRIPT}";
            sh -c "${CF_MUNGE_SCRIPT}" < ${TMPDIR}/${CF_BASENAME} > ${TMPDIR}/${CF_BASENAME}.2;
        else
            cp ${TMPDIR}/${CF_BASENAME} ${TMPDIR}/${CF_BASENAME}.2;
        fi
        # Set munged file to same timestamp as downloaded file...
        touch -r ${TMPDIR}/${CF_BASENAME} ${TMPDIR}/${CF_BASENAME}.2;
    fi

    # Update SA config dir if this is the first time we've seen the ruleset, or if the ruleset has changed.
    if ( [ -f ${TMPDIR}/${CF_BASENAME}.2 ] && \
         ( [ ! -f ${SA_DIR}/${CF_FILE} ] || \
           ! cmp -s ${TMPDIR}/${CF_BASENAME}.2 ${SA_DIR}/${CF_FILE} ) ); then

        [ "${DEBUG}" ] && [ ! -f ${SA_DIR}/${CF_FILE} ] && echo "Installing new ruleset from ${TMPDIR}/${CF_BASENAME}.2" ;
        [ "${DEBUG}" ] && [ -f ${SA_DIR}/${CF_FILE} ] && echo "Old version ${SA_DIR}/${CF_FILE} differs from new version ${TMPDIR}/${CF_BASENAME}.2" && echo "Backing up old version...";
        [ -f ${SA_DIR}/${CF_FILE} ] && mv -f ${SA_DIR}/${CF_FILE} ${TMPDIR}/${CF_FILE}.${DATE};

        # Save the command that can be used to undo this change, if rules won't --lint
        UNDO_COMMAND="${UNDO_COMMAND} mv -f ${SA_DIR}/${CF_FILE} ${TMPDIR}/${CF_BASENAME}.2;";
        [ -f ${TMPDIR}/${CF_FILE}.${DATE} ] && \
            UNDO_COMMAND="${UNDO_COMMAND} mv -f ${TMPDIR}/${CF_FILE}.${DATE} ${SA_DIR}/${CF_FILE};" || \
            UNDO_COMMAND="${UNDO_COMMAND} rm -f ${SA_DIR}/${CF_FILE};";

        [ "${DEBUG}" ] && [ -f ${TMPDIR}/${CF_BASENAME}.2 ] && echo "Installing new version...";
        [ -f ${TMPDIR}/${CF_BASENAME}.2 ] && mv -f ${TMPDIR}/${CF_BASENAME}.2 ${SA_DIR}/${CF_FILE};

        NEWVER=`sh -c "cat ${SA_DIR}/${CF_FILE} | ${PARSE_NEW_VER_SCRIPT}"`;
        MSG_CHANGED="${CF_NAME} has changed on `hostname`. The new ${CF_NAME} is ${NEWVER}.";
        MESSAGES="${MESSAGES}\n${MSG_CHANGED}";
        [ "${DEBUG}" ] && echo "${MSG_CHANGED}";
        [ "${SINGLE_EMAIL_ONLY}" ] && QUEUE_SINGLE_EMAIL="true" || \
            echo ${MSG_CHANGED} | mail -s "RulesDuJour/`hostname`: ${CF_NAME} RuleSet has been updated" ${MAIL_ADDRESS}
        RESTART_REQUIRED="true";
    fi
done

# Cleanup, lint, email admin if required, restart SA if required
[ -f ${TMPDIR}/wget.log ] && rm -f ${TMPDIR}/wget.log;

[ "${RULES_THAT_404ED}" ] && {
    MSG_404S="The following rules had 404 errors:${RULES_THAT_404ED}";
    [ "${SINGLE_EMAIL_ONLY}" ] && QUEUE_SINGLE_EMAIL="true" || \
        echo -e "${MSG_404S}" | mail -s "RulesDuJour/`hostname`: 404 errors" ${MAIL_ADDRESS};
    MESSAGES="${MESSAGES}\n\n${MSG_404S}";
}

[ "${RESTART_REQUIRED}" ] && {
    [ "${DEBUG}" ] && echo "Attempting to --lint the rules.";
    ${SA_LINT} > /dev/null 2>&1;
    LINTFAILED=$?;
    [ "${LINTFAILED}" = "0" ] && LINTFAILED=;    # Unset LINTFAILED if lint didn't fail.

    # Lint failed. Run the undo commands, send administrative notification
    if [ ${LINTFAILED} ] ; then
        WARNMSG="***WARNING***: ${SA_LINT} failed.\nRolling configuration files back, not restarting SpamAssassin.\nRollback command is: ${UNDO_COMMAND}";
        MESSAGES="${MESSAGES}\n\n${WARNMSG}";
        sh -c "${UNDO_COMMAND}" && RESTART_REQUIRED= ;
        [ "${SINGLE_EMAIL_ONLY}" ] && QUEUE_SINGLE_EMAIL="true" || \
            echo -e "${WARNMSG}" | mail -s "RulesDuJour/`hostname`: lint failed. Updates rolled back." ${MAIL_ADDRESS};
    else
        [ "${DEBUG}" ] && echo "Restarting SpamAssassin using: sh -c \"${SA_RESTART}\"";
        sh -c "${SA_RESTART}" > /dev/null 2>&1;
    fi
}

[ "${DEBUG}" ] && [ ! "${RESTART_REQUIRED}" ] && echo "No files updated; No restart required.";
[ "${DEBUG}" ] && echo -e "\n\n\n\n\nRules Du Jour Run Summary:${MESSAGES}";

# Send the single consolidated notification email here.
[ "${SINGLE_EMAIL_ONLY}" ] && [ "${QUEUE_SINGLE_EMAIL}" ] && \
    echo -e "${MESSAGES}" | mail -s "RulesDuJour Run Summary on `hostname`" ${MAIL_ADDRESS};

cd ${OLDDIR};
From pete at eatathome.com.au Tue Feb 24 21:25:29 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:42 2006
Subject: Custom SpamAssassin rulesets on the FAQ
In-Reply-To: <6.0.0.22.0.20040224105903.025a9ed8@xanadu.evi-inc.com>
References: <3EA1A302A4978A4C970D2C63F327156E02406D5A@worc-mail2.int.morganco.com> <6.0.1.1.2.20040224145520.03d20088@imap.ecs.soton.ac.uk> <6.0.0.22.0.20040224105903.025a9ed8@xanadu.evi-inc.com>
Message-ID: <403BC149.4080806@eatathome.com.au>

Matt Kettler wrote:

> At 09:59 AM 2/24/2004, Julian Field wrote:
>
>> If there isn't already a list on the FAQ of where to get extra rules
>> from,
>> please could someone add one?
>>
>> http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
>> http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
>>
>> I'm sure there are others as well.
>> --
>> Julian Field
>
>
> The SpamAssassin wiki (which is now the official and permanent
> replacement
> for the old FAQ) has a listing:
>
> http://wiki.spamassassin.org/w/CustomRulesets
>
>
>
I don't see it mentioned here much but I just used the rule_du_jour
script which updates about 5 custom rulesets, bigevil, chickenpox,
antidrug, backhair and another one - is there any reason not to use this
script with mailscanner? Seems to be working fine for me.
From pete at eatathome.com.au Tue Feb 24 21:26:25 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:42 2006
Subject: OT: Strange behavior from selfsending mail viruses?
In-Reply-To: <0B646CB9C2952C46B0E819F6C42DA5DB19E89E@lkl61.ltkalmar.se>
References: <0B646CB9C2952C46B0E819F6C42DA5DB19E89E@lkl61.ltkalmar.se>
Message-ID: <403BC181.6000401@eatathome.com.au>

Anders Andersson, IT wrote:

>Hi
>Either I'm totally wrong or just missed this information if it's been
>discussed before.
>I've had my primary MX server down for almost 2 weeks and I noticed that the
>viruses coming in has gone down with at least 80%. The only reason I can see
>is that selfsending viruses only try to deliver their contaminated mail to
>the primary MX record and not the second MX.
>Has anybody seen this as well or have I just been lucky the last 2 weeks
>
>/Anders
>
>
>
>
>
Nope, my second MX machine almost gets no legit mail and only spam or
viruses.
From Denis.Beauchemin at USHERBROOKE.CA Tue Feb 24 21:23:45 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:42 2006
Subject: Is this possible?
In-Reply-To: <20040224204504.CDB1621C13D@mail.fsl.com>
References: <20040224204504.CDB1621C13D@mail.fsl.com>
Message-ID: <1077657824.3911.103.camel@dbeauchemin.sti.usherbrooke.ca>

On Tue 24/02/2004 at 15:43, Stephen Swaney wrote:
> > -----Original Message-----
> >
> > Hi,
> >
> > We are about to retire a mail server and would like all messages coming
> > from there to be modified by MS to display a warning message to the
> > recipients before the real email (something like: this server will be
> > shut down on DATE, please migrate to the new server ASAP).
> >
> > I thought about using "Non Spam Actions" but there is no "attachment"
> > action available. Besides I would also need a different report for non
> > spam...
> >
> > Any ideas on how to do something like this?
> >
>
> Why don't you modify the "Inline HTML Signature" and "Inline Text Signature"
> signatures to contain your message.
>
> Then set:
>
> Sign Clean Messages = yes
>
> Of course this pre-supposes that your outgoing email is processed by the
> gateway.
>
> Steve
>

I've never used signatures before. I guess I could use a ruleset to
limit those signatures to my to-be-retired server's IP?

I would have preferred my message to be inserted before the original
message, but since signatures are already part of MS, I will give them a
try.

Thanks!

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
From steve.swaney at FSL.COM Tue Feb 24 21:34:55 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:42 2006
Subject: Custom SA rule FAQ addition.
In-Reply-To: <3EA1A302A4978A4C970D2C63F327156E02406D5D@worc-mail2.int.morganco.com>
Message-ID: <20040224213658.A7C1021C13D@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Hancock, Scott
> Sent: Tuesday, February 24, 2004 4:11 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Custom SA rule FAQ addition.
>
> >
> >Available at:
> >http://sandgnat.com/cmos/rules_du_jour
> >
> >Requires only minor modifications to work perfectly with MailScanner.
> >
> >Steve
> >Fortress Systems Ltd.
> >steve.swaney@fsl.com
> >
>
> Care to contribute the minor mods?

No problem. The lines to check and modify are:

[SKS] Select the SA rule sets you want to download:

# IMPORTANT: Edit this line to choose which RuleSets to update
[ "${TRUSTED_RULESETS}" ] || \
    TRUSTED_RULESETS="BIGEVIL TRIPWIRE BACKHAIR WEEDS2 CHICKENPOX ANTIDRUG EVILNUMBERS";

[SKS] Typically this is /etc/mail/spamassassin on a MailScanner System

#### Local SpamAssassin/system Settings ####
#### Modify these to match your system. ####
[ "${SA_DIR}" ] || SA_DIR="/etc/mail/spamassassin"; # Change this to your SA local config

[SKS] You'll probably want to set this to "true"

[ "${SINGLE_EMAIL_ONLY}" ] || \
    SINGLE_EMAIL_ONLY=""; # Set this to "true" to send only one notification

Place the script in cron.

[SKS] This needs changing for MailScanner.

[ "${SA_RESTART}" ] || \
    SA_RESTART="/etc/init.d/MailScanner reload"; # Command used to restart MailScanner

To be really tidy search for the lines containing:

    restarting SpamAssassin

and change to :)

    restarting MailScanner

Run the script from the command line before adding to a daily cron job.

Steve
Fortress Systems Ltd.
steve.swaney@fsl.com

>
> I've just used the script. I did get the rule downloaded; however, the
> rules are not being called with MailScanner.
>
> I see Julian (in another post) suggests adding custom rules to
> spam.assassin.prefs.conf. If I add them here without scoring
> adjustments, will the scoring in the cf file be used?
>
> It seems this script is aimed at SA config files only. The addition is
> not being made and I don't understand how the rules are supposed to be
> incorporated into SA. I expected to see them in a local.cf file but
> they are neither in /etc/spamassassin/local.cf nor
> /etc/mail/spamassassin/local.cf.
>
> Thanks
>
> Scott
>

--
This message has been scanned for viruses and
dangerous content by Fortress Secure Mail Gateway and was found to be clean.

Fortress Systems Ltd. - http://www.fsl.com
From pete at eatathome.com.au Tue Feb 24 21:43:42 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:42 2006
Subject: Is this possible?
In-Reply-To: <1077657824.3911.103.camel@dbeauchemin.sti.usherbrooke.ca>
References: <20040224204504.CDB1621C13D@mail.fsl.com> <1077657824.3911.103.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <403BC58E.8000001@eatathome.com.au>

Denis Beauchemin wrote:

>On Tue 24/02/2004 at 15:43, Stephen Swaney wrote:
>
>
>>>-----Original Message-----
>>>
>>>Hi,
>>>
>>>We are about to retire a mail server and would like all messages coming
>>>from there to be modified by MS to display a warning message to the
>>>recipients before the real email (something like: this server will be
>>>shut down on DATE, please migrate to the new server ASAP).
>>>
>>>I thought about using "Non Spam Actions" but there is no "attachment"
>>>action available. Besides I would also need a different report for non
>>>spam...
>>>
>>>Any ideas on how to do something like this?
>>>
>>>
>>>
>>Why don't you modify the "Inline HTML Signature" and "Inline Text Signature"
>>signatures to contain your message.
>>
>>Then set:
>>
>>Sign Clean Messages = yes
>>
>>Of course this pre-supposes that your outgoing email is processed by the
>>gateway.
>>
>>Steve
>>
>>
>>
>
>I've never used signatures before. I guess I could use a ruleset to
>limit those signatures to my to-be-retired server's IP?
>
>I would have preferred my message to be inserted before the original
>message, but since signatures are already part of MS, I will give them a
>try.
>
>Thanks!
>
>Denis
>
>
Some MTAs allow you to write on every message they process; Lotus Domino
certainly can.
From HancockS at MORGANCO.COM Tue Feb 24 21:45:38 2004
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:22:42 2006
Subject: Custom SA rule FAQ addition.
Message-ID: <3EA1A302A4978A4C970D2C63F327156E02406D5E@worc-mail2.int.morganco.com>

>[ "${SA_DIR}" ] || SA_DIR="/etc/mail/spamassassin"; # Change this to
>your SA local config
>

This was my problem. Both dirs existed on my system.

I changed from
SA_DIR="/etc/spamassassin"

To
SA_DIR="/etc/mail/spamassassin"

And I'm up and killing SPAM

http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?file=275 has been revised.
Please have a look again. I will be back tomorrow.

Thanks

Scott
From greyhair at GREYHAIR.NET Tue Feb 24 21:47:13 2004
From: greyhair at GREYHAIR.NET (greyhair)
Date: Thu Jan 12 21:22:42 2006
Subject: queue growing
In-Reply-To:
References:
Message-ID: <403BC661.9080502@greyhair.net>

Brett:

More info please. What OS, RAM, MailScanner version, etc. The more we
know the more we (Julian, et al.) can help.

-greyhair

Brett Z wrote:

>hey all:
>ok i am new to this form so if i don't post right let me know.
>on to the question well asi stand for nearly a month with no problems
>well last thursday i was messing with snmp and after that the queue started
>growing now so far i ran it in debug and it was flying through it so it
>did not seem to get hung up on anything the maillog shows no errors
>however now with the queue growing the processors run like 100% all the
>time i shutdown the snmp service but still did not help does any one have
>any suggestions.
>
>thanks all
>brett
>
>
>
>
From rrobin at GREENAPPLE.COM Tue Feb 24 21:48:37 2004
From: rrobin at GREENAPPLE.COM (Robin, Rob)
Date: Thu Jan 12 21:22:42 2006
Subject: Multiple Recipients
Message-ID:

Hello all,

From MailScanner.conf,

# When trying to work out the value of configuration parameters which are
# using a ruleset, this controls the behaviour when a rule is checking the
# "To:" addresses.
# If this option is set to "yes", then the following happens when checking
# the ruleset:
# a) 1 recipient. Same behaviour as normal.
# b) Several recipients, but all in the same domain (domain.com for example).
#    The rules are checked for one that matches the string "*@domain.com".
# c) Several recipients, not all in the same domain.
#    The rules are checked for one that matches the string "*@*".
#
# If this option is set to "no", then some rules will use the result they
# get from the first matching rule for any of the recipients of a message,
# so the exact value cannot be predicted for messages with more than 1
# recipient.
#
# This value *cannot* be the filename of a ruleset.

So, my interpretation on this is that when there are multiple
recipients (w/ different policy), you can't really create a true per-user
basis preference. Are there any ways I can make it so that we can create a
true per user preference in the 'multiple recipient' case ?

Thanks,
------------------------
Rob Robin
Network Analyst
Green Apple, Inc.
740-653-9890
rrobin@greenapple.com
www.greenapple.com
Internet access, hosting and development solutions since 1995.

From sysadmins at ENHTECH.COM Tue Feb 24 22:02:30 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:42 2006
Subject: Filename Ruleset.
Message-ID: <6.0.2.0.0.20040224170053.02717bb8@mail.enhtech.com>

Hi,

How do I create a ruleset to silently remove the attachments from an email
sent to a particular user that would not have normally been removed? I need
to strip a .wav file from an email because it's blowing up my blackberry!

Regards,
Errol Neal

From pete at eatathome.com.au Tue Feb 24 22:08:58 2004
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:42 2006 Subject: Upgrade Message-ID: <403BCB7A.2040703@eatathome.com.au> Hi there, i am going to upgrade my test mailscanner machine to lates SA, MS, clamav, mailwatch and mrtg and add dcc. I installed SA 2.60 from source, can i use CPAN to upgrade/install latest? or best to get source and 'install over the top' ? Which is going to be the best setup for the future, as oppose to which is the easier method of upgrading. Thanks Pete From kevins at BMRB.CO.UK Tue Feb 24 22:16:05 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:42 2006 Subject: Filename Ruleset. In-Reply-To: <6.0.2.0.0.20040224170053.02717bb8@mail.enhtech.com> References: <6.0.2.0.0.20040224170053.02717bb8@mail.enhtech.com> Message-ID: <1077660974.30535.6.camel@bach.kevinspicer.co.uk> On Tue, 2004-02-24 at 22:02, Admin Team wrote: > Hi, > > How do I create a ruleset to silently remove the attachments from an email > sent to a particular user that would not > have normally been removed? I need to strip a .wav file from an email > because its blowing up my blackberry! > Can't you just move it to a different folder with a rule in Outlook and set the blackberry not to sync that folder? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From steve.swaney at FSL.COM Tue Feb 24 22:17:14 2004 
From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:42 2006 Subject: Upgrade In-Reply-To: <403BCB7A.2040703@eatathome.com.au> Message-ID: <20040224221917.C683521C13D@mail.fsl.com> Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Pete > Sent: Tuesday, February 24, 2004 5:09 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Upgrade > > Hi there, i am going to upgrade my test mailscanner machine to lates SA, > MS, clamav, mailwatch and mrtg and add dcc. > > I installed SA 2.60 from source, can i use CPAN to upgrade/install > latest? or best to get source and 'install over the top' ? > > Which is going to be the best setup for the future, as oppose to which > is the easier method of upgrading. Get the tarball and install. It's the safest and not at all difficult. Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > Thanks > Pete > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From spamtrap71892316634 at ANIME.NET Tue Feb 24 22:28:22 2004 
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:22:42 2006
Subject: Dspam
In-Reply-To:
Message-ID:

On Tue, 24 Feb 2004, Michele Neylon :: Blacknight Solutions wrote:
> So you have three problems (in my rather simplistic view)
> - 1 Source IP - almost impossible to forge, but could be anywhere in the world
> - 2 Source address/domain/hostname - meaningless
> - 3 URLs in the text/body of the email -
> - 4 The *real* hostnames that 3 refers to
> 1 - is easy enough to track/block
> 2 - is meaningless
> 3 - awkward. Reverse IP lookups on each one???? Sounds painful
> 4 - unless you follow the URL in 3 you have no way of knowing what it is

Just because it's not perfect doesn't mean it's useless. It's certainly better
than a lot of the filtering techniques out there, and should be a lot more
effective.

Reverse lookups for #3? No. *forward* lookups.

Eg http://www.grblsndktqer.biz/ in the body of the spam resolves to an IP
in China. So you block it.

-Dan

From spamtrap71892316634 at ANIME.NET Tue Feb 24 22:28:48 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:22:42 2006
Subject: Dspam
In-Reply-To:
Message-ID:

On Tue, 24 Feb 2004, Craig Daters wrote:
> >The most effective single method I can think of at this point is resolving
> >URLs in the body of spams, and if they resolve to China, Korea, Brazil or
> >Russia -- bin them. That should be pretty hard to circumvent since doing
> >so would mean spammers would have to give up their
> >'offshore-bullet-proof-hosting', and I don't think they want to do that.
> Is this possible?

Yes, they are working on this for the next version of spamassassin.

-Dan

From sysadmins at ENHTECH.COM Tue Feb 24 22:29:22 2004
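The forward-lookup check described in the Dspam posts above, written out as an added Python example (not code from the list or from SpamAssassin): it pulls the hosts out of URLs in a message body, resolves them, and reports any that land in a refused address range. `BLOCKED_NETS`, the sample body and the sample DNS answers are constructed placeholders, and a CIDR list stands in for the country lookup the posts talk about.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed placeholders (RFC 5737 documentation ranges) standing in for
# whatever address space a site has decided to refuse.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.0/24")]


def body_hosts(body):
    """Distinct hostnames of http(s) URLs in a message body, in order seen."""
    hosts = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:!?)")  # drop sentence punctuation
        try:
            host = urlsplit(url).hostname  # ignores any user@ prefix
        except ValueError:  # e.g. unbalanced "[" in an IPv6 literal
            continue
        host = (host or "").rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def system_resolver(host):
    """Forward lookup through the local resolver; [] when it fails."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})


def check_body(body, resolver=system_resolver, blocked=BLOCKED_NETS):
    """Return (host, ip, network) for each URL host inside a blocked range."""
    hits = []
    for host in body_hosts(body):
        try:
            addrs = [str(ipaddress.ip_address(host))]  # URL used an IP literal
        except ValueError:
            addrs = resolver(host)  # unresolvable hosts give no verdict
        for addr in addrs:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue
            for net in blocked:
                if ip.version == net.version and ip in net:
                    hits.append((host, str(ip), str(net)))
    return hits


# Constructed sample message body and DNS answers, so the example runs offline.
SAMPLE_BODY = """Limited offer at http://www.grblsndktqer.biz/ today only.
Mirror: http://user@203.0.113.7/offer and https://www.example.org/about.
"""
SAMPLE_DNS = {
    "www.grblsndktqer.biz": ["192.0.2.55"],
    "www.example.org": ["198.51.100.10"],
}


def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    for host, ip, net in check_body(SAMPLE_BODY, sample_resolver):
        print(f"{host} -> {ip} is inside {net}")
```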
From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:42 2006 Subject: Filename Ruleset. In-Reply-To: <1077660974.30535.6.camel@bach.kevinspicer.co.uk> References: <6.0.2.0.0.20040224170053.02717bb8@mail.enhtech.com> <1077660974.30535.6.camel@bach.kevinspicer.co.uk> Message-ID: <6.0.2.0.0.20040224172508.02717910@mail.enhtech.com> At 05:16 PM 2/24/2004, you wrote: >On Tue, 2004-02-24 at 22:02, Admin Team wrote: > > Hi, > > > > How do I create a ruleset to silently remove the attachments from an email > > sent to a particular user that would not > > have normally been removed? I need to strip a .wav file from an email > > because its blowing up my blackberry! > > > >Can't you just move it to a different folder with a rule in Outlook and >set the blackberry not to sync that folder? Its not being synced. Its being forward to the Blackberry by the final SMTP server after the original message is scanned. Imail does not have the ability to remove attachments so my goal was to again forward the message back to the mailscanner to an obscure account such as attachments-remove-username then after the mailscanner strips the attachment it goes back to the final smtp server attachment-less and is delivered to our blackberries. The .wav files are just voice mail messages. Errol Neal From steve.swaney at FSL.COM Tue Feb 24 22:27:31 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:42 2006 Subject: Multiple Recipients In-Reply-To: Message-ID: <20040224222934.69E4021C13D@mail.fsl.com> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Robin, Rob > Sent: Tuesday, February 24, 2004 4:49 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Multiple Recipients > > Hello all, > > From MailScannner.conf, > > # When trying to work out the value of configuration parameters which are > # using a ruleset, this controls the behaviour when a rule is checking the > # "To:" addresses. > # If this option is set to "yes", then the following happens when checking > # the ruleset: > # a) 1 recipient. Same behaviour as normal. > # b) Several recipients, but all in the same domain (domain.com for > example). > # The rules are checked for one that matches the string > "*@domain.com". > # c) Several recipients, not all in the same domain. > # The rules are checked for one that matches the string "*@*". > # > # If this option is set to "no", then some rules will use the result they > # get from the first matching rule for any of the recipients of a message, > # so the exact value cannot be predicted for messages with more than 1 > # recipient. > # > # This value *cannot* be the filename of a ruleset. > > > So, my interpretation on this is that when there are multiple > recipients (w/ different policy), you can't really create a true per-user > basis preference. Are there any ways I can make it so that we can create a > true per user preference in the 'multiple recipient' case ? > Only with sendmail. Sendmail appears to be the only MTA that can convert messages to multiple recipients up into individual messages to each recipient before dropping in mqueue.in. MailScanner can then apply individual preferences to each message. We're using this technique on our own scanners. Note that it does add a bit of load as the result of processing many more messages. I've put this in the FAQ twice but now I can't find it there. I'll dig around and see if I can find the instructions. This may take a while as we're pretty busy right now. 
Steve Swaney
Fortress Systems Ltd.
steve@fsl.com

>
> Thanks,
> ------------------------
> Rob Robin
> Network Analyst
> Green Apple, Inc.
> 740-653-9890
> rrobin@greenapple.com
> www.greenapple.com
> Internet access, hosting and development solutions since 1995.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and
dangerous content by Fortress Secure Mail Gateway
and was found to be clean.

Fortress Systems Ltd. - http://www.fsl.com

From brett at PROSOLUTIONSINC.COM Tue Feb 24 22:33:29 2004
From: brett at PROSOLUTIONSINC.COM (Brett)
Date: Thu Jan 12 21:22:42 2006
Subject: queue growing
In-Reply-To: <403BC661.9080502@greyhair.net>
Message-ID:

the box is a dual 200mhz with 288mb memory
raid 5 with 4 drives, 12 gb of drive space
got about 2000 emails a day going through it
red hat 8, all security patches applied
using sendmail 8.12.8
sa 2.63
mailscanner 4.24

I thought it might be dns but everything seems to be resolving fine
i ran in debug mode through mailscanner.conf, it flew through it pretty
well, i let it run for about a minute
i dropped the Max Children to 3 from 5 to see if that would help, no go
i cleared the queue by stopping mailscanner, setting sendmail queue to that
dir and letting it do the delivery, then stopping sendmail and putting
everything back and restarting mailscanner with an empty queue, and it
still started
i also ran spamassassin -D --lint, everything looked fine there also, the
only thing it failed on was pyzor and razor2, which are not installed
the only thing i can think of was i started to mess with snmp to monitor
the box with mrtg, i am not sure if that would have any effect on it

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of greyhair
Sent: Tuesday, February 24, 2004 4:47 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: queue growing

Brett:

More info please. What OS, RAM, MailScanner version, etc. The more we know
the more we (Julian, et al.) can help.

-greyhair

Brett Z wrote:

>hey all:
>ok i am new to this forum so if i don't post right let me know.
>on to the question well asi stand for nearly a month with no problems
>well last Thursday i was messing with snmp and after that the queue started
>growing now so far i ran it in debug and it was flying through it so it
>did not seem to get hung up on anything the maillog shows no errors
>however now with the queue growing the processors run like 100% all the
>time i shutdown the snmp service but still did not help does any one have
>any suggestions.
>
>thanks all
>brett
>

From raymond at PROLOCATION.NET Tue Feb 24 22:39:21 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:42 2006
Subject: Multiple Recipients
In-Reply-To: <20040224222934.69E4021C13D@mail.fsl.com>
Message-ID:

Hi!

> > So, my interpretation on this is that when there are multiple
> > recipients (w/ different policy), you can't really create a true per-user
> > basis preference. Are there any ways I can make it so that we can create a
> > true per user preference in the 'multiple recipient' case ?
> >
> Only with sendmail. Sendmail appears to be the only MTA that can convert
> messages to multiple recipients up into individual messages to each
> recipient before dropping in mqueue.in. MailScanner can then apply
> individual preferences to each message.

You can also do this with Exim but it involved a third Exim process since
Exim only can do this on the delivery stage, the splitting.

Bye,
Raymond.

From shrek-m at GMX.DE Tue Feb 24 23:10:27 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:42 2006 Subject: gibe-f only dangerous-content Message-ID: <403BD9E3.3080609@gmx.de> hi, gibe-f (variante 1- microsoft) is catched by ms but the second variante gibe-f is only tagged as {dangerous-content} sophos seems to be ok. $ LANG=C sweep -mime -archive Announcement.eml >>> Virus 'W32/Gibe-F' found in file Announcement.eml/axria.exe $ rpm -q mailscanner mailscanner-4.26.8-1 -- shrek-m From pete at eatathome.com.au Tue Feb 24 23:29:41 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:42 2006 Subject: Upgrade In-Reply-To: <20040224221917.C683521C13D@mail.fsl.com> References: <20040224221917.C683521C13D@mail.fsl.com> Message-ID: <403BDE65.1070302@eatathome.com.au> Stephen Swaney wrote: >Stephen Swaney >President >Fortress Systems Ltd. >Steve.Swaney@FSL.com > > > > >>-----Original Message----- 
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >>Behalf Of Pete >>Sent: Tuesday, February 24, 2004 5:09 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Upgrade >> >>Hi there, i am going to upgrade my test mailscanner machine to lates SA, >>MS, clamav, mailwatch and mrtg and add dcc. >> >> I installed SA 2.60 from source, can i use CPAN to upgrade/install >>latest? or best to get source and 'install over the top' ? >> >>Which is going to be the best setup for the future, as oppose to which >>is the easier method of upgrading. >> >> >Get the tarball and install. It's the safest and not at all difficult. > >Steve > >Stephen Swaney >President >Fortress Systems Ltd. >Steve.Swaney@FSL.com > > > >>Thanks >>Pete >> >>-- >>This message has been scanned for viruses and >>dangerous content by MailScanner, and is >>believed to be clean. >> >>Fortress Systems Ltd. >>www.fsl.com >> >> >> > > > >-- >This message has been scanned for viruses and >dangerous content by Fortress Secure Mail Gateway >and was found to be clean. > >Fortress Systems Ltd. - http://www.fsl.com > > > > > WOW! Thanks for everyones help with newbie upgrade questions, but having asked all the simple questions meant that this upgrade of MS, SA, clamav took about 15min Amazing stuff Julian. Thanks again. From nicholas_esborn at AFFYMETRIX.COM Wed Feb 25 00:24:58 2004 
From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn) Date: Thu Jan 12 21:22:43 2006 Subject: LDAP documentation please :) Message-ID: <20040225002458.GG10832@affymetrix.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, Very soon I will be maintaining multiple mailscanner hosts which need to have identical configurations for options such as the black and white lists, and rules for spam checks. LDAP configuration would prevent this from being an administrative headache. Could documentation of the LDAP system be given higher priority (than it has now)? Or perhaps some example configs? I don't figure it is ready for production use, but I'd like to learn how to use it so I can run with it once support is stable. Thanks, - -nick - -- Nicholas Esborn | UNIX Systems Administrator | CIS Affymetrix, Inc. | 6550 Vallejo St. | Emeryville, CA 94608 Tel: 510/428.8505 | Fax: 408-731-5380 Every message cryptographically signed -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAO+tZniCIkLLhb34RAhGxAJ9GjdFlfL/9IUYpqlCNuOFQuKlG/QCdGXz3 Qh6rd96AtXh3xEXTf4fxRRU= =FqRN -----END PGP SIGNATURE----- From mark at TIPPINGMAR.COM Wed Feb 25 02:13:20 2004 
From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:22:43 2006 Subject: Deliver Cleaned Messages In-Reply-To: <6.0.1.1.2.20040211162834.0373b918@imap.ecs.soton.ac.uk> References: Message-ID: <403B9440.10818.1DCCCBB3@localhost> In my MailScanner.conf, which has been updated through lots of versions, I find the following: Under the section heading " Virus Scaning and Vulnerability Testing" Deliver Disinfected Files = no Still Deliver Silent Viruses = no then, way down under "Changes to Message Headers" Deliver Cleaned Messages = no Did my conf file get a little mixed up during a previous upgrade? I think the "Still Deliver Silent Viruses" and the "Deliver Cleaned Messages" are really the same thing, except applied to different groups of viruses. I would have expected them to be adjacent to one another in the conf file, and only today did I realize that I had to set more than one. -- Mark W. Nienberg, SE Tipping Mar + associates 1906 Shattuck Ave, Berkeley, CA 94704 visit our website at http://www.tippingmar.com From pz at CHRIST-NET.SK Wed Feb 25 07:45:27 2004 From: pz at CHRIST-NET.SK (pz) Date: Thu Jan 12 21:22:43 2006 Subject: MailScanner /etc/init.d startup script In-Reply-To: <3EA1A302A4978A4C970D2C63F327156E02406D5E@worc-mail2.int.morganco.com> References: <3EA1A302A4978A4C970D2C63F327156E02406D5E@worc-mail2.int.morganco.com> Message-ID: <93BDF77C-6766-11D8-98E8-003065E53DCC@christ-net.sk> Please, where i find startup script for MailScanner to /etc/init.d/ directory? __ S pozdravom Peter Zimen From mailscanner at ecs.soton.ac.uk Wed Feb 25 08:33:17 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:43 2006 Subject: Is this possible? In-Reply-To: <403BC58E.8000001@eatathome.com.au> References: <20040224204504.CDB1621C13D@mail.fsl.com> <1077657824.3911.103.camel@dbeauchemin.sti.usherbrooke.ca> <403BC58E.8000001@eatathome.com.au> Message-ID: <6.0.1.1.2.20040225083256.03ad6d70@imap.ecs.soton.ac.uk> At 21:43 24/02/2004, you wrote: >Denis Beauchemin wrote: > >>Le mar 24/02/2004 ? 15:43, Stephen Swaney a ?crit : >> >> >>>>-----Original Message----- >>>> >>>>Hi, >>>> >>>>We are about to retire a mail server and would like all messages coming >>>>from there to be modified my MS to display a warning message to the >>>>recipients before the real email (something like: this server will be >>>>shut down on DATE, please migrate to the new server ASAP). >>>> >>>>I thought about using "Non Spam Actions" but there is no "attachment" >>>>action available. Besides I would also need a different report for non >>>>spam... >>>> >>>>Any ideas on how to do something like this? >>>> >>>> >>>Why don't you modify the "Inline HTML Signature" and "Inline Text Signature" >>>signatures to contain your message. >>> >>>Then set: >>> >>>Sign Clean Messages = yes >>>Of course this pre-supposes that your outgoing email is processed by the >>>gateway. >>> >>>Steve >>> >>> >> >>I've never used signatures before. I guess I could use a ruleset to >>limit those signatures to my to-be-retired server's IP? >> >>I would have preferred my message to be inserted before the original >>message, but since signatures are already part of MS, I will give them a >>try. >> >>Thanks! >> >>Denis >Some MTAs allow you to write on every message it processes, Lotus Domino >certainly can. See "Sign Clean Messages". -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From gdoris at ROGERS.COM Wed Feb 25 08:39:47 2004 
From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:22:43 2006 Subject: MailScanner /etc/init.d startup script In-Reply-To: <93BDF77C-6766-11D8-98E8-003065E53DCC@christ-net.sk> References: <3EA1A302A4978A4C970D2C63F327156E02406D5E@worc-mail2.int.morganco.com> <93BDF77C-6766-11D8-98E8-003065E53DCC@christ-net.sk> Message-ID: On Wed, 25 Feb 2004, pz wrote: > Please, where i find startup script for MailScanner to /etc/init.d/ > directory? > > __ > > > S pozdravom > > Peter Zimen If you're using a version of Redhat the start/stop scripts are in /etc/rc.d/init.d. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From pz at CHRIST-NET.SK Wed Feb 25 08:53:49 2004 From: pz at CHRIST-NET.SK (pz) Date: Thu Jan 12 21:22:43 2006 Subject: MailScanner /etc/init.d startup script In-Reply-To: References: <3EA1A302A4978A4C970D2C63F327156E02406D5E@worc-mail2.int.morganco.com> <93BDF77C-6766-11D8-98E8-003065E53DCC@christ-net.sk> Message-ID: <2107F384-6770-11D8-98E8-003065E53DCC@christ-net.sk> O.K. I find it via google :). DONE __ S pozdravom Peter Zimen On 25.2.2004, at 9:39, Gerry Doris wrote: > On Wed, 25 Feb 2004, pz wrote: > >> Please, where i find startup script for MailScanner to /etc/init.d/ >> directory? >> >> __ >> >> >> S pozdravom >> >> Peter Zimen > > If you're using a version of Redhat the start/stop scripts are in > /etc/rc.d/init.d. > > -- > Gerry > > "The lyfe so short, the craft so long to learne" Chaucer > From mailscanner at ecs.soton.ac.uk Wed Feb 25 09:32:12 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:43 2006 Subject: ANNOUNCE: beta 4.27.5 released Message-ID: <6.0.1.1.2.20040225092904.03d5b020@imap.ecs.soton.ac.uk> Morning all, This is (hopefully) the last beta/unstable version before 4.27 goes stable this weekend. Please give it a try and check that everything is working properly. Bugs in this version will be in the stable release unless you tell me about them! All the MIME robustness patches should be included. I have added support for Symantec CarrierScan (thanks to Martin Foster for that). Download as usual from www.mailscanner.info -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Kevin.Spicer at BMRB.CO.UK Wed Feb 25 09:48:53 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:43 2006 Subject: ANNOUNCE: beta 4.27.5 released Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649ABC@pascal.priv.bmrb.co.uk> Julian Field wrote: > I have added support for Symantec CarrierScan (thanks to Martin > Foster for that). > Does anyone know if this is the same product as Symantec AntiVirus Command Line Scanner (http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=65&EID=0)? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From raymond at PROLOCATION.NET Wed Feb 25 10:08:09 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:43 2006 Subject: ANNOUNCE: beta 4.27.5 released In-Reply-To: <6.0.1.1.2.20040225092904.03d5b020@imap.ecs.soton.ac.uk> Message-ID: Hi! > This is (hopefully) the last beta/unstable version before 4.27 goes stable > this weekend. > Please give it a try and check that everything is working properly. Bugs in > this version will be in the stable release unless you tell me about them! > > All the MIME robustness patches should be included. > I have added support for Symantec CarrierScan (thanks to Martin Foster for > that). > > Download as usual from www.mailscanner.info Seems to run just fine, i did notice some things with the silent virus list but i cant track it down yet. Is all the silent virus checking and the new list case sensitive, or is all case independant? I have see notifications delivered for Mydoom and i had MyDoom silent listed. clam called the new one Worm.Mydoom with a small D, on the other hand this is just guessing, have to track down some more samples. But since this code is newly added it might be good to doublecheck. Bye, Raymond. From martinh at SOLID-STATE-LOGIC.COM Wed Feb 25 10:41:51 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:43 2006
Subject: resend quarantined whole message with exim?
In-Reply-To: <403BA50A.20305@whi.wts.edu>
References: <403BA50A.20305@whi.wts.edu>
Message-ID: <403C7BEF.3080407@solid-state-logic.com>

Kirk

you'll need the email saved as queue files (a setting in MailScanner.conf)

then cd to the directory with the queue files in it..

cp -p *H *D /var/spool/exim/input

(assuming the post MS exim queue is in /var/spool/exim as in the
MS-exim how-to).

force delivery of the message with

exim -C /usr/local/etc/exim/configure.out -M message-id

where message-id is the name of the files you just moved without the
-D and -H

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Kirk Lowery wrote:

> I'm running a Debian sarge box with MailScanner and Exim4.
>
> If I want to deliver a file that was quarantined by MailScanner as a
> whole message (header plus message), how would I do this using exim4?
>
> TIA!
>
> Kirk
> --
> Theory is when you know everything and nothing works.
> Practice is when everything works and nobody knows why.
> With us, theory and practice are united:
> nothing works and nobody knows why!

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From pete at eatathome.com.au Wed Feb 25 10:43:10 2004
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:43 2006 Subject: ANNOUNCE: beta 4.27.5 released In-Reply-To: <6.0.1.1.2.20040225092904.03d5b020@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040225092904.03d5b020@imap.ecs.soton.ac.uk> Message-ID: <403C7C3E.8070408@eatathome.com.au> Julian Field wrote: > Morning all, > > This is (hopefully) the last beta/unstable version before 4.27 goes > stable > this weekend. > Please give it a try and check that everything is working properly. > Bugs in > this version will be in the stable release unless you tell me about them! > > All the MIME robustness patches should be included. > I have added support for Symantec CarrierScan (thanks to Martin Foster > for > that). > > Download as usual from www.mailscanner.info > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > I bet you have this covered, but i installed the latest stable this morning and i get the double entries in the log for the To: field, using postfix 2.016, which was an issue in 4.24-5. Thanks Pete From mailscan at PRIS.CA Wed Feb 25 17:06:53 2004 
From: mailscan at PRIS.CA (MailScanner Mailbox)
Date: Thu Jan 12 21:22:43 2006
Subject: DOS and Oversized Zip
In-Reply-To: <1077576454.23027.0.camel@bach.kevinspicer.co.uk>
Message-ID:

Hello

On Mon, 23 Feb 2004, Kevin Spicer wrote:

> On Mon, 2004-02-23 at 18:11, MailScanner Mailbox wrote:
> > Anyways, there is some info I googled that mentions editing the scanners.c
> > file (specifically "ZIPOSDET") to increase the value. I don't see that
> > option available in clamav 0.67 so perhaps it is something I can set
> > within the mailscanner config file?
> >
> > I have confirmed that the file being sent is a zip file containing 3 txt
> > files (one of them is 5mb) and it compresses down to 220kb.
> >
> I think you'll find this is now configurable in clamav.conf
>

Right you are, I think......

I have had a look at the clamav.conf file and the man page clamav.conf.5
and the only thing I can see that might be it is "ArchiveMaxFileSize SIZE"
this defaults to 10mb.

Does this mean that if a file is over 10mb it won't be scanned or that MS
will mark it as an oversized zip? Or.... am I even looking at the right
option, I am still getting more "Denial of Service attack in message!"
messages than I should be.

Rick

From mailscanner at SMITS.CO.UK Wed Feb 25 17:47:26 2004
From: mailscanner at SMITS.CO.UK (MailScanner)
Date: Thu Jan 12 21:22:43 2006
Subject: Queued messages ?
Message-ID: <58696C94787F16468267F3509F115030981E@hermes.clumpton.homeip.net>

I'm considering a perl script on an hourly cron job to check all qf files
in the outbound queue and delete those files and their corresponding df
files, that have an empty (< >) from: field and have a retry count of at
least four. (four strikes and you're out)

This would give legitimate NDR's a fair chance of being delivered and
remove all but the last few hours of bogus NDR's.

I will post updates here

Bart...

________________________________
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Max Kipness
Posted At: 25 February 2004 16:17
Posted To: MailScanner
Conversation: Queued messages ?
Subject: Queued messages ?

Anybody have any suggestion for this problem??

----------------------------------------------------------------------

Hope this isn't too off topic. It does have to do with MailScanner.

I'm relaying several email domains to several servers and have extended the
4 hour and 4 day warning and bounce back times in sendmail to 2 weeks. This
is due to a client that is going through weekend power outages at the
moment.

I now have roughly 2000 emails in the queue, 95% of them have <> as the
sender. This is also due to the fact that I am sending spam warning
messages to senders, and must do this for false-positives.

I was thinking of creating a script that parses the results of mailq and
deletes every email with <> as the sender on a daily basis.

Any thoughts on this? Pros and cons? Has anyone done this? Or is there
anything in MailScanner that helps with this?

Thanks,
Max

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040225/dd66a5de/attachment.html

From mailscanner at ecs.soton.ac.uk Thu Feb 26 01:53:15 2004
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:22:43 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200402260153.i1Q1rFj6026925@seer.ecs.soton.ac.uk>

New Guestbook-Entry from root_wxt

Our company mail is always plagued by viruses! Let's try MailScanner and
see how it does!

From mailscanner at ecs.soton.ac.uk Thu Feb 26 12:26:52 2004
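The clean-up proposed in the "Queued messages ?" thread above, as an added Python example rather than anyone's posted script: it reads the S (sender) and N (delivery attempts) records of sendmail qf control files and selects null-sender messages with at least four tries, deleting only when asked. The queue IDs and file contents are constructed; the sketch takes no queue lock, so it assumes queue runs are stopped while it deletes.

```python
import os
import tempfile


def read_qf(path):
    """Return (sender, tries) from the S and N records of a qf control file."""
    sender, tries = None, 0
    with open(path, "r", encoding="latin-1") as fh:
        for line in fh:
            code, value = line[:1], line[1:].strip()
            if code == "S" and sender is None:
                sender = value  # "S<>" is the null (bounce) sender
            elif code == "N" and value.isdigit():
                tries = int(value)
    return sender, tries


def is_null_sender(sender):
    """True for an S record holding "<>", "< >" or nothing at all."""
    return sender is not None and sender.replace(" ", "") in ("", "<>")


def find_stale_bounces(queue_dir, min_tries=4):
    """List (qf_path, df_path, tries) for null-sender mail tried min_tries times."""
    hits = []
    for name in sorted(os.listdir(queue_dir)):
        if not name.startswith("qf"):
            continue
        qf = os.path.join(queue_dir, name)
        try:
            sender, tries = read_qf(qf)
        except OSError:
            continue  # file vanished: it was delivered while we were scanning
        if is_null_sender(sender) and tries >= min_tries:
            hits.append((qf, os.path.join(queue_dir, "df" + name[2:]), tries))
    return hits


def purge(hits, dry_run=True):
    """Report the selected qf names; remove qf then df only when dry_run is False."""
    names = []
    for qf, df, _tries in hits:
        if not dry_run:
            for path in (qf, df):  # control file first, so no runner picks it up
                try:
                    os.remove(path)
                except FileNotFoundError:
                    pass
        names.append(os.path.basename(qf))
    return names


def build_sample_queue():
    """Create a temporary queue directory holding three constructed messages."""
    queue_dir = tempfile.mkdtemp(prefix="mqueue-sample-")
    samples = {
        "i1PAAAAA000001": ("<>", 5),                  # bounce, 5 tries: selected
        "i1PBBBBB000002": ("<>", 1),                  # bounce, still young: kept
        "i1PCCCCC000003": ("<user@example.com>", 9),  # real sender: kept
    }
    for qid, (sender, tries) in samples.items():
        with open(os.path.join(queue_dir, "qf" + qid), "w") as fh:
            fh.write(f"T1077700000\nK1077710000\nN{tries}\nS{sender}\n"
                     "HSubject: constructed sample\n")
        with open(os.path.join(queue_dir, "df" + qid), "w") as fh:
            fh.write("constructed message body\n")
    return queue_dir


if __name__ == "__main__":
    queue = build_sample_queue()
    for qf, df, tries in find_stale_bounces(queue):
        print(f"would remove {qf} and {df} ({tries} delivery attempts)")
```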
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:22:43 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200402261226.i1QCQqYm005371@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Alvina Everhart

living in the world that we live in to http://play-progressive-slots-for-fun.fairslots.co m isnt all that fun anymore , on our site we can offer you the best roulette online and progressive fun slots.

From klowery at whi.wts.edu Wed Feb 25 11:44:38 2004
From: klowery at whi.wts.edu (Kirk Lowery)
Date: Thu Jan 12 21:22:43 2006
Subject: resend quarantined whole message with exim?
In-Reply-To: <403C7BEF.3080407@solid-state-logic.com>
References: <403BA50A.20305@whi.wts.edu> <403C7BEF.3080407@solid-state-logic.com>
Message-ID: <403C8AA6.1000807@whi.wts.edu>

Martin Hepworth wrote:

> you'll need the email saved as queue files (a setting in MailScanner.conf)
>
> then cd to the directory with the queue files in it..
>
> cp -p *H *D /var/spool/exim/input
>
> (assuming the post MS exim queue is in /var/spool/exim as in the
> MS-exim how-to).
>
> force delivery of the message with
>
> exim -C /usr/local/etc/exim/configure.out -M message-id
>
> where message-id is the name of the files you just moved without the
> -D and -H

Thanks for your response! This is helpful. Yes, I also found the setting in
MailScanner.conf for this (Debian defaults to "no" for "Quarantine Whole
Messages As Queue Files" this setting; I think I'll file a bug on it with
the Debian MailScanner package...).

But what can I do with the files already combined with headers and message
body? Is there some MailScanner or exim command that will split them out to
queue files?

Kirk
--
Theory is when you know everything and nothing works.
Practice is when everything works and nobody knows why.
With us, theory and practice are united: nothing works and nobody knows why!

From lists at DVD-GOETSCH.DE Wed Feb 25 11:50:47 2004
From: lists at DVD-GOETSCH.DE (sebastian ruchti)
Date: Thu Jan 12 21:22:43 2006
Subject: ANNOUNCE: beta 4.27.5 released
In-Reply-To: <6.0.1.1.2.20040225092904.03d5b020@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

would it be possible to include the MCP configurations in the
MailScanner.conf file by default (maybe with default setting MCP checks =
off). This would make it easier for mcp-users to update their
MailScanner.conf file without having all the mcp-related entries removed
when executing upgrade_MailScanner.conf.

Just my two cents.

.sebastian

From drew at THEMARSHALLS.CO.UK Wed Feb 25 12:41:35 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:43 2006
Subject: {Virus?} Re: [MAILSCANNER] ANNOUNCE: beta 4.27.5 released
In-Reply-To: <403C948F.5070909@gmx.de>
References: <6.0.1.1.2.20040225092904.03d5b020@imap.ecs.soton.ac.uk> <403C948F.5070909@gmx.de>
Message-ID: <24920.194.70.180.170.1077712895.squirrel@net.themarshalls.co.uk>

Could someone tell me what this is all about. F-Prot didn't like it much!

Drew

shrek-m@gmx.de said:
> Warning: This message has had one or more attachments removed
> Warning: (the entire message).
> Warning: Please read the "TheMarshalls-Attachment-Warning.txt"
> attachment(s) for more information.
>
> This is a message from the MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail attachment "the entire message"
> was believed to be infected by a virus and has been replaced by this
> warning
> message.
>
> If you wish to receive a copy of the *infected* attachment, please
> e-mail the helpdesk (helpdesk@themarshalls.co.uk) and include the
> whole of this message in your request.
>
> At Wed Feb 25 12:27:14 2004 the virus scanner said:
> F-Prot: msg-14486-8.txt->axria.exe could be infected with an unknown
> virus
>
> Note to Help Desk: Look on the MailScanner in
> /var/spool/MailScanner/quarantine/20040225 (message 6E75860E1).
> --
> Postmaster
>
>

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From jburzenski at AMERICANHM.COM Wed Feb 25 13:59:01 2004
From: jburzenski at AMERICANHM.COM (Jason Burzenski)
Date: Thu Jan 12 21:22:43 2006
Subject: Feature Request: Grey List?
Message-ID: <9BDD6D4AD0795C46974D7D46C17883B809FC376E@ahm_exchange2.americanhm.com>

Greetings All:

Does anyone know if there is a way to greylist domains so they are treated
as low scoring spam when "treat definite spam as high scoring spam" is
enabled? I recently upgraded from 4.55.2 to 4.26.8 and have been using
blacklists extensively for the past six months (over 2200 entries in
blacklist file) and would like to enable treat blacklist entries as high
scoring, but I'm worried that there are some ISP domains and some c-class
networks in there that will eventually come back to haunt me as people
don't get their mail.

Thanks,
Jason

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040225/749626ed/attachment.html

From P.G.M.Peters at utwente.nl Wed Feb 25 14:03:08 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:43 2006
Subject: Dspam
In-Reply-To:
References:
Message-ID: <2lap309uk02m9p92cpn4kka8smoelni745@4ax.com>

On Tue, 24 Feb 2004 14:28:22 -0800, you wrote:

>On Tue, 24 Feb 2004, Michele Neylon :: Blacknight Solutions wrote:
>> So you have three problems (in my rather simplistic view)
>> - 1 Source IP - almost impossible to forge, but could be anywhere in the world
>> - 2 Source address/domain/hostname - meaningless
>> - 3 URLs in the text/body of the email -
>> - 4 The *real* hostnames that 3 refers to
>> 1 - is easy enough to track/block
>> 2 - is meaningless
>> 3 - awkward. Reverse IP lookups on each one???? Sounds painful
>> 4 - unless you follow the URL in 3 you have no way of knowing what it is
>
>Just because it's not perfect doesn't mean it's useless.
>
>It's certainly better than a lot of the filtering techniques out there, and
>should be a lot more effective.
>
>Reverse lookups for #3? No. *forward* lookups. Eg
>http://www.grblsndktqer.biz/ in the body of the spam resolves to an IP in
>china. So you block it.

A number of spammers swap their domains around (or round robin them)
over (free) webhosters. The referenced website only has a redirection
frame in it. And sometimes the redirection is only activated when you
get referred from the same URL.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From yg at EWAN.COM.ER Wed Feb 25 14:18:22 2004
From: yg at EWAN.COM.ER (Yohannes Gebrehiwet)
Date: Thu Jan 12 21:22:43 2006
Subject: ANNOUNCE: beta 4.27.5 released
In-Reply-To:
References: <6.0.1.1.2.20040225092904.03d5b020@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.0.20040225171341.01f79ec0@mail.eol.com.er>

Dear All,

Looking at the new features for this release, I see the following line:

- Added support for Qmail. You will need the contents of qmail/qmail-queue.zip.

We would like to try MailScanner with QMAIL but are unable to find the
suggested file qmail-queue.zip as well as some instructions if any.

Any pointers would be most welcome.

Yohannes Gebrehiwet,
Operations Director,
Ewan Technology Solutions Inc.,
Saba Building, 2nd Floor,
Warsay Street,
Asmara, ERITREA.

From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 25 15:19:05 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:43 2006
Subject: [FAQ] Viruses in High Scoring Spams are not detected
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C572@jessica.herefordshire.gov.uk>

MailScanner does not bother to virus scan emails which are flagged as
high-scoring Spam when the "High Scoring Spam Actions" do not deliver or
forward, even if the items are stored in quarantine. I'd like to know that
we're storing a virus, so the workaround I use with sendmail is:

  High Scoring Spam Actions = store forward spam@localhost.localdomain

and add to /etc/aliases

  spam /dev/null

(and then do a "newaliases")

I've added this to the FAQ-o-matic.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From prandal at HEREFORDSHIRE.GOV.UK Wed Feb 25 15:24:33 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:43 2006
Subject: [FAQ] Viruses in High Scoring Spams are not detected
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C573@jessica.herefordshire.gov.uk>

> and add to /etc/aliases
>
>   spam /dev/null

oops

  spam: /dev/null

FAQ corrected.

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From craig at WESTPRESS.COM Wed Feb 25 15:28:25 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:43 2006
Subject: [FAQ] Viruses in High Scoring Spams are not detected
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C572@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C572@jessica.herefordshire.gov.uk>
Message-ID:

>MailScanner does not bother to virus scan emails which are flagged as
>high-scoring Spam when the "High Scoring Spam Actions" do not deliver or
>forward, even if the items are stored in quarantine. I'd like to know that
>we're storing a virus, so the workaround I use with sendmail is:
>
>  High Scoring Spam Actions = store forward spam@localhost.localdomain
>
>and add to /etc/aliases
>
>  spam /dev/null
>
>(and then do a "newaliases")

That's a good idea, thank you

--
--
Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433
Tel: 520-624-4939
Fax: 520-624-2715
www.westpress.com
--

From maillists at CONACTIVE.COM Wed Feb 25 15:31:43 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:43 2006
Subject: Addition?
In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D018178A@busted.dandd.com>
References: <8BD06A60242B4341B8919A4AC958C1D018178A@busted.dandd.com>
Message-ID:

Rob Vicchiullo wrote on Tue, 24 Feb 2004 14:26:08 -0500:

> http://yro.slashdot.org/article.pl?sid=04/02/24/0025219&mode=nested
>

DSpam has already been discussed here. Let's have a look at the article:

> Nuclear Elephant writes "The authors of two spam filters, CRM114 and
> DSPAM,

"Nuclear elephant" *is* the author of DSpam if I may conclude that from the
domain name. And the author of CRM114 is apparently a co-author of some
portions of it.

> announced recently that their filters have achieved accuracy
> rates ten times better than a human is capable of.

This is simply impossible, see below. And it's misleading use of
statistics. If we were to use the figures, anyway, it means A has a correct
detection of 6240 out of 6250 messages while B has one of 6249 out of 6250.
So, the increase in detection is about 0,0015%. It's ten times more
"accurate"?
And if we go here: http://www.nuclearelephant.com/projects/dspam/dobly.html
we see these figures are based on a "real mailbox" , the author's one.
There's no problem to train and code a filter for such a result. See below,
we have 100% accuracy for our mailboxes.

> Based on a study by
> Bill Yerazunis of CRM114, the average human is only 99.84% accurate.

Nonsense. It's only the recipient who can classify something as spam.

> Both filters are reporting to have reached accuracy levels between
> 99.983% and 99.984% (1 misclassification in 6250 messages) using
> completely different approaches

Well, I see that *all* of our spam is getting a BAYES_99 from SA and the
low-scoring spam is identified *only* by BAYES_99. So, what does this tell
me? That SA is 100% accurate? Maybe. That we have a bayes database which is
very well trained for our needs? Most certainly yes.
Both tools are probably quite good in detecting spam, but the article(s)
is/are just a marketing blurb.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From ralexand at HOODINDUSTRIES.COM Wed Feb 25 15:37:55 2004
From: ralexand at HOODINDUSTRIES.COM (Richard Alexander)
Date: Thu Jan 12 21:22:43 2006
Subject: MailScanner List problem continues.....
Message-ID:

I am still having issues receiving the mailscanner list since my upgrade to
MS 4.26.7 and SA 2.63 on red hat 9.0. I added *@JISCMAIL.AC.UK to my
spam.whitelist.conf file and that worked for a couple days. Now it is
showing that there is a virus.zip file in the email from the list and that
is concerning me. FYI..from a previous post and instructions from Julian I
am blocking zip attachments by default and allowing from several approved
domains. I checked the quarantine and there is a file named virus.zip.
Looked at the contents and there is a ms_virus file. Below is the maillog
entry. I know I can add an entry to my filename.rules.conf to allow from
the list, but I'm trying to figure out why there is an attachment instead
of just html email?

maillog:

Feb 23 17:49:45 inet sendmail[23651]: i1NNngbB023651: from=, size=187459, class=-30, nrcpts=1, msgid=<200402232349.i1NNngbB023651@inet.hoodindustries.com>, proto=SMTP, daemon=MTA, relay=smtp.jiscmail.ac.uk [130.246.192.48]
Feb 23 17:49:45 inet MailScanner[17570]: New Batch: Scanning 1 messages, 188088 bytes
Feb 23 17:49:45 inet MailScanner[17570]: Spam Checks: Starting
Feb 23 17:49:51 inet MailScanner[17570]: Virus and Content Scanning: Starting
Feb 23 17:49:51 inet MailScanner[17570]: Filename Checks: (i1NNngbB023651 virus.zip)
Feb 23 17:49:52 inet MailScanner[17570]: Other Checks: Found 1 problems
Feb 23 17:49:52 inet MailScanner[17570]: Saved infected "virus.zip" to /var/spool/MailScanner/quarantine/20040223/i1NNngbB023651
Feb 23 17:49:52 inet MailScanner[17570]: Looked up unknown string report in language translation file /etc/MailScanner/reports/en/languages.conf

From evertjan at VANRAMSELAAR.NL Wed Feb 25 16:01:44 2004
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:22:43 2006
Subject: [FAQ] Viruses in High Scoring Spams are not detected
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C572@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C572@jessica.herefordshire.gov.uk>
Message-ID: <403CC6E8.6090703@vanramselaar.nl>

Randal, Phil shared the following on 25-02-04 16:19:

> MailScanner does not bother to virus scan emails which are flagged as
> high-scoring Spam when the "High Scoring Spam Actions" do not deliver or
> forward, even if the items are stored in quarantine. I'd like to know that
> we're storing a virus, so the workaround I use with sendmail is:
>
>   High Scoring Spam Actions = store forward spam@localhost.localdomain
>
> and add to /etc/aliases
>
>   spam /dev/null

Wouldn't it be nice to have an option 'scan', so the messages will be
scanned for dangerous content anyway? I.e.:

  High Scoring Spam Actions = store scan

--
Evert Jan van Ramselaar
Van Ramselaar Info Tech

Mail pgpkey@vanramselaar.nl to get my G/PGP Public Key.
Key fingerprint = 4F2A 56C4 F9C3 FA36 3ED8 DEC8 B50C D425 1202 DA95

From mkipness at GENIANT.COM Wed Feb 25 16:17:02 2004
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:22:43 2006
Subject: Queued messages ?
Message-ID: <399D85F2BB50BC4295F78EAE203D5C222181A7@dalsxc01.geniant.net>

Anybody have any suggestion for this problem??

----------------------------------------------------------------------

Hope this isn't too off topic. It does have to do with MailScanner.

I'm relaying several email domains to several servers and have extended the
4 hour and 4 day warning and bounce back times in sendmail to 2 weeks. This
is due to a client that is going through weekend power outages at the
moment.

I now have roughly 2000 emails in the queue, 95% of them have <> as the
sender. This is also due to the fact that I am sending spam warning messages
to senders, and must do this for false-positives.

I was thinking of creating a script that parses the results of mailq and
deletes every email with <> as the sender on a daily basis.

Any thoughts on this? Pros and cons? Has anyone done this? Or is there
anything in MailScanner that helps with this?

Thanks,
Max

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040225/4a049df0/attachment.html

From nissimpenias at hotmail.com Wed Feb 25 16:13:07 2004
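[Added example, not part of any post in this thread and not MailScanner or sendmail code: a dry-run selector for the queue cleanup that Max and Bart describe, listing entries whose envelope sender is <> and whose retry count is at least four. It assumes sendmail 8.12-style qf control files, where the S record holds the envelope sender and the N record the number of delivery attempts; the queue IDs, file contents and function names are constructed.]

```python
import os
import tempfile

# Constructed sample control files. Each line starts with a one-letter
# record code; assumed here: N = delivery attempts, S = envelope sender,
# H = header, lines starting with whitespace = header continuation.
SAMPLE_QF = {
    "qfi1PAAA000001": "V6\nT1077700000\nK1077714400\nN5\nP120000\nS<>\n"
                      "RPFD:user@example.com\nHSubject: Returned mail\n"
                      "\tSee transcript for details\n.\n",
    "qfi1PAAA000002": "V6\nT1077710000\nK1077713600\nN1\nS<>\n"
                      "RPFD:user@example.net\nHSubject: Returned mail\n.\n",
    "qfi1PAAA000003": "V6\nT1077600000\nK1077714000\nN9\nS<alice@example.org>\n"
                      "RPFD:bob@example.com\nHSubject: Quarterly report\n.\n",
    # Truncated file with no S record at all.
    "qfi1PAAA000004": "V6\nT1077600000\nN7\nRPFD:carol@example.com\n.\n",
}


def parse_qf(path):
    """Return (sender, attempts) from one qf file; sender is None if absent."""
    sender, attempts = None, 0
    with open(path, "r", encoding="latin-1") as fh:
        for line in fh:
            # Continuation lines belong to the previous header, not to a
            # record of their own, even if their text starts with S or N.
            if not line or line[0] in " \t":
                continue
            code, value = line[0], line[1:].strip()
            if code == "S" and sender is None:
                sender = value
            elif code == "N" and value.isdigit():
                attempts = int(value)
    return sender, attempts


def is_null_sender(sender):
    """True only for an explicit null sender; a missing S record is not one."""
    return sender is not None and "".join(sender.split()) == "<>"


def stale_bounces(queue_dir, min_attempts=4):
    """List (queue_id, qf_name, df_name) for null-sender entries retried
    at least min_attempts times. Nothing is deleted here."""
    hits = []
    for name in sorted(os.listdir(queue_dir)):
        if not name.startswith("qf"):
            continue
        sender, attempts = parse_qf(os.path.join(queue_dir, name))
        if is_null_sender(sender) and attempts >= min_attempts:
            qid = name[2:]
            hits.append((qid, name, "df" + qid))
    return hits


def demo():
    """Write the constructed samples to a temp dir and return selected IDs."""
    with tempfile.TemporaryDirectory() as qdir:
        for name, text in SAMPLE_QF.items():
            with open(os.path.join(qdir, name), "w", encoding="latin-1") as fh:
                fh.write(text)
        return [qid for qid, _qf, _df in stale_bounces(qdir)]


if __name__ == "__main__":
    for qid in demo():
        print("candidate for removal:", qid)
```

[Only the entry with both a null sender and five attempts is selected; the fresh bounce, the message with a real sender and the file with no S record are left alone. A script that actually removes files would also have to skip entries sendmail is working on, since sendmail locks a qf file while it is delivering it.]
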
From: nissimpenias at hotmail.com (Gandalf .29 .P)
Date: Thu Jan 12 21:22:43 2006
Subject: MailScanner -4.22-5+Postfix - 2.0.18-20040122 + SpamAssassin-2.63-1 on RedHat9.0 100% cpu consumtion by Mailscanner !!!
Message-ID:

Hello All ,

I am sitting in front of my server breaking my head why MailScanner consumes
99%-100% CPU when started ????

My System Is Running :
1) RedHat 9.0
2) Perl v-5.8.0 from distro RPM !
3) Postfix build 2.0.18-20040122 from www.postfix.org + TLS patch
4) MailScanner 4.22-5 from MailScanner website installed from their install
script .
5) SpamAssassin-2.63-1 rpm .

I followed the Postfix+MailScanner Procedure as described in the postfix
website under addon software MailScanner link and my postfix is running
chrooted on /var/spool/postfix .

The problem is every time I activate the postfix+mailscanner setup which
includes all the steps mentioned in the mailscanner howto , mailscanner
starts postfix incoming queue + outgoing and itself while initiating
mailscanner through perl .

Every time I run top I see the mailscanner process taking 99% of my CPU { I
didn't mention but I am running a P4 machine + 256MB RAM with
apache+webmail application} until the machine hangs !!!!

If I get the chance to kill MailScanner processes everything gets back to
normal and the cpu is 99% idle most of the time .

I didn't commit any special changes to MailScanner.conf , I am just using f-
prot and very much want to use the postfix-MailScanner-SpamAssassin
combination .

I will be very happy to get some help solving my problem ....

Thanks in advance ,

Gandalf .29 .P

From cconn at ABACOM.COM Wed Feb 25 16:28:14 2004
From: cconn at ABACOM.COM (Chris Conn)
Date: Thu Jan 12 21:22:43 2006
Subject: MailScanner -4.22-5+Postfix - 2.0.18-20040122 + SpamAssassin-2.63-1 on RedHat9.0 100% cpu consumtion by Mailscanner !!!
In-Reply-To:
References:
Message-ID: <403CCD1E.4070309@abacom.com>

Try to modify your /etc/sysconfig/i18n and change it as follows:

LANG="en_US"
SUPPORTED="en_US:en"
SYSFONT="latarcyrheb-sun16"

and reboot (or reload your Mailscanner, at least)

Get rid of the UTF, it makes a bunch of packages slow as h... on redhat9.
Perl and the like.

But, to be honest, RH9 seems somewhat slower overall. I have better
performance on RH Enterprise ES.

Chris

Gandalf .29 .P wrote:

> Hello All ,
>
> I am sitting in front of my server breaking my head why MailScanner consumes
> 99%-100% CPU when started ????
>
> My System Is Running :
> 1) RedHat 9.0
> 2) Perl v-5.8.0 from distro RPM !
> 3) Postfix build 2.0.18-20040122 from www.postfix.org + TLS patch
> 4) MailScanner 4.22-5 from MailScanner website installed from their install
> script .
> 5) SpamAssassin-2.63-1 rpm .
>
>
> I followed the Postfix+MailScanner Procedure as described in the postfix
> website under addon software MailScanner link and my postfix is running
> chrooted on /var/spool/postfix .
>
> The problem is every time I activate the postfix+mailscanner setup which
> includes all the steps mentioned in the mailscanner howto , mailscanner
> starts postfix incoming queue + outgoing and itself while initiating
> mailscanner through perl .
>
> Every time I run top I see the mailscanner process taking 99% of my CPU { I
> didn't mention but I am running a P4 machine + 256MB RAM with
> apache+webmail application} until the machine hangs !!!!
>
> If I get the chance to kill MailScanner processes everything gets back to
> normal and the cpu is 99% idle most of the time .
>
> I didn't commit any special changes to MailScanner.conf , I am just using f-
> prot and very much want to use the postfix-MailScanner-SpamAssassin
> combination .
>
>
> I will be very happy to get some help solving my problem ....
>
>
> Thanks in advance ,
>
> Gandalf .29 .P

From steve.swaney at FSL.COM Wed Feb 25 16:25:44 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:43 2006
Subject: MailScanner -4.22-5+Postfix - 2.0.18-20040122 + SpamAssassin-2.63-1 on RedHat9.0 100% cpu consumtion by Mailscanner !!!
In-Reply-To:
Message-ID: <20040225162748.289F121C27D@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Gandalf .29 .P
> Sent: Wednesday, February 25, 2004 11:13 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner -4.22-5+Postfix - 2.0.18-20040122 + SpamAssassin-
> 2.63-1 on RedHat9.0 100% cpu consumtion by Mailscanner !!!
>
> Hello All ,
>
> I am sitting in front of my server breaking my head why MailScanner
> consumes
> 99%-100% CPU when started ????
>

Do your logs have any interesting messages in them? It's always the first
place to start.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> My System Is Running :
> 1) RedHat 9.0
> 2) Perl v-5.8.0 from distro RPM !
> 3) Postfix build 2.0.18-20040122 from www.postfix.org + TLS patch
> 4) MailScanner 4.22-5 from MailScanner website installed from their
> install
> script .
> 5) SpamAssassin-2.63-1 rpm .
>
>
> I followed the Postfix+MailScanner Procedure as described in the postfix
> website under addon software MailScanner link and my postfix is running
> chrooted on /var/spool/postfix .
>
> The problem is every time I activate the postfix+mailscanner setup which
> includes all the steps mentioned in the mailscanner howto , mailscanner
> starts postfix incoming queue + outgoing and itself while initiating
> mailscanner through perl .
>
> Every time I run top I see the mailscanner process taking 99% of my CPU {
> I
> didn't mention but I am running a P4 machine + 256MB RAM with
> apache+webmail application} until the machine hangs !!!!
>
> If I get the chance to kill MailScanner processes everything gets back to
> normal and the cpu is 99% idle most of the time .
>
> I didn't commit any special changes to MailScanner.conf , I am just using
> f-
> prot and very much want to use the postfix-MailScanner-SpamAssassin
> combination .
>
>
> I will be very happy to get some help solving my problem ....
>
>
> Thanks in advance ,
>
> Gandalf .29 .P
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and
dangerous content by Fortress Secure Mail Gateway
and was found to be clean.

Fortress Systems Ltd. - http://www.fsl.com

From maillists at CONACTIVE.COM Wed Feb 25 16:31:37 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:43 2006
Subject: Dspam
In-Reply-To:
References:
Message-ID:

Michele Neylon :: Blacknight Solutions wrote on Tue, 24 Feb 2004 20:19:26 -0000:

> Resolving hostnames to offshore hosts sounds like a very complex process. I
> tested one of the "logo design" spams yesterday.
>

If you have a well-trained bayes db the logo spam gets caught solely by it.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From michele at BLACKNIGHTSOLUTIONS.COM Wed Feb 25 17:03:53 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:43 2006
Subject: Dspam
In-Reply-To:
Message-ID:

> Just because it's not perfect doesn't mean it's useless.

Useless = impractical

>
> It's certainly better than a lot of the filtering techniques out there, and
> should be a lot more effective.
>
> Reverse lookups for #3? No. *forward* lookups. Eg
> http://www.grblsndktqer.biz/ in the body of the spam resolves to an IP in
> china. So you block it.

A lot would depend on what you use for the reverse lookups ie. mapping the
domain to an IP and then to a geographic location. Although there are some
good IP - geo databases out there certain problems still exist. For example
UTV dialup users in the republic were being classed as UK.

From ellis at KAZAKCOMPOSITES.COM Wed Feb 25 17:11:30 2004
From: ellis at KAZAKCOMPOSITES.COM (Steve Ellis)
Date: Thu Jan 12 21:22:43 2006
Subject: [FAQ] Viruses in High Scoring Spams are not detected
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C572@jessica.herefordshire.gov.uk>
Message-ID: <000a01c3fbc2$694f7cb0$6600a8c0@Orthanc>

>MailScanner does not bother to virus scan emails which are flagged as
>high-scoring Spam when the "High Scoring Spam Actions" do not deliver or
>forward, even if the items are stored in quarantine. I'd like to know that
>we're storing a virus, so the workaround I use with sendmail is:
>
>  High Scoring Spam Actions = store forward spam@localhost.localdomain

Does this also apply to low scoring spam with a default action of store? I
have "High Scoring Spam Actions" set to delete, with MS 4.26.8-1, and have
found messages containing a virus in quarantine.

Steve Ellis
Sr Engineer
KaZaK Composites, Inc.
781.932.5667 x105

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Feb 25 17:30:37 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:43 2006
Subject: DOS and Oversized Zip
Message-ID:

Hi,

> > I think you'll find this is now configurable in clamav.conf
> >
>
> Right you are, I think......
> I have had a look at the clamav.conf file and the man page
> clamav.conf.5 and the only thing I can see that might be it
> is "ArchiveMaxFileSize SIZE"
> this defaults to 10mb.

That is most probably not the setting. The setting should define a maximum
compression ratio not an absolute archive size.

Regards,
JP

From rrobin at GREENAPPLE.COM Wed Feb 25 17:55:07 2004
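[Added example, not from the posts and not ClamAV or MailScanner code: how a limit on compression ratio differs from a limit on absolute archive size, the distinction drawn in the reply above. The archive is built in memory to resemble the case described in this thread (a small zip holding a few text files, one of them large); the member names, the 10 MB size limit and the ratio limit of 100 are sample values chosen for illustration.]

```python
import io
import zipfile


def member_ratios(zip_bytes):
    """Return [(name, declared_size, compressed_size, ratio)] per member.

    The sizes come from the archive's own directory, so they are what the
    archive declares; a scanner that unpacks files must still enforce its
    limits while decompressing.
    """
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.compress_size == 0:
                # Avoid dividing by zero on empty or malformed entries.
                ratio = float("inf") if info.file_size else 1.0
            else:
                ratio = info.file_size / info.compress_size
            rows.append((info.filename, info.file_size,
                         info.compress_size, ratio))
    return rows


def check_archive(zip_bytes, max_archive_bytes, max_ratio):
    """Apply both kinds of limit and report which one, if any, trips."""
    over = [name for name, _size, _csize, ratio in member_ratios(zip_bytes)
            if ratio > max_ratio]
    return {
        "archive_bytes": len(zip_bytes),
        "oversized": len(zip_bytes) > max_archive_bytes,
        "over_ratio": over,
    }


def build_sample():
    """Constructed sample: three text members, one large and repetitive."""
    big = b"The quick brown fox jumps over the lazy dog.\n" * 12000
    notes = " ".join(str(i * i) for i in range(400)).encode()
    readme = b"Three text files for a compression test.\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("big.txt", big)
        zf.writestr("notes.txt", notes)
        zf.writestr("readme.txt", readme)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for name, size, csize, ratio in member_ratios(sample):
        print(f"{name:12s} {size:8d} -> {csize:6d} bytes  ratio {ratio:7.1f}")
    print(check_archive(sample, max_archive_bytes=10 * 1024 * 1024,
                        max_ratio=100))
```

[The sample archive is only a few kilobytes, far below the size limit, yet big.txt exceeds the ratio limit: ordinary, highly repetitive text is enough to trip a ratio check, which is why raising a size limit does not make such reports go away.]
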
From: rrobin at GREENAPPLE.COM (Robin, Rob)
Date: Thu Jan 12 21:22:43 2006
Subject: Multiple Recipients
Message-ID:

Thanks Steve,

It will be good if it's in FAQ. Also, put a note under Mailscanner.conf ??

Thanks,
------------------------
Rob Robin
Network Analyst
Green Apple, Inc.
740-653-9890
rrobin@greenapple.com
www.greenapple.com
Internet access, hosting and development solutions since 1995.

-----Original Message-----
From: Stephen Swaney [mailto:steve.swaney@FSL.COM]
Sent: Tuesday, February 24, 2004 5:28 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Multiple Recipients

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Robin, Rob
> Sent: Tuesday, February 24, 2004 4:49 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Multiple Recipients
>
> Hello all,
>
> From MailScannner.conf,
>
> # When trying to work out the value of configuration parameters which are
> # using a ruleset, this controls the behaviour when a rule is checking the
> # "To:" addresses.
> # If this option is set to "yes", then the following happens when checking
> # the ruleset:
> #   a) 1 recipient. Same behaviour as normal.
> #   b) Several recipients, but all in the same domain (domain.com for
> #      example).
> #      The rules are checked for one that matches the string
> #      "*@domain.com".
> #   c) Several recipients, not all in the same domain.
> #      The rules are checked for one that matches the string "*@*".
> #
> # If this option is set to "no", then some rules will use the result they
> # get from the first matching rule for any of the recipients of a message,
> # so the exact value cannot be predicted for messages with more than 1
> # recipient.
> #
> # This value *cannot* be the filename of a ruleset.
>
>
> So, my interpretation on this is that when there are multiple
> recipients (w/ different policy), you can't really create a true
> per-user basis preference. Are there any ways I can make it so that we
> can create a true per user preference in the 'multiple recipient' case
> ?
>

Only with sendmail. Sendmail appears to be the only MTA that can convert
messages to multiple recipients up into individual messages to each
recipient before dropping in mqueue.in. MailScanner can then apply
individual preferences to each message.

We're using this technique on our own scanners. Note that it does add a bit
of load as the result of processing many more messages.

I've put this in the FAQ twice but now I can't find it there. I'll dig
around and see if I can find the instructions. This may take a while as
we're pretty busy right now.
Steve Swaney
Fortress Systems Ltd.
steve@fsl.com

>
> Thanks,
> ------------------------
> Rob Robin
> Network Analyst
> Green Apple, Inc.
> 740-653-9890
> rrobin@greenapple.com
> www.greenapple.com
> Internet access, hosting and development solutions since 1995.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and
dangerous content by Fortress Secure Mail Gateway
and was found to be clean.

Fortress Systems Ltd. - http://www.fsl.com

From forrie at FORRIE.COM Wed Feb 25 18:00:33 2004
From: forrie at FORRIE.COM (Forrest Aldrich)
Date: Thu Jan 12 21:22:43 2006
Subject: Enterprise scalability
Message-ID: <403CE2C1.90909@forrie.com>

I'm looking to evaluate a scalable scanning solution - the tune of 100's
of thousands of users - and I wonder if anyone here can share their
successes (and nightmares) with regard to MailScanner and its auxiliary
tools (SA is another worry).

I'm looking into Qmail at first, as we've a need for virtual mailboxes
(5 per user), etc. I'm concerned about how perl might behave in this
type of environment.

Thanks.

From rvitoria at CI.UCP.PT Wed Feb 25 18:07:43 2004
From: rvitoria at CI.UCP.PT (Rui Vitoria)
Date: Thu Jan 12 21:22:43 2006
Subject: spamassassin
Message-ID:

Hi,

I'm new user with spamassassin, how I configure SA to block, same email,
where in subject come with this.

subject:FWD: Order :Valium: , v|agr@ _ XA:n:ax > At|'v@n + .Pntermin. ) S+o+ma DCZum

Anybody can help me please.

Thank you,

Rui Vitória

From HancockS at MORGANCO.COM Wed Feb 25 18:11:18 2004
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:22:43 2006
Subject: spamassassin
Message-ID: <3EA1A302A4978A4C970D2C63F327156E012EF7B9@worc-mail2.int.morganco.com>

>subject:FWD: Order :Valium: , v|agr@ _ XA:n:ax > At|'v@n + .Pntermin. )
>S+o+ma DCZum
>

The anti-drug rule set will get that one.

http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?file=275

Scott

From rgreen at TRAYERPRODUCTS.COM Wed Feb 25 18:17:52 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green)
Date: Thu Jan 12 21:22:43 2006
Subject: spam assassin problem
Message-ID: <403CE6D0.6030908@trayerproducts.com>

Hello,

I'm testing Postfix/MailScanner/ClamAV/SpamAssassin on a test machine.
I've gotten everything working except SpamAssassin. It doesn't appear to
be scanning incoming mail. I've installed SA according to the
instructions at:
http://www.sng.ecs.soton.ac.uk/mailscanner/install/spamassassin.shtml

I stopped and restarted MailScanner. Mail is being accepted okay by
Postfix and scanned by MailScanner. I've sent a couple spam sample
messages to a test account from yahoo mail and the messages came through
untouched by spamassassin. There are no indications in the headers that
the messages were scanned. How can I troubleshoot this problem?

Any help would be appreciated.

Thanks!
Rod

--
"Please remain calm...I may be mad, but I am a professional."
-Mad Scientist

From lists at STHOMAS.NET Wed Feb 25 18:18:41 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:43 2006
Subject: DOS and Oversized Zip
In-Reply-To: ; from mailscan@PRIS.CA on Wed, Feb 25, 2004 at 10:06:53AM -0700
References: <1077576454.23027.0.camel@bach.kevinspicer.co.uk>
Message-ID: <20040225101841.A19734@sthomas.net>

On Wed, Feb 25, 2004 at 10:06:53AM -0700, MailScanner Mailbox is rumored to have said:
>
> Or.... am I even looking at the right option, I am still getting more
> "Denial of Service attack in message!" messages than I should be.
>

I think the option you're looking for is ArchiveMaxCompressionRatio. It's a
newer option, so you should make sure you're using the latest clamav.

--
"The true measure of a man is how he treats someone who can do him absolutely no good."
- Samuel Johnson (1709-1784)

From campbell at CNPAPERS.COM Wed Feb 25 18:36:42 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:43 2006
Subject: DOS and Oversized Zip
References: <1077576454.23027.0.camel@bach.kevinspicer.co.uk> <20040225101841.A19734@sthomas.net>
Message-ID: <003101c3fbce$50c924a0$1201a8c0@cnpapers.net>

Is the clamav.conf used at all when called from MailScanner?

If it is, what are the main things to be adjusting. I just let mine run
with the default configuration, and it seems to do fine.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Steve Thomas" To: Sent: Wednesday, February 25, 2004 1:18 PM Subject: Re: DOS and Oversized Zip > On Wed, Feb 25, 2004 at 10:06:53AM -0700, MailScanner Mailbox is rumored to have said: > > > > Or.... am I even looking at the right option, I am still getting more > > "Denial of Service attack in message!" messages then I should be. > > > > I think the option you're looking for is ArchiveMaxCompressionRatio. It's a newer option, so you should make sure you're using the latest clamav. > > -- > "The true measure of a man is how he treats someone who can do him absolutely no good." > - Samuel Johnson (1709-1784) From rrobin at GREENAPPLE.COM Wed Feb 25 19:02:39 2004 From: rrobin at GREENAPPLE.COM (Robin, Rob) Date: Thu Jan 12 21:22:43 2006 Subject: Multiple Recipients Message-ID: Thanks for the comment Raymond.. -----Original Message----- From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET] Sent: Tuesday, February 24, 2004 5:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Multiple Recipients Hi! > > So, my interpretation on this is that when there are > > multiple recipients (w/ different policy), you can't really create a > > true per-user basis preference. Are there any ways I can make it so > > that we can create a true per user preference in the 'multiple > > recipient' case ? > > > Only with sendmail. Sendmail appears to be the only MTA that can > convert messages to multiple recipients up into individual messages to > each recipient before dropping in mqueue.in. MailScanner can then > apply individual preferences to each message. You can also do this with Exim but it involved a third Exim process since Exim only can do this on the delivery stage, the splitting. Bye, Raymond. From spamtrap71892316634 at ANIME.NET Wed Feb 25 19:02:45 2004 
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:22:43 2006
Subject: Dspam
In-Reply-To: <2lap309uk02m9p92cpn4kka8smoelni745@4ax.com>
Message-ID:

On Wed, 25 Feb 2004, Peter Peters wrote:
> A number of spammers swap their domains around (or round robin them)
> over (free) webhosters. The referenced website only has a redirection
> frame in it. And sometimes the redirection is only activated when you
> get referred from the same URL.

Just because it isn't perfect doesn't mean it's useless.

You don't have to bother coming up with a bunch of special cases, because we already _know_ they can't be easily handled. We're just interested in the cases which _can_ be easily handled, which fortunately is >90% of them.

-Dan

From spamtrap71892316634 at ANIME.NET Wed Feb 25 19:13:42 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:22:43 2006
Subject: Dspam
In-Reply-To:
Message-ID:

On Wed, 25 Feb 2004, Michele Neylon :: Blacknight Solutions wrote:
> > Just because it's not perfect doesn't mean it's useless.
> Useless = impractical

Hardly. People *already use it* in beta versions of spamassassin. Whether you like it or not, this type of filtering is *already being used*, and will only become more widely used.

No, it's not perfect. But then no single filtering technique is. But it is very, very effective.

> > It's certainly better than a lot of the filtering techniques out there, and
> > should be a lot more effective.
> > Reverse lookups for #3? No. *forward* lookups. Eg
> > http://www.grblsndktqer.biz/ in the body of the spam resolves to an IP in
> > china. So you block it.
> A lot would depend on what you use for the reverse lookups ie. mapping the
> domain to an IP and then to a geographic location.
> Although there are some good IP - geo databases out there certain problems
> still exist. For example UTV dialup users in the republic were being classed
> as UK.

I use kr.rbl.cluecentral.net, cn.rbl.cluecentral.net

While it has had the occasional false negative in the past, it hasn't classed anyone a false positive afaik. Unless you have specific examples?

-Dan

From pete at eatathome.com.au Wed Feb 25 20:49:29 2004
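Added example (not part of the original thread, and not MailScanner or SpamAssassin code): the forward-lookup check Dan Hollis describes above, sketched in Python. Hosts of URLs in the body are resolved to IPs and each IP is queried against the two country zones he names; the reversed-octet query form, the injectable resolver, and every sample host, address and DNS answer are assumptions constructed for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Country zones named in the message above. The reversed-octet query form is
# the usual DNSBL convention and is assumed to apply to them.
ZONES = ("cn.rbl.cluecentral.net", "kr.rbl.cluecentral.net")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def system_resolver(name):
    """Return the IPv4 addresses for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def url_hosts(body):
    """Unique hostnames of the http(s) URLs in a message body, in order."""
    hosts = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:)!?")   # drop sentence punctuation
        try:
            host = urlsplit(url).hostname        # strips userinfo and port
        except ValueError:                       # malformed URL, ignore it
            continue
        host = (host or "").rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: 192.0.2.10 -> 10.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_body(body, resolve=system_resolver, zones=ZONES):
    """Forward-resolve each URL host and report the zones that list its IPs.

    Returns {host: [(ip, zone), ...]} containing only hosts with a hit.
    """
    hits = {}
    for host in url_hosts(body):
        try:
            ips = [str(ipaddress.IPv4Address(host))]   # URL used an IP literal
        except ValueError:
            ips = resolve(host)                        # the forward lookup
        for ip in ips:
            for zone in zones:
                if resolve(dnsbl_name(ip, zone)):      # any answer means listed
                    hits.setdefault(host, []).append((ip, zone))
    return hits


# Constructed sample data: RFC 5737 documentation addresses, .example names,
# and made-up DNSBL answers. Nothing here reflects real listings.
FAKE_DNS = {
    "www.pills.example": ["192.0.2.10"],
    "news.example": ["198.51.100.7"],
    "10.2.0.192.cn.rbl.cluecentral.net": ["127.0.0.2"],
    "99.113.0.203.kr.rbl.cluecentral.net": ["127.0.0.2"],
}

SAMPLE_BODY = """Order now at http://www.pills.example/buy?id=1.
Mirror: HTTP://203.0.113.99:8080/x and http://user@www.pills.example/again
Unrelated: http://news.example/story, http://gone.example/
"""


def fake_resolver(name):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return FAKE_DNS.get(name, [])


def demo():
    """Run the check over the constructed sample without touching the network."""
    return check_body(SAMPLE_BODY, resolve=fake_resolver)


if __name__ == "__main__":
    for host, listings in demo().items():
        print(host, listings)
```

A host that no longer resolves (gone.example in the sample) produces no verdict either way, which is the "not perfect" case conceded in the thread.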
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:43 2006
Subject: spam assassin problem
In-Reply-To: <403CE6D0.6030908@trayerproducts.com>
References: <403CE6D0.6030908@trayerproducts.com>
Message-ID: <403D0A59.1080000@eatathome.com.au>

Rodney Green wrote:

> Hello,
>
> I'm testing Postfix/MailScanner/ClamAV/SpamAssassin on a test machine.
> I've gotten everything working except SpamAssassin. It doesn't appear to
> be scanning incoming mail. I've installed SA according to the
> instructions at:
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/spamassassin.shtml
>
> I stopped and restarted MailScanner. Mail is being accepted okay by
> Postfix and scanned by MailScanner. I've sent a couple spam sample
> messages to a test account from yahoo mail and the messages came through
> untouched by spamassassin. There are no indications in the headers that
> the messages were scanned. How can I troubleshoot this problem?
>
> Any help would be appreciated. Thanks!
> Rod
>
>
> --
> "Please remain calm...I may be mad, but I am a professional."
>
> -Mad Scientist
>
>
>

Keep going over the config file MailScanner.conf - there are many options in there for turning on spamassassin and configuring what it logs etc.

Make sure you search in the mail list archives, heaps of good info in there.

From pete at eatathome.com.au Wed Feb 25 21:30:30 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:43 2006
Subject: Post Upgrade strangeness
Message-ID: <403D13F6.30602@eatathome.com.au>

I just upgraded my second mailscanner machine from
4.24-5/SA2.60/mailwatch .3b
to
4.26-8.1/SA2.63/Mailwatch.51

I changed nothing in the configs, except to add the new spamlists. The delivery method is set to batch.

Now, much unlike before, messages are accepted by incoming postfix, but not scanned, I get a pile of 10+ emails in the queue. I restart the MS service and they begin to scan, but, all of them are spamassassin timed out and delivered with a 0.00 score.

While my other mailscanner machine on the primary MX is purring along as before accepting scanning and delivering mail in quicktime.
Can anyone suggest where I should start looking? I have searched the mail archives but all the timed out stuff in there doesn't 'appear' to apply to me.

Appreciate any help
Pete

From mike at TC3NET.COM Wed Feb 25 21:41:10 2004
From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:22:43 2006 Subject: Enterprise scalability In-Reply-To: <9BDD6D4AD0795C46974D7D46C17883B809FC3812@ahm_exchange2.americanhm.com> References: <9BDD6D4AD0795C46974D7D46C17883B809FC3812@ahm_exchange2.americanhm.com> Message-ID: <1077745269.3097.7.camel@mike-new2.tc3net.com> You would need a lot of mighty boxes to handle that kind of volume. I use blades, so when my volume gets to a certain level, I just image in another one, and mx to it as well (to a centralized NFS spool). My blades are PIII-1200, I can handle without delay running mailscanner/spamassassin, and using tmpfs for the queue.in 200,000 per day, I'm using McAfee to do virus scanning as well, the machines only handle inbound mail, no outbound relay is allowed. Regards MIKE > If I were implementing in this type of environment, I would break it > up into more manageable chunks. First, figure out roughly how many > messages are processed each day. If you are expecting 500,000 users > who will receive on average 75 messages per day you are looking at > about 37,500,000 messages per day (that's a lot of mail). You can > build boxes fairly cheaply for handling a fraction of that mail, say > 1,000,000 messages per day. Get yourself 40 boxes, some load > balancing tools, a way to manage the configuration files easily and > you are in business. There were some threads within the past 3 months > about average load with hardware descriptions that you will find > somewhat helpful. > > > -----Original Message----- 
> > From: Forrest Aldrich [mailto:forrie@FORRIE.COM] > > Sent: Wednesday, February 25, 2004 1:01 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Enterprise scalability > > > > > > I'm looking to evaluate a scalable scanning solution - the > > tune of 100's of thousands of users - and I wonder if anyone > > here can share their successes (and nightmares) with regard > > to MailScanner and its auxiliary > > tools (SA is another worry). I'm looking into Qmail at > > first, as we've > > a need for virtual mailboxes (5 per user), etc. > > > > I'm concerned about how perl might behave in this type of > environment. > > > > > > Thanks. > > > From steve.swaney at FSL.COM Wed Feb 25 22:04:15 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:43 2006 Subject: Post Upgrade strangeness In-Reply-To: <403D13F6.30602@eatathome.com.au> Message-ID: <20040225220619.47F7F21C142@mail.fsl.com> Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Pete
> Sent: Wednesday, February 25, 2004 4:31 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Post Upgrade strangeness
>
> I just upgraded my second mailscanner machine from
> 4.24-5/SA2.60/mailwatch .3b
> to
> 4.26-8.1/SA2.63/Mailwatch.51
>
> I changed nothing in the configs, except to add the new spamlists. The
> delivery method is set to batch
>
> Now, much unlike before, messages are accepted by incoming postfix, but
> not scanned, I get a pile of 10+ emails in the queue. I restart the MS
> service and they begin to scan, but, all of them are spamassassin timed
> out and delivered with a 0.00 score.
>
> While my other mailscanner machine on the primary MX is purring along as
> before accepting scanning and delivering mail in quicktime.
> Can anyone suggest where I should start looking? I have searched the
> mail archives but all the timed out stuff in there doesn't 'appear' to
> apply to me.
>

Try setting the parameters below in MailScanner.conf and restart MailScanner from the command line. The output should give you a good clue as to what's going wrong.

# Set Debug to "yes" to stop it running as a daemon and just process
# one batch of messages and then exit.
Debug = yes

# Do you want to debug SpamAssassin from within MailScanner?
Debug SpamAssassin = yes

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> Appreciate any help
> Pete
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean.
Fortress Systems Ltd. - http://www.fsl.com

From ka at PACIFIC.NET Wed Feb 25 23:25:46 2004
From: ka at PACIFIC.NET (Ken Anderson (Pacific Internet)) Date: Thu Jan 12 21:22:43 2006 Subject: ANNOUNCE: beta 4.27.5 released In-Reply-To: <6.0.1.1.2.20040225092904.03d5b020@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040225092904.03d5b020@imap.ecs.soton.ac.uk> Message-ID: <403D2EFA.3040203@pacific.net> Hmmm. I'm seeing a lot of mail not getting scanned in mqueue.in with this new version. Not sure what's wrong. How can I back up to a previous version? install.sh complains that the current version is newer. Thanks, Ken Anderson Pacific.Net Julian Field wrote: > Morning all, > > This is (hopefully) the last beta/unstable version before 4.27 goes stable > this weekend. > Please give it a try and check that everything is working properly. Bugs in > this version will be in the stable release unless you tell me about them! > > All the MIME robustness patches should be included. > I have added support for Symantec CarrierScan (thanks to Martin Foster for > that). > > Download as usual from www.mailscanner.info > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From raymond at PROLOCATION.NET Wed Feb 25 23:42:04 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:43 2006 Subject: ANNOUNCE: beta 4.27.5 released In-Reply-To: <403D2EFA.3040203@pacific.net> Message-ID: Hi! > I'm seeing a lot of mail not getting scanned in mqueue.in with this new > version. Not sure what's wrong. > How can I back up to a previous version? > install.sh complains that the current version is newer. What do you mean with not getting scanned ? Is mail stuck there or something? Same version runs like a charm here. Bye, Raymond. From ka at PACIFIC.NET Wed Feb 25 23:55:45 2004 
From: ka at PACIFIC.NET (Ken Anderson (Pacific Internet)) Date: Thu Jan 12 21:22:43 2006 Subject: ANNOUNCE: beta 4.27.5 released In-Reply-To: References: Message-ID: <403D3601.1040607@pacific.net> Raymond Dijkxhoorn wrote: > Hi! > > >>I'm seeing a lot of mail not getting scanned in mqueue.in with this new >>version. Not sure what's wrong. >>How can I back up to a previous version? >>install.sh complains that the current version is newer. > > > What do you mean with not getting scanned ? Is mail stuck there or > something? Same version runs like a charm here. It's steadily building up a backlog of mail. It is scanning, but seems to be too slow to keep up. The incoming volumn has not increased. I'd like to back up to a previous version. Any help appreciated. Thanks, Ken > Bye, > Raymond. > > From raymond at PROLOCATION.NET Wed Feb 25 23:58:21 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:43 2006 Subject: ANNOUNCE: beta 4.27.5 released In-Reply-To: <403D3601.1040607@pacific.net> Message-ID: Hi! > > What do you mean with not getting scanned ? Is mail stuck there or > > something? Same version runs like a charm here. > > It's steadily building up a backlog of mail. It is scanning, but seems > to be too slow to keep up. The incoming volumn has not increased. > I'd like to back up to a previous version. > Any help appreciated. Just do rpm -i --nodeps --force And dont forget to put back your old config. Bye, Raymond. From ka at PACIFIC.NET Thu Feb 26 00:39:29 2004 
From: ka at PACIFIC.NET (Ken Anderson (Pacific Internet)) Date: Thu Jan 12 21:22:43 2006 Subject: ANNOUNCE: beta 4.27.5 released In-Reply-To: References: Message-ID: <403D4041.3080502@pacific.net> I will try to get more info on what happened as time permits. I can tell you that it seemed to be the upgrade that caused the backlog of mail in mqueue.in. Right now I'm just glad to see the number of messages in mqueue.in dropping again. Here's what happened visually after upgrading from Mailscanner-4.26.5-1 to MailScanner-4.27.6-1 at 11 am this morning: http://www.pacificsites.com/~ken/ms/02252004.png I tried turning off DCC, Pyzor, tweaking a few other options, but to no avail. I'm back to 4.26.5-1 now and things snapped back rather quickly when I downgraded. Thanks, Ken A Raymond Dijkxhoorn wrote: > Hi! > > >>>What do you mean with not getting scanned ? Is mail stuck there or >>>something? Same version runs like a charm here. >> >>It's steadily building up a backlog of mail. It is scanning, but seems >>to be too slow to keep up. The incoming volumn has not increased. >>I'd like to back up to a previous version. >>Any help appreciated. > > > Just do rpm -i --nodeps --force > > And dont forget to put back your old config. > > Bye, > Raymond. > > From jwilliams at COURTESYMORTGAGE.COM Thu Feb 26 00:47:43 2004 
From: jwilliams at COURTESYMORTGAGE.COM (Jason Williams) Date: Thu Jan 12 21:22:43 2006 Subject: Few general questions regarding MailScanner Message-ID: <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com> Hello everyone. I'm new to the list, but i've researched your product here for the past couple of weeks. I wanted to ask some questions and get some feedback regarding mailscanner as im looking for a solution for our company mail server. Here is what im currently working with: FreeBSD 4.9 Sendmail 8.12.11 Cyrus-Imapd-2.2.3 Cyrus-Sasl-2.1.17 Currently, it appears that the mail server is going to sit on the DMZ, so sendmail, cyrus and all the other goodies will all be on the same box (although my preference is to use a SMTP gateway, that may not be a option) Mailscanner came recommended by a colleague of mine as well MIMEDefang (not comparing the two, but I am looking at the two as solutions). Here is what im looking for: -stability -security -reliability -performance -spam checking and virus checking (obviously) I want the ability to setup the mail server, know that the products will do their job and not have to worry about it. I'm still looking for a virus scanner, so if anyone has one they recommend, im all eyes. :) I'd just like to hear about the benefits and any drawbacks of mailscanner. Like I said, i've pretty much narrowed it down to mailscanner and mimedefang. I really look forward to hearing some feedback here. Cheers, Jason From mkettler at EVI-INC.COM Thu Feb 26 01:24:30 2004 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:43 2006 Subject: Few general questions regarding MailScanner In-Reply-To: <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com > References: <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com> Message-ID: <6.0.0.22.0.20040225200845.01b88380@xanadu.evi-inc.com> At 07:47 PM 2/25/2004, Jason Williams wrote: >I want the ability to setup the mail server, know that the products will do >their job and not have to worry about it. >I'm still looking for a virus scanner, so if anyone has one they recommend, >im all eyes. :) AV recommendations: World-class, but with world-class price-tag: Sophos good bang-for-buck: F-prot (for BSD mailservers about $800 for 100-200 user license, check their website for pricing) Costs nothing, but isn't perfect: Clam-av >I'd just like to hear about the benefits and any drawbacks of mailscanner. >Like I said, i've pretty much narrowed it down to mailscanner and mimedefang. Mimedefang: sendmail only, milter level, efficient, can do SMTP layer rejections. MailScanner: very flexible "double queue" system probably less efficient in peak thruput, but also allows heavy bursts of mail to come in without increasing the number of scanners running at once. Cannot do SMTP layer rejections Disclaimer: the following conclusion is my own, and isn't based on any real testing. It's based on my understanding of the mechanisms and thinking about both as queuing problems. I suspect that MailScanner can handle more inbound emails/sec, making it better at handling short-term spikes in email gracefully, but I suspect mimedefang has a better "sustained" thruput, making it better for heavy-load systems without big spikes in traffic. From walkera at OFB.NET Thu Feb 26 01:16:50 2004 
From: walkera at OFB.NET (Walker Aumann)
Date: Thu Jan 12 21:22:43 2006
Subject: One recipient per message (sendmail) pointer + question
Message-ID: <20040226011650.GA15146@ofb.net>

Hi all,

I know this was discussed recently, and Steve Swaney said he was going to dig up an answer. Well, I found this answer in the FAQ:

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html

Very nice, as I couldn't find documentation anywhere else on how to add the appropriate options to the .m4 file (I'm really much more comfortable hacking the .cf file, but I'm trying to be nice and maintainable for anyone else who may have to deal with this stuff). However, I still have one problem:

Feb 25 16:55:52 gw-sea sendmail[24296]: NOQUEUE: SYSERR(root): QueuePath /var/spool/mqueue.in not subpath of QueueDirectory /var/spool/mqueue/

This is coming from the outbound sendmail.

I'd really like to do this with one .m4 file if at all possible. Is it at all possible?

Walker

From pete at eatathome.com.au Thu Feb 26 01:43:23 2004
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:43 2006 Subject: MailScanner -4.22-5+Postfix - 2.0.18-20040122 + SpamAssassin-2.63-1 on RedHat9.0 100% cpu consumtion by Mailscanner !!! In-Reply-To: <403CCD1E.4070309@abacom.com> References: <403CCD1E.4070309@abacom.com> Message-ID: <403D4F3B.6080405@eatathome.com.au> Chris Conn wrote: > Try to modify your /etc/sysconfig/i18n and make change it as follows: > > LANG="en_US" > SUPPORTED="en_US:en" > SYSFONT="latarcyrheb-sun16" > > and reboot (or reload your Mailscanner, at least) > > Get rid of the UTF, it makes a bunch of packages slow as h... on > redhat9. Perl and the like. > > But, to be honest, RH9 seems somewhat slower overall. I have better > performance on RH Enterprise ES. > > Chris > > > Gandalf .29 .P wrote: > >> Hello All , >> >> I am sitting infront of my server breaking my head why MailScanner >> consumes >> 99%-100% CPU when started ???? >> >> My System Is Running : >> 1) RedHat 9.0 >> 2) Perl v-5.8.0 from distro RPM ! >> 3) Postfix build 2.0.18-20040122 from www.postfix.org + TLS patch >> 4) MailScanner 4.22-5 from MailScanner website installed from their >> install >> script . >> 5) SpamAssasin-2.63-1 rpm . >> >> >> I followed the Postfix+MailScanner Procedure as described in the postfix >> website under addon software MailScanner link and my postfix is runnnig >> chrooted on /var/spool/postfix . >> >> The problem is every time I activate the postfix+mailscanner setup which >> includes all the steps mentioned in the mailscanner howto , mailscanner >> starts postfix incoming queue + outgoing and itself while initating >> mailscanner through perl . >> >> Every time I run top I see the mailscanner process taking 99% of my >> CPU { I >> didn't mention but I am running a P4 machine + 256MB RAM with >> apache+webmail application} until the machine hangs !!!! >> >> If I get the chance to kill MailScanner processes everything gets >> back to >> normal and the cpu is 99% idle most of the time . 
>>
>> I didn't commit any special changes to MailScanner.conf , I am just
>> using f-
>> prot and very much want to use the postfix-MailScanner-SpamAssassin
>> combination .
>>
>>
>> I will be very happy to get some help solving my problem ....
>>
>>
>> Thanks in advance ,
>>
>> Gandalf .29 .P
>
>
>
>

See I had to change mine to the below or I couldn't compile some stuff, mainly perl cpan stuff - how to get around the compile issue and have the most appropriate lang settings?

LANG="C"
#LANG="en_US.UTF-8"
SUPPORTED="en_US.UTF-8:en_US:en"

From steve.swaney at FSL.COM Thu Feb 26 02:09:38 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:44 2006
Subject: One recipient per message (sendmail) pointer + question
In-Reply-To: <20040226011650.GA15146@ofb.net>
Message-ID: <20040226021141.BC2E721C143@mail.fsl.com>

Many thanks for finding the FAQ entry. It saved me a bit of work at a very busy time!

Sorry for the top posting but it seemed appropriate. You don't have to read the rest of the thread :>)

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Walker Aumann > Sent: Wednesday, February 25, 2004 8:17 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: One recipient per message (sendmail) pointer + question > > Hi all, > > I know this was discussed recently, and Steve Swaney said he was going > to dig up an answer. Well, I found this answer in the FAQ: > > http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html > > Very nice, as I couldn't find documentation anywhere else on how to add > the appropriate options to the .m4 file (I'm really much more > comfortable hacking the .cf file, but I'm trying to be nice and > maintainable for anyone else who may have to deal with this stuff). > However, I still have one problem: > > Feb 25 16:55:52 gw-sea sendmail[24296]: NOQUEUE: SYSERR(root): QueuePath > /var/spool/mqueue.in not subpath of QueueDirectory /var/spool/mqueue/ > > This is coming from the outbound sendmail. > > I'd really like to do this with one .m4 file if at all possible. Is it > at all possible? > > Walker > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From steve.swaney at FSL.COM Thu Feb 26 02:16:48 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:44 2006 Subject: MailScanner -4.22-5+Postfix - 2.0.18-20040122 + SpamAssassin-2.63-1 on RedHat9.0 100% cpu consumtion by Mailscanner !!! In-Reply-To: <403D4F3B.6080405@eatathome.com.au> Message-ID: <20040226021851.4087521C143@mail.fsl.com> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Pete > Sent: Wednesday, February 25, 2004 8:43 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner -4.22-5+Postfix - 2.0.18-20040122 + SpamAssassin- > 2.63-1 on RedHat9.0 100% cpu consumtion by Mailscanner !!! > > Chris Conn wrote: > > > Try to modify your /etc/sysconfig/i18n and make change it as follows: > > > > LANG="en_US" > > SUPPORTED="en_US:en" > > SYSFONT="latarcyrheb-sun16" > > > > and reboot (or reload your Mailscanner, at least) > > > > Get rid of the UTF, it makes a bunch of packages slow as h... on > > redhat9. Perl and the like. > > > > But, to be honest, RH9 seems somewhat slower overall. I have better > > performance on RH Enterprise ES. > > > > Chris > > > > > > Gandalf .29 .P wrote: > > > >> Hello All , > >> > >> I am sitting infront of my server breaking my head why MailScanner > >> consumes > >> 99%-100% CPU when started ???? > >> > >> My System Is Running : > >> 1) RedHat 9.0 > >> 2) Perl v-5.8.0 from distro RPM ! > >> 3) Postfix build 2.0.18-20040122 from www.postfix.org + TLS patch > >> 4) MailScanner 4.22-5 from MailScanner website installed from their > >> install > >> script . > >> 5) SpamAssasin-2.63-1 rpm . > >> > >> > >> I followed the Postfix+MailScanner Procedure as described in the > postfix > >> website under addon software MailScanner link and my postfix is runnnig > >> chrooted on /var/spool/postfix . > >> > >> The problem is every time I activate the postfix+mailscanner setup > which > >> includes all the steps mentioned in the mailscanner howto , mailscanner > >> starts postfix incoming queue + outgoing and itself while initating > >> mailscanner through perl . > >> > >> Every time I run top I see the mailscanner process taking 99% of my > >> CPU { I > >> didn't mention but I am running a P4 machine + 256MB RAM with > >> apache+webmail application} until the machine hangs !!!! 
> >>
> >> If I get the chance to kill MailScanner processes everything gets
> >> back to
> >> normal and the cpu is 99% idle most of the time .
> >>
> >> I didn't commit any special changes to MailScanner.conf , I am just
> >> using f-
> >> prot and very much want to use the postfix-MailScanner-SpamAssassin
> >> combination .
> >>
> >>
> >> I will be very happy to get some help solving my problem ....
> >>
> >>
> >> Thanks in advance ,
> >>
> >> Gandalf .29 .P
> >
> >
> >
> >
> See I had to change mine to the below or I couldn't compile some stuff,
> mainly perl cpan stuff - how to get around the compile issue and have
> the most appropriate lang settings?
>
> LANG="C"
> #LANG="en_US.UTF-8"
> SUPPORTED="en_US.UTF-8:en_US:en"

You could leave the settings alone and just issue:

export LANG=C

In the shell you're doing the compile in. But frankly I've never had a problem changing the setting in /etc/sysconfig/i18n

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean.
Fortress Systems Ltd. - http://www.fsl.com

From mlm at LOANPROCESSING.NET Thu Feb 26 05:55:00 2004
From: mlm at LOANPROCESSING.NET (Mike McMullen) Date: Thu Jan 12 21:22:44 2006 Subject: Possible Virus? Message-ID: <010501c3fc2d$13033110$0300a8c0@Spike> I received an email with an attachment called "grenade.html". It consists of Java script that defines two arrays of numbers that it performs some "magic" on and then does a document.write on something called "milking". I'm not a java script person at all but this looks like a virus trying to come in under the wire. MailScanner and ClamAV didn't flag it as a virus. Has anyone seen this or know what it is? Thanks, Mike From jburzenski at AMERICANHM.COM Wed Feb 25 20:33:08 2004 From: jburzenski at AMERICANHM.COM (Jason Burzenski) Date: Thu Jan 12 21:22:44 2006 Subject: Enterprise scalability Message-ID: <9BDD6D4AD0795C46974D7D46C17883B809FC3812@ahm_exchange2.americanhm.com> If I were implementing in this type of environment, I would break it up into more manageable chunks. First, figure out roughly how many messages are processed each day. If you are expecting 500,000 users who will receive on average 75 messages per day you are looking at about 37,500,000 messages per day (that's a lot of mail). You can build boxes fairly cheaply for handling a fraction of that mail, say 1,000,000 messages per day. Get yourself 40 boxes, some load balancing tools, a way to manage the configuration files easily and you are in business. There were some threads within the past 3 months about average load with hardware descriptions that you will find somewhat helpful. > -----Original Message----- 
> From: Forrest Aldrich [mailto:forrie@FORRIE.COM] > Sent: Wednesday, February 25, 2004 1:01 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Enterprise scalability > > > I'm looking to evaluate a scalable scanning solution - the > tune of 100's of thousands of users - and I wonder if anyone > here can share their successes (and nightmares) with regard > to MailScanner and its auxiliary > tools (SA is another worry). I'm looking into Qmail at > first, as we've > a need for virtual mailboxes (5 per user), etc. > > I'm concerned about how perl might behave in this type of environment. > > > Thanks. > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040225/a733edd4/attachment.html From shrek-m at GMX.DE Thu Feb 26 07:14:32 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:44 2006 Subject: ANNOUNCE: beta 4.27.5 released In-Reply-To: References: Message-ID: <403D9CD8.6050806@gmx.de> Raymond Dijkxhoorn wrote: >>I'd like to back up to a previous version. >>Any help appreciated. >> >> > >Just do rpm -i --nodeps --force > > or --oldpackage # rpm -Uvh --oldpackage afaik not really necessary --replacefiles --replacepkgs # rpm -Uvh --oldpackage --replacefiles --replacepkgs [RFE] ./install.sh downgrade >And dont forget to put back your old config. > -- shrek-m From Jan-Peter.Koopmann at SECEIDOS.DE Thu Feb 26 08:49:46 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:44 2006 Subject: Few general questions regarding MailScanner Message-ID: Hi Jason, > I'm still looking for a virus scanner, so if anyone has one > they recommend, im all eyes. :) F-Secure for Linux works on FreeBSD 4.9 with linux_emulation. It is pretty affordable and has three scan engines. Have you had a look at /usr/ports/mail/mailscanner and /usr/ports/mail/mailscanner-devel? Regards, JP From jrawcliffe at LONDON.EDU Thu Feb 26 09:57:42 2004 
From: jrawcliffe at LONDON.EDU (Julian Rawcliffe)
Date: Thu Jan 12 21:22:44 2006
Subject: Email Spam Reports sent to recipients
Message-ID: <1077789462.30210.29.camel@isd92.lbs.ac.uk>

This is probably a silly question, but I'm still stumped.

We're running MailScanner 4.25-14 with SpamAssassin 2.63 and deliver identified Spam as an attachment (for server-side filtering). To identify whether a message is genuine spam or

I am also running SA 2.60 at home, without MailScanner. In this case, however, the spam reports sent with a message include the Spam report along with a human readable description of the spam:

Content analysis details:   (106.6 points, 5.0 required)

 pts rule name              description
---- -------------------------------------------------------------------
 0.3 NO_REAL_NAME           From: does not include a real name
 0.1 HTML_FONTCOLOR_UNKNOWN BODY: HTML font color is unknown to us
 0.8 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.6 HTML_WEB_BUGS          BODY: Image tag intended to identify you
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.5 HTML_LINK_PUSH_HERE    BODY: HTML link text says "push here" or similar
 0.1 HTML_FONTCOLOR_RED     BODY: HTML font color is red
 1.3 MAILTO_SUBJ_REMOVE     BODY: mailto URI includes removal text
 0.7 MIME_HTML_NO_CHARSET   RAW: Message text in HTML without charset
 0.0 MAILTO_TO_REMOVE       URI: Includes a 'remove' email address
 0.2 HTTP_WITH_EMAIL_IN_URL URI: 'remove' URL contains an email address
 100 USER_IN_BLACKLIST      From: address is in the user's black-list
 1.9 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers

To appease some of the more intolerant users it would be useful to have such detail included with the Spam reports sent out via MailScanner.

I've looked through the MailScanner configuration and can't see anything that mentions the kind of report. Am I missing something stupid or do I need to dig deeper in the SA config?

--
Julian Rawcliffe
London Business School, Sussex Place, Regents Park, London. NW1 4SA
t: +44 (0)20 7000 7782 direct --- Helpdesk t: +44 (0)20 7000 7700
m: +44 (0)7966 90 7782 mobile --- Helpdesk f: +44 (0)20 7724 6300
mailto:jrawcliffe@london.edu --- http://www.london.edu/technology/

From P.G.M.Peters at utwente.nl Thu Feb 26 10:20:42 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:44 2006
Subject: ANNOUNCE: beta 4.27.5 released
In-Reply-To:
References: <403D3601.1040607@pacific.net>
Message-ID:

On Thu, 26 Feb 2004 00:58:21 +0100, you wrote:

>And don't forget to put back your old config.

You don't need to use the old config if you didn't change anything (or just the new settings). As I understood MS only reads the settings he knows about.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From ugob at CAMO-ROUTE.COM Thu Feb 26 10:37:25 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:44 2006
Subject: Possible Virus?
Message-ID: <54C38A0B814C8E438EF73FC76F362927410933@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Mike McMullen [mailto:mlm@LOANPROCESSING.NET]
>Sent: February 26, 2004 00:55
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Possible Virus?
>
>
>I received an email with an attachment called "grenade.html".
>It consists of Java script that defines two arrays of numbers
>that it performs some "magic" on and then does a document.write
>on something called "milking".
>
>I'm not a java script person at all but this looks like a virus trying
>to come in under the wire. MailScanner and ClamAV didn't
>flag it as a virus.
>
>Has anyone seen this or know what it is?

Could you send the exact javascript?

>
>Thanks,
>
>Mike
>

From ugob at CAMO-ROUTE.COM Thu Feb 26 10:42:58 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:44 2006
Subject: Email Spam Reports sent to recipients
Message-ID: <54C38A0B814C8E438EF73FC76F362927410934@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Julian Rawcliffe [mailto:jrawcliffe@LONDON.EDU]
>Sent: February 26, 2004 04:58
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Email Spam Reports sent to recipients
>
>
>This is probably a silly question, but I'm still stumped.
>
>We're running MailScanner 4.25-14 with SpamAssassin 2.63 and
>deliver identified Spam as an attachment (for server-side
>filtering). To identify whether a message is genuine spam
>or
>
>I am also running SA 2.60 at home, without MailScanner. In this
>case, however, the spam reports sent with a message include the
>Spam report along with a human readable description of the spam:
>Content analysis details:   (106.6 points, 5.0 required)
>
> pts rule name              description
>---- ---------------------- --------------------------------------------------
> 0.3 NO_REAL_NAME           From: does not include a real name
> 0.1 HTML_FONTCOLOR_UNKNOWN BODY: HTML font color is unknown to us
> 0.8 HTML_30_40             BODY: Message is 30% to 40% HTML
> 0.6 HTML_WEB_BUGS          BODY: Image tag intended to identify you
> 0.0 HTML_MESSAGE           BODY: HTML included in message
> 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
> 0.5 HTML_LINK_PUSH_HERE    BODY: HTML link text says "push here" or similar
> 0.1 HTML_FONTCOLOR_RED     BODY: HTML font color is red
> 1.3 MAILTO_SUBJ_REMOVE     BODY: mailto URI includes removal text
> 0.7 MIME_HTML_NO_CHARSET   RAW: Message text in HTML without charset
> 0.0 MAILTO_TO_REMOVE       URI: Includes a 'remove' email address
> 0.2 HTTP_WITH_EMAIL_IN_URL URI: 'remove' URL contains an email address
> 100 USER_IN_BLACKLIST      From: address is in the user's black-list
> 1.9 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
>
>To appease some of the more intolerant users it would be useful
>to have such detail included with the Spam reports sent out via
>MailScanner. I've looked through the MailScanner configuration and
>can't see anything that mentions the kind of report. Am I missing
>something stupid or do I need to dig deeper in the SA config?
>

Well, this isn't the first time such a question is asked, IIRC. I think
the usual answer is: "if you have time to read all this crap, you've got
nothing to do" (or you're a sysadmin and you have access to it in your
mail logs or in mailwatch).

I don't know how the "attachment" rule works, but with the "deliver"
option, all this information is in the headers. If one user is so much
interested in this highly-technical stuff, I bet he won't mind taking
one extra step to get this info.

hth

Ugo

>--
>
>Julian Rawcliffe
>
>London Business School, Sussex Place, Regents Park, London. NW1 4SA
>t: +44 (0)20 7000 7782 direct --- Helpdesk t: +44 (0)20 7000 7700
>m: +44 (0)7966 90 7782 mobile --- Helpdesk f: +44 (0)20 7724 6300
>mailto:jrawcliffe@london.edu --- http://www.london.edu/technology/
>

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Feb 26 10:45:36 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:44 2006
Subject: Email Spam Reports sent to recipients
Message-ID:

Hi,

> of report. Am I missing something stupid or do I need to dig
> deeper in the SA config?

Please have a look at the archives here before posting a question. This
has been asked and answered over and over again. MailScanner does not
provide this kind of report within a message. You can however tell
MailScanner to put the test scores in the message header (without the
test description though).

AFAIK:

Detailed Spam Report = yes

Regards,
  JP

From rvitoria at ci.ucp.pt Thu Feb 26 10:51:36 2004
From: rvitoria at ci.ucp.pt (Rui Vitória)
Date: Thu Jan 12 21:22:44 2006
Subject: spamassassin
In-Reply-To: <3EA1A302A4978A4C970D2C63F327156E012EF7B9@worc-mail2.int.morganco.com>
Message-ID: <200402261053.i1QAreL29660@fagote.ci.ucp.pt>

Thanks Scott

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
Of Hancock, Scott
Sent: Wednesday, February 25, 2004 18:11
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: spamassassin

>subject:FWD: Order :Valium: , v|agr@ _ XA:n:ax > At|'v@n + .Pntermin. )
>S+o+ma DCZum
>

The anti-drug rule set will get that one.

http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?file=275

Scott

From morten at TECH-CENTER.COM Thu Feb 26 10:42:49 2004
From: morten at TECH-CENTER.COM (Jan M. Kristoffersen)
Date: Thu Jan 12 21:22:44 2006
Subject: Mail coming from
Message-ID:

Hi,

Occasionally MailScanner finds a virus infected mail (using the external
virus-scanner) where it apparently doesn't know/say what MX it came from.
Then it relays the mail just as if it wasn't infected. I've seen it with
mails infected with different viruses.

Has anyone else seen this in their logs?

"Feb 26 07:15:08 smtp MailScanner[27226]: Infected message i1Q6Eo812964 came from "

There are two spaces at the end of the line instead of the sender IP.

I'm using MailScanner 4.26.8 and SpamAssassin 2.60. The same happened
with MailScanner 4.24.

JM

From prandal at HEREFORDSHIRE.GOV.UK Thu Feb 26 10:56:39 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:44 2006
Subject: Enterprise scalability
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C577@jessica.herefordshire.gov.uk>

Is that 200,000 per blade? What sort of volume in GB are we talking about?

Just curious.

We're handling about 8600 messages a day, 560MB on a single P4 Xeon 2.4GHz,
1GB RAM, tmpfs and hardware mirrored SCSI disks with a load average around
0.5 (box is also running squid for around 800 users).

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Michael Baird
> Sent: 25 February 2004 21:41
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Enterprise scalability
>
>
> You would need a lot of mighty boxes to handle that kind of volume. I
> use blades, so when my volume gets to a certain level, I just image in
> another one, and mx to it as well (to a centralized NFS spool). My
> blades are PIII-1200, I can handle without delay running
> mailscanner/spamassassin, and using tmpfs for the queue.in 200,000 per
> day, I'm using McAfee to do virus scanning as well, the machines only
> handle inbound mail, no outbound relay is allowed.
>
> Regards
> MIKE
>
> > If I were implementing in this type of environment, I would break it
> > up into more manageable chunks. First, figure out roughly how many
> > messages are processed each day. If you are expecting 500,000 users
> > who will receive on average 75 messages per day you are looking at
> > about 37,500,000 messages per day (that's a lot of mail). You can
> > build boxes fairly cheaply for handling a fraction of that mail, say
> > 1,000,000 messages per day. Get yourself 40 boxes, some load
> > balancing tools, a way to manage the configuration files easily and
> > you are in business. There were some threads within the past 3 months
> > about average load with hardware descriptions that you will find
> > somewhat helpful.
> >
> > > -----Original Message-----
> > > From: Forrest Aldrich [mailto:forrie@FORRIE.COM]
> > > Sent: Wednesday, February 25, 2004 1:01 PM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Enterprise scalability
> > >
> > >
> > > I'm looking to evaluate a scalable scanning solution - the
> > > tune of 100's of thousands of users - and I wonder if anyone
> > > here can share their successes (and nightmares) with regard
> > > to MailScanner and its auxiliary
> > > tools (SA is another worry). I'm looking into Qmail at
> > > first, as we've
> > > a need for virtual mailboxes (5 per user), etc.
> > >
> > > I'm concerned about how perl might behave in this type of environment.
> > >
> > >
> > > Thanks.
> > >
> >
>

From shrek-m at GMX.DE Thu Feb 26 11:07:15 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:44 2006
Subject: [RFE] footer, bugzilla (was Re: Email Spam Reports sent to recipients)
In-Reply-To:
References:
Message-ID: <403DD363.60405@gmx.de>

Jan-Peter Koopmann wrote:

>Please have a look at the archives here before posting a question. This
>has been asked and answered over and over again.
>

[RFE] bugzilla
eg. http://bugzilla.mailscanner.info
http://bugzilla.org

[RFE] what about a footer ?
--
MailScanner mailing list MAILSCANNER@JISCMAIL.AC.UK
MailScanner archives http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A0=mailscanner

--
shrek-m

From jrawcliffe at LONDON.EDU Thu Feb 26 11:15:14 2004
From: jrawcliffe at LONDON.EDU (Julian Rawcliffe)
Date: Thu Jan 12 21:22:44 2006
Subject: Email Spam Reports sent to recipients
In-Reply-To:
References:
Message-ID: <1077794113.30332.61.camel@isd92.lbs.ac.uk>

On Thu, 2004-02-26 at 10:45, Jan-Peter Koopmann wrote:
> Hi,
>
> > of report. Am I missing something stupid or do I need to dig
> > deeper in the SA config?
>
> Please have a look at the archives here before posting a question. This
> has been asked and answered over and over again. MailScanner does not
> provide this kind of report within a message. You can however tell
> MailScanner to put the test scores in the message header (without the
> test description though).
>
Apologies for posting a dumb question. I checked the archives and found
nothing appropriate.

> AFAIK:
>
> Detailed Spam Report = yes
I have this set. My question is: if SpamAssassin can do it and
MailScanner is running a stock SpamAssassin, why do I only get a message
like:

    Our MailScanner believes that the attachment to this message sent to you
       From: spam@wherever.com
       Subject: Try our lovely Spam
    is Unsolicited Commerial Email (spam). Unless you are sure that this
    message is incorrectly thought to be spam, please delete this message
    without opening it. Opening spam messages might allow the spammer to
    verify your email address.

Whereas a stock SA install running via procmail provides a more detailed
report. It is a significant hassle getting the header information since
simply forwarding the delivered Spam report does not include the headers,
meaning repeated requests to disinterested users for more information,
further increasing the annoyance all round.

I am currently installing MailWatch and this may help, but I do have
some users that are generally interested in this information and provide
excellent feedback about how well the spam detection is working.

>
>
> Regards,
> JP
--

Julian Rawcliffe

London Business School, Sussex Place, Regents Park, London. NW1 4SA
t: +44 (0)20 7000 7782 direct --- Helpdesk t: +44 (0)20 7000 7700
m: +44 (0)7966 90 7782 mobile --- Helpdesk f: +44 (0)20 7724 6300
mailto:jrawcliffe@london.edu --- http://www.london.edu/technology/

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Feb 26 11:24:55 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:44 2006
Subject: Email Spam Reports sent to recipients
Message-ID:

Hi Julian,

> I have this set. My question is: if SpamAssassin can do it and
> MailScanner is running a stock SpamAssassin, why do I only
> get a message
> like:
> Our MailScanner believes that the attachment to this message
> sent to you

The report settings of SpamAssassin are not used by MailScanner. You
probably have

Spam Actions = attachment

in your MailScanner.conf. What is it that you really want? You will not
get the SA Spam Reports with MailScanner no matter what you do. If you
want spam delivered and flagged so that the MUA can filter it out use

Spam Actions = deliver

Have a look at the attachment: Does it contain the
X-MailScanner-SpamAssassin header with the SA scores?

Regards,
  JP

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Feb 26 11:26:25 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:44 2006
Subject: [RFE] footer, bugzilla (was Re: Email Spam Reports sent to recipients)
Message-ID:

> [RFE] bugzilla eg. http://bugzilla.mailscanner.info
> http://bugzilla.org
>
> [RFE] what about a footer ?

Hm? What about it?

From jrawcliffe at LONDON.EDU Thu Feb 26 12:27:18 2004
From: jrawcliffe at LONDON.EDU (Julian Rawcliffe)
Date: Thu Jan 12 21:22:44 2006
Subject: Email Spam Reports sent to recipients
In-Reply-To:
References:
Message-ID: <1077798437.30332.113.camel@isd92.lbs.ac.uk>

On Thu, 2004-02-26 at 11:24, Jan-Peter Koopmann wrote:
> Hi Julian,
>
> > I have this set. My question is: if SpamAssassin can do it and
> > MailScanner is running a stock SpamAssassin, why do I only
> > get a message
> > like:
> > Our MailScanner believes that the attachment to this message
> > sent to you
>
> The report settings of SpamAssassin are not used by MailScanner. You
> probably have
>
> Spam Actions = attachment
>
Spam Actions = attachment deliver

> in your MailScanner.conf. What is it that you really want? You will not
> get the SA Spam Reports with MailScanner no matter what you do. If you
> want spam delivered and flagged so that the MUA can filter it out use
>
> Spam Actions = deliver
>
> Have a look at the attachment: Does it contain the
> X-MailScanner-SpamAssassin header with the SA scores?
The attachment includes the full MailScanner header:

X-MailScanner-SpamCheck: spam, SpamAssassin (score=6.585, required 5,
        AWL 0.18, DATE_IN_FUTURE_96_XX 2.37, FORGED_MUA_OIMO 2.70,
        LINES_OF_YELLING 0.01, MSGID_FROM_MTA_HEADER 0.76, SUBJ_ALL_CAPS 0.57)

and is included regardless of whether a message is spam or not.

The SA header I get without MailScanner at home has things like

HTML_30_40 BODY: Message is 30% to 40% HTML 0.8

rather than

HTML_30_40 0.8

with a similar line for each SpamAssassin score in the body of the
message reporting the Spam.

>
> Regards,
> JP
--

Julian Rawcliffe

London Business School, Sussex Place, Regents Park, London. NW1 4SA
t: +44 (0)20 7000 7782 direct --- Helpdesk t: +44 (0)20 7000 7700
m: +44 (0)7966 90 7782 mobile --- Helpdesk f: +44 (0)20 7724 6300
mailto:jrawcliffe@london.edu --- http://www.london.edu/technology/

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Feb 26 12:41:21 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:44 2006
Subject: Email Spam Reports sent to recipients
Message-ID:

Hi Julian,

> The attachment includes the full MailScanner header:
> X-MailScanner-SpamCheck: spam, SpamAssassin (score=6.585,
> required 5, AWL 0.18, DATE_IN_FUTURE_96_XX 2.37, FORGED_MUA_OIMO 2.70,
> LINES_OF_YELLING 0.01, MSGID_FROM_MTA_HEADER 0.76, SUBJ_ALL_CAPS
> 0.57)

There you go. You will not get more out of it since MailScanner does not
mess with the mail body.

> and is included regardless of whether a message is spam or not.

Only if you enable this in MailScanner.conf

> The SA header I get without MailScanner at home has things
> like HTML_30_40 BODY: Message is 30% to 40% HTML 0.8 rather
> than HTML_30_40 0.8
>
> with a similar line for each SpamAssassin score in the body
> of the message reporting the Spam.

As I said: You will NOT get the descriptions as this would blow up the
mail header enormously.

Regards,
  JP

From ml at NETGROUPES.CA Thu Feb 26 12:56:24 2004
From: ml at NETGROUPES.CA (Mailing List User Netgroupes)
Date: Thu Jan 12 21:22:44 2006
Subject: Merge multiple bayes dbs
Message-ID:

I've searched the list archives and came up empty.

Does anyone know if it is possible to merge from 2 or more bayes dbs into
one main db? Bayes dbs are on separate servers.

Thanks!

From mike at TC3NET.COM Thu Feb 26 13:43:12 2004
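The "Email Spam Reports sent to recipients" thread above establishes that MailScanner records only rule names and scores in the X-MailScanner-SpamCheck header and that, with delivery as an attachment, this header sits on the attached original message. The following Python code is an added example, not code from MailScanner or from any poster: it pulls the header out of an attached message and prints a per-rule report. It assumes the header layout quoted in the thread, uses a constructed sample message, and takes rule descriptions only from the SpamAssassin report quoted in the thread.

```python
import email
import re
from email import policy

# Header name as quoted in the thread; a site may be configured with another.
HEADER = "X-MailScanner-SpamCheck"

# Descriptions copied from the SpamAssassin report quoted in the thread.
# Rules not listed here get a placeholder instead of a guessed description.
DESCRIPTIONS = {
    "NO_REAL_NAME": "From: does not include a real name",
    "HTML_30_40": "BODY: Message is 30% to 40% HTML",
    "HTML_WEB_BUGS": "BODY: Image tag intended to identify you",
    "MAILTO_SUBJ_REMOVE": "BODY: mailto URI includes removal text",
}

# The header value as posted in the thread.
THREAD_HEADER = ("spam, SpamAssassin (score=6.585, required 5, AWL 0.18, "
                 "DATE_IN_FUTURE_96_XX 2.37, FORGED_MUA_OIMO 2.70, "
                 "LINES_OF_YELLING 0.01, MSGID_FROM_MTA_HEADER 0.76, "
                 "SUBJ_ALL_CAPS 0.57)")

# Constructed sample: a notification carrying the original spam as a
# message/rfc822 attachment, with the scores in the attached message's header.
SAMPLE = b"""\
From: postmaster@example.org
To: user@example.org
Subject: Try our lovely Spam
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Our MailScanner believes that the attachment to this message is spam.
--b1
Content-Type: message/rfc822

From: spam@wherever.com
Subject: Try our lovely Spam
X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.1, required 5,
\tHTML_30_40 0.8, MAILTO_SUBJ_REMOVE 1.3, NO_REAL_NAME 0.3,
\tFORGED_MUA_OIMO 2.70)
Content-Type: text/html

<html>buy now</html>
--b1--
"""

CHECK_RE = re.compile(r"^(not spam|spam)\b.*?SpamAssassin\s*\((.*)\)\s*$", re.S)

def parse_spamcheck(value):
    """Parse 'spam, SpamAssassin (score=S, required R, RULE pts, ...)'."""
    flat = " ".join(value.split())  # undo header folding
    match = CHECK_RE.match(flat)
    if not match:
        raise ValueError("unrecognised SpamCheck value: %r" % flat)
    result = {"is_spam": match.group(1) == "spam", "score": None,
              "required": None, "rules": []}
    for item in (p.strip() for p in match.group(2).split(",")):
        name, _, number = item.rpartition(" ")
        try:
            if item.startswith("score="):
                result["score"] = float(item[len("score="):])
            elif name == "required":
                result["required"] = float(number)
            elif name:
                result["rules"].append((name, float(number)))
        except ValueError:
            continue  # skip tokens that are not 'NAME number'
    if result["score"] is None or result["required"] is None:
        raise ValueError("score or threshold missing: %r" % flat)
    return result

def find_spamcheck(raw_bytes):
    """Return the SpamCheck value of the innermost (attached) message, or None."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # walk() is depth-first, so the attached original comes after the wrapper.
    found = [str(part[HEADER]) for part in msg.walk() if part[HEADER] is not None]
    return found[-1] if found else None

def render_report(check):
    """Render a SpamAssassin-style table from a parsed SpamCheck header."""
    lines = ["Content analysis details:   (%.1f points, %.1f required)"
             % (check["score"], check["required"]), "",
             " pts rule name              description",
             "---- ---------------------- " + "-" * 40]
    for name, pts in check["rules"]:
        desc = DESCRIPTIONS.get(name, "(no description in local table)")
        lines.append("%4.1f %-22s %s" % (pts, name, desc))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(parse_spamcheck(find_spamcheck(SAMPLE))))
```

Rules missing from the local table, such as FORGED_MUA_OIMO here, are printed with a placeholder so the report never shows a description the administrator has not verified.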
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:22:44 2006
Subject: Enterprise scalability
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C577@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C577@jessica.herefordshire.gov.uk>
Message-ID: <1077802992.2231.3.camel@mike-new2.tc3net.com>

It's per blade, they do about a 1GB a day it appears, average message
size is 6.2k according to my stats. As I said I'm using a NFS share over
10/100, each blade has 1GB of mem. Your system is significantly more
powerful than any of my blades, SCSI local disk and a P4 Xeon.

Regards
MIKE


On Thu, 2004-02-26 at 05:56, Randal, Phil wrote:
> Is that 200,000 per blade? What sort of volume in GB are we talking about?
>
> Just curious.
>
> We're handling about 8600 messages a day, 560MB on a single P4 Xeon 2.4GHz,
> 1GB RAM, tmpfs and hardware mirrored SCSI disks with a load average around
> 0.5 (box is also running squid for around 800 users).
>
> Cheers,
>
> Phil
>
> ---------------------------------------------
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Michael Baird
> > Sent: 25 February 2004 21:41
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Enterprise scalability
> >
> >
> > You would need a lot of mighty boxes to handle that kind of volume. I
> > use blades, so when my volume gets to a certain level, I just image in
> > another one, and mx to it as well (to a centralized NFS spool). My
> > blades are PIII-1200, I can handle without delay running
> > mailscanner/spamassassin, and using tmpfs for the queue.in 200,000 per
> > day, I'm using McAfee to do virus scanning as well, the machines only
> > handle inbound mail, no outbound relay is allowed.
> >
> > Regards
> > MIKE
> >
> > > If I were implementing in this type of environment, I would break it
> > > up into more manageable chunks. First, figure out roughly how many
> > > messages are processed each day. If you are expecting 500,000 users
> > > who will receive on average 75 messages per day you are looking at
> > > about 37,500,000 messages per day (that's a lot of mail). You can
> > > build boxes fairly cheaply for handling a fraction of that mail, say
> > > 1,000,000 messages per day. Get yourself 40 boxes, some load
> > > balancing tools, a way to manage the configuration files easily and
> > > you are in business. There were some threads within the past 3 months
> > > about average load with hardware descriptions that you will find
> > > somewhat helpful.
> > >
> > > > -----Original Message-----
> > > > From: Forrest Aldrich [mailto:forrie@FORRIE.COM]
> > > > Sent: Wednesday, February 25, 2004 1:01 PM
> > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > Subject: Enterprise scalability
> > > >
> > > >
> > > > I'm looking to evaluate a scalable scanning solution - the
> > > > tune of 100's of thousands of users - and I wonder if anyone
> > > > here can share their successes (and nightmares) with regard
> > > > to MailScanner and its auxiliary
> > > > tools (SA is another worry). I'm looking into Qmail at
> > > > first, as we've
> > > > a need for virtual mailboxes (5 per user), etc.
> > > >
> > > > I'm concerned about how perl might behave in this type of environment.
> > > >
> > > >
> > > > Thanks.
> > > >
> > >
> >
>

From mike at TC3NET.COM Thu Feb 26 13:45:50 2004
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:22:44 2006
Subject: One recipient per message (sendmail) pointer + question
In-Reply-To: <20040226021141.BC2E721C143@mail.fsl.com>
References: <20040226021141.BC2E721C143@mail.fsl.com>
Message-ID: <1077803150.2231.5.camel@mike-new2.tc3net.com>

Heh, beware it really does make MailScanner work quite a bit harder, I
tried it and had to back off.

Regards
MIKE

> Many thanks for finding the FAQ entry. It saved me a bit of work at a very
> busy time!
>
> Sorry for the top posting but it seemed appropriate. You don't have to read
> the rest of the thread :>)
>
> Steve
>
> Stephen Swaney
> President
> Fortress Systems Ltd.
> Steve.Swaney@FSL.com
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Walker Aumann
> > Sent: Wednesday, February 25, 2004 8:17 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: One recipient per message (sendmail) pointer + question
> >
> > Hi all,
> >
> > I know this was discussed recently, and Steve Swaney said he was going
> > to dig up an answer. Well, I found this answer in the FAQ:
> >
> > http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html
> >
> > Very nice, as I couldn't find documentation anywhere else on how to add
> > the appropriate options to the .m4 file (I'm really much more
> > comfortable hacking the .cf file, but I'm trying to be nice and
> > maintainable for anyone else who may have to deal with this stuff).
> > However, I still have one problem:
> >
> > Feb 25 16:55:52 gw-sea sendmail[24296]: NOQUEUE: SYSERR(root): QueuePath
> > /var/spool/mqueue.in not subpath of QueueDirectory /var/spool/mqueue/
> >
> > This is coming from the outbound sendmail.
> >
> > I'd really like to do this with one .m4 file if at all possible. Is it
> > at all possible?
> >
> > Walker
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> > Fortress Systems Ltd.
> > www.fsl.com
> >
> >
>
> --
> This message has been scanned for viruses and
> dangerous content by Fortress Secure Mail Gateway
> and was found to be clean.
>
> Fortress Systems Ltd. - http://www.fsl.com
>

From jaearick at COLBY.EDU Thu Feb 26 13:48:57 2004
From: jaearick at COLBY.EDU (Jeff Earickson)
Date: Thu Jan 12 21:22:44 2006
Subject: Enterprise scalability
In-Reply-To: <1077802992.2231.3.camel@mike-new2.tc3net.com>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C577@jessica.herefordshire.gov.uk> <1077802992.2231.3.camel@mike-new2.tc3net.com>
Message-ID:

Question here... Are the 40 boxes all NFS mounting one common /var/mail
filesystem? Or are the mail spools spread across 40 machines? If NFS,
isn't the machine with the shared NFS filesystem a chokepoint in your
setup? If the mail spools are spread across 40 machines, how do you
determine which MX takes email for what user/machine combo?

Jeff Earickson
Colby College

On Thu, 26 Feb 2004, Michael Baird wrote:

> Date: Thu, 26 Feb 2004 08:43:12 -0500
> From: Michael Baird
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Enterprise scalability
>
> It's per blade, they do about a 1GB a day it appears, average message
> size is 6.2k according to my stats. As I said I'm using a NFS share over
> 10/100, each blade has 1GB of mem. Your system is significantly more
> powerful than any of my blades, SCSI local disk and a P4 Xeon.
>
> Regards
> MIKE
>
>
> On Thu, 2004-02-26 at 05:56, Randal, Phil wrote:
> > Is that 200,000 per blade? What sort of volume in GB are we talking about?
> >
> > Just curious.
> >
> > We're handling about 8600 messages a day, 560MB on a single P4 Xeon 2.4GHz,
> > 1GB RAM, tmpfs and hardware mirrored SCSI disks with a load average around
> > 0.5 (box is also running squid for around 800 users).
> >
> > Cheers,
> >
> > Phil
> >
> > ---------------------------------------------
> > Phil Randal
> > Network Engineer
> > Herefordshire Council
> > Hereford, UK
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > > Behalf Of Michael Baird
> > > Sent: 25 February 2004 21:41
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Enterprise scalability
> > >
> > >
> > > You would need a lot of mighty boxes to handle that kind of volume. I
> > > use blades, so when my volume gets to a certain level, I just image in
> > > another one, and mx to it as well (to a centralized NFS spool). My
> > > blades are PIII-1200, I can handle without delay running
> > > mailscanner/spamassassin, and using tmpfs for the queue.in 200,000 per
> > > day, I'm using McAfee to do virus scanning as well, the machines only
> > > handle inbound mail, no outbound relay is allowed.
> > >
> > > Regards
> > > MIKE
> > >
> > > > If I were implementing in this type of environment, I would break it
> > > > up into more manageable chunks. First, figure out roughly how many
> > > > messages are processed each day. If you are expecting 500,000 users
> > > > who will receive on average 75 messages per day you are looking at
> > > > about 37,500,000 messages per day (that's a lot of mail). You can
> > > > build boxes fairly cheaply for handling a fraction of that mail, say
> > > > 1,000,000 messages per day. Get yourself 40 boxes, some load
> > > > balancing tools, a way to manage the configuration files easily and
> > > > you are in business. There were some threads within the past 3 months
> > > > about average load with hardware descriptions that you will find
> > > > somewhat helpful.
> > > >
> > > > > -----Original Message-----
> > > > > From: Forrest Aldrich [mailto:forrie@FORRIE.COM]
> > > > > Sent: Wednesday, February 25, 2004 1:01 PM
> > > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > > Subject: Enterprise scalability
> > > > >
> > > > >
> > > > > I'm looking to evaluate a scalable scanning solution - the
> > > > > tune of 100's of thousands of users - and I wonder if anyone
> > > > > here can share their successes (and nightmares) with regard
> > > > > to MailScanner and its auxiliary
> > > > > tools (SA is another worry). I'm looking into Qmail at
> > > > > first, as we've
> > > > > a need for virtual mailboxes (5 per user), etc.
> > > > >
> > > > > I'm concerned about how perl might behave in this type of environment.
> > > > >
> > > > >
> > > > > Thanks.
> > > > >
> > > >
> > >
> >
>

From mike at TC3NET.COM Thu Feb 26 14:02:10 2004
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:22:44 2006
Subject: Enterprise scalability
In-Reply-To:
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C577@jessica.herefordshire.gov.uk> <1077802992.2231.3.camel@mike-new2.tc3net.com>
Message-ID: <1077804130.2231.15.camel@mike-new2.tc3net.com>

Well, I don't use a /var/mail (mbox), I use maildir format (no locking
issues), so each user's mail is delivered to their home dir. Each machine
handles mail for the entire userbase, I have /home as the NFS mount. I
have them setup as equal preference MX records, so the incoming mail is
distributed amongst the machines.

Regards
MIKE

> Question here... Are the 40 boxes all NFS mounting one common /var/mail
> filesystem? Or are the mail spools spread across 40 machines? If NFS,
> isn't the machine with the shared NFS filesystem a chokepoint in your
> setup? If the mail spools are spread across 40 machines, how do you
> determine which MX takes email for what user/machine combo?
>
> Jeff Earickson
> Colby College
>
> On Thu, 26 Feb 2004, Michael Baird wrote:
>
> > Date: Thu, 26 Feb 2004 08:43:12 -0500
> > From: Michael Baird
> > Reply-To: MailScanner mailing list
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Enterprise scalability
> >
> > It's per blade, they do about a 1GB a day it appears, average message
> > size is 6.2k according to my stats. As I said I'm using a NFS share over
> > 10/100, each blade has 1GB of mem. Your system is significantly more
> > powerful than any of my blades, SCSI local disk and a P4 Xeon.
> >
> > Regards
> > MIKE
> >
> >
> > On Thu, 2004-02-26 at 05:56, Randal, Phil wrote:
> > > Is that 200,000 per blade? What sort of volume in GB are we talking about?
> > >
> > > Just curious.
> > >
> > > We're handling about 8600 messages a day, 560MB on a single P4 Xeon 2.4GHz,
> > > 1GB RAM, tmpfs and hardware mirrored SCSI disks with a load average around
> > > 0.5 (box is also running squid for around 800 users).
> > >
> > > Cheers,
> > >
> > > Phil
> > >
> > > ---------------------------------------------
> > > Phil Randal
> > > Network Engineer
> > > Herefordshire Council
> > > Hereford, UK
> > >
> > > > -----Original Message-----
> > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > > > Behalf Of Michael Baird
> > > > Sent: 25 February 2004 21:41
> > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > Subject: Re: Enterprise scalability
> > > >
> > > >
> > > > You would need a lot of mighty boxes to handle that kind of volume. I
> > > > use blades, so when my volume gets to a certain level, I just image in
> > > > another one, and mx to it as well (to a centralized NFS spool). My
> > > > blades are PIII-1200, I can handle without delay running
> > > > mailscanner/spamassassin, and using tmpfs for the queue.in 200,000 per
> > > > day, I'm using McAfee to do virus scanning as well, the machines only
> > > > handle inbound mail, no outbound relay is allowed.
> > > >
> > > > Regards
> > > > MIKE
> > > >
> > > > > If I were implementing in this type of environment, I would break it
> > > > > up into more manageable chunks. First, figure out roughly how many
> > > > > messages are processed each day. If you are expecting 500,000 users
> > > > > who will receive on average 75 messages per day you are looking at
> > > > > about 37,500,000 messages per day (that's a lot of mail). You can
> > > > > build boxes fairly cheaply for handling a fraction of that mail, say
> > > > > 1,000,000 messages per day. Get yourself 40 boxes, some load
> > > > > balancing tools, a way to manage the configuration files easily and
> > > > > you are in business. There were some threads within the past 3 months
> > > > > about average load with hardware descriptions that you will find
> > > > > somewhat helpful.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Forrest Aldrich [mailto:forrie@FORRIE.COM]
> > > > > > Sent: Wednesday, February 25, 2004 1:01 PM
> > > > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > > > Subject: Enterprise scalability
> > > > > >
> > > > > >
> > > > > > I'm looking to evaluate a scalable scanning solution - the
> > > > > > tune of 100's of thousands of users - and I wonder if anyone
> > > > > > here can share their successes (and nightmares) with regard
> > > > > > to MailScanner and its auxiliary
> > > > > > tools (SA is another worry). I'm looking into Qmail at
> > > > > > first, as we've
> > > > > > a need for virtual mailboxes (5 per user), etc.
> > > > > >
> > > > > > I'm concerned about how perl might behave in this type of environment.
> > > > > >
> > > > > >
> > > > > > Thanks.
> > > > > >
> > > > >
> > > >
> > >
> >
>

From dustin.baer at IHS.COM Thu Feb 26 14:03:27 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:44 2006
Subject: Message.pm
Message-ID: <403DFCAF.A1B89FDE@ihs.com>

With all the patches that have been put out for Message.pm, I am not
sure where we are. I am using MailScanner-4.26.8. Is it possible to
simply replace the 4.26.8 Message.pm with the 4.27.6-1 Message.pm and
get the benefits of better MIME handling?

Thanks,

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From pete at eatathome.com.au Thu Feb 26 14:18:44 2004
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:44 2006 Subject: MyDoom.F Message-ID: <403E0044.40307@eatathome.com.au> Seems like a new and nasty version of mydoom is loose. How do i work out if clamav has this covered, i get 'nagged' daily by the boss "are we covered by X virus" after he reads his watchguard updates - how do i easily get this info from MS or clamav? I have subscribed to the virusdb list but there is no easy way to see a list of known/'fixed' viruses ? Subject: LiveSecurity | Urgent: Virus Alert -- MyDoom.F *Contains a destructive payload.* MyDoom.F deletes a seemingly random selection of Word documents, image, audio and video files, and Excel spreadsheets. Specifically, it searches for files with the extensions .mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp on the %System% folder on drives C to Z, whether the drive is a hard disk, remote drive, or RAM drive. It deletes some of the files; one source described it as "randomly deletes," another claimed, "40 percent of the time." From mailscanner at ecs.soton.ac.uk Thu Feb 26 14:17:56 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:44 2006 Subject: ANNOUNCE: beta 4.27.5 released In-Reply-To: <6.0.1.1.0.20040225171341.01f79ec0@mail.eol.com.er> References: <6.0.1.1.2.20040225092904.03d5b020@imap.ecs.soton.ac.uk> <6.0.1.1.0.20040225171341.01f79ec0@mail.eol.com.er> Message-ID: <6.0.1.1.2.20040226141743.03d9ba60@imap.ecs.soton.ac.uk> See opencomputing.sourceforge.net. At 14:18 25/02/2004, you wrote: >Dear All, > >Looking at the new features for this release, I see the following line: > >- Added support for Qmail. You will need the contents of >qmail/qmail-queue.zip. > >We would like to try MailScanner with QMAIL but are unable to find the >suggested file qmail-queue.zip as well as some instructions if any. > >Any pointers would be most welcome. > > >Yohannes Gebrehiwet, >Operations Director, >Ewan Technology Solutions Inc., >Saba Building, 2nd Floor, >Warsay Street, >Asmara, ERITREA. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jrawcliffe at LONDON.EDU Thu Feb 26 14:22:47 2004 
From: jrawcliffe at LONDON.EDU (Julian Rawcliffe) Date: Thu Jan 12 21:22:44 2006 Subject: Email Spam Reports sent to recipients In-Reply-To: References: Message-ID: <1077805366.30372.135.camel@isd92.lbs.ac.uk> On Thu, 2004-02-26 at 12:41, Jan-Peter Koopmann wrote: > Hi Julian, > > > The attachment includes the full MailScanner header: > > X-MailScanner-SpamCheck: spam, SpamAssassin (score=6.585, > > required 5, AWL 0.18, DATE_IN_FUTURE_96_XX 2.37, FORGED_MUA_OIMO 2.70, > > LINES_OF_YELLING 0.01, MSGID_FROM_MTA_HEADER 0.76, SUBJ_ALL_CAPS > > 0.57) > > There you go. You will not get more out of it since MailScanner does not > mess with the mail body. > > > and is included regardless of whether a message is spam or not. > > Only if you enable this in MailScanner.conf > I have just completed a test install of MailWatch for MailScanner. Apart from a problem with the virus report, it looks as though it will be wonderfully useful in assisting with the spam/not spam requests I have to deal with every day. Recommended. I'll not worry too much about the detail in the SA headers and message body. -- Julian Rawcliffe London Business School, Sussex Place, Regents Park, London. NW1 4SA t: +44 (0)20 7000 7782 direct --- Helpdesk t: +44 (0)20 7000 7700 m: +44 (0)7966 90 7782 mobile --- Helpdesk f: +44 (0)20 7724 6300 mailto:jrawcliffe@london.edu --- http://www.london.edu/technology/ From maillists at CONACTIVE.COM Thu Feb 26 14:31:46 2004 
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:44 2006
Subject: Merge multiple bayes dbs
In-Reply-To:
References:
Message-ID:

Mailing List User Netgroupes wrote on Thu, 26 Feb 2004 12:56:24 +0000:

> Does anyone know if it is possible to merge from 2 or more bayes dbs
> into one main db?
>

I think it is (man sa-learn ?). You are really better off to ask questions
about SA on the SA list!

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From mlm at LOANPROCESSING.NET Thu Feb 26 14:37:19 2004
From: mlm at LOANPROCESSING.NET (Mike McMullen)
Date: Thu Jan 12 21:22:44 2006
Subject: Possible Virus?
References: <54C38A0B814C8E438EF73FC76F362927410933@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <018e01c3fc76$09a0a7d0$0300a8c0@Spike>

----- Original Message -----
From: "Ugo Bellavance"

> >From: Mike McMullen [mailto:mlm@LOANPROCESSING.NET]
> >Sent: February 26, 2004 00:55
> >
> >I received an email with an attachment called "grenade.html".
> >It consists of Java script that defines two arrays of numbers
> >that it performs some "magic" on and then does a document.write
> >on something called "milking".
> >
> >I'm not a java script person at all but this looks like a virus trying
> >to come in under the wire. MailScanner and ClamAV didn't
> >flag it as a virus.
> >
> >Has anyone seen this or know what it is?
>
> Could you send the exact javascript?
>

I've attached the html file that comes in the email. The email text that has
the attachment tries to lure you to a porn site.

Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040226/e34924ee/grenade.html
From shrek-m at GMX.DE Thu Feb 26 14:37:28 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:44 2006
Subject: Message.pm
In-Reply-To: <403DFCAF.A1B89FDE@ihs.com>
References: <403DFCAF.A1B89FDE@ihs.com>
Message-ID: <403E04A8.4050402@gmx.de>

Dustin Baer wrote:

>With all the patches that have been put out for Message.pm, I am not
>sure where we are.
>
>

thanks for this example.
[RFE]
bugzilla.mailscanner.info
http://bugzilla.org or similar would be great.

--
shrek-m

From rcooper at DWFORD.COM Thu Feb 26 14:47:53 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:44 2006
Subject: MyDoom.F
In-Reply-To: <403E0044.40307@eatathome.com.au>
Message-ID:

terminal window:

  sigtool --list-sigs

will list all known viruses to stdin (so you can pipe through less or > to
file)

  sigtool --list-sigs | grep -i virusname

will list sigs for virusname, but bear in mind clam may use another name so
check all variants if you don't find it. MyDoom.F is listed as an alias for
MyDoom.E for instance.

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Pete > Sent: Thursday, February 26, 2004 9:19 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MyDoom.F > > > Seems like a new and nasty version of mydoom is loose. > > How do i work out if clamav has this covered, i get > 'nagged' daily by > the boss "are we covered by X virus" after he reads > his watchguard > updates - how do i easily get this info from MS or > clamav? I have > subscribed to the virusdb list but there is no easy > way to see a list of > known/'fixed' viruses ? > > > > Subject: LiveSecurity | Urgent: Virus Alert -- MyDoom.F > *Contains a destructive payload.* MyDoom.F deletes a > seemingly random > selection of Word documents, image, audio and video > files, and Excel > spreadsheets. Specifically, it searches for files with > the extensions > .mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp on the > %System% folder on > drives C to Z, whether the drive is a hard disk, > remote drive, or RAM > drive. It deletes some of the files; one source described it as > "randomly deletes," another claimed, "40 percent of the time." > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From Kevin.Spicer at BMRB.CO.UK Thu Feb 26 14:56:25 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:44 2006 Subject: Possible Virus? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AC5@pascal.priv.bmrb.co.uk> Mike McMullen wrote: > I've attached the html file that comes in the email. The email text > that has the > attachment tries to lure you to a porn site. > The file you supplied is simply an obfuscated html page which contains a redirect to said porn site. Whilst not desirable it is certainly not a virus. The obfuscation technique appears to use random names and numbers, so there is really very little left to filter on. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Jan-Peter.Koopmann at SECEIDOS.DE Thu Feb 26 14:59:52 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:44 2006 Subject: MyDoom.F Message-ID: > sigtool --list-sigs Does not work here. Should this work with ClamAV 0.65? Regards, JP From jonc at nc.rr.com Thu Feb 26 15:00:09 2004 
From: jonc at nc.rr.com (Jon Carnes)
Date: Thu Jan 12 21:22:44 2006
Subject: MyDoom.F
In-Reply-To: <403E0044.40307@eatathome.com.au>
References: <403E0044.40307@eatathome.com.au>
Message-ID: <1077807609.3155.59.camel@localhost.localdomain>

On Thu, 2004-02-26 at 09:18, Pete wrote:
> Seems like a new and nasty version of mydoom is loose.
>
> How do i work out if clamav has this covered, i get 'nagged' daily by
> the boss "are we covered by X virus" after he reads his watchguard
> updates - how do i easily get this info from MS or clamav? I have
> subscribed to the virusdb list but there is no easy way to see a list of
> known/'fixed' viruses ?
>
>
>
> Subject: LiveSecurity | Urgent: Virus Alert -- MyDoom.F
> *Contains a destructive payload.* MyDoom.F deletes a seemingly random
> selection of Word documents, image, audio and video files, and Excel
> spreadsheets. Specifically, it searches for files with the extensions
> .mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp on the %System% folder on
> drives C to Z, whether the drive is a hard disk, remote drive, or RAM
> drive. It deletes some of the files; one source described it as
> "randomly deletes," another claimed, "40 percent of the time."

Check out the FAQ for ClamAV - it has an entry telling you how to dump
out the name of the virus signatures - though that isn't going to be as
helpful as you might think since they sometimes name them differently.

http://www.clamav.net/faq.html#pagestart

  8) If you are using a recent version of ClamAV just run:
     $ sigtool --list-sigs

===
I find it helpful to run two daily virus reports - one at noon that just
looks at that morning, the other at 6am and scans the whole week (so
far). The reports show the last time the AV dat files were updated and
a count of current viruses that have been stopped by MailScanner.

The time the DAT files were last updated is given by:
  ls -l --time-style="+%b %d %r" /usr/local/uvscan/datfiles/current | \
  cut -c44-62

The virus count is given by:
  grep virus\ \! /var/log/maillog |cut -f7- "-d " |cut -f2 -d/ | \
  cut -f1 "-d " |sort |uniq -c |sort -nr

For the noon day one I do something like:
  TODAY=`date -d "today" "+%b %e" `
  grep "$TODAY" /var/log/maillog |grep virus\ \! |cut -f7- "-d " | \
  cut -f2 -d/ |cut -f1 "-d " |sort |uniq -c |sort -nr

The report will look something like this:

Anti-Virus files last updated on:
Feb 25 01:01:15 PM

===
Morning Virus report:
     53 Netsky.b@MM!zip
     47 Netsky.b@MM
     17 Mydoom.f.zip
     15 Mydoom.f@MM
      4 Mimail.a@MM
      2 Bagle.b@MM
      1 Sober.c@MM
===

As you can see from the report, it shows you clearly that the MyDoom.f
virus is being correctly caught.

BTW: It's also a POC (Piece Of Cake) to publish this as a web page for
your organization, and is great PR for you and MailScanner.

Hope this is helpful - Jon Carnes

From mlm at LOANPROCESSING.NET Thu Feb 26 15:02:50 2004
From: mlm at LOANPROCESSING.NET (Mike McMullen)
Date: Thu Jan 12 21:22:44 2006
Subject: Possible Virus?
References: <5C0296D26910694BB9A9BBFC577E7AB001649AC5@pascal.priv.bmrb.co.uk>
Message-ID: <01e901c3fc79$9a6860c0$0300a8c0@Spike>

From: "Spicer, Kevin"

> Mike McMullen wrote:
>
> > I've attached the html file that comes in the email. The email text
> > that has the
> > attachment tries to lure you to a porn site.
> >
>
> The file you supplied is simply an obfuscated html page which contains a
> redirect to said porn site. Whilst not desirable it is certainly not a
> virus. The obfuscation technique appears to use random names and numbers,
> so there is really very little left to filter on.
>

Hi Kevin,

Thanks for the info. I'm glad it's not a virus. I fed it sa-learn.
Hopefully it will flag any more that come through.

Thanks again for your help.

Mike

From pasztor at ppke.hu Thu Feb 26 14:51:59 2004
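[Added example, not part of the original thread.] The daily report from Jon Carnes's MyDoom.F message, redone in Python so that one pass gives the per-name tally, a one-day view, and a total across the variant spellings of a family (the "are we covered by X" question). The log layout and the sample lines are constructed: they are inferred from the fields his cut commands select, and the host name and process ids are made up.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample lines. The layout (syslog prefix, then the scanner text
# "Found the W32/<name> virus !!!") is an assumption inferred from the field
# positions the cut commands in the message rely on.
SAMPLE_MAILLOG = """\
Feb  9 07:02:11 mx1 MailScanner[1822]: Found the W32/Mimail.a@MM virus !!!
Feb 25 23:58:02 mx1 MailScanner[2204]: Found the W32/Netsky.b@MM virus !!!
Feb 26 08:14:51 mx1 MailScanner[2311]: Found the W32/Mydoom.f@MM virus !!!
Feb 26 08:15:07 mx1 MailScanner[2311]: Found the W32/Mydoom.f.zip virus !!!
Feb 26 09:40:33 mx1 MailScanner[2311]: Found the W32/Netsky.b@MM!zip virus !!!
Feb 26 10:02:19 mx1 sendmail[2390]: i1QA2J: from=<a@example.invalid>, size=2048
Feb 26 11:31:45 mx1 MailScanner[2402]: Found the W32/Mydoom.f@MM virus !!!
""".splitlines()

# Same extraction as the cut chain: drop everything up to the first "/",
# keep the token that precedes " virus !".
FOUND = re.compile(r"Found the (?:[^/\s]+/)?(\S+) virus !")


def syslog_day(d):
    """Format a date as syslog writes it: 'Feb 26', or 'Feb  9' (space padded)."""
    return f"{d:%b} {d.day:2d}"


def virus_counts(lines, day=None):
    """Count detections per virus name, for the whole log or for one day."""
    prefix = syslog_day(day) + " " if day else None
    counts = Counter()
    for line in lines:
        # Anchor the date at the start of the line so a date that merely
        # appears inside a message does not match.
        if prefix and not line.startswith(prefix):
            continue
        match = FOUND.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def family_hits(counts, family):
    """Sum every variant of one family: 'Mydoom.f' covers '@MM' and '.zip'."""
    wanted = family.lower()
    return sum(n for name, n in counts.items() if name.lower().startswith(wanted))


def report(counts):
    """Render the tally in the 'uniq -c | sort -nr' layout used in the message."""
    return "\n".join(f"{n:7d} {name}" for name, n in counts.most_common())


if __name__ == "__main__":
    morning = virus_counts(SAMPLE_MAILLOG, date(2004, 2, 26))
    print("Morning Virus report:")
    print(report(morning))
    print("Mydoom.f detections:", family_hits(morning, "Mydoom.f"))
```
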
From: pasztor at ppke.hu (PASZTOR Miklos)
Date: Thu Jan 12 21:22:44 2006
Subject: Problem with list digests
Message-ID:

  Hello,

  Our mailscanner configuration filters out partial messages, external
  message bodies, iframe tags, and attachments with some extensions.

  My understanding is that it should not filter mailing list message
  digests. However it does. It seems that all the message digests of the
  mailman-users mailing list are filtered because of 'blocked content'.
  An example of a message is at: http://www.ppke.hu/~pasztor/digest.puzzle

  The message from mailfilter does not contain any indication of the reason.

  Could someone please help?

  Is there a command line tool which would feed a message into mailscanner
  and possibly show how it is processed there?

  TIA,
  Miklós
--------- Pásztor Miklós ------------------
Pázmány Péter Katolikus Egyetem
Budapest, Hungary

From Kevin.Spicer at BMRB.CO.UK Thu Feb 26 15:03:16 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:44 2006 Subject: Possible Virus? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AC6@pascal.priv.bmrb.co.uk> Mike McMullen wrote: > > Thanks for the info. I'm glad it's not a virus. I fed it sa-learn. > Hopefully it will flag any more that > come through. Due to the obfuscation technique used I doubt very much that bayes would be able to spot future messages obfuscated in a similar way. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From shrek-m at GMX.DE Thu Feb 26 15:08:09 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:44 2006 Subject: MyDoom.F In-Reply-To: References: Message-ID: <403E0BD9.5020307@gmx.de> Jan-Peter Koopmann wrote: >> sigtool --list-sigs >> >> > >Does not work here. > >Should this work with ClamAV 0.65? > $ sigtool --version sigtool / ClamAV version 0.67 $ which sigtool /usr/local/bin/sigtool -- shrek-m From jclark at SKIDMORE.EDU Thu Feb 26 14:58:24 2004 
From: jclark at SKIDMORE.EDU (jclark) Date: Thu Jan 12 21:22:44 2006 Subject: Japanese encoded filename fails filename length test In-Reply-To: <403DFCAF.A1B89FDE@ihs.com> References: <403DFCAF.A1B89FDE@ihs.com> Message-ID: <3A320CB0-686C-11D8-8BBE-0003937E94EA@skidmore.edu> We receive a large number of e-mails in a Japanese language encoding using the charset: charset=iso-2022-jp When the filename is encoded using this charset, it basically takes up to four characters in the e-mail to represent one character in the filename: A single character can be translated to "%123" or "%12", etc. So a 50 character filename jumps to 150 and fails the filename length test. Is there a configuration change I can make to recognize or represent these filenames in their native charset? Or do I simply bite the bullet and increase the filename length limit to some large value? If so, anyone using some values they have seen be successful most of the time? Thanks! Jeff Clark -- Jeffrey A. Clark Associate Director, CITS Director, Enterprise Systems Skidmore College 815 North Broadway Saratoga Springs, NY 12866-1632 (518) 580-5929 E-mail: jclark@skidmore.edu From mailscanner at ecs.soton.ac.uk Thu Feb 26 15:20:59 2004 
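[Added example, not part of the original thread.] The length inflation Jeff Clark describes, shown for the percent-encoded (RFC 2231) form of an iso-2022-jp filename: the check measures the decoded name and falls back to the raw length when the value cannot be decoded. This is not MailScanner's code; the function names, the sample filename and the limit of 100 are assumptions made for the illustration.

```python
import re
from urllib.parse import quote, unquote_to_bytes

# RFC 2231 extended parameter: filename*=charset'language'percent-encoded-bytes
EXT_FILENAME = re.compile(
    r"filename\*=([\w.:-]+)'([\w-]*)'([^;\s]+)", re.IGNORECASE
)

# Constructed sample: a 50 character Japanese filename.
NAME = ("日本語のファイル名" * 6)[:46] + ".xls"


def encode_ext_filename(name, charset="iso-2022-jp"):
    """Build the parameter as a sending client would put it on the wire."""
    return f"filename*={charset}''{quote(name, safe='', encoding=charset)}"


def decode_ext_filename(disposition):
    """Return (raw_value, decoded_name) from a Content-Disposition value.

    decoded_name is None when the charset is unknown or the bytes are invalid;
    raw_value is None when there is no extended filename parameter at all.
    """
    match = EXT_FILENAME.search(disposition)
    if not match:
        return None, None
    charset, _language, raw = match.groups()
    try:
        return raw, unquote_to_bytes(raw).decode(charset)
    except (LookupError, UnicodeDecodeError):
        return raw, None


def filename_length(disposition):
    """Length to test: decoded characters, or raw length if undecodable."""
    raw, decoded = decode_ext_filename(disposition)
    if raw is None:
        return 0
    # Falling back to the raw length keeps an undecodable name from slipping
    # under the limit.
    return len(decoded) if decoded is not None else len(raw)


def too_long(disposition, limit):
    return filename_length(disposition) > limit


# Constructed header value carrying the sample filename.
HEADER = "attachment; " + encode_ext_filename(NAME)

if __name__ == "__main__":
    raw, decoded = decode_ext_filename(HEADER)
    print("characters on the wire:", len(raw))
    print("characters in the name:", len(decoded))
    print("rejected at limit 100: ", too_long(HEADER, 100))
```
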
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:44 2006
Subject: Queued messages ?
In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C222181A7@dalsxc01.geniant.net>
References: <399D85F2BB50BC4295F78EAE203D5C222181A7@dalsxc01.geniant.net>
Message-ID: <6.0.1.1.2.20040226152029.03f0c1f8@imap.ecs.soton.ac.uk>

At 16:17 25/02/2004, you wrote:
>Anybody have any suggestion for this problem??
>
>----------------------------------------------------------------------
>
>Hope this isn't too off topic. It does have to do with MailScanner.
>
>I'm relaying several email domains to several servers and have extended
>the 4 hour and 4 day warning and bounce back times in sendmail to 2 weeks.
>This is due to a client that is going through weekend power outages at the
>moment.
>
>I now have roughly 2000 emails in the queue, 95% of them have <> as the
>sender. This is also due to the fact that I am sending spam warning messages
>to senders, and must do this for false-positives.
>
>I was thinking of creating a script that parses the results of mailq and
>deletes every email with <> as the sender on a daily basis.
>
>Any thoughts on this? Pros and cons? Has anyone done this? Or is there
>anything in MailScanner that helps with this?

I can't see that you'll lose anything too critical if you do this, except
for delivery errors. But you might not care about them anyway.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Feb 26 15:13:04 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:44 2006 Subject: Message.pm In-Reply-To: <403DFCAF.A1B89FDE@ihs.com> References: <403DFCAF.A1B89FDE@ihs.com> Message-ID: <6.0.1.1.2.20040226151231.03ee8da8@imap.ecs.soton.ac.uk> At 14:03 26/02/2004, you wrote: >With all the patches that have been put out for Message.pm, I am not >sure where we are. > >I am using MailScanner-4.26.8. Is it possible to simply replace the >4.26.8 Message.pm with the 4.27.6-1 Message.pm and get the benefits of >better MIME handling? No, due to other changes in the file. You can try doing a diff and merge in the likely-looking bits of code if you like, but I wouldn't advise it. >Thanks, > >Dustin >-- >Dustin Baer >Unix Administrator/Postmaster >Information Handling Services >15 Inverness Way East >Englewood, CO 80112 >303-397-2836 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 26 15:25:24 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:44 2006 Subject: [FAQ] Viruses in High Scoring Spams are not detected In-Reply-To: <000a01c3fbc2$694f7cb0$6600a8c0@Orthanc> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C572@jessica.herefordshire.gov.uk> <000a01c3fbc2$694f7cb0$6600a8c0@Orthanc> Message-ID: <6.0.1.1.2.20040226152322.03cc48a8@imap.ecs.soton.ac.uk> The quarantine is exactly that, a place where suspect, dangerous or unwanted messages are stored. I don't mess about with them before placing them in the quarantine. Otherwise you could potentially be throwing away data you wanted. It's up to you to be careful with your quarantine. At an animal quarantine, you don't shoot suspicious dogs before putting them in the quarantine. You put potentially sick or infectious animals in there, and handle them carefully. At 17:11 25/02/2004, you wrote: > >MailScanner does not bother to virus scan emails which are flagged as > >high-scoring Spam when the "High Scoring Spam Actions" do not deliver >or > >forward, even if the items are stored in quarantine. I'd like to know >that > >we're storing a virus, so the workaround I use with sendmail is: > > > > High Scoring Spam Actions = store forward spam@localhost.localdomain > >Does this also apply to low scoring spam with a default action of store? >I have "High Scoring Spam Actions" set to delete, with MS 4.26.8-1, and >have found messages containing a virus in quarantine. > >Steve Ellis >Sr Engineer >KaZaK Composites, Inc. >781.932.5667 x105 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 26 15:27:01 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:44 2006 Subject: Enterprise scalability In-Reply-To: <403CE2C1.90909@forrie.com> References: <403CE2C1.90909@forrie.com> Message-ID: <6.0.1.1.2.20040226152604.03a0def0@imap.ecs.soton.ac.uk> At 18:00 25/02/2004, you wrote: >I'm looking to evaluate a scalable scanning solution - the tune of 100's >of thousands of users - and I wonder if anyone here can share their >successes (and nightmares) with regard to MailScanner and its auxiliary >tools (SA is another worry). I'm looking into Qmail at first, as we've >a need for virtual mailboxes (5 per user), etc. > >I'm concerned about how perl might behave in this type of environment. I would advise against Qmail and Postfix. They both only have 1 file per message, which results in far more I/O being done than for systems with 2 files per message (such as sendmail and Exim). Can Exim not do what you want? It's very easy to drive and very flexible, and fast. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 26 15:16:12 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:44 2006 Subject: Problem with list digests In-Reply-To: References: Message-ID: <6.0.1.1.2.20040226151518.03ae7d78@imap.ecs.soton.ac.uk> Without knowing what the exact wording of the real reports is, we can't help you. There should be a text attachment replacing either some or all of the message. In there is a report that tells you exactly why it was blocked. At 14:51 26/02/2004, you wrote: > Hello, > > Our mailscanner configuration filters out partial messages, external > message bodies, iframe tags, and attachments with some extensions. > > My understanding is that it should not filter mailing list message > digests. However it does. It seems that all the message digests of the > mailman-users mailing list are filtered because of 'blocked content'. > An example of a message is at: http://www.ppke.hu/~pasztor/digest.puzzle > > The message from mailfilter does not contain any indication of the reason. > > Could someone please help? > > Is there a command line tool which would feed a message into mailscanner > and possibly show how it is processed there? > > TIA, > Mikl?s > --------- P?sztor Mikl?s ------------------ > P?zm?ny P?ter Katolikus Egyetem > Budapest, Hungary -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From erik at AVONDEL.COM Thu Feb 26 15:48:47 2004 
From: erik at AVONDEL.COM (Erik van der Meulen)
Date: Thu Jan 12 21:22:44 2006
Subject: Selectively deleting/passing spam and viri
Message-ID: <6.0.1.1.1.20040226164757.01aeaae0@192.168.1.2>

Dear group ---

I have my default MS configuration set to allow spam/virus tagged mail
to pass on to the users where it is filtered by procmail on an
individual basis.
This only causes headache for the few mailman mailing lists I run, because
they do not have a user account or procmail.

It seems that I can make MS selectively delete mail that is spam/virus
before delivering it to user accounts. That would be great.

Only I am having problems with the setup of the configuration and would
very much appreciate some advice or an example of the like.

For instance, I would like to see all tagged messages be delivered,
except those with destination mylist@mydomain.nl

Thanks a lot for any suggestions!

--
Erik van der Meulen

Erik van der Meulen

From mailscanner at ecs.soton.ac.uk Thu Feb 26 15:57:58 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:44 2006
Subject: Selectively deleting/passing spam and viri
In-Reply-To: <6.0.1.1.1.20040226164757.01aeaae0@192.168.1.2>
References: <6.0.1.1.1.20040226164757.01aeaae0@192.168.1.2>
Message-ID: <6.0.1.1.2.20040226155719.03f9da60@imap.ecs.soton.ac.uk>

At 15:48 26/02/2004, you wrote:
>Dear group ---
>
>I have my default MS configuration set to allow spam/virus tagged mail
>to pass on to the users where it is filtered by procmail on an
>individual basis.
>This only causes headache for the few mailman mailing lists I run, because
>they do not have a user account or procmail.
>
>It seems that I can make MS selectively delete mail that is spam/virus
>before delivering it to user accounts. That would be great.
>
>Only I am having problems with the setup of the configuration and would
>very much appreciate some advice or an example of the like.
>
>For instance, I would like to see all tagged messages be delivered,
>except those with destination mylist@mydomain.nl

Set the default spam action to "deliver" and put in a rule that says
"delete" for "To: mylist@mydomain.nl".
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From gdoris at rogers.com Thu Feb 26 16:18:58 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:22:44 2006
Subject: Telus subsidiary shields e-mail with SpamKiller
Message-ID: <54486.129.80.22.143.1077812338.squirrel@65.48.246.102>

There are some rather large numbers in this article. It's too bad they
aren't using MailScanner! Perhaps this is a good lead for Fortress
Systems???

http://www.itbusiness.ca/index.asp?theaction=61&sid=54913

Gerry

From raymond at PROLOCATION.NET Thu Feb 26 16:22:17 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:44 2006 Subject: Telus subsidiary shields e-mail with SpamKiller In-Reply-To: <54486.129.80.22.143.1077812338.squirrel@65.48.246.102> Message-ID: Hi! > There are some rather large number in this article. It's too bad they > aren't using MailScanner! Perhaps this is a good lead for Fortress > Systems??? > > http://www.itbusiness.ca/index.asp?theaction=61&sid=54913 "Most of the solutions are client/server. This is a network solution," he said. "There is no link with the mail services. You can make the evolution of the service independently of the mail infrastructure." Bye, Raymond. From pasztor at ppke.hu Thu Feb 26 16:22:06 2004 
From: pasztor at ppke.hu (PASZTOR Miklos) Date: Thu Jan 12 21:22:44 2006 Subject: Problem with list digests In-Reply-To: <6.0.1.1.2.20040226151518.03ae7d78@imap.ecs.soton.ac.uk> Message-ID: Thanks for the prompt response. The report reads: -------------8<--------------------------------------------------------- Subject: Figyelem: E-mail virus! (A manus.itk.ppke.hu-n) A kovetkezo e-mail uzenetek virusokat tartalmaztak: Sender: pasztor@lex.jak.ppke.hu IP Address: 127.0.0.1 Recipient: pasztor@manus.itk.ppke.hu Subject: Mailman-Users Digest, Vol 17, Issue 67 MessageID: 1AwOCp-0004xZ-9U Report: Teljes fejlec:: Received: from localhost ([127.0.0.1] helo=manus.itk.ppke.hu) by localhost.manus.itk.ppke.hu with esmtp (Exim 4.30) id 1AwOCp-0004xZ-9U for pasztor@manus.itk.ppke.hu; Thu, 26 Feb 2004 17:17:47 +0100 Received: from lex.jak.ppke.hu (lex.jak.ppke.hu [195.111.132.3]) by manus.itk.ppke.hu (Postfix) with ESMTP id 33CA9E5C for ; Thu, 26 Feb 2004 17:17:47 +0100 (CET) Received: from localhost (lex [127.0.0.1]) by lex.jak.ppke.hu (Postfix) with ESMTP id 0CBE16BAA for ; Thu, 26 Feb 2004 17:18:56 +0100 (CET) Received: from lex.jak.ppke.hu (lex.jak.ppke.hu [195.111.132.3]) by lex.jak.ppke.hu (Postfix) with ESMTP id 51B164D86 for ; Thu, 26 Feb 2004 17:18:52 +0100 (CET) -------------8<--------------------------------------------------------- It's partly in Hungarian, but I'm sure you get it. On Thu, 26 Feb 2004, Julian Field wrote: > Without knowing what the exact wording of the real reports is, we can't > help you. There should be a text attachment replacing either some or all of > the message. In there is a report that tells you exactly why it was blocked. > > At 14:51 26/02/2004, you wrote: > > Hello, > > > > Our mailscanner configuration filters out partial messages, external > > message bodies, iframe tags, and attachments with some extensions. > > > > My understanding is that it should not filter mailing list message > > digests. However it does. 
It seems that all the message digests of the > > mailman-users mailing list are filtered because of 'blocked content'. > > An example of a message is at: http://www.ppke.hu/~pasztor/digest.puzzle > > > > The message from mailfilter does not contain any indication of the reason. > > > > Could someone please help? > > > > Is there a command line tool which would feed a message into mailscanner > > and possibly show how it is processed there? > > > > TIA, > > Mikl?s > > --------- P?sztor Mikl?s ------------------ > > P?zm?ny P?ter Katolikus Egyetem > > Budapest, Hungary > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mailscanner at ecs.soton.ac.uk Thu Feb 26 16:30:17 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:44 2006 Subject: Problem with list digests In-Reply-To: References: <6.0.1.1.2.20040226151518.03ae7d78@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040226162918.03f965b0@imap.ecs.soton.ac.uk> That apparently contains a totally blank report. Someone has screwed up something in your reports for that to happen. What is the "Teljes fejlec::" text doing there? What does it mean anyway? At 16:22 26/02/2004, you wrote: > Thanks for the prompt response. > > The report reads: > >-------------8<--------------------------------------------------------- >Subject: Figyelem: E-mail virus! (A manus.itk.ppke.hu-n) > >A kovetkezo e-mail uzenetek virusokat tartalmaztak: > > Sender: pasztor@lex.jak.ppke.hu >IP Address: 127.0.0.1 > Recipient: pasztor@manus.itk.ppke.hu > Subject: Mailman-Users Digest, Vol 17, Issue 67 > MessageID: 1AwOCp-0004xZ-9U > Report: >Teljes fejlec:: > > Received: from localhost ([127.0.0.1] helo=manus.itk.ppke.hu) > by localhost.manus.itk.ppke.hu with esmtp (Exim 4.30) > id 1AwOCp-0004xZ-9U > for pasztor@manus.itk.ppke.hu; Thu, 26 Feb 2004 17:17:47 +0100 > Received: from lex.jak.ppke.hu (lex.jak.ppke.hu [195.111.132.3]) > by manus.itk.ppke.hu (Postfix) with ESMTP id 33CA9E5C > for ; Thu, 26 Feb 2004 17:17:47 +0100 (CET) > Received: from localhost (lex [127.0.0.1]) > by lex.jak.ppke.hu (Postfix) with ESMTP id 0CBE16BAA > for ; Thu, 26 Feb 2004 17:18:56 +0100 (CET) > Received: from lex.jak.ppke.hu (lex.jak.ppke.hu [195.111.132.3]) > by lex.jak.ppke.hu (Postfix) with ESMTP id 51B164D86 > for ; Thu, 26 Feb 2004 17:18:52 +0100 (CET) >-------------8<--------------------------------------------------------- > > It's partly in Hungarian, but I'm sure you get it. > >On Thu, 26 Feb 2004, Julian Field wrote: > > > Without knowing what the exact wording of the real reports is, we can't > > help you. There should be a text attachment replacing either some or all of > > the message. 
In there is a report that tells you exactly why it was > blocked. > > > > At 14:51 26/02/2004, you wrote: > > > Hello, > > > > > > Our mailscanner configuration filters out partial messages, external > > > message bodies, iframe tags, and attachments with some extensions. > > > > > > My understanding is that it should not filter mailing list message > > > digests. However it does. It seems that all the message digests of the > > > mailman-users mailing list are filtered because of 'blocked content'. > > > An example of a message is at: http://www.ppke.hu/~pasztor/digest.puzzle > > > > > > The message from mailfilter does not contain any indication of the > reason. > > > > > > Could someone please help? > > > > > > Is there a command line tool which would feed a message into > mailscanner > > > and possibly show how it is processed there? > > > > > > TIA, > > > Miklós > > > --------- Pásztor Miklós ------------------ > > > Pázmány Péter Katolikus Egyetem > > > Budapest, Hungary > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From lists at TRCINTL.COM Thu Feb 26 16:47:03 2004
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:22:44 2006
Subject: MyDoom.F
Message-ID:

I would really like to run the reports you list below, but when I try them from the command line I get "cut: command not found"? It is in the /bin directory as it should be and runs fine at any other time. Anyone else try to run these with success?

Kyle H.

On Thu, 26 Feb 2004 10:00:09 -0500, Jon Carnes wrote:
>On Thu, 2004-02-26 at 09:18, Pete wrote:
>> Seems like a new and nasty version of mydoom is loose.
>>
>> How do i work out if clamav has this covered, i get 'nagged' daily by
>> the boss "are we covered by X virus" after he reads his watchguard
>> updates - how do i easily get this info from MS or clamav? I have
>> subscribed to the virusdb list but there is no easy way to see a list of
>> known/'fixed' viruses ?
>>
>> Subject: LiveSecurity | Urgent: Virus Alert -- MyDoom.F
>> *Contains a destructive payload.* MyDoom.F deletes a seemingly random
>> selection of Word documents, image, audio and video files, and Excel
>> spreadsheets. Specifically, it searches for files with the extensions
>> .mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp on the %System% folder on
>> drives C to Z, whether the drive is a hard disk, remote drive, or RAM
>> drive. It deletes some of the files; one source described it as
>> "randomly deletes," another claimed, "40 percent of the time."
>
>Check out the FAQ for ClamAV - it has an entry telling you how to dump
>out the name of the virus signatures - though that isn't going to be as
>helpful as you might think since they sometimes name them differently.
>
>http://www.clamav.net/faq.html#pagestart
>
>    8) If you are using a recent version of ClamAV just run:
>       $ sigtool --list-sigs
>
>===
>I find it helpful to run two daily virus reports - one at noon that just
>looks at that morning, the other at 6am and scans the whole week (so
>far). The reports show the last time the AV dat files were updated and a
>count of current viruses that have been stopped by MailScanner.
>
>The time the DAT files were last updated is given by:
>    ls -l --time-style="+%b %d %r" /usr/local/uvscan/datfiles/current | \
>      cut -c44-62
>
>The virus count is given by:
>    grep virus\ \! /var/log/maillog |cut -f7- "-d " |cut -f2 -d/ | \
>      cut -f1 "-d " |sort |uniq -c |sort -nr
>
>For the noon day one I do something like:
>    TODAY=`date -d "today" "+%b %e" `
>    grep "$TODAY" /var/log/maillog |grep virus\ \! |cut -f7- "-d " | \
>      cut -f2 -d/ |cut -f1 "-d " |sort |uniq -c |sort -nr
>
>The report will look something like this:
>
>    Anti-Virus files last updated on: Feb 25 01:01:15 PM
>    ===
>    Morning Virus report:
>      53 Netsky.b@MM!zip
>      47 Netsky.b@MM
>      17 Mydoom.f.zip
>      15 Mydoom.f@MM
>       4 Mimail.a@MM
>       2 Bagle.b@MM
>       1 Sober.c@MM
>    ===
>
>As you can see from the report, it shows you clearly that the MyDoom.f
>virus is being correctly caught.
>
>BTW: It's also a POC (Piece Of Cake) to publish this as a web page for
>your organization, and is great PR for you and MailScanner.
>
>Hope this is helpful - Jon Carnes

From mailscanner at ecs.soton.ac.uk Thu Feb 26 17:03:50 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:44 2006 Subject: Blocking exe's, pif's, etc inside Zip file In-Reply-To: <3A411846CD3C0D4CB3D8704F93735370588F82@be-00.foundation.sd su.edu> References: <3A411846CD3C0D4CB3D8704F93735370588F82@be-00.foundation.sdsu.edu> Message-ID: <6.0.1.1.2.20040226170135.03fa14b8@imap.ecs.soton.ac.uk> This is something I have started to look at. One of the problems is working out how it can be attacked and how best to handle the attacks. I would like to be able to check all the names in all the zip files that might be contained within further zip files, which could all be in 1 zip file attached to the message. If I check n levels down, someone will just pack their files in n+1 levels to beat me. Making sure that cannot be attacked is tricky. At 16:56 26/02/2004, you wrote: >I know this has been brought up in the last couple of weeks but I'm not >sure what the general opinion is. We had a virus slip in through with a >zip file yesterday. We block all the other dangerous extensions/file >types. I'm going to be forced to block zip files unless someone has a way >to extract dangerous files inside zip files. > >Steve Evans >SDSU Foundation > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From listonly at WEBPRESENCEGROUP.NET Thu Feb 26 17:44:25 2004 From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:44 2006 Subject: F-Prot Install Message-ID: We have MS running and SA using Debian Testing's APT to install. Question, can I install F-Prot after the fact for mailscanner. Reading some of the FAQ's they say to build F-Prot first. Also great App!! -- Thanks!! David Thurman List Only at Web Presence Group Net From mailscanner at ecs.soton.ac.uk Thu Feb 26 17:50:14 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:44 2006 Subject: F-Prot Install In-Reply-To: References: Message-ID: <6.0.1.1.2.20040226174925.03989ec8@imap.ecs.soton.ac.uk> At 17:44 26/02/2004, you wrote: >We have MS running and SA using Debian Testing's APT to install. > >Question, can I install F-Prot after the fact for mailscanner. Reading some >of the FAQ's they say to build F-Prot first. That only applied to the old Version 3. Doesn't matter when you install the virus scanners with MailScanner version 4. >Also great App!! >-- >Thanks!! Thanks, it's appreciated :-) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From tristanr at CI.GRANDJCT.CO.US Thu Feb 26 17:53:52 2004 
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes)
Date: Thu Jan 12 21:22:44 2006
Subject: Blocking exe's, pif's, etc inside Zip file
Message-ID:

Interesting idea. Perhaps you can arbitrarily specify a depth that legitimate email should not go past (or make it configurable). If the zip continues deeper, stop processing and mark it as suspicious (or whatever). This way, a virus buried deep in a zip file will never make it through undetected.

How many end-users will dig into a zip many levels deep? Now that I think about it, most people would keep clicking, curious about what is in the file.

Tristan Rhodes

>>> mailscanner@ECS.SOTON.AC.UK 02/26/04 10:03AM >>>
This is something I have started to look at. One of the problems is working out how it can be attacked and how best to handle the attacks.

I would like to be able to check all the names in all the zip files that might be contained within further zip files, which could all be in 1 zip file attached to the message. If I check n levels down, someone will just pack their files in n+1 levels to beat me. Making sure that cannot be attacked is tricky.

At 16:56 26/02/2004, you wrote:
>I know this has been brought up in the last couple of weeks but I'm not
>sure what the general opinion is. We had a virus slip in through with a
>zip file yesterday. We block all the other dangerous extensions/file
>types. I'm going to be forced to block zip files unless someone has a way
>to extract dangerous files inside zip files.
>
>Steve Evans
>SDSU Foundation
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From sailer at BNL.GOV Thu Feb 26 17:49:32 2004
From: sailer at BNL.GOV (Tim Sailer) Date: Thu Jan 12 21:22:44 2006 Subject: F-Prot Install In-Reply-To: References: Message-ID: <20040226174932.GA31264@bnl.gov> On Thu, Feb 26, 2004 at 11:44:25AM -0600, Dave's List Addy wrote: > We have MS running and SA using Debian Testing's APT to install. > > Question, can I install F-Prot after the fact for mailscanner. Reading some > of the FAQ's they say to build F-Prot first. You can easily install it after. Make sure MS and SA are working the way you want first, then install the AV stuff. One step at a time... > Also great App!! Agreed! Tim -- Tim Sailer Information and Special Technologies Program Office of CounterIntelligence Brookhaven National Laboratory (631) 344-3001 From klowery at whi.wts.edu Thu Feb 26 18:12:47 2004 
From: klowery at whi.wts.edu (Kirk Lowery)
Date: Thu Jan 12 21:22:44 2006
Subject: resend quarantined whole message with exim? [SOLVED]
In-Reply-To: <403C7BEF.3080407@solid-state-logic.com>
References: <403BA50A.20305@whi.wts.edu> <403C7BEF.3080407@solid-state-logic.com>
Message-ID: <403E371F.2000600@whi.wts.edu>

The situation: Your MailScanner.conf has "Quarantine Whole Messages As Queue Files = no" which means that incoming email that is quarantined by MailScanner is saved as "/var/spool/MailScanner/quarantine/[message-id]/message" and not with the [message-id]-D and [message-id]-H queue files.

The problem: Sometimes there are "false positives" for virii and spam. What you want to do is to deliver a specific message(s) anyway. And your Mail Transport Agent is exim.

Solution 1: Change the configuration option to "Quarantine Whole Messages As Queue Files" to "yes". [message-id]-D and [message-id]-H queue files will be saved by MailScanner, and one simply moves those files to the exim output queue (on my Debian "sarge" system, that would be /var/spool/exim4/input). The next time the exim daemon runs, these files will be flushed. Thanks to Martin Hepworth for this solution (further details on his method are below).

This works great for all email which arrives *after* the config setting is changed. But one still has all those "message" files left over. What about them?

Solution 2: A simpler solution is not to change "Quarantine Whole Messages As Queue Files = no" at all. Simply cd (on my system) to "/var/spool/MailScanner/quarantine/[message-id]/" and as the exim admin user (or root) type:

    exim4 -t < message

exim4 is the exim executable on my system. The "-t" option tells exim to use the "To:", "CC:", "BCC:" for recipient and delivery information. The "<" reads the file "message" to the standard input, which is what exim expects.

Solution 2 has been tested and so far seems to work without any surprising side effects.

Kirk

Martin Hepworth wrote:
> you'll need the email saved as queue files (a setting in
> MailScanner.conf)
>
> then cd to the directory with the queue files in it..
>
> cp -p *H *D /var/spool/exim/input
>
> (assuming the post MS exim queue is in /var/spool/exim as in the
> MS-exim how-to).
>
> force delivery of the message with
>
> exim -C /usr/local/etc/exim/configure.out -M message-id
>
> where message-id is the name of the files you just moved without the
> -D and -H

Thanks for your response! This is helpful. Yes, I also found the setting in MailScanner.conf for this (Debian defaults to "no" for "Quarantine Whole Messages As Queue Files" this setting; I think I'll file a bug on it with the Debian MailScanner package...).

But what can I do with the files already combined with headers and message body? Is there some MailScanner or exim command that will split them out to queue files?

Kirk
--
Theory is when you know everything and nothing works.
Practice is when everything works and nobody knows why.
Here, theory and practice are united: nothing works and nobody knows why!

From craig at WESTPRESS.COM Thu Feb 26 18:19:47 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:44 2006
Subject: MyDoom.F
In-Reply-To: <1077807609.3155.59.camel@localhost.localdomain>
References: <403E0044.40307@eatathome.com.au> <1077807609.3155.59.camel@localhost.localdomain>
Message-ID:

Looking at this, it looks like this is not for ClamAV. I would like to use these examples to produce similar reports for ClamAV and F-Prot.

I can sort of follow what is happening here, but I am not familiar with 'cut' so I am perusing the man page for cut, but can you kind of walk me through what's happening here with each of these examples?

>===
>I find it helpful to run two daily virus reports - one at noon that just
>looks at that morning, the other at 6am and scans the whole week (so
>far). The reports show the last time the AV dat files were updated and a
>count of current viruses that have been stopped by MailScanner.
>
>The time the DAT files were last updated is given by:
>    ls -l --time-style="+%b %d %r" /usr/local/uvscan/datfiles/current | \
>      cut -c44-62
>
>The virus count is given by:
>    grep virus\ \! /var/log/maillog |cut -f7- "-d " |cut -f2 -d/ | \
>      cut -f1 "-d " |sort |uniq -c |sort -nr
>
>For the noon day one I do something like:
>    TODAY=`date -d "today" "+%b %e" `
>    grep "$TODAY" /var/log/maillog |grep virus\ \! |cut -f7- "-d " | \
>      cut -f2 -d/ |cut -f1 "-d " |sort |uniq -c |sort -nr
>
>The report will look something like this:
>
>    Anti-Virus files last updated on: Feb 25 01:01:15 PM
>    ===
>    Morning Virus report:
>      53 Netsky.b@MM!zip
>      47 Netsky.b@MM
>      17 Mydoom.f.zip
>      15 Mydoom.f@MM
>       4 Mimail.a@MM
>       2 Bagle.b@MM
>       1 Sober.c@MM
>    ===
>
>As you can see from the report, it shows you clearly that the MyDoom.f
>virus is being correctly caught.
>
>BTW: It's also a POC (Piece Of Cake) to publish this as a web page for
>your organization, and is great PR for you and MailScanner.
>
>Hope this is helpful - Jon Carnes

--
--
Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433
Tel: 520-624-4939
Fax: 520-624-2715
www.westpress.com
--

From mailscanner at ecs.soton.ac.uk Thu Feb 26 18:33:02 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:44 2006 Subject: ANNOUNCE: beta 4.27.5 released In-Reply-To: <403D4041.3080502@pacific.net> References: <403D4041.3080502@pacific.net> Message-ID: <6.0.1.1.2.20040226182951.03bcad20@imap.ecs.soton.ac.uk> Unfortunately the robustness improvements I have made to the MIME decoder result in it going more slowly. There is pretty much nothing I can do about this, I'm afraid. The decoder needed to be more robust than it was, as there have been a couple of cases recently where messages (particularly caused by MTAs bouncing the whole message rather than just the headers or the first few lines) have managed to get past MailScanner. You could have it faster, but at the cost of robustness. I have just re-written some of the code to try to make it faster, I hope that will help. If you want to switch off the main improvement, then disable the "ExplodePart" subroutine in Message.pm. Sorry, there's not much more I can do about this :-( At 00:39 26/02/2004, you wrote: >I will try to get more info on what happened as time permits. >I can tell you that it seemed to be the upgrade that caused the backlog >of mail in mqueue.in. Right now I'm just glad to see the number of >messages in mqueue.in dropping again. Here's what happened visually >after upgrading from Mailscanner-4.26.5-1 to MailScanner-4.27.6-1 at 11 >am this morning: http://www.pacificsites.com/~ken/ms/02252004.png >I tried turning off DCC, Pyzor, tweaking a few other options, but to no >avail. I'm back to 4.26.5-1 now and things snapped back rather quickly >when I downgraded. >Thanks, >Ken A > > >Raymond Dijkxhoorn wrote: > >>Hi! >> >> >>>>What do you mean with not getting scanned ? Is mail stuck there or >>>>something? Same version runs like a charm here. >>> >>>It's steadily building up a backlog of mail. It is scanning, but seems >>>to be too slow to keep up. The incoming volumn has not increased. >>>I'd like to back up to a previous version. 
>>>Any help appreciated. >> >> >>Just do rpm -i --nodeps --force >> >>And dont forget to put back your old config. >> >>Bye, >>Raymond. >> -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From klowery at whi.wts.edu Thu Feb 26 18:46:48 2004 
From: klowery at whi.wts.edu (Kirk Lowery)
Date: Thu Jan 12 21:22:44 2006
Subject: resend quarantined whole message with exim? [SOLVED]
In-Reply-To: <403C7BEF.3080407@solid-state-logic.com>
References: <403BA50A.20305@whi.wts.edu> <403C7BEF.3080407@solid-state-logic.com>
Message-ID: <403E3F18.8080404@whi.wts.edu>

A couple of corrections:

The correct MailScanner quarantine directory of "message" files is, of course,

    /var/spool/MailScanner/quarantine/[YYYYMMDD]/[message-id]/message

for example:

    /var/spool/MailScanner/quarantine/20040223/1AvMFw-0000uq-81/message

Second, using the command "exim4 -t < message" works great -- except for incoming messages from internet discussion lists, or any general bulk emailer. All this command will do is send it *back* to the list! Not what you want to do! Watch the "To:", "Cc:" and "Bcc:" headers to make sure the message is only delivered locally or to where you intend it to go. In this case, it is better to force delivery to a specific address:

    exim4 localName@myDomain.com < message

************** **************

The situation: Your MailScanner.conf has "Quarantine Whole Messages As Queue Files = no" which means that incoming email that is quarantined by MailScanner is saved as "/var/spool/MailScanner/quarantine/[message-id]/message" and not with the [message-id]-D and [message-id]-H queue files.

The problem: Sometimes there are "false positives" for virii and spam. What you want to do is to deliver a specific message(s) anyway. And your Mail Transport Agent is exim.

Solution 1: Change the configuration option to "Quarantine Whole Messages As Queue Files" to "yes". [message-id]-D and [message-id]-H queue files will be saved by MailScanner, and one simply moves those files to the exim output queue (on my Debian "sarge" system, that would be /var/spool/exim4/input). The next time the exim daemon runs, these files will be flushed. Thanks to Martin Hepworth for this solution (further details on his method are below).

This works great for all email which arrives *after* the config setting is changed. But one still has all those "message" files left over. What about them?

Solution 2: A simpler solution is not to change "Quarantine Whole Messages As Queue Files = no" at all. Simply cd (on my system) to "/var/spool/MailScanner/quarantine/[message-id]/" and as the exim admin user (or root) type:

    exim4 -t < message

exim4 is the exim executable on my system. The "-t" option tells exim to use the "To:", "CC:", "BCC:" for recipient and delivery information. The "<" reads the file "message" to the standard input, which is what exim expects.

Solution 2 has been tested and so far seems to work without any surprising side effects.

Kirk

Martin Hepworth wrote:
> you'll need the email saved as queue files (a setting in
> MailScanner.conf)
>
> then cd to the directory with the queue files in it..
>
> cp -p *H *D /var/spool/exim/input
>
> (assuming the post MS exim queue is in /var/spool/exim as in the
> MS-exim how-to).
>
> force delivery of the message with
>
> exim -C /usr/local/etc/exim/configure.out -M message-id
>
> where message-id is the name of the files you just moved without the
> -D and -H

Thanks for your response! This is helpful. Yes, I also found the setting in MailScanner.conf for this (Debian defaults to "no" for "Quarantine Whole Messages As Queue Files" this setting; I think I'll file a bug on it with the Debian MailScanner package...).

But what can I do with the files already combined with headers and message body? Is there some MailScanner or exim command that will split them out to queue files?

Kirk
--
Theory is when you know everything and nothing works.
Practice is when everything works and nobody knows why.
Here, theory and practice are united: nothing works and nobody knows why!

From rzewnickie at RFA.ORG Thu Feb 26 19:12:39 2004
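Added example, not part of the thread and not MailScanner or exim code: a pre-release check for the correction above, which reads the headers that "exim4 -t" would use and reports any off-site recipient before falling back to the explicit-address form. The local domain set and both sample messages are constructed assumptions.

```python
import subprocess
from email import message_from_bytes
from email.utils import getaddresses

# Assumption: the domains this host delivers locally.
LOCAL_DOMAINS = {"mydomain.com"}

# Constructed samples of quarantined "message" files (addresses are made up).
SAMPLE_DIGEST = (
    b"From: mailman-users-request@lists.example.org\r\n"
    b"To: mailman-users@lists.example.org\r\n"
    b"Subject: Mailman-Users Digest, Vol 17, Issue 67\r\n"
    b"\r\n"
    b"digest body\r\n"
)
SAMPLE_LOCAL = (
    b"From: sender@example.net\r\n"
    b"To: Local Name <localName@myDomain.com>\r\n"
    b"Cc: other@mydomain.com\r\n"
    b"Subject: quarterly report\r\n"
    b"\r\n"
    b"body\r\n"
)


def release_plan(raw_message, deliver_to, local_domains=LOCAL_DOMAINS):
    """Inspect To/Cc/Bcc and build the explicit-recipient exim4 command.

    Returns the recipients "-t" would use, those outside the local
    domains, whether "-t" would stay local, and the argv to run instead.
    """
    # The address becomes a command-line argument, so refuse option-like input.
    if deliver_to.startswith("-") or "@" not in deliver_to:
        raise ValueError("deliver_to must be a plain address")
    if deliver_to.rpartition("@")[2].lower() not in local_domains:
        raise ValueError("deliver_to is not in a local domain")

    msg = message_from_bytes(raw_message)
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields.extend(str(value) for value in msg.get_all(name, []))
    header_rcpts = sorted(
        {addr.lower() for _display, addr in getaddresses(fields) if addr}
    )
    off_site = [a for a in header_rcpts
                if a.rpartition("@")[2] not in local_domains]
    return {
        "header_recipients": header_rcpts,
        "off_site": off_site,
        "dash_t_stays_local": bool(header_rcpts) and not off_site,
        "argv": ["exim4", deliver_to],
    }


def release(message_path, deliver_to):
    """Run the explicit form from the post: exim4 ADDRESS < message."""
    with open(message_path, "rb") as fh:
        raw = fh.read()
    plan = release_plan(raw, deliver_to)
    subprocess.run(plan["argv"], input=raw, check=True)
    return plan
```

release() is only defined here, not called; release_plan() can be run against any quarantined file without touching the MTA.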
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:44 2006 Subject: Enterprise scalability In-Reply-To: <6.0.1.1.2.20040226152604.03a0def0@imap.ecs.soton.ac.uk> References: <403CE2C1.90909@forrie.com> <6.0.1.1.2.20040226152604.03a0def0@imap.ecs.soton.ac.uk> Message-ID: <20040226191239.GB3695@rfa.org> On Thu, Feb 26, 2004 at 03:27:01PM +0000, Julian Field wrote: > I would advise against Qmail and Postfix. They both only have 1 file per > message, which results in far more I/O being done than for systems with 2 > files per message (such as sendmail and Exim). Can you elaborate on that? How does the 2 file method save I/O? Thanks, Eric Rz. From kevin at KEVINSPICER.CO.UK Thu Feb 26 19:20:13 2004 From: kevin at KEVINSPICER.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:44 2006 Subject: 4.27-6 question Message-ID: <1077823213.24782.7.camel@bach.kevinspicer.co.uk> I've just upgraded to 4.27.6, mainly to try out the Symantec support. I've installed and configured Symantec carrierscan, and tested it with the supplied cscmdline client - but the css-wrapper script calls a program called multiscan2, which I can't track down at all. Any ideas? -- Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net From mailscanner at ecs.soton.ac.uk Thu Feb 26 19:28:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:45 2006 Subject: Enterprise scalability In-Reply-To: <20040226191239.GB3695@rfa.org> References: <403CE2C1.90909@forrie.com> <6.0.1.1.2.20040226152604.03a0def0@imap.ecs.soton.ac.uk> <20040226191239.GB3695@rfa.org> Message-ID: <6.0.1.1.2.20040226192502.0387c320@imap.ecs.soton.ac.uk> At 19:12 26/02/2004, you wrote: >On Thu, Feb 26, 2004 at 03:27:01PM +0000, Julian Field wrote: > > I would advise against Qmail and Postfix. They both only have 1 file per > > message, which results in far more I/O being done than for systems with 2 > > files per message (such as sendmail and Exim). > >Can you elaborate on that? How does the 2 file method save I/O? Most of the time, MailScanner doesn't want to modify the body of the message at all. So if the body is held in a separate file, then it just takes a link and an unlink operation to move the message body from the incoming queue to the outgoing queue. This is totally independent of the file size, and is *very* fast as it is no more than 2 very simple filesystem changes. If the body is held in the same file as the headers, then the message has to be read in from the in queue, and written to the out queue. The time this takes is proportional to the size of the message as it entails I/O on the entire message body. This is noticeably slower, as you can imagine. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Feb 26 19:31:33 2004 
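Added example, not part of the thread and not MailScanner code: the two queue layouts described in the message above, moved from an in-queue to an out-queue so the bytes written can be compared. The -H/-D file contents are simplified stand-ins for real queue files, and the X-Scanned header is hypothetical.

```python
import os
import tempfile


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def move_two_file(in_q, out_q, msg_id, new_headers):
    """Two files per message: rewrite the small -H file, hard-link the -D body.

    Returns the number of bytes written, which is only the header size.
    Both queues must be on one filesystem for os.link() to work.
    """
    _write(os.path.join(out_q, msg_id + "-H"), new_headers)
    os.link(os.path.join(in_q, msg_id + "-D"),
            os.path.join(out_q, msg_id + "-D"))
    os.unlink(os.path.join(in_q, msg_id + "-D"))
    os.unlink(os.path.join(in_q, msg_id + "-H"))
    return len(new_headers)


def move_one_file(in_q, out_q, msg_id, new_headers):
    """One file per message: the whole body is read and written again."""
    src = os.path.join(in_q, msg_id)
    with open(src, "rb") as fh:
        _old_headers, _sep, body = fh.read().partition(b"\n\n")
    rebuilt = new_headers + b"\n\n" + body
    _write(os.path.join(out_q, msg_id), rebuilt)
    os.unlink(src)
    return len(rebuilt)


def compare(body_size=1024 * 1024):
    """Build constructed messages in a temp dir and move each layout once."""
    headers = b"Subject: constructed sample"
    new_headers = headers + b"\nX-Scanned: yes"   # hypothetical added header
    body = b"x" * body_size
    with tempfile.TemporaryDirectory() as root:
        in_q = os.path.join(root, "in")
        out_q = os.path.join(root, "out")
        os.mkdir(in_q)
        os.mkdir(out_q)
        _write(os.path.join(in_q, "msg1-H"), headers)
        _write(os.path.join(in_q, "msg1-D"), body)
        _write(os.path.join(in_q, "msg2"), headers + b"\n\n" + body)

        inode_before = os.stat(os.path.join(in_q, "msg1-D")).st_ino
        two = move_two_file(in_q, out_q, "msg1", new_headers)
        inode_after = os.stat(os.path.join(out_q, "msg1-D")).st_ino
        one = move_one_file(in_q, out_q, "msg2", new_headers)
        return {
            "two_file_bytes_written": two,
            "one_file_bytes_written": one,
            "body_inode_unchanged": inode_before == inode_after,
            "in_queue_empty": os.listdir(in_q) == [],
        }


if __name__ == "__main__":
    print(compare())
```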
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:45 2006 Subject: 4.27-6 question In-Reply-To: <1077823213.24782.7.camel@bach.kevinspicer.co.uk> References: <1077823213.24782.7.camel@bach.kevinspicer.co.uk> Message-ID: <6.0.1.1.2.20040226193056.0395d060@imap.ecs.soton.ac.uk> At 19:20 26/02/2004, you wrote: >I've just upgraded to 4.27.6, mainly to try out the Symantec support. >I've installed and configured Symantec carrierscan, and tested it with >the supplied cscmdline client - but the css-wrapper script calls a >program called multiscan2, which I can't track down at all. Any ideas? Contact Martin Foster as he wrote the CSS support. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rzewnickie at RFA.ORG Thu Feb 26 19:37:29 2004 
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:45 2006 Subject: Enterprise scalability In-Reply-To: <6.0.1.1.2.20040226192502.0387c320@imap.ecs.soton.ac.uk> References: <403CE2C1.90909@forrie.com> <6.0.1.1.2.20040226152604.03a0def0@imap.ecs.soton.ac.uk> <20040226191239.GB3695@rfa.org> <6.0.1.1.2.20040226192502.0387c320@imap.ecs.soton.ac.uk> Message-ID: <20040226193729.GC3695@rfa.org> On Thu, Feb 26, 2004 at 07:28:20PM +0000, Julian Field wrote: > At 19:12 26/02/2004, you wrote: > >On Thu, Feb 26, 2004 at 03:27:01PM +0000, Julian Field wrote: > >> I would advise against Qmail and Postfix. They both only have 1 file per > >> message, which results in far more I/O being done than for systems with 2 > >> files per message (such as sendmail and Exim). > > > >Can you elaborate on that? How does the 2 file method save I/O? > > Most of the time, MailScanner doesn't want to modify the body of the > message at all. So if the body is held in a separate file, then it just > takes a link and an unlink operation to move the message body from the > incoming queue to the outgoing queue. This is totally independent of the > file size, and is *very* fast as it is no more than 2 very simple > filesystem changes. > > If the body is held in the same file as the headers, then the message has > to be read in from the in queue, and written to the out queue. The time > this takes is proportional to the size of the message as it entails I/O on > the entire message body. This is noticeably slower, as you can imagine. I see. Thank you very much for taking the time to explain this. -Eric Rz. From Denis.Beauchemin at USHERBROOKE.CA Thu Feb 26 20:10:24 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:45 2006
Subject: Blocking exe's, pif's, etc inside Zip file
In-Reply-To: <6.0.1.1.2.20040226170135.03fa14b8@imap.ecs.soton.ac.uk>
References: <3A411846CD3C0D4CB3D8704F93735370588F82@be-00.foundation.sdsu.edu> <6.0.1.1.2.20040226170135.03fa14b8@imap.ecs.soton.ac.uk>
Message-ID: <1077826224.3911.228.camel@dbeauchemin.sti.usherbrooke.ca>

On Thu 26/02/2004 at 12:03, Julian Field wrote:
> This is something I have started to look at. One of the problems is working
> out how it can be attacked and how best to handle the attacks.
>
> I would like to be able to check all the names in all the zip files that
> might be contained within further zip files, which could all be in 1 zip
> file attached to the message. If I check n levels down, someone will just
> pack their files in n+1 levels to beat me. Making sure that cannot be
> attacked is tricky.

Julian,

Ever since I told people that we might have to resort to block zip files I got angry answers. People have many legitimate uses for zip files and blocking them because viruses have started to travel that way seems to be a major irritant around here.

I had to block them on Monday night for 3-4 hours because I was afraid about Mydoom.f (shouldn't have been since I had the extra.dat in place to detect it) and during that time about 10 people asked for quarantined zip files (many were students turning in homework).

I think that exploring a small number of levels of zip recursion would be sufficient. Zip files that recurse more deeply should simply be quarantined. Of course the level could be user-selectable but I think that 5 could be enough for many.

Thanks again for taking the time to look into this ongoing project that saves our lives every day!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Thu Feb 26 21:07:04 2004
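Added example, not part of the thread and not MailScanner's implementation: a sketch of the policy discussed above, where member names are checked at every zip level and anything nested deeper than the limit is quarantined instead of passed, so packing one level deeper does not get a file through. The extension list, the size and member limits, and the sample archives are assumptions constructed for the illustration.

```python
import io
import zipfile
import zlib

# Assumed policy values for this sketch; they are not MailScanner settings.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat"}
MAX_DEPTH = 5                          # the depth suggested in the thread
MAX_MEMBERS = 1000                     # entries examined per attachment
MAX_MEMBER_BYTES = 10 * 1024 * 1024    # largest member that will be unpacked


def build_nested_zip(inner_name, levels):
    """Constructed sample: a harmless file wrapped in `levels` zip layers."""
    payload, name = b"harmless placeholder bytes", inner_name
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), "level%d.zip" % level
    return payload


def extension_of(filename):
    """Lower-cased final extension, ignoring trailing dots and spaces."""
    base = filename.lower().rstrip(" .").rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def scan_zip(data, max_depth=MAX_DEPTH):
    """Return (verdict, detail); verdict is 'clean', 'blocked' or 'quarantine'."""
    remaining = [MAX_MEMBERS]   # shared across all nesting levels

    def walk(blob, depth, path):
        try:
            archive = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            return ("quarantine", "unreadable archive: " + path)
        with archive:
            for info in archive.infolist():
                remaining[0] -= 1
                if remaining[0] < 0:
                    return ("quarantine", "too many archive members")
                member = path + "/" + info.filename
                if extension_of(info.filename) in BLOCKED_EXTENSIONS:
                    return ("blocked", member)
                if info.is_dir():
                    continue
                # Names are visible in an encrypted zip, contents are not.
                if info.flag_bits & 0x1:
                    return ("quarantine", "encrypted member: " + member)
                try:
                    with archive.open(info) as fh:
                        inner = fh.read(MAX_MEMBER_BYTES + 1)
                except (zipfile.BadZipFile, NotImplementedError,
                        RuntimeError, zlib.error):
                    return ("quarantine", "undecodable member: " + member)
                if len(inner) > MAX_MEMBER_BYTES:
                    return ("quarantine", "oversized member: " + member)
                # Detect nested archives by content, so a renamed .zip
                # is followed as well.
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    if depth >= max_depth:
                        return ("quarantine", "nested deeper than %d levels: %s"
                                % (max_depth, member))
                    verdict = walk(inner, depth + 1, member)
                    if verdict[0] != "clean":
                        return verdict
        return ("clean", "")

    return walk(data, 1, "attachment")


if __name__ == "__main__":
    for levels in (3, 5, 6):
        print(levels, scan_zip(build_nested_zip("invoice.pif", levels)))
```

Unreadable, encrypted and oversized members are quarantined as well, because the scanner cannot vouch for contents it could not inspect.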
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:45 2006
Subject: Blocking exe's, pif's, etc inside Zip file
In-Reply-To: <1077826224.3911.228.camel@dbeauchemin.sti.usherbrooke.ca>
References: <3A411846CD3C0D4CB3D8704F93735370588F82@be-00.foundation.sdsu.edu> <6.0.1.1.2.20040226170135.03fa14b8@imap.ecs.soton.ac.uk> <1077826224.3911.228.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <6.0.1.1.2.20040226210411.03985d10@imap.ecs.soton.ac.uk>

At 20:10 26/02/2004, you wrote:
>On Thu 26/02/2004 at 12:03, Julian Field wrote:
> > This is something I have started to look at. One of the problems is working
> > out how it can be attacked and how best to handle the attacks.
> >
> > I would like to be able to check all the names in all the zip files that
> > might be contained within further zip files, which could all be in 1 zip
> > file attached to the message. If I check n levels down, someone will just
> > pack their files in n+1 levels to beat me. Making sure that cannot be
> > attacked is tricky.

I have written the basic code, but it requires 3 more Perl modules to be installed. I doubt I have time to build and test the RPMs for the 3 modules before this weekend. Getting the RPMs absolutely right isn't easy, and is not a job to be hurried. But it may turn up some time after that.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscan at PRIS.CA Thu Feb 26 21:10:35 2004
From: mailscan at PRIS.CA (MailScanner Mailbox)
Date: Thu Jan 12 21:22:45 2006
Subject: DOS and Oversized Zip
In-Reply-To: <20040225101841.A19734@sthomas.net>
Message-ID:

Hello Steve

Thanks very much, looks like when I upgraded (make install) everything upgraded except the clamav.conf file.

Thanks
Rick

On Wed, 25 Feb 2004, Steve Thomas wrote:
> On Wed, Feb 25, 2004 at 10:06:53AM -0700, MailScanner Mailbox is rumored to have said:
> >
> > Or.... am I even looking at the right option, I am still getting more
> > "Denial of Service attack in message!" messages than I should be.
> >
>
> I think the option you're looking for is ArchiveMaxCompressionRatio. It's a newer option, so you should make sure you're using the latest clamav.
>
> --
> "The true measure of a man is how he treats someone who can do him absolutely no good."
> - Samuel Johnson (1709-1784)
>

From ka at PACIFIC.NET Thu Feb 26 20:54:19 2004
From: ka at PACIFIC.NET (Ken Anderson (Pacific Internet))
Date: Thu Jan 12 21:22:45 2006
Subject: Queued messages ?
In-Reply-To: <58696C94787F16468267F3509F115030981E@hermes.clumpton.homeip.net>
References: <58696C94787F16468267F3509F115030981E@hermes.clumpton.homeip.net>
Message-ID: <403E5CFB.6090001@pacific.net>

Sendmail has a utility called re-mqueue that will do pretty much what you want. Look for it in /usr/local/bin/re-mqueue or some other likely place.

Ken

MailScanner wrote:
> I'm considering a perl script on an hourly cron job to check all qf
> files in the outbound queue and delete those files and their
> corresponding df files, that have an empty (< >) from: field and
> have a retry count of at least four. (four strikes and you're out)
>
> This would give legitimate NDR's a fair chance of being delivered and
> remove all but the last few hours of bogus NDR's.
>
> I will post updates here
>
> Bart...
>
> ________________________________
>
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Max Kipness
> Posted At: 25 February 2004 16:17
> Posted To: MailScanner
> Conversation: Queued messages ?
> Subject: Queued messages ?
>
> Anybody have any suggestion for this problem??
>
> ----------------------------------------------------------------------
>
> Hope this isn't too off topic. It does have to do with MailScanner.
>
> I'm relaying several email domains to several servers and have extended
> the 4 hour and 4 day warning and bounce back times in sendmail to 2
> weeks. This is due to a client that is going through weekend power
> outages at the moment.
>
> I now have roughly 2000 emails in the queue, 95% of them have <> as the
> sender. This is also due to the fact that I am sending spam warning messages
> to senders, and must do this for false-positives.
>
> I was thinking of creating a script that parses the results of mailq and
> deletes every email with <> as the sender on a daily basis.
>
> Any thoughts on this? Pros and cons? Has anyone done this? Or is there
> anything in MailScanner that helps with this?
>
> Thanks,
> Max
>
>

From jonc at nc.rr.com Thu Feb 26 21:09:41 2004
From: jonc at nc.rr.com (Jon Carnes)
Date: Thu Jan 12 21:22:45 2006
Subject: MyDoom.F
In-Reply-To:
References: <403E0044.40307@eatathome.com.au> <1077807609.3155.59.camel@localhost.localdomain>
Message-ID: <1077829781.4824.54.camel@localhost.localdomain>

On Thu, 2004-02-26 at 13:19, Craig Daters wrote:
> Looking at this, it looks like this is not for ClamAV. I would like
> to use these examples to produce similar reports for ClamAV and
> F-Prot.
>
> I can sort of follow what is happening here, but I am not familiar
> with 'cut' so I am perusing the man page for cut, but can you kind of
> walk me through what's happening here with each of these examples?
>
> >===
> >I find it helpful to run two daily virus reports - one at noon that just
> >looks at that morning, the other at 6am and scans the whole week (so
> >far). The reports show the last time the AV dat files were updated and a
> >count of current viruses that have been stopped by MailScanner.
> >
> >The time the DAT files were last updated is given by:
> >  ls -l --time-style="+%b %d %r" /usr/local/uvscan/datfiles/current | \
> >    cut -c44-62

For ClamAV (or at least the clients I have running it) you would use
something like:
  ls -ld --time-style="+%b %d %r" /usr/local/share/clamav |cut -c44-62

The "cut -c44-62" cuts out all characters but the ones between 44th and
62nd columns. On my systems these columns happen to be where the
Date/Time shows up from the "ls" command.

> >
> >The virus count is given by:
> >  grep virus\ \! /var/log/maillog |cut -f7- "-d " |cut -f2 -d/ | \
> >    cut -f1 "-d " |sort |uniq -c |sort -nr
> >
> >For the noon day one I do something like:
> >  TODAY=`date -d "today" "+%b %e" `
> >  grep "$TODAY" /var/log/maillog |grep virus\ \! |cut -f7- "-d " | \
> >    cut -f2 -d/ |cut -f1 "-d " |sort |uniq -c |sort -nr
> >

In the above, I find the date and assign it to the variable "TODAY". The
format of the date is the same as that used in my maillog file.

Next I "grep" for today's date in the maillog file, then I take that
stream of information and look inside it for the word 'virus' followed
by a space and then an exclamation point: "virus !". This is a unique
tag used by MailScanner to log when it has found a virus. The actual
tag is "virus !!!"

Now I have a stream of information that contains all log entries from
today with MailScanner virus declarations. I want to trim this down to
just the virus names, so I use a series of "cut" commands - this is
necessary since the log entry does not use a fixed record format and has
a variable number of spaces in it (the file name for instance could have
spaces in it).
  cut -f7- "-d "
     This cuts the first 6 fields of the line, each field is separated
     by a space (the "-d " means use spaces to separate fields on
     the line). This gets rid of the file name section.
  cut -f2 -d/
     Now using "/" as a separator, only keep the second field
     (the part of the line that comes after the "/")
     This gets rid of anything left at the beginning of the line
     up to the W32/....
  cut -f1 "-d "
     Now only the virus name remains as the first word, so let's
     throw away anything after that first word on the line.

Now I have a stream of information that contains virus names, one/line.
I sort the names, then use "uniq -c" to count the number of times each
virus occurred.

Lastly, I sort this numbered list (in reverse order since I want the
higher numbers on top), and I'm done.

> >The report will look something like this:
> >
> >  Anti-Virus files last updated on: Feb 25 01:01:15 PM
> >  ===
> >  Morning Virus report:
> >      53 Netsky.b@MM!zip
> >      47 Netsky.b@MM
> >      17 Mydoom.f.zip
> >      15 Mydoom.f@MM
> >       4 Mimail.a@MM
> >       2 Bagle.b@MM
> >       1 Sober.c@MM
> >  ===
> >
> >As you can see from the report, it shows you clearly that the MyDoom.f
> >virus is being correctly caught.
> >
> >BTW: It's also a POC (Piece Of Cake) to publish this as a web page for
> >your organization, and is great PR for you and MailScanner.
> >
> >Hope this is helpful - Jon Carnes
>

I used to teach a class/seminar on scripting. I hope this was helpful!

Jon Carnes

From craig at WESTPRESS.COM Thu Feb 26 21:26:01 2004
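The virus report walked through in the message above, as an added Python example that is not part of the original post: `virus_counts` anchors on the "virus !!!" tag rather than on field positions, and `cut_style` mimics the three `cut` steps to show where position counting shifts. The log lines are constructed, and their layout (syslog prefix, file name, scanner text) is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines; host names, queue ids and file names are made up.
SAMPLE_LOG = [
    "Feb 26 09:14:02 mx1 MailScanner[2210]: ./i1QEDx02/document.pif Found the W32/Netsky.b@MM virus !!!",
    "Feb 26 09:15:40 mx1 MailScanner[2210]: ./i1QEFa03/data.zip Found the W32/Netsky.b@MM!zip virus !!!",
    "Feb 26 09:16:11 mx1 MailScanner[2210]: ./i1QEGb04/my holiday photos.zip Found the W32/Netsky.b@MM!zip virus !!!",
    "Feb 26 09:20:00 mx1 sendmail[2300]: i1QEHc05: to=<user@example.com>, stat=Sent",
    # syslog pads single-digit days with a second space
    "Feb  5 08:01:10 mx1 MailScanner[1907]: ./i15D1x01/report.pif Found the W32/Mydoom.f@MM virus !!!",
]

# The token directly in front of the "virus !!!" tag, e.g. "W32/Netsky.b@MM".
TAGGED = re.compile(r"(\S+) virus !!!")


def virus_counts(lines, day=None):
    """Count virus names; `day` is a syslog date prefix such as "Feb 26"
    or "Feb  5" (the format produced by date "+%b %e")."""
    counts = Counter()
    for line in lines:
        if day is not None and not line.startswith(day + " "):
            continue
        match = TAGGED.search(line)
        if match is None:
            continue
        # Drop the family prefix up to the first "/", as cut -f2 -d/ does.
        counts[match.group(1).split("/", 1)[-1]] += 1
    # Highest count first, names alphabetical within a tie.
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def cut_style(line):
    """Mimic  cut -f7- "-d " | cut -f2 -d/ | cut -f1 "-d "  on one line."""
    rest = " ".join(line.split(" ")[6:])      # every single space is a delimiter
    parts = rest.split("/")
    second = parts[1] if len(parts) > 1 else rest
    return second.split(" ")[0]


def format_report(counts):
    """Render counts in the same shape as the output of uniq -c."""
    return "\n".join(f"{count:7d} {name}" for name, count in counts)


if __name__ == "__main__":
    print(format_report(virus_counts(SAMPLE_LOG)))
    print("cut-style on a padded-day line:", cut_style(SAMPLE_LOG[4]))
```

With this constructed layout the padded day adds an empty field, so the `cut` steps return part of the file path for that line, while the tag-anchored parse is unaffected.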
From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:45 2006 Subject: MyDoom.F In-Reply-To: <1077829781.4824.54.camel@localhost.localdomain> References: <403E0044.40307@eatathome.com.au> <1077807609.3155.59.camel@localhost.localdomain> <1077829781.4824.54.camel@localhost.localdomain> Message-ID: I meant for this to go to the list, but Eudora always want to reply to the original sender, sorry. Original message below.... -- This helped immensely, thank you very much! I didn't even know that data could be manipulated like this. Can you think of any resources that I might look into to learn more about all of this? >On Thu, 2004-02-26 at 13:19, Craig Daters wrote: >> Looking at this, it looks like this is not for ClamAV. I would like >> to use these examples to produce similar reports for ClamAV and >> F-Prot. >> >> I can sort of follow what is happening here, but I am not familiar >> with 'cut' so I am purusing the man page for cut, but can you kind of >> walk me through what's happening here with each of these examples? >> >> >=== >> >I find it helpful to run two daily virus reports - one at noon that just >> >looks at that morning, the other at 6am and scans the whole week (so >> >far). The reports show the last time the AV dat files were updated and a >> >count of current viruses that have been stopped by MailScanner. >> > >> >The time the DAT files were last updated is given by: >> > ls -l --time-style="+%b %d %r" /usr/local/uvscan/datfiles/current \ >> > cut -c44-62 > >For ClamAV (or at least the clients I have running it) you would use >something like: > ls -ld --time-style="+%b %d %r" /usr/local/share/clamav |cut -c44-62 > >The "cut -c44-62" cuts out all characters but the ones between 44th and >62nd columns. On my systems these columns happen to be where the >Date/Time shows up from the "ls" command. > > > >> > >> >The virus count is given by: >> > grep virus\ \! 
/var/log/maillog |cut -f7- "-d " |cut -f2 -d/ | \ >> > cut -f1 "-d " |sort |uniq -c |sort -nr >> > >> >For the noon day one I do something like: >> > TODAY=`date -d "today" "+%b %e" ` >> > grep "$TODAY" /var/log/maillog |grep virus\ \! |cut -f7- "-d " | \ >> > cut -f2 -d/ |cut -f1 "-d " |sort |uniq -c |sort -nr >> > > >In the above, I find the date and assign it to the variable "TODAY". The >format of the date is the same as that used in my maillog file. > >Next I "grep" for todays date in the maillog file, then I take that >stream of information and look inside it for the word 'virus' followed >by a space and then an exclamation point: "virus !". This is a unique >tag used by MailScanner to log when it has found a virus. The actual >tag is "virus !!!" > >Now I have a stream of information that contains all log entries from >today with MailScanner virus declarations. I want to trim this down to >just the virus names, so I use a series of "cut" commands - this is >necessary since the log entry does not use a fixed record format and has >a variable number of spaces in it (the file name for instance could have >spaces in it). > cut -f7- "-d " > This cuts the first 6 fields of line, each field is separated > by a space (the "-d " means use spaces to separate fields on > the line). This gets rid of the file name section. > cut -f2 -d/ > Now using "/" as a separator, only keep the second field > (the part of the line that comes after the "/") > This gets rid of anything left at the beginning of the line > up to the W32/.... > cut -f1 "-d " > Now only the virus name remains as the first word, so lets > throw away anything after that first word on the line. > >Now I have a stream of information that contains virus names, one/line. >I sort the names, then use "uniq -c" to count the number of times each >virus occured. > >Lastly, I sort this numbered list (in reverse order since I want the >higher numbers on top), and I'm done. 
> > >> >The report will look something like this: >> > >> > Anti-Virus files last updated on: Feb 25 01:01:15 PM >> > === >> > Morning Virus report: >> > 53 Netsky.b@MM!zip >> > 47 Netsky.b@MM >> > 17 Mydoom.f.zip >> > 15 Mydoom.f@MM >> > 4 Mimail.a@MM >> > 2 Bagle.b@MM >> > 1 Sober.c@MM >> > === >> > >> >As you can see from the report, it shows you clearly that the MyDoom.f >> >virus is being correctly caught. > > > >> >BTW: It's also a POC (Piece Of Cake) to publish this as a web page for >> >your organization, and is great PR for you and MailScanner. > > > >> >Hope this is helpful - Jon Carnes >> > >I used to teach a class/seminar on scripting. I hope this was helpful! > >Jon Carnes -- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From cstamas at digitus.itk.ppke.hu Thu Feb 26 21:42:19 2004 
From: cstamas at digitus.itk.ppke.hu (Csillag Tamás)
Date: Thu Jan 12 21:22:45 2006
Subject: Bug in Maximum Attachments Per Message (Was: Re: Problem with list digests)
In-Reply-To: <6.0.1.1.2.20040226162918.03f965b0@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040226151518.03ae7d78@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040226162918.03f965b0@imap.ecs.soton.ac.uk>
Message-ID: <20040226214219.GK8428@digitus>

Hi,

It means that I made a mistake as I set 'Maximum Attachments Per Message'
too low. This caused the problem.

But this raises a bug in MailScanner. As you mentioned: it did not add *nothing*
after Full headers (Teljes Fejléc).

The problem was in our settings but mailscanner should tell us what's going on.
The recipient does not receive the reason of '{Blocked Content}' too.

Thanks.

On 02/26, Julian Field wrote:
> That apparently contains a totally blank report. Someone has screwed up
> something in your reports for that to happen. What is the "Teljes fejlec::"
> text doing there? What does it mean anyway?
>
> At 16:22 26/02/2004, you wrote:
> > Thanks for the prompt response.
> >
> > The report reads:
> >
> >-------------8<---------------------------------------------------------
> >Subject: Figyelem: E-mail virus! (A manus.itk.ppke.hu-n)
> >
> >A kovetkezo e-mail uzenetek virusokat tartalmaztak:
> >
> >    Sender: pasztor@lex.jak.ppke.hu
> >IP Address: 127.0.0.1
> > Recipient: pasztor@manus.itk.ppke.hu
> >   Subject: Mailman-Users Digest, Vol 17, Issue 67
> > MessageID: 1AwOCp-0004xZ-9U
> >    Report:
> >Teljes fejlec::
> >
> > Received: from localhost ([127.0.0.1] helo=manus.itk.ppke.hu)
> >         by localhost.manus.itk.ppke.hu with esmtp (Exim 4.30)
> >         id 1AwOCp-0004xZ-9U
> >         for pasztor@manus.itk.ppke.hu; Thu, 26 Feb 2004 17:17:47 +0100
> > Received: from lex.jak.ppke.hu (lex.jak.ppke.hu [195.111.132.3])
> >         by manus.itk.ppke.hu (Postfix) with ESMTP id 33CA9E5C
> >         for ; Thu, 26 Feb 2004 17:17:47 +0100 (CET)
> > Received: from localhost (lex [127.0.0.1])
> >         by lex.jak.ppke.hu (Postfix) with ESMTP id 0CBE16BAA
> >         for ; Thu, 26 Feb 2004 17:18:56 +0100 (CET)
> > Received: from lex.jak.ppke.hu (lex.jak.ppke.hu [195.111.132.3])
> >         by lex.jak.ppke.hu (Postfix) with ESMTP id 51B164D86
> >         for ; Thu, 26 Feb 2004 17:18:52 +0100 (CET)
> >-------------8<---------------------------------------------------------
> >
> > It's partly in Hungarian, but I'm sure you get it.
> >
> >On Thu, 26 Feb 2004, Julian Field wrote:

--
cstamas

From jwilliams at COURTESYMORTGAGE.COM Thu Feb 26 21:47:59 2004
From: jwilliams at COURTESYMORTGAGE.COM (Jason Williams) Date: Thu Jan 12 21:22:45 2006 Subject: Few general questions regarding MailScanner In-Reply-To: <6.0.0.22.0.20040225200845.01b88380@xanadu.evi-inc.com> References: <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com > <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com> Message-ID: <5.2.1.1.0.20040226134556.00a94c58@pop.courtesymortgage.com> >Mimedefang: sendmail only, milter level, efficient, can do SMTP layer >rejections. Interesting. Good stuff to know. >MailScanner: > very flexible > "double queue" system probably less efficient in peak thruput, but >also allows heavy bursts of mail to come in without increasing the number >of scanners running at once. > Cannot do SMTP layer rejections I read it has a incoming and outgoing queue. What are some of the drawbacks of the two? What can Mailscanner do that MIMEDefang cannot? And vice versa? Is one more secure than the other? What about stability? Reliability? >I suspect that MailScanner can handle more inbound emails/sec, making it >better at handling short-term spikes in email gracefully, but I suspect >mimedefang has a better "sustained" thruput, making it better for >heavy-load systems without big spikes in traffic. I see. So it could be dependent upon how much email is sent and received daily. Anybody else care to comment on this? I'd love to hear more feedback. Makes my decision easier to make. Thanks. Jason From mikes at HARTWELLCORP.COM Thu Feb 26 21:55:15 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:45 2006 Subject: Which messages to feed to Bayes? Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CD3@hart-exchange.hartwellcorp.com> Should we be feeding the Bayes engine in Spamassassin messages that it has recognized as spam? The reason I am considering doing this is the thought that it would eventually increase the spam score on like emails until they break the high spam score level and get dropped instead of flagged. Comments? -- Michael St. Laurent Hartwell Corporation From peter at UCGBOOK.COM Thu Feb 26 21:57:33 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:45 2006 Subject: MyDoom.F In-Reply-To: References: <403E0044.40307@eatathome.com.au> <1077807609.3155.59.camel@localhost.localdomain> <1077829781.4824.54.camel@localhost.localdomain> Message-ID: <403E6BCD.9030808@ucgbook.com> Craig Daters wrote: > This helped immensely, thank you very much! I didn't even know that > data could be manipulated like this. Can you think of any resources > that I might look into to learn more about all of this? You don't happen to be from the Windows side, do you? Don't worry, we're friendly geeks. :-) There's not a text file Unix can't process. You need to look at the man pages for grep, sed, cut, awk and so on. There's lots of literature on the subject but a book I really liked is "UNIX Shells by Example" by Ellie Quigley, it covers a lot in a step by step way. If you want more of a reference book with cross-references between OS:es (14 of them including Windows and Linux) you can get "Universal Command Guide: For Operating Systems", I co-authored that one. As usual the net is full of references to everything you can google up but I don't know any place that teaches this stuff in a good way for beginners. Books are probably better to start with and then use the net for reference later on. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From peter at UCGBOOK.COM Thu Feb 26 22:08:53 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:45 2006 Subject: Which messages to feed to Bayes? In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CD3@hart-exchange.hartwellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56CD3@hart-exchange.hartwellcorp.com> Message-ID: <403E6E75.4000604@ucgbook.com> Michael St. Laurent wrote: > Should we be feeding the Bayes engine in Spamassassin messages that it has > recognized as spam? The reason I am considering doing this is the thought > that it would eventually increase the spam score on like emails until they > break the high spam score level and get dropped instead of flagged. > > Comments? If the score triggered the autolearn feature Bayes will not learn from the same message again. Look in bayes_seen, it's full of message id:s. So this feature already exists, just lower the threshold for autolearn if you want to, the default is 12. Put "bayes_auto_learn_threshold_spam 8" or similar in spam.assassin.prefs.conf and it will do it for you. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From jonc at nc.rr.com Thu Feb 26 22:08:47 2004 
From: jonc at nc.rr.com (Jon Carnes) Date: Thu Jan 12 21:22:45 2006 Subject: To learn Scripting - try the Bash tutorials In-Reply-To: References: <403E0044.40307@eatathome.com.au> <1077807609.3155.59.camel@localhost.localdomain> <1077829781.4824.54.camel@localhost.localdomain> Message-ID: <1077833327.4824.67.camel@localhost.localdomain> On Thu, 2004-02-26 at 16:26, Craig Daters wrote: > I meant for this to go to the list, but Eudora always want to reply > to the original sender, sorry. Original message below.... > -- > > This helped immensely, thank you very much! I didn't even know that > data could be manipulated like this. Can you think of any resources > that I might look into to learn more about all of this? The Linux Documentation Project is always a great resource. In this case take a look at the Advanced Bash Scripting Guide. Very straight forward with examples that are easy to follow: http://www.tldp.org/LDP/abs/html/ Part of the beauty of Unix lays in these Macro functions that allow you to manipulate streams of data directly from the command line. Scripting will give you power over your data and your log files, and allow you to write macro programs quickly that are often as fast (or faster) than using programs written in perl. Each script command (like "cut", "sort", "uniq", "grep", etc...) acts like a highly optimized sub-routine or function to perform rapid manipulations of your data. Thus scripting is like using a high level language with highly optimized "function calls" for manipulating data. Jon Carnes From ugob at CAMO-ROUTE.COM Thu Feb 26 22:55:36 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:45 2006 Subject: Blocking exe's, pif's, etc inside Zip file Message-ID: <54C38A0B814C8E438EF73FC76F362927410938@mtlnt501fs.CAMOROUTE.COM> > > I have written the basic code, but it requires 3 more Perl > modules to be > installed. I doubt I have time to build and test the RPMs for > the 3 modules > before this weekend. Getting the RPMs absolutely right isn't > easy, and is > not a job to be hurried. But it may turn up some time after that. That is okay. Time isn't that much of a concern, compared to quality of code. I wouldn't want to hurry someone who's that much dedicated to quality programming. I'm getting concerned with this as well as one virus came through mailscanner today, but got stopped by symantec for exchange. First time since mailscanner's installation. It would be very nice to have mailscanner go into the zip files. Thanks, Ugo > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From Adler42a at GMX.DE Thu Feb 26 22:54:34 2004 
From: Adler42a at GMX.DE (Frank Adler) Date: Thu Jan 12 21:22:45 2006 Subject: MailScanner won't pick up Mail Message-ID: Hi List, I want to use Fetchmail->Exim->Mailscanner->Exim->Cyrus. (Using Suse 8.1, Exim 4.12, MailScanner 4.26.8-1) The Fetchmail-Part works fine. Puts the mail into /var/spool/exim.in/input Here comes the Problem: MailScanner does not pick up or touch the message in any way. I don't get any errors and don't know how to turn on the "Debug-Mode" - if there is such a thing. Sounds to me like a Dir-Problem, but I can't find it... :-( I would apreciate your help very much! Thank you, Frank Some Config-Extracts: MailScanner.conf: Run As User = exim Run As Group = mail Incoming Queue Dir = /var/spool/exim.in #I also tried: /input/*, /input/ Outgoing Queue Dir = /var/spool/exim #I also tried: /input/ Incoming Work Dir = /var/spool/MailScanner/incoming Quarantine Dir = /var/spool/MailScanner/quarantine PID file = /var/run/MailScanner.pid MTA = exim Sendmail = /usr/sbin/exim Sendmail2 = /usr/sbin/exim # Split Exim Spool = yes Virus Scanners = none Rest is unchanged... 
/etc/SysConfig/MailScanner: MTA=exim MAILSCANNER_WORKDIR=/var/spool/MailScanner/incoming RESTART_DELAY=2 EXIM=/usr/sbin/exim POSTFIX=/usr/sbin/postfix POSTFIXINCF=/etc/postfix.in POSTFIXOUTCF=/etc/postfix MAILSCANNER_INQDIR=/var/spool/exim.in/input SENDMAIL=/usr/sbin/sendmail SENDMAIL_IN_ARGS="-L sendmail-in -Am -bd -om" SENDMAIL_OUT_ARGS="-L sendmail-out -Am -q30m -om" /etc/init.d/mailscanner: #!/bin/bash MAILSCANNER_BIN=/usr/sbin/check_MailScanner test -x $MAILSCANNER_BIN || exit 5 MTA=exim POSTFIX=/usr/sbin/postfix POSTFIXINCF=/etc/postfix.in POSTFIXOUTCF=/etc/postfix MAILSCANNER_WORKDIR="/var/spool/MailScanner/incoming" MAILSCANNER_INQDIR="/var/spool/exim.in/input" SENDMAIL_IN_ARGS="-L sendmail-in -Am -bd -om" SENDMAIL_CLIENT_ARGS="-L sendmail-client -Ac -q30m" SENDMAIL_OUT_ARGS="-L sendmail-out -Am -q30m -om" SENDMAIL="/usr/sbin/sendmail" RESTART_DELAY=2 # Check for existence of needed config files and read them test -s /etc/sysconfig/mail && \ . /etc/sysconfig/mail test -s /etc/sysconfig/sendmail && \ . /etc/sysconfig/sendmail test -s /etc/sysconfig/MailScanner && \ . 
/etc/sysconfig/MailScanner if test "$SMTPD_LISTEN_REMOTE" != "yes" ; then SENDMAIL_IN_ARGS="-O DaemonPortOptions=Addr=127.0.0.1 $SENDMAIL_IN_ARGS" fi if test "$MTA" = "sendmail" ; then test -x $SENDMAIL || exit 5 fi SENDMAIL_IN_ARGS="-OPrivacyOptions=noetrn -ODeliveryMode=queueonly - OQueueDirectory=$MAILSCANNER_INQDIR $SENDMAIL_IN_ARGS" msppid=/var/spool/clientmqueue/sm-client.pid EXIM_PIDIN=/var/run/exim_in.pid EXIM_PIDOUT=/var/run/exim_out.pid mspid=/var/run/MailScanner.pid StartInSendmail() { echo -n "Initializing incoming $MTA" if [ $MTA = 'postfix' ]; then if test -x $POSTFIX -a -f $POSTFIXINCF/main.cf ; then startproc $POSTFIX -c $POSTFIXINCF start 2> /dev/null rc_status else echo echo "Error: Could not find Postfix installation, see /etc/sysconfig/MailScanner" fi elif [ $MTA = 'sendmail' ]; then startproc -p $srvpid $SENDMAIL $SENDMAIL_IN_ARGS startproc -f -p $msppid $SENDMAIL $SENDMAIL_CLIENT_ARGS rc_status elif [ $MTA = 'exim' ]; then echo -n "Starting Exim_Incoming..." $EXIM -bd -odq -DSPOOL=/var/spool/exim.in -oP $EXIM_PIDIN rc_status -v fi } StartOutSendmail() { echo -n "Initializing outgoing $MTA" if [ $MTA = 'postfix' ]; then if test -x $POSTFIX -a -f $POSTFIXOUTCF/main.cf ; then startproc $POSTFIX -c $POSTFIXOUTCF start 2> /dev/null rc_status else echo echo "Error: Could not find Postfix installation, see /etc/sysconfig/MailScanner" fi elif [ $MTA = 'sendmail' ]; then startproc -f -p $srvoutpid $SENDMAIL $SENDMAIL_OUT_ARGS rc_status elif [ $MTA = 'exim' ]; then echo -n "Starting Exim_Outgoing..." $EXIM -q1m -oP $EXIM_PIDOUT rc_status -v fi } . 
/etc/rc.status rc_reset case "$1" in startin) StartInSendmail ;; startout) StartOutSendmail ;; start) StartInSendmail StartOutSendmail echo -n "Initializing MailScanner\n" startproc -f -p $mspid /usr/sbin/check_MailScanner >/dev/null # This didn't work as expected: rc_status -v rm -f /var/lock/subsys/MailScanner.off >/dev/null 2>&1 ;; stop) echo -n "Shutting down exim and MailScanner" if [ $MTA = 'postfix' ]; then $POSTFIX -c /etc/postfix.in stop 2>/dev/null $POSTFIX -c /etc/postfix stop 2>/dev/null rc_status elif [ $MTA = 'exim' ]; then killproc -TERM $EXIM rc_status elif [ $MTA = 'sendmail' ]; then killproc -p $msppid -TERM $SENDMAIL rc_status killproc -p $srvpid -TERM $SENDMAIL rc_status killproc -p $srvoutpid -TERM $SENDMAIL rc_status fi killproc -p $mspid -TERM /usr/sbin/MailScanner rc_status -v # Clear out all the old pid files rm -f $mspid # Clear out the old incoming dirs cd $MAILSCANNER_WORKDIR && ls | egrep '^[0123456789]+$' | xargs /bin/rm -rf 2>/dev/null touch /var/lock/subsys/MailScanner.off >/dev/null 2>&1 ;; try-restart) $0 stop && sleep $RESTART_DELAY && $0 start rc_status ;; restart) $0 stop sleep $RESTART_DELAY $0 start rc_status ;; reload|force-reload) echo -n "Reload service sendmail" killproc -p $mspid -HUP /usr/sbin/MailScanner rc_status -v ;; status) echo -n "Checking for services exim & MailScanner: " checkproc -p $srvpid $SENDMAIL rc_status checkproc -p $msppid $SENDMAIL rc_status checkproc -p $srvoutpid $SENDMAIL rc_status checkproc -p $mspid /usr/sbin/MailScanner rc_status -v ;; probe) test /etc/sendmail.cf -nt $srvpid -o /etc/mail/submit.cf -nt $msppid \ -o /etc/MailScanner/MailScanner.conf -nt $mspid && echo reload ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force- reload|reload|probe|startin|startout}" exit 1 esac rc_exit From shrek-m at GMX.DE Thu Feb 26 23:10:36 2004 
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:45 2006
Subject: Blocking exe's, pif's, etc inside Zip file
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410938@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410938@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <403E7CEC.9000909@gmx.de>

Ugo Bellavance wrote:

>>I have written the basic code, but it requires 3 more Perl
>>modules to be
>>installed. I doubt I have time to build and test the RPMs for
>>the 3 modules
>>before this weekend. Getting the RPMs absolutely right isn't
>>easy, and is
>>not a job to be hurried. But it may turn up some time after that.
>>
>
>That is okay. Time isn't that much of a concern, compared to quality of code. I wouldn't want to hurry someone who's that much dedicated to quality programming.
>
>I'm getting concerned with this as well as one virus came through mailscanner today, but got stopped by symantec for exchange. First time since mailscanner's installation.
>
>It would be very nice to have mailscanner go into the zip files.
>
>Thanks,
>

just my thoughts, thanks for the translation :-)

--
shrek-m

From mkettler at EVI-INC.COM Thu Feb 26 23:31:06 2004
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:45 2006 Subject: Which messages to feed to Bayes? In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CD3@hart-exchange.har twellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56CD3@hart-exchange.hartwellcorp.com> Message-ID: <6.0.0.22.0.20040226182325.028a88d0@xanadu.evi-inc.com> At 04:55 PM 2/26/2004, Michael St. Laurent wrote: >Should we be feeding the Bayes engine in Spamassassin messages that it has >recognized as spam? The reason I am considering doing this is the thought >that it would eventually increase the spam score on like emails until they >break the high spam score level and get dropped instead of flagged. My answer is a very emphatic YES! There's absolutely NO valid reason to skip messages that SA caught when doing training. And there are good, valid reasons to train them. Those who naysay training tagged messages, or messages that are already BAYES_99 are only doing so because they don't understand how bayes works, and are coming to an incorrect conclusion that it won't help SA with other spam. The key factor is that bayes doesn't learn to recognize an email... it learns about spam in general from each email. SA applies lessons learned from one spam to other spam which isn't entirely the same, but may contain some small similarities. Feeding messages which SA already tags, and even ones that are already BAYES_99 can help prevent false negatives in messages that wouldn't otherwise catch because there were no tokens that matched it. Even messages that are already BAYES_99 can contain tokens that SA hasn't learned yet. BAYES_99 means that the tokens SA recognizes are collectively likely to be spam, but it doesn't mean that there aren't any new tokens to learn about in the message, and it doesn't mean that all the tokens even have high spam probabilities. From mkettler at EVI-INC.COM Thu Feb 26 23:49:12 2004 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:45 2006
Subject: Which messages to feed to Bayes?
In-Reply-To: <403E6E75.4000604@ucgbook.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56CD3@hart-exchange.hartwellcorp.com> <403E6E75.4000604@ucgbook.com>
Message-ID: <6.0.0.22.0.20040226183157.02ac22a8@xanadu.evi-inc.com>

At 05:08 PM 2/26/2004, Peter Bonivart wrote:
>If the score triggered the autolearn feature Bayes will not learn from
>the same message again. Look in bayes_seen, it's full of message id:s.
>
>So this feature already exists, just lower the threshold for autolearn
>if you want to, the default is 12. Put "bayes_auto_learn_threshold_spam
>8" or similar in spam.assassin.prefs.conf and it will do it for you

Not to be critical, but autolearn isn't a panacea. Autolearning is helpful,
but it won't learn every message that SA tags, even if your autolearn and
spam threshold scores are the same.

Generally speaking it's quite hard to get the autolearner to learn a message.

All of the following conditions have to be true to learn as spam:

1) Calculating without AWL, white/blacklists, or bayes, and using a
   non-bayes scoreset the score must be greater than
   bayes_auto_learn_threshold_spam.
2) The header rules must total at least 3.0 in score
3) The body rules must total at least 3.0 in score
4) The existing bayes score must not be strongly non-spam in nature.
5) The opportunistic one-try attempt at locking the bayes database must
   succeed. (ie: nothing else can be updating bayes at the same time)

I wouldn't auto-feed all tagged mail back to SA for training.. but I would
definitely still do manual training, and I would include tagged spam in my
training.

As you've mentioned sa-learn already has the feature of not re-learning the
same message, so you're not wasting much CPU time for SA to decide it's
already seen a given message ID and move on without learning it. That
feature isn't a reason to avoid training..

Using a mailbox of 205 messages, all tagged by SA. 108 of them were over 15
in score, 97 of them under 15 in score but over 5.

110 of the 205 were learnable by sa-learn. I'll admit I'm using the default
threshold of 12.. but that autolearned less than half of these messages. It
didn't even autolearn all the high-scoring messages.

From mikes at HARTWELLCORP.COM Thu Feb 26 23:47:45 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:45 2006 Subject: Which messages to feed to Bayes? Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CD6@hart-exchange.hartwellcorp.com> Matt Kettler wrote: > At 04:55 PM 2/26/2004, Michael St. Laurent wrote: >> Should we be feeding the Bayes engine in Spamassassin messages that >> it has recognized as spam? The reason I am considering doing this >> is the thought that it would eventually increase the spam score on >> like emails until they break the high spam score level and get >> dropped instead of flagged. > > My answer is a very emphatic YES! > > There's absolutely NO valid reason to skip messages that SA caught > when doing training. And there are good, valid reasons to train them. > > Those who naysay training tagged messages, or messages that are > already BAYES_99 are only doing so because they don't understand how > bayes works, and are coming to an incorrect conclusion that it won't > help SA with other spam. > > The key factor is that bayes doesn't learn to recognize an email... it > learns about spam in general from each email. SA applies lessons > learned from one spam to other spam which isn't entirely the same, > but may contain some small similarities. > > Feeding messages which SA already tags, and even ones that are already > BAYES_99 can help prevent false negatives in messages that wouldn't > otherwise catch because there were no tokens that matched it. > > Even messages that are already BAYES_99 can contain tokens that SA > hasn't learned yet. BAYES_99 means that the tokens SA recognizes are > collectively likely to be spam, but it doesn't mean that there aren't > any new tokens to learn about in the message, and it doesn't mean > that all the tokens even have high spam probabilities. Excellent. Okay, what about spam messages that have lost their headers becuase the user forwarded it to me (Outlook strips the headers when you do that). 
Will it still benefit from looking at just the body of the message?

--
Michael St. Laurent
Hartwell Corporation

From mkettler at EVI-INC.COM Thu Feb 26 23:53:57 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:45 2006
Subject: Which messages to feed to Bayes?
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CD6@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56CD6@hart-exchange.hartwellcorp.com>
Message-ID: <6.0.0.22.0.20040226185214.02a8ee50@xanadu.evi-inc.com>

At 06:47 PM 2/26/2004, Michael St. Laurent wrote:
>Excellent. Okay, what about spam messages that have lost their headers
>because the user forwarded it to me (Outlook strips the headers when you do
>that). Will it still benefit from looking at just the body of the message?

No.. SA requires a complete email to be trained, and it learns from both the headers and the body at the same time.

If you can get them to forward you the message as an attachment with headers, or use some kind of redirect feature that keeps the headers intact you should be OK.. But plain forwards don't work.

From mikes at HARTWELLCORP.COM Thu Feb 26 23:55:44 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:45 2006
Subject: Which messages to feed to Bayes?
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CD7@hart-exchange.hartwellcorp.com>

Matt Kettler wrote:
> At 06:47 PM 2/26/2004, Michael St. Laurent wrote:
>> Excellent. Okay, what about spam messages that have lost their
>> headers because the user forwarded it to me (Outlook strips the
>> headers when you do that). Will it still benefit from looking at
>> just the body of the message?
>
> No.. SA requires a complete email to be trained, and it learns from
> both the headers and the body at the same time.
>
> If you can get them to forward you the message as an attachment with
> headers, or use some kind of redirect feature that keeps the headers
> intact you should be OK.. But plain forwards don't work.

I've not found a simple way of getting Outlook to do that. My current solution is to create folders on the Exchange server that they themselves can drag and drop the messages into.

BTW, if anyone on list has discovered a way of doing this (getting the Outlook/Exchange server combo to keep all the headers in a forwarded message, attached or not) then please, please let me know. I would love to know how. ;-D

--
Michael St. Laurent
Hartwell Corporation

From mikes at HARTWELLCORP.COM Thu Feb 26 23:56:54 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:45 2006
Subject: Which messages to feed to Bayes?
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CD8@hart-exchange.hartwellcorp.com>

Matt Kettler wrote:
> At 06:47 PM 2/26/2004, Michael St. Laurent wrote:
>> Excellent. Okay, what about spam messages that have lost their
>> headers because the user forwarded it to me (Outlook strips the
>> headers when you do that). Will it still benefit from looking at
>> just the body of the message?
>
> No.. SA requires a complete email to be trained, and it learns from
> both the headers and the body at the same time.
>
> If you can get them to forward you the message as an attachment with
> headers, or use some kind of redirect feature that keeps the headers
> intact you should be OK.. But plain forwards don't work.

So what happens when it *does* get a message with no real header information?

--
Michael St. Laurent
Hartwell Corporation

From ka at PACIFIC.NET Fri Feb 27 00:40:18 2004
From: ka at PACIFIC.NET (Ken Anderson (Pacific Internet)) Date: Thu Jan 12 21:22:45 2006 Subject: ANNOUNCE: beta 4.27.5 released In-Reply-To: <6.0.1.1.2.20040226182951.03bcad20@imap.ecs.soton.ac.uk> References: <403D4041.3080502@pacific.net> <6.0.1.1.2.20040226182951.03bcad20@imap.ecs.soton.ac.uk> Message-ID: <403E91F2.1090907@pacific.net> I'll grab the final 4.27 when it's out and try again. It may just be time for another MailScanner box! Thanks for your efforts! Ken A. Pacific.Net Julian Field wrote: > Unfortunately the robustness improvements I have made to the MIME decoder > result in it going more slowly. There is pretty much nothing I can do about > this, I'm afraid. The decoder needed to be more robust than it was, as > there have been a couple of cases recently where messages (particularly > caused by MTAs bouncing the whole message rather than just the headers or > the first few lines) have managed to get past MailScanner. You could have > it faster, but at the cost of robustness. > I have just re-written some of the code to try to make it faster, I hope > that will help. If you want to switch off the main improvement, then > disable the "ExplodePart" subroutine in Message.pm. > > Sorry, there's not much more I can do about this :-( > > At 00:39 26/02/2004, you wrote: > >> I will try to get more info on what happened as time permits. >> I can tell you that it seemed to be the upgrade that caused the backlog >> of mail in mqueue.in. Right now I'm just glad to see the number of >> messages in mqueue.in dropping again. Here's what happened visually >> after upgrading from Mailscanner-4.26.5-1 to MailScanner-4.27.6-1 at 11 >> am this morning: http://www.pacificsites.com/~ken/ms/02252004.png >> I tried turning off DCC, Pyzor, tweaking a few other options, but to no >> avail. I'm back to 4.26.5-1 now and things snapped back rather quickly >> when I downgraded. >> Thanks, >> Ken A >> >> >> Raymond Dijkxhoorn wrote: >> >>> Hi! 
>>> >>> >>>>> What do you mean with not getting scanned ? Is mail stuck there or >>>>> something? Same version runs like a charm here. >>>> >>>> >>>> It's steadily building up a backlog of mail. It is scanning, but seems >>>> to be too slow to keep up. The incoming volumn has not increased. >>>> I'd like to back up to a previous version. >>>> Any help appreciated. >>> >>> >>> >>> Just do rpm -i --nodeps --force >>> >>> And dont forget to put back your old config. >>> >>> Bye, >>> Raymond. >>> > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From William.Burns at AEROFLEX.COM Fri Feb 27 00:40:19 2004 
From: William.Burns at AEROFLEX.COM (William Burns)
Date: Thu Jan 12 21:22:45 2006
Subject: SuSE 9 install problem
Message-ID: <403E91F3.9080702@aeroflex.com>

Hello:

Conclusion:
The perl-MIME-tools need to be added to the list of dependencies checked for in install.sh.

Reasoning:
I'm running two SuSE machines.
One of them is "SuSE Linux Standard Server 8.0"
The other is "SuSE Linux 9.0" (It's a boxed SuSE LINUX Professional version)

When installing from the gzipped RPM version (MailScanner-4.26.8-1.suse.tar.gz)

The install process works fine w/ SuSE 8.0
(It asks me to install pre-requisites, and run Update-MakeMaker.sh)

On SuSE 9.0, it doesn't ask me to run Update-MakeMaker.sh
(after having problems, I did anyway. I'm not sure if it helped or not)

But... w/ SuSE 9, I got an error message when the install script was rebuilding.
The error was:
> error: Failed build dependancies:
> perl >= 0:5.00503 is needed by perl-Net-CIDR-0.08-2

SuSE 9 uses perl v5.8.1, and it's installed by default.
So... that's not the problem.

It turns out that perl-Net-CIDR-0.08-2 requires the MIME/body.pm module from perl-MIME-tools. That package is not part of the default install for SuSE 9.0.
perl-MIME-tools-5.411a-272.i586.rpm IS included on disk 4 of that distro
(If anyone's looking for it)

Is this old news to you guys?
I don't see this info in the FAQ list, and couldn't find the problem via google.

-Bill

From SBrown at VNINC.COM Fri Feb 27 01:24:59 2004
From: SBrown at VNINC.COM (Scott Brown)
Date: Thu Jan 12 21:22:45 2006
Subject: 4.27-6 Release Date?
Message-ID:

Is there a planned release date for 4.27-6 ? I need my "bounce" back.

Thanks
==================================
Wm. Scott Brown
Network Engineer/Owner
VistaNet, Inc.
(530) 891-8555

From tmpst.geo at YAHOO.COM Fri Feb 27 05:19:38 2004
From: tmpst.geo at YAHOO.COM (Mr Christopher Macdonald)
Date: Thu Jan 12 21:22:45 2006
Subject: Forward to other port
In-Reply-To: <403E91F2.1090907@pacific.net>
Message-ID: <20040227051938.40202.qmail@web41411.mail.yahoo.com>

I have a scenario very similar to the one described in the FAQ here: http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/152.html

MailScanner will be configured on my MX. After Scanning incoming mail I would like the mail to be forwarded via SMTP to another server. The one difference between the scenario in the FAQ and my scenario is that the end server is running its smtp server on a non-standard port.

Can I do this? Any suggestions on how?

__________________________________
Do you Yahoo!?
Get better spam protection with Yahoo! Mail.
http://antispam.yahoo.com/tools

From iah at DMU.AC.UK Fri Feb 27 08:02:08 2004
From: iah at DMU.AC.UK (Andy Humberston)
Date: Thu Jan 12 21:22:45 2006
Subject: SuSE RPM Install
Message-ID:

Hi,

I've just tried to install MailScanner version 4.26.8-1 SuSE RPM onto SuSE 8.2. I'm not too sure if I have missed something, but upon trying to start MailScanner it complains about not being able to find postfix.

Postfix isn't installed, as I'm using Sendmail. Is it just a matter of modifying the startup scripts?

Thanks in advance

Andy Humberston

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040227/6e74e0cc/attachment.html

From jovi_2 at YAHOO.COM Fri Feb 27 08:13:12 2004
From: jovi_2 at YAHOO.COM (Sathes Nair) Date: Thu Jan 12 21:22:45 2006 Subject: Question Message-ID: <20040227081312.95380.qmail@web10911.mail.yahoo.com> Hi guys... i would like to ask you a favour which is not relevant to mailscanner but i guess you guys can give me some suggestion... i am trying to install qpopper 4.0.5 in solaris 8 and when i execute the popper it gives me this error : - popper: Cannot find ELF Have anybody encountered this problem .. Please advise.. Thanks in advance.. Sathes __________________________________ Do you Yahoo!? Get better spam protection with Yahoo! Mail. http://antispam.yahoo.com/tools From Jan-Peter.Koopmann at SECEIDOS.DE Fri Feb 27 09:25:20 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:45 2006 Subject: 4.27-6 Release Date? Message-ID: 4.27.5 works great. Why don't you try that? Regards, JP From martinh at SOLID-STATE-LOGIC.COM Fri Feb 27 09:32:32 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:45 2006
Subject: MailScanner won't pick up Mail
In-Reply-To:
References:
Message-ID: <403F0EB0.5090604@solid-state-logic.com>

Frank

you need exim setups, one for the input and one for the out queue

I can't see any reference (apart from the MailScanner.conf) to starting/stopping the second queue for the outbound (post MailScanner) queue

have a look in /var/spool/exim/input to see if MailScanner processed email is there...

I presume you've read the FAQ on howto setup Exim with MS?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Frank Adler wrote:
> Hi List,
>
> I want to use Fetchmail->Exim->Mailscanner->Exim->Cyrus.
> (Using Suse 8.1, Exim 4.12, MailScanner 4.26.8-1)
>
> The Fetchmail-Part works fine.
> Puts the mail into /var/spool/exim.in/input
>
> Here comes the Problem:
> MailScanner does not pick up or touch the message in any way. I don't get
> any errors and don't know how to turn on the "Debug-Mode" - if there is
> such a thing. Sounds to me like a Dir-Problem, but I can't find it... :-(
>
> I would appreciate your help very much!
>
> Thank you,
>
> Frank
>
> Some Config-Extracts:
>
> MailScanner.conf:
> Run As User = exim
> Run As Group = mail
> Incoming Queue Dir = /var/spool/exim.in #I also tried: /input/*, /input/
> Outgoing Queue Dir = /var/spool/exim #I also tried: /input/
> Incoming Work Dir = /var/spool/MailScanner/incoming
> Quarantine Dir = /var/spool/MailScanner/quarantine
> PID file = /var/run/MailScanner.pid
> MTA = exim
> Sendmail = /usr/sbin/exim
> Sendmail2 = /usr/sbin/exim # Split Exim Spool = yes
> Virus Scanners = none
> Rest is unchanged...
> > /etc/SysConfig/MailScanner: > MTA=exim > MAILSCANNER_WORKDIR=/var/spool/MailScanner/incoming > RESTART_DELAY=2 > EXIM=/usr/sbin/exim > POSTFIX=/usr/sbin/postfix > POSTFIXINCF=/etc/postfix.in > POSTFIXOUTCF=/etc/postfix > MAILSCANNER_INQDIR=/var/spool/exim.in/input > SENDMAIL=/usr/sbin/sendmail > SENDMAIL_IN_ARGS="-L sendmail-in -Am -bd -om" > SENDMAIL_OUT_ARGS="-L sendmail-out -Am -q30m -om" > > /etc/init.d/mailscanner: > #!/bin/bash > > MAILSCANNER_BIN=/usr/sbin/check_MailScanner > test -x $MAILSCANNER_BIN || exit 5 > > MTA=exim > POSTFIX=/usr/sbin/postfix > POSTFIXINCF=/etc/postfix.in > POSTFIXOUTCF=/etc/postfix > MAILSCANNER_WORKDIR="/var/spool/MailScanner/incoming" > MAILSCANNER_INQDIR="/var/spool/exim.in/input" > SENDMAIL_IN_ARGS="-L sendmail-in -Am -bd -om" > SENDMAIL_CLIENT_ARGS="-L sendmail-client -Ac -q30m" > SENDMAIL_OUT_ARGS="-L sendmail-out -Am -q30m -om" > SENDMAIL="/usr/sbin/sendmail" > RESTART_DELAY=2 > > # Check for existence of needed config files and read them > test -s /etc/sysconfig/mail && \ > . /etc/sysconfig/mail > > test -s /etc/sysconfig/sendmail && \ > . /etc/sysconfig/sendmail > > test -s /etc/sysconfig/MailScanner && \ > . 
/etc/sysconfig/MailScanner > > > if test "$SMTPD_LISTEN_REMOTE" != "yes" ; then > SENDMAIL_IN_ARGS="-O DaemonPortOptions=Addr=127.0.0.1 > $SENDMAIL_IN_ARGS" > fi > if test "$MTA" = "sendmail" ; then > test -x $SENDMAIL || exit 5 > fi > SENDMAIL_IN_ARGS="-OPrivacyOptions=noetrn -ODeliveryMode=queueonly - > OQueueDirectory=$MAILSCANNER_INQDIR $SENDMAIL_IN_ARGS" > > msppid=/var/spool/clientmqueue/sm-client.pid > EXIM_PIDIN=/var/run/exim_in.pid > EXIM_PIDOUT=/var/run/exim_out.pid > mspid=/var/run/MailScanner.pid > > StartInSendmail() { > echo -n "Initializing incoming $MTA" > if [ $MTA = 'postfix' ]; then > if test -x $POSTFIX -a -f $POSTFIXINCF/main.cf ; then > startproc $POSTFIX -c $POSTFIXINCF start 2> /dev/null > rc_status > else > echo > echo "Error: Could not find Postfix installation, > see /etc/sysconfig/MailScanner" > fi > elif [ $MTA = 'sendmail' ]; then > startproc -p $srvpid $SENDMAIL $SENDMAIL_IN_ARGS > startproc -f -p $msppid $SENDMAIL $SENDMAIL_CLIENT_ARGS > rc_status > elif [ $MTA = 'exim' ]; then > echo -n "Starting Exim_Incoming..." > $EXIM -bd -odq -DSPOOL=/var/spool/exim.in -oP $EXIM_PIDIN > rc_status -v > fi > } > > StartOutSendmail() { > echo -n "Initializing outgoing $MTA" > if [ $MTA = 'postfix' ]; then > if test -x $POSTFIX -a -f $POSTFIXOUTCF/main.cf ; then > startproc $POSTFIX -c $POSTFIXOUTCF start 2> /dev/null > rc_status > else > echo > echo "Error: Could not find Postfix installation, > see /etc/sysconfig/MailScanner" > fi > elif [ $MTA = 'sendmail' ]; then > startproc -f -p $srvoutpid $SENDMAIL $SENDMAIL_OUT_ARGS > rc_status > elif [ $MTA = 'exim' ]; then > echo -n "Starting Exim_Outgoing..." > $EXIM -q1m -oP $EXIM_PIDOUT > rc_status -v > fi > } > > . 
/etc/rc.status > rc_reset > case "$1" in > startin) > StartInSendmail > ;; > startout) > StartOutSendmail > ;; > start) > StartInSendmail > StartOutSendmail > > echo -n "Initializing MailScanner\n" > startproc -f -p $mspid /usr/sbin/check_MailScanner >/dev/null > # This didn't work as expected: rc_status -v > rm -f /var/lock/subsys/MailScanner.off >/dev/null 2>&1 > ;; > stop) > echo -n "Shutting down exim and MailScanner" > if [ $MTA = 'postfix' ]; then > $POSTFIX -c /etc/postfix.in stop 2>/dev/null > $POSTFIX -c /etc/postfix stop 2>/dev/null > rc_status > elif [ $MTA = 'exim' ]; then > killproc -TERM $EXIM > rc_status > elif [ $MTA = 'sendmail' ]; then > killproc -p $msppid -TERM $SENDMAIL > rc_status > killproc -p $srvpid -TERM $SENDMAIL > rc_status > killproc -p $srvoutpid -TERM $SENDMAIL > rc_status > fi > killproc -p $mspid -TERM /usr/sbin/MailScanner > rc_status -v > # Clear out all the old pid files > rm -f $mspid > # Clear out the old incoming dirs > cd $MAILSCANNER_WORKDIR && ls | egrep '^[0123456789]+$' | > xargs /bin/rm -rf 2>/dev/null > touch /var/lock/subsys/MailScanner.off >/dev/null 2>&1 > ;; > try-restart) > $0 stop && sleep $RESTART_DELAY && $0 start > rc_status > ;; > restart) > $0 stop > sleep $RESTART_DELAY > $0 start > rc_status > ;; > reload|force-reload) > echo -n "Reload service sendmail" > killproc -p $mspid -HUP /usr/sbin/MailScanner > rc_status -v > ;; > status) > echo -n "Checking for services exim & MailScanner: " > checkproc -p $srvpid $SENDMAIL > rc_status > checkproc -p $msppid $SENDMAIL > rc_status > checkproc -p $srvoutpid $SENDMAIL > rc_status > checkproc -p $mspid /usr/sbin/MailScanner > rc_status -v > ;; > probe) > test /etc/sendmail.cf -nt $srvpid -o /etc/mail/submit.cf -nt > $msppid \ > -o /etc/MailScanner/MailScanner.conf -nt $mspid && echo reload > ;; > *) > echo "Usage: $0 {start|stop|status|try-restart|restart|force- > reload|reload|probe|startin|startout}" > exit 1 > esac > rc_exit 
**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at SMITS.CO.UK Fri Feb 27 09:44:55 2004
From: mailscanner at SMITS.CO.UK (MailScanner)
Date: Thu Jan 12 21:22:45 2006
Subject: Blocking exe's, pif's, etc inside Zip file
Message-ID: <58696C94787F16468267F3509F1150309822@hermes.clumpton.homeip.net>

FYI, Sybari Antigen handles this by blocking the message with an 'ExceedinglyNested' pseudo-virus warning. This is issued after it finds more than five nested archive files:

http://www.sybari.com/support/faq_answer.asp?id=47&product=AE6

I can't see how anybody could have a legitimate reason to pack an attached archive more than five levels.

Bart...

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Posted At: 26 February 2004 17:04
Posted To: MailScanner
Conversation: Blocking exe's, pif's, etc inside Zip file
Subject: Re: Blocking exe's, pif's, etc inside Zip file

This is something I have started to look at. One of the problems is working out how it can be attacked and how best to handle the attacks. I would like to be able to check all the names in all the zip files that might be contained within further zip files, which could all be in 1 zip file attached to the message. If I check n levels down, someone will just pack their files in n+1 levels to beat me. Making sure that cannot be attacked is tricky.

At 16:56 26/02/2004, you wrote:
>I know this has been brought up in the last couple of weeks but I'm not
>sure what the general opinion is. We had a virus slip in through with
>a zip file yesterday. We block all the other dangerous extensions/file
>types. I'm going to be forced to block zip files unless someone has a
>way to extract dangerous files inside zip files.
>
>Steve Evans
>SDSU Foundation
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Jan-Peter.Koopmann at SECEIDOS.DE Fri Feb 27 09:38:30 2004
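The depth-limit problem raised in the two messages above, as an added Python example (not MailScanner or Sybari code): list every member name through zips nested inside zips and, rather than stopping quietly at the limit, block anything nested deeper or otherwise uninspectable, so packing at n+1 levels fails closed. MAX_DEPTH, the size cap, the extension list and the sample archives are assumptions constructed for this example.

```python
import io
import zipfile

# Assumed policy values for this example (not MailScanner settings).
MAX_DEPTH = 5                         # archive layers we are willing to open
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # declared size above which we refuse to inflate
BLOCKED_EXTENSIONS = (".exe", ".pif", ".scr", ".bat", ".com")


class ArchivePolicyError(Exception):
    """The archive cannot be fully inspected, so it must be blocked."""


def list_nested_names(data, depth=1, prefix=""):
    """Return every member name in a zip, descending into zips inside zips."""
    if depth > MAX_DEPTH:
        # Fail closed: an archive we will not open is never assumed clean.
        raise ArchivePolicyError(
            "nesting deeper than %d levels at %s" % (MAX_DEPTH, prefix))
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise ArchivePolicyError("unreadable zip at %s" % (prefix or "<top level>"))
    names = []
    with archive:
        for info in archive.infolist():
            path = prefix + info.filename
            names.append(path)
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                raise ArchivePolicyError("encrypted member cannot be inspected: " + path)
            if info.file_size > MAX_MEMBER_BYTES:
                raise ArchivePolicyError("member too large to inspect: " + path)
            try:
                member = archive.read(info)
            except Exception as exc:
                # Any decode failure means we could not look inside.
                raise ArchivePolicyError("cannot read %s: %s" % (path, exc))
            # Decide by content, not by name: a renamed .zip is still a zip.
            if zipfile.is_zipfile(io.BytesIO(member)):
                names.extend(list_nested_names(member, depth + 1, path + "!/"))
    return names


def check_attachment(data):
    """Return ("pass", "") or ("block", reason) for one zip attachment."""
    try:
        names = list_nested_names(data)
    except ArchivePolicyError as exc:
        return ("block", str(exc))
    bad = [n for n in names if n.lower().endswith(BLOCKED_EXTENSIONS)]
    if bad:
        return ("block", "blocked file type: " + ", ".join(bad))
    return ("pass", "")


def wrap(name, payload, layers):
    """Constructed sample: zip `payload` as `name`, then re-zip it layers-1 times."""
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), "layer%d.zip" % i
    return payload


if __name__ == "__main__":
    for label, sample in [
        ("text file, 3 layers", wrap("notes.txt", b"hello", 3)),
        ("pif, 4 layers", wrap("invoice.pif", b"MZ constructed", 4)),
        ("text file, 6 layers", wrap("notes.txt", b"hello", 6)),
    ]:
        print(label, "->", check_attachment(sample))
```

The third sample contains nothing on the blocked list and is still rejected, which is the property that removes the n+1 bypass.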
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:45 2006
Subject: Which messages to feed to Bayes?
Message-ID:

Hi Matt,

> No.. SA requires a complete email to be trained, and it
> learns from both the headers and the body at the same time.

Is that really true? Of course it would be perfect to get the original message. But a changed header does not automatically mean that learning the rest of the message does not make sense, does it? The database will still learn from the body, that the words are considered to be spammy.

Exchange 2000 users simply have no way to feed back the original message. Even the public folder approach (which we use for about a year now) is not perfect since Exchange 2000 and 2003 will always return the e-mail in HTML format, even if it was plain text in the first place.

Still I see that my so trained bayes database is getting more and more accurate.

Regards,
JP

From mailscanner at ecs.soton.ac.uk Fri Feb 27 09:41:24 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:45 2006
Subject: SuSE 9 install problem
In-Reply-To: <403E91F3.9080702@aeroflex.com>
References: <403E91F3.9080702@aeroflex.com>
Message-ID: <6.0.1.1.2.20040227094029.03aa6ff8@imap.ecs.soton.ac.uk>

At 00:40 27/02/2004, you wrote:
>Hello:
>
>Conclusion:
>The perl-MIME-tools need to be added to the list of dependencies checked
>for in install.sh.
>
>Reasoning:
>I'm running two SuSE machines.
>One of them is "SuSE Linux Standard Server 8.0"
>The other is "SuSE Linux 9.0" (It's a boxed SuSE LINUX Professional version)
>
>When installing from the gzipped RPM version
>(MailScanner-4.26.8-1.suse.tar.gz)
>
>The install process works fine w/ SuSE 8.0
>(It asks me to install pre-requisites, and run Update-MakeMaker.sh)
>
>On SuSE 9.0, it doesn't ask me to run Update-MakeMaker.sh
>(after having problems, I did anyway. I'm not sure if it helped or not)
>
>But... w/ SuSE 9, I got an error message when the install script was
>rebuilding.
>The error was:
>>error: Failed build dependancies:
>> perl >= 0:5.00503 is needed by perl-Net-CIDR-0.08-2
>
>SuSE 9 uses perl v5.8.1, and it's installed by default.
>So... that's not the problem.
>
>It turns out that perl-Net-CIDR-0.08-2 requires the MIME/body.pm module
>from perl-MIME-tools. That package is not part of the default install for
>SuSE 9.0.
>perl-MIME-tools-5.411a-272.i586.rpm IS included on disk 4 of that distro
>(If anyone's looking for it)

Beware that there are 4 important security patches to perl-MIME-tools, which SuSE probably haven't got. Try to use the versions from my distribution, even if you have to
./install.sh --nodeps
to get them to install.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Feb 27 09:42:22 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:45 2006
Subject: SuSE RPM Install
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040227094148.03cd7120@imap.ecs.soton.ac.uk>

There is a /etc/sysconfig/MailScanner which controls what the init.d script starts up. There is then the "MTA" setting inside MailScanner.conf so that it knows which MTA you are using.

At 08:02 27/02/2004, you wrote:
>
>Hi,
>
>I've just tried to install MailScanner version 4.26.8-1 SuSE RPM onto
>SuSE 8.2. I'm not too sure if I have missed something, but upon trying
>to start MailScanner it complains about not being able to find postfix.
>
>Postfix isn't installed, as I'm using Sendmail. Is it just a matter of
>modifying
>the startup scripts?
>
>Thanks in advance
>
>Andy Humberston

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Feb 27 08:55:17 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:45 2006
Subject: 4.27-6 Release Date?
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040227085503.03cbc520@imap.ecs.soton.ac.uk>

This weekend I intend 4.27 to go stable.

At 01:24 27/02/2004, you wrote:
>Is there a planned release date for 4.27-6 ? I need my "bounce" back.
>
>Thanks
>==================================
>Wm. Scott Brown
>Network Engineer/Owner
>VistaNet, Inc.
>(530) 891-8555

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Kevin.Spicer at BMRB.CO.UK Fri Feb 27 09:52:13 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:45 2006
Subject: Which messages to feed to Bayes?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649ACA@pascal.priv.bmrb.co.uk>

Jan-Peter Koopmann wrote:
> is that really true? Of course it would be perfect to get the
> original message. But a changed header does not automatically
> mean that learning the rest of the message does not make
> sense, does it? The database will still learn from the body,
> that the words are considered to be spammy.

The most important thing is that the messageID is preserved as SA uses that as a key. If the messageID is not preserved salearn won't realise that it has already learned from the message. This means it will learn the message twice (once as ham and once as spam) rather than relearning it.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From Jan-Peter.Koopmann at SECEIDOS.DE Fri Feb 27 09:54:06 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:45 2006 Subject: Which messages to feed to Bayes? Message-ID: > The most important thing is that the messageID is preserved > as SA uses that as a key. If the messageID is not preserved > salearn won't realise that it has already learned from the > message. This means it will learn the message twice (once as > ham and once as spam) rather than relearning it. Good to know. AFAIK the message-ID is preserved. But I will check. Regards, JP From Jan-Peter.Koopmann at SECEIDOS.DE Fri Feb 27 09:55:54 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:45 2006 Subject: FreeBSD port MailScanner-devel 4.27.5 Message-ID: For those of you who cannot wait... The FreeBSD people seem to be quite busy. Therefore the port is not yet submitted to the ports tree. Regards, JP -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscanner-devel.tgz Type: application/x-compressed Size: 9340 bytes Desc: mailscanner-devel.tgz Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040227/55eae912/mailscanner-devel.bin From list at souil.com Fri Feb 27 09:46:10 2004 From: list at souil.com (Ben) Date: Thu Jan 12 21:22:45 2006 Subject: Postfix warning? Message-ID: <2004227174610.364922@bensil> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040227/84a4e3d1/attachment.html From drew at THEMARSHALLS.CO.UK Fri Feb 27 10:02:17 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:45 2006
Subject: Which messages to feed to Bayes?
In-Reply-To:
References:
Message-ID: <1361.194.70.180.170.1077876137.squirrel@net.themarshalls.co.uk>

Jan-Peter Koopmann said:
> Hi Matt,
>
>> No.. SA requires a complete email to be trained, and it
>> learns from both the headers and the body at the same time.
>
> is that really true? Of course it would be perfect to get the original
> message. But a changed header does not automatically mean that learning
> the rest of the message does not make sense, does it? The database will
> still learn from the body, that the words are considered to be spammy.
>
> Exchange 2000 users simply have no way to feed back the original message.
> Even the public folder approach (which we use for about a year now) is not
> perfect since Exchange 2000 and 2003 will always return the e-mail in HTML
> format, even if it was plain text in the first place.

Exchange users can forward original mail, complete with headers if they forward the original mail as an attachment. The easiest way to do this is reduce the window size of Outlook and the new message window. Then simply drag and drop the offending message(s) into the new message window and send it on. Job done. The attached message retains its headers and original content.

>
> Still I see that my so trained bayes database is getting more and more
> accurate.
>

The only challenge that I have not yet mastered is how to either merge 2 bayes databases (Not import from an old format) or allow two different users to use the same database. When I changed the file group permissions bayes learning stopped altogether (So I assume SA like to only have rw user permissions only on the bayes files). I have a natty Postfix script that will feed mail sent to a particular address to sa-learn automatically.
The problem is that Postfix is piping the mail to the script and insists on doing so as any user except itself (Or root, not that I really want it doing so due to the security issues). The challenge is that MS runs as Postfix user, the SA bayes files therefore are owned by Postfix and only can have user rw permissions.

Any ideas anyone. My head hurts!!

> Regards,
> JP
>

Regards

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From raymond at PROLOCATION.NET Fri Feb 27 10:03:47 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:45 2006
Subject: 4.27-6 Release Date?
In-Reply-To: <6.0.1.1.2.20040227085503.03cbc520@imap.ecs.soton.ac.uk>
Message-ID:

Hi Julian,

> This weekend I intend 4.27 to go stable.

> At 01:24 27/02/2004, you wrote:
> >Is there a planned release date for 4.27-6 ? I need my "bounce" back.

Did you check the notifications? I have a strong feeling the virus warnings stuff is a little broken, or different now. I have seen a couple of notifications to myself for example, with viruses that were in the silent list, so I should not have gotten them in the first place, but also those had for example iframe stuff, so perhaps it's sending because of that now.

This wasn't before you added the Non-Forging viruses, I have that one empty btw...

For example this one:

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "Curriculum Vitae aischa compleet.jpg.bat"
was believed to be infected by a virus and has been replaced by this
warning message.

If you wish to receive a copy of the *infected* attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Thu Feb 26 23:40:13 2004 the virus scanner said:
   F-Prot: Curriculum Vitae aischa compleet.jpg.bat Infection: W32/Lentin.F@mm
   ClamAV: Curriculum Vitae aischa compleet.jpg.bat contains W32/Yaha.g.dam
   MailScanner: Batch files are often malicious (Curriculum Vitae aischa compleet.jpg.bat)

Note to Help Desk: Look on MailScanner in /var/spool/MailScanner/quarantine/20040226 (message 1AwUAg-0003zH-Vj).
--
Postmaster

And my silent virus list looks like:

Silent Viruses = Klez Yaha Bugbear Lentin Sobig Mimail Lovelorn Dumaru Gibe Ganda Lovgate Fizzer Hybris Akosw Swen Sober Bagle Mydoom Netsky

Non-Forging Viruses =

Could you have a look ?

Thanks,
Raymond.

From Jan-Peter.Koopmann at SECEIDOS.DE Fri Feb 27 10:06:17 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:45 2006
Subject: Which messages to feed to Bayes?
Message-ID:

Hi,

> Exchange users can forward original mail, complete with
> headers if they forward the original mail as an attachment.

I know but this is considerably more complicated for the user than just doing usual forwards or dragging the message to a public folder. :-)

Regards,
JP

From drew at THEMARSHALLS.CO.UK Fri Feb 27 10:13:38 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:45 2006
Subject: Which messages to feed to Bayes?
In-Reply-To:
References:
Message-ID: <2425.194.70.180.170.1077876818.squirrel@net.themarshalls.co.uk>

Jan-Peter Koopmann said:
> Hi,
>
>> Exchange users can forward original mail, complete with
>> headers if they forward the original mail as an attachment.
>
> I know but this is considerably more complicated for the user than just
> doing usual forwards or dragging the message to a public folder. :-)

True, who ever said it was easy :-) Shame good 'ole Uncle Bill always knows best ;-)

>
> Regards,
> JP
>

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From mailscanner at ecs.soton.ac.uk Fri Feb 27 10:28:33 2004
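The advice in the Bayes thread above (plain forwards lose the headers, forwarding as an attachment keeps them, and the Message-ID should survive), as an added Python example that is not SpamAssassin or MailScanner code: unwrap the message/rfc822 attachment from a user's report and hand on only originals that still carry trace headers and a Message-ID. The required-header list, addresses and sample messages are assumptions constructed for the example.

```python
import email
from email import policy

# Assumed check: trace headers plus the Message-ID discussed in the thread.
REQUIRED_HEADERS = ("Received", "Message-ID")

# Constructed sample: the user forwarded the spam as an attachment.
FORWARD_AS_ATTACHMENT = b"""\
From: user@example.com
To: spam-report@example.com
Subject: FW: cheap pills
Message-ID: <wrapper-1@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Spam for training, original attached.
--b1
Content-Type: message/rfc822

Received: from mail.example.net by mx.example.com; Thu, 26 Feb 2004 18:40:00 -0500
From: seller@example.net
To: user@example.com
Subject: cheap pills
Message-ID: <orig-123@example.net>

Buy now.
--b1--
"""

# Constructed sample: a plain forward, original headers reduced to body text.
PLAIN_FORWARD = b"""\
From: user@example.com
To: spam-report@example.com
Subject: FW: cheap pills
Message-ID: <wrapper-2@example.com>
Content-Type: text/plain

-----Original Message-----
From: seller@example.net
Subject: cheap pills

Buy now.
"""


def attached_originals(report_bytes):
    """Return the messages attached (message/rfc822) to a user's report."""
    report = email.message_from_bytes(report_bytes, policy=policy.default)
    return [part.get_payload(0) for part in report.walk()
            if part.get_content_type() == "message/rfc822" and part.is_multipart()]


def triage(report_bytes):
    """Return one (action, message_id, detail) tuple per training candidate."""
    originals = attached_originals(report_bytes)
    if not originals:
        # Training on the wrapper would teach the reporter's headers, not the spammer's.
        return [("skip", None, "plain forward: no attached original")]
    results = []
    for msg in originals:
        missing = [h for h in REQUIRED_HEADERS if msg[h] is None]
        if missing:
            results.append(("skip", None, "missing " + ", ".join(missing)))
        else:
            # detail is a serialised copy of the original, ready to write to a file.
            results.append(("train", str(msg["Message-ID"]).strip(), msg.as_bytes()))
    return results


if __name__ == "__main__":
    for name, sample in [("attachment", FORWARD_AS_ATTACHMENT), ("plain", PLAIN_FORWARD)]:
        for action, message_id, detail in triage(sample):
            print(name, action, message_id, detail if action == "skip" else "")
```

The bytes returned with a "train" result are what would be saved and passed to `sa-learn --spam`.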
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:45 2006 Subject: 4.27-6 Release Date? In-Reply-To: References: <6.0.1.1.2.20040227085503.03cbc520@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040227102712.03e940d0@imap.ecs.soton.ac.uk> At 10:03 27/02/2004, you wrote: >Hi Julian, > > > This weekend I intend 4.27 to go stable. > > > At 01:24 27/02/2004, you wrote: > > >Is there a planned release date for 4.27-6 ? I need my "bounce" back. > >Did you check the notifications? I have a strong feeling the virus >warnings stuff is a little broken, of different now. I have seen a couple >of notifications to myself for example, with virusses that were in the >silent list, so i should not have gotten them in the first place, but also >those had for example iframe stuff, so perhaps its sending because of that >now. > >This wasnt before you added the Non-Forging virusses, i have that one >empty btw... Thanks for reminding me about that one, had forgotten. The key to the problem lay in your last sentence above. If you se the non-forging viruses to anything other than empty, it will work :-) Fixed now. >For example this one: > >This is a message from the MailScanner E-Mail Virus Protection Service >---------------------------------------------------------------------- >The original e-mail attachment "Curriculum Vitae aischa compleet.jpg.bat" >was believed to be infected by a virus and has been replaced by this >warning >message. > >If you wish to receive a copy of the *infected* attachment, please >e-mail helpdesk and include the whole of this message >in your request. Alternatively, you can call them, with >the contents of this message to hand when you call. 
> >At Thu Feb 26 23:40:13 2004 the virus scanner said: > F-Prot: Curriculum Vitae aischa compleet.jpg.bat Infection: >W32/Lentin.F@mm > ClamAV: Curriculum Vitae aischa compleet.jpg.bat contains >W32/Yaha.g.dam > MailScanner: Batch files are often malicious (Curriculum Vitae aischa >compleet.jpg.bat) > >Note to Help Desk: Look on MailScanner in >/var/spool/MailScanner/quarantine/20040226 (message 1AwUAg-0003zH-Vj). >-- >Postmaster > >And my silent virus list looks like: > >Silent Viruses = Klez Yaha Bugbear Lentin Sobig Mimail Lovelorn Dumaru >Gibe Ganda Lovgate Fizzer Hybris Akosw Swen Sober Bagle Mydoom Netsky > >Non-Forging Viruses = > >Could you have a look ? > >Thanks, >Raymond. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From P.G.M.Peters at utwente.nl Fri Feb 27 11:15:28 2004 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:45 2006 Subject: Forward to other port In-Reply-To: <20040227051938.40202.qmail@web41411.mail.yahoo.com> References: <403E91F2.1090907@pacific.net> <20040227051938.40202.qmail@web41411.mail.yahoo.com> Message-ID: <2k9u305anfoo8lv5i8kmksjovsj107jgmh@4ax.com> On Thu, 26 Feb 2004 21:19:38 -0800, you wrote: >I have a scenario very similar to the one described in >the FAQ here: >http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/152.html > >MailScanner will be configured on my MX. After >Scanning incoming mail I would like the mail to be >forwarded via SMTP to another server. The one >difference between the scenario in the FAQ and my >scenario is that the end server is running its smtp >server on a non-standard port. > >Can I do this? Any suggestions on how? No problem. But also not an MS problem. You can do this with mailscanner. You just define a new mailer which operates on a different port and define that mailer as the default mailer for sending to the other server. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at utwente.nl Fri Feb 27 11:22:01 2004 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:45 2006 Subject: company trying to sell anti-spam Message-ID: Hi folks, Just had a nice phone talk with somebody from the UK trying to sell me (as the University) something to block spam. It went something like this: "Hi, I am from the UK company zzz. Are you the person responsible for e-mail" "Yes, I am." "Do you have any problems with spam?" "No" Questionable sound from the UK guy. "About 50% to 60% of all e-mail is spam." Happy sound from UK guy. "But we manage to detect and remove 95% to 98% of it." "How do you manage that?" asked in a very worrying way. "We use MailScanner and SpamAssassin." "For how many user?" "About 10.000." "Can I have your name and company again. So we won't be phoning you again. We can't beat that percentage." In short: Big thanks Julian. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at SMITS.CO.UK Fri Feb 27 11:35:01 2004 From: mailscanner at SMITS.CO.UK (MailScanner) Date: Thu Jan 12 21:22:45 2006 Subject: Which messages to feed to Bayes? Message-ID: <58696C94787F16468267F3509F1150309823@hermes.clumpton.homeip.net> Unless the users select multiple messages, in which case they are automatically forwarded as attachments. Will sa-learn learn from the attachmed messages or does it need some unpacking before feeding it? Bart... -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Drew Marshall Posted At: 27 February 2004 10:14 Posted To: MailScanner Conversation: Which messages to feed to Bayes? Subject: Re: Which messages to feed to Bayes? Jan-Peter Koopmann said: > Hi, > >> Exchange users can forward original mail, complete with headers if >> they forward the original mail as an attachment. > > I know but this is considerably more complicate for the user than just > doing usual forwards or dragging the message to a public folder. :-) True, who ever said it was easy :-) Shame good 'ole Uncle Bill always knows best ;-) > > Regards, > JP > Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From Jan-Peter.Koopmann at SECEIDOS.DE Fri Feb 27 11:42:45 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:45 2006 Subject: Which messages to feed to Bayes? Message-ID: > Will sa-learn learn from the attachmed messages or does it > need some unpacking before feeding it? You need to unpack them first AFAIK. From raymond at PROLOCATION.NET Fri Feb 27 10:35:26 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:45 2006 Subject: 4.27-6 Release Date? In-Reply-To: <6.0.1.1.2.20040227102712.03e940d0@imap.ecs.soton.ac.uk> Message-ID: Hi! > >This wasnt before you added the Non-Forging virusses, i have that one > >empty btw... > Thanks for reminding me about that one, had forgotten. The key to the > problem lay in your last sentence above. If you se the non-forging viruses > to anything other than empty, it will work :-) > Fixed now. Ok, cool! Saves some annoying crap :) Bye, Raymond. From pete at eatathome.com.au Fri Feb 27 13:43:36 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:45 2006 Subject: Postfix warning? In-Reply-To: <2004227174610.364922@bensil> References: <2004227174610.364922@bensil> Message-ID: <403F4988.8050501@eatathome.com.au> Ben wrote: > Dear All, > > > > Do these matter? > > > Feb 27 17:44:23 mailscanner postfix/postfix-script: warning: > /var/spool/postfix.in/etc/passwd and /etc/passwd differ > > Feb 27 17:44:23 mailscanner postfix/postfix-script: starting the > Postfix mail system > > Feb 27 17:44:23 mailscanner postfix/master[12930]: daemon started -- > version 2.0.11 > > Feb 27 17:44:23 mailscanner postfix/postfix-script: warning: > /var/spool/postfix/etc/passwd and /etc/passwd differ > > Feb 27 17:44:23 mailscanner postfix/postfix-script: starting the > Postfix mail system > > > Read up on Postfix chroot - because you have chrooted Postfix you need to keep the OS and the Postfix version of these files up to date; this will also occur for files like hosts. If you have been editing your /etc/passwd file then you can simply copy it to /var/spool/postfix/etc/; this will cure your error, but the error isn't really fatal. I guess you can symlink these files due to the whole purpose of securing Postfix using chroot, maybe you can, if so could someone confirm, me not Linux guru enough to know whether to mess with symlinking these or not. From rob at thehostmasters.com Fri Feb 27 13:48:50 2004 From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:22:45 2006 Subject: Which messages to feed to Bayes? References: Message-ID: <005401c3fd38$703f5320$0d01a8c0@basement> How does one know if Bayes actually learned something about the message? And if so how long till it actually stops another similar email from coming through? Thanks... Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com ----- Original Message -----
From: "Jan-Peter Koopmann" To: Sent: Friday, February 27, 2004 6:42 AM Subject: Re: Which messages to feed to Bayes? > > Will sa-learn learn from the attachmed messages or does it > > need some unpacking before feeding it? > > You need to unpack them first AFAIK. > From joshua.hirsh at PARTNERSOLUTIONS.CA Fri Feb 27 14:15:06 2004 From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:22:45 2006 Subject: Filetype reports bug in 4.26.8 (+ fix) Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB603B@eqmail1.efni.vpn> Hey Julian, I just had time to install 4.26.8 on my system yesterday. I noticed that this same bug has crept up again. Included below was the original patch to fix it. The bug manifests itself as the following lines in notifications to the admin: Report: attachment.txt.pif was infected by W32/Netsky-B : No programs allowed (attachment.txt.pif) Report: misc.scr was infected by W32/Netsky-B : No programs allowed (misc.scr) The bug is on line 1201 of Message.pm in 4.26.8. Can you patch this up for the next release? Thanks, -Joshua -----Original Message----- From: Mariano Absatz [mailto:mailscanner@LISTS.COM.AR] Sent: Tuesday, October 07, 2003 5:27 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Filetype Reports in 4.24-5 Yup... it seems to be originated in my code, but I don't know if Julian modified this or not... however, try using this patch (WARNING!!!!! NOT TESTED): --- Message.pm.orig Tue Oct 7 18:18:40 2003 +++ Message.pm Tue Oct 7 18:19:40 2003 @@ -1014,7 +1014,7 @@ } while (($file, $text) = each %{$this->{namereports}}) { #print STDERR "Adding file $file report $text\n"; - $text =~ s/\n(.)/\n$Name: $1/g; # Make sure name is at the front of this + $text =~ s/\n(.)/\n$Name $1/g if $Name ; # Make sure name is at the front of this $this->{allreports}{$file} .= $Name . $text; } while (($file, $text) = each %{$this->{nametypes}}) { From mkettler at EVI-INC.COM Fri Feb 27 15:21:24 2004 
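Review bot: in the `+` line of the namereports loop, continuation lines are now prefixed with `$Name ` (name plus a space) while the unchanged line below it still builds the first report line as `$Name . $text` with no separator, so a multi-line report is only formatted consistently if `$Name` already ends in its own separator; please say in the comment which it is, or make the two lines use the same prefix. The `if $Name` guard also covers only this loop: the `%{$this->{nametypes}}` loop that opens right after the hunk should be checked for the same substitution. The patch is posted as untested and is cut against line 1014, while the report for 4.26.8 puts the bug at line 1201 of Message.pm, so it needs re-basing and a run against a real notification before it goes into a release.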
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:45 2006 Subject: Few general questions regarding MailScanner In-Reply-To: <5.2.1.1.0.20040226134556.00a94c58@pop.courtesymortgage.com > References: <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com > <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com> <5.2.1.1.0.20040226134556.00a94c58@pop.courtesymortgage.com> Message-ID: <6.0.0.22.0.20040227101006.030114d8@xanadu.evi-inc.com> At 04:47 PM 2/26/2004, Jason Williams wrote: >What are some of the drawbacks of the two? Drawbacks: Mailscanner - double queuing means extra disk IO. Unable to do SMTP rejects. Mimedefang - Scans mail as-it-comes, so inbound rate limited by scan rate. >What can Mailscanner do that >MIMEDefang cannot? And vice versa? Both tools are quite versatile and flexible and most things that one can do the other can do just as well. Mimedefang's configuration is literally done with a fragment of perl code. This means you're limited pretty much only by your perl coding ability. MailScanner's configuration is limited to the options in the MailScanner.conf. This makes the syntax much simpler, particularly if you don't already know perl. There's methods of making most options into "rule lists" of various sorts, but it's not quite as flexible as writing in perl code. >Is one more secure than the other? Hard to say.. one could argue that since MailScanner isn't directly called by sendmail it's a bit more isolated from any bugs in sendmail making security holes in the milter API, but that's quite a stretch. > What about stability? Reliability? I've never heard of anyone using either MailScanner or Mimedefang have any stability/reliability problems except misconfiguration or under-powered servers. Not to say it hasn't happened, but it's never been anything that caused enough commotion to catch my eye. From Kevin.Spicer at BMRB.CO.UK Fri Feb 27 15:23:15 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:45 2006 Subject: Few general questions regarding MailScanner Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649ACF@pascal.priv.bmrb.co.uk> Matt Kettler wrote: > At 04:47 PM 2/26/2004, Jason Williams wrote: >> What are some of the drawbacks of the two? > > Drawbacks: > Mailscanner - double queuing means extra disk IO. Thats potentially misleading, since it implies that every mail must be written to disk twice - unless you are altering the contents of a mail MailScanner simply links it in the outgoing queue and unlinks from the incoming queue (in other words the file doesn't get rewritten, just the directory entry changed). There is some additional disk IO associated with unpacking attachments etc (I imagine every solution needs to do that though) - this can be largely eliminated by putting the work directory in tmpfs. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From bpumphrey at WOODMACLAW.COM Fri Feb 27 15:59:43 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:45 2006 Subject: company trying to sell anti-spam Message-ID: Awesome!! -----Original Message----- 
From: Peter Peters [mailto:P.G.M.Peters@utwente.nl] Sent: Friday, February 27, 2004 6:22 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: company trying to sell anti-spam Hi folks, Just had a nice phone talk with somebody from the UK trying to sell me (as the University) something to block spam. It went something like this: "Hi, I am from the UK company zzz. Are you the person responsible for e-mail" "Yes, I am." "Do you have any problems with spam?" "No" Questionable sound from the UK guy. "About 50% to 60% of all e-mail is spam." Happy sound from UK guy. "But we manage to detect and remove 95% to 98% of it." "How do you manage that?" asked in a very worrying way. "We use MailScanner and SpamAssassin." "For how many user?" "About 10.000." "Can I have your name and company again. So we won't be phoning you again. We can't beat that percentage." In short: Big thanks Julian. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From raymond at PROLOCATION.NET Fri Feb 27 17:06:01 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:45 2006 Subject: 4.27-6 Release Date? In-Reply-To: Message-ID: Hi! > > Thanks for reminding me about that one, had forgotten. The key to the > > problem lay in your last sentence above. If you se the non-forging viruses > > to anything other than empty, it will work :-) > > Fixed now. > > Ok, cool! Saves some annoying crap :) Perhaps this is fixed also, but just checking: I noticed i had messages with double virus warnings attached... 1 ~6 lines Text/PLAIN 2 ~21 lines Text/PLAIN (Name: "VirusWarning.txt") 3 ~23 lines Text/PLAIN (Name: "VirusWarning.txt") This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail message contained potentially dangerous content, which has been removed for your safety. The content is dangerous as it is often used to spread viruses or to gain personal or confidential information from you, such as passwords or credit card numbers. If you wish to receive a copy of the original email, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Fri Feb 27 18:02:37 2004 the content filters said: MailScanner: Found dangerous IFrame tag in HTML message Note to Help Desk: Look on MailScanner in /var/spool/MailScanner/quarantine/20040227 (message 1AwlNY-0002nS-8X). -- Postmaster This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "Curriculum Vitae aischa compleet.wav.pif" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. 
Alternatively, you can call them, with the contents of this message to hand when you call. At Fri Feb 27 18:02:37 2004 the virus scanner said: F-Prot: Curriculum Vitae aischa compleet.wav.pif Infection: W32/Lentin.F@mm ClamAV: Curriculum Vitae aischa compleet.wav.pif contains W32/Yaha.g.dam MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (Curriculum Vitae aischa compleet.wav.pif) Note to Help Desk: Look on MailScanner in /var/spool/MailScanner/quarantine/20040227 (message 1AwlNY-0002nS-8X). -- Postmaster Same bug or something different ? Bye, Raymond. From Kevin.Spicer at BMRB.CO.UK Fri Feb 27 17:15:31 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:45 2006 Subject: 4.27-6 Release Date? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AD3@pascal.priv.bmrb.co.uk> Raymond Dijkxhoorn wrote: > Hi! > >>> Thanks for reminding me about that one, had forgotten. The key to >>> the problem lay in your last sentence above. If you se the >>> non-forging viruses to anything other than empty, it will work :-) >>> Fixed now. >> >> Ok, cool! Saves some annoying crap :) > > Perhaps this is fixed also, but just checking: > > I noticed i had messages with double virus warnings attached... > > 1 ~6 lines Text/PLAIN > 2 ~21 lines Text/PLAIN (Name: "VirusWarning.txt") > 3 ~23 lines Text/PLAIN (Name: "VirusWarning.txt") Surely thats because they are replacing different MIME parts. One Virus warning is replacing the HTML body that triggered the IFRAME rule - the other replacing the virus ridden attachment. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From peter at UCGBOOK.COM Fri Feb 27 18:26:29 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:45 2006 Subject: Which messages to feed to Bayes? In-Reply-To: <6.0.0.22.0.20040226183157.02ac22a8@xanadu.evi-inc.com> References: <91A5926EFF44D3118B1200104B7276EB02C56CD3@hart-exchange.hartwellcorp.com> <403E6E75.4000604@ucgbook.com> <6.0.0.22.0.20040226183157.02ac22a8@xanadu.evi-inc.com> Message-ID: <403F8BD5.4020900@ucgbook.com> Matt Kettler wrote: > As you've mentioned sa-learn already has the feature of not re-learning the > same message, so you're not wasting much CPU time for SA to decide it's > already seen a given message ID and move on without learning it. That > feature isn't a reason to avoid training.. > > Using a mailbox of 205 messages, all tagged by SA. 108 of them were over 15 > in score, 97 of them under 15 in score but over 5. > > 110 of the 205 were learnable by sa-learn. > > I'll admit I'm using the default threshold of 12.. but that autolearned > less than half of these messages. It didn't even autolearn all the > high-scoring messages. I was under the impression he was to manually feed mail from an Exchange system to learn them. I doubt he can get better results than autolearn in that case, especially considering the effort involved. Interesting experiment you did with the autolearn feature, I would guess locking issues caused most of the failures. In 4.26, where an autolearn flag was introduced in the log, do you know if that indicates a truly learned message or just that it triggered the autolearned but it might have failed? -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From isp-list at TULSACONNECT.COM Fri Feb 27 18:59:07 2004 
From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:22:45 2006 Subject: Minimum Stars If On Spam List Broken Message-ID: <5.1.1.6.2.20040227125346.057eda88@securemail.tulsaconnect.com> Hiya. I'm running 4.26.8 and trying to use the new setting "Minimum Stars If On Spam List" to have it put a X-Spam-Score header when a spam blacklist is triggered via MailScanner and I have it set not to process through SpamAssassin if found on one of the blacklists. Here is what I have set in the conf: Spam Score = yes Check SpamAssassin If On Spam List = no Minimum Stars If On Spam List = 5 However, it is not working as expected. No X-Spam-Score header is added. --------------------------------------- Mike Bacher / mike@sparklogic.com SparkLogic Development / ISP Consulting Use OptiGold ISP? Check out OptiSkin! http://www.sparklogic.com/optiskin/ --------------------------------------- From Kevin_Miller at CI.JUNEAU.AK.US Fri Feb 27 19:00:58 2004 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:45 2006 Subject: SuSE RPM Install Message-ID: <08146035CA49D6119A36009027AC822A0264EE77@CITY-EXCH-NTS> I think all you need to do is go into the /etc/sysconfig/MailScanner file and change the top couple of lines to sendmail instead of Postfix... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 -----Original Message----- 
From: Andy Humberston [mailto:iah@DMU.AC.UK] Sent: Thursday, February 26, 2004 11:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: SuSE RPM Install HI, I've just tried to install MailScanner version 4.26.8-1 SuSE RPM onto SuSE 8.2. I'm not too sure if I have missed something, but upon trying to start MailScanner it complains about not being able to find postfix. Postfix isn't installed, as I'm using Sendmail. Is it just a matter of modiying the startup scripts? Thanks in advance Andy Humberston -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040227/eb66a3b0/attachment.html From mikes at HARTWELLCORP.COM Fri Feb 27 19:10:16 2004 From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:45 2006 Subject: 4.27-6 Release Date? Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CE1@hart-exchange.hartwellcorp.com> Julian Field wrote: > This weekend I intend 4.27 to go stable. That's great news Julian. BTW, I've been *extremely* impressed with the quality and ease-of-installation of MailScanner. Well done! -- Michael St. Laurent Hartwell Corporation From rzewnickie at RFA.ORG Fri Feb 27 19:23:15 2004 
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:45 2006 Subject: Which messages to feed to Bayes? In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CD6@hart-exchange.hartwellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56CD6@hart-exchange.hartwellcorp.com> Message-ID: <20040227192315.GF4603@rfa.org>

On Thu, Feb 26, 2004 at 03:47:45PM -0800, Michael St. Laurent wrote:
> Matt Kettler wrote:
> > At 04:55 PM 2/26/2004, Michael St. Laurent wrote:
> >> Should we be feeding the Bayes engine in Spamassassin messages that
> > My answer is a very emphatic YES!
> Excellent. Okay, what about spam messages that have lost their headers
> because the user forwarded it to me (Outlook strips the headers when you do
> that). Will it still benefit from looking at just the body of the message?

As others have said, you need the original message. I'm archiving all original mail in date stamped mboxes (for one week). I've worked out a string of shell commands to grab the subject from forwarded false-negative spams and use that to dump the original mails to an mbox for review. Any that don't look like spam can be deleted and the rest can be fed to sa-learn.

I have used this approach successfully. But, it is not fully automated. I haven't quite finished the script, and what I have is pretty messy. But, in the interest of sharing ideas, here's what I'm working on (incomplete semi-pseudo code & not fully tested & I'm not an experienced programmer & whatever other disclaimers would be pertinent & criticism welcome):

##########
spam_reports=
archive=/var/spool/MailScanner/archive
sa_prefs=/opt/MailScanner/etc/spam.assassin.prefs.conf
# many of these are protected by quoting and may not need to
# be here. But, I'm not sure which ...
special_chars="\041-\055\072-\077\133-\140\173-\177"
subjects=`grep -A6 "^-----Original Message-----$" $spam_reports |\
          grep "^Subject: " | sort | uniq`
for mbox in `ls $archive/20*`; do
    # feed the subject list to perl on stdin (it is text, not a list of files)
    echo "$subjects" |\
    perl -pi -e "s/[$special_chars]/./g" |\
    xargs --replace grepmail -u -h "^{}" $mbox >> /tmp/spam ;
done
##########
### Then interactively
mutt -f /tmp/spam
### and then train. This could read the grepmail output from a pipe
### but, i'm not comfortable totally automating this, yet.
sa-learn --spam --mbox -p $sa_prefs /tmp/spam

There are problems with this approach.
-Blank Subject:'s reported by users are ignored because they match everything.
-I'm actually training on many many more messages than the one reported by each user since typically we received many spams w/ the same subject. This might be a good thing, though.
-Spam subjects could match subjects of legitimate mail. This is one reason for the manual review.
-I'm probably replacing too many special characters with "." and would rather escape them with "\", but my replacement foo is limited :-(
-grepmail is a ram pig. it seems to keep all of an mbox in memory as it works on it. Probably because it has to rewind, I guess.
-Maybe the whole idea is just silly?

Anyway, I hope this is useful to someone.
-Eric Rz.
From newcomer at DICKINSON.EDU Fri Feb 27 19:22:18 2004
From: newcomer at DICKINSON.EDU (Don Newcomer) Date: Thu Jan 12 21:22:46 2006 Subject: TNEF Message-ID: I just installed MailScanner version 4.26.8 yesterday on our HP AlphaServer ES47 running HP Tru64 UNIX version 5.1B. All went well except when I tried to rebuild tnef-1.1.4 program. When I ran the 'make', I got this: source='tnef.c' object='tnef.o' libtool=no depfile='.deps/tnef.Po' tmpdepfile=' .deps/tnef.TPo' depmode=tru64 /bin/ksh ../depcomp cc -DHAVE_CONFIG_H -I. -I. - I.. -g -c `test -f 'tnef.c' || echo './'`tnef.c cc: Warning: basename.h, line 30: In this declaration, parameter 1 has a differe nt type than specified in an earlier declaration of this function. (mismatparam) basename (const char* path); ^ cc: Error: basename.h, line 30: In this declaration, the type of "basename" is n ot compatible with the type of a previous declaration of "basename" at line numb er 165 in file /usr/include/string.h. (notcompat) basename (const char* path); ^ *** Exit 1 Stop. *** Exit 1 Stop. *** Exit 1 Stop. *** Exit 1 Stop. I was wondering if anyone has run into this problem and has a workaround? For now I'm running my old tnef 1.1.2 binary until this is resolved. Any help would be greatly appreciated. ================================================================================ Don Newcomer Dickinson College Senior Manager, Systems P.O. Box 1773 newcomer@dickinson.edu Carlisle, PA 17013 Phone: (717) 245-1256 FAX: (717) 245-1690 From rzewnickie at RFA.ORG Fri Feb 27 21:01:32 2004 
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:46 2006 Subject: Which messages to feed to Bayes? In-Reply-To: <20040227192315.GF4603@rfa.org> References: <91A5926EFF44D3118B1200104B7276EB02C56CD6@hart-exchange.hartwellcorp.com> <20040227192315.GF4603@rfa.org> Message-ID: <20040227210131.GI4603@rfa.org>

On Fri, Feb 27, 2004 at 02:23:15PM -0500, Eric Dantan Rzewnicki wrote:
> On Thu, Feb 26, 2004 at 03:47:45PM -0800, Michael St. Laurent wrote:
> > Matt Kettler wrote:
> > > At 04:55 PM 2/26/2004, Michael St. Laurent wrote:
> > >> Should we be feeding the Bayes engine in Spamassassin messages that
> > > My answer is a very emphatic YES!
> > Excellent. Okay, what about spam messages that have lost their headers
> > because the user forwarded it to me (Outlook strips the headers when you do
> > that). Will it still benefit from looking at just the body of the message?

For what it's worth, below is a cleaned up version of what I just posted. I just ran it, and it seems to work ok. In previous tests and just now an instance of grepmail will occasionally exit in the midst of the for loop with a SIGSEGV:

xargs: grepmail: terminated by signal 11

the script continues to the next run through the loop. Again, I'm not entirely sure what I'm doing and welcome any constructive criticism.

#!/bin/bash
spam_reports=/home/rzewnickie/SPAM-USER-FEEDBACK
archive=/var/spool/MailScanner/archive
# many of these are protected by quoting and may not need to
# be here. But, I'm not sure which ...
special_chars="\041-\055\072-\077\133-\140\173-\177"
subjects=`grep -A6 "^-----Original Message-----$" $spam_reports |\
          grep "^Subject: " | sort | uniq`
echo "$subjects"
for mbox in `ls $archive/20*`; do
    echo "$subjects" |\
    perl -pi -e "s/[$special_chars]/./g" |\
    xargs --replace grepmail -u -h "^{}" $mbox >> /tmp/spam ;
done
From nnelson at 1SEO.NET Fri Feb 27 20:58:56 2004
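The recovery step described in the two posts above, as an added Python example that is not part of Eric's script or of MailScanner: it takes the original straight from a forward-as-attachment report when one is attached, and otherwise looks the quoted subject up in the archive mboxes by exact string comparison, which sidesteps the regex-escaping and blank-subject problems he lists. All function names and sample messages are constructed for illustration.

```python
import mailbox
from email import message_from_string, policy

MARKER = "-----Original Message-----"
# Constructed sample data (not taken from the list archive).
INLINE_REPORT = """\
Subject: FW: Cheap m3ds!!! [50% off] $$$

-----Original Message-----
From: someone [mailto:x@example.invalid]
Sent: Friday, February 27, 2004 6:22 AM
Subject: Cheap m3ds!!! [50% off] $$$

buy now
"""
BLANK_REPORT = INLINE_REPORT.replace("Subject: Cheap m3ds!!! [50% off] $$$\n\nbuy", "Subject:\n\nbuy")
ATTACHED_REPORT = """\
Subject: FW: spam
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: message/rfc822

Received: from mx.example.invalid by mail.example.invalid; Fri, 27 Feb 2004 06:22:00 +0000
Subject: Cheap m3ds!!! [50% off] $$$

buy now
--b1--
"""
ARCHIVE_MESSAGES = [
    "From: x@example.invalid\nSubject: Cheap m3ds!!! [50% off] $$$\n\nbuy now\n",
    "From: boss@example.invalid\nSubject: Cheap meds policy\n\nlegitimate mail\n",
    "From: y@example.invalid\nSubject:\n\nblank subject\n",
]

def normalize(subject):
    """Collapse whitespace and case so subjects compare as plain strings, not regexes."""
    return " ".join(str(subject).split()).lower()

def attached_originals(msg):
    """Forward-as-attachment: originals arrive as message/rfc822 parts, headers intact."""
    found = []
    for part in msg.iter_parts():
        if part.get_content_type() == "message/rfc822":
            found.append(part.get_payload(0))
        elif part.is_multipart():
            found.extend(attached_originals(part))
    return found

def quoted_subjects(msg):
    """Inline forward: headers are gone, only the quoted Subject line survives."""
    body = msg.get_body(preferencelist=("plain",))
    lines = body.get_content().splitlines() if body is not None else []
    subjects = set()
    for i, line in enumerate(lines):
        if line.strip() != MARKER:
            continue
        for follow in lines[i + 1:i + 7]:  # same window as `grep -A6`
            if follow.startswith("Subject:"):
                subject = normalize(follow[len("Subject:"):])
                if subject:  # a blank subject would match every message
                    subjects.add(subject)
                break
    return subjects

def search_archive(subjects, mbox_paths):
    """Return archived messages whose Subject equals one of the reported subjects."""
    hits = []
    for path in mbox_paths:
        box = mailbox.mbox(path, create=False)
        try:
            hits.extend(m for m in box if normalize(m.get("Subject", "")) in subjects)
        finally:
            box.close()
    return hits

def recover_originals(report_text, mbox_paths):
    """Prefer attached originals; fall back to subject lookup in the archive mboxes."""
    report = message_from_string(report_text, policy=policy.default)
    originals = attached_originals(report)
    if originals:
        return "attachment", originals
    return "archive", search_archive(quoted_subjects(report), mbox_paths)

def build_sample_archive(path):
    box = mailbox.mbox(path)  # constructed stand-in for one date-stamped archive mbox
    for raw in ARCHIVE_MESSAGES:
        box.add(raw)
    box.close()
    return path

if __name__ == "__main__":
    import os, tempfile
    archive = build_sample_archive(os.path.join(tempfile.mkdtemp(), "20040227"))
    for report in (INLINE_REPORT, BLANK_REPORT, ATTACHED_REPORT):
        source, found = recover_originals(report, [archive])
        print(source, [str(m["Subject"]) for m in found])
```

Archive hits still share a subject with possibly legitimate mail, so they need the manual review described in the post before being written to an mbox and passed to `sa-learn --spam --mbox`.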
From: nnelson at 1SEO.NET (Nick Nelson) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... Message-ID: <403FAF90.2010705@1SEO.net> Hi folks. I've read through a lot of the performance posts in the archives and have decided on this machine: Dual Opteron 240 1 Gig ECC Registered DDR RAM 3x80Gig SerialATA drives Most likely running Fedora as that seems to perform best with the Opterons. If I do not choose this machine (my first question coming) I will go with a similar Dual Xeon package, same RAM, however most likely only IDE drives. My first question is, anyone have any input on MS in a 64bit environment? I'll probably end up running it in 32bit anyhow, but advantages/disadvantages? Secondly, the purpose of this machine will be hopefully to scan all incoming and outgoing mail for about 30 mailservers. I have also reviewed a commercial device (BarracudaNetworks.com) which doesn't seem to offer that many advantages, the one advantage it offers, which I'm guessing MS does too is the ability to specify: domain1.com -> mail1.host.com domain2.com -> mail3.host.com domain3.com -> mail32.host.com Basically need the ability to direct which mailserver each different domain should be relayed to. I could not find anything regarding this in the MS docs, is this possible? Any input on the use of MS over say BarracudaNetworks product which will run at minimum for a dual xeon/opteron configuration in the $7000 range? Thanks.. :) Nick From raymond at PROLOCATION.NET Fri Feb 27 21:12:29 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: <403FAF90.2010705@1SEO.net> Message-ID:

Hi!

> Secondly, the purpose of this machine will be hopefully to scan all
> incoming and outgoing mail for about 30 mailservers. I have also
> reviewed a commercial device (BarracudaNetworks.com) which doesn't seem
> to offer that many advantages, the one advantage it offers, which I'm
> guessing MS does too is the ability to specify:
>
> domain1.com -> mail1.host.com
> domain2.com -> mail3.host.com
> domain3.com -> mail32.host.com

This you do in your mailer, if you configure MS with sendmail for example you can do this easily with the mailertable.

> Any input on the use of MS over say BarracudaNetworks product which will
> run at minimum for a dual xeon/opteron configuration in the $7000 range?

You can buy two or three dual xeons for that amount of cash, what's the amount of mail you need to scan ?

Bye,
Raymond.

From spamtrap71892316634 at ANIME.NET Fri Feb 27 21:15:03 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: <403FAF90.2010705@1SEO.net> Message-ID:

On Fri, 27 Feb 2004, Nick Nelson wrote:
> My first question is, anyone have any input on MS in a 64bit environment?
> I'll probably end up running it in 32bit anyhow, but
> advantages/disadvantages?

I can't think of any advantages to running it 64bit, it would likely be slower.

-Dan

From rgreen at TRAYERPRODUCTS.COM Fri Feb 27 21:14:33 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: <403FAF90.2010705@1SEO.net> References: <403FAF90.2010705@1SEO.net> Message-ID: <403FB339.9080103@trayerproducts.com> Redirection of the mail to the different servers would be a function of the MTA, not MailScanner. Nick Nelson wrote: > Hi folks. > > I've read through a lot of the performance posts in the archives and > have decided on this machine: > > Dual Opteron 240 > 1 Gig ECC Registered DDR RAM > 3x80Gig SerialATA drives > > Most likely running Fedora as that seems to perform best with the > Opterons. > > If I do not choose this machine (my first question coming) I will go > with a similar Dual Xeon package, same RAM, however most likely only IDE > drives. > > My first question is, anyone have any input on MS in a 64bit enviorment? > I'll probably end up running it in 32bit anyhow, but > advantages/disadvantages? > > Secondly, the purpose of this machine will be hopefully to scan all > incoming and outgoing mail for about 30 mailservers. I have also > reviewed a commercial device (BarracudaNetworks.com) which doesn't seem > to offer that many advantages, the one advantage it offers, which I'm > guessing MS does too is the ability to specify: > > domain1.com -> mail1.host.com > domain2.com -> mail3.host.com > domain3.com -> mail32.host.com > > Basically need the ability to direct which mailserver each different > domain should be relayed too. I could not find anything regarding this > in the MS docs, is this possible? > > Any input on the use of MS over say BarracudaNetworks produt which will > run at minimum for a dual xeon/opteron configuration in the $7000 range? > > Thanks.. :) > > Nick > > -- "Please remain calm...I may be mad, but I am a professional." -Mad Scientist From Kevin_Miller at CI.JUNEAU.AK.US Fri Feb 27 21:16:52 2004 
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... Message-ID: <08146035CA49D6119A36009027AC822A0264EE79@CITY-EXCH-NTS> >-----Original Message----- >From: Nick Nelson [mailto:nnelson@1SEO.NET] >Sent: Friday, February 27, 2004 11:59 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: A few questions I can't find in archive... > > >Hi folks. > >I've read through a lot of the performance posts in the archives and >have decided on this machine: > >Dual Opteron 240 >1 Gig ECC Registered DDR RAM >3x80Gig SerialATA drives One word of caution with the SATA drives: the 2.4 kernel doesn't do particularly well with them. I'm running SuSE 9 at home, not Fedora, and it is *dog* slow. hdparm reports about 7 mb/sec. Should be 7 - 10 times that. Depending on the controller, the SATA drives may not even be available, many people report that they can't even see the SATA drives. Things may be different in the Fedora world, and you may be using the 2.6 kernel in which case you'll see much better performance, but SATA is still a bit bleeding edge so there may be some drivers/mobos that work, and others that don't... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From raymond at PROLOCATION.NET Fri Feb 27 21:19:29 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: <08146035CA49D6119A36009027AC822A0264EE79@CITY-EXCH-NTS> Message-ID: Hi! > >Dual Opteron 240 > >1 Gig ECC Registered DDR RAM > >3x80Gig SerialATA drives > > One word of caution with the SATA drives: the 2.4 kernel doesn't do > particularly well with them. I'm running SuSE 9 at home, not Fedora, and it > is *dog* slow. hdparm reports about 7 mb/sec. Should be 7 - 10 times that. > Depending on the controller, the SATA drives may not even be available, many > people report that they can't even see the SATA drives. Things may be > different in the Fedora world, and you may be using the 2.6 kernel in which > case you'll see much better performance, but SATA is still a bit bleeding > edge so there may be some drivers/mobos that work, and others that don't... I am running SATA in some Supermicro boxes, with both 2.4 and 2.6 and they fly. Sounds strange. > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Administrator, Mail > Administrator > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > From nnelson at 1SEO.NET Fri Feb 27 21:19:35 2004 
From: nnelson at 1SEO.NET (Nick Nelson) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: References: Message-ID: <403FB467.5080808@1SEO.net> Raymond Dijkxhoorn wrote: >Hi! > > > >>Secondly, the purpose of this machine will be hopefully to scan all >>incoming and outgoing mail for about 30 mailservers. I have also >>reviewed a commercial device (BarracudaNetworks.com) which doesn't seem >>to offer that many advantages, the one advantage it offers, which I'm >>guessing MS does too is the ability to specify: >> >>domain1.com -> mail1.host.com >>domain2.com -> mail3.host.com >>domain3.com -> mail32.host.com >> >> > >This you do in your mailer, if you configure MS with sendmail for example >you can do this easilly with the mailertable. > > > We use exim right now. I'll research that further on Exim. I understand MS tends to perform better on exim as well? However if it's easier (or better) on sendmail to forward the mail along. Might end up doing that anyhow. What about as far as SMTP goes? Do the clients just set the SMTP server in their MUA to the IP of the MS server? >>Any input on the use of MS over say BarracudaNetworks produt which will >>run at minimum for a dual xeon/opteron configuration in the $7000 range? >> >> > >You can buy two or three dual xeons for that ammount of cash, whats the >ammount of mail you need to scan ? > > > Well, it'll start out for very little, and move up, however, with the cost difference I'm apt to just getting more dual xeons. Basically the $7000 machine at barracudanetworks claimed to do 25million emails a day, handling 25,000 active users. I don't foresee ever doing nearly that. Is there a general rule on how much mail a Dual Xeon (with SCSI or SATA) and 1-2Gig of RAM can handle per minute/per day? Or better yet in my situation, how many different domains? We have roughly 400-500 different domains on each dual xeon we use for hosting right now. 35-40 machines. 
We will slowly be moving them over. Most of the domain are pretty inactive users, not that many pieces of mail per day. Thanks for the quick reply :) Nick From nnelson at 1SEO.NET Fri Feb 27 21:24:46 2004 From: nnelson at 1SEO.NET (Nick Nelson) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: References: Message-ID: <403FB59E.7040500@1SEO.net> Dan Hollis wrote: >On Fri, 27 Feb 2004, Nick Nelson wrote: > > >>My first question is, anyone have any input on MS in a 64bit enviorment? >> I'll probably end up running it in 32bit anyhow, but >>advantages/disadvantages? >> >> > >I cant think of any advantages to running it 64bit, it would likely be >slower. > >-Dan > > In that case, and with the talk of SATA drives possibly not doing as well, I'll probably just skip back to Dual Xeons with SCSI drives. The cost is less on the Dual Xeons as well, which is a good thing of course. Is there a safe amount to assume each box can push optimized well on Dual Xeons, SCSI drives and 2Gig of RAM? nick From ugob at CAMO-ROUTE.COM Fri Feb 27 21:27:56 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... Message-ID: <54C38A0B814C8E438EF73FC76F36292741093D@mtlnt501fs.CAMOROUTE.COM> >-----Message d'origine----- >De : Nick Nelson [mailto:nnelson@1SEO.NET] >Envoy? : 27 f?vrier, 2004 16:20 >? : MAILSCANNER@JISCMAIL.AC.UK >Objet : Re: A few questions I can't find in archive... > > >Raymond Dijkxhoorn wrote: > >>Hi! >> >> >> >>>Secondly, the purpose of this machine will be hopefully to scan all >>>incoming and outgoing mail for about 30 mailservers. I have also >>>reviewed a commercial device (BarracudaNetworks.com) which >doesn't seem >>>to offer that many advantages, the one advantage it offers, which I'm >>>guessing MS does too is the ability to specify: >>> >>>domain1.com -> mail1.host.com >>>domain2.com -> mail3.host.com >>>domain3.com -> mail32.host.com >>> >>> >> >>This you do in your mailer, if you configure MS with sendmail >for example >>you can do this easilly with the mailertable. >> >> >> >We use exim right now. I'll research that further on Exim. I understand >MS tends to perform better on exim as well? However if it's easier (or >better) on sendmail to forward the mail along. Might end up doing that >anyhow. What about as far as SMTP goes? Do the clients just >set the SMTP >server in their MUA to the IP of the MS server? > >>>Any input on the use of MS over say BarracudaNetworks produt >which will >>>run at minimum for a dual xeon/opteron configuration in the >$7000 range? >>> >>> >> >>You can buy two or three dual xeons for that ammount of cash, >whats the >>ammount of mail you need to scan ? >> >> >> >Well, it'll start out for very little, and move up, however, with the >cost difference I'm apt to just getting more dual xeons. Basically the >$7000 machine at barracudanetworks claimed to do 25million >emails a day, >handling 25,000 active users. > >I don't foresee ever doing nearly that. 
Is there a general rule on how >much mail a Dual Xeon (with SCSI or SATA) and 1-2Gig of RAM can handle >per minute/per day? I suggest you have a look here. http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/120.html Or better yet in my situation, how many different >domains? We have roughly 400-500 different domains on each dual xeon we >use for hosting right now. 35-40 machines. We will slowly be >moving them >over. Most of the domain are pretty inactive users, not that >many pieces >of mail per day. > >Thanks for the quick reply :) > >Nick > From Kevin_Miller at CI.JUNEAU.AK.US Fri Feb 27 21:30:41 2004 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... Message-ID: <08146035CA49D6119A36009027AC822A0264EE7A@CITY-EXCH-NTS> >-----Original Message----- >I am running SATA in some Supermicro boxes, with both 2.4 and >2.6 and they fly. Sounds strange. Running Fedora? Maybe I outta switch! I think it all boils down to the controller and what drivers the distro has available for it. It may be that the combo Nick is looking at would work great, but just wanted him to walk into it w/his eyes open. But he says he may go to SCSI - probably can't go wrong w/that though it costs a bit more... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From maillists at CONACTIVE.COM Fri Feb 27 21:31:54 2004 
From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:46 2006 Subject: SuSE 9 install problem In-Reply-To: <403E91F3.9080702@aeroflex.com> References: <403E91F3.9080702@aeroflex.com> Message-ID:

William Burns wrote on Thu, 26 Feb 2004 19:40:19 -0500:

> > error: Failed build dependancies:
> > perl >= 0:5.00503 is needed by perl-Net-CIDR-0.08-2
>

I got the same error on Suse 9, but when installing the tarball. I went and installed finally all three or four modules which didn't like to install via CPAN. It keeps happening after these are installed. So, I don't think this is because of a dependency on the MIME-Tools. Must be something wrong in the detection code of the modules packed in the tarball. I wonder why Julian doesn't simply provide the commands for the CPAN install. I've not seen any CPAN install going wrong for a very long time.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From raymond at PROLOCATION.NET Fri Feb 27 21:35:03 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: <403FB467.5080808@1SEO.net> Message-ID:

Hi!

> >This you do in your mailer, if you configure MS with sendmail for example
> >you can do this easily with the mailertable.

> We use exim right now. I'll research that further on Exim. I understand
> MS tends to perform better on exim as well? However if it's easier (or
> better) on sendmail to forward the mail along. Might end up doing that
> anyhow. What about as far as SMTP goes? Do the clients just set the SMTP
> server in their MUA to the IP of the MS server?

In Exim you can configure a router to do this, will do the exact same thing. Exim performs well, but we (with tweaking) squeeze out about the same amount of messages with the last sendmail versions. It's about the same. Out of the box Exim performs better...

> >You can buy two or three dual xeons for that amount of cash, what's the
> >amount of mail you need to scan ?

> Well, it'll start out for very little, and move up, however, with the
> cost difference I'm apt to just getting more dual xeons. Basically the
> $7000 machine at barracudanetworks claimed to do 25million emails a day,
> handling 25,000 active users.

Well, do some testing. With the smaller messages (virus crap stuff) the performance goes down a lot.

> I don't foresee ever doing nearly that. Is there a general rule on how
> much mail a Dual Xeon (with SCSI or SATA) and 1-2Gig of RAM can handle
> per minute/per day? Or better yet in my situation, how many different
> domains? We have roughly 400-500 different domains on each dual xeon we
> use for hosting right now. 35-40 machines. We will slowly be moving them
> over. Most of the domain are pretty inactive users, not that many pieces
> of mail per day.

What amount do you process now ? It's all depending on what switches you toggle, virus scanning, RBL lookups, SpamAssassin...
> Thanks for the quick reply :) You're welcome. Bye, Raymond. From raymond at PROLOCATION.NET Fri Feb 27 21:36:13 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: <403FB59E.7040500@1SEO.net> Message-ID: Hi! > In that case, and with the talk of SATA drives possibly not doing as > well, I'll probably just skip back to Dual Xeons with SCSI drives. The > cost is less on the Dual Xeons as well, which is a good thing of course. > > Is there a safe amount to assume each box can push optimized well on > Dual Xeons, SCSI drives and 2Gig of RAM? Most of our dual xeon boxes are running with 2G RAM, leaves plenty for a nice tmpfs. So yes, 2G sounds fine to me. Bye, Raymond. From mikes at HARTWELLCORP.COM Fri Feb 27 21:39:05 2004 From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CEA@hart-exchange.hartwellcorp.com> Kevin Miller wrote: >> -----Original Message----- >> I am running SATA in some Supermicro boxes, with both 2.4 and >> 2.6 and they fly. Sounds strange. > > Running Fedora? Maybe I outta switch! I think it all boils down to > the controller and what drivers the distro has available for it. It > may be that the combo Nick is looking at would work great, but just > wanted him to walk into it w/his eyes open. But he says he may go to > SCSI - probably can't go wrong w/that though it costs a bit more... Mmmm... personally I would advise against it for the moment. Wait for a more stable version to come out. The current version is basically an alpha release. I tried it out on my laptop and after about a week of trying to make it useable I had to give up and revert back to Red Hat 9. -- Michael St. Laurent Hartwell Corporation From newcomer at DICKINSON.EDU Fri Feb 27 21:35:40 2004 
From: newcomer at DICKINSON.EDU (Don Newcomer) Date: Thu Jan 12 21:22:46 2006 Subject: Configuring SpamAssassin and spamd Message-ID: I asked Julian about this but I'll fire it at the list as well. I'm running MailScanner 4.26.8 on an HP AlphaServer ES47 with Tru64 UNIX version 5.1B. I've also installed SpamAssassin 2.63 and would like to hook it in to MailScanner. HOWEVER, SA has the spamd daemon which would greatly reduce system overhead. How can I be assured that by telling MS to use SA, that it will use spamd and not open the SA modules itself? Thanks in advance. ================================================================================ Don Newcomer Dickinson College Senior Manager, Systems P.O. Box 1773 newcomer@dickinson.edu Carlisle, PA 17013 Phone: (717) 245-1256 FAX: (717) 245-1690 From ugob at CAMO-ROUTE.COM Fri Feb 27 21:38:55 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... Message-ID: <54C38A0B814C8E438EF73FC76F36292741093E@mtlnt501fs.CAMOROUTE.COM>

>-----Message d'origine-----
>De : Nick Nelson [mailto:nnelson@1SEO.NET]
>Envoyé : 27 février, 2004 16:25
>À : MAILSCANNER@JISCMAIL.AC.UK
>Objet : Re: A few questions I can't find in archive...
>
>
>Dan Hollis wrote:
>
>>On Fri, 27 Feb 2004, Nick Nelson wrote:
>>
>>
>>>My first question is, anyone have any input on MS in a 64bit
>environment?
>>> I'll probably end up running it in 32bit anyhow, but
>>>advantages/disadvantages?
>>>
>>>
>>
>>I can't think of any advantages to running it 64bit, it would likely be
>>slower.
>>
>>-Dan
>>
>>
>
>In that case, and with the talk of SATA drives possibly not doing as
>well, I'll probably just skip back to Dual Xeons with SCSI drives. The
>cost is less on the Dual Xeons as well, which is a good thing
>of course.

Xeons might be cheaper, but Opterons are better performers. See here: http://www.anandtech.com/IT/showdoc.html?i=1935&p=1 Sometimes very surprising.

>
>Is there a safe amount to assume each box can push optimized well on
>Dual Xeons, SCSI drives and 2Gig of RAM?
>
>nick
>

From raymond at PROLOCATION.NET Fri Feb 27 21:40:59 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: <08146035CA49D6119A36009027AC822A0264EE7A@CITY-EXCH-NTS> Message-ID: Hi! > >I am running SATA in some Supermicro boxes, with both 2.4 and > >2.6 and they fly. Sounds strange. > Running Fedora? Maybe I outta switch! I think it all boils down to the > controller and what drivers the distro has available for it. It may be that > the combo Nick is looking at would work great, but just wanted him to walk > into it w/his eyes open. But he says he may go to SCSI - probably can't go > wrong w/that though it costs a bit more... Yes, CORE-1 currently, with mixed 2.4 and 2.6 kernels, to test speeds of both, so far the TCP handling seems more efficient with the 2.6 boxes so i might upgrade kernels on the rest also. SCSI is most likely the best way to go, little more expensive but if you can afford a dual xeon box you can also afford scsi =) Bye, Raymond. From raymond at PROLOCATION.NET Fri Feb 27 21:42:22 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:46 2006 Subject: Configuring SpamAssassin and spamd In-Reply-To: Message-ID: Hi! > running MailScanner 4.26.8 on an HP AlphaServer ES47 with Tru64 UNIX > version 5.1B. I've also installed SpamAssassin 2.63 and would like to hook > it in to MailScanner. HOWEVER, SA has the spamd daemon which would greatly > reduce system overhead. How can I be assured that by telling MS to use SA, > that it will use spamd and not open the SA modules itself? Thanks in > advance. This wont reduce the load, several people tested this. Just shoot down the SPAMD, MS wont use this. So in short, you cant and you should not :) Bye, Raymond. From raymond at PROLOCATION.NET Fri Feb 27 21:46:34 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CEA@hart-exchange.hartwellcorp.com> Message-ID:

Hi!

> > Running Fedora? Maybe I outta switch! I think it all boils down to
> > the controller and what drivers the distro has available for it. It
> > may be that the combo Nick is looking at would work great, but just
> > wanted him to walk into it w/his eyes open. But he says he may go to
> > SCSI - probably can't go wrong w/that though it costs a bit more...

> Mmmm... personally I would advise against it for the moment. Wait for a
> more stable version to come out. The current version is basically an alpha
> release. I tried it out on my laptop and after about a week of trying to
> make it useable I had to give up and revert back to Red Hat 9.

We process around 2M mails daily on our mailcluster and i would recommend upgrading any RH9 box to CORE-1, it simply runs much faster. We did some tests on that. Also the ram usage is much better with the kernel supplied with that distribution.

It's certainly not an alpha release, i am involved with Fedora myself also, we run a mirror from the start, even before the merger with RedHat. It's mostly RedHat people doing this and you even might consider it RH 9.1 or RH 10.

I hope you won't project your experience using it on your laptop how it would perform on mailservers. And that's, i think, what we are talking about here.

If you can afford it you should perhaps try RH ES, those are compiled with a different optimized compiler. So high end either RH ES (Or Whitebox) :)

Just my 2 cents.

Bye,
Raymond.

From mailscanner at SMITS.CO.UK Fri Feb 27 21:55:10 2004
From: mailscanner at SMITS.CO.UK (MailScanner) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... Message-ID: <58696C94787F16468267F3509F1150309826@hermes.clumpton.homeip.net> Any (dis)advantages in HyperThreading? We're running a fairly busy (72k msg/day) dual Xeon 2.4 2GB RAM with HT on RH9 / MS 4-26.7 / SA 2.63 / Clam 0.65 In top the MailScanner process continuously has near 100% of CPU 2. The idle percentage hunts around between one of the virtual CPU's at near 0% and the rest roughly equal. Sometimes all four are roughly equal. Our CPU utilisation as showing in Mailscanner-MRTG (older version) is higher than we would like it to be. Bart... -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn Posted At: 27 February 2004 21:36 Posted To: MailScanner Conversation: A few questions I can't find in archive... Subject: Re: A few questions I can't find in archive... Hi! > In that case, and with the talk of SATA drives possibly not doing as > well, I'll probably just skip back to Dual Xeons with SCSI drives. > The cost is less on the Dual Xeons as well, which is a good thing of course. > > Is there a safe amount to assume each box can push optimized well on > Dual Xeons, SCSI drives and 2Gig of RAM? Most of our dual xeon boxes are running with 2G RAM, leaves plenty for a nice tmpfs. So yes, 2G sounds fine to me. Bye, Raymond. From newcomer at DICKINSON.EDU Fri Feb 27 21:59:42 2004 
From: newcomer at DICKINSON.EDU (Don Newcomer) Date: Thu Jan 12 21:22:46 2006 Subject: Configuring SpamAssassin and spamd In-Reply-To: References: Message-ID: I see my other option being to call spamd from procmail. Would using MS still be faster? Don On Fri, 27 Feb 2004, Raymond Dijkxhoorn wrote: > Hi! > > > running MailScanner 4.26.8 on an HP AlphaServer ES47 with Tru64 UNIX > > version 5.1B. I've also installed SpamAssassin 2.63 and would like to hook > > it in to MailScanner. HOWEVER, SA has the spamd daemon which would greatly > > reduce system overhead. How can I be assured that by telling MS to use SA, > > that it will use spamd and not open the SA modules itself? Thanks in > > advance. > > This wont reduce the load, several people tested this. Just shoot down the > SPAMD, MS wont use this. So in short, you cant and you should not :) > > Bye, > Raymond. > From raymond at PROLOCATION.NET Fri Feb 27 22:04:12 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:46 2006 Subject: Configuring SpamAssassin and spamd In-Reply-To: Message-ID: Hi! > I see my other option being to call spamd from procmail. Would using MS > still be faster? You have to try, but my guess, yes it will be faster with MS alone. Bye, Raymond From raymond at PROLOCATION.NET Fri Feb 27 22:07:11 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: <58696C94787F16468267F3509F1150309826@hermes.clumpton.homeip.net> Message-ID:

Hi!

> Any (dis)advantages in HyperThreading? We're running a fairly busy (72k
> msg/day) dual Xeon 2.4 2GB RAM with HT on RH9 / MS 4-26.7 / SA 2.63 /
> Clam 0.65
>
> In top the MailScanner process continuously has near 100% of CPU 2. The
> idle percentage hunts around between one of the virtual CPU's at near 0%
> and the rest roughly equal. Sometimes all four are roughly equal. Our
> CPU utilisation as showing in Mailscanner-MRTG (older version) is higher
> than we would like it to be.

72K is not that many for a dual xeon, sounds strange. Are you using tmpfs also ? Do you have RBL lookups on a local server or all on the remote RBL servers? Do you run a caching DNS on the box itself ?

Bye,
Raymond.

From listonly at WEBPRESENCEGROUP.NET Fri Feb 27 22:13:12 2004
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... [SCANNED] In-Reply-To: <403FAF90.2010705@1SEO.net> Message-ID:

On 2/27/04 2:58 PM, "Nick Nelson" wrote:

> domain1.com -> mail1.host.com
> domain2.com -> mail3.host.com
> domain3.com -> mail32.host.com

We are using Sendmail as a MailHub server similar to what you seem to want, we used Sendmail's functionality of mailertable and relay domains.

Mailertable settings example;

domain.org smtp:mail.domain.org

And then for Relay Domains we just enter the domain i.e.

Domain.org

This in essence grabs the mail as we have the mailhub set as the priority MX and the maildomain.org is set as the secondary/backup MX

This is working very well for us at least.

--
Thanks!!
David Thurman
List Only at Web Presence Group Net

From steve.swaney at FSL.COM Fri Feb 27 22:11:21 2004
From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: Message-ID: <20040227221323.B808721C2A8@mail.fsl.com> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Dan Hollis > Sent: Friday, February 27, 2004 4:15 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: A few questions I can't find in archive... > > On Fri, 27 Feb 2004, Nick Nelson wrote: > > My first question is, anyone have any input on MS in a 64bit enviorment? > > I'll probably end up running it in 32bit anyhow, but > > advantages/disadvantages? It's my understanding that the Opteron chip has far better floating point performance then the Titanium chip. This should greatly improve perl's performance. Since MailScanner and SpamAssassin are written in perl, we expect to see significant performance increases on the Opteron systems. Running the 2.6 kernel on an Opteron system should show very significant performance increases. Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > I cant think of any advantages to running it 64bit, it would likely be > slower. > > -Dan > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From steve.swaney at FSL.COM Fri Feb 27 22:19:06 2004 
From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: Message-ID: <20040227222108.B5E2521C2A8@mail.fsl.com> on mailservers. And thats, i think, what we are talking > about here. > > If you can afford is you should perhaps try RH ES, those are compiled with > a different optimized compiler. So high end either RH ES (Or Whitebox) :) > > Just my 2 cents. > Or try www.TaoLinux.org Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > Bye, > Raymond. > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From mailscanner at SMITS.CO.UK Fri Feb 27 22:23:30 2004 From: mailscanner at SMITS.CO.UK (MailScanner) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... Message-ID: <58696C94787F16468267F3509F1150309828@hermes.clumpton.homeip.net> All the trimmings: tmpfs, caching DNS, local lookups. We do have a large (20k) number of messages in the outbound queue. Bart... -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn Posted At: 27 February 2004 22:07 Posted To: MailScanner Conversation: A few questions I can't find in archive... Subject: Re: A few questions I can't find in archive... Hi! > Any (dis)advantages in HyperThreading? We're running a fairly busy > (72k > msg/day) dual Xeon 2.4 2GB RAM with HT on RH9 / MS 4-26.7 / SA 2.63 / > Clam 0.65 > > In top the MailScanner process continuously has near 100% of CPU 2. > The idle percentage hunts around between one of the virtual CPU's at > near 0% and the rest roughly equal. Sometimes all four are roughly > equal. Our CPU utilisation as showing in Mailscanner-MRTG (older > version) is higher than we would like it to be. 72K is not that many for a dual xeon, sounds strange. Are you using tmpfs also ? Do you have a RBL lookups on a local server or all on the remote RBL servers? Do you run a caching DNS on the box itself ? Bye, Raymond. From raymond at PROLOCATION.NET Fri Feb 27 22:26:21 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: <58696C94787F16468267F3509F1150309828@hermes.clumpton.homeip.net> Message-ID: Hi! > All the trimmings: tmpfs, caching DNS, local lookups. > > We do have a large (20k) number of messages in the outbound queue. > > In top the MailScanner process continuously has near 100% of CPU 2. > > The idle percentage hunts around between one of the virtual CPU's at > > near 0% and the rest roughly equal. Sometimes all four are roughly > > equal. Our CPU utilisation as showing in Mailscanner-MRTG (older > > version) is higher than we would like it to be. > > 72K is not that many for a dual xeon, sounds strange. Are you using > tmpfs also ? Do you have a RBL lookups on a local server or all on the > remote RBL servers? Do you run a caching DNS on the box itself ? Most likely you have a IO problem ? Do you run stats on your box ? A pakage like Orca can help a lot with things like this. If might be wise to offload outgoing mail with a smarthost to a smtp-out box, dedicated for that job. So the MS box can concentrate on the scanning. Bye, Raymond. From mikes at HARTWELLCORP.COM Fri Feb 27 22:46:17 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CEB@hart-exchange.hartwellcorp.com> Raymond Dijkxhoorn wrote: >> Mmmm... personally I would advise against it for the moment. Wait >> for a more stable version to come out. The current version is >> basically an alpha release. I tried it out on my laptop and after >> about a week of trying to make it useable I had to give up and >> revert back to Red Hat 9. > > We process around 2M mails daily on our mailcluster and i would > recommend upgrading any RH9 box to CORE-1, it simply run much faster. > We did some test on that. Also the ram usage is much better with the > kernel supplied with that distribution. Maybe that's the difference. I was trying Core 2 test 1 not Core 1 final. > Its certainly not an alpha release, i am involved with Fedora myself > also, we run a mirror from the start, even before the merger with > RedHat. Its mostly RedHat people doing this and you even might > consider it RH 9.1 or RH 10. Again, perhaps I was thinking about the wrong release. > I hope you wont project your experience using it on your labtop how it > would perform on mailservers. And thats, i think, what we are talking > about here. > > If you can afford is you should perhaps try RH ES, those are compiled > with a different optimized compiler. So high end either RH ES (Or > Whitebox) :) Nah, I'll just wait for the final release of Fedora. I'm sure it will be better. :-D -- Michael St. Laurent Hartwell Corporation From nnelson at 1SEO.NET Fri Feb 27 22:47:59 2004 
From: nnelson at 1SEO.NET (Nick Nelson)
Date: Thu Jan 12 21:22:46 2006
Subject: A few questions I can't find in archive...
In-Reply-To:
References:
Message-ID: <403FC91F.7050303@1SEO.net>

There were some tests run on the two different servers I'm considering, with multiple Operating Systems, here are the results via unixbench:

dual xeon with RH9: 290.2
opteron with RH9: 403.8
opteron with Fedora: 461.8

As you can see, Opteron with Fedora performed very well on the setup I'll be intending to use it, I'm not positive if it's the 2.6 kernel or not. I'm going to purchase a few sendmail books, as I'm familiar with Exim, however it appears at least to me that with wanting to use it as a 'mailhub' sendmail is a better (more popular?) option. I also noticed that MailWatch worked with Sendmail only.

So I'm still floating in between the two setups, the Opteron is definitely the more affordable at this point for multiple reasons, it'll also have RAID when the dual xeon wouldn't most likely.

Thanks a lot, I've already answered most of my questions..as far as mailertables go and what not.

From ugob at CAMO-ROUTE.COM Fri Feb 27 22:55:19 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:46 2006
Subject: A few questions I can't find in archive...
Message-ID: <54C38A0B814C8E438EF73FC76F36292741093F@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Nick Nelson [mailto:nnelson@1SEO.NET]
>Sent: February 27, 2004 17:48
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: A few questions I can't find in archive...
>
>
>There were some tests run on the two different servers I'm considering,
>with multiple Operating Systems, here are the results via unixbench:
>
>dual xeon with RH9: 290.2
>opteron with RH9: 403.8
>opteron with Fedora: 461.8
>
>As you can see, Opteron with Fedora performed very well on the setup
>I'll be intending to use it, I'm not positive if it's the 2.6 kernel or
>not. I'm going to purchase a few sendmail books, as I'm familiar with
>Exim, however it appears at least to me that with wanting to
>use it as a
>'mailhub' sendmail is a better (more popular?) option. I also noticed
>that MailWatch worked with Sendmail only.
>
>So I'm still floating in between the two setups, the Opteron is
>definitely the more affordable at this point for multiple reasons,
>it'll also have RAID when the dual xeon wouldn't most likely.

What you might want to try, if you don't want to spend too much on disk drives, is to use a 3ware card (www.3ware.com) with WD Raptors. Raptors are 10K IDE drives. Probably a scsi drive inside with an IDE interface and a 5 year warranty.

hth

>
>Thanks a lot, I've already answered most of my questions..as far as
>mailertables go and what not.
>

From raymond at PROLOCATION.NET Fri Feb 27 23:00:06 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:46 2006 Subject: A few questions I can't find in archive... In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CEB@hart-exchange.hartwellcorp.com> Message-ID: Hi! > > We process around 2M mails daily on our mailcluster and i would > > recommend upgrading any RH9 box to CORE-1, it simply run much faster. > > We did some test on that. Also the ram usage is much better with the > > kernel supplied with that distribution. > > Maybe that's the difference. I was trying Core 2 test 1 not Core 1 final. Why do you think its called test 1 ? :) Its not ment to be run on production boxes. =) > > If you can afford is you should perhaps try RH ES, those are compiled > > with a different optimized compiler. So high end either RH ES (Or > > Whitebox) :) > > Nah, I'll just wait for the final release of Fedora. I'm sure it will be > better. :-D The release schedule is on the site, its been moved two weeks for the release if i am correct. Bye, Raymond. From mikes at HARTWELLCORP.COM Fri Feb 27 23:02:20 2004 From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:47 2006 Subject: A few questions I can't find in archive... Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CEC@hart-exchange.hartwellcorp.com> Stephen Swaney wrote: > Or try www.TaoLinux.org Well, if I wanted to go the enterprise route I would most likely give Whitebox a try. I would rather wait for the next full release of Fedora though. -- Michael St. Laurent Hartwell Corporation From pete at eatathome.com.au Fri Feb 27 23:07:04 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:47 2006 Subject: A few questions I can't find in archive... In-Reply-To: References: Message-ID: <403FCD98.5010000@eatathome.com.au> Raymond Dijkxhoorn wrote: >Hi! > > > >>>Running Fedora? Maybe I outta switch! I think it all boils down to >>>the controller and what drivers the distro has available for it. It >>>may be that the combo Nick is looking at would work great, but just >>>wanted him to walk into it w/his eyes open. But he says he may go to >>>SCSI - probably can't go wrong w/that though it costs a bit more... >>> >>> > > > >>Mmmm... personally I would advise against it for the moment. Wait for a >>more stable version to come out. The current version is basically an alpha >>release. I tried it out on my laptop and after about a week of trying to >>make it useable I had to give up and revert back to Red Hat 9. >> >> > >We process around 2M mails daily on our mailcluster and i would recommend >upgrading any RH9 box to CORE-1, it simply run much faster. We did some >test on that. Also the ram usage is much better with the kernel supplied >with that distribution. > >Its certainly not an alpha release, i am involved with Fedora myself also, >we run a mirror from the start, even before the merger with RedHat. Its >mostly RedHat people doing this and you even might consider it RH 9.1 or >RH 10. > >I hope you wont project your experience using it on your labtop how it >would perform on mailservers. And thats, i think, what we are talking >about here. > >If you can afford is you should perhaps try RH ES, those are compiled with >a different optimized compiler. So high end either RH ES (Or Whitebox) :) > >Just my 2 cents. > >Bye, >Raymond. > > > > > Is it possible to actually upgrade from RH9 to Fedora core? Or does this mean a system rebuild? 
I have RH9 on bothy our MS machines, which are a Duel p200 and a single p200 NEC server class machines - you think i would notice even the slightest speed improvement from RH9 to Fed Core? From mikes at HARTWELLCORP.COM Fri Feb 27 23:07:32 2004 From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:47 2006 Subject: A few questions I can't find in archive... Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CED@hart-exchange.hartwellcorp.com> Raymond Dijkxhoorn wrote: >> Maybe that's the difference. I was trying Core 2 test 1 not Core 1 >> final. > > Why do you think its called test 1 ? :) > Its not ment to be run on production boxes. Precisely why I was recommending against using it on a production system when I thought it was the version being referred to. Core-1 is a different matter entirely. :-) > The release schedule is on the site, its been moved two weeks for the > release if i am correct. Yep. I'm looking forward to having all the new goodies. :-D -- Michael St. Laurent Hartwell Corporation From shrek-m at GMX.DE Fri Feb 27 23:04:50 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:47 2006 Subject: A few questions I can't find in archive... In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CEA@hart-exchange.hartwellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56CEA@hart-exchange.hartwellcorp.com> Message-ID: <403FCD12.2050700@gmx.de> Michael St. Laurent wrote: >Kevin Miller wrote: > > >>Running Fedora?[...] >> >> >Mmmm... personally I would advise against it for the moment. Wait for a >more stable version to come out. The current version is basically an alpha >release. I tried it out on my laptop and after about a week of trying to >make it useable I had to give up and revert back to Red Hat 9. > > outsch, "fedora core 2 test1" is not the same as "fedora core 1" and afaik you have "tested" a short time "fedora core 2 test1" -- shrek-m From dh at UPTIME.AT Fri Feb 27 23:19:09 2004 
From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:22:47 2006 Subject: A few questions I can't find in archive... In-Reply-To: <403FC91F.7050303@1SEO.net> References: <403FC91F.7050303@1SEO.net> Message-ID: <403FD06D.6040907@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Nick Nelson wrote: Hello. I am sorry for jumping in so late and please excuse me for making some presumptions. > So I'm still floating inbetween the two setups, the Opteron is > definitely the more affordable at this point for multiple reasons, > it'll also have RAID when the dual xeon wouldn't most likely. While I am a sendmail fan myself, Exim is the choice to go with MailScanner. This is something Julian can explain more about, yet he says, that it is the fastest MTA together with MailScanner. One other thing that comes to mind, is that you will definitely want RAID when it comes to building a large MailServer. You will most likely also want a raid with many disks, so that you can spread RAID slices either onto multiple disks or set them to be on particular disks. This is very useful when you have large queues and you split them up, those setting queues onto separate physical disks or disk areas which will speed up the whole I/O process in the long run. A lot of RAM is also useful with MailScanner since you can basically do all the unpacking of a message in RAM which saves you a lot of Disk I/O Sorry if I am covering things that you already know about. PS: in 90% of all cases CPU power is not the limiting factor for a Mailserver - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAP9BxPMoaMn4kKR4RA8BFAJwJmU1DqayUDOot5jMWG6Zpzixz9QCfUBPx wjn8T+ayOgA//b/byfBuuqI= =UsIZ -----END PGP SIGNATURE----- From nnelson at 1SEO.NET Fri Feb 27 23:27:39 2004 
From: nnelson at 1SEO.NET (Nick Nelson) Date: Thu Jan 12 21:22:47 2006 Subject: A few questions I can't find in archive... In-Reply-To: <403FD06D.6040907@uptime.at> References: <403FC91F.7050303@1SEO.net> <403FD06D.6040907@uptime.at> Message-ID: <403FD26B.9000809@1SEO.net> David H. wrote: > While I am a sendmail fan myself, Exim is the choice to go with > MailScanner. This is something Julian can explain more about, yet he > says, that it is the fastest MTA together with MailScanner. Okay, I'll have to research exim routing of mail (the equivalant of mailtables?) better than. I was kinda getting the idea from posts that it wasn't as good as sendmail, and with the third party stuff such as MailWatch only support Sendmail, it was a bit confusing, I'm more famialr with Exim (although not the routing aspect) anyhow. > One other > thing that comes to mind, is that you will definitely want RAID when it > comes to building a large MailServer. You will most likely also want a > raid with many disks, so that you can spread RAID slices either onto > multiple disks or set them to be on particular disks. I typically do RAID5 with 3 disks, this machine setup I'm going to use is tested with Fedora and works well, so we'll ignore the possibilities (for now) of SATA support not being good. However, is RAID5 best, or should we go with RAID0? RAID0 would toast any SCSI, but there's no redundancy. However, how much need for redundancy is there? I can do nightly offsite backups as needed to a NAS for the config files. > > This is very useful when you have large queues and you split them up, > those setting queues onto separate physical disks or disk areas which > will speed up the whole I/O process in the long run. A lot of RAM is > also useful with MailScanner since you can basically do all the > unpacking of a message in RAM which saves you a lot of Disk I/O I think I've settled on two gigs, not much more than one gig, and seems to help a lot. 
From nnelson at 1SEO.NET Sat Feb 28 00:52:32 2004 From: nnelson at 1SEO.NET (Nick Nelson) Date: Thu Jan 12 21:22:47 2006 Subject: A few questions I can't find in archive... [SCANNED] In-Reply-To: References: Message-ID: <403FE650.5060109@1SEO.net> Dave's List Addy wrote: >On 2/27/04 2:58 PM, "Nick Nelson" wrote: > > > >>domain1.com -> mail1.host.com >>domain2.com -> mail3.host.com >>domain3.com -> mail32.host.com >> >> > >We are using Sendmail as a MailHub server similar to what you seem to want, >we used Sendmail's functionality of mailertable and relay domains. > >Mailertable settings example; > >domain.org smtp:mail.domain.org > >And then for Relay Domains we just enter the domain i.e. > > > Sorry to post on this topic again, but is there anyone who can provide me with a configuration sample or a good doc on the equivalant of this with Exim? My book for Exim is on order...just trying to get a headstart :) From nathan at TCPNETWORKS.NET Sat Feb 28 06:51:57 2004 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:22:47 2006 Subject: Which messages to feed to Bayes? Message-ID: > > At 06:47 PM 2/26/2004, Michael St. Laurent wrote: > >Excellent. Okay, what about spam messages that have lost > their headers > >becuase the user forwarded it to me (Outlook strips the > headers when you do > >that). Will it still benefit from looking at just the body > of the message? > > No.. SA requires a complete email to be trained, and it > learns from both > the headers and the body at the same time. > > If you can get them to forward you the message as an attachment with > headers, or use some kind of redirect feature that keeps the > headers intact > you should be OK.. But plain forwards don't work. > Isn't there a script or perl module floating around that will unpack this attached message? If so, can someone please post the location? Nathan From maillists at CONACTIVE.COM Sat Feb 28 09:32:35 2004 
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:47 2006
Subject: Configuring SpamAssassin and spamd
In-Reply-To:
References:
Message-ID:

Don Newcomer wrote on Fri, 27 Feb 2004 16:59:42 -0500:

> I see my other option being to call spamd from procmail. Would using MS
> still be faster?
>

you either use MS + SA (which calls the SA lib, not the script) or a milter + spamd, not both. And you sure do not use procmail for this on non-home machines.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From wolfgang at SWEET-HAVEN.COM Sat Feb 28 16:06:40 2004
From: wolfgang at SWEET-HAVEN.COM (Lewis Wolfgang)
Date: Thu Jan 12 21:22:47 2006
Subject: New Feature Request: Delayed Attachment Delivery
Message-ID: <4040BC90.9070701@sweet-haven.com>

Hi Folks,

I work at a facility that handles more than 100,000 incoming email messages per day using MailScanner, McAfee and SpamAssassin on a quad Xeon box. Nice work guys, thanks!

However, we've been exploited twice this week by viruses (Netsky, Bagle) that were processed before the virus signature updates were released by McAfee, Symantec and others. The "Zero Day" threat has been reduced to a "Zero Hour" vulnerability. Sure, we reject dangerous file types in attachments, but these viruses ride in zip files. We can't drop all zip files due to the nature of our workload.

So, could MailScanner be used to flag a specified list of dangerous filetypes for delayed processing? Messages would have to be unpacked/unzipped for filetype determination. The resulting messages would be placed into a third queue where they would sit for a specified time period before further virus/spam checks, giving the virus signatures a chance to catch up.

Is this reasonable? Could MailScanner do the job?

Thanks,
Lew Wolfgang

From mailscanner at ecs.soton.ac.uk Sat Feb 28 16:39:00 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:47 2006
Subject: Configuring SpamAssassin and spamd
In-Reply-To:
References:
Message-ID: <1077986340.4040c424f2968@secure.ecs.soton.ac.uk>

Quoting Kai Schaetzl :

> Don Newcomer wrote on Fri, 27 Feb 2004 16:59:42 -0500:
>
> > I see my other option being to call spamd from procmail. Would using MS
> > still be faster?
> >
>
> you either use MS + SA (which calls the SA lib, not the script) or a
> milter + spamd, not both. And you sure not use procmail for this on
> non-home machines.

I don't know how many times I have explained this now.... :-)

Fundamentally, SpamAssassin is a big library of Perl functions, that implement a system for working out a score for each message based upon its contents.

Spamd is a daemon which takes requests from the spamc client program and calls the function library to process them, then gets the results back and returns some output through the spamc client program. The library has to be set up once when the spamd program starts, so is quite fast. However, it has overheads involved in starting up the spamc client program for each message and all the I/O involved in passing the message through spamc and onto spamd.

Another way of talking to the library is using the "spamassassin" script, which is a very slow way of talking to the library. The entire library has to be set up every time you call the "spamassassin" script. However, it is useful for doing stuff like checking all your configuration files are correct and things like that.

The third way of using the library is the way MailScanner does it. It calls the function library directly from Perl, with no overheads involved in starting any other programs at all (not even the overhead of running the spamc program). It gives the message directly to the function library, and gets the results straight back from it, with absolutely as little I/O as is possible. This is definitely the fastest way of using SpamAssassin, and also doesn't rely on anything else not crashing (spamc relies on spamd always being there, and fails totally if it's not running properly).

So don't think that calling procmail (in order to call spamc in order for it to talk to spamd in order for it to pass the message to the function library and return all the results all the way back to sendmail) is going to be any faster, because it will not and cannot be faster. In comparison, MailScanner bypasses procmail, spamc and spamd in the processing of a message by SpamAssassin.

Please can someone post this in the FAQ so I don't have to explain it all again? Thanks folks!

--
Jules
mailscanner@ecs.soton.ac.uk

From mailscanner at SMITS.CO.UK Sun Feb 29 10:37:02 2004
From: mailscanner at SMITS.CO.UK (MailScanner)
Date: Thu Jan 12 21:22:47 2006
Subject: A few questions I can't find in archive...
Message-ID: <58696C94787F16468267F3509F115030982C@hermes.clumpton.homeip.net>

OK, I did a cull of the outbound queue by killing all the NDR's with a retry count over four (see other thread for script). This had little or no effect on the CPU utilisation.

Since it was very quiet (Sunday morning) I stopped MailScanner and did a debug run:

Starting MailScanner...
In Debugging mode, not forking...
debug: Score set 0 chosen.
debug: running in taint mode? no
debug: ignore: test message to precompile patterns and load modules
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
debug: bayes: 16862 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 16862 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: Score set 3 chosen.
debug: Initialising learner
debug: is Net::DNS::Resolver available? yes
debug: trying (3) google.com...
debug: looking up MX for 'google.com'
debug: MX for 'google.com' exists? 1
debug: MX lookup of google.com succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=2.077
debug: bayes corpus size: nspam = 1080753, nham = 99884
debug: uri tests: Done uriRE
debug: tokenize: header tokens for *F = "U*ignore D*compiling.spamassassin.taint.org D*spamassassin.taint.org D*taint.org D*org"
debug: tokenize: header tokens for *m = " 1078048471 13698 spamassassin_spamd_init "
debug: bayes token 'N:H*m:NNNNN' => 0.0309530650921124
debug: bayes token 'somewhat' => 0.0463561582202703
debug: bayes token 'N:H*m:NNNNNNNNNN' => 0.1269607132118
debug: bayes token 'H*F:D*org' => 0.150210214552688
debug: bayes: score = 0.00387031687925626
debug: Syncing Bayes journal and expiring old tokens...
debug: lock: 16862 created /root/.spamassassin/bayes.lock.NMIBWKMS1.16862
debug: lock: 16862 trying to get lock on /root/.spamassassin/bayes with 0 retries
debug: lock: 16862 link to /root/.spamassassin/bayes.lock: link ok
debug: bayes: 16862 tie-ing to DB file R/W /root/.spamassassin/bayes_toks
debug: bayes: 16862 tie-ing to DB file R/W /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: synced Bayes databases from journal in 1 seconds: 945 unique entries (1050 total entries)
debug: bayes: 16862 untie-ing
debug: bayes: 16862 untie-ing db_toks
debug: bayes: 16862 untie-ing db_seen
debug: bayes: files locked, now unlocking lock
debug: unlock: 16862 unlink /root/.spamassassin/bayes.lock
debug: lock: 16862 created /root/.spamassassin/bayes.lock.NMIBWKMS1.16862
debug: lock: 16862 trying to get lock on /root/.spamassassin/bayes with 0 retries
debug: lock: 16862 link to /root/.spamassassin/bayes.lock: link ok
debug: bayes: 16862 tie-ing to DB file R/W /root/.spamassassin/bayes_toks
debug: bayes: 16862 tie-ing to DB file R/W /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: bayes: expiry check keep size, 75% of max: 112500
debug: bayes: token count: 12247148, final goal reduction size: 12134648
debug: bayes: First pass? Current: 1078048472, Last: 1073760779, atime: 43200, count: 108579, newdelta: 386, ratio: 111.758701037954
debug: bayes: something fishy, calculating atime (first pass)

It hung on this line and had to be killed manually. Further investigation on google showed that this is a SA problem (unsurprisingly).

We will bring a second server on-line for redundancy soon, at which point I will most likely upgrade this one to Fedora Core-1 and rebuild the SA components from scratch.

Bart...

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of MailScanner
Posted At: 27 February 2004 22:24
Posted To: MailScanner
Conversation: A few questions I can't find in archive...
Subject: Re: A few questions I can't find in archive...

All the trimmings: tmpfs, caching DNS, local lookups.

We do have a large (20k) number of messages in the outbound queue.

Bart...

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
Posted At: 27 February 2004 22:07
Posted To: MailScanner
Conversation: A few questions I can't find in archive...
Subject: Re: A few questions I can't find in archive...

Hi!

> Any (dis)advantages in HyperThreading? We're running a fairly busy
> (72k
> msg/day) dual Xeon 2.4 2GB RAM with HT on RH9 / MS 4-26.7 / SA 2.63 /
> Clam 0.65
>
> In top the MailScanner process continuously has near 100% of CPU 2.
> The idle percentage hunts around between one of the virtual CPU's at
> near 0% and the rest roughly equal. Sometimes all four are roughly
> equal. Our CPU utilisation as showing in Mailscanner-MRTG (older
> version) is higher than we would like it to be.

72K is not that many for a dual xeon, sounds strange. Are you using tmpfs also ? Do you have a RBL lookups on a local server or all on the remote RBL servers? Do you run a caching DNS on the box itself ?

Bye,
Raymond.

From mailscanner at SMITS.CO.UK Sun Feb 29 10:36:27 2004
From: mailscanner at SMITS.CO.UK (MailScanner)
Date: Thu Jan 12 21:22:47 2006
Subject: Queued messages ?
Message-ID: <58696C94787F16468267F3509F115030982B@hermes.clumpton.homeip.net>

This is the 'quick and dirty' first version of the script. Sendmail only, I'm afraid.

Use it as qkill /var/spool/mqueue

#!/usr/bin/perl
use strict;

# argument is the path to the queue files
my $dir = shift;
# remove any trailing slash
$dir =~ s/\/$//;
# max number of retries
my $max = 4;

# Look inside all qf files
while (glob($dir."/qf*")) {
  # Find the Nxxx value (retries). [0-9] is used because \d inside
  # backticks is eaten by Perl before grep ever sees it.
  chomp(my $num = `grep '^N[0-9]' $_`);
  $num =~ s/N//;                                # Remove the N
  my $mid = $_;                                 # The name of the current qf
  $mid =~ s/qf/\?\?/;                           # glob pattern for all related files
  chomp(my $bounce = `grep 'Return-Path' $_`);  # Find the 'Return-Path'
  # The archived copy lost everything between "Return-Path.*?" and "$max));".
  # The two statements below are reconstructed from the comments and from the
  # description of the script (empty <> sender, retry count above $max).
  my $null_sender = ($bounce =~ s/^.*?Return-Path.*?<\s*>.*$//);
  unlink(glob($mid)) if ($null_sender && ($num > $max)); # kill files for NDR > 4 retries
}

Bart...

________________________________
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of MailScanner
Posted At: 25 February 2004 17:47
Posted To: MailScanner
Conversation: Queued messages ?
Subject: Re: Queued messages ?

I'm considering a perl script on an hourly cron job to check all qf files in the outbound queue and delete those files and their corresponding df files, that have an empty (< >) from: field and have a retry count of at least four. (four strikes and you're out)

This would give legitimate NDR's a fair chance of being delivered and remove all but the last few hours of bogus NDR's.

I will post updates here

Bart...

________________________________

From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Max Kipness
Posted At: 25 February 2004 16:17
Posted To: MailScanner
Conversation: Queued messages ?
Subject: Queued messages ?

Anybody have any suggestion for this problem??

----------------------------------------------------------------------

Hope this isn't too off topic. It does have to do with MailScanner.

I'm relaying several email domains to several servers and have extended the 4 hour and 4 day warning and bounce back times in sendmail to 2 weeks. This is due to a client that is going through weekend power outages at the moment.

I now have roughly 2000 emails in the queue, 95% of them have <> as the sender. This is also due to the fact that I am sending spam warning messages to senders, and must do this for false-positives.

I was thinking of creating a script that parses the results of mailq and deletes every email with <> as the sender on a daily basis.

Any thoughts on this? Pros and cons? Has anyone done this? Or is there anything in MailScanner that helps with this?

Thanks,
Max

From michele at BLACKNIGHTSOLUTIONS.COM Sat Feb 28 17:33:19 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:47 2006
Subject: Configuring SpamAssassin and spamd
In-Reply-To: <1077986340.4040c424f2968@secure.ecs.soton.ac.uk>
Message-ID:

Posted to FAQ:
http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/278.html

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 28 February 2004 16:39
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Configuring SpamAssassin and spamd
>
>
> Quoting Kai Schaetzl :
>
> > Don Newcomer wrote on Fri, 27 Feb 2004 16:59:42 -0500:
> >
> > > I see my other option being to call spamd from procmail. Would using MS
> > > still be faster?
> > >
> >
> > you either use MS + SA (which calls the SA lib, not the script) or a
> > milter + spamd, not both. And you sure not use procmail for this on
> > non-home machines.
>
> I don't know how many times I have explained this now.... :-)
>
> Fundamentally, SpamAssassin is a big library of Perl functions, that
> implement a system for working out a score for each message based upon its
> contents.
>
> Spamd is a daemon which takes requests from the spamc client program and
> calls the function library to process them, then gets the results back and
> returns some output through the spamc client program. The library has to be
> setup once when the spamd program starts, so is quite fast. However, it has
> overheads involved in starting up the spamc client program for each message
> and all the I/O involved in passing the message through spamc and onto spamd.
>
> Another way of talking to the library is using the "spamassassin" script,
> which is a very slow way of talking to the library. The entire library has
> to be setup every time you call the "spamassassin" script. However, it is
> useful for doing stuff like checking all your configuration files are correct
> and things like that.
>
> The third way of using the library is the way MailScanner does it. It calls
> the function library directly from Perl, with no overheads involved in
> starting any other programs at all (not even the overhead of running the
> spamc program). It gives the message directly to the function library, and
> gets the results straight back from it, with absolutely as little I/O as is
> possible. This is definitely the fastest way of using SpamAssassin, and also
> doesn't rely on anything else not crashing (spamc relies on spamd always
> being there, and fails totally if it's not running properly).
>
> So don't think that calling procmail (in order to call spamc in order for it
> to talk to spamd in order for it to pass the message the function library
> and return all the results all the way back to sendmail) is going to be any
> faster, because it will not and cannot be faster. In comparison, MailScanner
> bypasses procmail, spamc and spamd in the processing of a message by
> SpamAssassin.
>
> Please can someone post this in the FAQ so I don't have to explain it all
> again? Thanks folks!
>
> --
> Jules
> mailscanner@ecs.soton.ac.uk
>

From sevans at FOUNDATION.SDSU.EDU Sat Feb 28 17:51:23 2004
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:22:47 2006
Subject: New Feature Request: Delayed Attachment Delivery
Message-ID: <3A411846CD3C0D4CB3D8704F9373537058918C@be-00.foundation.sdsu.edu>

I really like the idea. I know that Julian is working on blocking
dangerous file extensions inside of a zip file which would help a lot.
But one of the big problems with that is we tell people to put exe's in
zip files if they need to send them via e-mail. If we could just delay
zip files for x hours and then re-scan them I think that would solve the
problem for a lot of people.

Just my 2 cents.

Steve Evans
SDSU Foundation

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Lewis Wolfgang
Sent: Saturday, February 28, 2004 8:07 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: New Feature Request: Delayed Attachment Delivery

Hi Folks,

I work at a facility that handles more than 100,000 incoming
email messages per day using MailScanner, McAfee and SpamAssassin
on a quad Xeon box. Nice work guys, thanks!

However, we've been exploited twice this week by viruses
(Netsky, Bagle) that were processed before the virus signature
updates were released by McAfee, Symantec and others. The
"Zero Day" threat has been reduced to a "Zero Hour" vulnerability.
Sure, we reject dangerous file types in attachments, but these
viruses ride in zip files. We can't drop all zip files due to
the nature of our workload.

So, could MailScanner be used to flag a specified list
of dangerous filetypes for delayed processing? Messages
would have to be unpacked/unzipped for filetype
determination. The resulting messages would be placed
into a third queue where they would sit for a specified
time period before further virus/spam checks, giving
the virus signatures a chance to catch up.

Is this reasonable? Could MailScanner do the job?

Thanks,
Lew Wolfgang

From JLM939 at HOTMAIL.COM Sat Feb 28 17:53:22 2004
From: JLM939 at HOTMAIL.COM (Justin)
Date: Thu Jan 12 21:22:47 2006
Subject: Piping messages from MailScanner
Message-ID:

Short version:

Can messages be "piped" from MailScanner to another process, as opposed to
writing messages to a spool file?

Long version:

We're trying to figure out the best way to achieve the following general
flow:

1. Mail is checked for viruses and run through spam filters via MailScanner
2. If spam score is below a certain threshold, deliver. If the score is
   above a certain threshold, quarantine/discard. If SA can't confidently
   classify as spam or ham, challenge via TMDA

We'll call step #2 above the "Challenge Check." We're trying to figure out
which process should be handling the Challenge Check logic outlined above.

The XAMS configuration currently looks like this:

1. Mail received by Exim is stored in /var/spool/exim-incoming
2. MailScanner (MS) reads exim-incoming spool & checks for new messages
3. MS processes messages (virus checking, SpamAssassin, etc.)
4. MS writes cleaned & tagged messages to /var/spool/exim-outgoing
5. Exim-outgoing process delivers any mail it finds in exim-outgoing spool

(See following link for more detail:)
http://www.xams.org/documentation/xams-mailscanner.pdf

The question is: where is the best place for the Challenge Check to go?
Should MailScanner handle this logic? SpamAssassin? TMDA?

TMDA can handle this logic, provided there is a way for us to "pipe"
messages from MailScanner to TMDA. Is there a way to do this? Exim can pipe
messages to TMDA via a transport, but of course we would like to have the
messages treated by MailScanner first -- hence the question.

Any suggestions?

Thanks a bunch,

Justin
Member, XAMS Project Team
http://www.xams.org/
XAMS: Smarter email management

From dh at UPTIME.AT Sat Feb 28 18:44:33 2004
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:22:47 2006
Subject: New Feature Request: Delayed Attachment Delivery
In-Reply-To: <4040BC90.9070701@sweet-haven.com>
References: <4040BC90.9070701@sweet-haven.com>
Message-ID: <4040E191.9000500@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Lewis Wolfgang wrote:
> Hi Folks,
>
> So, could MailScanner be used to flag a specified list
> of dangerous filetypes for delayed processing? Messages
> would have to be unpacked/unzipped for filetype
> determination. The resulting messages would be placed
> into a third queue where they would sit for a specified
> time period before further virus/spam checks, giving
> the virus signatures a chance to catch up.
>

Personally I think this is partially a job for the MTA not MailScanner
per se. With sendmail you could do something like, Got zip attachment
drop into /var/spool/mqueue.in-dangerous. And the MailScanner gets
enhanced to something like

Dangerous Mails = /var/spool/mqueue.in-dangerous
Dangerous Mail Delay = 3600

But I would strongly advise against this. There are situations where it
is perfectly valid for someone to request a zipped file and they need it
now, not in 2 hours. So maybe there has to be a trade off somewhere, I
do not know :)

On the other hand, doing it in the MTA can be very expensive, so this
could of course be done solely in MailScanner as well. I am just spilling
ideas :)

- -d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAQOGVPMoaMn4kKR4RA11mAJ4x8l+cPjZ8TUPNmIcLS6FQqEBvMwCeJAC4
Z9mBYnElsBGGXywXbwDhT8k=
=PcQP
-----END PGP SIGNATURE-----

From dh at UPTIME.AT Sat Feb 28 18:49:26 2004
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:22:47 2006
Subject: A few questions I can't find in archive...
In-Reply-To: <403FD26B.9000809@1SEO.net>
References: <403FC91F.7050303@1SEO.net> <403FD06D.6040907@uptime.at> <403FD26B.9000809@1SEO.net>
Message-ID: <4040E2B6.8040403@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Nick Nelson wrote:
>
> I typically do RAID5 with 3 disks, this machine setup I'm going to use
> is tested with Fedora and works well, so we'll ignore the possibilities
> (for now) of SATA support not being good. However, is RAID5 best, or
> should we go with RAID0? RAID0 would toast any SCSI, but there's no
> redundancy. However, how much need for redundancy is there? I can do
> nightly offsite backups as needed to a NAS for the config files.
>

Usually RAID-10 with a small block size. Around 4K would be good.
MailServer _should_ be super redundant so that there is basically no way
for you to lose any Mail when the Machine or the Storage crops out. And
this is measured to the second (at least) on busy systems.

- -d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAQOK2PMoaMn4kKR4RA6jSAJ9C44Li7061mjI1A9xg85xnU5y/7gCfdy7a
aHRGrKH9lUuXd3l/SSr1RB4=
=ezOr
-----END PGP SIGNATURE-----

From nnelson at 1SEO.NET Sat Feb 28 18:50:11 2004
From: nnelson at 1SEO.NET (Nick Nelson)
Date: Thu Jan 12 21:22:47 2006
Subject: New Feature Request: Delayed Attachment Delivery
In-Reply-To: <4040E191.9000500@uptime.at>
References: <4040BC90.9070701@sweet-haven.com> <4040E191.9000500@uptime.at>
Message-ID: <4040E2E3.10403@1SEO.net>

David H. wrote

>
> But I would strongly advise against this. There are situations where it
> is perfectly valid for someone to request a zipped file and they need it
> now, not in 2 hours. So maybe there has to be a trade off somewhere, I
> do not know :)

I'm going to go out on a limb here, and combine this thread with the
thread on TMDA integration. It'd be great if for example, all file
attachments could be challenged, basically maybe if email has a file
attachment challenge it with TMDA, or even like the other poster said,
if scores is below X (X = Top threshold where you delete email.) and
above Y (Y=Threshold where if below, decided email is Ham)

This way if the mail is legit, as long as the person challenged
responds, it gets through quickly.

Definitely pushing it, but like you said..just spilling ideas ;)

From jaearick at COLBY.EDU Sat Feb 28 19:00:55 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:47 2006
Subject: New Feature Request: Delayed Attachment Delivery
In-Reply-To: <4040E2E3.10403@1SEO.net>
References: <4040BC90.9070701@sweet-haven.com> <4040E191.9000500@uptime.at> <4040E2E3.10403@1SEO.net>
Message-ID:

Aaarrgh... Personally, I hate challenge-response type emails and
I refuse to play that game. Challenging email above ham and below
high spam seems to be a bonehead move to me. Most of it is spam, a lot
of it does not have a valid return address, and you want to send
a challenge there??!! Talk about making a mess of your mail queue.
Julian, please stamp out the idea of challenge email now.

While having a "pipe" option along with deliver, delete, forward for
the actions menu is a generally good idea, it could be dangerous
security-wise, just like the "pipe" action in sendmail is (hence the
reason for smrsh). You have to be sure that your downstream process
is secure, and not misused (like challenge). Julian would be the
poor soul blamed for such misuse, and he doesn't deserve it.

Jeff Earickson
Colby College

On Sat, 28 Feb 2004, Nick Nelson wrote:

> Date: Sat, 28 Feb 2004 13:50:11 -0500
> From: Nick Nelson
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: New Feature Request: Delayed Attachment Delivery
>
> David H. wrote
>
> >
> > But I would strongly advise against this. There are situations where it
> > is perfectly valid for someone to request a zipped file and they need it
> > now, not in 2 hours. So maybe there has to be a trade off somewhere, I
> > do not know :)
>
>
> I'm going to go out on a limb here, and combine this thread with the
> thread on TMDA integration. It'd be great if for example, all file
> attachments could be challenged, basically maybe if email has a file
> attachment challenge it with TMDA, or even like the other poster said,
> if scores is below X (X = Top threshold where you delete email.) and
> above Y (Y=Threshold where if below, decided email is Ham)
>
> This way if the mail is legit, as long as the person challenged
> responds, it gets through quickly.
>
> Definitely pushing it, but like you said..just spilling ideas ;)
>

From dcmwai at AMTB-M.ORG.MY Sat Feb 28 19:38:03 2004
From: dcmwai at AMTB-M.ORG.MY (=?UTF-8?B?6Zmz6YqY5YGJIENoYW4gTWluIFdhaQ==?=)
Date: Thu Jan 12 21:22:47 2006
Subject: New Feature Request: Delayed Attachment Delivery
In-Reply-To: <4040BC90.9070701@sweet-haven.com>
References: <4040BC90.9070701@sweet-haven.com>
Message-ID: <4040EE1B.1010609@amtb-m.org.my>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've some other idea... (but I think it is not related to Mailscanner...)

What about sending a Mail request to the parties that send you the files
and ask them if they had sent you the files and just make a confirmation.
Normally, Virus send through mail don't/wouldn't do the confirmation.
So this would increasingly decrease the rate of getting Virus :)

Thank You
Chan Min Wai

- --
???????? Amitabha Buddhist Society (M)
16A, 1st Floor, Jalan Pahang, 53000, Kuala Lumpur, Malaysia.
Tel:+603-40414101, 40452630 Fax:+603-40412172
WebPage: http://www.amtb-m.org.my
E-Mail: amtbmy@amtb-m.org.my
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAQO4bV0p9slMZLW4RAoSVAJ0Rc2T6ejl8UrbbitYAtQqXC0aKQwCgnfxx
ytNoO1y31t0DUNuE5wXj2pc=
=ey3Q
-----END PGP SIGNATURE-----

From jflowers at EZO.NET Sat Feb 28 19:52:25 2004
From: jflowers at EZO.NET (Jim Flowers)
Date: Thu Jan 12 21:22:47 2006
Subject: bayes_toks corrupted
Message-ID:

I am using mailscanner 4.26.8-1 on a fairly high volume mail relay (~6000
messages per day) and MailWatch on a FreeBSD 4.9 machine. Everything seems
to be working OK but after a couple of days, bayes stops working and
sa-learn cannot be used to correct it.

Normally, bayes_toks is a db file that `file` returns:

bayes_toks: Berkeley DB 1.85 (Hash, version 2, native byte-order)

When it stops working, `file` returns:

bayes_toks data

and I have to start over again with a good bayes_toks file.

Has anyone else run into this and solved it? Would it help to use DB3,
DB4 or DB4.1?

Thanks.

From listonly at WEBPRESENCEGROUP.NET Sat Feb 28 20:07:06 2004
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy)
Date: Thu Jan 12 21:22:47 2006
Subject: Configuring SpamAssassin and spamd [SCANNED]
In-Reply-To: <1077986340.4040c424f2968@secure.ecs.soton.ac.uk>
Message-ID:

On 2/28/04 10:39 AM, "Julian Field" wrote:

> So don't think that calling procmail (in order to call spamc in order for it
> to talk to spamd in order for it to pass the message the function library
> and return all the results all the way back to sendmail) is going to be any
> faster, because it will not and cannot be faster. In comparison, MailScanner
> bypasses procmail, spamc and spamd in the processing of a message by
> SpamAssassin.
>
> Please can someone post this in the FAQ so I don't have to explain it all
> again? Thanks folks!

Thanks Julian!

--
Thanks!!
David Thurman
List Only at Web Presence Group Net

From peter at UCGBOOK.COM Sat Feb 28 20:11:38 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:47 2006
Subject: bayes_toks corrupted
In-Reply-To:
References:
Message-ID: <4040F5FA.205@ucgbook.com>

Jim Flowers wrote:
> Has anyone else run into this and solved it? Would it help to use DB3,
> DB4 or DB4.1?

Do you use the new rebuild feature in 4.26? If not, you should try it. I
run "sa-learn --rebuild --force-expire" every night from crontab and it
has kept me out of trouble for over a month now.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From drew at THEMARSHALLS.CO.UK Sat Feb 28 20:17:28 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:47 2006
Subject: Which messages to feed to Bayes?
In-Reply-To:
References:
Message-ID: <4040F758.8050205@themarshalls.co.uk>

Nathan Johanson wrote:

>>At 06:47 PM 2/26/2004, Michael St. Laurent wrote:
>>
>>>Excellent. Okay, what about spam messages that have lost their headers
>>>because the user forwarded it to me (Outlook strips the headers when you do
>>>that). Will it still benefit from looking at just the body of the message?
>>
>>No.. SA requires a complete email to be trained, and it learns from both
>>the headers and the body at the same time.
>>
>>If you can get them to forward you the message as an attachment with
>>headers, or use some kind of redirect feature that keeps the headers intact
>>you should be OK.. But plain forwards don't work.
>>
>
>Isn't there a script or perl module floating around that will unpack
>this attached message? If so, can someone please post the location?
>

The one I use is here http://jousset.org/sa-wrapper.pl but I'm on
Postfix and use this style of set up detailed here
http://jousset.org/pub/sa-postfix.en.html

I'm sure it's possible to tweak the ideas for other MTA's just remember
if you set a ham address up not to make it guessable or better still not
directly publicly accessible, otherwise you will have 50000 spam mails
queuing for your 'ham' box!

>Nathan
>

Drew

--
In line with our policy, this message has
been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.

www.themarshalls.co.uk/policy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040228/011819ad/attachment.html

From pete at eatathome.com.au Sat Feb 28 21:48:06 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:47 2006
Subject: New Feature Request: Delayed Attachment Delivery
In-Reply-To:
References: <4040BC90.9070701@sweet-haven.com> <4040E191.9000500@uptime.at> <4040E2E3.10403@1SEO.net>
Message-ID: <40410C96.7000402@eatathome.com.au>

Jeff A. Earickson wrote:

>Aaarrgh... Personally, I hate challenge-response type emails and
>I refuse to play that game. Challenging email above ham and below
>high spam seems to be a bonehead move to me. Most of it is spam, a lot
>of it does not have a valid return address, and you want to send
>a challenge there??!! Talk about making a mess of your mail queue.
>Julian, please stamp out the idea of challenge email now.
>
>While having a "pipe" option along with deliver, delete, forward for
>the actions menu is a generally good idea, it could be dangerous
>security-wise, just like the "pipe" action in sendmail is (hence the
>reason for smrsh). You have to be sure that your downstream process
>is secure, and not misused (like challenge). Julian would be the
>poor soul blamed for such misuse, and he doesn't deserve it.
>
>Jeff Earickson
>Colby College
>
>On Sat, 28 Feb 2004, Nick Nelson wrote:
>
>>Date: Sat, 28 Feb 2004 13:50:11 -0500
>>From: Nick Nelson
>>Reply-To: MailScanner mailing list
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: New Feature Request: Delayed Attachment Delivery
>>
>>David H. wrote
>>
>>>But I would strongly advise against this. There are situations where it
>>>is perfectly valid for someone to request a zipped file and they need it
>>>now, not in 2 hours. So maybe there has to be a trade off somewhere, I
>>>do not know :)
>>>
>>I'm going to go out on a limb here, and combine this thread with the
>>thread on TMDA integration. It'd be great if for example, all file
>>attachments could be challenged, basically maybe if email has a file
>>attachment challenge it with TMDA, or even like the other poster said,
>>if scores is below X (X = Top threshold where you delete email.) and
>>above Y (Y=Threshold where if below, decided email is Ham)
>>
>>This way if the mail is legit, as long as the person challenged
>>responds, it gets through quickly.
>>
>>Definitely pushing it, but like you said..just spilling ideas ;)
>>
>

In the meantime, why not install some more virus scanners? We only use
clamav on the mail filters and this has worked perfectly lately against
mydoom and friends, then on each mail server we run another brand of AV
scanner, one of them always picks it up.

Since the cost of clamav is so affordable, why not whack it on to run
side by side with McAfee? The horsepower you have, based on the comments
I have seen from other users in this list, should easily handle the
additional scanning?

Clamav installation is trivial...

From chris at TRUDEAU.ORG Sat Feb 28 23:28:39 2004
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:22:47 2006
Subject: SpamAssasin API Change in 3.0
In-Reply-To:
Message-ID: <012001c3fe52$9873dfd0$2dc8a8c0@serv>

Posted on SpamAssassin-user this afternoon:

This is a heads-up for people using the Mail::SpamAssassin modules
directly (such as the amavisd and MailScanner folks).

We're talking about changing the API for 3.0.0, and in fact have already
made one major change to message parsing -- the NoMailAudit module is
gone, there's a new message class entirely.

If you have any comments on the new APIs as are in current SVN trunk,
please let us know; you guys are the main groups using the APIs outside
of our own distro and feedback is welcome ;)

CT

From steve.freegard at LBSLTD.CO.UK Sat Feb 28 23:49:22 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:48 2006
Subject: A few questions I can't find in archive...
Message-ID: <67D9E7698329D411936E00508B6590B902773F03@neelix.lbsltd.co.uk>

Hi Nick,

>>> third party stuff such as MailWatch only support Sendmail

MailWatch works fine with Exim - it will support any MTA - it's just that I
use sendmail myself, so a couple of the features only support sendmail
(displaying the mail queue and storing the relay information) as I haven't
had a box to test with other MTA's yet.

Kind regards,
Steve.

-----Original Message-----
From: Nick Nelson
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: 2/27/04 11:27 PM
Subject: Re: A few questions I can't find in archive...

David H. wrote:

> While I am a sendmail fan myself, Exim is the choice to go with
> MailScanner. This is something Julian can explain more about, yet he
> says, that it is the fastest MTA together with MailScanner.

Okay, I'll have to research exim routing of mail (the equivalent of
mailtables?) better then. I was kinda getting the idea from posts that
it wasn't as good as sendmail, and with the third party stuff such as
MailWatch only support Sendmail, it was a bit confusing, I'm more
familiar with Exim (although not the routing aspect) anyhow.

> One other
> thing that comes to mind, is that you will definitely want RAID when it
> comes to building a large MailServer. You will most likely also want a
> raid with many disks, so that you can spread RAID slices either onto
> multiple disks or set them to be on particular disks.

I typically do RAID5 with 3 disks, this machine setup I'm going to use
is tested with Fedora and works well, so we'll ignore the possibilities
(for now) of SATA support not being good. However, is RAID5 best, or
should we go with RAID0? RAID0 would toast any SCSI, but there's no
redundancy. However, how much need for redundancy is there? I can do
nightly offsite backups as needed to a NAS for the config files.

>
> This is very useful when you have large queues and you split them up,
> those setting queues onto separate physical disks or disk areas which
> will speed up the whole I/O process in the long run. A lot of RAM is
> also useful with MailScanner since you can basically do all the
> unpacking of a message in RAM which saves you a lot of Disk I/O

I think I've settled on two gigs, not much more than one gig, and seems
to help a lot.

--
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by
MailScanner (www.mailscanner.info) for the presence of computer viruses.

From gdm at SANGABRIEL.COM Sun Feb 29 00:21:57 2004
From: gdm at SANGABRIEL.COM (Gray McCord)
Date: Thu Jan 12 21:22:48 2006
Subject: Good Basic Info on Bayes Config?
Message-ID: <200402290022.i1T0MFxE017672@boadicea.sangabriel.com>

I have just not been able to find a good reference on how to configure
Bayes with SA. Can anyone help me?

Thanks!

Gray

Gray D. McCord

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040228/ec9f6c8b/attachment.html

From drew at THEMARSHALLS.CO.UK Sun Feb 29 00:46:43 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:48 2006
Subject: Good Basic Info on Bayes Config?
In-Reply-To: <200402290022.i1T0MFxE017672@boadicea.sangabriel.com>
References: <200402290022.i1T0MFxE017672@boadicea.sangabriel.com>
Message-ID: <40413673.5000302@themarshalls.co.uk>

Gray McCord wrote:

> I have just not been able to find a good reference on how to configure
> Bayes with SA. Can anyone help me?
>

Try http://wiki.spamassassin.org/w/ to start with. I found most of my
Bayes answers there.

> Thanks!
>
> Gray
>
> *Gray D. McCord*
>
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* , and is
> believed to be clean.

Drew

--
In line with our policy, this message has
been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.

www.themarshalls.co.uk/policy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040229/1dd8aea7/attachment.html

From peter at UCGBOOK.COM Sun Feb 29 00:49:26 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:48 2006
Subject: Good Basic Info on Bayes Config?
In-Reply-To: <200402290022.i1T0MFxE017672@boadicea.sangabriel.com>
References: <200402290022.i1T0MFxE017672@boadicea.sangabriel.com>
Message-ID: <40413716.40705@ucgbook.com>

Gray McCord wrote:
> I have just not been able to find a good reference on how to configure
> Bayes with SA. Can anyone help me?

It's on by default but if you need to tune something and put it into
spam.assassin.prefs.conf you will find it here:

man Mail::SpamAssassin::Conf

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From peter at UCGBOOK.COM Sun Feb 29 11:28:48 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:48 2006
Subject: A few questions I can't find in archive...
In-Reply-To: <58696C94787F16468267F3509F115030982C@hermes.clumpton.homeip.net>
References: <58696C94787F16468267F3509F115030982C@hermes.clumpton.homeip.net>
Message-ID: <4041CCF0.4040808@ucgbook.com>

MailScanner wrote:
> debug: Syncing Bayes journal and expiring old tokens...
> debug: bayes: expiry check keep size, 75% of max: 112500
> debug: bayes: token count: 12247148, final goal reduction size: 12134648
> debug: bayes: First pass? Current: 1078048472, Last: 1073760779, atime:
> 43200, count: 108579, newdelta: 386, ratio: 111.758701037954
> debug: bayes: something fishy, calculating atime (first pass)

Looks like it's trying to expire old tokens, the way SA tries to do this
itself doesn't seem to work. Do you use the new feature for rebuilding
in MS 4.26? Otherwise you could run "sa-learn --rebuild --force-expire"
from crontab every night.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From nissimpenias at HOTMAIL.COM Sun Feb 29 13:57:02 2004
From: nissimpenias at HOTMAIL.COM (Gandalf .29 .P)
Date: Thu Jan 12 21:22:48 2006
Subject: MailScanner -4.22-5+Postfix - 2.0.18-20040122 + SpamAssassin-2.63-1 on RedHat9.0 100% cpu consumtion by Mailscanner !!!
Message-ID:

Hi ,

I changed my /etc/sysconfig/i18n file content to :
++++++++++++++++++++++++++++++++++++++++++++++++++
LANG="en_US"
SUPPORTED="en_US:en"
SYSFONT="latarcyrheb-sun16"
++++++++++++++++++++++++++++++++++++++++++++++++++

and still MailScanner consumes more than 99% CPU until the machine hangs !

My /var/log/maillog says:
+++++++++++++++++++++++++++++++++++++++++++++++++++
Feb 29 15:29:28 www postfix/postfix-script: starting the Postfix mail system
Feb 29 15:29:28 www postfix/master[5331]: daemon started -- version 2.0.18-20040122
Feb 29 15:29:30 www MailScanner[5351]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 29 15:29:30 www MailScanner[5351]: Using locktype = flock
Feb 29 15:29:30 www MailScanner[5351]: Postfix queue structure is depth 1
Feb 29 15:29:39 www MailScanner[5356]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 29 15:29:39 www MailScanner[5356]: Using locktype = flock
Feb 29 15:29:40 www MailScanner[5356]: Postfix queue structure is depth 1
++++++++++++++++++++++++++++++++++++++++++++++++++++

I have installed MailScanner latest version now :
+++++++++++++++++++++++++++++++++++++++++++++++++
MailScanner-4.26.8-1
+++++++++++++++++++++++++++++++++++++++++++++++++

I am running a chrooted postfix version as mentioned before and MailScanner
Default configuration with slight changes as mentioned below :
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Max Children = 2
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix.in/deferred
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
MTA = postfix
Incoming Work User = postfix
Incoming Work Group = postfix
Quarantine User = postfix
Quarantine Group = postfix
Virus Scanning = yes
Virus Scanners = f-prot
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

When getting a message my smtp server is classifying the message as
"relay=none" and the message is not delivered .
I also do not see any MailScanner script initiated to do the mail scanning
procedure .

I am very interested in using MailScanner , I also sent an e-mail to their
support team but with no response .

I wonder .... what needs to be done in order for this to work if I did
everything by the book .

Perl is installed from redhat9 distro cd's .

When I stop MailScanner and start postfix as usual after reenabling
/etc/postfix/master.cf smtpd entry , every thing get back to normal .

HELP ! This Product is getting me crazy , also because there aren't any
debug messages after MailScanner Debug = yes is turned on !!!!!

I will be happy if help will be handed and mailscanner group will address
the problem since I browsed a lot in the mailing list and saw other people
with the same weird problem .

P.S:I didn't configure spamassassin although it is installed on my system ,
I just want to get MailScanner to work and then I will address SpamAssassin .

Thanks in advance ,

Gandalf !

From cstamas at digitus.itk.ppke.hu Sun Feb 29 16:05:48 2004
From: cstamas at digitus.itk.ppke.hu (Csillag =?iso-8859-2?Q?Tam=E1s?=)
Date: Thu Jan 12 21:22:48 2006
Subject: MailScanner -4.22-5+Postfix - 2.0.18-20040122 + SpamAssassin-2.63-1 on RedHat9.0 100% cpu consumtion by Mailscanner !!!
In-Reply-To:
References:
Message-ID: <20040229160548.GE6156@digitus>

Hi,

I had the same problem. At last I was able to solve the problem.
(using the hold queue)

But later I realized that the mailscanner model (modifying the queue
files directly) cannot live with the fast development of postfix.
In postfix 2.1 the qmgr (the queue manager) changes completely.
(maybe this is true for your version too? ls /var/spool/postfix*/corrupt)
The current mailscanner cannot deal with this new qmgr.

I think the scenario is the following:
1. postfix receives a letter
2. writes to a queue file
3. client disconnects and postfix put executable bit on the received
   queue file.

I think mailscanner starts the scanning after 2 and before 3 that
cause the problem.

Try to:
1. stop mailscanner
2. receive a mail and
3. start mailscanner after.

It will work perfectly! (at least worked for me)

So I decided to use the 'postfix interface'
(In this case postfix sends the mails to another port where a content
filter listens and waits for the filtered content on another port)

Read my letter sent to the postfix list:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=bvdck4%242gk6%241%40FreeBSD.csie.NCTU.edu.tw&rnum=3&prev=/groups%3Fq%3Dcstamas%2Bpostfix%2Bmailscanner%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26sa%3DN%26tab%3Dwg

Any ideas?

On 02/25, Gandalf .29 .P wrote:
> Hello All ,
>
> I am sitting infront of my server breaking my head why MailScanner consumes
> 99%-100% CPU when started ????
>
> My System Is Running :
> 1) RedHat 9.0
> 2) Perl v-5.8.0 from distro RPM !
> 3) Postfix build 2.0.18-20040122 from www.postfix.org + TLS patch
> 4) MailScanner 4.22-5 from MailScanner website installed from their install
> script .
> 5) SpamAssasin-2.63-1 rpm .
>
>
> I followed the Postfix+MailScanner Procedure as described in the postfix
> website under addon software MailScanner link and my postfix is running
> chrooted on /var/spool/postfix .
>
> The problem is every time I activate the postfix+mailscanner setup which
> includes all the steps mentioned in the mailscanner howto , mailscanner
> starts postfix incoming queue + outgoing and itself while initiating
> mailscanner through perl .
>
> Every time I run top I see the mailscanner process taking 99% of my CPU { I
> didn't mention but I am running a P4 machine + 256MB RAM with
> apache+webmail application} until the machine hangs !!!!
>
> If I get the chance to kill MailScanner processes everything gets back to
> normal and the cpu is 99% idle most of the time .
>
> I didn't commit any special changes to MailScanner.conf , I am just using f-
> prot and very much want to use the postfix-MailScanner-SpamAssassin
> combination .
>
>
> I will be very happy to get some help solving my problem ....
>
>
> Thanks in advance ,
>
> Gandalf .29 .P

--
cstamas

From mailscanner at ecs.soton.ac.uk Sun Feb 29 18:11:12 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:48 2006
Subject: Fwd: clamav faq
Message-ID: <6.0.1.1.2.20040229181045.03991a88@imap.ecs.soton.ac.uk>

Can someone do the honours please?

>Date: Fri, 27 Feb 2004 22:25:15 +0100
>From: "Luca 'NERvOus' Gibelli"
>To: faq@mailscanner.info
>Subject: clamav faq
>
>Hi,
>
>ClamAV new official site is http://www.clamav.net
>
>Could you please replace clamav.elektrapro.com with www.clamav.net in your
>faq?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Feb 29 19:09:24 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:48 2006
Subject: Postfix warning?
In-Reply-To: <403F4988.8050501@eatathome.com.au>
References: <2004227174610.364922@bensil> <403F4988.8050501@eatathome.com.au>
Message-ID: <6.0.1.1.2.20040229190901.03ddddf8@imap.ecs.soton.ac.uk>

At 13:43 27/02/2004, you wrote:
>Ben wrote:
>
>>Dear All,
>>
>>Do these matter?
>>
>>Feb 27 17:44:23 mailscanner postfix/postfix-script: warning: /var/spool/postfix.in/etc/passwd and /etc/passwd differ
>>Feb 27 17:44:23 mailscanner postfix/postfix-script: starting the Postfix mail system
>>Feb 27 17:44:23 mailscanner postfix/master[12930]: daemon started -- version 2.0.11
>>Feb 27 17:44:23 mailscanner postfix/postfix-script: warning: /var/spool/postfix/etc/passwd and /etc/passwd differ
>>Feb 27 17:44:23 mailscanner postfix/postfix-script: starting the Postfix mail system
>>
>read up on postfix chroot - because you have chrooted postfix you need
>to keep the OS and the Postfix version of these files up to date, this
>will also occur for files like hosts.
>
>If you have been editing your /etc/passwd file then you can simply copy
>it to /var/spool/postfix/etc/ this will cure your error, but the error isn't
>really fatal.
>
>I guess you can symlink these files due to the whole purpose of securing
>postfix using chroot, maybe you can, if so could someone confirm, me
>not linux guru enough to know whether to mess with symlinking these or not.

You must hard link them (ln) and not symlink (ln -s) them.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From henker at S-H-COM.DE Sun Feb 29 19:15:28 2004
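
A check for the chroot advice in the "Postfix warning?" thread above, as an added example that is not from any list message: it classifies each file under the Postfix chroot's etc/ directory against the system copy, separating a symlink, a hard link, an in-sync copy and the differing copy that postfix-script warns about. The function names, the `--audit` switch and the optional second argument (a prefix for the system tree, used for testing) are assumptions.

```shell
#!/bin/sh
# Added example: explain a "<chroot>/etc/passwd and /etc/passwd differ"
# warning by classifying how each chroot file relates to the system file.

# Usage: chroot_file_state <system-file> <chroot-copy>
# Prints one of: symlink missing hardlink copy-same copy-differs
chroot_file_state() {
    sys=$1 jail=$2
    if [ -L "$jail" ]; then
        # Checked first: -e and -ef would follow the link. A chrooted
        # process resolves an absolute target inside the jail, not outside.
        echo symlink
    elif [ ! -e "$jail" ]; then
        echo missing
    elif [ "$sys" -ef "$jail" ]; then
        # Same inode (needs the same filesystem). The two names stay
        # identical until one of them is replaced by a rename.
        echo hardlink
    elif cmp -s "$sys" "$jail"; then
        echo copy-same
    else
        echo copy-differs    # the state postfix-script warns about
    fi
}

# Usage: audit_chroot_etc <chroot-dir> [system-root-prefix]
# Prints "<state> <name>" for every entry in <chroot-dir>/etc.
audit_chroot_etc() {
    root=${2:-}
    for f in "$1"/etc/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty dir: glob unmatched
        name=${f##*/}
        printf '%s %s\n' "$(chroot_file_state "$root/etc/$name" "$f")" "$name"
    done
}

# Stand-alone use: sh script.sh --audit /var/spool/postfix
if [ "${1:-}" = "--audit" ]; then
    audit_chroot_etc "${2:-/var/spool/postfix}"
fi
```
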
From: henker at S-H-COM.DE (Steffan Henke)
Date: Thu Jan 12 21:22:48 2006
Subject: Fwd: clamav faq
In-Reply-To: <6.0.1.1.2.20040229181045.03991a88@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040229181045.03991a88@imap.ecs.soton.ac.uk>
Message-ID:

On Sun, 29 Feb 2004, Julian Field wrote:

> Can someone do the honours please?

Fixed, I just changed Kevin's entry.

Regards,
Steffan

From mailscanner at ecs.soton.ac.uk Sun Feb 29 19:26:57 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:48 2006 Subject: TNEF In-Reply-To: References: Message-ID: <6.0.1.1.2.20040229192606.03e3d518@imap.ecs.soton.ac.uk> As a work-around, set TNEF Expander = internal in MailScanner.conf. Then it will use the Perl module instead. Not as fast as the C version, but reckoned to be able to cope with more of the different versions of TNEF than the C version. At 19:22 27/02/2004, you wrote: >I just installed MailScanner version 4.26.8 yesterday on our HP >AlphaServer ES47 running HP Tru64 UNIX version 5.1B. All went well except >when I tried to rebuild tnef-1.1.4 program. When I ran the 'make', I got >this: > > >source='tnef.c' object='tnef.o' libtool=no depfile='.deps/tnef.Po' >tmpdepfile=' >.deps/tnef.TPo' depmode=tru64 /bin/ksh ../depcomp cc -DHAVE_CONFIG_H -I. >-I. - >I.. -g -c `test -f 'tnef.c' || echo './'`tnef.c >cc: Warning: basename.h, line 30: In this declaration, parameter 1 has a >differe >nt type than specified in an earlier declaration of this function. >(mismatparam) >basename (const char* path); >^ >cc: Error: basename.h, line 30: In this declaration, the type of >"basename" is n >ot compatible with the type of a previous declaration of "basename" at >line numb >er 165 in file /usr/include/string.h. (notcompat) >basename (const char* path); >^ >*** Exit 1 >Stop. >*** Exit 1 >Stop. >*** Exit 1 >Stop. >*** Exit 1 >Stop. > > >I was wondering if anyone has run into this problem and has a workaround? >For now I'm running my old tnef 1.1.2 binary until this is resolved. Any >help would be greatly appreciated. > >================================================================================ >Don Newcomer Dickinson College >Senior Manager, Systems P.O. 
Box 1773 >newcomer@dickinson.edu Carlisle, PA 17013 > Phone: (717) 245-1256 > FAX: (717) 245-1690 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sun Feb 29 19:16:05 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:48 2006 Subject: Filetype reports bug in 4.26.8 (+ fix) In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB603B@eqmail1.efni.vpn> References: <75FEDC422E2309419A9303E7B18F206E04DB603B@eqmail1.efni.vpn> Message-ID: <6.0.1.1.2.20040229191532.03a62010@imap.ecs.soton.ac.uk> Thanks. Have incorporated your patch. Hopefully it works! :-) At 14:15 27/02/2004, you wrote: >Hey Julian, > > I just had time to install 4.26.8 on my system yesterday. I noticed that >this same bug has crept up again. Included below was the original patch to >fix it. > > The bug manifests itself as the following lines in notifications to the >admin: > > Report: attachment.txt.pif was infected by W32/Netsky-B > : No programs allowed (attachment.txt.pif) > > Report: misc.scr was infected by W32/Netsky-B > : No programs allowed (misc.scr) > > > The bug is on line 1201 of Message.pm in 4.26.8. Can you patch this up for >the next release? > > > Thanks, >-Joshua > >-----Original Message----- >From: Mariano Absatz [mailto:mailscanner@LISTS.COM.AR] >Sent: Tuesday, October 07, 2003 5:27 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Filetype Reports in 4.24-5 > > >Yup... it seems to be originated in my code, but I don't know if Julian >modified this or not... however, try using >this patch (WARNING!!!!! NOT TESTED): > >--- Message.pm.orig Tue Oct 7 18:18:40 2003 >+++ Message.pm Tue Oct 7 18:19:40 2003 
>@@ -1014,7 +1014,7 @@ > } > while (($file, $text) = each %{$this->{namereports}}) { > #print STDERR "Adding file $file report $text\n"; >- $text =~ s/\n(.)/\n$Name: $1/g; # Make sure name is at the front of >this >+ $text =~ s/\n(.)/\n$Name $1/g if $Name ; # Make sure name is at the >front of this > $this->{allreports}{$file} .= $Name . $text; > } > while (($file, $text) = each %{$this->{nametypes}}) { -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sun Feb 29 19:23:47 2004 
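
Review bot: the fix touches only the `namereports` loop, while the `nametypes` loop that starts in the trailing context is left as it was; since the report shows filetype messages with a bare " : " prefix, check whether that loop carries the same `\n$Name: $1` substitution and needs the same `if $Name` guard. In the changed line the colon after `$Name` is dropped, so continuation lines now depend on `$Name` already ending in its own separator, as the unchanged `$Name . $text` line assumes; a short comment saying so would keep the colon from being re-added. The patch as quoted is mail-wrapped (the trailing comment is split before `this`) and is marked NOT TESTED, so it needs unwrapping and a run against a message with an empty `$Name` before it goes into a release.
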
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:48 2006
Subject: Minimum Stars If On Spam List Broken
In-Reply-To: <5.1.1.6.2.20040227125346.057eda88@securemail.tulsaconnect. com>
References: <5.1.1.6.2.20040227125346.057eda88@securemail.tulsaconnect.com>
Message-ID: <6.0.1.1.2.20040229192341.03a3be80@imap.ecs.soton.ac.uk>

Fixed now.

At 18:59 27/02/2004, you wrote:
>Hiya. I'm running 4.26.8 and trying to use the new setting "Minimum Stars
>If On Spam List" to have it put a X-Spam-Score header when a spam blacklist
>is triggered via MailScanner and I have it set not to process through
>SpamAssassin if found on one of the blacklists. Here is what I have set in
>the conf:
>
>Spam Score = yes
>Check SpamAssassin If On Spam List = no
>Minimum Stars If On Spam List = 5
>
>However, it is not working as expected. No X-Spam-Score header is added.
>
>---------------------------------------
>Mike Bacher / mike@sparklogic.com
>SparkLogic Development / ISP Consulting
>Use OptiGold ISP? Check out OptiSkin!
>http://www.sparklogic.com/optiskin/
>---------------------------------------

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Feb 29 19:25:32 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:48 2006
Subject: SuSE RPM Install
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EE77@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264EE77@CITY-EXCH-NTS>
Message-ID: <6.0.1.1.2.20040229192514.03a3c398@imap.ecs.soton.ac.uk>

I have changed the default in there to be sendmail so it matches the default MailScanner.conf file.

At 19:00 27/02/2004, you wrote:
>I think all you need to do is go into the /etc/sysconfig/MailScanner file
>and change the top couple of lines to sendmail instead of Postfix...
>
>...Kevin
>--
>Kevin Miller Registered Linux User No: 307357
>CBJ MIS Dept. Network Systems Administrator, Mail Administrator
>155 South Seward Street ph: (907) 586-0242
>Juneau, Alaska 99801 fax: (907 586-4500
>
>-----Original Message-----
>From: Andy Humberston [mailto:iah@DMU.AC.UK]
>Sent: Thursday, February 26, 2004 11:02 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: SuSE RPM Install
>
>Hi,
>
>I've just tried to install MailScanner version 4.26.8-1 SuSE RPM onto
>SuSE 8.2. I'm not too sure if I have missed something, but upon trying
>to start MailScanner it complains about not being able to find postfix.
>
>Postfix isn't installed, as I'm using Sendmail. Is it just a matter of
>modifying the startup scripts?
>
>Thanks in advance
>
>Andy Humberston

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040229/d1e36513/attachment.html

From kevin at KEVINSPICER.CO.UK Sun Feb 29 20:14:39 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:48 2006
Subject: Virus update times
Message-ID: <1078085680.19298.19.camel@bach.kevinspicer.co.uk>

There's been some discussion on the clamav list recently about the frequency of clients pulling database updates from their servers. The most notable point was that several of the clam developers urged users to schedule their cron jobs at a random minute past the hour to try and get a better distribution of load on the servers. I guess similar problems also afflict users of commercial scanners.

Several things struck me.
1) Many (most?) MailScanner users use cron.hourly to schedule updates, therefore we, as a community, are probably responsible for a substantially increased load at one point every hour.
2) Everyone updating at the same time increases the possibility of individual updates failing due to bandwidth/server issues.
3) Any problems with the virus database introduced immediately before the point we all update are likely to affect all of us before they get fixed.
4) We all have the same window of opportunity in our update cycles during which a new virus could propagate very quickly; at least if we all updated at different times we may stand a better chance of slowing the rate of spread.

I therefore propose that update_virus_scanners be moved from /etc/cron.hourly to a file in /etc/cron.d and that the minute at which it is scheduled in that file be generated either at random or be the same as the minute at which the file was installed. Obviously this would involve generating the file as part of the install process.

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)

This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040229/169f112a/attachment.bin

From shrek-m at GMX.DE Sun Feb 29 20:52:20 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:48 2006
Subject: Virus update times
In-Reply-To: <1078085680.19298.19.camel@bach.kevinspicer.co.uk>
References: <1078085680.19298.19.camel@bach.kevinspicer.co.uk>
Message-ID: <40425104.1010004@gmx.de>

Kevin Spicer wrote:

>There's been some discussion on the clamav list recently about the
>frequency of clients pulling database updates from their servers. The
>most notable point was that several of the clam developers urged users
>to schedule their cron jobs at a random minute past the hour to try and
>get a better distribution of load on the servers. I guess similar
>problems also afflict users of commercial scanners.
>
>Several things struck me.
>1) Many (most?) MailScanner users use cron.hourly to schedule updates,
>therefore we, as a community, are probably responsible for a
>substantially increased load at one point every hour.
>2) Everyone updating at the same time increases the possibility of
>individual updates failing due to bandwidth/ server issues
>3) Any problems with the virus database introduced immediately before
>the point we all update are likely to affect all of us before they get
>fixed
>4) We all have the same window of opportunity in our update cycles
>during which a new virus could propagate very quickly, at least if we
>all updated at different times we may stand a better chance of slowing
>the rate of spread.
>
>I therefore propose that update_virus_scanners be moved from
>/etc/cron.hourly to a file in /etc/cron.d and that the minute at which
>it is scheduled in that file be generated either at random or be the
>same as the minute at which the file was installed. Obviously this
>would involve generating the file as part of the install process.
>

Could it be possible to set this in update_virus_scanners with a random value? I hope that this would not stop other scripts in cron.hourly.

# vi /usr/sbin/update_virus_scanners
#!/bin/bash
sleep 300
SCANNERSCONF=/etc/MailScanner/virus.scanners.conf
[...]

or

# crontab -e -umailscanner-user

--
shrek-m

From isp-list at TULSACONNECT.COM Sun Feb 29 20:57:04 2004
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:22:48 2006
Subject: Minimum Stars If On Spam List Broken
In-Reply-To: <6.0.1.1.2.20040229192341.03a3be80@imap.ecs.soton.ac.uk>
References: <5.1.1.6.2.20040227125346.057eda88@securemail.tulsaconnect. com> <5.1.1.6.2.20040227125346.057eda88@securemail.tulsaconnect.com>
Message-ID: <5.2.1.1.2.20040229145820.072f7008@securemail.tulsaconnect.com>

At 07:23 PM 2/29/2004 +0000, you wrote:
>Fixed now.

Thanks.

---------------------------------------
Mike Bacher / mike@sparklogic.com
SparkLogic Development / ISP Consulting
Use OptiGold ISP? Check out OptiSkin!
http://www.sparklogic.com/optiskin/
---------------------------------------

From danikostyal at HOME.RO Sat Feb 28 12:09:51 2004
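
An added example, not taken from any message in the "Virus update times" thread above, of the proposal made there: an install-time generator that writes an /etc/cron.d entry running /usr/sbin/update_virus_scanners at a minute picked once per host and kept across reinstalls. The cron file name `mailscanner-update`, running the job as root, the `--install` switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example: replace the cron.hourly job with a cron.d entry whose minute
# is chosen at random at install time, so hosts do not all update together.

UPDATER=/usr/sbin/update_virus_scanners   # path quoted in the thread
CRON_NAME=mailscanner-update              # assumed file name

# Print a minute 0-59 drawn from the kernel random source.
random_minute() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $(( n % 60 ))
}

# Print the minute already scheduled in cron file $1; fail if there is none.
existing_minute() {
    [ -f "$1" ] || return 1
    m=$(awk '$1 ~ /^[0-9]+$/ && $1 < 60 { print $1; exit }' "$1")
    [ -n "$m" ] && echo "$m"
}

# Write the entry into cron directory $1 and print the minute used.
# An existing minute is reused so that upgrades do not reshuffle the
# schedule; the file is written to a temporary name and renamed into place
# so cron never reads a half-written entry.
install_update_cron() {
    dir=$1
    file="$dir/$CRON_NAME"
    minute=$(existing_minute "$file") || minute=$(random_minute)
    tmp=$(mktemp "$dir/.$CRON_NAME.XXXXXX") || return 1
    {
        echo "# Generated at install time; the minute is chosen once per host."
        echo "$minute * * * * root $UPDATER"
    } > "$tmp"
    chmod 644 "$tmp" && mv "$tmp" "$file"
    echo "$minute"
}

# Stand-alone use: sh script.sh --install [/etc/cron.d]
if [ "${1:-}" = "--install" ]; then
    install_update_cron "${2:-/etc/cron.d}" >/dev/null
fi
```

The old /etc/cron.hourly entry has to be removed when this file is installed, otherwise the update runs twice an hour.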
From: danikostyal at HOME.RO (Daniel Kostyal)
Date: Thu Jan 12 21:22:48 2006
Subject: install problem 2nd try
Message-ID: <000001c3ff73$69148420$0c00a8c0@instalari>

Hi,

I am trying to install MailScanner-4.26.8-1 on my Mandrake 9.2 Linux. During the installation script I get errors like:

Net/CIDR........needs perl-base>=5.800.

I have perl-base-5.8.1-RC4.3mdk.

MailScanner: Can't locate Net/CIDR.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Config.pm line 34.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Config.pm line 34.
Compilation failed in require at /usr/sbin/MailScanner line 42.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 42.
[ OK ]

It is clear. The Net/CIDR.. does not install because I have perl-base<5.800 . But I have perl-base-5.8.1-RC4.3mdk!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Should I install an older version of MailScanner? Pls help me.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040228/bafc6ced/attachment.html

From hellosatya at hotmail.com Sun Feb 15 09:07:34 2004
From: hellosatya at hotmail.com (SatyaDev Sharma)
Date: Thu Jan 12 21:24:38 2006
Subject: MailScanner with SpamAssassin + MySQL
Message-ID:

Hello,

I have installed MailScanner on my mail server and using Spamassassin for spam filtering. I have made all user database in mysql table, I want every user can set his own whitelist, blacklist and spamscore by using mysql database.

I tried a lot but i m not getting exact solution for SpamAssassin for storing MySQL pref, under the MailScanner.

Can U help me !!

-Satya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040215/a8474009/attachment.html

From sharma_satyadev at yahoo.co.uk Sun Feb 15 08:57:22 2004
From: sharma_satyadev at yahoo.co.uk (SatyaDev Sharma)
Date: Thu Jan 12 21:24:39 2006
Subject: MailScanner with SpamAssassin + MySQL
Message-ID: <008501c3f3a1$bf5f8ba0$0a0110ac@sim>

Hello,

I have installed MailScanner on my mail server and using Spamassassin for spam filtering. I have made all user database in mysql table, I want every user can set his own whitelist, blacklist and spamscore by using mysql database.

I tried a lot but i m not getting exact solution for SpamAssassin for storing MySQL pref, under the MailScanner.

Can U help me !!

-Satya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040215/dcf3367c/attachment.html

From satya at bainsdigital.com Fri Feb 20 05:28:10 2004
From: satya at bainsdigital.com (SatyaDev Sharma)
Date: Thu Jan 12 21:24:44 2006
Subject: mailscanner+spamassassin with mysql user pref ??
Message-ID: <007301c3f772$549fff50$0a0110ac@sim>

Hello,

I m having one mail server installed MailScanner and Spamassassin. Now i m trying Spamassassin with MySQL based user pref (required hits, whitelist, blacklist), but not getting success, not getting any error in log but its not reading from mysql table.

Any one has implemented MySQL user pref in SpamAssassin into MailScanner ??? It will be great help for me !!

Thanx in advance !!!

SatyaDev Sharma

-----------------------------------------------------------------------
This message has been scanned for viruses and dangerous content by AUSPICE MAIL SERVER, and is believed to be clean.
-----------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040220/646c99d8/attachment.html

From satya at bainsdigital.com Sat Feb 21 05:17:24 2004
From: satya at bainsdigital.com (SatyaDev Sharma)
Date: Thu Jan 12 21:24:45 2006
Subject: mysql ms.conf/rulesets ?
References: <0EBC45FCABFC95428EBFC3A51B368C9502D04CC2@mail.herefordshire.gov.uk> <4087D5DD.1000404@eatathome.com.au>
Message-ID: <005101c3f839$fe0e9a20$0a0110ac@sim>

Hi Pate......!

U r working on MailScanner and MySQL things.... , how u r managing Spams like per user blacklist/whitelist etc. r u using flat files or mysql database.

I m trying MailScanner+MySQL+ Spamassassin , and storing per user preferences into mysql table. but SA is not giving results as mysql preferences.

Have u any IDEA or hint ?

-SatyaDev Sharma

----- Original Message -----
From: Pete
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, April 22, 2004 7:55 PM
Subject: Re: mysql ms.conf/rulesets ?

Randal, Phil wrote:

>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Pete
>>Sent: 22 April 2004 14:32
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: mysql ms.conf/rulesets ?
>>
>>I have searched the archive and can find only limited info.
>>
>>Will it ever be possible, standard, to be able to use mysql
>>to store the entire config of a mailscanner system ? The only
>>reason i ask is that a developer colleague wants to write a
>>"portal" type system in php so that one can control
>>mailscanners scanning features with regards to per
>>user/domain settings for multi domain rulesets etc on a
>>single ms machine. He advises that this will mucho easier if
>>the config existed in mysql, like postfix does.
>>
>>Has this type of support ever been considered for ms ? I
>>guess it has been proposed as a feature request before now,
>>and either knocked back or pushed back?
>>
>>Appreciate any info.
>>
>>Thanks
>>Pete
>>
>
>Then your MySQL daemon dies and MailScanner stops working.
>
>A better solution would be something like the Webmin-based NagMin (for
>Nagios) which stores config info in a MySQL database and then generates the
>standard text configuration files at the push of a button.
>
>Cheers,
>
>Phil
>
>----
>Phil Randal
>Network Engineer
>Herefordshire Council
>Hereford, UK
>

Sure - even better. As i said the requirement from our point of view was simply for the UI for multi domains etc and I realise Julian will not be all of sudden putting all reliance of mailscanner working in the hands of mysql and realise Julian concentrates most of his efforts on combating spam et al.

I guess the preference is for official support - like postfix has - but with the above, even better mod - but any will do at this stage.

thanks again

-------------------------- MailScanner list ----------------------
To leave, send leave mailscanner to jiscmail@jiscmail.ac.uk
For further info about MailScanner, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/ and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040221/cd9a7cb2/attachment.html

From satya at bainsdigital.com Sun Feb 15 15:52:29 2004
From: satya at bainsdigital.com (SatyaDev Sharma)
Date: Thu Jan 12 21:25:06 2006
Subject: MailScanner MySQL problem
Message-ID: <001201c3f3db$b81531d0$0a0110ac@sim>

Hello Julian,

I m looking solution for MySQL based User Pref for SpamAssassin into MailScanner since long time. I posted on mailscanner mailing list but could not get any solution.

Currently I m using MySQL based spamc/spamd SA module outside of MailScanner. But I need to use it within MailScanner for better reporting and performance !

Can U Help Me ......! Any Hint !!

Thanx
SatyaDev Sharma

----- Original Message -----
From: Julian Field
To: MAILSCANNER@JISCMAIL.AC.UK

-------------------------- MailScanner list ----------------------
To leave, send leave mailscanner to jiscmail@jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/ and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040215/a541045b/attachment.html

From satya at bainsdigital.com Sun Feb 15 02:19:40 2004
From: satya at bainsdigital.com (SatyaDev Sharma)
Date: Thu Jan 12 21:26:24 2006
Subject: ading mail-list id in blacklist ??
Message-ID:
    Hello, I have subscribed to a mail list, now I don't want it delivered to my inbox (I unsubscribed but am still getting mails).

    How can I use the "blacklist" feature for this ?? What do I make blacklisted ? (becoz from-id is mostly member's email id).

    -Satya
    From satya at bainsdigital.com Sun Feb 15 19:30:00 2004
    From: satya at bainsdigital.com (SatyaDev Sharma)
    Date: Thu Jan 12 21:26:24 2006
    Subject: Fw: [DefenderMX:Spam] Allowing .exe files in .zip files
    Message-ID:

    Edit "filename.rules.conf" also ... and allow .exe .zip extensions.
    ----- Original Message -----
    Sent: Monday, August 16, 2004 7:25 PM
    Subject: [DefenderMX:Spam] Allowing .exe files in .zip files

    Hi!

    Does anyone know if it is possible to configure MailScanner to allow .exe
    files compressed in .zip files?
    By default, MailScanner denies .exe attachments, but some people here need
    to send and receive this type of attachment and then, they would like to
    send/receive .exe files compressing them in .zip files.
    I have already tried to configure this option changing the following line in
    the filetype.rules.conf:

        allow   executable      No executables          No programs allowed

    Instead of using "deny", I changed to "allow".


    Thanks for any help.

    Renata D. Vieira
    Support Analyst
    Impactools - The wise solution that fits.
    www.impactools.com




    ------------------------ MailScanner list ------------------------
    To unsubscribe, email jiscmail@jiscmail.ac.uk with the words:
    'leave mailscanner' in the body of the email.
    Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
    the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

      --------------------------------------------------------------
    Scanned for viruses, spam and dangerous content by DefenderMX
    -------------------------------------------------------------


    From satya at bainsdigital.com Sun Feb 15 19:39:42 2004
    From: satya at bainsdigital.com (SatyaDev Sharma)
    Date: Thu Jan 12 21:26:24 2006
    Subject: reject msg based on rbl list.
    Message-ID:

    I m using mailscanner+spamassassin+postfix. How can I reject mails as in the message below, so the sender can know where he is listed in rbl-lists?
    Currently my mail server accepts all mails and then filters by MS+SA and adds a high score, and then performs an action (deliver or delete).

    So how can I configure a mail server which rejects mails with a message based on rbl-lists ?

    --------------
    <MAILSCANNER@JISCMAIL.AC.UK>: host kili.jiscmail.ac.uk[130.246.192.52] said:
        550 5.7.1 <MAILSCANNER@JISCMAIL.AC.UK>... Rejected: 24.84.7.202 listed at
        rbl-plus.mail-abuse.ja.net (in reply to RCPT TO command)
    ---------------

    satya !